Merge branch 'codeql-cli-2.20.4' into release-prep/2.20.4

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -49,7 +49,11 @@ private Class getRootType(FieldAccess fa) {
   exists(VariableAccess root |
     root = fa.getQualifier+() and
     not exists(root.getQualifier()) and
-    result = root.getUnspecifiedType()
+    // We strip the type because the root may be a pointer. For example `p` in:
+    // struct S { char buffer[10]; };
+    // S* p = ...;
+    // strcpy(p->buffer, "abc");
+    result = root.getUnspecifiedType().stripType()
   )
 }
 

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -59,12 +59,15 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
     any(CommandInjectionAdditionalTaintStep s).step(n1, n2)
   }
 
-  // It's valid to use diff-informed data flow for this configuration because
+  // The query, as a predicate, is used negated in another query, but that's
-  // the location of the selected element in the query is contained inside the
+  // only to prevent overlapping results between two queries.
-  // location of the sink. The query, as a predicate, is used negated in
-  // another query, but that's only to prevent overlapping results between two
-  // queries.
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  // All queries use the argument as the primary location and do not use the
+  // sink as an associated location.
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
+  }
 }
 
 /**

java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll

@@ -46,6 +46,12 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    // This module is only used in `WebviewDebuggingEnabled.ql`, which doesn't
+    // select the source in any "$@" column.
+    none()
+  }
 }
 
 /**