Merge branch 'main' into ql-last-msg

2026-01-20 09:54:45 +01:00 · 2022-10-11 10:44:20 +02:00
parent 73f88fbdb6 9bbbece8a7
commit f4e928eec4
271 changed files with 6456 additions and 2219 deletions
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -52,7 +52,7 @@ jobs:
        id: changes
        run: |
          (git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
-           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) |
+           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename -z | xargs --null -rn1 git grep -z -l) |
           grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"

      - name: QHelp preview
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.1
+
+No user-facing changes.
+
 ## 0.4.0

 ### Deprecated APIs
--- a/cpp/ql/lib/change-notes/released/0.4.1.md
+++ b/cpp/ql/lib/change-notes/released/0.4.1.md
@@ -0,0 +1,3 @@
+## 0.4.1
+
+No user-facing changes.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.0
+lastReleaseVersion: 0.4.1
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.4.1-dev
+version: 0.4.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/Practices/Hiding/LocalVariableHidesGlobalVariable.ql
+++ b/Practices/Hiding/LocalVariableHidesGlobalVariable.ql
@@ -35,4 +35,4 @@ from LocalVariableOrParameter lv, GlobalVariable gv
 where
  lv.getName() = gv.getName() and
  lv.getFile() = gv.getFile()
-select lv, lv.type() + gv.getName() + " hides $@ with the same name.", gv, "a global variable"
+select lv, lv.type() + gv.getName() + " hides a $@ with the same name.", gv, "global variable"
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.4.1
+
+### Minor Analysis Improvements
+
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
 ## 0.4.0

 ### New Queries
--- a/Bugs/ShortLoopVarName.ql
+++ b/Bugs/ShortLoopVarName.ql
@@ -48,5 +48,5 @@ where
  not coordinatePair(iterationVar, innerVar)
 select iterationVar,
  "Iteration variable " + iterationVar.getName() +
-    " for $@ should have a descriptive name, since there is $@.", outer, "this loop", inner,
-  "a nested loop"
+    " for $@ should have a descriptive name, since there is a $@.", outer, "this loop", inner,
+  "nested loop"
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -56,29 +56,26 @@ class VarargsFunction extends Function {
    result = strictcount(FunctionCall fc | fc = this.getACallToThisFunction())
  }

-  string normalTerminator(int cnt) {
+  string normalTerminator(int cnt, int totalCount) {
+    // the terminator is 0 or -1
    result = ["0", "-1"] and
+    // at least 80% of calls have the terminator
    cnt = this.trailingArgValueCount(result) and
-    2 * cnt > this.totalCount() and
-    not exists(FunctionCall fc, int index |
-      // terminator value is used in a non-terminating position
-      this.nonTrailingVarArgValue(fc, index) = result
-    )
+    totalCount = this.totalCount() and
+    100 * cnt / totalCount >= 80 and
+    // terminator value is not used in a non-terminating position
+    not exists(FunctionCall fc, int index | this.nonTrailingVarArgValue(fc, index) = result)
  }

-  predicate isWhitelisted() {
-    this.hasGlobalName("open") or
-    this.hasGlobalName("fcntl") or
-    this.hasGlobalName("ptrace")
-  }
+  predicate isWhitelisted() { this.hasGlobalName(["open", "fcntl", "ptrace", "mremap"]) }
 }

-from VarargsFunction f, FunctionCall fc, string terminator, int cnt
+from VarargsFunction f, FunctionCall fc, string terminator, int cnt, int totalCount
 where
-  terminator = f.normalTerminator(cnt) and
+  terminator = f.normalTerminator(cnt, totalCount) and
  fc = f.getACallToThisFunction() and
  not normalisedExprValue(f.trailingArgumentIn(fc)) = terminator and
  not f.isWhitelisted()
 select fc,
-  "Calls to $@ should use the value " + terminator + " as a terminator (" + cnt + " calls do).", f,
-  f.getQualifiedName()
+  "Calls to $@ should use the value " + terminator + " as a terminator (" + cnt + " of " +
+    totalCount + " calls do).", f, f.getQualifiedName()
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -135,5 +135,5 @@ where
  sink.getNode().asExpr() = va and
  missingGuard(va, effect)
 select sink.getNode(), source, sink,
-  "Arithmetic expression depends on an $@, potentially causing an " + effect + ".",
+  "This arithmetic expression depends on an $@, potentially causing an " + effect + ".",
  getExpr(source.getNode()), "uncontrolled value"
--- a/cpp/ql/src/change-notes/2022-10-06-unterminated-variadic-call.md
+++ b/cpp/ql/src/change-notes/2022-10-06-unterminated-variadic-call.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Unterminated variadic call" (`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results.
--- a/csharp/ql/src/change-notes/2022-09-29-alert-messages.md
+++ b/csharp/ql/src/change-notes/2022-09-29-alert-messages.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 0.4.1
+
+### Minor Analysis Improvements
+
 * The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.0
+lastReleaseVersion: 0.4.1
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.4.1-dev
+version: 0.4.2-dev
 groups: 
  - cpp
  - queries
--- a/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.expected
+++ b/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.expected
@@ -1 +1 @@
-| UnintendedDeclaration.cpp:65:14:65:20 | definition of myMutex | Local variable myMutex hides $@ with the same name. | UnintendedDeclaration.cpp:40:7:40:13 | myMutex | a global variable |
+| UnintendedDeclaration.cpp:65:14:65:20 | definition of myMutex | Local variable myMutex hides a $@ with the same name. | UnintendedDeclaration.cpp:40:7:40:13 | myMutex | global variable |
--- a/Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.expected
+++ b/Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.expected
@@ -1,5 +1,5 @@
-| Hiding.c:22:25:22:26 | definition of gi | Local variable gi hides $@ with the same name. | Hiding.c:2:5:2:6 | gi | a global variable |
-| Hiding.c:23:25:23:26 | definition of gj | Local variable gj hides $@ with the same name. | Hiding.c:3:12:3:13 | gj | a global variable |
-| Hiding.c:24:25:24:26 | definition of gk | Local variable gk hides $@ with the same name. | Hiding.c:4:12:4:13 | gk | a global variable |
-| Hiding.c:37:20:37:21 | definition of g3 | Parameter g3 hides $@ with the same name. | Hiding.c:33:13:33:14 | g3 | a global variable |
-| Hiding.c:40:20:40:21 | definition of g5 | Parameter g5 hides $@ with the same name. | Hiding.c:33:21:33:22 | g5 | a global variable |
+| Hiding.c:22:25:22:26 | definition of gi | Local variable gi hides a $@ with the same name. | Hiding.c:2:5:2:6 | gi | global variable |
+| Hiding.c:23:25:23:26 | definition of gj | Local variable gj hides a $@ with the same name. | Hiding.c:3:12:3:13 | gj | global variable |
+| Hiding.c:24:25:24:26 | definition of gk | Local variable gk hides a $@ with the same name. | Hiding.c:4:12:4:13 | gk | global variable |
+| Hiding.c:37:20:37:21 | definition of g3 | Parameter g3 hides a $@ with the same name. | Hiding.c:33:13:33:14 | g3 | global variable |
+| Hiding.c:40:20:40:21 | definition of g5 | Parameter g5 hides a $@ with the same name. | Hiding.c:33:21:33:22 | g5 | global variable |
--- a/Bugs/ShortLoopVarName/ShortLoopVarName.expected
+++ b/Bugs/ShortLoopVarName/ShortLoopVarName.expected
@@ -1,4 +1,4 @@
-| ShortLoopVarName.cpp:6:6:6:6 | i | Iteration variable i for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:12:2:18:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:14:3:17:3 | for(...;...;...) ... | a nested loop |
-| ShortLoopVarName.cpp:30:13:30:13 | a | Iteration variable a for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:30:2:38:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:34:3:37:3 | for(...;...;...) ... | a nested loop |
-| ShortLoopVarName.cpp:73:11:73:11 | y | Iteration variable y for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:73:2:80:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:75:3:79:3 | for(...;...;...) ... | a nested loop |
-| ShortLoopVarName.cpp:96:12:96:12 | i | Iteration variable i for $@ should have a descriptive name, since there is $@. | ShortLoopVarName.cpp:96:3:102:3 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:98:4:101:4 | for(...;...;...) ... | a nested loop |
+| ShortLoopVarName.cpp:6:6:6:6 | i | Iteration variable i for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:12:2:18:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:14:3:17:3 | for(...;...;...) ... | nested loop |
+| ShortLoopVarName.cpp:30:13:30:13 | a | Iteration variable a for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:30:2:38:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:34:3:37:3 | for(...;...;...) ... | nested loop |
+| ShortLoopVarName.cpp:73:11:73:11 | y | Iteration variable y for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:73:2:80:2 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:75:3:79:3 | for(...;...;...) ... | nested loop |
+| ShortLoopVarName.cpp:96:12:96:12 | i | Iteration variable i for $@ should have a descriptive name, since there is a $@. | ShortLoopVarName.cpp:96:3:102:3 | for(...;...;...) ... | this loop | ShortLoopVarName.cpp:98:4:101:4 | for(...;...;...) ... | nested loop |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.expected
@@ -1,9 +1,9 @@
-| more_tests.cpp:23:2:23:12 | call to myFunction2 | Calls to $@ should use the value -1 as a terminator (4 calls do). | more_tests.cpp:5:6:5:16 | myFunction2 | myFunction2 |
-| more_tests.cpp:34:2:34:12 | call to myFunction4 | Calls to $@ should use the value 0 as a terminator (3 calls do). | more_tests.cpp:7:6:7:16 | myFunction4 | myFunction4 |
-| more_tests.cpp:44:2:44:12 | call to myFunction6 | Calls to $@ should use the value 0 as a terminator (3 calls do). | more_tests.cpp:9:6:9:16 | myFunction6 | myFunction6 |
-| more_tests.cpp:55:2:55:12 | call to myFunction7 | Calls to $@ should use the value 0 as a terminator (7 calls do). | more_tests.cpp:10:6:10:16 | myFunction7 | myFunction7 |
-| more_tests.cpp:56:2:56:12 | call to myFunction7 | Calls to $@ should use the value 0 as a terminator (7 calls do). | more_tests.cpp:10:6:10:16 | myFunction7 | myFunction7 |
-| tests.c:34:2:34:3 | call to f1 | Calls to $@ should use the value 0 as a terminator (4 calls do). | tests.c:4:6:4:7 | f1 | f1 |
-| tests.c:67:2:67:3 | call to f6 | Calls to $@ should use the value -1 as a terminator (3 calls do). | tests.c:24:6:24:7 | f6 | f6 |
-| tests.c:68:2:68:3 | call to f6 | Calls to $@ should use the value -1 as a terminator (3 calls do). | tests.c:24:6:24:7 | f6 | f6 |
-| tests.c:73:2:73:3 | call to f7 | Calls to $@ should use the value 0 as a terminator (3 calls do). | tests.c:28:6:28:7 | f7 | f7 |
+| more_tests.cpp:25:2:25:12 | call to myFunction2 | Calls to $@ should use the value -1 as a terminator (5 of 6 calls do). | more_tests.cpp:5:6:5:16 | myFunction2 | myFunction2 |
+| more_tests.cpp:39:2:39:12 | call to myFunction4 | Calls to $@ should use the value 0 as a terminator (5 of 6 calls do). | more_tests.cpp:7:6:7:16 | myFunction4 | myFunction4 |
+| more_tests.cpp:49:2:49:12 | call to myFunction6 | Calls to $@ should use the value 0 as a terminator (5 of 6 calls do). | more_tests.cpp:9:6:9:16 | myFunction6 | myFunction6 |
+| more_tests.cpp:64:2:64:12 | call to myFunction7 | Calls to $@ should use the value 0 as a terminator (9 of 11 calls do). | more_tests.cpp:10:6:10:16 | myFunction7 | myFunction7 |
+| more_tests.cpp:65:2:65:12 | call to myFunction7 | Calls to $@ should use the value 0 as a terminator (9 of 11 calls do). | more_tests.cpp:10:6:10:16 | myFunction7 | myFunction7 |
+| tests.c:34:2:34:3 | call to f1 | Calls to $@ should use the value 0 as a terminator (4 of 5 calls do). | tests.c:4:6:4:7 | f1 | f1 |
+| tests.c:78:2:78:3 | call to f6 | Calls to $@ should use the value -1 as a terminator (10 of 12 calls do). | tests.c:24:6:24:7 | f6 | f6 |
+| tests.c:79:2:79:3 | call to f6 | Calls to $@ should use the value -1 as a terminator (10 of 12 calls do). | tests.c:24:6:24:7 | f6 | f6 |
+| tests.c:84:2:84:3 | call to f7 | Calls to $@ should use the value 0 as a terminator (12 of 13 calls do). | tests.c:28:6:28:7 | f7 | f7 |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp
@@ -13,27 +13,32 @@ int main()
 {
 	int x;

-	myFunction1("%i", 0); // not common enough to be assumed a terminator
+	myFunction1("%i", 0); // GOOD: not common enough to be assumed a terminator
+	myFunction1("%i", 0);
 	myFunction1("%i", x);

 	myFunction2(-1);
 	myFunction2(0, -1);
 	myFunction2(0, 1, -1);
 	myFunction2(0, 1, 2, -1);
-	myFunction2(0, 1, 2, 3); // missing terminator
+	myFunction2(0, 1, 2, 3, -1);
+	myFunction2(0, 1, 2, 3, 4); // BAD: missing terminator

 	myFunction3(-1);
 	myFunction3(0, -1);
-	myFunction3(-1, 1, -1); // -1 isn't a terminator because it's used in a non-terminal position
+	myFunction3(-1, 1, -1); // GOOD: -1 isn't a terminator because it's used in a non-terminal position
 	myFunction3(0, 1, 2, -1);
-	myFunction3(0, 1, 2, 3);
+	myFunction3(0, 1, 2, 3, -1);
+	myFunction3(0, 1, 2, 3, 4);

 	myFunction4(x, x, 0);
 	myFunction4(0, x, 1, 0);
 	myFunction4(0, 0, 1, 1, 0);
-	myFunction4(x, 0, 1, 1, 1); // missing terminator
+	myFunction4(0, x, 1, 1, 1, 0);
+	myFunction4(0, 0, 1, 1, 1, 1, 0);
+	myFunction4(x, 0, 1, 1, 1, 1, 1); // BAD: missing terminator

-	myFunction5('a', 'b', 'c', 0); // ambiguous terminator
+	myFunction5('a', 'b', 'c', 0); // GOOD: ambiguous terminator
 	myFunction5('a', 'b', 'c', 0);
 	myFunction5('a', 'b', 'c', 0);
 	myFunction5('a', 'b', 'c', -1);
@@ -41,19 +46,23 @@ int main()
 	myFunction5('a', 'b', 'c', -1);

 	myFunction6(0.0);
-	myFunction6(1.0); // missing terminator
+	myFunction6(1.0); // BAD: missing terminator
 	myFunction6(1.0, 2.0, 0.0);
 	myFunction6(1.0, 2.0, 3.0, 0.0);
+	myFunction6(1.0, 2.0, 3.0, 4.0, 0.0);
+	myFunction6(1.0, 2.0, 3.0, 4.0, 5.0, 0.0);

 	myFunction7(NULL);
 	myFunction7("hello", "world", NULL);
 	myFunction7("apple", "banana", "pear", "mango", NULL);
 	myFunction7("dog", "cat", "elephant", "badger", "fish", NULL);
 	myFunction7("one", "two", "three", 0);
+	myFunction7("four", "five", "six", 0);
+	myFunction7("seven", "eight", "nine", 0);
 	myFunction7("alpha", "beta", "gamma", 0);
 	myFunction7("", 0);
-	myFunction7("yes", "no"); // missing terminator
-	myFunction7(); // missing terminator
+	myFunction7("yes", "no"); // BAD: missing terminator
+	myFunction7(); // BAD: missing terminator

 	return 0;
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c
@@ -42,6 +42,7 @@ int main(int argc, char *argv[])

 	// GOOD: 0 is not common enough to be sure it's a terminator
 	f3("", 0);
+	f3("", 0);
 	f3("", 10);

 	// GOOD: -1 is not common enough to be sure it's a terminator
@@ -50,6 +51,9 @@ int main(int argc, char *argv[])
 	f4("", -1);
 	f4("", -1);
 	f4("", -1);
+	f4("", -1);
+	f4("", -1);
+	f4("", -1);
 	f4("", 1);

 	// GOOD: no obvious required terminator
@@ -61,16 +65,32 @@ int main(int argc, char *argv[])
 	f5("", 0);
 	f5("", 10);
 	
-	f6("fsdf", 3, 8, -1);
-	f6("a", 7, 9, 10, -1);
-	f6("a", 1, 22, 6, 17, 2, -1);
-	f6("fgasfgas", 5, 6, argc); // BAD: not (necessarily) terminated with -1
-	f6("sadfsaf"); // BAD: not terminated with -1
+	f6("a", 3, 8, -1);
+	f6("b", 7, 9, 10, -1);
+	f6("c", 1, 22, 6, 17, 2, -1);
+	f6("d", 1, -1);
+	f6("e", 1, 2, -1);
+	f6("f", 1, 2, 3, -1);
+	f6("g", 1, 2, 3, 4, -1);
+	f6("h", 5, -1);
+	f6("i", 5, 6, -1);
+	f6("j", 5, 6, 7, -1);
+	f6("k", 5, 6, argc); // BAD: not (necessarily) terminated with -1
+	f6("l"); // BAD: not terminated with -1

 	f7("", 0);
 	f7("", 0);
 	f7("", 0);
 	f7(""); // BAD: not terminated with 0
+	f7("", 0);
+	f7("", 0);
+	f7("", 0);
+	f7("", 0);
+	f7("", 0);
+	f7("", 0);
+	f7("", 0);
+	f7("", 0);
+	f7("", 0);

 	return 0;
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected
@@ -52,27 +52,27 @@ nodes
 | examples.cpp:38:9:38:12 | data | semmle.label | data |
 subpaths
 #select
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
-| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | Arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
+| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
@@ -92,31 +92,31 @@ nodes
 | test.cpp:219:8:219:8 | x | semmle.label | x |
 subpaths
 #select
-| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value |
-| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value |
-| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value |
-| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value |
-| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value |
-| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value |
-| test.c:157:9:157:9 | r | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r | Arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
-| test.c:157:9:157:9 | r | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r | Arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
-| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
-| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
-| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value |
-| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value |
-| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value |
-| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |
-| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value |
-| test.cpp:171:11:171:16 | (int)... | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | (int)... | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
-| test.cpp:171:16:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
-| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
-| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
-| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
-| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
-| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
-| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
-| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | Arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value |
+| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value |
+| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value |
+| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value |
+| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value |
+| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value |
+| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value |
+| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value |
+| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value |
+| test.c:157:9:157:9 | r | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
+| test.c:157:9:157:9 | r | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value |
+| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value |
+| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value |
+| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value |
+| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value |
+| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value |
+| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value |
+| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value |
+| test.cpp:171:11:171:16 | (int)... | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | (int)... | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
+| test.cpp:171:16:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value |
+| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
+| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
+| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value |
+| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
+| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
+| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value |
+| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value |
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.3.1
+
+No user-facing changes.
+
 ## 1.3.0

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.1.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.1.md
@@ -0,0 +1,3 @@
+## 1.3.1
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.0
+lastReleaseVersion: 1.3.1
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.3.1-dev
+version: 1.3.2-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.3.1
+
+No user-facing changes.
+
 ## 1.3.0

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.1.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.1.md
@@ -0,0 +1,3 @@
+## 1.3.1
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.0
+lastReleaseVersion: 1.3.1
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.3.1-dev
+version: 1.3.2-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.4.1
+
+### Minor Analysis Improvements
+
+* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
+* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected. 
+
 ## 0.4.0

 ### Deprecated APIs
--- a/csharp/ql/lib/change-notes/2022-09-23-simpletypesanitizer.md
+++ b/csharp/ql/lib/change-notes/2022-09-23-simpletypesanitizer.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
--- a/csharp/ql/lib/change-notes/2022-08-24-aps-net-core-controllers.md
+++ b/csharp/ql/lib/change-notes/2022-08-24-aps-net-core-controllers.md
@@ -1,4 +1,6 @@
---
-category: minorAnalysis
---
+## 0.4.1
+
+### Minor Analysis Improvements
+
+* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
 * ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected. 
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.0
+lastReleaseVersion: 0.4.1
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.4.1-dev
+version: 0.4.2-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll
@@ -163,7 +163,9 @@ abstract class Configuration extends string {
  /**
   * Holds if data may flow from some source to `sink` for this configuration.
   */
-  predicate hasFlowTo(Node sink) { this.hasFlow(_, sink) }
+  predicate hasFlowTo(Node sink) {
+    sink = any(PathNodeSink n | this = n.getConfiguration()).getNodeEx().asNode()
+  }

  /**
   * Holds if data may flow from some source to `sink` for this configuration.
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.4.1
+
+### Minor Analysis Improvements
+
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
 ## 0.4.0

 ### Minor Analysis Improvements
--- a/java/ql/src/change-notes/2022-09-23-alert-messages.md
+++ b/java/ql/src/change-notes/2022-09-23-alert-messages.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
-* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+## 0.4.1
+
+### Minor Analysis Improvements
+
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.0
+lastReleaseVersion: 0.4.1
--- a/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
+++ b/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a method of WebClient.",
-  source.getNode(), "User-provided value"
+select sink.getNode(), source, sink, "A method of WebClient depepends on a $@.", source.getNode(),
+  "user-provided value"
--- a/Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
+++ b/Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
@@ -17,5 +17,6 @@ import JsonWebTokenHandlerLib

 from TokenValidationParametersProperty p, CallableAlwaysReturnsTrueHigherPrecision e
 where e = p.getAnAssignedValue()
-select e, "JsonWebTokenHandler security-sensitive property $@ is being delegated to $@.", p,
-  p.getQualifiedName().toString(), e, "a callable that always returns \"true\""
+select e,
+  "JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns \"true\".",
+  p, p.getQualifiedName().toString()
--- a/Features/backdoor/ProcessNameToHashTaintFlow.ql
+++ b/Features/backdoor/ProcessNameToHashTaintFlow.ql
@@ -50,5 +50,5 @@ predicate isSuspiciousPropertyName(PropertyRead pr) {
 from DataFlow::PathNode src, DataFlow::PathNode sink, DataFlowFromMethodToHash conf
 where conf.hasFlow(src.getNode(), sink.getNode())
 select src.getNode(), src, sink,
-  "The hash is calculated on the process name $@, may be related to a backdoor. Please review the code for possible malicious intent.",
-  sink.getNode(), "here"
+  "The hash is calculated on $@, may be related to a backdoor. Please review the code for possible malicious intent.",
+  sink.getNode(), "this process name"
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.4.1-dev
+version: 0.4.2-dev
 groups: 
  - csharp
  - queries
--- a/Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.expected
+++ b/Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.expected
@@ -1,7 +1,7 @@
-| delegation-test.cs:101:63:101:186 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:54:34:54:50 | LifetimeValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.LifetimeValidator | delegation-test.cs:101:63:101:186 | (...) => ... | a callable that always returns "true" |
-| delegation-test.cs:102:63:102:178 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:102:63:102:178 | (...) => ... | a callable that always returns "true" |
-| delegation-test.cs:115:63:115:190 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:115:63:115:190 | (...) => ... | a callable that always returns "true" |
-| delegation-test.cs:116:63:116:180 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:116:63:116:180 | (...) => ... | a callable that always returns "true" |
-| delegation-test.cs:117:63:117:217 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:117:63:117:217 | (...) => ... | a callable that always returns "true" |
-| delegation-test.cs:118:63:118:248 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:118:63:118:248 | (...) => ... | a callable that always returns "true" |
-| delegation-test.cs:119:63:119:177 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator | delegation-test.cs:119:63:119:177 | (...) => ... | a callable that always returns "true" |
+| delegation-test.cs:101:63:101:186 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:54:34:54:50 | LifetimeValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.LifetimeValidator |
+| delegation-test.cs:102:63:102:178 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
+| delegation-test.cs:115:63:115:190 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
+| delegation-test.cs:116:63:116:180 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
+| delegation-test.cs:117:63:117:217 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
+| delegation-test.cs:118:63:118:248 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
+| delegation-test.cs:119:63:119:177 | (...) => ... | JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns "true". | stubs.cs:55:34:55:50 | AudienceValidator | Microsoft.IdentityModel.Tokens.TokenValidationParameters.AudienceValidator |
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.3.1
+
+### Minor Analysis Improvements
+
+* Added support for `BeegoInput.RequestBody` as a source of untrusted data.
+
 ## 0.3.0

 ### Deprecated APIs
--- a/go/ql/lib/change-notes/2022-10-06-beego-request-body-source.md
+++ b/go/ql/lib/change-notes/2022-10-06-beego-request-body-source.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 0.3.1
+
+### Minor Analysis Improvements
+
 * Added support for `BeegoInput.RequestBody` as a source of untrusted data.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.0
+lastReleaseVersion: 0.3.1
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.3.1-dev
+version: 0.3.2-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll
@@ -64,7 +64,7 @@ module InsecureRandomness {
      )
    }

-    override string getKind() { result = "this cryptographic algorithm" }
+    override string getKind() { result = "This cryptographic algorithm" }
  }

  /**
@@ -75,7 +75,7 @@ module InsecureRandomness {
      this.getRoot().(FuncDef).getName().regexpMatch("(?i).*(gen(erate)?|salt|make|mk)Password.*")
    }

-    override string getKind() { result = "a password-related function" }
+    override string getKind() { result = "A password-related function" }
  }

  /** Gets a package that implements hash algorithms. */
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.3.1
+
+No user-facing changes.
+
 ## 0.3.0

 ### Query Metadata Changes
--- a/go/ql/src/InconsistentCode/WrappedErrorAlwaysNil.ql
+++ b/go/ql/src/InconsistentCode/WrappedErrorAlwaysNil.ql
@@ -61,4 +61,4 @@ where
    // }
    n = DataFlow::BarrierGuard<nilTestGuard/3>::getABarrierNode()
  )
-select n, "The first argument to 'errors.Wrap' is always nil"
+select n, "The first argument to 'errors.Wrap' is always nil."
--- a/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
+++ b/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
@@ -48,5 +48,5 @@ class Config extends DataFlow::Configuration {

 from Config c, DataFlow::PathNode source, DataFlow::PathNode sink, string report
 where c.hasFlowPath(source, sink) and c.isSource(source.getNode(), report)
-select source, source, sink, "$@ that is $@ contains " + report, source, "A string literal", sink,
+select source, source, sink, "This string literal that is $@ contains " + report, sink,
  "used as a regular expression"
--- a/go/ql/src/Security/CWE-117/LogInjection.ql
+++ b/go/ql/src/Security/CWE-117/LogInjection.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph

 from LogInjection::Configuration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Log entry depends on a $@.", source.getNode(),
+select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
  "user-provided value"
--- a/go/ql/src/Security/CWE-338/InsecureRandomness.ql
+++ b/go/ql/src/Security/CWE-338/InsecureRandomness.ql
@@ -19,7 +19,7 @@ where
  cfg.hasFlowPath(source, sink) and
  cfg.isSink(sink.getNode(), kind) and
  (
-    kind != "a password-related function"
+    kind != "A password-related function"
    or
    sink =
      min(DataFlow::PathNode sink2, int line |
@@ -31,5 +31,5 @@ where
      )
  )
 select sink.getNode(), source, sink,
-  "$@ generated with a cryptographically weak RNG is used in $@.", source.getNode(),
-  "A random number", sink.getNode(), kind
+  kind + " depends on a $@ generated with a cryptographically weak RNG.", source.getNode(),
+  "random number"
--- a/cpp/ql/src/change-notes/2022-09-23-alert-messages.md
+++ b/cpp/ql/src/change-notes/2022-09-23-alert-messages.md
--- a/go/ql/src/change-notes/released/0.3.1.md
+++ b/go/ql/src/change-notes/released/0.3.1.md
@@ -0,0 +1,3 @@
+## 0.3.1
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.0
+lastReleaseVersion: 0.3.1
--- a/go/ql/src/experimental/CWE-369/DivideByZero.ql
+++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -54,5 +54,4 @@ class DivideByZeroCheckConfig extends TaintTracking::Configuration {

 from DataFlow::PathNode source, DataFlow::PathNode sink, DivideByZeroCheckConfig cfg
 where cfg.hasFlowPath(source, sink)
-select sink, source, sink, "Variable $@ might be zero leading to a division-by-zero panic.", sink,
-  sink.getNode().toString()
+select sink, source, sink, "This variable might be zero leading to a division-by-zero panic."
--- a/go/ql/src/experimental/CWE-400/DatabaseCallInLoop.ql
+++ b/go/ql/src/experimental/CWE-400/DatabaseCallInLoop.ql
@@ -66,4 +66,4 @@ query predicate edges(CallGraphNode pred, CallGraphNode succ) {

 from LoopStmt loop, DatabaseAccess dbAccess
 where edges*(loop, dbAccess.asExpr())
-select dbAccess, loop, dbAccess, "$@ is called in $@", dbAccess, dbAccess.toString(), loop, "a loop"
+select dbAccess, loop, dbAccess, "This calls " + dbAccess.toString() + " in a $@.", loop, "loop"
--- a/go/ql/src/experimental/CWE-918/SSRF.ql
+++ b/go/ql/src/experimental/CWE-918/SSRF.ql
@@ -19,4 +19,4 @@ from
 where
  cfg.hasFlowPath(source, sink) and
  request = sink.getNode().(ServerSideRequestForgery::Sink).getARequest()
-select request, source, sink, "The URL of this request depends on a user-provided value"
+select request, source, sink, "The URL of this request depends on a user-provided value."
--- a/go/ql/src/experimental/IntegerOverflow/IntegerOverflow.ql
+++ b/go/ql/src/experimental/IntegerOverflow/IntegerOverflow.ql
@@ -11,4 +11,4 @@ import RangeAnalysis

 from Expr expr
 where exprMayOverflow(expr) or exprMayUnderflow(expr)
-select expr, "this expression may cause an integer overflow"
+select expr, "This expression may cause an integer overflow."
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.3.1-dev
+version: 0.3.2-dev
 groups:
  - go
  - queries
--- a/go/ql/test/experimental/CWE-369/DivideByZero.expected
+++ b/go/ql/test/experimental/CWE-369/DivideByZero.expected
@@ -24,9 +24,9 @@ nodes
 | DivideByZero.go:57:17:57:21 | value | semmle.label | value |
 subpaths
 #select
-| DivideByZero.go:12:16:12:20 | value | DivideByZero.go:10:12:10:16 | selection of URL : pointer type | DivideByZero.go:12:16:12:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:12:16:12:20 | value | value |
-| DivideByZero.go:19:16:19:20 | value | DivideByZero.go:17:12:17:16 | selection of URL : pointer type | DivideByZero.go:19:16:19:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:19:16:19:20 | value | value |
-| DivideByZero.go:26:16:26:20 | value | DivideByZero.go:24:12:24:16 | selection of URL : pointer type | DivideByZero.go:26:16:26:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:26:16:26:20 | value | value |
-| DivideByZero.go:33:16:33:20 | value | DivideByZero.go:31:12:31:16 | selection of URL : pointer type | DivideByZero.go:33:16:33:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:33:16:33:20 | value | value |
-| DivideByZero.go:40:16:40:20 | value | DivideByZero.go:38:12:38:16 | selection of URL : pointer type | DivideByZero.go:40:16:40:20 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:40:16:40:20 | value | value |
-| DivideByZero.go:57:17:57:21 | value | DivideByZero.go:54:12:54:16 | selection of URL : pointer type | DivideByZero.go:57:17:57:21 | value | Variable $@ might be zero leading to a division-by-zero panic. | DivideByZero.go:57:17:57:21 | value | value |
+| DivideByZero.go:12:16:12:20 | value | DivideByZero.go:10:12:10:16 | selection of URL : pointer type | DivideByZero.go:12:16:12:20 | value | This variable might be zero leading to a division-by-zero panic. |
+| DivideByZero.go:19:16:19:20 | value | DivideByZero.go:17:12:17:16 | selection of URL : pointer type | DivideByZero.go:19:16:19:20 | value | This variable might be zero leading to a division-by-zero panic. |
+| DivideByZero.go:26:16:26:20 | value | DivideByZero.go:24:12:24:16 | selection of URL : pointer type | DivideByZero.go:26:16:26:20 | value | This variable might be zero leading to a division-by-zero panic. |
+| DivideByZero.go:33:16:33:20 | value | DivideByZero.go:31:12:31:16 | selection of URL : pointer type | DivideByZero.go:33:16:33:20 | value | This variable might be zero leading to a division-by-zero panic. |
+| DivideByZero.go:40:16:40:20 | value | DivideByZero.go:38:12:38:16 | selection of URL : pointer type | DivideByZero.go:40:16:40:20 | value | This variable might be zero leading to a division-by-zero panic. |
+| DivideByZero.go:57:17:57:21 | value | DivideByZero.go:54:12:54:16 | selection of URL : pointer type | DivideByZero.go:57:17:57:21 | value | This variable might be zero leading to a division-by-zero panic. |
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected
@@ -8,6 +8,6 @@ edges
 | test.go:24:2:26:2 | for statement | test.go:25:3:25:17 | call to runRunQuery |
 | test.go:25:3:25:17 | call to runRunQuery | test.go:14:1:16:1 | function declaration |
 #select
-| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | $@ is called in $@ | DatabaseCallInLoop.go:9:3:9:41 | call to First | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | a loop |
-| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | $@ is called in $@ | test.go:11:2:11:13 | call to Take | call to Take | test.go:20:2:22:2 | for statement | a loop |
-| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | $@ is called in $@ | test.go:11:2:11:13 | call to Take | call to Take | test.go:24:2:26:2 | for statement | a loop |
+| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |
--- a/go/ql/test/experimental/CWE-918/SSRF.expected
+++ b/go/ql/test/experimental/CWE-918/SSRF.expected
@@ -55,20 +55,20 @@ nodes
 | new-tests.go:96:11:96:46 | ...+... | semmle.label | ...+... |
 subpaths
 #select
-| builtin.go:22:12:22:63 | call to Get | builtin.go:19:12:19:34 | call to FormValue : string | builtin.go:22:21:22:62 | ...+... | The URL of this request depends on a user-provided value |
-| builtin.go:88:12:88:53 | call to Dial | builtin.go:83:21:83:31 | call to Referer : string | builtin.go:88:27:88:40 | untrustedInput | The URL of this request depends on a user-provided value |
-| builtin.go:102:13:102:40 | call to DialConfig | builtin.go:97:21:97:31 | call to Referer : string | builtin.go:101:36:101:49 | untrustedInput | The URL of this request depends on a user-provided value |
-| builtin.go:114:3:114:39 | call to Dial | builtin.go:111:21:111:31 | call to Referer : string | builtin.go:114:15:114:28 | untrustedInput | The URL of this request depends on a user-provided value |
-| builtin.go:132:3:132:62 | call to DialContext | builtin.go:129:21:129:31 | call to Referer : string | builtin.go:132:38:132:51 | untrustedInput | The URL of this request depends on a user-provided value |
-| new-tests.go:31:2:31:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:31:11:31:57 | call to Sprintf | The URL of this request depends on a user-provided value |
-| new-tests.go:32:2:32:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:32:11:32:57 | call to Sprintf | The URL of this request depends on a user-provided value |
-| new-tests.go:35:3:35:59 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:35:12:35:58 | call to Sprintf | The URL of this request depends on a user-provided value |
-| new-tests.go:47:2:47:47 | call to Get | new-tests.go:39:18:39:30 | call to Param : string | new-tests.go:47:11:47:46 | ...+... | The URL of this request depends on a user-provided value |
-| new-tests.go:50:2:50:47 | call to Get | new-tests.go:49:18:49:30 | call to Query : string | new-tests.go:50:11:50:46 | ...+... | The URL of this request depends on a user-provided value |
-| new-tests.go:68:2:68:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:68:11:68:57 | call to Sprintf | The URL of this request depends on a user-provided value |
-| new-tests.go:69:2:69:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:69:11:69:57 | call to Sprintf | The URL of this request depends on a user-provided value |
-| new-tests.go:74:3:74:59 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:74:12:74:58 | call to Sprintf | The URL of this request depends on a user-provided value |
-| new-tests.go:79:2:79:47 | call to Get | new-tests.go:78:18:78:24 | selection of URL : pointer type | new-tests.go:79:11:79:46 | ...+... | The URL of this request depends on a user-provided value |
-| new-tests.go:82:2:82:47 | call to Get | new-tests.go:81:37:81:43 | selection of URL : pointer type | new-tests.go:82:11:82:46 | ...+... | The URL of this request depends on a user-provided value |
-| new-tests.go:88:2:88:47 | call to Get | new-tests.go:86:10:86:20 | call to Vars : map type | new-tests.go:88:11:88:46 | ...+... | The URL of this request depends on a user-provided value |
-| new-tests.go:96:2:96:47 | call to Get | new-tests.go:95:18:95:45 | call to URLParam : string | new-tests.go:96:11:96:46 | ...+... | The URL of this request depends on a user-provided value |
+| builtin.go:22:12:22:63 | call to Get | builtin.go:19:12:19:34 | call to FormValue : string | builtin.go:22:21:22:62 | ...+... | The URL of this request depends on a user-provided value. |
+| builtin.go:88:12:88:53 | call to Dial | builtin.go:83:21:83:31 | call to Referer : string | builtin.go:88:27:88:40 | untrustedInput | The URL of this request depends on a user-provided value. |
+| builtin.go:102:13:102:40 | call to DialConfig | builtin.go:97:21:97:31 | call to Referer : string | builtin.go:101:36:101:49 | untrustedInput | The URL of this request depends on a user-provided value. |
+| builtin.go:114:3:114:39 | call to Dial | builtin.go:111:21:111:31 | call to Referer : string | builtin.go:114:15:114:28 | untrustedInput | The URL of this request depends on a user-provided value. |
+| builtin.go:132:3:132:62 | call to DialContext | builtin.go:129:21:129:31 | call to Referer : string | builtin.go:132:38:132:51 | untrustedInput | The URL of this request depends on a user-provided value. |
+| new-tests.go:31:2:31:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:31:11:31:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
+| new-tests.go:32:2:32:58 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:32:11:32:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
+| new-tests.go:35:3:35:59 | call to Get | new-tests.go:26:26:26:30 | &... : pointer type | new-tests.go:35:12:35:58 | call to Sprintf | The URL of this request depends on a user-provided value. |
+| new-tests.go:47:2:47:47 | call to Get | new-tests.go:39:18:39:30 | call to Param : string | new-tests.go:47:11:47:46 | ...+... | The URL of this request depends on a user-provided value. |
+| new-tests.go:50:2:50:47 | call to Get | new-tests.go:49:18:49:30 | call to Query : string | new-tests.go:50:11:50:46 | ...+... | The URL of this request depends on a user-provided value. |
+| new-tests.go:68:2:68:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:68:11:68:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
+| new-tests.go:69:2:69:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:69:11:69:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
+| new-tests.go:74:3:74:59 | call to Get | new-tests.go:62:31:62:38 | selection of Body : ReadCloser | new-tests.go:74:12:74:58 | call to Sprintf | The URL of this request depends on a user-provided value. |
+| new-tests.go:79:2:79:47 | call to Get | new-tests.go:78:18:78:24 | selection of URL : pointer type | new-tests.go:79:11:79:46 | ...+... | The URL of this request depends on a user-provided value. |
+| new-tests.go:82:2:82:47 | call to Get | new-tests.go:81:37:81:43 | selection of URL : pointer type | new-tests.go:82:11:82:46 | ...+... | The URL of this request depends on a user-provided value. |
+| new-tests.go:88:2:88:47 | call to Get | new-tests.go:86:10:86:20 | call to Vars : map type | new-tests.go:88:11:88:46 | ...+... | The URL of this request depends on a user-provided value. |
+| new-tests.go:96:2:96:47 | call to Get | new-tests.go:95:18:95:45 | call to URLParam : string | new-tests.go:96:11:96:46 | ...+... | The URL of this request depends on a user-provided value. |
--- a/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.expected
+++ b/go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.expected
@@ -1,4 +1,4 @@
-| WrappedErrorAlwaysNil.go:31:22:31:24 | err | The first argument to 'errors.Wrap' is always nil |
-| WrappedErrorAlwaysNil.go:41:14:41:16 | nil | The first argument to 'errors.Wrap' is always nil |
-| WrappedErrorAlwaysNil.go:45:14:45:16 | err | The first argument to 'errors.Wrap' is always nil |
-| WrappedErrorAlwaysNil.go:49:14:49:21 | localErr | The first argument to 'errors.Wrap' is always nil |
+| WrappedErrorAlwaysNil.go:31:22:31:24 | err | The first argument to 'errors.Wrap' is always nil. |
+| WrappedErrorAlwaysNil.go:41:14:41:16 | nil | The first argument to 'errors.Wrap' is always nil. |
+| WrappedErrorAlwaysNil.go:45:14:45:16 | err | The first argument to 'errors.Wrap' is always nil. |
+| WrappedErrorAlwaysNil.go:49:14:49:21 | localErr | The first argument to 'errors.Wrap' is always nil. |
--- a/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected
+++ b/go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.expected
@@ -13,14 +13,14 @@ nodes
 | test.go:23:21:23:36 | "hello\\\\\\bworld" | semmle.label | "hello\\\\\\bworld" |
 subpaths
 #select
-| SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | $@ that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | A string literal | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | used as a regular expression |
-| test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:7:21:7:24 | "\\a" | A string literal | test.go:7:21:7:24 | "\\a" | used as a regular expression |
-| test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:9:21:9:26 | "\\\\\\a" | A string literal | test.go:9:21:9:26 | "\\\\\\a" | used as a regular expression |
-| test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:10:21:10:27 | "x\\\\\\a" | A string literal | test.go:10:21:10:27 | "x\\\\\\a" | used as a regular expression |
-| test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:12:21:12:28 | "\\\\\\\\\\a" | A string literal | test.go:12:21:12:28 | "\\\\\\\\\\a" | used as a regular expression |
-| test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | A string literal | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | used as a regular expression |
-| test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | A string literal | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | used as a regular expression |
-| test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:20:21:20:34 | "hello\\aworld" | A string literal | test.go:20:21:20:34 | "hello\\aworld" | used as a regular expression |
-| test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | $@ that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:21:21:21:36 | "hello\\\\\\aworld" | A string literal | test.go:21:21:21:36 | "hello\\\\\\aworld" | used as a regular expression |
-| test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | $@ that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:22:21:22:34 | "hello\\bworld" | A string literal | test.go:22:21:22:34 | "hello\\bworld" | used as a regular expression |
-| test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | $@ that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:23:21:23:36 | "hello\\\\\\bworld" | A string literal | test.go:23:21:23:36 | "hello\\\\\\bworld" | used as a regular expression |
+| SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | This string literal that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | SuspiciousCharacterInRegexp.go:6:34:6:55 | "\\bforbidden.host.org" | used as a regular expression |
+| test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | test.go:7:21:7:24 | "\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:7:21:7:24 | "\\a" | used as a regular expression |
+| test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | test.go:9:21:9:26 | "\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:9:21:9:26 | "\\\\\\a" | used as a regular expression |
+| test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | test.go:10:21:10:27 | "x\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:10:21:10:27 | "x\\\\\\a" | used as a regular expression |
+| test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | test.go:12:21:12:28 | "\\\\\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:12:21:12:28 | "\\\\\\\\\\a" | used as a regular expression |
+| test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:14:21:14:30 | "\\\\\\\\\\\\\\a" | used as a regular expression |
+| test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:16:21:16:32 | "\\\\\\\\\\\\\\\\\\a" | used as a regular expression |
+| test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | test.go:20:21:20:34 | "hello\\aworld" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:20:21:20:34 | "hello\\aworld" | used as a regular expression |
+| test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | test.go:21:21:21:36 | "hello\\\\\\aworld" | This string literal that is $@ contains the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text? | test.go:21:21:21:36 | "hello\\\\\\aworld" | used as a regular expression |
+| test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | test.go:22:21:22:34 | "hello\\bworld" | This string literal that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:22:21:22:34 | "hello\\bworld" | used as a regular expression |
+| test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | test.go:23:21:23:36 | "hello\\\\\\bworld" | This string literal that is $@ contains a literal backspace \\b; did you mean \\\\b, a word boundary? | test.go:23:21:23:36 | "hello\\\\\\bworld" | used as a regular expression |
--- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected
+++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected
@@ -20,8 +20,8 @@ nodes
 | sample.go:47:17:47:39 | call to Intn | semmle.label | call to Intn |
 subpaths
 #select
-| InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | $@ generated with a cryptographically weak RNG is used in $@. | InsecureRandomness.go:12:18:12:40 | call to Intn | A random number | InsecureRandomness.go:12:18:12:40 | call to Intn | a password-related function |
-| sample.go:26:25:26:30 | call to Guid | sample.go:15:49:15:61 | call to Uint32 : uint32 | sample.go:26:25:26:30 | call to Guid | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:15:49:15:61 | call to Uint32 | A random number | sample.go:26:25:26:30 | call to Guid | this cryptographic algorithm |
-| sample.go:37:25:37:29 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:25:37:29 | nonce | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:34:12:34:40 | call to New | A random number | sample.go:37:25:37:29 | nonce | this cryptographic algorithm |
-| sample.go:37:32:37:36 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:32:37:36 | nonce | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:34:12:34:40 | call to New | A random number | sample.go:37:32:37:36 | nonce | this cryptographic algorithm |
-| sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | $@ generated with a cryptographically weak RNG is used in $@. | sample.go:43:17:43:39 | call to Intn | A random number | sample.go:43:17:43:39 | call to Intn | a password-related function |
+| InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | InsecureRandomness.go:12:18:12:40 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | InsecureRandomness.go:12:18:12:40 | call to Intn | random number |
+| sample.go:26:25:26:30 | call to Guid | sample.go:15:49:15:61 | call to Uint32 : uint32 | sample.go:26:25:26:30 | call to Guid | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:15:49:15:61 | call to Uint32 | random number |
+| sample.go:37:25:37:29 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:25:37:29 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number |
+| sample.go:37:32:37:36 | nonce | sample.go:34:12:34:40 | call to New : pointer type | sample.go:37:32:37:36 | nonce | This cryptographic algorithm depends on a $@ generated with a cryptographically weak RNG. | sample.go:34:12:34:40 | call to New | random number |
+| sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | sample.go:43:17:43:39 | call to Intn | A password-related function depends on a $@ generated with a cryptographically weak RNG. | sample.go:43:17:43:39 | call to Intn | random number |
--- a/java/kotlin-extractor/build.py
+++ b/java/kotlin-extractor/build.py
@@ -25,6 +25,8 @@ def parse_args():
                        dest='many', help='Build for a single version/kind')
    parser.add_argument('--single-version',
                        help='Build for a specific version/kind')
+    parser.add_argument('--single-version-embeddable', action='store_true',
+                        help='When building a single version, build an embeddable extractor (default is standalone)')
    return parser.parse_args()


@@ -235,7 +237,13 @@ def compile_standalone(version):


 if args.single_version:
-    compile_standalone(args.single_version)
+    if args.single_version_embeddable == True:
+        compile_embeddable(args.single_version)
+    else:
+        compile_standalone(args.single_version)
+elif args.single_version_embeddable == True:
+    print("--single-version-embeddable requires --single-version", file=sys.stderr)
+    sys.exit(1)
 elif args.many:
    for version in kotlin_plugin_versions.many_versions:
        compile_standalone(version)
--- a/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
+++ b/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
--- a/java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt
+++ b/java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt
@@ -411,16 +411,9 @@ open class KotlinUsesExtractor(
        if (replacedArgsIncludingOuterClasses == null || replacedArgsIncludingOuterClasses.isNotEmpty()) {
            // If this is a generic type instantiation or a raw type then it has no
            // source entity, so we need to extract it here
-            val extractorWithCSource by lazy { this.withFileOfClass(replacedClass) }
-
-            if (!instanceSeenBefore) {
-                extractorWithCSource.extractClassInstance(replacedClass, replacedArgsIncludingOuterClasses)
-            }
-
-            if (inReceiverContext && tw.lm.genericSpecialisationsExtracted.add(classLabelResult.classLabel)) {
-                val supertypeMode = if (replacedArgsIncludingOuterClasses == null) ExtractSupertypesMode.Raw else ExtractSupertypesMode.Specialised(replacedArgsIncludingOuterClasses)
-                extractorWithCSource.extractClassSupertypes(replacedClass, classLabel, supertypeMode, true)
-                extractorWithCSource.extractNonPrivateMemberPrototypes(replacedClass, replacedArgsIncludingOuterClasses, classLabel)
+            val shouldExtractClassDetails = inReceiverContext && tw.lm.genericSpecialisationsExtracted.add(classLabelResult.classLabel)
+            if (!instanceSeenBefore || shouldExtractClassDetails) {
+                this.withFileOfClass(replacedClass).extractClassInstance(classLabel, replacedClass, replacedArgsIncludingOuterClasses, !instanceSeenBefore, shouldExtractClassDetails)
            }
        }

@@ -658,6 +651,26 @@ open class KotlinUsesExtractor(
        RETURN, GENERIC_ARGUMENT, OTHER
    }

+    private fun isOnDeclarationStackWithoutTypeParameters(f: IrFunction) =
+        this is KotlinFileExtractor && this.declarationStack.findOverriddenAttributes(f)?.typeParameters?.isEmpty() == true
+
+    private fun isStaticFunctionOnStackBeforeClass(c: IrClass) =
+        this is KotlinFileExtractor && (this.declarationStack.findFirst { it.first == c || it.second?.isStatic == true })?.second?.isStatic == true
+
+    private fun isUnavailableTypeParameter(t: IrType) =
+        t is IrSimpleType && t.classifier.owner.let { owner ->
+            owner is IrTypeParameter && owner.parent.let { parent ->
+                when (parent) {
+                    is IrFunction -> isOnDeclarationStackWithoutTypeParameters(parent)
+                    is IrClass -> isStaticFunctionOnStackBeforeClass(parent)
+                    else -> false
+                }
+            }
+        }
+
+    private fun argIsUnavailableTypeParameter(t: IrTypeArgument) =
+        t is IrTypeProjection && isUnavailableTypeParameter(t.type)
+
    private fun useSimpleType(s: IrSimpleType, context: TypeContext): TypeResults {
        if (s.abbreviation != null) {
            // TODO: Extract this information
@@ -729,11 +742,13 @@ open class KotlinUsesExtractor(
            }

            owner is IrClass -> {
-                val args = if (s.isRawType()) null else s.arguments
+                val args = if (s.isRawType() || s.arguments.any { argIsUnavailableTypeParameter(it) }) null else s.arguments

                return useSimpleTypeClass(owner, args, s.isNullable())
            }
            owner is IrTypeParameter -> {
+                if (isUnavailableTypeParameter(s))
+                    return useType(erase(s), context)
                val javaResult = useTypeParameter(owner)
                val aClassId = makeClass("kotlin", "TypeParam") // TODO: Wrong
                val kotlinResult = if (true) TypeResult(fakeKotlinType(), "TODO", "TODO") else
@@ -1043,9 +1058,9 @@ open class KotlinUsesExtractor(
            f.parent,
            maybeParentId,
            getFunctionShortName(f).nameInDB,
-            maybeParameterList ?: f.valueParameters,
+            (maybeParameterList ?: f.valueParameters).map { it.type },
            getAdjustedReturnType(f),
-            f.extensionReceiverParameter,
+            f.extensionReceiverParameter?.type,
            getFunctionTypeParameters(f),
            classTypeArgsIncludingOuterClasses,
            overridesCollectionsMethodWithAlteredParameterTypes(f),
@@ -1067,12 +1082,12 @@ open class KotlinUsesExtractor(
        maybeParentId: Label<out DbElement>?,
        // The name of the function; normally f.name.asString().
        name: String,
-        // The value parameters that the functions takes; normally f.valueParameters.
-        parameters: List<IrValueParameter>,
+        // The types of the value parameters that the functions takes; normally f.valueParameters.map { it.type }.
+        parameterTypes: List<IrType>,
        // The return type of the function; normally f.returnType.
        returnType: IrType,
-        // The extension receiver of the function, if any; normally f.extensionReceiverParameter.
-        extensionReceiverParameter: IrValueParameter?,
+        // The extension receiver of the function, if any; normally f.extensionReceiverParameter?.type.
+        extensionParamType: IrType?,
        // The type parameters of the function. This does not include type parameters of enclosing classes.
        functionTypeParameters: List<IrTypeParameter>,
        // The type arguments of enclosing classes of the function.
@@ -1089,11 +1104,7 @@ open class KotlinUsesExtractor(
        prefix: String = "callable"
    ): String {
        val parentId = maybeParentId ?: useDeclarationParent(parent, false, classTypeArgsIncludingOuterClasses, true)
-        val allParams = if (extensionReceiverParameter == null) {
-                            parameters
-                        } else {
-                            listOf(extensionReceiverParameter) + parameters
-                        }
+        val allParamTypes = if (extensionParamType == null) parameterTypes else listOf(extensionParamType) + parameterTypes

        val substitutionMap = classTypeArgsIncludingOuterClasses?.let { notNullArgs ->
            if (notNullArgs.isEmpty()) {
@@ -1103,11 +1114,11 @@ open class KotlinUsesExtractor(
                enclosingClass?.let { notNullClass -> makeTypeGenericSubstitutionMap(notNullClass, notNullArgs) }
            }
        }
-        val getIdForFunctionLabel = { it: IndexedValue<IrValueParameter> ->
+        val getIdForFunctionLabel = { it: IndexedValue<IrType> ->
            // Kotlin rewrites certain Java collections types adding additional generic constraints-- for example,
            // Collection.remove(Object) because Collection.remove(Collection::E) in the Kotlin universe.
            // If this has happened, erase the type again to get the correct Java signature.
-            val maybeAmendedForCollections = if (overridesCollectionsMethod) eraseCollectionsMethodParameterType(it.value.type, name, it.index) else it.value.type
+            val maybeAmendedForCollections = if (overridesCollectionsMethod) eraseCollectionsMethodParameterType(it.value, name, it.index) else it.value
            // Add any wildcard types that the Kotlin compiler would add in the Java lowering of this function:
            val withAddedWildcards = addJavaLoweringWildcards(maybeAmendedForCollections, addParameterWildcardsByDefault, javaSignature?.let { sig -> getJavaValueParameterType(sig, it.index) })
            // Now substitute any class type parameters in:
@@ -1117,7 +1128,7 @@ open class KotlinUsesExtractor(
            val maybeErased = if (functionTypeParameters.isEmpty()) maybeSubbed else erase(maybeSubbed)
            "{${useType(maybeErased).javaResult.id}}"
        }
-        val paramTypeIds = allParams.withIndex().joinToString(separator = ",", transform = getIdForFunctionLabel)
+        val paramTypeIds = allParamTypes.withIndex().joinToString(separator = ",", transform = getIdForFunctionLabel)
        val labelReturnType =
            if (name == "<init>")
                pluginContext.irBuiltIns.unitType
@@ -1551,7 +1562,7 @@ open class KotlinUsesExtractor(
     * Note that `Array<T>` is retained (with `T` itself erased) because these are expected to be lowered to Java
     * arrays, which are not generic.
     */
-    private fun erase (t: IrType): IrType {
+    fun erase (t: IrType): IrType {
        if (t is IrSimpleType) {
            val classifier = t.classifier
            val owner = classifier.owner
@@ -1578,6 +1589,8 @@ open class KotlinUsesExtractor(
    private fun eraseTypeParameter(t: IrTypeParameter) =
        erase(t.superTypes[0])

+    fun getValueParameterLabel(parentId: Label<out DbElement>?, idx: Int) = "@\"params;{$parentId};$idx\""
+
    /**
     * Gets the label for `vp` in the context of function instance `parent`, or in that of its declaring function if
     * `parent` is null.
@@ -1607,7 +1620,7 @@ open class KotlinUsesExtractor(
            logger.error("Unexpected negative index for parameter")
        }

-        return "@\"params;{$parentId};$idx\""
+        return getValueParameterLabel(parentId, idx)
    }


@@ -1669,7 +1682,7 @@ open class KotlinUsesExtractor(
            val returnType = getter?.returnType ?: setter?.valueParameters?.singleOrNull()?.type ?: pluginContext.irBuiltIns.unitType
            val typeParams = getFunctionTypeParameters(func)

-            getFunctionLabel(p.parent, parentId, p.name.asString(), listOf(), returnType, ext, typeParams, classTypeArgsIncludingOuterClasses, overridesCollectionsMethod = false, javaSignature = null, addParameterWildcardsByDefault = false, prefix = "property")
+            getFunctionLabel(p.parent, parentId, p.name.asString(), listOf(), returnType, ext.type, typeParams, classTypeArgsIncludingOuterClasses, overridesCollectionsMethod = false, javaSignature = null, addParameterWildcardsByDefault = false, prefix = "property")
        }
    }

--- a/java/ql/consistency-queries/visibility.ql
+++ b/java/ql/consistency-queries/visibility.ql
@@ -10,6 +10,8 @@ string visibility(Method m) {
  result = "internal" and m.isInternal()
 }

+predicate hasPackagePrivateVisibility(Method m) { not exists(visibility(m)) }
+
 // TODO: This ought to check more than just methods
 from Method m
 where
@@ -19,5 +21,6 @@ where
  // TODO: This ought to have visibility information
  not m.getName() = "<clinit>" and
  count(visibility(m)) != 1 and
-  not (count(visibility(m)) = 2 and visibility(m) = "public" and visibility(m) = "internal") // This is a reasonable result, since the JVM symbol is declared public, but Kotlin metadata flags it as internal
+  not (count(visibility(m)) = 2 and visibility(m) = "public" and visibility(m) = "internal") and // This is a reasonable result, since the JVM symbol is declared public, but Kotlin metadata flags it as internal
+  not (hasPackagePrivateVisibility(m) and m.getName().matches("%$default")) // This is a reasonable result because the $default forwarder methods corresponding to private methods are package-private.
 select m, concat(visibility(m), ", ")
--- a/java/ql/integration-tests/posix-only/kotlin/gradle_kotlinx_serialization/PrintAst.expected
+++ b/java/ql/integration-tests/posix-only/kotlin/gradle_kotlinx_serialization/PrintAst.expected
@@ -65,7 +65,48 @@ app/src/main/kotlin/testProject/App.kt:
 #    0|             -3: [TypeAccess] Project
 #    0|             0: [VarAccess] name
 #    0|             1: [VarAccess] language
-#    0|     5: [Method] equals
+#    0|     5: [Method] copy$default
+#    0|       3: [TypeAccess] Project
+#-----|       4: (Parameters)
+#    0|         0: [Parameter] p0
+#    0|           0: [TypeAccess] Project
+#    0|         1: [Parameter] p1
+#    0|           0: [TypeAccess] String
+#    0|         2: [Parameter] p2
+#    0|           0: [TypeAccess] int
+#    0|         3: [Parameter] p3
+#    0|           0: [TypeAccess] int
+#    0|         4: [Parameter] p4
+#    0|           0: [TypeAccess] Object
+#    0|       5: [BlockStmt] { ... }
+#    0|         0: [IfStmt] if (...)
+#    0|           0: [EQExpr] ... == ...
+#    0|             0: [AndBitwiseExpr] ... & ...
+#    0|               0: [IntegerLiteral] 1
+#    0|               1: [VarAccess] p3
+#    0|             1: [IntegerLiteral] 0
+#    0|           1: [ExprStmt] <Expr>;
+#    0|             0: [AssignExpr] ...=...
+#    0|               0: [VarAccess] p1
+#    0|               1: [VarAccess] p0.name
+#    0|                 -1: [VarAccess] p0
+#    0|         1: [IfStmt] if (...)
+#    0|           0: [EQExpr] ... == ...
+#    0|             0: [AndBitwiseExpr] ... & ...
+#    0|               0: [IntegerLiteral] 2
+#    0|               1: [VarAccess] p3
+#    0|             1: [IntegerLiteral] 0
+#    0|           1: [ExprStmt] <Expr>;
+#    0|             0: [AssignExpr] ...=...
+#    0|               0: [VarAccess] p2
+#    0|               1: [VarAccess] p0.language
+#    0|                 -1: [VarAccess] p0
+#    0|         2: [ReturnStmt] return ...
+#    0|           0: [MethodAccess] copy(...)
+#    0|             -1: [VarAccess] p0
+#    0|             0: [VarAccess] p1
+#    0|             1: [VarAccess] p2
+#    0|     6: [Method] equals
 #    0|       3: [TypeAccess] boolean
 #-----|       4: (Parameters)
 #    0|         0: [Parameter] other
@@ -114,7 +155,7 @@ app/src/main/kotlin/testProject/App.kt:
 #    0|                 0: [BooleanLiteral] false
 #    0|         5: [ReturnStmt] return ...
 #    0|           0: [BooleanLiteral] true
-#    0|     6: [Method] hashCode
+#    0|     7: [Method] hashCode
 #    0|       3: [TypeAccess] int
 #    0|       5: [BlockStmt] { ... }
 #    0|         0: [LocalVariableDeclStmt] var ...;
@@ -134,7 +175,7 @@ app/src/main/kotlin/testProject/App.kt:
 #    0|                   -1: [ThisAccess] this
 #    0|         2: [ReturnStmt] return ...
 #    0|           0: [VarAccess] result
-#    0|     7: [Method] toString
+#    0|     8: [Method] toString
 #    0|       3: [TypeAccess] String
 #    0|       5: [BlockStmt] { ... }
 #    0|         0: [ReturnStmt] return ...
@@ -148,7 +189,7 @@ app/src/main/kotlin/testProject/App.kt:
 #    0|             5: [VarAccess] this.language
 #    0|               -1: [ThisAccess] this
 #    0|             6: [StringLiteral] )
-#    0|     8: [Method] write$Self
+#    0|     9: [Method] write$Self
 #    0|       3: [TypeAccess] Unit
 #-----|       4: (Parameters)
 #    0|         0: [Parameter] self
@@ -172,7 +213,7 @@ app/src/main/kotlin/testProject/App.kt:
 #    7|             1: [IntegerLiteral] 1
 #    7|             2: [MethodAccess] getLanguage(...)
 #    7|               -1: [VarAccess] self
-#    7|     9: [Class] $serializer
+#    7|     10: [Class] $serializer
 #    0|       1: [FieldDeclaration] SerialDescriptor descriptor;
 #    0|         -1: [TypeAccess] SerialDescriptor
 #    0|       2: [Method] childSerializers
@@ -384,7 +425,7 @@ app/src/main/kotlin/testProject/App.kt:
 #    7|                   -1: [ThisAccess] $serializer.this
 #    7|                     0: [TypeAccess] $serializer
 #    7|                 1: [VarAccess] tmp0_serialDesc
-#    7|     10: [Class] Companion
+#    7|     11: [Class] Companion
 #    0|       1: [Method] serializer
 #    0|         3: [TypeAccess] KSerializer<Project>
 #    0|           0: [TypeAccess] Project
@@ -395,7 +436,7 @@ app/src/main/kotlin/testProject/App.kt:
 #    7|         5: [BlockStmt] { ... }
 #    7|           0: [SuperConstructorInvocationStmt] super(...)
 #    7|           1: [BlockStmt] { ... }
-#    8|     11: [Constructor] Project
+#    8|     12: [Constructor] Project
 #-----|       4: (Parameters)
 #    8|         0: [Parameter] name
 #    8|           0: [TypeAccess] String
@@ -410,21 +451,21 @@ app/src/main/kotlin/testProject/App.kt:
 #    8|           1: [ExprStmt] <Expr>;
 #    8|             0: [KtInitializerAssignExpr] ...=...
 #    8|               0: [VarAccess] language
-#    8|     12: [FieldDeclaration] String name;
+#    8|     13: [FieldDeclaration] String name;
 #    8|       -1: [TypeAccess] String
 #    8|       0: [VarAccess] name
-#    8|     13: [Method] getName
+#    8|     14: [Method] getName
 #    8|       3: [TypeAccess] String
 #    8|       5: [BlockStmt] { ... }
 #    8|         0: [ReturnStmt] return ...
 #    8|           0: [VarAccess] this.name
 #    8|             -1: [ThisAccess] this
-#    8|     14: [Method] getLanguage
+#    8|     15: [Method] getLanguage
 #    8|       3: [TypeAccess] int
 #    8|       5: [BlockStmt] { ... }
 #    8|         0: [ReturnStmt] return ...
 #    8|           0: [VarAccess] this.language
 #    8|             -1: [ThisAccess] this
-#    8|     15: [FieldDeclaration] int language;
+#    8|     16: [FieldDeclaration] int language;
 #    8|       -1: [TypeAccess] int
 #    8|       0: [VarAccess] language
--- a/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/User.java
+++ b/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/User.java
@@ -1,39 +0,0 @@
-public class User {
-
-  public static String source() { return "taint"; }
-
-  public static void test(Test2 t2, GenericTest<Integer> gt) {
-
-    Test.taintSuppliedAsDefault(1, "no taint", 2);
-    Test.taintSuppliedAsDefault(1, 2);
-    Test.noTaintByDefault(1, source(), 2, 3);
-    Test.noTaintByDefault(1, source(), 2);
-
-    Test2.taintSuppliedAsDefaultStatic(1, "no taint", 2);
-    Test2.taintSuppliedAsDefaultStatic(1, 2);
-    Test2.noTaintByDefaultStatic(1, source(), 2, 3);
-    Test2.noTaintByDefaultStatic(1, source(), 2);
-
-    t2.taintSuppliedAsDefault(1, "no taint", 2);
-    t2.taintSuppliedAsDefault(1, 2);
-    t2.noTaintByDefault(1, source(), 2, 3);
-    t2.noTaintByDefault(1, source(), 2);
-
-    gt.taintSuppliedAsDefault(1, "no taint", 2);
-    gt.taintSuppliedAsDefault(1, 2);
-    gt.noTaintByDefault(1, source(), 2, 3);
-    gt.noTaintByDefault(1, source(), 2);
-
-    new ConstructorTaintsByDefault(1, "no taint", 2);
-    new ConstructorTaintsByDefault(1, 2);
-    new ConstructorDoesNotTaintByDefault(1, source(), 2, 3);
-    new ConstructorDoesNotTaintByDefault(1, source(), 2);
-
-    new GenericConstructorTaintsByDefault<Integer>(1, "no taint", 2);
-    new GenericConstructorTaintsByDefault<Integer>(1, 2);
-    new GenericConstructorDoesNotTaintByDefault<Integer>(1, source(), 2, 3);
-    new GenericConstructorDoesNotTaintByDefault<Integer>(1, source(), 2);
-
-  }
-
-}
--- a/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.expected
+++ b/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.expected
@@ -1,19 +0,0 @@
-| User.java:9:30:9:37 | source(...) | test.kt:13:97:13:97 | s |
-| User.java:10:30:10:37 | source(...) | test.kt:13:97:13:97 | s |
-| User.java:14:37:14:44 | source(...) | test.kt:25:105:25:105 | s |
-| User.java:15:37:15:44 | source(...) | test.kt:25:105:25:105 | s |
-| User.java:19:28:19:35 | source(...) | test.kt:33:97:33:97 | s |
-| User.java:20:28:20:35 | source(...) | test.kt:33:97:33:97 | s |
-| User.java:24:28:24:35 | source(...) | test.kt:43:93:43:93 | s |
-| User.java:25:28:25:35 | source(...) | test.kt:43:93:43:93 | s |
-| User.java:29:45:29:52 | source(...) | test.kt:58:10:58:10 | s |
-| User.java:30:45:30:52 | source(...) | test.kt:58:10:58:10 | s |
-| User.java:34:61:34:68 | source(...) | test.kt:74:10:74:10 | s |
-| User.java:35:61:35:68 | source(...) | test.kt:74:10:74:10 | s |
-| test.kt:10:55:10:62 | source(...) | test.kt:10:84:10:84 | s |
-| test.kt:22:63:22:70 | source(...) | test.kt:22:92:22:92 | s |
-| test.kt:22:63:22:70 | source(...) | test.kt:22:92:22:92 | s |
-| test.kt:30:55:30:62 | source(...) | test.kt:30:84:30:84 | s |
-| test.kt:40:53:40:60 | source(...) | test.kt:40:80:40:80 | s |
-| test.kt:47:92:47:99 | source(...) | test.kt:50:10:50:10 | s |
-| test.kt:63:100:63:107 | source(...) | test.kt:66:10:66:10 | s |
--- a/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.kt
+++ b/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.kt
@@ -1,78 +0,0 @@
-fun getString() = "Hello world"
-
-fun source() = "tainted"
-
-fun sink(s: String) { }
-
-object Test {
-
-  @JvmOverloads @JvmStatic
-  fun taintSuppliedAsDefault(before: Int, s: String = source(), after: Int) { sink(s) }
-  
-  @JvmOverloads @JvmStatic
-  fun noTaintByDefault(before: Int, s: String = "no taint", after: Int, after2: Int = 1) { sink(s) }
-
-}
-
-public class Test2 {
-
-  companion object {
-
-    @JvmOverloads @JvmStatic
-    fun taintSuppliedAsDefaultStatic(before: Int, s: String = source(), after: Int) { sink(s) }
-
-    @JvmOverloads @JvmStatic
-    fun noTaintByDefaultStatic(before: Int, s: String = "no taint", after: Int, after2: Int = 1) { sink(s) }
-
-  }
-
-  @JvmOverloads
-  fun taintSuppliedAsDefault(before: Int, s: String = source(), after: Int) { sink(s) }
-
-  @JvmOverloads
-  fun noTaintByDefault(before: Int, s: String = "no taint", after: Int, after2: Int = 1) { sink(s) }
-
-}
-
-public class GenericTest<T> {
-
-  @JvmOverloads
-  fun taintSuppliedAsDefault(before: T, s: String = source(), after: T) { sink(s) }
-
-  @JvmOverloads
-  fun noTaintByDefault(before: T, s: String = "no taint", after: T, after2: Int = 1) { sink(s) }
-
-}
-
-public class ConstructorTaintsByDefault @JvmOverloads constructor(before: Int, s: String = source(), after: Int) {
-
-  init {
-    sink(s)
-  }
-
-}
-
-public class ConstructorDoesNotTaintByDefault @JvmOverloads constructor(before: Int, s: String = "no taint", after: Int, after2: Int = 1) {
-
-  init {
-    sink(s)
-  }
-   
-}
-
-public class GenericConstructorTaintsByDefault<T> @JvmOverloads constructor(before: T, s: String = source(), after: T) {  
-
-  init {
-    sink(s)
-  }
-   
-}
- 
-public class GenericConstructorDoesNotTaintByDefault<T> @JvmOverloads constructor(before: T, s: String = "no taint", after: T, after2: T? = null) { 
-
-  init {
-    sink(s)
-  }
-
-}
-
--- a/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.py
+++ b/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.py
@@ -1,4 +0,0 @@
-from create_database_utils import *
-
-os.mkdir('kbuild')
-run_codeql_database_create(["kotlinc test.kt -d kbuild", "javac User.java -cp kbuild"], lang="java")
--- a/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.ql
+++ b/java/ql/integration-tests/posix-only/kotlin/jvmoverloads_flow/test.ql
@@ -1,18 +0,0 @@
-import java
-import semmle.code.java.dataflow.DataFlow
-
-class Config extends DataFlow::Configuration {
-  Config() { this = "config" }
-
-  override predicate isSource(DataFlow::Node n) {
-    n.asExpr().(MethodAccess).getCallee().getName() = "source"
-  }
-
-  override predicate isSink(DataFlow::Node n) {
-    n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
-  }
-}
-
-from Config c, DataFlow::Node source, DataFlow::Node sink
-where c.hasFlow(source, sink)
-select source, sink
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.4.1
+
+### Minor Analysis Improvements
+
+* Added external flow sources for the intents received in exported Android services.
+
 ## 0.4.0

 ### Breaking Changes
--- a/java/ql/lib/change-notes/2022-09-22-android-deeplink-flow-steps.md
+++ b/java/ql/lib/change-notes/2022-09-22-android-deeplink-flow-steps.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added data flow steps for tainted Android intents that are sent to services and receivers.
+* Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered.
--- a/java/ql/lib/change-notes/2022-09-22-android-deprecate-contextstartactivitymethod.md
+++ b/java/ql/lib/change-notes/2022-09-22-android-deprecate-contextstartactivitymethod.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* Deprecated `ContextStartActivityMethod`. Use `StartActivityMethod` instead.
--- a/java/ql/lib/change-notes/2022-09-23-android-service-sources.md
+++ b/java/ql/lib/change-notes/2022-09-23-android-service-sources.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 0.4.1
+
+### Minor Analysis Improvements
+
 * Added external flow sources for the intents received in exported Android services.
--- a/Show More
+++ b/Show More