C++: Accept changes to library-tests/dataflow/taint-tests

This is a side-effect of us now paying attention to the "Unexpected
eok_lvalue" warning.

.codeqlmanifest.json

@@ -1,6 +1,5 @@
 { "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
-               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",

.github/workflows/check-change-note.yml

@@ -19,5 +19,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
-          grep true -c
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
+          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status

.github/workflows/close-stale.yml

@@ -1,30 +0,0 @@
-name: Mark stale issues
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "30 1 * * *"
-
-jobs:
-  stale:
-    if: github.repository == 'github/codeql'
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/stale@v3
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
-        close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
-        days-before-stale: 14
-        days-before-close: 7
-        only-labels: awaiting-response
-
-        # do not mark PRs as stale
-        days-before-pr-stale: -1
-        days-before-pr-close: -1
-
-        # Uncomment for dry-run
-        # debug-only: true
-        # operations-per-run: 1000

.github/workflows/codeql-analysis.yml

@@ -19,18 +19,13 @@ jobs:
 
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: read
-
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
+      uses: github/codeql-action/init@v1
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: csharp
@@ -39,7 +34,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@main
+      uses: github/codeql-action/autobuild@v1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -53,4 +48,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main
+      uses: github/codeql-action/analyze@v1

.github/workflows/csv-coverage.yml

@@ -1,77 +0,0 @@
-name: Build/check CSV flow coverage report
-
-on:
-  workflow_dispatch:
-    inputs:
-      qlModelShaOverride:
-        description: 'github/codeql repo SHA used for looking up the CSV models'
-        required: false
-  push:
-    branches:
-     - main
-     - 'rc/**'
-  pull_request:
-    paths:
-      - '.github/workflows/csv-coverage.yml'
-      - '*/ql/src/**/*.ql'
-      - '*/ql/src/**/*.qll'
-      - 'misc/scripts/library-coverage/*.py'
-      # input data files
-      - '*/documentation/library-coverage/cwe-sink.csv'
-      - '*/documentation/library-coverage/frameworks.csv'
-      # coverage report files
-      - '*/documentation/library-coverage/flow-model-coverage.csv'
-      - '*/documentation/library-coverage/flow-model-coverage.rst'
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: script
-    - name: Clone self (github/codeql) at a given SHA for analysis
-      if: github.event.inputs.qlModelShaOverride != ''
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        ref: github.event.inputs.qlModelShaOverride
-    - name: Clone self (github/codeql) for analysis
-      if: github.event.inputs.qlModelShaOverride == ''
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
-      with:
-        repo: "github/codeql-cli-binaries"
-        version: "latest"
-        file: "codeql-linux64.zip"
-        token: ${{ secrets.GITHUB_TOKEN }}
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Build modeled package list
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
-    - name: Upload CSV package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: csv-flow-model-coverage
-        path: flow-model-coverage-*.csv
-    - name: Upload RST package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: rst-flow-model-coverage
-        path: flow-model-coverage-*.rst
-    # - name: Check coverage files
-    #   if: github.event.pull_request
-    #   run: |
-    #     python script/misc/scripts/library-coverage/compare-files.py codeqlModels
-

config/identical-files.json

@@ -5,7 +5,6 @@
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
@@ -57,10 +56,6 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
     "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
   ],
-  "DataFlow Java/C# Flow Summaries": [
-    "java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
-  ],
   "SsaReadPosition Java/C#": [
     "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
@@ -250,10 +245,6 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
-  "SSA PrintAliasAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
-  ],
   "C++ SSA AliasAnalysisImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
@@ -443,10 +434,6 @@
   ],
   "CryptoAlgorithms Python/JS": [
     "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
-  ],
-  "SensitiveDataHeuristics Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
-    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
+    "python/ql/src/semmle/crypto/Crypto.qll"
   ]
-}
+}

cpp/change-notes/2021-03-11-overflow-abs.md

@@ -1,2 +0,0 @@
-lgtm
-* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

cpp/change-notes/2021-04-06-assign-where-compare-meant.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.

cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.

cpp/change-notes/2021-04-13-arithmetic-queries.md

@@ -1,2 +0,0 @@
-lgtm
-* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

cpp/change-notes/2021-04-21-return-stack-allocated-object.md

@@ -1,2 +0,0 @@
-codescanning
-* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).

cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.

cpp/change-notes/2021-05-10-comparison-with-wider-type.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.

cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-18-static-buffer-overflow.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md

@@ -1,2 +0,0 @@
-lgtm
-* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

cpp/change-notes/2021-05-20-ref-qualifiers.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).

cpp/change-notes/2021-05-21-unsafe-strncat.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

cpp/change-notes/2021-06-10-std-types.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
-* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
-* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
- * @security-severity 5.9
  * @precision medium
  * @tags reliability
  *       security

cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.qhelp

@@ -39,7 +39,7 @@ then replace all the relevant occurrences in the code.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.qhelp

@@ -38,7 +38,7 @@ constant.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

cpp/ql/src/Best Practices/SloppyGlobal.qhelp

@@ -21,7 +21,7 @@ Review the purpose of the each global variable flagged by this rule and update e
 
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 1: Naming, Rec 1.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 1: Naming, Rec 1.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.

cpp/ql/src/Best Practices/UseOfGoto.qhelp

@@ -45,7 +45,7 @@ this rule.
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
-  (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.

cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/descriptor-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/descriptor-never-closed
  * @problem.severity warning
- * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileMayNotBeClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/file-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileNeverClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/file-never-closed
  * @problem.severity warning
- * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/GlobalUseBeforeInit.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/global-use-before-init
  * @problem.severity warning
- * @security-severity 6.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-457

cpp/ql/src/Critical/InconsistentNullnessTesting.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/inconsistent-nullness-testing
  * @problem.severity warning
- * @security-severity 3.6
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/InitialisationNotRun.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/initialization-not-run
  * @problem.severity warning
- * @security-severity 6.4
  * @tags reliability
  *       security
  *       external/cwe/cwe-456

cpp/ql/src/Critical/LateNegativeTest.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/late-negative-test
  * @problem.severity warning
- * @security-severity 10.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MemoryMayNotBeFreed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/memory-may-not-be-freed
  * @problem.severity warning
- * @security-severity 3.6
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MemoryNeverFreed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/memory-never-freed
  * @problem.severity warning
- * @security-severity 3.6
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MissingNegativityTest.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/missing-negativity-test
  * @problem.severity warning
- * @security-severity 10.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MissingNullTest.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/missing-null-test
  * @problem.severity recommendation
- * @security-severity 3.6
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/NewFreeMismatch.ql

@@ -3,7 +3,6 @@
  * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
  * @precision high
  * @id cpp/new-free-mismatch
  * @tags reliability

cpp/ql/src/Critical/OverflowCalculated.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/overflow-calculated
  * @problem.severity warning
- * @security-severity 5.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-131

cpp/ql/src/Critical/OverflowDestination.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/overflow-destination
  * @problem.severity warning
- * @security-severity 10.0
  * @precision low
  * @tags reliability
  *       security

cpp/ql/src/Critical/OverflowStatic.ql

@@ -4,7 +4,6 @@
  *              may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
  * @precision medium
  * @id cpp/static-buffer-overflow
  * @tags reliability
@@ -15,7 +14,6 @@
 
 import cpp
 import semmle.code.cpp.commons.Buffer
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import LoopBounds
 
 private predicate staticBufferBase(VariableAccess access, Variable v) {
@@ -53,8 +51,6 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
     loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
     loop.limit() >= bufaccess.bufferSize() and
     loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
-    // Ensure that we don't have an upper bound on the array index that's less than the buffer size.
-    not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
     msg =
       "Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
         loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -98,22 +94,17 @@ class CallWithBufferSize extends FunctionCall {
   }
 
   int statedSizeValue() {
-    // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
-    // result in this case we pick the minimum value obtainable from dataflow and range analysis.
-    result =
-      upperBound(statedSizeExpr())
-          .minimum(min(Expr statedSizeSrc |
-              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
-            |
-              statedSizeSrc.getValue().toInt()
-            ))
+    exists(Expr statedSizeSrc |
+      DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
+      result = statedSizeSrc.getValue().toInt()
+    )
   }
 }
 
 predicate wrongBufferSize(Expr error, string msg) {
   exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
     staticBuffer(call.buffer(), buf, bufsize) and
-    statedSize = call.statedSizeValue() and
+    statedSize = min(call.statedSizeValue()) and
     statedSize > bufsize and
     error = call.statedSizeExpr() and
     msg =

cpp/ql/src/Critical/ReturnStackAllocatedObject.ql

@@ -4,12 +4,9 @@
  * @kind problem
  * @id cpp/return-stack-allocated-object
  * @problem.severity warning
- * @security-severity 2.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-562
- * @deprecated This query is not suitable for production use and has been deprecated. Use
- *             cpp/return-stack-allocated-memory instead.
  */
 
 import semmle.code.cpp.pointsto.PointsTo

cpp/ql/src/Critical/ReturnValueIgnored.qhelp

@@ -7,7 +7,7 @@
 <overview>
 <p>
 This rule finds calls to a function that ignore the return value. A function call is only marked 
-as a violation if at least 90% of the total calls to that function check the return value. Not
+as a violation if at least 80% of the total calls to that function check the return value. Not 
 checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
 These functions return the status information and the return values should always be checked 
 to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
@@ -32,7 +32,7 @@ Check the return value of functions that return status information.
 <references>
 
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
 </li>
 <li>
   The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.

cpp/ql/src/Critical/ReturnValueIgnored.ql

@@ -1,6 +1,6 @@
 /**
  * @name Return value of a function is ignored
- * @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
+ * @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
  * @kind problem
  * @id cpp/return-value-ignored
  * @problem.severity recommendation

cpp/ql/src/Critical/SizeCheck.ql

@@ -4,7 +4,6 @@
  *              an instance of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
  * @precision medium
  * @id cpp/allocation-too-small
  * @tags reliability

cpp/ql/src/Critical/SizeCheck2.ql

@@ -4,7 +4,6 @@
  *              multiple instances of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
  * @precision medium
  * @id cpp/suspicious-allocation-size
  * @tags reliability

cpp/ql/src/Critical/UseAfterFree.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/use-after-free
  * @problem.severity warning
- * @security-severity 5.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-416

cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql

@@ -6,7 +6,6 @@
  *              to a larger type.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
  * @precision very-high
  * @id cpp/bad-addition-overflow-check
  * @tags reliability

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -4,7 +4,6 @@
  *              be a sign that the result can overflow the type converted from.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision high
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability

cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql

@@ -5,13 +5,10 @@
  *              unsigned integer values.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision high
  * @id cpp/signed-overflow-check
  * @tags correctness
  *       security
- *       external/cwe/cwe-128
- *       external/cwe/cwe-190
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql

@@ -6,14 +6,13 @@
  *              use the width of the base type, leading to misaligned reads.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 10.0
  * @precision high
- * @id cpp/upcast-array-pointer-arithmetic
  * @tags correctness
  *       reliability
  *       security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-843
+ * @id cpp/upcast-array-pointer-arithmetic
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -6,7 +6,6 @@
  *              from an untrusted source, this can be used for exploits.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 6.9
  * @precision high
  * @id cpp/non-constant-format
  * @tags maintainability

cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql

@@ -3,14 +3,11 @@
  * @description Using the return value from snprintf without proper checks can cause overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision high
  * @id cpp/overflowing-snprintf
  * @tags reliability
  *       correctness
  *       security
- *       external/cwe/cwe-190
- *       external/cwe/cwe-253
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql

@@ -4,13 +4,11 @@
  *              a source of security issues.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
  * @precision high
  * @id cpp/wrong-number-format-arguments
  * @tags reliability
  *       correctness
  *       security
- *       external/cwe/cwe-234
  *       external/cwe/cwe-685
  */
 

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -4,7 +4,6 @@
  *              behavior.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
  * @precision high
  * @id cpp/wrong-type-format-argument
  * @tags reliability

cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql

@@ -54,7 +54,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
   override predicate isWhitelisted() {
     this.getConversion().(ParenthesisExpr).isParenthesised()
     or
-    // Allow this assignment if all comparison operations in the expression that this
+    // whitelist this assignment if all comparison operations in the expression that this
     // assignment is part of, are not parenthesized. In that case it seems like programmer
     // is fine with unparenthesized comparison operands to binary logical operators, and
     // the parenthesis around this assignment was used to call it out as an assignment.
@@ -62,21 +62,6 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
     forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
       not op.isParenthesised()
     )
-    or
-    // Match a pattern like:
-    // ```
-    // if((a = b) && use_value(a)) { ... }
-    // ```
-    // where the assignment is meant to update the value of `a` before it's used in some other boolean
-    // subexpression that is guarenteed to be evaluate _after_ the assignment.
-    this.isParenthesised() and
-    exists(LogicalAndExpr parent, Variable var, VariableAccess access |
-      var = this.getLValue().(VariableAccess).getTarget() and
-      access = var.getAnAccess() and
-      not access.isUsedAsLValue() and
-      parent.getRightOperand() = access.getParent*() and
-      parent.getLeftOperand() = this.getParent*()
-    )
   }
 }
 

cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/incorrect-not-operator-usage
  * @problem.severity warning
- * @security-severity 3.6
  * @precision medium
  * @tags security
  *       external/cwe/cwe-480

cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp

@@ -26,7 +26,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
   MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
 </li>
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
 </li>
 
 

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -3,7 +3,6 @@
  * @description Using alloca in a loop can lead to a stack overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
  * @precision high
  * @id cpp/alloca-in-loop
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/improper-null-termination
  * @problem.severity warning
- * @security-severity 5.9
  * @tags security
  *       external/cwe/cwe-170
  *       external/cwe/cwe-665

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql

@@ -4,12 +4,10 @@
  *              on undefined behavior and may lead to memory corruption.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
  * @precision high
  * @id cpp/pointer-overflow-check
  * @tags reliability
  *       security
- *       external/cwe/cwe-758
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/potential-buffer-overflow
  * @problem.severity warning
- * @security-severity 10.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-676

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -13,7 +13,6 @@
 
 import cpp
 import semmle.code.cpp.dataflow.EscapesTree
-import semmle.code.cpp.models.interfaces.PointerWrapper
 import semmle.code.cpp.dataflow.DataFlow
 
 /**
@@ -40,10 +39,6 @@ predicate hasNontrivialConversion(Expr e) {
     e instanceof ParenthesisExpr
   )
   or
-  // A smart pointer can be stack-allocated while the data it points to is heap-allocated.
-  // So we exclude such "conversions" from this predicate.
-  e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
-  or
   hasNontrivialConversion(e.getConversion())
 }
 

cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql

@@ -4,7 +4,6 @@
  *              as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
  * @precision medium
  * @id cpp/bad-strncpy-size
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql

@@ -7,7 +7,6 @@
  * @kind problem
  * @id cpp/suspicious-call-to-memset
  * @problem.severity recommendation
- * @security-severity 10.0
  * @precision medium
  * @tags reliability
  *       correctness

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.cpp

@@ -2,7 +2,3 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
 
 strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest. 
                                   //Also fails if dest is a pointer and not an array.
- 
-strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
-
-strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp

@@ -4,17 +4,7 @@
 <qhelp>
 <overview>
 <p>The standard library function <code>strncat</code> appends a source string to a target string. 
-The third argument defines the maximum number of characters to append and should be less than or equal
-to the remaining space in the destination buffer.</p>
-
-<p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
-the third argument to the entire size of the destination buffer.
-Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
-
-<p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
-byte to be written ouside the <code>dest</code> buffer.</p>
-
-<p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
+The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
 
 </overview>
 <recommendation>
@@ -35,10 +25,6 @@ byte to be written ouside the <code>dest</code> buffer.</p>
 <li>
   M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
 </li>
-<li>
-  CERT C Coding Standard:
-<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
-</li>
 
 
 </references>

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql

@@ -1,15 +1,14 @@
 /**
  * @name Potentially unsafe call to strncat
- * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
+ * @description Calling 'strncat' with the size of the destination buffer
+ *              as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
  * @precision medium
  * @id cpp/unsafe-strncat
  * @tags reliability
  *       correctness
  *       security
- *       external/cwe/cwe-788
  *       external/cwe/cwe-676
  *       external/cwe/cwe-119
  *       external/cwe/cwe-251
@@ -17,53 +16,11 @@
 
 import cpp
 import Buffer
-import semmle.code.cpp.models.implementations.Strcat
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-/**
- * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
- * destination arguments, respectively.
- */
-predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
-  exists(StrcatFunction strcat |
-    strcat = call.getTarget() and
-    sizeArg = call.getArgument(strcat.getParamSize()) and
-    destArg = call.getArgument(strcat.getParamDest())
-  )
-}
-
-/**
- * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
- * argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
- */
-predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
-  interestringCallWithArgs(fc, sizeArg, destArg) and
-  exists(VariableAccess va |
-    va = sizeArg.(BufferSizeExpr).getArg() and
-    destArg.getTarget() = va.getTarget()
-  )
-}
-
-/**
- * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
- * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
- */
-predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
-  interestringCallWithArgs(fc, sizeArg, destArg) and
-  exists(SubExpr sub, int n |
-    // The destination buffer is an array of size n
-    destArg.getUnspecifiedType().(ArrayType).getSize() = n and
-    // The size argument is equivalent to a subtraction
-    globalValueNumber(sizeArg).getAnExpr() = sub and
-    // ... where the left side of the subtraction is the constant n
-    globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
-    // ... and the right side of the subtraction is a call to `strlen` where the argument is the
-    // destination buffer.
-    globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
-      globalValueNumber(destArg).getAnExpr()
-  )
-}
-
-from FunctionCall fc, Expr sizeArg, Expr destArg
-where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
+from FunctionCall fc, VariableAccess va1, VariableAccess va2
+where
+  fc.getTarget().(Function).hasName("strncat") and
+  va1 = fc.getArgument(0) and
+  va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
+  va1.getTarget() = va2.getTarget()
 select fc, "Potentially unsafe call to strncat."

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql

@@ -5,7 +5,6 @@
  *              the machine pointer size.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision medium
  * @id cpp/suspicious-sizeof
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/uninitialized-local
  * @problem.severity warning
- * @security-severity 5.9
  * @precision medium
  * @tags security
  *       external/cwe/cwe-665

cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql

@@ -4,7 +4,6 @@
  *              may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision medium
  * @id cpp/unsafe-strcat
  * @tags reliability

cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/self-assignment-check
  * @problem.severity warning
- * @security-severity 5.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-826

cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql

@@ -6,12 +6,10 @@
  * @kind path-problem
  * @id cpp/unsafe-use-of-this
  * @problem.severity error
- * @security-severity 3.6
  * @precision very-high
  * @tags correctness
  *       language-features
  *       security
- *       external/cwe/cwe-670
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql

@@ -7,14 +7,11 @@
  *              undefined data.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
  * @precision very-high
  * @id cpp/too-few-arguments
  * @tags correctness
  *       maintainability
  *       security
- *       external/cwe/cwe-234
- *       external/cwe/cwe-685
  */
 
 import cpp

cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp

@@ -29,7 +29,7 @@ build time: the more included files, the longer the compilation time.</p>
   <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
 </li>
 <li>
-  <a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
+  <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
 Designing Header Files</a>
 </li>
 

cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp

@@ -35,7 +35,7 @@ they are contributing to unnecessarily long build times and creating artificial
   <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
 </li>
 <li>
-  <a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
+  <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
 Designing Header Files</a>
 </li>
 </references>

cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/memset-may-be-deleted
  * @problem.severity warning
- * @security-severity 6.4
  * @precision high
  * @tags security
  *       external/cwe/cwe-14

cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql

@@ -5,7 +5,6 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 

cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql

@@ -5,7 +5,6 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -4,7 +4,6 @@
  *              attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.4
  * @precision medium
  * @id cpp/path-injection
  * @tags security

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -5,7 +5,6 @@
  *              to command injection.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
  * @precision low
  * @id cpp/command-line-injection
  * @tags security

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -4,7 +4,6 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
  * @precision high
  * @id cpp/cgi-xss
  * @tags security

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -5,7 +5,6 @@
  *              to SQL Injection.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
  * @precision high
  * @id cpp/sql-injection
  * @tags security

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -5,7 +5,6 @@
  *              commands.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.0
  * @precision medium
  * @id cpp/uncontrolled-process-operation
  * @tags security

cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/overflow-buffer
  * @problem.severity recommendation
- * @security-severity 10.0
  * @tags security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-121

cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql

@@ -5,7 +5,6 @@
  *              overflow.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
  * @precision high
  * @id cpp/badly-bounded-write
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql

@@ -4,7 +4,6 @@
  *              of data written may overflow.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
  * @precision medium
  * @id cpp/overrunning-write
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql

@@ -5,7 +5,6 @@
  *              take extreme values.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
  * @precision medium
  * @id cpp/overrunning-write-with-float
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -4,7 +4,6 @@
  *              of data written may overflow.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
  * @precision medium
  * @id cpp/unbounded-write
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql

@@ -5,7 +5,6 @@
  *              a specific value to terminate the argument list.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision medium
  * @id cpp/unterminated-variadic-call
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/unclear-array-index-validation
  * @problem.severity warning
- * @security-severity 5.9
  * @tags security
  *       external/cwe/cwe-129
  */

cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql

@@ -5,7 +5,6 @@
  *              terminator can cause a buffer overrun.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
  * @precision high
  * @id cpp/no-space-for-terminator
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -5,7 +5,6 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.9
  * @precision high
  * @id cpp/tainted-format-string
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql

@@ -5,7 +5,6 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.9
  * @precision high
  * @id cpp/tainted-format-string-through-global
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/user-controlled-null-termination-tainted
  * @problem.severity warning
- * @security-severity 10.0
  * @tags security
  *       external/cwe/cwe-170
  */

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -4,7 +4,6 @@
  *              not validated can cause overflows.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision low
  * @id cpp/tainted-arithmetic
  * @tags security

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -4,7 +4,6 @@
  *              validated can cause overflows.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision medium
  * @id cpp/uncontrolled-arithmetic
  * @tags security
@@ -16,107 +15,34 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import TaintedWithPath
 
-predicate isUnboundedRandCall(FunctionCall fc) {
-  exists(Function func | func = fc.getTarget() |
-    func.hasGlobalOrStdOrBslName("rand") and
-    not bounded(fc) and
-    func.getNumberOfParameters() = 0
-  )
+predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
+
+predicate isRandCallOrParent(Expr e) {
+  isRandCall(e) or
+  isRandCallOrParent(e.getAChild())
 }
 
-/**
- * An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
- * a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
- */
-pragma[inline]
-predicate boundedDiv(Expr e, Expr left) { e = left }
-
-/**
- * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
- * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
- * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
- * allowed by the result type of `rem`.
- */
-pragma[inline]
-predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
-  e = left and
-  upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
-}
-
-/**
- * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
- * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
- * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
- */
-pragma[inline]
-predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
-  operand1 != operand2 and
-  e = operand1 and
-  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
-}
-
-/**
- * Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
- * of possible values.
- */
-predicate bounded(Expr e) {
-  //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
-  //  maximum possible value of the result type of the operation.
-  //  For example, the function call `rand()` is considered bounded in the following program:
-  //  ```
-  //  int i = rand() % (UINT8_MAX + 1);
-  //  ```
-  //  but not in:
-  //  ```
-  //  unsigned char uc = rand() % (UINT8_MAX + 1);
-  //  ```
-  exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
-  or
-  exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
-  or
-  exists(BitwiseAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
-  )
-  or
-  exists(AssignAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
-  )
-  or
-  // Optimitically assume that a division always yields a much smaller value.
-  boundedDiv(e, any(DivExpr div).getLeftOperand())
-  or
-  boundedDiv(e, any(AssignDivExpr div).getLValue())
-  or
-  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
-  or
-  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
-}
-
-predicate isUnboundedRandCallOrParent(Expr e) {
-  isUnboundedRandCall(e)
-  or
-  isUnboundedRandCallOrParent(e.getAChild())
-}
-
-predicate isUnboundedRandValue(Expr e) {
-  isUnboundedRandCall(e)
+predicate isRandValue(Expr e) {
+  isRandCall(e)
   or
   exists(MacroInvocation mi |
     e = mi.getExpr() and
-    isUnboundedRandCallOrParent(e)
+    isRandCallOrParent(e)
   )
 }
 
 class SecurityOptionsArith extends SecurityOptions {
   override predicate isUserInput(Expr expr, string cause) {
-    isUnboundedRandValue(expr) and
-    cause = "rand"
+    isRandValue(expr) and
+    cause = "rand" and
+    not expr.getParent*() instanceof DivExpr
   }
 }
 
+predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
+
 predicate missingGuard(VariableAccess va, string effect) {
   exists(Operation op | op.getAnOperand() = va |
     missingGuardAgainstUnderflow(op, va) and effect = "underflow"
@@ -126,15 +52,29 @@ predicate missingGuard(VariableAccess va, string effect) {
 }
 
 class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element e) { missingGuard(e, _) }
+  override predicate isSink(Element e) {
+    isDiv(e)
+    or
+    missingGuard(e, _)
+  }
+}
 
-  override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
+/**
+ * A value that undergoes division is likely to be bounded within a safe
+ * range.
+ */
+predicate guardedByAssignDiv(Expr origin) {
+  exists(VariableAccess va |
+    taintedWithPath(origin, va, _, _) and
+    isDiv(va)
+  )
 }
 
 from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
 where
   taintedWithPath(origin, va, sourceNode, sinkNode) and
-  missingGuard(va, effect)
+  missingGuard(va, effect) and
+  not guardedByAssignDiv(origin)
 select va, sourceNode, sinkNode,
   "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
   "Uncontrolled value"

cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/arithmetic-with-extreme-values
  * @problem.severity warning
- * @security-severity 5.9
  * @precision low
  * @tags security
  *       reliability

cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql

@@ -5,7 +5,6 @@
  * @id cpp/comparison-with-wider-type
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
  * @precision high
  * @tags reliability
  *       security
@@ -50,9 +49,7 @@ where
   small = rel.getLesserOperand() and
   large = rel.getGreaterOperand() and
   rel = l.getCondition().getAChild*() and
-  forall(Expr conv | conv = large.getConversion*() |
-    upperBound(conv).log2() > getComparisonSize(small) * 8
-  ) and
+  upperBound(large).log2() > getComparisonSize(small) * 8 and
   // Ignore cases where the smaller type is int or larger
   // These are still bugs, but you should need a very large string or array to
   // trigger them. We will want to disable this for some applications, but it's