Merge branch 'main' into atorralba/promote-mvel-injection

2026-04-30 03:05:15 +02:00 · 2021-06-16 15:44:43 +02:00
parent 34a8383c1a 9b84a8e146
commit dab33b21fb
800 changed files with 15540 additions and 6277 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -1,5 +1,6 @@
 { "provide": [ "*/ql/src/qlpack.yml",
               "*/ql/test/qlpack.yml",
+               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
               "*/ql/examples/qlpack.yml",
               "*/upgrades/qlpack.yml",
               "misc/legacy-support/*/qlpack.yml",
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -70,8 +70,8 @@ jobs:
      with:
        name: rst-flow-model-coverage
        path: flow-model-coverage-*.rst
-    - name: Check coverage files
-      if: github.event.pull_request
-      run: |
-        python script/misc/scripts/library-coverage/compare-files.py codeqlModels
+    # - name: Check coverage files
+    #   if: github.event.pull_request
+    #   run: |
+    #     python script/misc/scripts/library-coverage/compare-files.py codeqlModels

--- a/cpp/change-notes/2021-06-10-std-types.md
+++ b/cpp/change-notes/2021-06-10-std-types.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
+* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
+* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.
--- a/Errors/OffsetUseBeforeRangeCheck.ql
+++ b/Errors/OffsetUseBeforeRangeCheck.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/offset-use-before-range-check
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-may-not-be-closed
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-never-closed
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/file-may-not-be-closed
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileNeverClosed.ql
+++ b/cpp/ql/src/Critical/FileNeverClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/file-never-closed
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/global-use-before-init
 * @problem.severity warning
+ * @security-severity 6.9
 * @tags reliability
 *       security
 *       external/cwe/cwe-457
--- a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+++ b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/inconsistent-nullness-testing
 * @problem.severity warning
+ * @security-severity 3.6
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/InitialisationNotRun.ql
+++ b/cpp/ql/src/Critical/InitialisationNotRun.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/initialization-not-run
 * @problem.severity warning
+ * @security-severity 6.4
 * @tags reliability
 *       security
 *       external/cwe/cwe-456
--- a/cpp/ql/src/Critical/LateNegativeTest.ql
+++ b/cpp/ql/src/Critical/LateNegativeTest.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/late-negative-test
 * @problem.severity warning
+ * @security-severity 10.0
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/memory-may-not-be-freed
 * @problem.severity warning
+ * @security-severity 3.6
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MemoryNeverFreed.ql
+++ b/cpp/ql/src/Critical/MemoryNeverFreed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/memory-never-freed
 * @problem.severity warning
+ * @security-severity 3.6
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MissingNegativityTest.ql
+++ b/cpp/ql/src/Critical/MissingNegativityTest.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/missing-negativity-test
 * @problem.severity warning
+ * @security-severity 10.0
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MissingNullTest.ql
+++ b/cpp/ql/src/Critical/MissingNullTest.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/missing-null-test
 * @problem.severity recommendation
+ * @security-severity 3.6
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/NewFreeMismatch.ql
+++ b/cpp/ql/src/Critical/NewFreeMismatch.ql
@@ -3,6 +3,7 @@
 * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 3.6
 * @precision high
 * @id cpp/new-free-mismatch
 * @tags reliability
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/overflow-calculated
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags reliability
 *       security
 *       external/cwe/cwe-131
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/overflow-destination
 * @problem.severity warning
+ * @security-severity 10.0
 * @precision low
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -4,6 +4,7 @@
 *              may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 10.0
 * @precision medium
 * @id cpp/static-buffer-overflow
 * @tags reliability
--- a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+++ b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/return-stack-allocated-object
 * @problem.severity warning
+ * @security-severity 2.9
 * @tags reliability
 *       security
 *       external/cwe/cwe-562
--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -4,6 +4,7 @@
 *              an instance of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
+ * @security-severity 6.4
 * @precision medium
 * @id cpp/allocation-too-small
 * @tags reliability
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -4,6 +4,7 @@
 *              multiple instances of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
+ * @security-severity 6.4
 * @precision medium
 * @id cpp/suspicious-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/use-after-free
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags reliability
 *       security
 *       external/cwe/cwe-416
--- a/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+++ b/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
@@ -6,6 +6,7 @@
 *              to a larger type.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision very-high
 * @id cpp/bad-addition-overflow-check
 * @tags reliability
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -4,6 +4,7 @@
 *              be a sign that the result can overflow the type converted from.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision high
 * @id cpp/integer-multiplication-cast-to-long
 * @tags reliability
--- a/Bugs/Arithmetic/SignedOverflowCheck.ql
+++ b/Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -5,6 +5,7 @@
 *              unsigned integer values.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision high
 * @id cpp/signed-overflow-check
 * @tags correctness
--- a/Bugs/Conversion/CastArrayPointerArithmetic.ql
+++ b/Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -6,6 +6,7 @@
 *              use the width of the base type, leading to misaligned reads.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 10.0
 * @precision high
 * @id cpp/upcast-array-pointer-arithmetic
 * @tags correctness
--- a/Bugs/Format/NonConstantFormat.ql
+++ b/Bugs/Format/NonConstantFormat.ql
@@ -6,6 +6,7 @@
 *              from an untrusted source, this can be used for exploits.
 * @kind problem
 * @problem.severity recommendation
+ * @security-severity 6.9
 * @precision high
 * @id cpp/non-constant-format
 * @tags maintainability
--- a/Bugs/Format/SnprintfOverflow.ql
+++ b/Bugs/Format/SnprintfOverflow.ql
@@ -3,6 +3,7 @@
 * @description Using the return value from snprintf without proper checks can cause overflow.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision high
 * @id cpp/overflowing-snprintf
 * @tags reliability
--- a/Bugs/Format/WrongNumberOfFormatArguments.ql
+++ b/Bugs/Format/WrongNumberOfFormatArguments.ql
@@ -4,6 +4,7 @@
 *              a source of security issues.
 * @kind problem
 * @problem.severity error
+ * @security-severity 2.9
 * @precision high
 * @id cpp/wrong-number-format-arguments
 * @tags reliability
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -4,6 +4,7 @@
 *              behavior.
 * @kind problem
 * @problem.severity error
+ * @security-severity 6.4
 * @precision high
 * @id cpp/wrong-type-format-argument
 * @tags reliability
--- a/Typos/IncorrectNotOperatorUsage.ql
+++ b/Typos/IncorrectNotOperatorUsage.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-not-operator-usage
 * @problem.severity warning
+ * @security-severity 3.6
 * @precision medium
 * @tags security
 *       external/cwe/cwe-480
--- a/Management/AllocaInLoop.ql
+++ b/Management/AllocaInLoop.ql
@@ -3,6 +3,7 @@
 * @description Using alloca in a loop can lead to a stack overflow
 * @kind problem
 * @problem.severity warning
+ * @security-severity 3.6
 * @precision high
 * @id cpp/alloca-in-loop
 * @tags reliability
--- a/Management/ImproperNullTermination.ql
+++ b/Management/ImproperNullTermination.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/improper-null-termination
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags security
 *       external/cwe/cwe-170
 *       external/cwe/cwe-665
--- a/Management/PointerOverflow.ql
+++ b/Management/PointerOverflow.ql
@@ -4,6 +4,7 @@
 *              on undefined behavior and may lead to memory corruption.
 * @kind problem
 * @problem.severity error
+ * @security-severity 2.9
 * @precision high
 * @id cpp/pointer-overflow-check
 * @tags reliability
--- a/Management/PotentialBufferOverflow.ql
+++ b/Management/PotentialBufferOverflow.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/potential-buffer-overflow
 * @problem.severity warning
+ * @security-severity 10.0
 * @tags reliability
 *       security
 *       external/cwe/cwe-676
--- a/Management/StrncpyFlippedArgs.ql
+++ b/Management/StrncpyFlippedArgs.ql
@@ -4,6 +4,7 @@
 *              as the third argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 10.0
 * @precision medium
 * @id cpp/bad-strncpy-size
 * @tags reliability
--- a/Management/SuspiciousCallToMemset.ql
+++ b/Management/SuspiciousCallToMemset.ql
@@ -7,6 +7,7 @@
 * @kind problem
 * @id cpp/suspicious-call-to-memset
 * @problem.severity recommendation
+ * @security-severity 10.0
 * @precision medium
 * @tags reliability
 *       correctness
--- a/Management/SuspiciousCallToStrncat.ql
+++ b/Management/SuspiciousCallToStrncat.ql
@@ -3,6 +3,7 @@
 * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 10.0
 * @precision medium
 * @id cpp/unsafe-strncat
 * @tags reliability
--- a/Management/SuspiciousSizeof.ql
+++ b/Management/SuspiciousSizeof.ql
@@ -5,6 +5,7 @@
 *              the machine pointer size.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/suspicious-sizeof
 * @tags reliability
--- a/Management/UninitializedLocal.ql
+++ b/Management/UninitializedLocal.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/uninitialized-local
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @tags security
 *       external/cwe/cwe-665
--- a/Management/UnsafeUseOfStrcat.ql
+++ b/Management/UnsafeUseOfStrcat.ql
@@ -4,6 +4,7 @@
 *              may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/unsafe-strcat
 * @tags reliability
--- a/Bugs/OO/SelfAssignmentCheck.ql
+++ b/Bugs/OO/SelfAssignmentCheck.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/self-assignment-check
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags reliability
 *       security
 *       external/cwe/cwe-826
--- a/Bugs/OO/UnsafeUseOfThis.ql
+++ b/Bugs/OO/UnsafeUseOfThis.ql
@@ -6,6 +6,7 @@
 * @kind path-problem
 * @id cpp/unsafe-use-of-this
 * @problem.severity error
+ * @security-severity 3.6
 * @precision very-high
 * @tags correctness
 *       language-features
--- a/Functions/TooFewArguments.ql
+++ b/Functions/TooFewArguments.ql
@@ -7,6 +7,7 @@
 *              undefined data.
 * @kind problem
 * @problem.severity error
+ * @security-severity 2.9
 * @precision very-high
 * @id cpp/too-few-arguments
 * @tags correctness
--- a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/memset-may-be-deleted
 * @problem.severity warning
+ * @security-severity 6.4
 * @precision high
 * @tags security
 *       external/cwe/cwe-14
--- a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
+ * @security-severity 5.9
 * @tags security external/cwe/cwe-20
 */

--- a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
+ * @security-severity 5.9
 * @tags security external/cwe/cwe-20
 */

--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -4,6 +4,7 @@
 *              attacker to access unexpected resources.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 6.4
 * @precision medium
 * @id cpp/path-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -5,6 +5,7 @@
 *              to command injection.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision low
 * @id cpp/command-line-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,6 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 2.9
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -5,6 +5,7 @@
 *              to SQL Injection.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 6.4
 * @precision high
 * @id cpp/sql-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -5,6 +5,7 @@
 *              commands.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 6.0
 * @precision medium
 * @id cpp/uncontrolled-process-operation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/overflow-buffer
 * @problem.severity recommendation
+ * @security-severity 10.0
 * @tags security
 *       external/cwe/cwe-119
 *       external/cwe/cwe-121
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -5,6 +5,7 @@
 *              overflow.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision high
 * @id cpp/badly-bounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -4,6 +4,7 @@
 *              of data written may overflow.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/overrunning-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -5,6 +5,7 @@
 *              take extreme values.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/overrunning-write-with-float
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -4,6 +4,7 @@
 *              of data written may overflow.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/unbounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -5,6 +5,7 @@
 *              a specific value to terminate the argument list.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/unterminated-variadic-call
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/unclear-array-index-validation
 * @problem.severity warning
+ * @security-severity 5.9
 * @tags security
 *       external/cwe/cwe-129
 */
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -5,6 +5,7 @@
 *              terminator can cause a buffer overrun.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision high
 * @id cpp/no-space-for-terminator
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -5,6 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 6.9
 * @precision high
 * @id cpp/tainted-format-string
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -5,6 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 6.9
 * @precision high
 * @id cpp/tainted-format-string-through-global
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/user-controlled-null-termination-tainted
 * @problem.severity warning
+ * @security-severity 10.0
 * @tags security
 *       external/cwe/cwe-170
 */
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -4,6 +4,7 @@
 *              not validated can cause overflows.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision low
 * @id cpp/tainted-arithmetic
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,6 +4,7 @@
 *              validated can cause overflows.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/uncontrolled-arithmetic
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/arithmetic-with-extreme-values
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision low
 * @tags security
 *       reliability
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -5,6 +5,7 @@
 * @id cpp/comparison-with-wider-type
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision high
 * @tags reliability
 *       security
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/integer-overflow-tainted
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision low
 * @tags security
 *       external/cwe/cwe-190
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -4,11 +4,13 @@
 *              user can result in integer overflow.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/uncontrolled-allocation-size
 * @tags reliability
 *       security
 *       external/cwe/cwe-190
+ *       external/cwe/cwe-789
 */

 import cpp
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/unsigned-difference-expression-compared-zero
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @tags security
 *       correctness
--- a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/hresult-boolean-conversion
 * @problem.severity error
+ * @security-severity 4.2
 * @precision high
 * @tags security
 *       external/cwe/cwe-253
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -5,6 +5,7 @@
 *              vulnerable to spoofing attacks.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 5.8
 * @precision medium
 * @id cpp/user-controlled-bypass
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -4,6 +4,7 @@
 *              to an attacker.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/cleartext-storage-buffer
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -4,6 +4,7 @@
 *              to an attacker.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 6.4
 * @precision medium
 * @id cpp/cleartext-storage-file
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -4,6 +4,7 @@
 *              database can expose it to an attacker.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 6.4
 * @precision medium
 * @id cpp/cleartext-storage-database
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -4,6 +4,7 @@
 *              an attacker to compromise security.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.2
 * @precision medium
 * @id cpp/weak-cryptographic-algorithm
 * @tags security
@@ -28,7 +29,7 @@ Function getAnInsecureEncryptionFunction() {
 /**
 * A function with additional evidence it is related to encryption.
 */
-Function getAdditionalEvidenceFunction() {
+Function getAnAdditionalEvidenceFunction() {
  (
    isEncryptionAdditionalEvidence(result.getName()) or
    isEncryptionAdditionalEvidence(result.getAParameter().getName())
@@ -47,7 +48,7 @@ Macro getAnInsecureEncryptionMacro() {
 /**
 * A macro with additional evidence it is related to encryption.
 */
-Macro getAdditionalEvidenceMacro() {
+Macro getAnAdditionalEvidenceMacro() {
  isEncryptionAdditionalEvidence(result.getName()) and
  exists(result.getAnInvocation())
 }
@@ -63,61 +64,78 @@ EnumConstant getAnInsecureEncryptionEnumConst() { isInsecureEncryption(result.ge
 EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(result.getName()) }

 /**
- * A function call we have a high confidence is related to use of an insecure
- * encryption algorithm.
+ * A function call we have a high confidence is related to use of an insecure encryption algorithm, along
+ * with an associated `Element` which might be the best point to blame, and a description of that element.
 */
-class InsecureFunctionCall extends FunctionCall {
-  Element blame;
-  string explain;
+predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
+  // find use of an insecure algorithm name
+  (
+    fc.getTarget() = getAnInsecureEncryptionFunction() and
+    blame = fc and
+    description = "call to " + fc.getTarget().getName()
+    or
+    exists(MacroInvocation mi |
+      (
+        mi.getAnExpandedElement() = fc or
+        mi.getAnExpandedElement() = fc.getAnArgument()
+      ) and
+      mi.getMacro() = getAnInsecureEncryptionMacro() and
+      blame = mi and
+      description = "invocation of macro " + mi.getMacro().getName()
+    )
+    or
+    exists(EnumConstantAccess ec |
+      ec = fc.getAnArgument() and
+      ec.getTarget() = getAnInsecureEncryptionEnumConst() and
+      blame = ec and
+      description = "access of enum constant " + ec.getTarget().getName()
+    )
+  ) and
+  // find additional evidence that this function is related to encryption.
+  (
+    fc.getTarget() = getAnAdditionalEvidenceFunction()
+    or
+    exists(MacroInvocation mi |
+      (
+        mi.getAnExpandedElement() = fc or
+        mi.getAnExpandedElement() = fc.getAnArgument()
+      ) and
+      mi.getMacro() = getAnAdditionalEvidenceMacro()
+    )
+    or
+    exists(EnumConstantAccess ec |
+      ec = fc.getAnArgument() and
+      ec.getTarget() = getAdditionalEvidenceEnumConst()
+    )
+  )
+}

-  InsecureFunctionCall() {
-    // find use of an insecure algorithm name
-    (
-      getTarget() = getAnInsecureEncryptionFunction() and
-      blame = this and
-      explain = "function call"
-      or
-      exists(MacroInvocation mi |
-        (
-          mi.getAnExpandedElement() = this or
-          mi.getAnExpandedElement() = this.getAnArgument()
-        ) and
-        mi.getMacro() = getAnInsecureEncryptionMacro() and
-        blame = mi and
-        explain = "macro invocation"
-      )
-      or
-      exists(EnumConstantAccess ec |
-        ec = this.getAnArgument() and
-        ec.getTarget() = getAnInsecureEncryptionEnumConst() and
-        blame = ec and
-        explain = "enum constant access"
-      )
-    ) and
-    // find additional evidence that this function is related to encryption.
-    (
-      getTarget() = getAdditionalEvidenceFunction()
-      or
-      exists(MacroInvocation mi |
-        (
-          mi.getAnExpandedElement() = this or
-          mi.getAnExpandedElement() = this.getAnArgument()
-        ) and
-        mi.getMacro() = getAdditionalEvidenceMacro()
-      )
-      or
-      exists(EnumConstantAccess ec |
-        ec = this.getAnArgument() and
-        ec.getTarget() = getAdditionalEvidenceEnumConst()
-      )
+/**
+ * An element that is the `blame` of an `InsecureFunctionCall`.
+ */
+class BlamedElement extends Element {
+  string description;
+
+  BlamedElement() { getInsecureEncryptionEvidence(_, this, description) }
+
+  /**
+   * Holds if this is the `num`-th `BlamedElement` in `f`.
+   */
+  predicate hasFileRank(File f, int num) {
+    exists(int loc |
+      getLocation().charLoc(f, loc, _) and
+      loc =
+        rank[num](BlamedElement other, int loc2 | other.getLocation().charLoc(f, loc2, _) | loc2)
    )
  }

-  Element getBlame() { result = blame }
-
-  string getDescription() { result = explain }
+  string getDescription() { result = description }
 }

-from InsecureFunctionCall c
-select c.getBlame(),
-  "This " + c.getDescription() + " specifies a broken or weak cryptographic algorithm."
+from File f, BlamedElement firstResult, BlamedElement thisResult
+where
+  firstResult.hasFileRank(f, 1) and
+  thisResult.hasFileRank(f, _)
+select firstResult,
+  "This file makes use of a broken or weak cryptographic algorithm (specified by $@).", thisResult,
+  thisResult.getDescription()
--- a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
@@ -4,6 +4,7 @@
 *              attackers to retrieve portions of memory.
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.2
 * @precision very-high
 * @id cpp/openssl-heartbleed
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -5,6 +5,7 @@
 *              the two operations.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/toctou-race-condition
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -4,6 +4,7 @@
 * @id cpp/unsafe-create-process-call
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision medium
 * @msrc.severity important
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
@@ -5,6 +5,7 @@
 *              state, and reading the variable may result in undefined behavior.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 6.9
 * @opaque-id SM02313
 * @id cpp/conditionally-uninitialized-variable
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
@@ -4,6 +4,7 @@
 *              can cause buffer overflow conditions.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/suspicious-pointer-scaling
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/incorrect-pointer-scaling-char
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision low
 * @tags security
 *       external/cwe/cwe-468
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
@@ -4,6 +4,7 @@
 *              can cause buffer overflow conditions.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/suspicious-pointer-scaling-void
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -5,6 +5,7 @@
 *              implicitly scaled.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision high
 * @id cpp/suspicious-add-sizeof
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -5,6 +5,7 @@
 *              attack plan.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 3.6
 * @precision medium
 * @id cpp/system-data-exposure
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
@@ -3,6 +3,7 @@
 * @description Use of a standard library function that does not guard against buffer overflow.
 * @kind problem
 * @problem.severity error
+ * @security-severity 10.0
 * @precision very-high
 * @id cpp/dangerous-function-overflow
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
@@ -4,6 +4,7 @@
 *              may be dangerous.
 * @kind problem
 * @problem.severity error
+ * @security-severity 10.0
 * @precision high
 * @id cpp/dangerous-cin
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
@@ -3,6 +3,7 @@
 * @description Use of a standard library function that is not thread-safe.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 10.0
 * @precision high
 * @id cpp/potentially-dangerous-function
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-string-type-conversion
 * @problem.severity error
+ * @security-severity 5.9
 * @precision high
 * @tags security
 *       external/cwe/cwe-704
--- a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
@@ -3,6 +3,7 @@
 * @description Creating a file that is world-writable can allow an attacker to write to the file.
 * @kind problem
 * @problem.severity warning
+ * @security-severity 5.9
 * @precision medium
 * @id cpp/world-writable-file-creation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -7,6 +7,7 @@
 * @id cpp/unsafe-dacl-security-descriptor
 * @kind problem
 * @problem.severity error
+ * @security-severity 5.9
 * @precision high
 * @tags security
 *       external/cwe/cwe-732
--- a/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/lock-order-cycle
 * @problem.severity error
+ * @security-severity 6.9
 * @tags security
 *       external/cwe/cwe-764
 *       external/cwe/cwe-833
--- a/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/twice-locked
 * @problem.severity error
+ * @security-severity 6.9
 * @precision low
 * @tags security
 *       external/cwe/cwe-764
--- a/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/unreleased-lock
 * @problem.severity error
+ * @security-severity 6.9
 * @precision low
 * @tags security
 *       external/cwe/cwe-764
--- a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
@@ -5,6 +5,7 @@
 *              attack.
 * @kind path-problem
 * @problem.severity warning
+ * @security-severity 6.4
 * @precision medium
 * @id cpp/tainted-permissions-check
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/infinite-loop-with-unsatisfiable-exit-condition
 * @problem.severity warning
+ * @security-severity 3.6
 * @tags security
 *       external/cwe/cwe-835
 */
--- a/cpp/ql/src/Summary/LinesOfUserCode.ql
+++ b/cpp/ql/src/Summary/LinesOfUserCode.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Total lines of user written C/C++ code in the database
+ * @description The total number of lines of C/C++ code from the source code directory, excluding auto-generated files. This query counts the lines of code, excluding whitespace or comments. Note: If external libraries are included in the codebase either in a checked-in virtual environment or as vendored code, that will currently be counted as user written code.
+ * @kind metric
+ * @tags summary
+ *       lines-of-code
+ * @id cpp/summary/lines-of-user-code
+ */
+
+import cpp
+import semmle.code.cpp.AutogeneratedFile
+
+select sum(File f |
+    f.fromSource() and exists(f.getRelativePath()) and not f instanceof AutogeneratedFile
+  |
+    f.getMetrics().getNumberOfLinesOfCode()
+  )
--- a/cpp/ql/src/semmle/code/cpp/Location.qll
+++ b/cpp/ql/src/semmle/code/cpp/Location.qll
@@ -128,7 +128,9 @@ deprecated library class LocationExpr extends Location, @location_expr { }
 * Gets the length of the longest line in file `f`.
 */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getEndColumn()) }
+private int maxCols(File f) {
+  result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn()))
+}

 /**
 * A C/C++ element that has a location in a file
--- a/Show More
+++ b/Show More