


turbo
118daaba5c Merge branch 'main' into turbo/experimental-suite 2022-12-14 16:31:03 +01:00
turbo
ce2b59ae4a Add experimental,ml-generated tags 2022-08-22 15:59:39 +02:00
534 changed files with 4059 additions and 6221 deletions


@@ -11,6 +11,38 @@
import semmle.code.cpp.Function
import semmle.code.cpp.models.Models
/**
* An allocation function such as `malloc`.
*/
abstract class AllocationFunction extends Function {
/**
* Gets the index of the argument for the allocation size, if any. The actual
* allocation size is the value of this argument multiplied by the result of
* `getSizeMult()`, in bytes.
*/
int getSizeArg() { none() }
/**
* Gets the index of an argument that multiplies the allocation size given by
* `getSizeArg`, if any.
*/
int getSizeMult() { none() }
/**
* Gets the index of the input pointer argument to be reallocated, if this
* is a `realloc` function.
*/
int getReallocPtrArg() { none() }
/**
* Whether or not this allocation requires a corresponding deallocation of
* some sort (most do, but `alloca` for example does not). If it is unclear,
* we default to no (for example a placement `new` allocation may or may not
* require a corresponding `delete`).
*/
predicate requiresDealloc() { any() }
}
/**
* An allocation expression such as call to `malloc` or a `new` expression.
*/
@@ -54,41 +86,6 @@ abstract class AllocationExpr extends Expr {
predicate requiresDealloc() { any() }
}
/**
* An allocation function such as `malloc`.
*
* Note: `AllocationExpr` includes calls to allocation functions, so prefer
* to use that class unless you specifically need to reason about functions.
*/
abstract class AllocationFunction extends Function {
/**
* Gets the index of the argument for the allocation size, if any. The actual
* allocation size is the value of this argument multiplied by the result of
* `getSizeMult()`, in bytes.
*/
int getSizeArg() { none() }
/**
* Gets the index of an argument that multiplies the allocation size given by
* `getSizeArg`, if any.
*/
int getSizeMult() { none() }
/**
* Gets the index of the input pointer argument to be reallocated, if this
* is a `realloc` function.
*/
int getReallocPtrArg() { none() }
/**
* Whether or not this allocation requires a corresponding deallocation of
* some sort (most do, but `alloca` for example does not). If it is unclear,
* we default to no (for example a placement `new` allocation may or may not
* require a corresponding `delete`).
*/
predicate requiresDealloc() { any() }
}
/**
* An `operator new` or `operator new[]` function that may be associated with
* `new` or `new[]` expressions. Note that `new` and `new[]` are not function
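Review bot: The copy of `AllocationFunction` on the new side (the added block in the first hunk) loses the paragraph that the removed copy carried in its class docstring, `Note: AllocationExpr includes calls to allocation functions, so prefer to use that class unless you specifically need to reason about functions.`, and that guidance is worth keeping since nothing else in the hunk tells a query author which class to start from; the same paragraph disappears from `DeallocationFunction` in the next file section. A second documentation point on the added lines: the `requiresDealloc` comment says "If it is unclear, we default to no", yet the base body is `predicate requiresDealloc() { any() }`, so the sentence reads as if the default were `none()`; rewording it to something like `Subclasses for which this is unclear (for example placement new) should override this to none().` would match the code. Both class bodies are complete inside the first hunk; the trailing `operator new` comment runs past the end of the second.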


@@ -11,6 +11,16 @@
import semmle.code.cpp.Function
import semmle.code.cpp.models.Models
/**
* A deallocation function such as `free`.
*/
abstract class DeallocationFunction extends Function {
/**
* Gets the index of the argument that is freed by this function.
*/
int getFreedArg() { none() }
}
/**
* An deallocation expression such as call to `free` or a `delete` expression.
*/
@@ -21,19 +31,6 @@ abstract class DeallocationExpr extends Expr {
Expr getFreedExpr() { none() }
}
/**
* A deallocation function such as `free`.
*
* Note: `DeallocationExpr` includes calls to deallocation functions, so prefer
* to use that class unless you specifically need to reason about functions.
*/
abstract class DeallocationFunction extends Function {
/**
* Gets the index of the argument that is freed by this function.
*/
int getFreedArg() { none() }
}
/**
* An `operator delete` or `operator delete[]` function that may be associated
* with `delete` or `delete[]` expressions. Note that `delete` and `delete[]`
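Review bot: The context docstring `* An deallocation expression such as call to \`free\` or a \`delete\` expression.` has a grammar slip that is visible on both sides of the hunk; since the surrounding documentation is being moved anyway, this is the natural moment to make it `* A deallocation expression such as a call to \`free\` or a \`delete\` expression.`. The `DeallocationExpr` class this comment introduces starts after the first hunk and is only partly visible in the second.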


@@ -15,7 +15,6 @@
import cpp
pragma[nomagic]
predicate beforeArrayAccess(Variable v, ArrayExpr access, Expr before) {
exists(LogicalAndExpr andexpr |
access.getArrayOffset() = v.getAnAccess() and
@@ -24,7 +23,6 @@ predicate beforeArrayAccess(Variable v, ArrayExpr access, Expr before) {
)
}
pragma[nomagic]
predicate afterArrayAccess(Variable v, ArrayExpr access, Expr after) {
exists(LogicalAndExpr andexpr |
access.getArrayOffset() = v.getAnAccess() and
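Review bot: Each hunk header here records one fewer line on the new side (`-15,7 +15,6` and `-24,7 +23,6`), and `pragma[nomagic]` is the only non-blank candidate, so the annotation on `beforeArrayAccess` and on `afterArrayAccess` appears to be dropped without any explanation in the change. Removing `nomagic` on predicates whose bodies open with `exists(LogicalAndExpr andexpr | access.getArrayOffset() = v.getAnAccess() and ...` can change how the evaluator joins them, which is a performance-relevant change that deserves either a reason in the commit or the pragma kept; if this compare merely shows the branch behind `main`, the pragma should be restored on the merge. Both predicate bodies continue outside the hunks.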


@@ -115,8 +115,7 @@ BasicBlock blockGuardedBy(int value, string op, ScanfFunctionCall call) {
from ScanfOutput output, ScanfFunctionCall call, Access access
where
output.getCall() = call and
output.hasGuardedAccess(access, false) and
not exists(DeallocationExpr dealloc | dealloc.getFreedExpr() = access)
output.hasGuardedAccess(access, false)
select access,
"This variable is read, but may not have been written. " +
"It should be guarded by a check that the $@ returns at least " +


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `cpp/missing-check-scanf` query no longer reports the free'ing of `scanf` output variables as potential reads.


@@ -9,6 +9,7 @@
* @tags reliability
* security
* external/cwe/cwe-476
* experimental
*/
import cpp


@@ -10,6 +10,7 @@
* @tags correctness
* security
* external/cwe/cwe-20
* experimental
*/
import cpp


@@ -12,6 +12,7 @@
* @security-severity 7.5
* @tags security
* external/cwe/cwe-020
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* maintainability
* security
* external/cwe/cwe-1041
* experimental
*/
import cpp


@@ -10,6 +10,7 @@
* @tags correctness
* security
* external/cwe/cwe-1126
* experimental
*/
import cpp


@@ -7,6 +7,7 @@
* @tags reliability
* security
* external/cwe/cwe-120
* experimental
*/
import cpp


@@ -8,6 +8,7 @@
* @tags correctness
* security
* external/cwe/cwe-125
* experimental
*/
import cpp


@@ -8,6 +8,7 @@
* correctness
* external/cwe/cwe-190
* external/cwe/cwe-128
* experimental
* @id cpp/multiplication-overflow-in-alloc
*/


@@ -8,6 +8,7 @@
* @tags correctness
* security
* external/cwe/cwe-190
* experimental
*/
import cpp


@@ -10,6 +10,7 @@
* security
* external/cwe/cwe-200
* external/cwe/cwe-264
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* security
* external/cwe/cwe-243
* external/cwe/cwe-252
* experimental
*/
import cpp


@@ -13,6 +13,7 @@
* external/cwe/cwe-200
* external/cwe/cwe-560
* external/cwe/cwe-687
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* @id cpp/drop-linux-privileges-outoforder
* @tags security
* external/cwe/cwe-273
* experimental
* @precision medium
*/


@@ -6,6 +6,7 @@
* @id cpp/pam-auth-bypass
* @tags security
* external/cwe/cwe-285
* experimental
*/
import cpp


@@ -7,6 +7,7 @@
* @id cpp/private-cleartext-write
* @tags security
* external/cwe/cwe-359
* experimental
*/
import cpp


@@ -12,6 +12,7 @@
* @security-severity 7.5
* @tags security
* external/cwe/cwe-362
* experimental
*/
import cpp


@@ -8,6 +8,7 @@
* @tags correctness
* security
* external/cwe/cwe-377
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* @tags correctness
* security
* external/cwe/cwe-401
* experimental
*/
import cpp


@@ -7,6 +7,7 @@
* @precision medium
* @tags security
* external/cwe/cwe-415
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* security
* external/cwe/cwe-476
* external/cwe/cwe-415
* experimental
*/
import cpp


@@ -11,6 +11,7 @@
* external/cwe/cwe-561
* external/cwe/cwe-691
* external/cwe/cwe-478
* experimental
*/
import cpp


@@ -8,6 +8,7 @@
* @tags correctness
* security
* external/cwe/cwe-670
* experimental
*/
import cpp


@@ -8,6 +8,7 @@
* @tags security
* external/cwe/cwe-675
* external/cwe/cwe-666
* experimental
*/
import cpp


@@ -11,6 +11,7 @@
* @tags correctness
* security
* external/cwe/cwe-691
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* @tags correctness
* security
* external/cwe/cwe-691
* experimental
*/
import cpp


@@ -10,6 +10,7 @@
* external/cwe/cwe-703
* external/cwe/cwe-248
* external/cwe/cwe-390
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* security
* external/cwe/cwe-754
* external/cwe/cwe-908
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* @precision medium
* @tags security
* external/cwe/cwe-758
* experimental
*/
import cpp


@@ -10,6 +10,7 @@
* readability
* external/cwe/cwe-783
* external/cwe/cwe-480
* experimental
*/
import cpp


@@ -10,6 +10,7 @@
* security
* external/cwe/cwe-783
* external/cwe/cwe-480
* experimental
*/
import cpp


@@ -7,6 +7,7 @@
* @tags reliability
* security
* external/cwe/cwe-787
* experimental
*/
import cpp


@@ -9,6 +9,7 @@
* @tags correctness
* security
* external/cwe/cwe-788
* experimental
*/
import cpp


@@ -1,21 +1,19 @@
| test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf |
| test.cpp:51:7:51:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:50:3:50:7 | call to scanf | call to scanf |
| test.cpp:68:7:68:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:67:3:67:7 | call to scanf | call to scanf |
| test.cpp:80:7:80:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:79:3:79:7 | call to scanf | call to scanf |
| test.cpp:90:8:90:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:89:3:89:7 | call to scanf | call to scanf |
| test.cpp:98:8:98:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:97:3:97:7 | call to scanf | call to scanf |
| test.cpp:108:7:108:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:107:3:107:8 | call to fscanf | call to fscanf |
| test.cpp:115:7:115:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:114:3:114:8 | call to sscanf | call to sscanf |
| test.cpp:164:8:164:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:162:7:162:11 | call to scanf | call to scanf |
| test.cpp:173:8:173:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:171:7:171:11 | call to scanf | call to scanf |
| test.cpp:205:8:205:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:204:7:204:11 | call to scanf | call to scanf |
| test.cpp:224:8:224:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:221:7:221:11 | call to scanf | call to scanf |
| test.cpp:248:9:248:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:246:25:246:29 | call to scanf | call to scanf |
| test.cpp:252:9:252:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:250:14:250:18 | call to scanf | call to scanf |
| test.cpp:264:7:264:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:263:3:263:7 | call to scanf | call to scanf |
| test.cpp:272:7:272:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:271:3:271:7 | call to scanf | call to scanf |
| test.cpp:280:7:280:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:279:3:279:7 | call to scanf | call to scanf |
| test.cpp:292:7:292:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:291:3:291:7 | call to scanf | call to scanf |
| test.cpp:302:8:302:12 | ptr_i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:301:3:301:7 | call to scanf | call to scanf |
| test.cpp:310:7:310:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:309:3:309:7 | call to scanf | call to scanf |
| test.cpp:404:25:404:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:403:6:403:11 | call to sscanf | call to sscanf |
| test.cpp:30:7:30:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:29:3:29:7 | call to scanf | call to scanf |
| test.cpp:46:7:46:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:45:3:45:7 | call to scanf | call to scanf |
| test.cpp:63:7:63:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:62:3:62:7 | call to scanf | call to scanf |
| test.cpp:75:7:75:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:74:3:74:7 | call to scanf | call to scanf |
| test.cpp:87:7:87:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:86:3:86:8 | call to fscanf | call to fscanf |
| test.cpp:94:7:94:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:93:3:93:8 | call to sscanf | call to sscanf |
| test.cpp:143:8:143:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:141:7:141:11 | call to scanf | call to scanf |
| test.cpp:152:8:152:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:150:7:150:11 | call to scanf | call to scanf |
| test.cpp:184:8:184:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:183:7:183:11 | call to scanf | call to scanf |
| test.cpp:203:8:203:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:200:7:200:11 | call to scanf | call to scanf |
| test.cpp:227:9:227:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:225:25:225:29 | call to scanf | call to scanf |
| test.cpp:231:9:231:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:229:14:229:18 | call to scanf | call to scanf |
| test.cpp:243:7:243:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:242:3:242:7 | call to scanf | call to scanf |
| test.cpp:251:7:251:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:250:3:250:7 | call to scanf | call to scanf |
| test.cpp:259:7:259:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:258:3:258:7 | call to scanf | call to scanf |
| test.cpp:271:7:271:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:270:3:270:7 | call to scanf | call to scanf |
| test.cpp:281:8:281:12 | ptr_i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:280:3:280:7 | call to scanf | call to scanf |
| test.cpp:289:7:289:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:288:3:288:7 | call to scanf | call to scanf |
| test.cpp:383:25:383:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:382:6:382:11 | call to sscanf | call to sscanf |


@@ -19,11 +19,6 @@ FILE *get_a_stream();
const char *get_a_string();
extern locale_t get_a_locale();
typedef long size_t;
void *malloc(size_t size);
void free(void *ptr);
int main()
{
// --- simple cases ---
@@ -83,22 +78,6 @@ int main()
use(i); // GOOD
}
{
int *i = (int*)malloc(sizeof(int)); // Allocated variable
scanf("%d", i);
use(*i); // BAD
free(i); // GOOD
}
{
int *i = new int; // Allocated variable
scanf("%d", i);
use(*i); // BAD
delete i; // GOOD
}
// --- different scanf functions ---
{


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["Dapper", "SqlMapper", False, "Execute", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]
- ["Dapper", "SqlMapper", False, "ExecuteAsync", "(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>)", "", "Argument[1]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String)", "", "Argument[2]", "sql", "manual"]
- ["Microsoft.ApplicationBlocks.Data", "SqlHelper", False, "ExecuteDataset", "(System.Data.SqlClient.SqlConnection,System.Data.CommandType,System.String,System.Data.SqlClient.SqlParameter[])", "", "Argument[2]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRaw", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>)", "", "Argument[1]", "sql", "manual"]
- ["Microsoft.EntityFrameworkCore", "RelationalDatabaseFacadeExtensions", False, "ExecuteSqlRaw", "(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[])", "", "Argument[1]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["Microsoft.Extensions.Primitives", "StringValues", False, "Add", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["Microsoft.Extensions.Primitives", "StringValues", False, "Add", "(System.String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["Microsoft.VisualBasic", "Collection", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]
- ["Microsoft.VisualBasic", "Collection", False, "GetEnumerator", "()", "", "Argument[this].Element", "ReturnValue.Property[System.Collections.IEnumerator.Current]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["MySql.Data.MySqlClient", "MySqlHelper", False, "ExecuteDataRow", "(System.String,System.String,MySql.Data.MySqlClient.MySqlParameter[])", "", "Argument[1]", "sql", "manual"]
- ["MySql.Data.MySqlClient", "MySqlHelper", False, "ExecuteDataRowAsync", "(System.String,System.String,MySql.Data.MySqlClient.MySqlParameter[])", "", "Argument[1]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["Newtonsoft.Json.Linq", "JArray", False, "get_Item", "(System.Object)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["Newtonsoft.Json.Linq", "JArray", False, "set_Item", "(System.Object,Newtonsoft.Json.Linq.JToken)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["Newtonsoft.Json", "JsonConvert", False, "DeserializeAnonymousType<>", "(System.String,T)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["Newtonsoft.Json", "JsonConvert", False, "DeserializeAnonymousType<>", "(System.String,T,Newtonsoft.Json.JsonSerializerSettings)", "", "Argument[0]", "ReturnValue", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["ServiceStack.OrmLite", "IUntypedSqlExpression", True, "UnsafeAnd", "(System.String,System.Object[])", "", "Argument[0]", "sql", "manual"]
- ["ServiceStack.OrmLite", "IUntypedSqlExpression", True, "UnsafeFrom", "(System.String)", "", "Argument[0]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["ServiceStack.Redis", "IRedisClient", True, "Custom", "(System.Object[])", "", "Argument[0]", "code", "manual"]
- ["ServiceStack.Redis", "IRedisClient", True, "ExecCachedLua", "(System.String,System.Func<System.String,T>)", "", "Argument[0]", "code", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["ServiceStack", "IOneWayClient", True, "SendAllOneWay", "(System.Collections.Generic.IEnumerable<System.Object>)", "", "Argument[1].Element", "remote", "manual"]
- ["ServiceStack", "IOneWayClient", True, "SendOneWay", "(System.Object)", "", "Argument[0]", "remote", "manual"]
@@ -80,7 +80,7 @@ extensions:
- ["ServiceStack", "ServiceClientBase", True, "Put", "(System.Object)", "", "Argument[0]", "remote", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["ServiceStack", "HttpResult", False, "HttpResult", "(System.Byte[],System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["ServiceStack", "HttpResult", False, "HttpResult", "(System.IO.Stream,System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]


@@ -1,6 +1,6 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.CodeDom", "CodeNamespaceImportCollection", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Collections.Concurrent", "BlockingCollection<>", False, "Add", "(T)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Collections.Concurrent", "BlockingCollection<>", False, "CopyTo", "(T[],System.Int32)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Collections.Generic", "Dictionary<,>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]
- ["System.Collections.Generic", "Dictionary<,>", False, "Add", "(System.Collections.Generic.KeyValuePair<TKey,TValue>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Value]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Value]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Collections.Immutable", "IImmutableDictionary<,>", True, "AddRange", "(System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<TKey,TValue>>)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
- ["System.Collections.Immutable", "IImmutableDictionary<,>", True, "Clear", "()", "", "Argument[this].WithoutElement", "ReturnValue", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Collections.ObjectModel", "KeyedCollection<,>", False, "get_Item", "(TKey)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["System.Collections.ObjectModel", "ReadOnlyCollection<>", False, "get_Item", "(System.Int32)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Collections.Specialized", "IOrderedDictionary", True, "get_Item", "(System.Int32)", "", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Value]", "ReturnValue", "value", "manual"]
- ["System.Collections.Specialized", "IOrderedDictionary", True, "set_Item", "(System.Int32,System.Object)", "", "Argument[0]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Collections", "ArrayList", False, "AddRange", "(System.Collections.ICollection)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
- ["System.Collections", "ArrayList", False, "Clone", "()", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.ComponentModel.Design", "DesignerCollection", False, "GetEnumerator", "()", "", "Argument[this].Element", "ReturnValue.Property[System.Collections.IEnumerator.Current]", "value", "manual"]
- ["System.ComponentModel.Design", "DesignerOptionService+DesignerOptionCollection", False, "get_Item", "(System.Int32)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.ComponentModel", "AttributeCollection", False, "GetEnumerator", "()", "", "Argument[this].Element", "ReturnValue.Property[System.Collections.IEnumerator.Current]", "value", "manual"]
- ["System.ComponentModel", "ComponentCollection", False, "CopyTo", "(System.ComponentModel.IComponent[],System.Int32)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]


@@ -1,6 +1,6 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Configuration.Provider", "ProviderCollection", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Configuration", "CommaDelimitedStringCollection", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]
- ["System.Configuration", "ConfigurationLockCollection", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Data.Common", "DataColumnMappingCollection", False, "AddRange", "(System.Array)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
- ["System.Data.Common", "DataColumnMappingCollection", False, "AddRange", "(System.Data.Common.DataColumnMapping[])", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Data.Entity", "Database", False, "ExecuteSqlCommand", "(System.Data.Entity.TransactionalBehavior,System.String,System.Object[])", "", "Argument[1]", "sql", "manual"]
- ["System.Data.Entity", "Database", False, "ExecuteSqlCommand", "(System.String,System.Object[])", "", "Argument[0]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Data.EntityClient", "EntityCommand", False, "EntityCommand", "(System.String)", "", "Argument[0]", "sql", "manual"]
- ["System.Data.EntityClient", "EntityCommand", False, "EntityCommand", "(System.String,System.Data.EntityClient.EntityConnection)", "", "Argument[0]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Data.Odbc", "OdbcCommand", False, "OdbcCommand", "(System.String)", "", "Argument[0]", "sql", "manual"]
- ["System.Data.Odbc", "OdbcCommand", False, "OdbcCommand", "(System.String,System.Data.Odbc.OdbcConnection)", "", "Argument[0]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Data.OleDb", "OleDbCommand", False, "OleDbCommand", "(System.String)", "", "Argument[0]", "sql", "manual"]
- ["System.Data.OleDb", "OleDbCommand", False, "OleDbCommand", "(System.String,System.Data.OleDb.OleDbConnection)", "", "Argument[0]", "sql", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Data.SQLite", "SQLiteCommand", False, "SQLiteCommand", "(System.String)", "", "Argument[0]", "sql", "manual"]
- ["System.Data.SQLite", "SQLiteCommand", False, "SQLiteCommand", "(System.String,System.Data.SQLite.SQLiteConnection)", "", "Argument[0]", "sql", "manual"]
@@ -12,7 +12,7 @@ extensions:
- ["System.Data.SQLite", "SQLiteDataAdapter", False, "SQLiteDataAdapter", "(System.String,System.String,System.Boolean)", "", "Argument[0]", "sql", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Data.SQLite", "SQLiteCommand", False, "SQLiteCommand", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Data.SQLite", "SQLiteCommand", False, "SQLiteCommand", "(System.String,System.Data.SQLite.SQLiteConnection)", "", "Argument[0]", "Argument[this]", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "sql", "manual"]
- ["System.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,System.Data.SqlClient.SqlConnection)", "", "Argument[0]", "sql", "manual"]
@@ -11,7 +11,7 @@ extensions:
- ["System.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(System.String,System.String)", "", "Argument[0]", "sql", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,System.Data.SqlClient.SqlConnection)", "", "Argument[0]", "Argument[this]", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Data", "ConstraintCollection", False, "Add", "(System.Data.Constraint)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Data", "ConstraintCollection", False, "AddRange", "(System.Data.Constraint[])", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Diagnostics", "ActivityTagsCollection", False, "ActivityTagsCollection", "(System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<System.String,System.Object>>)", "", "Argument[0].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]
- ["System.Diagnostics", "ActivityTagsCollection", False, "ActivityTagsCollection", "(System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<System.String,System.Object>>)", "", "Argument[0].Element.Property[System.Collections.Generic.KeyValuePair<,>.Value]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Value]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Dynamic", "ExpandoObject", False, "Add", "(System.Collections.Generic.KeyValuePair<System.String,System.Object>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]
- ["System.Dynamic", "ExpandoObject", False, "Add", "(System.Collections.Generic.KeyValuePair<System.String,System.Object>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Value]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Value]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.IO.Compression", "DeflateStream", False, "DeflateStream", "(System.IO.Stream,System.IO.Compression.CompressionLevel)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO.Compression", "DeflateStream", False, "DeflateStream", "(System.IO.Stream,System.IO.Compression.CompressionLevel,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]


@@ -1,12 +1,12 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sourceModel
extensible: extSourceModel
data:
- ["System.IO", "FileStream", False, "FileStream", "", "", "Argument[this]", "file", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.IO", "FileStream", False, "FileStream", "(System.String,System.IO.FileMode)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "FileStream", False, "FileStream", "(System.String,System.IO.FileMode,System.IO.FileAccess)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
@@ -58,18 +58,18 @@ extensions:
- ["System.IO", "Stream", False, "WriteAsync", "(System.Byte[],System.Int32,System.Int32)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
- ["System.IO", "Stream", True, "WriteAsync", "(System.Byte[],System.Int32,System.Int32,System.Threading.CancellationToken)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding,System.Boolean,System.Int32)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding,System.Boolean,System.Int32,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.IO.FileStreamOptions)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Text.Encoding)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Text.Encoding,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Text.Encoding,System.Boolean,System.IO.FileStreamOptions)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Text.Encoding,System.Boolean,System.Int32)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding,System.Boolean,System.Int32)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding,System.Boolean,System.Int32,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Text.Encoding,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.IO.FileStreamOptions)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Text.Encoding)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StreamReader", False, "StreamReader", "(System.String,System.Text.Encoding)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "StringReader", False, "StringReader", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.IO", "TextReader", True, "Read", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["System.IO", "TextReader", True, "Read", "(System.Char[],System.Int32,System.Int32)", "", "Argument[this]", "ReturnValue", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Linq", "Enumerable", False, "Aggregate<,,>", "(System.Collections.Generic.IEnumerable<TSource>,TAccumulate,System.Func<TAccumulate,TSource,TAccumulate>,System.Func<TAccumulate,TResult>)", "", "Argument[0].Element", "Argument[2].Parameter[1]", "value", "manual"]
- ["System.Linq", "Enumerable", False, "Aggregate<,,>", "(System.Collections.Generic.IEnumerable<TSource>,TAccumulate,System.Func<TAccumulate,TSource,TAccumulate>,System.Func<TAccumulate,TResult>)", "", "Argument[1]", "Argument[2].Parameter[0]", "value", "manual"]


@@ -1,6 +1,6 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Net.Http.Headers", "HttpHeaders", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]


@@ -1,12 +1,12 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Net.Http", "StringContent", False, "StringContent", "", "", "Argument[0]", "xss", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Net.Http", "HttpRequestOptions", False, "Add", "(System.Collections.Generic.KeyValuePair<System.String,System.Object>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Key]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Key]", "value", "manual"]
- ["System.Net.Http", "HttpRequestOptions", False, "Add", "(System.Collections.Generic.KeyValuePair<System.String,System.Object>)", "", "Argument[0].Property[System.Collections.Generic.KeyValuePair<,>.Value]", "Argument[this].Element.Property[System.Collections.Generic.KeyValuePair<,>.Value]", "value", "manual"]


@@ -1,6 +1,6 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Net.Mail", "MailAddressCollection", False, "Add", "(System.String)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]


@@ -1,9 +0,0 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sourceModel
data:
- ["System.Net.Sockets", "TcpClient", False, "GetStream", "", "", "ReturnValue", "remote", "manual"]
- ["System.Net.Sockets", "UpdClient", False, "EndReceive", "", "", "ReturnValue", "remote", "manual"]
- ["System.Net.Sockets", "UpdClient", False, "Receive", "", "", "ReturnValue", "remote", "manual"]
- ["System.Net.Sockets", "UpdClient", False, "ReceiveAsync", "", "", "ReturnValue", "remote", "manual"]


@@ -1,7 +1,15 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSourceModel
data:
- ["System.Net.Sockets", "TcpClient", False, "GetStream", "", "", "ReturnValue", "remote", "manual"]
- ["System.Net.Sockets", "UpdClient", False, "EndReceive", "", "", "ReturnValue", "remote", "manual"]
- ["System.Net.Sockets", "UpdClient", False, "Receive", "", "", "ReturnValue", "remote", "manual"]
- ["System.Net.Sockets", "UpdClient", False, "ReceiveAsync", "", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: extSummaryModel
data:
- ["System.Net", "Cookie", False, "get_Value", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["System.Net", "CookieCollection", False, "Add", "(System.Net.CookieCollection)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
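Review bot: The three `UpdClient` rows added under `extSourceModel` (`EndReceive`, `Receive`, `ReceiveAsync`) name a type that does not exist in `System.Net.Sockets`; the class is `UdpClient`, so these rows match nothing and data received over UDP is never treated as a `remote` source. The same misspelling is in the file removed just above, so the merge carries the defect forward rather than fixing it. Change the type column on each of the three rows, e.g. `- ["System.Net.Sockets", "UdpClient", False, "Receive", "", "", "ReturnValue", "remote", "manual"]`. The empty signature column makes each row cover every overload, which is consistent with the `TcpClient.GetStream` row above them and is fine to keep.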


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Runtime.CompilerServices", "ConditionalWeakTable<,>", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]
- ["System.Runtime.CompilerServices", "ConfiguredTaskAwaitable<>", False, "GetAwaiter", "()", "", "Argument[this].SyntheticField[m_configuredTaskAwaiter]", "ReturnValue", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Security.Cryptography.X509Certificates", "X509Certificate2Collection", False, "Add", "(System.Security.Cryptography.X509Certificates.X509Certificate2)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Security.Cryptography.X509Certificates", "X509Certificate2Collection", False, "AddRange", "(System.Security.Cryptography.X509Certificates.X509Certificate2Collection)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]


@@ -1,14 +1,14 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Security.Cryptography", "SymmetricAlgorithm", True, "CreateDecryptor", "(System.Byte[],System.Byte[])", "", "Argument[0]", "encryption-decryptor", "manual"]
- ["System.Security.Cryptography", "SymmetricAlgorithm", True, "CreateEncryptor", "(System.Byte[],System.Byte[])", "", "Argument[0]", "encryption-encryptor", "manual"]
- ["System.Security.Cryptography", "SymmetricAlgorithm", True, "set_Key", "(System.Byte[])", "", "Argument[0]", "encryption-keyprop", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Security.Cryptography", "AsnEncodedDataCollection", False, "Add", "(System.Security.Cryptography.AsnEncodedData)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Security.Cryptography", "AsnEncodedDataCollection", False, "CopyTo", "(System.Security.Cryptography.AsnEncodedData[],System.Int32)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]


@@ -1,6 +1,6 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Security.Permissions", "KeyContainerPermissionAccessEntryCollection", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Security.Policy", "ApplicationTrustCollection", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]
- ["System.Security.Policy", "Evidence", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Text.RegularExpressions", "CaptureCollection", False, "get_Item", "(System.Int32)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["System.Text.RegularExpressions", "GroupCollection", False, "get_Item", "(System.Int32)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Text", "Encoding", True, "GetBytes", "(System.Char*,System.Int32,System.Byte*,System.Int32)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["System.Text", "Encoding", True, "GetBytes", "(System.Char[])", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Threading.Tasks", "Task", False, "ContinueWith", "(System.Action<System.Threading.Tasks.Task,System.Object>,System.Object)", "", "Argument[1]", "Argument[0].Parameter[1]", "value", "manual"]
- ["System.Threading.Tasks", "Task", False, "ContinueWith", "(System.Action<System.Threading.Tasks.Task,System.Object>,System.Object,System.Threading.CancellationToken)", "", "Argument[1]", "Argument[0].Parameter[1]", "value", "manual"]


@@ -1,6 +1,6 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Web.UI.WebControls", "TextBox", False, "get_Text", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Web", "HttpResponse", False, "BinaryWrite", "", "", "Argument[0]", "html", "manual"]
- ["System.Web", "HttpResponse", False, "TransmitFile", "", "", "Argument[0]", "html", "manual"]
@@ -9,7 +9,7 @@ extensions:
- ["System.Web", "HttpResponse", False, "WriteFile", "", "", "Argument[0]", "html", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Web", "HttpCookie", False, "get_Value", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["System.Web", "HttpCookie", False, "get_Values", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Xml.Schema", "XmlSchemaCollection", False, "Add", "(System.Xml.Schema.XmlSchema)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Xml.Schema", "XmlSchemaCollection", False, "Add", "(System.Xml.Schema.XmlSchemaCollection)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Xml.Serialization", "XmlAnyElementAttributes", False, "Add", "(System.Xml.Serialization.XmlAnyElementAttribute)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Xml.Serialization", "XmlAnyElementAttributes", False, "CopyTo", "(System.Xml.Serialization.XmlAnyElementAttribute[],System.Int32)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]


@@ -1,7 +1,7 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System.Xml", "XmlAttributeCollection", False, "CopyTo", "(System.Xml.XmlAttribute[],System.Int32)", "", "Argument[this].Element", "Argument[0].Element", "value", "manual"]
- ["System.Xml", "XmlDocument", False, "Load", "(System.IO.Stream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]


@@ -1,14 +1,14 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sourceModel
extensible: extSourceModel
data:
- ["System", "Console", False, "Read", "", "", "ReturnValue", "local", "manual"]
- ["System", "Console", False, "ReadKey", "", "", "ReturnValue", "local", "manual"]
- ["System", "Console", False, "ReadLine", "", "", "ReturnValue", "local", "manual"]
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["System", "Array", False, "AsReadOnly<>", "(T[])", "", "Argument[0].Element", "ReturnValue.Element", "value", "manual"]
- ["System", "Array", False, "Clear", "(System.Array)", "", "Argument[0].WithoutElement", "Argument[0]", "value", "manual"]


@@ -1,6 +1,6 @@
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["Windows.Security.Cryptography.Core", "SymmetricKeyAlgorithmProvider", False, "CreateSymmetricKey", "(Windows.Storage.Streams.IBuffer)", "", "Argument[0]", "encryption-symmetrickey", "manual"]


@@ -5,7 +5,7 @@ extensions:
- addsTo:
pack: codeql/csharp-all
extensible: sinkModel
extensible: extSinkModel
data:
- ["System.Data.Odbc", "OdbcDataAdapter", false, "OdbcDataAdapter", "(System.String,System.Data.Odbc.OdbcConnection)", "", "Argument[0]", "sql", "generated"]
- ["System.Data.Odbc", "OdbcDataAdapter", false, "OdbcDataAdapter", "(System.String,System.String)", "", "Argument[0]", "sql", "generated"]
@@ -39,7 +39,7 @@ extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
extensible: extSummaryModel
data:
- ["JsonToItemsTaskFactory", "JsonToItemsTaskFactory+CaseInsensitiveDictionaryConverter", false, "Read", "(System.Text.Json.Utf8JsonReader,System.Type,System.Text.Json.JsonSerializerOptions)", "", "Argument[0]", "ReturnValue", "taint", "generated"]
- ["JsonToItemsTaskFactory", "JsonToItemsTaskFactory+JsonModelItemConverter", false, "Read", "(System.Text.Json.Utf8JsonReader,System.Type,System.Text.Json.JsonSerializerOptions)", "", "Argument[0]", "ReturnValue", "taint", "generated"]
@@ -10195,7 +10195,7 @@ extensions:
- addsTo:
pack: codeql/csharp-all
extensible: neutralModel
extensible: extNeutralModel
data:
- ["AssemblyStripper", "AssemblyStripper", "StripAssembly", "(System.String,System.String)", "generated"]
- ["Generators", "EventSourceGenerator", "Execute", "(Microsoft.CodeAnalysis.GeneratorExecutionContext)", "generated"]


@@ -82,7 +82,6 @@
*/
import csharp
private import ExternalFlowExtensions as Extensions
private import internal.AccessPathSyntax
private import internal.DataFlowDispatch
private import internal.DataFlowPrivate
@@ -139,6 +138,14 @@ private predicate summaryModelInternal(string row) { any(SummaryModelCsvInternal
private predicate sinkModelInternal(string row) { any(SinkModelCsvInternal s).row(row) }
/**
* Holds if a source model exists for the given parameters.
*/
extensible predicate extSourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance
);
/** Holds if a source model exists for the given parameters. */
predicate sourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
@@ -158,9 +165,15 @@ predicate sourceModel(
row.splitAt(";", 8) = provenance
)
or
Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance)
extSourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance)
}
/** Holds if a sink model exists for the given parameters. */
extensible predicate extSinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance
);
/** Holds if a sink model exists for the given parameters. */
predicate sinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
@@ -180,9 +193,15 @@ predicate sinkModel(
row.splitAt(";", 8) = provenance
)
or
Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance)
extSinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance)
}
/** Holds if a summary model exists for the given parameters. */
extensible predicate extSummaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance
);
/** Holds if a summary model exists for the given parameters. */
predicate summaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
@@ -203,12 +222,20 @@ predicate summaryModel(
row.splitAt(";", 9) = provenance
)
or
Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
provenance)
extSummaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance)
}
/** Holds if a model exists indicating there is no flow for the given parameters. */
predicate neutralModel = Extensions::neutralModel/5;
extensible predicate extNeutralModel(
string namespace, string type, string name, string signature, string provenance
);
/** Holds if a model exists indicating there is no flow for the given parameters. */
predicate neutralModel(
string namespace, string type, string name, string signature, string provenance
) {
extNeutralModel(namespace, type, name, signature, provenance)
}
private predicate relevantNamespace(string namespace) {
sourceModel(namespace, _, _, _, _, _, _, _, _) or
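Review bot: The doc comments on the newly inlined `extSourceModel`, `extSinkModel` and `extSummaryModel` predicates are word-for-word the same as those on `sourceModel`, `sinkModel` and `summaryModel`, so a reader cannot tell that the `ext*` predicates hold only rows supplied by extension data while the un-prefixed ones also union in the CSV-backed `*ModelInternal` rows parsed via `row.splitAt`. Because the `ext*` predicates are declared without `private`, a query that calls one of them directly will silently miss every CSV model; `neutralModel` is different, being a plain wrapper around `extNeutralModel` with no CSV branch. I would document each extensible predicate as, e.g., `/** Holds if a source model is provided by a data extension; callers should use sourceModel, which also includes the CSV-backed rows. */`, and keep the existing one-line comment on the public wrappers. The enclosing module continues outside this hunk.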


@@ -1,34 +0,0 @@
/**
* This module provides extensible predicates for defining MaD models.
*/
/**
* Holds if a source model exists for the given parameters.
*/
extensible predicate sourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance
);
/**
* Holds if a sink model exists for the given parameters.
*/
extensible predicate sinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance
);
/**
* Holds if a summary model exists for the given parameters.
*/
extensible predicate summaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance
);
/**
* Holds if a model exists indicating there is no flow for the given parameters.
*/
extensible predicate neutralModel(
string namespace, string type, string name, string signature, string provenance
);


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example `extSummaryModel` has been renamed to `summaryModel`.


@@ -11,6 +11,7 @@
* external/cwe/cwe-023
* external/cwe/cwe-036
* external/cwe/cwe-073
* experimental
*/
import csharp


@@ -7,6 +7,7 @@
* @id cs/request-forgery
* @tags security
* external/cwe/cwe-918
* experimental
*/
import csharp
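Review bot: Adding `experimental` to the `@tags` of `cs/request-forgery` changes which query suites select this query; if the suite definitions (not part of this diff) exclude queries tagged `experimental`, this CWE-918 server-side request forgery check will stop running in the default security suites. Confirm that demotion is intended and that an experimental suite picks the query up, since the hunk does not show a suite change alongside the tag. The `@tags` block starts before the hunk, so any other tags it carries are not visible here.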
