Merge pull request #14830 from aibaars/csharp/fixintegrationtests

C# fix integration tests

.bazelrc

@@ -1,3 +1,9 @@
-build --repo_env=CC=clang --repo_env=CXX=clang++ --cxxopt="-std=c++17"
+common --enable_platform_specific_config
+
+build --repo_env=CC=clang --repo_env=CXX=clang++
+
+build:linux --cxxopt=-std=c++20
+build:macos --cxxopt=-std=c++20 --cpu=darwin_x86_64
+build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor
 
 try-import %workspace%/local.bazelrc

.bazelversion

@@ -1 +1 @@
-6.1.2
+6.3.1

.github/dependabot.yml

@@ -17,3 +17,26 @@ updates:
     ignore:
       - dependency-name: '*'
         update-types: ['version-update:semver-patch', 'version-update:semver-minor']
+
+  - package-ecosystem: "gomod"
+    directory: "go/extractor"
+    schedule:
+      interval: "daily"
+    allow:
+      - dependency-name: "golang.org/x/mod"
+      - dependency-name: "golang.org/x/tools"
+    groups:
+      extractor-dependencies:
+        patterns:
+          - "golang.org/x/*"
+    reviewers:
+      - "github/codeql-go"
+
+  - package-ecosystem: "gomod"
+    directory: "go/ql/test"
+    schedule:
+      interval: "monthly"
+    ignore:
+      - dependency-name: "*"
+    reviewers:
+      - "github/codeql-go"

.github/labeler.yml

@@ -45,11 +45,7 @@ documentation:
 
 # Since these are all shared files that need to be synced, just pick _one_ copy of each.
 "DataFlow Library":
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
-  - "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"
+  - "shared/dataflow/**/*"
 
 "ATM":
   - javascript/ql/experimental/adaptivethreatmodeling/**/*

.github/workflows/check-change-note.yml

@@ -9,26 +9,42 @@ on:
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
       - "*/ql/lib/**/*.yml"
+      - "shared/**/*.ql"
+      - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
+    env: 
+      REPO: ${{ github.repository }}
+      PULL_REQUEST_NUMBER: ${{ github.event.number }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-latest
     steps:
+
       - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
         if: |
           github.event.pull_request.draft == false &&
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
-          grep true -c
+          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
+          
+          if [ -z "$change_note_files" ]; then
+            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
+            exit 1
+          fi
+
+          echo "Change notes found:"
+          echo "$change_note_files"
+
       - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
-          grep true -c
+          bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
+
+          if [ -n "$bad_change_note_file_names" ]; then
+            echo "The following change note file names are invalid:"
+            echo "$bad_change_note_file_names"
+            exit 1
+          fi

.github/workflows/check-implicit-this.yml

@@ -0,0 +1,29 @@
+name: "Check implicit this warnings"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - "**qlpack.yml"
+    branches:
+      - main
+      - "rc/*"
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check that implicit this warnings is enabled for all packs
+        shell: bash
+        run: |
+          EXIT_CODE=0
+          packs="$(find . -iname 'qlpack.yml')"
+          for pack_file in ${packs}; do
+            option="$(yq '.warnOnImplicitThis' ${pack_file})"
+            if [ "${option}" != "true" ]; then
+              echo "::error file=${pack_file}::warnOnImplicitThis property must be set to 'true' for pack ${pack_file}"
+              EXIT_CODE=1
+            fi
+          done
+          exit "${EXIT_CODE}"

.github/workflows/check-qldoc.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
 

.github/workflows/check-query-ids.yml

@@ -16,6 +16,6 @@ jobs:
     name: Check query IDs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check for duplicate query IDs
         run: python3 misc/scripts/check-query-ids.py

.github/workflows/codeql-analysis.yml

@@ -33,7 +33,7 @@ jobs:
         dotnet-version: 7.0.102
 
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/compile-queries.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest-xl
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:
@@ -29,9 +29,9 @@ jobs:
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500

.github/workflows/csharp-qltest.yml

@@ -29,7 +29,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -52,8 +52,7 @@ jobs:
       matrix:
         slice: ["1/2", "2/2"]
     steps:
-      - uses: actions/checkout@v3
-      - uses: ./.github/actions/fetch-codeql
+      - uses: actions/checkout@v4
       - uses: ./csharp/actions/create-extractor-pack
       - name: Cache compilation cache
         id: query-cache
@@ -62,25 +61,41 @@ jobs:
           key: csharp-qltest-${{ matrix.slice }}
       - name: Run QL tests
         run: |
-          CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)
-          # The legacy ASP extractor is not in this repo, so take the one from the nightly build
-          mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
-          # Safe guard against using the bundled extractor
-          rm -rf "$CODEQL_PATH/csharp"
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-2019]
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup dotnet
         uses: actions/setup-dotnet@v3
         with:
           dotnet-version: 7.0.102
       - name: Extractor unit tests
         run: |
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
-          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 autobuilder/Semmle.Autobuild.CSharp.Tests
           dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
+        shell: bash
+  stubgentest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Run stub generator tests
+        run: |
+          # Generate (Asp)NetCore stubs
+          STUBS_PATH=stubs_output
+          python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
+          rm -rf ql/test/resources/stubs/_frameworks
+          # Update existing stubs in the repo with the freshly generated ones
+          mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
+          git status
+          codeql test run --threads=0 --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/csv-coverage-metrics.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -31,11 +31,11 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: merge
       - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 2
           path: base
@@ -89,9 +89,32 @@ jobs:
       - name: Save PR number
         run: |
           mkdir -p pr
-          echo ${{ github.event.pull_request.number }} > pr/NR
+          echo ${PR_NUMBER} > pr/NR
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
       - name: Upload PR number
         uses: actions/upload-artifact@v3
         with:
           name: pr
           path: pr/
+      - name: Save comment ID (if it exists)
+        run: |
+          # Find the latest comment starting with COMMENT_PREFIX
+          COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
+          COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
+          if [[ -z ${COMMENT_ID} ]]
+          then
+            echo "Comment not found. Not uploading 'comment/ID' artifact."
+          else
+            mkdir -p comment
+            echo ${COMMENT_ID} > comment/ID
+          fi
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+      - name: Upload comment ID (if it exists)
+        uses: actions/upload-artifact@v3
+        with:
+          name: comment
+          path: comment/
+          if-no-files-found: ignore

.github/workflows/csv-coverage-pr-comment.yml

@@ -20,7 +20,7 @@ jobs:
         GITHUB_CONTEXT: ${{ toJSON(github.event) }}
       run: echo "$GITHUB_CONTEXT"
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Set up Python 3.8
       uses: actions/setup-python@v4
       with:

.github/workflows/csv-coverage-timeseries.yml

@@ -9,11 +9,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: codeqlModels
           fetch-depth: 0

.github/workflows/csv-coverage-update.yml

@@ -17,7 +17,7 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: ql
           fetch-depth: 0

.github/workflows/csv-coverage.yml

@@ -13,11 +13,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: codeqlModels
           ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}

.github/workflows/fast-forward.yml

@@ -25,7 +25,7 @@ jobs:
           exit 1
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Git config
         shell: bash

.github/workflows/go-tests-other-os.yml

@@ -7,19 +7,21 @@ on:
       - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
+env:
+  GO_VERSION: '~1.21.0'
 jobs:
   test-mac:
     name: Test MacOS
     runs-on: macos-latest
     steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql
@@ -47,14 +49,14 @@ jobs:
     name: Test Windows
     runs-on: windows-latest-xl
     steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql

.github/workflows/go-tests.yml

@@ -15,19 +15,21 @@ on:
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
+env:
+  GO_VERSION: '~1.21.0'
 jobs:
   test-linux:
     name: Test Linux (Ubuntu)
     runs-on: ubuntu-latest-xl
     steps:
-      - name: Set up Go 1.20
+      - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql

.github/workflows/js-ml-tests.yml

@@ -1,65 +0,0 @@
-name: JS ML-powered queries tests
-
-on:
-  push:
-    paths:
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-      - .github/workflows/js-ml-tests.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
-  pull_request:
-    paths:
-      - "javascript/ql/experimental/adaptivethreatmodeling/**"
-      - .github/workflows/js-ml-tests.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-  workflow_dispatch:
-
-defaults:
-  run:
-    working-directory: javascript/ql/experimental/adaptivethreatmodeling
-
-jobs:
-  qltest:
-    name: Test QL
-    runs-on: ubuntu-latest-xl
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - name: Install pack dependencies
-        run: |
-          for pack in modelbuilding src test; do
-            codeql pack install --mode verify -- "${pack}"
-          done
-      
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: js-ml-test
-
-      - name: Check QL compilation
-        run: |
-          codeql query compile \
-            --check-only \
-            --ram 50000 \
-            --additional-packs "${{ github.workspace }}" \
-            --threads=0 \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            lib modelbuilding src
-
-      - name: Run QL tests
-        run: |
-          codeql test run \
-            --threads=0 \
-            --ram 50000 \
-            --additional-packs "${{ github.workspace }}" \
-            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
-            -- \
-            test

.github/workflows/mad_modelDiff.yml

@@ -27,12 +27,12 @@ jobs:
         slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
     steps:
       - name: Clone github/codeql from PR
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         if: github.event.pull_request
         with:
           path: codeql-pr
       - name: Clone github/codeql from main
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: codeql-main
           ref: main

.github/workflows/mad_regenerate-models.yml

@@ -27,11 +27,11 @@ jobs:
             ref: "placeholder"
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup CodeQL binaries
         uses: ./.github/actions/fetch-codeql
       - name: Clone repositories
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: repos/${{ matrix.ref }}
           ref: ${{ matrix.ref }}

.github/workflows/qhelp-pr-preview.yml

@@ -43,7 +43,7 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
           persist-credentials: false

.github/workflows/ql-for-ql-build.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       ### Build the queries ###
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Find codeql

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -21,7 +21,7 @@ jobs:
           - github/codeql
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Find codeql
         id: find-codeql
@@ -42,7 +42,7 @@ jobs:
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -71,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
         with:
           name: measurements

.github/workflows/ql-for-ql-tests.yml

@@ -21,7 +21,7 @@ jobs:
   qltest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@v2
@@ -61,7 +61,7 @@ jobs:
     needs: [qltest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install GNU tar 
         if: runner.os == 'macOS'
         run: |

.github/workflows/query-list.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         path: codeql 
     - name: Set up Python 3.8

.github/workflows/ruby-build.yml

@@ -42,7 +42,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |
@@ -113,7 +113,7 @@ jobs:
   compile-queries:
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Cache compilation cache
@@ -145,7 +145,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, compile-queries]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
         with:
           name: ruby.dbscheme
@@ -206,7 +206,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [package]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 

.github/workflows/ruby-dataset-measure.yml

@@ -27,14 +27,14 @@ jobs:
         repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: ./.github/actions/fetch-codeql
 
       - uses: ./ruby/actions/create-extractor-pack
 
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
         with:
           name: measurements

.github/workflows/ruby-qltest.yml

@@ -14,6 +14,7 @@ on:
   pull_request:
     paths:
       - "ruby/**"
+      - "shared/**"
       - .github/workflows/ruby-qltest.yml
       - .github/actions/fetch-codeql/action.yml
       - codeql-workspace.yml
@@ -32,7 +33,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -53,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache

.github/workflows/swift.yml

@@ -39,31 +39,31 @@ jobs:
   build-and-test-macos:
     runs-on: macos-12-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
   build-and-test-linux:
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
   qltests-linux:
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests
   qltests-macos:
     if : ${{ github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests
   integration-tests-linux:
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-integration-tests
   integration-tests-macos:
     if : ${{ github.event_name == 'pull_request' }}
@@ -71,13 +71,13 @@ jobs:
     runs-on: macos-12-xl
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./swift/actions/run-integration-tests
   codegen:
     if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: bazelbuild/setup-bazelisk@v2
       - uses: actions/setup-python@v4
         with:
@@ -102,6 +102,6 @@ jobs:
     if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: ./swift/actions/database-upgrade-scripts

.github/workflows/sync-files.yml

@@ -14,7 +14,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check synchronized files
         run: python config/sync-files.py
       - name: Check dbscheme fragments

.github/workflows/tree-sitter-extractor-test.yml

@@ -27,7 +27,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check formatting
         run: cargo fmt --all -- --check
       - name: Run tests
@@ -35,12 +35,12 @@ jobs:
   fmt:
     runs-on: ubuntu-latest  
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Check formatting
         run: cargo fmt --check
   clippy:
     runs-on: ubuntu-latest  
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Run clippy
         run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

.github/workflows/validate-change-notes.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql

.pre-commit-config.yaml

@@ -5,9 +5,9 @@ repos:
     rev: v3.2.0
     hooks:
       - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
       - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v13.0.1
@@ -21,6 +21,11 @@ repos:
       - id: autopep8
         files: ^misc/codegen/.*\.py
 
+  - repo: https://github.com/warchant/pre-commit-buildifier
+    rev: 0.0.2
+    hooks:
+      - id: buildifier
+
   - repo: local
     hooks:
       - id: codeql-format

CONTRIBUTING.md

@@ -14,14 +14,16 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
 1. **Directory structure**
 
-    There are six language-specific query directories in this repository:
+    There are eight language-specific query directories in this repository:
 
       * C/C++: `cpp/ql/src`
       * C#: `csharp/ql/src`
-      * Java: `java/ql/src`
+      * Go: `go/ql/src`
+      * Java/Kotlin: `java/ql/src`
       * JavaScript: `javascript/ql/src`
       * Python: `python/ql/src`
       * Ruby: `ruby/ql/src`
+      * Swift: `swift/ql/src`
 
     Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
     - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.

codeql-workspace.yml

@@ -4,7 +4,9 @@ provide:
   - "*/ql/test/qlpack.yml"
   - "*/ql/examples/qlpack.yml"
   - "*/ql/consistency-queries/qlpack.yml"
-  - "shared/*/qlpack.yml"
+  - "*/ql/automodel/src/qlpack.yml"
+  - "*/ql/automodel/test/qlpack.yml"
+  - "shared/**/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"
@@ -27,6 +29,7 @@ provide:
   - "swift/extractor-pack/codeql-extractor.yml"
   - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
+  - ".github/codeql/extensions/**/codeql-pack.yml"
 
 versionPolicies:
   default:

config/identical-files.json

@@ -1,24 +1,4 @@
 {
-  "DataFlow Java/C++/C#/Go/Python/Ruby/Swift": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlow.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlow.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlow.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlow.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlow.qll"
-  ],
-  "DataFlowImpl Java/C++/C#/Go/Python/Ruby/Swift": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
-  ],
   "DataFlow Java/C++/C#/Go/Python/Ruby/Swift Legacy Configuration": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
@@ -42,37 +22,14 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
     "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll",
     "go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplForStringsNewReplacer.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
   ],
-  "DataFlow Java/C++/C#/Go/Python/Ruby/Swift Common": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll"
-  ],
-  "TaintTracking Java/C++/C#/Go/Python/Ruby/Swift": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTracking.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTracking.qll"
-  ],
   "TaintTracking Legacy Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
@@ -96,15 +53,6 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
-  "DataFlow Java/C++/C#/Python/Ruby/Swift Consistency checks": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll",
-    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll"
-  ],
   "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
@@ -514,15 +462,14 @@
     "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
     "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
   ],
-  "CFG": [
-    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
-    "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll",
-    "swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImplShared.qll"
-  ],
   "TypeTracker": [
     "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
     "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
   ],
+  "SummaryTypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
+  ],
   "AccessPathSyntax": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
     "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
@@ -551,22 +498,6 @@
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
     "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
   ],
-  "TaintedFormatStringQuery Ruby/JS": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
-    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
-  ],
-  "TaintedFormatStringCustomizations Ruby/JS": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
-    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
-  ],
-  "HttpToFileAccessQuery JS/Ruby": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
-    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
-  ],
-  "HttpToFileAccessCustomizations JS/Ruby": [
-    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
-    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
-  ],
   "Typo database": [
     "javascript/ql/src/Expressions/TypoDatabase.qll",
     "ql/ql/src/codeql_ql/style/TypoDatabase.qll"
@@ -598,5 +529,9 @@
   "EncryptionKeySizes Python/Java": [
     "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
     "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
+  ],
+  "Python model summaries test extension": [
+    "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
+    "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ]
 }

cpp/BUILD.bazel

@@ -1,12 +1,17 @@
-package(default_visibility = ["//visibility:public"])
-
 load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
 
+package(default_visibility = ["//visibility:public"])
+
 alias(
     name = "dbscheme",
     actual = "//cpp/ql/lib:dbscheme",
 )
 
+alias(
+    name = "dbscheme-stats",
+    actual = "//cpp/ql/lib:dbscheme-stats",
+)
+
 pkg_filegroup(
     name = "db-files",
     srcs = [

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -145,9 +145,9 @@ namespace Semmle.Autobuild.Cpp.Tests
 
         bool IBuildActions.IsMacOs() => IsMacOs;
 
-        public bool IsArm { get; set; }
+        public bool IsRunningOnAppleSilicon { get; set; }
 
-        bool IBuildActions.IsArm() => IsArm;
+        bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
 
         string IBuildActions.PathCombine(params string[] parts)
         {
@@ -327,7 +327,7 @@ namespace Semmle.Autobuild.Cpp.Tests
         {
             Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
             Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
-            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
+            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
             Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
             Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
             Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = 0;

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/builtintypes.ql

@@ -0,0 +1,19 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if
+    type instanceof @fp16 or
+    type instanceof @std_bfloat16 or
+    type instanceof @std_float16 or
+    type instanceof @complex_std_float32 or
+    type instanceof @complex_float32x or
+    type instanceof @complex_std_float64 or
+    type instanceof @complex_float64x or
+    type instanceof @complex_std_float128
+  then kind_new = 2
+  else kind_new = kind
+select type, name, kind_new, size, sign, alignment

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties

@@ -0,0 +1,3 @@
+description: Introduce new floating-point types from C23 and C++23
+compatibility: backwards
+builtintypes.rel: run builtintypes.qlo

cpp/downgrades/8cba93a44180e0d50a80a660950800d822b981fc/upgrade.properties

@@ -0,0 +1,2 @@
+description: Removed @assignpaddexpr and @assignpsubexpr from @assign_bitwise_expr
+compatibility: full

cpp/downgrades/d77c09d8bdc172c9201dec293de1e14c931d3f05/upgrade.properties

@@ -0,0 +1,2 @@
+description: Remove _Float128 type
+compatibility: full

cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/upgrade.properties

@@ -0,0 +1,2 @@
+description: Make __is_trivial a builtin operation
+compatibility: full

cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties

@@ -0,0 +1,3 @@
+description: Introduce extractor version numbers
+compatibility: breaking
+extractor_version.rel: delete

cpp/downgrades/qlpack.yml

@@ -2,3 +2,4 @@ name: codeql/cpp-downgrades
 groups: cpp
 downgrades: .
 library: true
+warnOnImplicitThis: true

cpp/ql/examples/qlpack.yml

@@ -4,3 +4,4 @@ groups:
   - examples
 dependencies:
   codeql/cpp-all: ${workspace}
+warnOnImplicitThis: true

cpp/ql/lib/BUILD.bazel

@@ -1,7 +1,7 @@
-package(default_visibility = ["//cpp:__pkg__"])
-
 load("@rules_pkg//:mappings.bzl", "pkg_files")
 
+package(default_visibility = ["//cpp:__pkg__"])
+
 pkg_files(
     name = "dbscheme",
     srcs = ["semmlecode.cpp.dbscheme"],

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,121 @@
+## 0.12.0
+
+### Breaking Changes
+
+* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
+
+### Minor Analysis Improvements
+
+* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
+* Added models for `strlcpy` and `strlcat`.
+* Added models for the `sprintf` variants from the `StrSafe.h` header.
+* Added SQL API models for `ODBC`.
+* Added taint models for `realloc` and related functions.
+
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.
+
+## 0.10.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+
+## 0.10.0
+
+### Minor Analysis Improvements
+
+* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
+ non-returning in the IR and dataflow.
+* Treat functions that reach the end of the function as returning in the IR.
+  They used to be treated as unreachable but it is allowed in C. 
+* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
+
+## 0.9.3
+
+No user-facing changes.
+
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
+
+## 0.9.1
+
+No user-facing changes.
+
+## 0.9.0
+
+### Breaking Changes
+
+* The `shouldPrintFunction` predicate from `PrintAstConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
+* The `shouldPrintFunction` predicate from `PrintIRConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
+
+### Major Analysis Improvements
+
+* The `PrintAST` library now also prints global and namespace variables and their initializers.
+
+### Minor Analysis Improvements
+
+* The `_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
+
+## 0.8.1
+
+### Deprecated APIs
+
+* The library `semmle.code.cpp.dataflow.DataFlow` has been deprecated. Please use `semmle.code.cpp.dataflow.new.DataFlow` instead.
+
+### New Features
+
+* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. 
+  Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+
+### Minor Analysis Improvements
+
+* Data flow configurations can now include a predicate `neverSkip(Node node)`
+  in order to ensure inclusion of certain nodes in the path explanations. The
+  predicate defaults to the end-points of the additional flow steps provided in
+  the configuration, which means that such steps now always are visible by
+  default in path explanations.
+* The `IRGuards` library has improved handling of pointer addition and subtraction operations.
+
+## 0.8.0
+
+### New Features
+
+* The `ProductFlow::StateConfigSig` signature now includes default predicates for `isBarrier1`, `isBarrier2`, `isAdditionalFlowStep1`, and `isAdditionalFlowStep1`. Hence, it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `getURL` predicate from the `Container`, `Folder`, and `File` classes. Use the `getLocation` predicate instead.
+
+## 0.7.4
+
+No user-facing changes.
+
 ## 0.7.3
 
 ### Minor Analysis Improvements

cpp/ql/lib/change-notes/released/0.10.0.md

@@ -0,0 +1,9 @@
+## 0.10.0
+
+### Minor Analysis Improvements
+
+* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
+ non-returning in the IR and dataflow.
+* Treat functions that reach the end of the function as returning in the IR.
+  They used to be treated as unreachable but it is allowed in C. 
+* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.

cpp/ql/lib/change-notes/released/0.10.1.md

@@ -0,0 +1,6 @@
+## 0.10.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

cpp/ql/lib/change-notes/released/0.11.0.md

@@ -0,0 +1,14 @@
+## 0.11.0
+
+### Breaking Changes
+
+* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
+
+### New Features
+
+* Added a new class `AdditionalCallTarget` for specifying additional call targets.
+
+### Minor Analysis Improvements
+
+* More field accesses are identified as `ImplicitThisFieldAccess`.
+* Added support for new floating-point types in C23 and C++23.

cpp/ql/lib/change-notes/released/0.12.0.md

@@ -0,0 +1,13 @@
+## 0.12.0
+
+### Breaking Changes
+
+* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
+
+### Minor Analysis Improvements
+
+* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
+* Added models for `strlcpy` and `strlcat`.
+* Added models for the `sprintf` variants from the `StrSafe.h` header.
+* Added SQL API models for `ODBC`.
+* Added taint models for `realloc` and related functions.

cpp/ql/lib/change-notes/released/0.7.4.md

@@ -0,0 +1,3 @@
+## 0.7.4
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.8.0.md

@@ -0,0 +1,9 @@
+## 0.8.0
+
+### New Features
+
+* The `ProductFlow::StateConfigSig` signature now includes default predicates for `isBarrier1`, `isBarrier2`, `isAdditionalFlowStep1`, and `isAdditionalFlowStep1`. Hence, it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `getURL` predicate from the `Container`, `Folder`, and `File` classes. Use the `getLocation` predicate instead.

cpp/ql/lib/change-notes/released/0.8.1.md

@@ -0,0 +1,19 @@
+## 0.8.1
+
+### Deprecated APIs
+
+* The library `semmle.code.cpp.dataflow.DataFlow` has been deprecated. Please use `semmle.code.cpp.dataflow.new.DataFlow` instead.
+
+### New Features
+
+* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. 
+  Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+
+### Minor Analysis Improvements
+
+* Data flow configurations can now include a predicate `neverSkip(Node node)`
+  in order to ensure inclusion of certain nodes in the path explanations. The
+  predicate defaults to the end-points of the additional flow steps provided in
+  the configuration, which means that such steps now always are visible by
+  default in path explanations.
+* The `IRGuards` library has improved handling of pointer addition and subtraction operations.

cpp/ql/lib/change-notes/released/0.9.0.md

@@ -0,0 +1,14 @@
+## 0.9.0
+
+### Breaking Changes
+
+* The `shouldPrintFunction` predicate from `PrintAstConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
+* The `shouldPrintFunction` predicate from `PrintIRConfiguration` has been replaced by `shouldPrintDeclaration`. Users should now override `shouldPrintDeclaration` if they want to limit the declarations that should be printed.
+
+### Major Analysis Improvements
+
+* The `PrintAST` library now also prints global and namespace variables and their initializers.
+
+### Minor Analysis Improvements
+
+* The `_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.

cpp/ql/lib/change-notes/released/0.9.1.md

@@ -0,0 +1,3 @@
+## 0.9.1
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.9.2.md

@@ -0,0 +1,14 @@
+## 0.9.2
+
+### Deprecated APIs
+
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
+
+### New Features
+
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
+
+### Minor Analysis Improvements
+
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

cpp/ql/lib/change-notes/released/0.9.3.md

@@ -0,0 +1,3 @@
+## 0.9.3
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.3
+lastReleaseVersion: 0.12.0

cpp/ql/lib/experimental/cryptography/Concepts.qll

@@ -0,0 +1,3 @@
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.modules.OpenSSL as OpenSSL

cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll

@@ -0,0 +1,239 @@
+/**
+ * Names of known cryptographic algorithms.
+ * The names are standardized into upper-case, no spaces, dashes or underscores.
+ */
+
+/**
+ * Returns a string to represent generally unknown algorithms.
+ * Predicate is to be used to get a consistent string representation
+ * for unknown algorithms.
+ */
+string unknownAlgorithm() { result = "UNKNOWN" }
+
+string getHashType() { result = "HASH" }
+
+string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" }
+
+string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" }
+
+string getKeyDerivationType() { result = "KEY_DERIVATION" }
+
+string getCipherBlockModeType() { result = "BLOCK_MODE" }
+
+string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" }
+
+string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" }
+
+string getEllipticCurveType() { result = "ELLIPTIC_CURVE" }
+
+string getSignatureType() { result = "SIGNATURE" }
+
+string getKeyExchangeType() { result = "KEY_EXCHANGE" }
+
+string getAsymmetricType() {
+  result in [
+      getAsymmetricEncryptionType(), getSignatureType(), getKeyExchangeType(),
+      getEllipticCurveType()
+    ]
+}
+
+predicate isKnownType(string algType) {
+  algType in [
+      getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(),
+      getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(),
+      getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType()
+    ]
+}
+
+predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) }
+
+predicate isKnownAlgorithm(string name, string algType) {
+  isHashingAlgorithm(name) and algType = "HASH"
+  or
+  isEncryptionAlgorithm(name, algType) and
+  algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"]
+  or
+  isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION"
+  or
+  isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE"
+  or
+  isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"]
+  or
+  isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE"
+  or
+  isSignatureAlgorithm(name) and algType = "SIGNATURE"
+  or
+  isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE"
+}
+
+/**
+ * Holds if `name` is a known hashing algorithm in the model/library.
+ */
+predicate isHashingAlgorithm(string name) {
+  name =
+    [
+      "BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224",
+      "SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256",
+      "SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD",
+      "RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1",
+      "MDC2", "SIPHASH"
+    ]
+}
+
+predicate isEncryptionAlgorithm(string name, string algType) {
+  isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION"
+  or
+  isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION"
+}
+
+predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) }
+
+/**
+ * Holds if `name` corresponds to a known symmetric encryption algorithm.
+ */
+predicate isSymmetricEncryptionAlgorithm(string name) {
+  // NOTE: AES is meant to caputure all possible key lengths
+  name =
+    [
+      "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5",
+      "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20",
+      "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789",
+      "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012",
+      "GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES",
+      "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5",
+      "RC5", "MAGMA", "KUZNYECHIK"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known key derivation algorithm.
+ */
+predicate isKeyDerivationAlgorithm(string name) {
+  name =
+    [
+      "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF",
+      "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT",
+      "X963KDF", "EVPKDF"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known cipher block mode
+ */
+predicate isCipherBlockModeAlgorithm(string name) {
+  name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"]
+}
+
+/**
+ * Holds if `name` corresponds to a known padding algorithm
+ */
+predicate isPaddingAlgorithm(string name, string algType) {
+  isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING"
+  or
+  isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING"
+}
+
+/**
+ * holds if `name` corresponds to a known symmetric padding algorithm
+ */
+predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] }
+
+/**
+ * Holds if `name` corresponds to a known asymmetric padding algorithm
+ */
+predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] }
+
+predicate isBrainpoolCurve(string curveName, int keySize) {
+  // ALL BRAINPOOL CURVES
+  keySize in [160, 192, 224, 256, 320, 384, 512] and
+  (
+    curveName = "BRAINPOOLP" + keySize.toString() + "R1"
+    or
+    curveName = "BRAINPOOLP" + keySize.toString() + "T1"
+  )
+}
+
+predicate isSecCurve(string curveName, int keySize) {
+  // ALL SEC CURVES
+  keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and
+  exists(string suff | suff in ["R1", "R2", "K1"] |
+    curveName = "SECT" + keySize.toString() + suff or
+    curveName = "SECP" + keySize.toString() + suff
+  )
+}
+
+predicate isC2Curve(string curveName, int keySize) {
+  // ALL C2 CURVES
+  keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and
+  exists(string pre, string suff |
+    pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"]
+  |
+    curveName = "C2" + pre + keySize.toString() + suff
+  )
+}
+
+predicate isPrimeCurve(string curveName, int keySize) {
+  // ALL PRIME CURVES
+  keySize in [192, 239, 256] and
+  exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff)
+}
+
+predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) }
+
+/**
+ * Holds if `name` corresponds to a known elliptic curve.
+ */
+predicate isEllipticCurveAlgorithm(string curveName, int keySize) {
+  isSecCurve(curveName, keySize)
+  or
+  isBrainpoolCurve(curveName, keySize)
+  or
+  isC2Curve(curveName, keySize)
+  or
+  isPrimeCurve(curveName, keySize)
+  or
+  curveName = "ES256" and keySize = 256
+  or
+  curveName = "CURVE25519" and keySize = 255
+  or
+  curveName = "X25519" and keySize = 255
+  or
+  curveName = "ED25519" and keySize = 255
+  or
+  curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size
+  or
+  curveName = "ED448" and keySize = 448
+  or
+  curveName = "X448" and keySize = 448
+  or
+  curveName = "NUMSP256T1" and keySize = 256
+  or
+  curveName = "NUMSP384T1" and keySize = 384
+  or
+  curveName = "NUMSP512T1" and keySize = 512
+  or
+  curveName = "SM2" and keySize in [256, 512]
+}
+
+/**
+ * Holds if `name` corresponds to a known signature algorithm.
+ */
+predicate isSignatureAlgorithm(string name) {
+  name =
+    [
+      "DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256",
+      "ECDSA384", "ECDSA512"
+    ]
+}
+
+/**
+ * Holds if `name` is a key exchange algorithm.
+ */
+predicate isKeyExchangeAlgorithm(string name) {
+  name = ["ECDH", "DH", "DIFFIEHELLMAN", "X25519", "X448"]
+}
+
+/**
+ * Holds if `name` corresponds to a known asymmetric encryption.
+ */
+predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] }

cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll

@@ -0,0 +1,316 @@
+import cpp
+private import experimental.cryptography.CryptoAlgorithmNames
+import semmle.code.cpp.ir.dataflow.TaintTracking
+
+/*
+ * A cryptographic artifact is a DataFlow::Node associated with some
+ * operation, algorithm, or any other aspect of cryptography.
+ */
+
+abstract class CryptographicArtifact extends Expr { }
+
+// /**
+//  * Associates a symmetric encryption algorithm with a block mode.
+//  * The DataFlow::Node representing this association should be the
+//  * point where the algorithm and block mode are combined.
+//  * This may be at the call to encryption or in the construction
+//  * of an object prior to encryption.
+//  */
+// abstract class SymmetricCipher extends CryptographicArtifact{
+//   abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
+//   abstract BlockMode getBlockMode();
+//   final predicate hasBlockMode(){
+//     exists(this.getBlockMode())
+//   }
+// }
+// /**
+//  * A cryptographic operation is a method call that invokes a cryptographic
+//  * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm
+//  * (key generation).
+//  *
+//  * Since operations are related to or in support of algorithms, operations must
+//  * provide a reference to their associated algorithm. Often operataions themselves
+//  * encapsulate algorithms, so operations can also extend CryptographicAlgorithm
+//  * and refer to themselves as the target algorithm.
+//  */
+// abstract class CryptographicOperation extends CryptographicArtifact, Call{
+//   // bindingset[paramName, ind]
+//   // final DataFlow::Node getParameterSource(int ind, string paramName){
+//   //   result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName))
+//   // }
+//   final string getAlgorithmName(){
+//     if exists(this.getAlgorithm().getName())
+//     then result = this.getAlgorithm().getName()
+//     else result = unknownAlgorithm()
+//   }
+//   final predicate hasAlgorithm(){
+//     exists(this.getAlgorithm())
+//   }
+//   final predicate isUnknownAlgorithm(){
+//     this.getAlgorithmName() = unknownAlgorithm()
+//     or
+//     not this.hasAlgorithm()
+//   }
+//   // TODO: this might have to be parameterized by a configuration source for
+//   //       situations where an operation is passed an algorithm
+//   abstract CryptographicAlgorithm getAlgorithm();
+// }
+// /** A key generation operation for asymmetric keys */
+// abstract class KeyGen extends CryptographicOperation{
+//   int getAKeySizeInBits(){
+//     result = getKeySizeInBits(_)
+//   }
+//   final predicate hasKeySize(Expr configSrc){
+//     exists(this.getKeySizeInBits(configSrc))
+//   }
+//   final predicate hasKeySize(){
+//     exists(this.getAKeySizeInBits())
+//   }
+//   abstract Expr getKeyConfigSrc();
+//   abstract int getKeySizeInBits(Expr configSrc);
+// }
+abstract class CryptographicOperation extends CryptographicArtifact, Call { }
+
+abstract class KeyGeneration extends CryptographicOperation {
+  // TODO: what if the algorithm is UNKNOWN?
+  abstract Expr getKeyConfigurationSource(CryptographicAlgorithm alg);
+
+  abstract CryptographicAlgorithm getAlgorithm();
+
+  int getKeySizeInBits(CryptographicAlgorithm alg) {
+    result = this.getKeyConfigurationSource(alg).(Literal).getValue().toInt()
+  }
+
+  predicate hasConstantKeySize(CryptographicAlgorithm alg) { exists(this.getKeySizeInBits(alg)) }
+
+  predicate hasKeyConfigurationSource(CryptographicAlgorithm alg) {
+    exists(this.getKeyConfigurationSource(alg))
+  }
+
+  Expr getAKeyConfigurationSource() { result = this.getKeyConfigurationSource(_) }
+}
+
+abstract class AsymmetricKeyGeneration extends KeyGeneration { }
+
+abstract class SymmetricKeyGeneration extends KeyGeneration { }
+
+/**
+ * A cryptographic algorithm is a `CryptographicArtifact`
+ * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`).
+ * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5)
+ * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")).
+ * Cryptogrpahic algorithms may also be operations that wrap or abstract one or
+ * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7).
+ *
+ * In principle, this class should model the location where an algorithm enters the program, not
+ * necessarily where it is used.
+ */
+abstract class CryptographicAlgorithm extends CryptographicArtifact {
+  abstract string getName();
+
+  abstract string getAlgType();
+
+  //  string getAlgType(){
+  //   if this instanceof HashAlgorithm then result = getHashType()
+  //   else if this instanceof KeyDerivationAlgorithm then result = getKeyDerivationType()
+  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricEncryptionType()
+  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricEncryptionType()
+  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricPaddingType()
+  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricPaddingType()
+  //   else if this instanceof EllipticCurveAlgorithm then result = getEllipticCurveType()
+  //   else if this instanceof BlockMode then result = getCipherBlockModeType()
+  //   else if this instanceof KeyExchangeAlgorithm then result = getKeyExchangeType()
+  //   else if this instanceof SigningAlgorithm then result = getSignatureType()
+  //   else result = unknownAlgorithm()
+  // }
+  // TODO: handle case where name isn't known, not just unknown?
+  /**
+   * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
+   * Subclassess should override for more api-specific normalization.
+   * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
+   */
+  bindingset[s]
+  string normalizeName(string s) {
+    exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+      result = normStr and isKnownAlgorithm(result)
+      or
+      result = unknownAlgorithm() and not isKnownAlgorithm(normStr)
+    )
+  }
+
+  abstract Expr configurationSink();
+
+  predicate hasConfigurationSink() { exists(this.configurationSink()) }
+}
+
+abstract class HashAlgorithm extends CryptographicAlgorithm {
+  final string getHashName() {
+    if exists(string n | n = this.getName() and isHashingAlgorithm(n))
+    then isHashingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getHashType() }
+}
+
+abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm {
+  final string getKDFName() {
+    if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n))
+    then isKeyDerivationAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getKeyDerivationType() }
+}
+
+// abstract class KeyDerivationOperation extends CryptographicOperation{
+//   DataFlow::Node getIterationSizeSrc(){
+//     none()
+//   }
+//   DataFlow::Node getSaltConfigSrc(){
+//     none()
+//   }
+//   DataFlow::Node getHashConfigSrc(){
+//     none()
+//   }
+//   // TODO: get encryption algorithm for CBC-based KDF?
+//   DataFlow::Node getDerivedKeySizeSrc(){
+//     none()
+//   }
+//   DataFlow::Node getModeSrc(){
+//     none()
+//   }
+//   // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type?
+//   abstract predicate requiresIteration();
+//   abstract predicate requiresSalt();
+//   abstract predicate requiresHash();
+//   //abstract predicate requiresKeySize(); // Going to assume all requires a size
+//   abstract predicate requiresMode();
+// }
+abstract class EncryptionAlgorithm extends CryptographicAlgorithm {
+  final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm }
+
+  final predicate isSymmetric() { not this.isAsymmetric() }
+  // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent
+  //       class does not have this common predicate.
+}
+
+/**
+ * A parent class to represent any algorithm for which
+ * asymmetric cryptography is involved.
+ * Intended to be distinct from AsymmetricEncryptionAlgorithm
+ * which is intended only for asymmetric algorithms that specifically encrypt.
+ */
+abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { }
+
+/**
+ * Algorithms directly or indirectly related to asymmetric encryption,
+ * e.g., RSA, DSA, but also RSA padding algorithms
+ */
+abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n))
+    then isAsymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getAsymmetricEncryptionType() }
+}
+
+/**
+ * Algorithms directly or indirectly related to symmetric encryption,
+ * e.g., AES, DES, but also block modes and padding
+ */
+abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  // TODO: add a stream cipher predicate?
+  override string getAlgType() { result = getSymmetricEncryptionType() }
+}
+
+// Used only to categorize all padding into a single object,
+// DO_NOT add predicates here. Only for categorization purposes.
+abstract class PaddingAlgorithm extends CryptographicAlgorithm { }
+
+abstract class SymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n))
+    then isSymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getSymmetricPaddingType() }
+}
+
+abstract class AsymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n))
+    then isAsymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getAsymmetricPaddingType() }
+}
+
+abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm {
+  final string getCurveName() {
+    if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n))
+    then isEllipticCurveAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) }
+
+  override string getAlgType() { result = getEllipticCurveType() }
+}
+
+abstract class BlockModeAlgorithm extends CryptographicAlgorithm {
+  final string getBlockModeName() {
+    if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
+    then isCipherBlockModeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  /**
+   * Gets the source of the IV configuration.
+   */
+  abstract Expr getIVorNonce();
+
+  final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
+
+  override string getAlgType() { result = getCipherBlockModeType() }
+}
+
+// abstract class KeyWrapOperation extends CryptographicOperation{
+// }
+abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm {
+  final string getAuthticatedEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm {
+  final string getKeyExchangeName() {
+    if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))
+    then isKeyExchangeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getKeyExchangeType() }
+}
+
+abstract class SigningAlgorithm extends AsymmetricAlgorithm {
+  final string getSigningName() {
+    if exists(string n | n = this.getName() and isSignatureAlgorithm(n))
+    then isSignatureAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  override string getAlgType() { result = getSignatureType() }
+}

cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll

@@ -0,0 +1,718 @@
+import cpp
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.utils.OpenSSL.CryptoFunction
+import experimental.cryptography.utils.OpenSSL.AlgorithmSink
+import experimental.cryptography.utils.OpenSSL.PassthroughFunction
+import experimental.cryptography.utils.OpenSSL.CryptoAlgorithm
+import experimental.cryptography.CryptoArtifact
+// import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.DataFlow
+
+/**
+ *  Problematic case in OpenSSL speed.c
+ *    static const char *names[ALGOR_NUM] = {
+ *        "md2", "mdc2", "md4", "md5", "sha1", "rmd160",
+ *        "sha256", "sha512", "whirlpool", "hmac(md5)",
+ *        "des-cbc", "des-ede3", "rc4", "idea-cbc", "seed-cbc",
+ *        "rc2-cbc", "rc5-cbc", "blowfish", "cast-cbc",
+ *        "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
+ *        "camellia-128-cbc", "camellia-192-cbc", "camellia-256-cbc",
+ *        "evp", "ghash", "rand", "cmac"
+ *    };
+ *
+ *    Every entry is considered a block mode, hash, and symmetric encryption algorithm
+ *    getEncryptionName for example, will return unknown
+ */
+predicate nodeToExpr(DataFlow::Node node, Expr e) {
+  e = node.asExpr() or e = node.asIndirectArgument()
+}
+
+Expr getExprFromNode(DataFlow::Node node) { nodeToExpr(node, result) }
+
+DataFlow::Node getNodeFromExpr(Expr e) { nodeToExpr(result, e) }
+
+predicate isEVP_PKEY_CTX(Type t) { t.getUnderlyingType().stripType().getName() = "evp_pkey_ctx_st" }
+
+/**
+ * An expression representing an EVP_PKEY_CTX* at the location of a
+ * known AlgorithmSinkArgument.
+ * The EVP_PKEY_CTX* represents the location where the CTX is tied to the algorithm,
+ * and can be used as a source for tracing EVP_PKEY_CTX to other operations.
+ */
+class Known_EVP_PKEY_CTX_Ptr_Source extends Expr {
+  Known_EVP_PKEY_CTX_Ptr_Source() {
+    isEVP_PKEY_CTX(this.getUnderlyingType()) and
+    this.getUnderlyingType() instanceof PointerType and
+    exists(AlgorithmSinkArgument arg, Call sinkCall |
+      arg.getSinkCall() = sinkCall and
+      sinkCall.getAnArgument() = this
+      or
+      this = sinkCall
+    )
+  }
+}
+
+// module CTXFlow implements DataFlow::ConfigSig{
+//     predicate isSource(DataFlow::Node source) {
+//         // ASSUMPTION: at a sink, an algorithm is converted into a CTX through a return of the call only
+//         //             and is the primary source of interest for CTX tracing
+//         source.asExpr() instanceof AlgorithmSinkArgument
+//     }
+//     predicate isSink(DataFlow::Node sink){
+//         sink.asExpr() instanceof CTXSink
+//     }
+//     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+//         //  cls.getName() = "asn1_object_st" flow out on any EVP_PKEY_CTX which is "evp_pkey_ctx_st"
+//         exists(Call c |
+//             isEVP_PKEY_CTX(c.getUnderlyingType()) and
+//             node1.asExpr() = c.getAnArgument() and c = node2.asExpr())
+//     }
+// }
+// module CTXFlowConfig = DataFlow::Global<CTXFlow>;
+// TODO: currently only handles tracing from literals to sinks
+module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof Literal and
+    // Optimization to reduce literal tracing on integers to only those that are known/relevant NIDs.
+    (
+      exists(source.asExpr().getValue().toInt())
+      implies
+      source.asExpr().getValue().toInt() < getNIDMax()
+    ) and
+    // False positives observed inside OBJ_nid2* and OBJ_sn2* functions where NULL is a possible assignment.
+    // While this is a concern, it only occurs if the object being referenced is NULL to begin with
+    // Perhaps a different query should be used to find these caes if they represent a threat.
+    // Filter out any open ssl function source in a function namae Obj_*
+    // False positives in OpenSSL also observed for CRYPTO_strndup (filtering any CRYPTO_* function)
+    // due to setting a null byte in the string
+    (
+      isPossibleOpenSSLFunction(source.getEnclosingCallable())
+      implies
+      (
+        not source.getEnclosingCallable().getName().matches("OBJ_%") and
+        not source.getEnclosingCallable().getName().matches("CRYPTO_%")
+      )
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    // A sink is a call to a function that takes an algorithm as an argument
+    // must include checks for asIndirectArgument since the input may be a pointer to an object
+    // and the member of the object holds the algorithm on the trace.
+    getExprFromNode(sink) instanceof AlgorithmSinkArgument
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    knownPassThroughStep(node1, node2)
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    // If the node is the 'next' argument of a isCallPassThrough, it is only allowed if it is an out parameter
+    // i.e., a defining argument. This barrier says that if the node is an expression not an out parameter, it is filtered.
+    // Out arguments will not be filtered.
+    exists(Call c | knownPassthoughCall(c, _, node.asExpr()) and c.getAnArgument() = node.asExpr())
+    or
+    // False positive reducer, don't flow out through argv
+    node.asVariable().hasName("argv")
+    or
+    node.asIndirectVariable().hasName("argv")
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // Assume a read on crypto identifying field for any object of type asn1_object_st (i.e., ASN1_OBJECT)
+    exists(Class cls | cls.getName() = "asn1_object_st" |
+      node.getType().getUnspecifiedType().stripType() = cls and
+      c.(DataFlow::FieldContent).getField() = cls.getAMember() and
+      c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]
+    )
+  }
+}
+
+module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;
+
+/**
+ * `source` is an expression that is a source of an algorithm of type `algType`.
+ * `algType` may be `UNKONWN`.
+ *  See CryptoAlgorithmNames for other possible values of `algType`.
+ */
+bindingset[sinkAlgType]
+predicate hasLiteralPathToAlgSink(DataFlow::Node source, DataFlow::Node sink, string sinkAlgType) {
+  LiteralAlgorithmTracer::flow(source, sink) and
+  getExprFromNode(sink).(AlgorithmSinkArgument).algType() = sinkAlgType
+}
+
+private predicate knownTracedAlgorithm(Literal e, string srcSinkType) {
+  knownTracedAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate knownTracedAlgorithm(Literal e, string srcType, string sinkType) {
+  resolveAlgorithmFromLiteral(e, _, srcType) and
+  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
+  isKnownType(sinkType) and
+  isKnownType(srcType)
+}
+
+private predicate unknownTracedLiteralAlgorithm(Literal e, string srcSinkType) {
+  // Asymmetric special case:
+  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
+  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
+  if getAsymmetricType() = srcSinkType
+  then forall(string t | t = getAsymmetricType() | unknownTracedLiteralAlgorithm(e, t, srcSinkType))
+  else unknownTracedLiteralAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate unknownTracedLiteralAlgorithm(Literal e, string srcType, string sinkType) {
+  // the literal resolves to an algorithm, but not to the sinktype
+  // or generally doesn't resolve to any algorithm type
+  // this case covers 'nonsense' cases e.g., use RSA for symmetric encryption
+  not resolveAlgorithmFromLiteral(e, _, srcType) and
+  isValidAlgorithmLiteral(e) and
+  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
+  isKnownType(sinkType) and
+  isKnownType(srcType)
+}
+
+private predicate unknownTracedNonLiteralAlgorithm(AlgorithmSinkArgument e, string srcSinkType) {
+  // Asymmetric special case:
+  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
+  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
+  if getAsymmetricType() = srcSinkType
+  then
+    forall(string t | t = getAsymmetricType() | unknownTracedNonLiteralAlgorithm(e, t, srcSinkType))
+  else unknownTracedNonLiteralAlgorithm(e, srcSinkType, srcSinkType)
+}
+
+private predicate unknownTracedNonLiteralAlgorithm(
+  AlgorithmSinkArgument e, string srcType, string sinkType
+) {
+  not hasLiteralPathToAlgSink(_, getNodeFromExpr(e), srcType) and
+  LiteralAlgorithmTracerConfig::isSink(getNodeFromExpr(e)) and
+  e.algType() = sinkType and
+  isKnownType(srcType) and
+  isKnownType(sinkType)
+}
+
+private predicate functionAlgorithm(Call c, string algType) {
+  isOpenSSLCryptoFunctionCall(c, _, algType)
+}
+
+abstract class OpenSSLTracedAlgorithm extends CryptographicAlgorithm {
+  override string getName() { resolveAlgorithmFromLiteral(this, result, this.getAlgType()) }
+
+  override Expr configurationSink() {
+    exists(DataFlow::Node sink |
+      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
+    |
+      result = getExprFromNode(sink)
+    )
+  }
+}
+
+abstract class OpenSSLFunctionAlgorithm extends CryptographicAlgorithm {
+  override string getName() { isOpenSSLCryptoFunctionCall(this, result, this.getAlgType()) }
+
+  override Expr configurationSink() { result = this }
+}
+
+abstract class OpenSSLUnknownTracedLiteralAlgorithm extends CryptographicAlgorithm {
+  override string getName() { result = unknownAlgorithm() }
+
+  override Expr configurationSink() {
+    exists(DataFlow::Node sink |
+      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
+    |
+      result = getExprFromNode(sink)
+    )
+  }
+}
+
+abstract class OpenSSLUnknownTracedNonLiteralAlgorithm extends CryptographicAlgorithm {
+  override string getName() { result = unknownAlgorithm() }
+
+  override Expr configurationSink() { result = this }
+}
+
+module SymmetricEncryption {
+  abstract class OpenSSLSymmetricEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { }
+
+  class OpenSSLSymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionTracedAlgorithm() {
+      knownTracedAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionFunctionAlgorithm() {
+      functionAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getSymmetricEncryptionType())
+    }
+  }
+}
+
+module BlockModes {
+  /**
+   * In OpenSSL, block modes are associated directly with symmetric encryption algorithms.
+   * As such, OpenSSLBLockModes are modeled as extensions of any openssl symmetric encryption algorithm
+   */
+  class OpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
+  {
+    OpenSSLBlockModeAlgorithm() {
+      //two cases, either the block mode is a literal or it is a function call
+      resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE")
+      or
+      isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
+    }
+
+    override string getName() {
+      resolveAlgorithmFromLiteral(this, result, "BLOCK_MODE")
+      or
+      isOpenSSLCryptoFunctionCall(this, result, "BLOCK_MODE")
+    }
+
+    override Expr configurationSink() {
+      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
+    }
+
+    override Expr getIVorNonce() {
+      // TODO
+      none()
+    }
+  }
+
+  class UnknownOpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
+  {
+    UnknownOpenSSLBlockModeAlgorithm() {
+      //two cases, either the block mode is a literal or it is a function call
+      not resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE") and
+      not isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() {
+      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
+    }
+
+    override Expr getIVorNonce() { none() }
+  }
+}
+
+module Hashes {
+  abstract class OpenSSLHashAlgorithm extends HashAlgorithm { }
+
+  class OpenSSLHashTracedAlgorithm extends OpenSSLTracedAlgorithm, OpenSSLHashAlgorithm {
+    OpenSSLHashTracedAlgorithm() { knownTracedAlgorithm(this, getHashType()) }
+  }
+
+  class OpenSSLHashFunctionAlgorithm extends OpenSSLFunctionAlgorithm, OpenSSLHashAlgorithm {
+    OpenSSLHashFunctionAlgorithm() { functionAlgorithm(this, getHashType()) }
+  }
+
+  class OpenSSLHashTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    OpenSSLHashAlgorithm
+  {
+    OpenSSLHashTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getHashType())
+    }
+  }
+
+  class OpenSSLHashUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    OpenSSLHashAlgorithm
+  {
+    OpenSSLHashUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getHashType())
+    }
+  }
+
+  class OpenSSLNullHash extends HashAlgorithm {
+    OpenSSLNullHash() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getTarget().getName() in ["EVP_md_null"]
+      )
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() { result = this }
+  }
+}
+
+module EllipticCurves {
+  // TODO: need to address EVP_PKEY_Q_keygen where the type is "EC" but the curve is UNKNOWN?
+  class OpenSSLEllipticCurveTracedAlgorithm extends OpenSSLTracedAlgorithm, EllipticCurveAlgorithm {
+    OpenSSLEllipticCurveTracedAlgorithm() { knownTracedAlgorithm(this, getEllipticCurveType()) }
+  }
+
+  class OpenSSLEllipticCurveFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurveFunctionAlgorithm() { functionAlgorithm(this, getEllipticCurveType()) }
+  }
+
+  class OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getEllipticCurveType())
+    }
+  }
+
+  class OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    EllipticCurveAlgorithm
+  {
+    OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getEllipticCurveType())
+    }
+  }
+
+  // https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_ex.html
+  class OpenSSLNullEllipticCurve extends EllipticCurveAlgorithm {
+    OpenSSLNullEllipticCurve() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getTarget().getName() in ["EC_KEY_new", "EC_KEY_new_ex"]
+      )
+    }
+
+    override string getName() { result = unknownAlgorithm() }
+
+    override Expr configurationSink() { result = this }
+  }
+}
+
+module AsymmetricEncryption {
+  class OpenSSLAsymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionTracedAlgorithm() {
+      knownTracedAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionFunctionAlgorithm() {
+      functionAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+
+  class OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    AsymmetricEncryptionAlgorithm
+  {
+    OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getAsymmetricEncryptionType())
+    }
+  }
+}
+
+module SigningAlgorithms {
+  class OpenSSLSignatureTracedAlgorithm extends OpenSSLTracedAlgorithm, SigningAlgorithm {
+    OpenSSLSignatureTracedAlgorithm() { knownTracedAlgorithm(this, getSignatureType()) }
+  }
+
+  class OpenSSLSignatureFunctionAlgorithm extends OpenSSLFunctionAlgorithm, SigningAlgorithm {
+    OpenSSLSignatureFunctionAlgorithm() { functionAlgorithm(this, getSignatureType()) }
+  }
+
+  class OpenSSLSignatureTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    SigningAlgorithm
+  {
+    OpenSSLSignatureTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getSignatureType())
+    }
+  }
+
+  class OpenSSLSignatureUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    SigningAlgorithm
+  {
+    OpenSSLSignatureUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getSignatureType())
+    }
+  }
+}
+
+module KeyExchange {
+  class OpenSSLKeyExchangeTracedAlgorithm extends OpenSSLTracedAlgorithm, KeyExchangeAlgorithm {
+    OpenSSLKeyExchangeTracedAlgorithm() { knownTracedAlgorithm(this, getKeyExchangeType()) }
+  }
+
+  class OpenSSLKeyExchangeFunctionAlgorithm extends OpenSSLFunctionAlgorithm, KeyExchangeAlgorithm {
+    OpenSSLKeyExchangeFunctionAlgorithm() { functionAlgorithm(this, getKeyExchangeType()) }
+  }
+
+  class OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
+    KeyExchangeAlgorithm
+  {
+    OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm() {
+      unknownTracedLiteralAlgorithm(this, getKeyExchangeType())
+    }
+  }
+
+  class OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
+    KeyExchangeAlgorithm
+  {
+    OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm() {
+      unknownTracedNonLiteralAlgorithm(this, getKeyExchangeType())
+    }
+  }
+}
+
+module KeyGeneration {
+  /**
+   * Functions that explicitly set key generation parameters.
+   * `sizeInd` is the parameter specifying the size of the key.
+   * `outInd` is the parameter or return value that the key is written to.
+   * `outInd` is -1 if the key is written to the return value.
+   */
+  predicate isAsymmetricKeyGenExplicitAlgorithm(Function func, int sizeInd, int outInd) {
+    isPossibleOpenSSLFunction(func) and
+    exists(string name | func.hasGlobalName(name) |
+      name in [
+          "EVP_PKEY_CTX_set_dsa_paramgen_bits", "DSA_generate_parameters_ex",
+          "EVP_PKEY_CTX_set_rsa_keygen_bits", "RSA_generate_key_ex", "RSA_generate_key_fips",
+          "EVP_PKEY_CTX_set_dh_paramgen_prime_len", "DH_generate_parameters_ex"
+        ] and
+      sizeInd = 1 and
+      outInd = 0
+      or
+      name in ["DSA_generate_parameters", "RSA_generate_key", "DH_generate_parameters"] and
+      sizeInd = 0 and
+      outInd = -1
+    ) and
+    exists(Type t |
+      (
+        if sizeInd = -1
+        then t = func.getType().getUnderlyingType()
+        else t = func.getParameter(sizeInd).getUnderlyingType()
+      ) and
+      t instanceof IntegralType and
+      not t instanceof CharType
+    )
+  }
+
+  module AsymExplicitAlgKeyLengthFlowConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      // Optimizations to avoid tracing all integers
+      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
+      node.asExpr().(Literal).getValue().toInt() < 8500
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(FunctionCall c, int sizeInd |
+        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), sizeInd, _) and
+        c.getArgument(sizeInd) = node.asExpr()
+      )
+    }
+  }
+
+  module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;
+
+  class OpenSSLAsymmetricKeyGenTiedToAlgorithm extends AsymmetricKeyGeneration {
+    OpenSSLAsymmetricKeyGenTiedToAlgorithm() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), _, _)
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() { result = this }
+
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
+      alg = this and
+      exists(int sizeInd |
+        isAsymmetricKeyGenExplicitAlgorithm(this.getTarget(), sizeInd, _) and
+        AsymExplicitAlgKeyLengthFlow::flow(DataFlow::exprNode(result),
+          DataFlow::exprNode(this.getArgument(sizeInd)))
+      )
+    }
+  }
+
+  module Length_to_RSA_EVP_PKEY_Q_keygen_Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      // Optimizations to avoid tracing all integers
+      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
+      node.asExpr().(Literal).getValue().toInt() < 5000
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(FunctionCall c |
+        c.getTarget().getName() = "EVP_PKEY_Q_keygen" and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        c.getArgument(3) = node.asExpr()
+      )
+    }
+  }
+
+  module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =
+    DataFlow::Global<Length_to_RSA_EVP_PKEY_Q_keygen_Config>;
+
+  class OpenSSL_RSA_EVP_PKEY_Q_keygen extends AsymmetricKeyGeneration {
+    OpenSSL_RSA_EVP_PKEY_Q_keygen() {
+      exists(Call c |
+        this = c and
+        isPossibleOpenSSLFunction(c.getTarget()) and
+        this.getTarget().getName() = "EVP_PKEY_Q_keygen" and
+        this.getArgument(3).getUnderlyingType() instanceof IntegralType
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() {
+      result.configurationSink().(AlgorithmSinkArgument).getSinkCall() = this
+    }
+
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
+      alg = this.getAlgorithm() and
+      Length_to_RSA_EVP_PKEY_Q_keygen_Flow::flow(DataFlow::exprNode(result),
+        DataFlow::exprNode(this.getArgument(3)))
+    }
+  }
+
+  predicate isKeyGenOperationWithNoSize(Function func) {
+    isPossibleOpenSSLFunction(func) and
+    exists(string name | func.hasGlobalName(name) |
+      name in ["EVP_PKEY_keygen", "DSA_generate_key", "DH_generate_key", "EVP_PKEY_generate"]
+    )
+  }
+
+  module KeyGenKeySizeInitToKeyGenConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node node) {
+      exists(Call c, Function func, int outInd |
+        isAsymmetricKeyGenExplicitAlgorithm(func, _, outInd) and
+        c.getTarget() = func
+      |
+        if outInd = -1 then node.asExpr() = c else node.asExpr() = c.getArgument(outInd)
+      )
+    }
+
+    predicate isSink(DataFlow::Node node) {
+      exists(Call c |
+        isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()
+      )
+    }
+  }
+
+  module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;
+
+  predicate isEVP_PKEY_CTX_Source(DataFlow::Node node, CryptographicAlgorithm alg) {
+    exists(Call c |
+      alg.configurationSink().(AlgorithmSinkArgument).getSinkCall() = c and
+      (
+        node.asExpr() = c
+        or
+        node.asExpr() = c.getAnArgument()
+        or
+        node.asDefiningArgument() = c.getAnArgument()
+      )
+    ) and
+    (
+      node.asExpr() instanceof Known_EVP_PKEY_CTX_Ptr_Source
+      or
+      node.asDefiningArgument() instanceof Known_EVP_PKEY_CTX_Ptr_Source
+    )
+  }
+
+  predicate isKeyGen_EVP_PKEY_CTX_Sink(DataFlow::Node node, Call c) {
+    isKeyGenOperationWithNoSize(c.getTarget()) and nodeToExpr(node, c.getAnArgument())
+  }
+
+  /**
+   * Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
+   * users can then extrapolatae the matching algorithm from the alg sink to the keygen
+   */
+  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
+
+    predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
+  }
+
+  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
+    DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize>;
+
+  /**
+   * UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
+   * is it set on context prior to the call). No path from a key configuration to these operations
+   * means the key size is UNKNOWN, or more precisely the key size is DEFAULT but
+   * the defaults can change with each version of OpenSSL, we simply assume the size is generally UNKNOWN.
+   * ASSUMPTION/TODO: we currently model all known locations where a key size is set explicitly.
+   *                 When a key is set implicitly, this usually means a key generation operation
+   *                 is called where the operation takes in no key size, and no flow to this operation
+   *                 initializes the context with a key size.
+   *                 Currently, without a definitive source (set of sources) to start tracing from, we cannot determine
+   *                 determine if a single path exists that initializes the context with a key size and another that doesn't.
+   *                 Rather than attempt to model all possible sources, we assume that if no path
+   *                 from a key config location reaches a generic key generation operation, then the key size is not set.
+   *                 NOTE: while this is true, it is possible a key size is set in one path, but not in another
+   *                 meaning this approach (and other similar approaches used in this model for UNKNOWN)
+   *                 can produce false negatives.
+   */
+  class OpenSSLDefaultKeyGeneration extends AsymmetricKeyGeneration {
+    OpenSSLDefaultKeyGeneration() {
+      // this is a call to a function matching isKeyGenOperationWithNoSize
+      // and there is no flow from a key configuration source to this call
+      exists(Call c |
+        this = c and
+        isKeyGenOperationWithNoSize(this.getTarget()) and
+        not exists(DataFlow::Node src, DataFlow::Node sink |
+          KeyGenKeySizeInitToKeyGenFlow::flow(src, sink) and
+          nodeToExpr(sink, this.getAnArgument())
+        )
+      )
+    }
+
+    override CryptographicAlgorithm getAlgorithm() {
+      if this.getTarget().getName() in ["DSA_generate_key", "DH_generate_key"]
+      then result = this
+      else
+        // NOTE/ASSUMPTION: EVP_PKEY_keygen, EVP_PKEY_generate assume only other possibilities,
+        //        each take in a CTX as the first arg, need to trace from an alg sink from this CTX param
+        // get every alg sink, get the corresponding call, trace out on any CTX type variable
+        // to the key gen
+        // NOTE: looking for any cryptographic algorithm tracing to the keygen to handle
+        //  any odd cases we aren't awaare of where keygen can be used for other algorithm types
+        exists(DataFlow::Node src, DataFlow::Node sink |
+          EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow::flow(src, sink) and
+          isEVP_PKEY_CTX_Source(src, result) and
+          isKeyGen_EVP_PKEY_CTX_Sink(sink, this)
+          // TODO: what if there is no CTX source? then the keygen becomes an UNKNOWN sink
+        )
+    }
+
+    /**
+     * For this class, there is no known configuration source for any algorithm
+     */
+    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { none() }
+  }
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll

@@ -0,0 +1,296 @@
+/**
+ * Predicates/classes for identifying algorithm sinks.
+ * An Algorithm Sink is a function that takes an algorithm as an argument.
+ * In particular, any function that takes in an algorithm that until the call
+ * the algorithm is not definitely known to be an algorithm (e.g., an integer used as an identifier to fetch an algorithm)
+ */
+
+//TODO: enforce a hierarchy of AlgorithmSinkArgument, e.g., so I can get all Asymmetric SinkArguments that includes all the strictly RSA etc.
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import experimental.cryptography.CryptoAlgorithmNames
+
+predicate isAlgorithmSink(AlgorithmSinkArgument arg, string algType) { arg.algType() = algType }
+
+abstract class AlgorithmSinkArgument extends Expr {
+  AlgorithmSinkArgument() {
+    exists(Call c | c.getAnArgument() = this and openSSLLibraryFunc(c.getTarget()))
+  }
+
+  /**
+   * Gets the function call in which the argument exists
+   */
+  Call getSinkCall() { result.getAnArgument() = this }
+
+  abstract string algType();
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
+predicate cipherAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EVP_get_cipherbyname", "EVP_get_cipherbynid", "EVP_get_cipherbyobj"] and argInd = 0
+  or
+  funcName = "EVP_CIPHER_fetch" and argInd = 1
+}
+
+class CipherAlgorithmSink extends AlgorithmSinkArgument {
+  CipherAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      cipherAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getSymmetricEncryptionType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_MAC_fetch
+predicate macAlgorithmSink(string funcName, int argInd) {
+  (funcName = "EVP_MAC_fetch" and argInd = 1)
+}
+
+class MACAlgorithmSink extends AlgorithmSinkArgument {
+  MACAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      macAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_MD_fetch
+predicate messageDigestAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"] and argInd = 0
+  or
+  funcName = "EVP_MD_fetch" and argInd = 1
+}
+
+class MessageDigestAlgorithmSink extends AlgorithmSinkArgument {
+  MessageDigestAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      messageDigestAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getHashType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEYEXCH_fetch
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEM_fetch
+predicate keyExchangeAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KEYEXCH_fetch" and argInd = 1
+  or
+  funcName = "EVP_KEM_fetch" and argInd = 1
+}
+
+class KeyExchangeAlgorithmSink extends AlgorithmSinkArgument {
+  KeyExchangeAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyExchangeAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getKeyExchangeType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KEYMGMT_fetch
+predicate keyManagementAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KEYMGMT_fetch" and argInd = 1
+}
+
+class KeyManagementAlgorithmSink extends AlgorithmSinkArgument {
+  KeyManagementAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyManagementAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_KDF
+predicate keyDerivationAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_KDF_fetch" and argInd = 1
+}
+
+class KeyDerivationAlgorithmSink extends AlgorithmSinkArgument {
+  KeyDerivationAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      keyDerivationAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getKeyDerivationType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_ASYM_CIPHER_fetch
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new_CMAC_key.html
+predicate asymmetricCipherAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_ASYM_CIPHER_fetch" and argInd = 1
+  or
+  funcName = "EVP_PKEY_new_CMAC_key" and argInd = 3
+  // NOTE: other cases are handled by AsymmetricAlgorithmSink
+}
+
+class AsymmetricCipherAlgorithmSink extends AlgorithmSinkArgument {
+  AsymmetricCipherAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      asymmetricCipherAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
+}
+
+class AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(3)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      c.getArgument(3).getType().getUnderlyingType() instanceof IntegralType
+    )
+  }
+
+  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_RAND_fetch
+predicate randomAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_RAND_fetch" and argInd = 1
+}
+
+class RandomAlgorithmSink extends AlgorithmSinkArgument {
+  RandomAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      randomAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = "TBD" }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_SIGNATURE_fetch
+predicate signatureAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_SIGNATURE_fetch" and argInd = 1
+}
+
+class SignatureAlgorithmSink extends AlgorithmSinkArgument {
+  SignatureAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      signatureAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getSignatureType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_by_curve_name.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.html
+predicate ellipticCurveAlgorithmSink(string funcName, int argInd) {
+  funcName in ["EC_KEY_new_by_curve_name", "EVP_EC_gen"] and argInd = 0
+  or
+  funcName = "EC_KEY_new_by_curve_name_ex" and argInd = 2
+  or
+  funcName in ["EVP_PKEY_CTX_set_ec_paramgen_curve_nid"] and argInd = 1
+}
+
+class EllipticCurveAlgorithmSink extends AlgorithmSinkArgument {
+  EllipticCurveAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      ellipticCurveAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getEllipticCurveType() }
+}
+
+/**
+ * Special cased to address the fact that arg index 3 (zero offset based) is the curve name.
+ * ASSUMPTION: if the arg ind 3 is a char* assume it is an elliptic curve
+ */
+class EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(3)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      c.getArgument(3).getType().getUnderlyingType() instanceof PointerType and
+      c.getArgument(3).getType().getUnderlyingType().stripType() instanceof CharType
+    )
+  }
+
+  override string algType() { result = getEllipticCurveType() }
+}
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id.html
+// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_new_raw_private_key.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_Q_keygen.html
+// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
+predicate asymmetricAlgorithmSink(string funcName, int argInd) {
+  funcName = "EVP_PKEY_CTX_new_id" and argInd = 0
+  or
+  funcName = "EVP_PKEY_CTX_new_from_name" and argInd = 1
+  or
+  funcName in [
+      "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key", "EVP_PKEY_new_mac_key"
+    ] and
+  argInd = 0
+  or
+  funcName in ["EVP_PKEY_new_raw_private_key_ex", "EVP_PKEY_new_raw_public_key_ex"] and argInd = 1
+  or
+  // special casing this as arg index 3 must be specified depending on if RSA or ECC, and otherwise not specified for other algs
+  // funcName = "EVP_PKEY_Q_keygen" and argInd = 2
+  funcName in ["EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"] and argInd = 1
+  // TODO consider void cases EVP_PKEY_new
+}
+
+class AsymmetricAlgorithmSink extends AlgorithmSinkArgument {
+  AsymmetricAlgorithmSink() {
+    exists(Call c, string funcName, int argInd |
+      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
+    |
+      asymmetricAlgorithmSink(funcName, argInd)
+    )
+  }
+
+  override string algType() { result = getAsymmetricType() }
+}
+
+class AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
+  AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen() {
+    exists(Call c, string funcName |
+      funcName = c.getTarget().getName() and
+      this = c.getArgument(2)
+    |
+      funcName = "EVP_PKEY_Q_keygen" and
+      not exists(c.getArgument(3))
+    )
+  }
+
+  override string algType() { result = getAsymmetricType() }
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll

@@ -0,0 +1,121 @@
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import experimental.cryptography.CryptoAlgorithmNames
+
+predicate inferredOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) {
+  inferredOpenSSLCryptoFunction(c.getTarget(), normalized, algType)
+}
+
+predicate inferredOpenSSLCryptoFunction(Function f, string normalized, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  normalizeFunctionName(f, algType) = normalized
+}
+
+predicate isOpenSSLCryptoFunction(Function f, string normalized, string algType) {
+  // NOTE: relying on inference as there are thousands of functions for crypto
+  //       enumerating them all and maintaining the list seems problematic.
+  //       For now, we will rely on dynamically inferring algorithms for function names.
+  //       This has been seen to be reasonably efficient and accurate.
+  inferredOpenSSLCryptoFunction(f, normalized, algType)
+}
+
+predicate isOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) {
+  isOpenSSLCryptoFunction(c.getTarget(), normalized, algType)
+}
+
+private string basicNormalizeFunctionName(Function f, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `f` is the function name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+private string privateNormalizeFunctionName(Function f, string algType) {
+  isPossibleOpenSSLFunction(f) and
+  result = basicNormalizeFunctionName(f, algType) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = basicNormalizeFunctionName(f, algType) and
+    res2.length() > result.length()
+  )
+}
+
+/**
+ * Normalizes a function name to a known algorithm name, similar to `normalizeName`.
+ * A function is not, however, allowed to be UNKNOWN. The function either
+ * normalizes to a known algorithm name, or the predicate does not hold (no result).
+ *
+ * The predicate attempts to restrict normalization to what looks like an openssl
+ * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
+ * This may give false postive functions if a directory erronously appears to be openssl;
+ * however, we take the stance that if a function
+ * exists strongly mapping to a known function name in a directory such as these,
+ * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
+ */
+private string normalizeFunctionName(Function f, string algType) {
+  algType != "UNKNOWN" and
+  isPossibleOpenSSLFunction(f) and
+  result = privateNormalizeFunctionName(f, algType) and
+  // Addressing false positives
+  // For algorithm names less than or equal to 4, we must see the algorithm name
+  // in the original function as upper case (it can't be split between tokens)
+  // One exception found is DES_xcbc_encrypt, this is DESX
+  (
+    (result.length() <= 4 and result != "DESX")
+    implies
+    f.getName().toUpperCase().matches("%" + result + "%")
+  ) and
+  (
+    (result.length() <= 4 and result = "DESX")
+    implies
+    (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%"))
+  ) and
+  // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*")))
+  // and
+  // DES specific false positives
+  (
+    result.matches("DES")
+    implies
+    not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*")
+  ) and
+  // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] |
+  //     f.getName().toUpperCase().matches("%" + s + "%"))) and
+  // SEED specific false positives
+  (
+    result.matches("SEED")
+    implies
+    not exists(string s |
+      s in [
+          "SEED_SRC_GENERATE", "RAND", "NEW_SEED", "GEN_SEED", "SEED_GEN", "SET_SEED", "GET_SEED",
+          "GET0_SEED", "RESEED", "SEEDING"
+        ]
+    |
+      f.getName().toUpperCase().matches("%" + s + "%")
+    )
+  ) and
+  // ARIA specific false positives
+  (result.matches("ARIA") implies not f.getName().toUpperCase().matches("%VARIANT%")) and
+  // CTR false positives
+  (result.matches("CTR") implies not f.getName().toUpperCase().matches("%CTRL%")) and
+  // ES false positives (e.g., ES256 from AES256)
+  (result.matches("ES%") implies not f.getName().toUpperCase().matches("%AES%")) and
+  // RSA false positives
+  (result.matches("RSA") implies not f.getName().toUpperCase().matches("%UNIVERSAL%")) and
+  //rsaz functions deemed to be too low level, and can be ignored
+  not f.getLocation().getFile().getBaseName().matches("rsaz_exp.c") and
+  // General False positives
+  // Functions that 'get' do not set an algorithm, and therefore are considered ignorable
+  not f.getName().toLowerCase().matches("%get%")
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll

@@ -0,0 +1,153 @@
+/**
+ * This file contains predicates create to build up initial data sets for OpenSSL
+ * predicates. E.g., These predicates were used to assist in associating all
+ * openSSL functions with their known crypto algorithms.
+ */
+
+import cpp
+import experimental.cryptography.CryptoAlgorithmNames
+import experimental.cryptography.utils.OpenSSL.CryptoFunction
+
+private string basicNormalizeFunctionName(Function f, string algType) {
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `f` is the function name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+private string privateNormalizeFunctionName(Function f, string algType) {
+  result = basicNormalizeFunctionName(f, algType) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = basicNormalizeFunctionName(f, algType) and
+    res2.length() > result.length()
+  ) and
+  // Addressing bad normalization case-by-case
+  // CASE: ES256 being identified when the algorithm is AES256
+  (
+    result.matches("ES256")
+    implies
+    not exists(string res2 | res2 = basicNormalizeFunctionName(f, _) and res2.matches("AES%"))
+  )
+}
+
+/**
+ * Normalizes a function name to a known algorithm name, similar to `normalizeName`.
+ * A function is not, however, allowed to be UNKNOWN. The function either
+ * normalizes to a known algorithm name, or the predicate does not hold (no result).
+ *
+ * The predicate attempts to restrict normalization to what looks like an openssl
+ * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`).
+ * This may give false postive functions if a directory erronously appears to be openssl;
+ * however, we take the stance that if a function
+ * exists strongly mapping to a known function name in a directory such as these,
+ * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were.
+ */
+string normalizeFunctionName(Function f, string algType) {
+  algType != "UNKNOWN" and
+  result = privateNormalizeFunctionName(f, algType) and
+  openSSLLibraryFunc(f) and
+  // Addressing false positives
+  // For algorithm names less than or equal to 4, we must see the algorithm name
+  // in the original function as upper case (it can't be split between tokens)
+  // One exception found is DES_xcbc_encrypt, this is DESX
+  (
+    (result.length() <= 4 and result != "DESX")
+    implies
+    f.getName().toUpperCase().matches("%" + result + "%")
+  ) and
+  (
+    (result.length() <= 4 and result = "DESX")
+    implies
+    (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%"))
+  ) and
+  // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*")))
+  // and
+  // DES specific false positives
+  (
+    result.matches("DES")
+    implies
+    not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*")
+  ) and
+  // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] |
+  //     f.getName().toUpperCase().matches("%" + s + "%"))) and
+  // SEED specific false positives
+  (
+    result.matches("%SEED%")
+    implies
+    not not exists(string s |
+      s in ["NEW_SEED", "GEN_SEED", "SET_SEED", "GET_SEED", "GET0_SEED", "RESEED", "SEEDING"]
+    |
+      f.getName().toUpperCase().matches("%" + s + "%")
+    )
+  ) and
+  // ARIA specific false positives
+  (result.matches("%ARIA%") implies not f.getName().toUpperCase().matches("%VARIANT%"))
+}
+
+/**
+ * Predicate to support name normalization.
+ * Converts the raw name upper-case with no hyphen, slash, underscore, hash, or space.
+ * Looks for substrings that are known algorithms, and normalizes the name.
+ * If the algorithm cannot be determined or is in the ignorable list (`isIgnorableOpenSSLAlgorithm`)
+ * this predicate will not resolve a name.
+ *
+ * Rationale for private: For normalization, we want to get the longest string for a normalized name match
+ *       for a given algorithm type. I found this easier to express if the public normalizeName
+ *       checks that the name is the longest, and that UNKNOWN is reserved if there exists no
+ *       result from this predicate that is known.
+ */
+bindingset[name]
+string privateNormalizeName(string name, string algType) {
+  //not isIgnorableOpenSSLAlgorithm(name, _, _) and
+  // targetOpenSSLAlgorithm(name, _) and
+  isKnownAlgorithm(result, algType) and
+  exists(string normStr | normStr = name.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
+    normStr.matches("%" + result + "%")
+  )
+}
+
+/**
+ * Converts a raw OpenSSL algorithm to a normalized algorithm name.
+ *
+ * If more than one match occurs for a given algorithm type, normalize attempts to find the "max"
+ * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES.
+ *
+ * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type.
+ *
+ * `name` is the name to normalize.
+ * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`)
+ */
+bindingset[name]
+string normalizeName(string name, string algType) {
+  (
+    if exists(privateNormalizeName(name, _))
+    then result = privateNormalizeName(name, algType)
+    else (
+      result = unknownAlgorithm() and algType = "UNKNOWN"
+    )
+  ) and
+  not exists(string res2 |
+    result != res2 and
+    res2 = privateNormalizeName(name, algType) and
+    res2.length() > result.length()
+  ) and
+  // Addressing bad normalization case-by-case
+  // CASE: ES256 being identified when the algorithm is AES256
+  (
+    result.matches("ES256")
+    implies
+    not exists(string res2 | res2 = privateNormalizeName(name, _) and res2.matches("AES%"))
+  )
+}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll

@@ -0,0 +1,59 @@
+import cpp
+import experimental.cryptography.utils.OpenSSL.LibraryFunction
+import semmle.code.cpp.ir.dataflow.DataFlow
+
+// TODO: possible use of extensible predicates here
+// NOTE: -1 for outInd represents the return value
+predicate knownPassthroughFunction(Function f, int inInd, int outInd) {
+  // Trace through functions
+  // See https://www.openssl.org/docs/man1.1.1/man3/OBJ_obj2txt
+  //     https://www.openssl.org/docs/man3.0/man3/EVP_CIPHER_get0_name
+  openSSLLibraryFunc(f) and
+  (
+    f.getName() in [
+        "OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn", "OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid",
+        "OBJ_txt2nid", "OBJ_txt2obj", "OBJ_dup", "EVP_CIPHER_get0_name"
+      ] and
+    inInd = 0 and
+    outInd = -1
+    or
+    f.getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and
+    inInd = 2 and
+    outInd = 0
+    or
+    // Dup/copy pattern occurs in more places,
+    //see: https://www.openssl.org/docs/manmaster/man3/EC_KEY_copy.html and https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_dup.html
+    f.getName().matches("%_dup") and inInd = 0 and outInd = -1
+    or
+    f.getName().matches("%_copy") and inInd = 0 and outInd = -1
+  )
+}
+
+/**
+ * `c` is a call to a function that preserves the algorithm but changes its form.
+ * `onExpr` is the input argument passing through to, `outExpr` is the next expression in a dataflow step associated with `c`
+ */
+predicate knownPassthoughCall(Call c, Expr inExpr, Expr outExpr) {
+  exists(int inInd, int outInd |
+    knownPassthroughFunction(c.getTarget(), inInd, outInd) and
+    inExpr = c.getArgument(inInd) and
+    if outInd = -1 then outExpr = c else outExpr = c.getArgument(outInd)
+  )
+}
+
+/*
+ * Explicitly add flow through openssl functions that preserve the algorithm but alter the form (e.g., from NID to string)
+ */
+
+predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(Expr cur, Expr next |
+    (cur = node1.asExpr() or cur = node1.asIndirectArgument()) and
+    (
+      next = node2.asExpr() or
+      next = node2.asIndirectArgument() or
+      next = node2.asDefiningArgument()
+    )
+  |
+    exists(Call c | knownPassthoughCall(c, cur, next))
+  )
+}

cpp/ql/lib/printAst.ql

@@ -18,10 +18,10 @@ external string selectedSourceFile();
 
 class Cfg extends PrintAstConfiguration {
   /**
-   * Holds if the AST for `func` should be printed.
-   * Print All functions from the selected file.
+   * Holds if the AST for `decl` should be printed.
+   * Print All declarations from the selected file.
    */
-  override predicate shouldPrintFunction(Function func) {
-    func.getFile() = getFileBySourceArchiveName(selectedSourceFile())
+  override predicate shouldPrintDeclaration(Declaration decl) {
+    decl.getFile() = getFileBySourceArchiveName(selectedSourceFile())
   }
 }

cpp/ql/lib/qlpack.yml

@@ -1,11 +1,13 @@
 name: codeql/cpp-all
-version: 0.7.3
+version: 0.12.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/dataflow: ${workspace}
+  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -5,163 +5,35 @@
 import semmle.code.cpp.Element
 import semmle.code.cpp.Declaration
 import semmle.code.cpp.metrics.MetricFile
+private import codeql.util.FileSystem
+
+private module Input implements InputSig {
+  abstract class ContainerBase extends @container {
+    abstract string getAbsolutePath();
+
+    ContainerBase getParentContainer() {
+      containerparent(unresolveElement(result), underlyingElement(this))
+    }
+
+    string toString() { result = this.getAbsolutePath() }
+  }
+
+  class FolderBase extends ContainerBase, @folder {
+    override string getAbsolutePath() { folders(underlyingElement(this), result) }
+  }
+
+  class FileBase extends ContainerBase, @file {
+    override string getAbsolutePath() { files(underlyingElement(this), result) }
+  }
+
+  predicate hasSourceLocationPrefix = sourceLocationPrefix/1;
+}
+
+private module Impl = Make<Input>;
 
 /** A file or folder. */
-class Container extends Locatable, @container {
-  /**
-   * Gets the absolute, canonical path of this container, using forward slashes
-   * as path separator.
-   *
-   * The path starts with a _root prefix_ followed by zero or more _path
-   * segments_ separated by forward slashes.
-   *
-   * The root prefix is of one of the following forms:
-   *
-   *   1. A single forward slash `/` (Unix-style)
-   *   2. An upper-case drive letter followed by a colon and a forward slash,
-   *      such as `C:/` (Windows-style)
-   *   3. Two forward slashes, a computer name, and then another forward slash,
-   *      such as `//FileServer/` (UNC-style)
-   *
-   * Path segments are never empty (that is, absolute paths never contain two
-   * contiguous slashes, except as part of a UNC-style root prefix). Also, path
-   * segments never contain forward slashes, and no path segment is of the
-   * form `.` (one dot) or `..` (two dots).
-   *
-   * Note that an absolute path never ends with a forward slash, except if it is
-   * a bare root prefix, that is, the path has no path segments. A container
-   * whose absolute path has no segments is always a `Folder`, not a `File`.
-   */
-  string getAbsolutePath() { none() } // overridden by subclasses
-
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets a URL representing the location of this container.
-   *
-   * For more information see [Providing URLs](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls).
-   */
-  deprecated string getURL() { none() } // overridden by subclasses
-
-  /**
-   * Gets the relative path of this file or folder from the root folder of the
-   * analyzed source location. The relative path of the root folder itself is
-   * the empty string.
-   *
-   * This has no result if the container is outside the source root, that is,
-   * if the root folder is not a reflexive, transitive parent of this container.
-   */
-  string getRelativePath() {
-    exists(string absPath, string pref |
-      absPath = this.getAbsolutePath() and sourceLocationPrefix(pref)
-    |
-      absPath = pref and result = ""
-      or
-      absPath = pref.regexpReplaceAll("/$", "") + "/" + result and
-      not result.matches("/%")
-    )
-  }
-
-  /**
-   * Gets the base name of this container including extension, that is, the last
-   * segment of its absolute path, or the empty string if it has no segments.
-   *
-   * Here are some examples of absolute paths and the corresponding base names
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Base name</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst.js"</td></tr>
-   * <tr><td>"C:/Program Files (x86)"</td><td>"Program Files (x86)"</td></tr>
-   * <tr><td>"/"</td><td>""</td></tr>
-   * <tr><td>"C:/"</td><td>""</td></tr>
-   * <tr><td>"D:/"</td><td>""</td></tr>
-   * <tr><td>"//FileServer/"</td><td>""</td></tr>
-   * </table>
-   */
-  string getBaseName() {
-    result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
-  }
-
-  /**
-   * Gets the extension of this container, that is, the suffix of its base name
-   * after the last dot character, if any.
-   *
-   * In particular,
-   *
-   *  - if the name does not include a dot, there is no extension, so this
-   *    predicate has no result;
-   *  - if the name ends in a dot, the extension is the empty string;
-   *  - if the name contains multiple dots, the extension follows the last dot.
-   *
-   * Here are some examples of absolute paths and the corresponding extensions
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Extension</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"js"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>"classpath"</td></tr>
-   * <tr><td>"/bin/bash"</td><td>not defined</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>""</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"gz"</td></tr>
-   * </table>
-   */
-  string getExtension() {
-    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3)
-  }
-
-  /**
-   * Gets the stem of this container, that is, the prefix of its base name up to
-   * (but not including) the last dot character if there is one, or the entire
-   * base name if there is not.
-   *
-   * Here are some examples of absolute paths and the corresponding stems
-   * (surrounded with quotes to avoid ambiguity):
-   *
-   * <table border="1">
-   * <tr><th>Absolute path</th><th>Stem</th></tr>
-   * <tr><td>"/tmp/tst.js"</td><td>"tst"</td></tr>
-   * <tr><td>"/tmp/.classpath"</td><td>""</td></tr>
-   * <tr><td>"/bin/bash"</td><td>"bash"</td></tr>
-   * <tr><td>"/tmp/tst2."</td><td>"tst2"</td></tr>
-   * <tr><td>"/tmp/x.tar.gz"</td><td>"x.tar"</td></tr>
-   * </table>
-   */
-  string getStem() {
-    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1)
-  }
-
-  /** Gets the parent container of this file or folder, if any. */
-  Container getParentContainer() {
-    containerparent(unresolveElement(result), underlyingElement(this))
-  }
-
-  /** Gets a file or sub-folder in this container. */
-  Container getAChildContainer() { this = result.getParentContainer() }
-
-  /** Gets a file in this container. */
-  File getAFile() { result = this.getAChildContainer() }
-
-  /** Gets the file in this container that has the given `baseName`, if any. */
-  File getFile(string baseName) {
-    result = this.getAFile() and
-    result.getBaseName() = baseName
-  }
-
-  /** Gets a sub-folder in this container. */
-  Folder getAFolder() { result = this.getAChildContainer() }
-
-  /** Gets the sub-folder in this container that has the given `baseName`, if any. */
-  Folder getFolder(string baseName) {
-    result = this.getAFolder() and
-    result.getBaseName() = baseName
-  }
-
-  /**
-   * Gets a textual representation of the path of this container.
-   *
-   * This is the absolute path of the container.
-   */
-  override string toString() { result = this.getAbsolutePath() }
+class Container extends ElementBase, Impl::Container {
+  override string toString() { result = Impl::Container.super.toString() }
 }
 
 /**
@@ -174,21 +46,8 @@ class Container extends Locatable, @container {
  *
  * To get the full path, use `getAbsolutePath`.
  */
-class Folder extends Container, @folder {
-  override string getAbsolutePath() { folders(underlyingElement(this), result) }
-
-  override Location getLocation() {
-    result.getContainer() = this and
-    result.hasLocationInfo(_, 0, 0, 0, 0)
-  }
-
+class Folder extends Container, Impl::Folder {
   override string getAPrimaryQlClass() { result = "Folder" }
-
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this folder.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
 }
 
 /**
@@ -203,9 +62,7 @@ class Folder extends Container, @folder {
  * The base name further decomposes into the _stem_ and _extension_ -- see
  * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
  */
-class File extends Container, @file {
-  override string getAbsolutePath() { files(underlyingElement(this), result) }
-
+class File extends Container, Locatable, Impl::File {
   override string getAPrimaryQlClass() { result = "File" }
 
   override Location getLocation() {
@@ -213,12 +70,6 @@ class File extends Container, @file {
     result.hasLocationInfo(_, 0, 0, 0, 0)
   }
 
-  /**
-   * DEPRECATED: Use `getLocation` instead.
-   * Gets the URL of this file.
-   */
-  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
-
   /** Holds if this file was compiled as C (at any point). */
   predicate compiledAsC() { fileannotations(underlyingElement(this), 1, "compiled as c", "1") }
 

cpp/ql/lib/semmle/code/cpp/NameQualifiers.qll

@@ -158,9 +158,7 @@ class NameQualifyingElement extends Element, @namequalifyingelement {
 /**
  * A special name-qualifying element. For example: `__super`.
  */
-library class SpecialNameQualifyingElement extends NameQualifyingElement,
-  @specialnamequalifyingelement
-{
+class SpecialNameQualifyingElement extends NameQualifyingElement, @specialnamequalifyingelement {
   /** Gets the name of this special qualifying element. */
   override string getName() { specialnamequalifyingelements(underlyingElement(this), result) }
 

cpp/ql/lib/semmle/code/cpp/Print.qll

@@ -6,11 +6,9 @@ private import PrintAST
  * that requests that function, or no `PrintASTConfiguration` exists.
  */
 private predicate shouldPrintDeclaration(Declaration decl) {
-  not decl instanceof Function
+  not (decl instanceof Function or decl instanceof GlobalOrNamespaceVariable)
   or
-  not exists(PrintAstConfiguration c)
-  or
-  exists(PrintAstConfiguration config | config.shouldPrintFunction(decl))
+  exists(PrintAstConfiguration config | config.shouldPrintDeclaration(decl))
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/PrintAST.ql

@@ -9,13 +9,13 @@ import cpp
 import PrintAST
 
 /**
- * Temporarily tweak this class or make a copy to control which functions are
+ * Temporarily tweak this class or make a copy to control which declarations are
  * printed.
  */
 class Cfg extends PrintAstConfiguration {
   /**
    * TWEAK THIS PREDICATE AS NEEDED.
-   * Holds if the AST for `func` should be printed.
+   * Holds if the AST for `decl` should be printed.
    */
-  override predicate shouldPrintFunction(Function func) { any() }
+  override predicate shouldPrintDeclaration(Declaration decl) { any() }
 }

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -1,9 +1,9 @@
 /**
  * Provides queries to pretty-print a C++ AST as a graph.
  *
- * By default, this will print the AST for all functions in the database. To change this behavior,
- * extend `PrintASTConfiguration` and override `shouldPrintFunction` to hold for only the functions
- * you wish to view the AST for.
+ * By default, this will print the AST for all functions and global and namespace variables in
+ * the database. To change this behavior, extend `PrintASTConfiguration` and override
+ * `shouldPrintDeclaration` to hold for only the declarations you wish to view the AST for.
  */
 
 import cpp
@@ -12,7 +12,7 @@ private import semmle.code.cpp.Print
 private newtype TPrintAstConfiguration = MkPrintAstConfiguration()
 
 /**
- * The query can extend this class to control which functions are printed.
+ * The query can extend this class to control which declarations are printed.
  */
 class PrintAstConfiguration extends TPrintAstConfiguration {
   /**
@@ -21,14 +21,16 @@ class PrintAstConfiguration extends TPrintAstConfiguration {
   string toString() { result = "PrintASTConfiguration" }
 
   /**
-   * Holds if the AST for `func` should be printed. By default, holds for all
-   * functions.
+   * Holds if the AST for `decl` should be printed. By default, holds for all
+   * functions and global and namespace variables. Currently, does not support any
+   * other declaration types.
    */
-  predicate shouldPrintFunction(Function func) { any() }
+  predicate shouldPrintDeclaration(Declaration decl) { any() }
 }
 
-private predicate shouldPrintFunction(Function func) {
-  exists(PrintAstConfiguration config | config.shouldPrintFunction(func))
+private predicate shouldPrintDeclaration(Declaration decl) {
+  exists(PrintAstConfiguration config | config.shouldPrintDeclaration(decl)) and
+  (decl instanceof Function or decl instanceof GlobalOrNamespaceVariable)
 }
 
 bindingset[s]
@@ -69,7 +71,7 @@ private predicate locationSortKeys(Locatable ast, string file, int line, int col
   )
 }
 
-private Function getEnclosingFunction(Locatable ast) {
+private Declaration getAnEnclosingDeclaration(Locatable ast) {
   result = ast.(Expr).getEnclosingFunction()
   or
   result = ast.(Stmt).getEnclosingFunction()
@@ -78,6 +80,10 @@ private Function getEnclosingFunction(Locatable ast) {
   or
   result = ast.(Parameter).getFunction()
   or
+  result = ast.(Expr).getEnclosingDeclaration()
+  or
+  result = ast.(Initializer).getDeclaration()
+  or
   result = ast
 }
 
@@ -86,21 +92,21 @@ private Function getEnclosingFunction(Locatable ast) {
  * nodes for things like parameter lists and constructor init lists.
  */
 private newtype TPrintAstNode =
-  TAstNode(Locatable ast) { shouldPrintFunction(getEnclosingFunction(ast)) } or
+  TAstNode(Locatable ast) { shouldPrintDeclaration(getAnEnclosingDeclaration(ast)) } or
   TDeclarationEntryNode(DeclStmt stmt, DeclarationEntry entry) {
     // We create a unique node for each pair of (stmt, entry), to avoid having one node with
     // multiple parents due to extractor bug CPP-413.
     stmt.getADeclarationEntry() = entry and
-    shouldPrintFunction(stmt.getEnclosingFunction())
+    shouldPrintDeclaration(stmt.getEnclosingFunction())
   } or
-  TParametersNode(Function func) { shouldPrintFunction(func) } or
+  TParametersNode(Function func) { shouldPrintDeclaration(func) } or
   TConstructorInitializersNode(Constructor ctor) {
     ctor.hasEntryPoint() and
-    shouldPrintFunction(ctor)
+    shouldPrintDeclaration(ctor)
   } or
   TDestructorDestructionsNode(Destructor dtor) {
     dtor.hasEntryPoint() and
-    shouldPrintFunction(dtor)
+    shouldPrintDeclaration(dtor)
   }
 
 /**
@@ -158,10 +164,10 @@ class PrintAstNode extends TPrintAstNode {
 
   /**
    * Holds if this node should be printed in the output. By default, all nodes
-   * within a function are printed, but the query can override
-   * `PrintASTConfiguration.shouldPrintFunction` to filter the output.
+   * within functions and global and namespace variables are printed, but the query
+   * can override `PrintASTConfiguration.shouldPrintDeclaration` to filter the output.
    */
-  final predicate shouldPrint() { shouldPrintFunction(this.getEnclosingFunction()) }
+  final predicate shouldPrint() { shouldPrintDeclaration(this.getEnclosingDeclaration()) }
 
   /**
    * Gets the children of this node.
@@ -229,10 +235,15 @@ class PrintAstNode extends TPrintAstNode {
   abstract string getChildAccessorPredicateInternal(int childIndex);
 
   /**
-   * Gets the `Function` that contains this node.
+   * Gets the `Declaration` that contains this node.
    */
-  private Function getEnclosingFunction() {
-    result = this.getParent*().(FunctionNode).getFunction()
+  private Declaration getEnclosingDeclaration() { result = this.getParent*().getDeclaration() }
+
+  /**
+   * Gets the `Declaration` this node represents.
+   */
+  private Declaration getDeclaration() {
+    result = this.(AstNode).getAst() and shouldPrintDeclaration(result)
   }
 }
 
@@ -571,16 +582,53 @@ class DestructorDestructionsNode extends PrintAstNode, TDestructorDestructionsNo
   final Destructor getDestructor() { result = dtor }
 }
 
+abstract private class FunctionOrGlobalOrNamespaceVariableNode extends AstNode {
+  override string toString() { result = qlClass(ast) + getIdentityString(ast) }
+
+  private int getOrder() {
+    this =
+      rank[result](FunctionOrGlobalOrNamespaceVariableNode node, Declaration decl, string file,
+        int line, int column |
+        node.getAst() = decl and
+        locationSortKeys(decl, file, line, column)
+      |
+        node order by file, line, column, getIdentityString(decl)
+      )
+  }
+
+  override string getProperty(string key) {
+    result = super.getProperty(key)
+    or
+    key = "semmle.order" and result = this.getOrder().toString()
+  }
+}
+
+/**
+ * A node representing a `GlobalOrNamespaceVariable`.
+ */
+class GlobalOrNamespaceVariableNode extends FunctionOrGlobalOrNamespaceVariableNode {
+  GlobalOrNamespaceVariable var;
+
+  GlobalOrNamespaceVariableNode() { var = ast }
+
+  override PrintAstNode getChildInternal(int childIndex) {
+    childIndex = 0 and
+    result.(AstNode).getAst() = var.getInitializer()
+  }
+
+  override string getChildAccessorPredicateInternal(int childIndex) {
+    childIndex = 0 and result = "getInitializer()"
+  }
+}
+
 /**
  * A node representing a `Function`.
  */
-class FunctionNode extends AstNode {
+class FunctionNode extends FunctionOrGlobalOrNamespaceVariableNode {
   Function func;
 
   FunctionNode() { func = ast }
 
-  override string toString() { result = qlClass(func) + getIdentityString(func) }
-
   override PrintAstNode getChildInternal(int childIndex) {
     childIndex = 0 and
     result.(ParametersNode).getFunction() = func
@@ -604,31 +652,10 @@ class FunctionNode extends AstNode {
     or
     childIndex = 3 and result = "<destructions>"
   }
-
-  private int getOrder() {
-    this =
-      rank[result](FunctionNode node, Function function, string file, int line, int column |
-        node.getAst() = function and
-        locationSortKeys(function, file, line, column)
-      |
-        node order by file, line, column, getIdentityString(function)
-      )
-  }
-
-  override string getProperty(string key) {
-    result = super.getProperty(key)
-    or
-    key = "semmle.order" and result = this.getOrder().toString()
-  }
-
-  /**
-   * Gets the `Function` this node represents.
-   */
-  final Function getFunction() { result = func }
 }
 
 private string getChildAccessorWithoutConversions(Locatable parent, Element child) {
-  shouldPrintFunction(getEnclosingFunction(parent)) and
+  shouldPrintDeclaration(getAnEnclosingDeclaration(parent)) and
   (
     exists(Stmt s | s = parent |
       namedStmtChildPredicates(s, child, result)
@@ -647,7 +674,7 @@ private string getChildAccessorWithoutConversions(Locatable parent, Element chil
 }
 
 private predicate namedStmtChildPredicates(Locatable s, Element e, string pred) {
-  shouldPrintFunction(getEnclosingFunction(s)) and
+  shouldPrintDeclaration(getAnEnclosingDeclaration(s)) and
   (
     exists(int n | s.(BlockStmt).getStmt(n) = e and pred = "getStmt(" + n + ")")
     or
@@ -735,12 +762,14 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
 }
 
 private predicate namedExprChildPredicates(Expr expr, Element ele, string pred) {
-  shouldPrintFunction(expr.getEnclosingFunction()) and
+  shouldPrintDeclaration(expr.getEnclosingDeclaration()) and
   (
     expr.(Access).getTarget() = ele and pred = "getTarget()"
     or
     expr.(VariableAccess).getQualifier() = ele and pred = "getQualifier()"
     or
+    expr.(FunctionAccess).getQualifier() = ele and pred = "getQualifier()"
+    or
     exists(Field f |
       expr.(ClassAggregateLiteral).getAFieldExpr(f) = ele and
       pred = "getAFieldExpr(" + f.toString() + ")"
@@ -797,17 +826,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(Conversion).getExpr() = ele and pred = "getExpr()"
     or
-    expr.(DeleteArrayExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
+    expr.(DeleteOrDeleteArrayExpr).getDeallocatorCall() = ele and pred = "getDeallocatorCall()"
     or
-    expr.(DeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
+    expr.(DeleteOrDeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
     or
-    expr.(DeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
-    or
-    expr.(DeleteExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
-    or
-    expr.(DeleteExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
-    or
-    expr.(DeleteExpr).getExpr() = ele and pred = "getExpr()"
+    expr.(DeleteOrDeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
     or
     expr.(DestructorFieldDestruction).getExpr() = ele and pred = "getExpr()"
     or

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -814,14 +814,35 @@ private predicate floatingPointTypeMapping(
   // _Float128
   kind = 49 and base = 2 and domain = TRealDomain() and realKind = 49 and extended = false
   or
-  // _Float128x
-  kind = 50 and base = 2 and domain = TRealDomain() and realKind = 50 and extended = true
-  or
   // _Float16
   kind = 52 and base = 2 and domain = TRealDomain() and realKind = 52 and extended = false
   or
   // _Complex _Float16
   kind = 53 and base = 2 and domain = TComplexDomain() and realKind = 52 and extended = false
+  or
+  // __fp16
+  kind = 54 and base = 2 and domain = TRealDomain() and realKind = 54 and extended = false
+  or
+  // __bf16
+  kind = 55 and base = 2 and domain = TRealDomain() and realKind = 55 and extended = false
+  or
+  // std::float16_t
+  kind = 56 and base = 2 and domain = TRealDomain() and realKind = 56 and extended = false
+  or
+  // _Complex _Float32
+  kind = 57 and base = 2 and domain = TComplexDomain() and realKind = 45 and extended = false
+  or
+  // _Complex _Float32x
+  kind = 58 and base = 2 and domain = TComplexDomain() and realKind = 46 and extended = true
+  or
+  // _Complex _Float64
+  kind = 59 and base = 2 and domain = TComplexDomain() and realKind = 47 and extended = false
+  or
+  // _Complex _Float64x
+  kind = 60 and base = 2 and domain = TComplexDomain() and realKind = 48 and extended = true
+  or
+  // _Complex _Float128
+  kind = 61 and base = 2 and domain = TComplexDomain() and realKind = 49 and extended = false
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -73,6 +73,10 @@ private int isSource(Expr bufferExpr, Element why) {
   )
 }
 
+/** Same as `getBufferSize`, but with the `why` column projected away to prevent large duplications. */
+pragma[nomagic]
+int getBufferSizeProj(Expr bufferExpr) { result = getBufferSize(bufferExpr, _) }
+
 /**
  * Get the size in bytes of the buffer pointed to by an expression (if this can be determined).
  */
@@ -87,7 +91,7 @@ int getBufferSize(Expr bufferExpr, Element why) {
     why = bufferVar and
     parentPtr = bufferExpr.(VariableAccess).getQualifier() and
     parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
-    result = getBufferSize(parentPtr, _) + bufferSize - parentClass.getSize()
+    result = getBufferSizeProj(parentPtr) + bufferSize - parentClass.getSize()
   |
     if exists(bufferVar.getType().getSize())
     then bufferSize = bufferVar.getType().getSize()
@@ -95,7 +99,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
   )
   or
   // dataflow (all sources must be the same size)
-  result = unique(Expr def | DataFlow::localExprFlowStep(def, bufferExpr) | getBufferSize(def, _)) and
-  // find reason
+  result = unique(Expr def | DataFlow::localExprFlowStep(def, bufferExpr) | getBufferSizeProj(def)) and
   exists(Expr def | DataFlow::localExprFlowStep(def, bufferExpr) | exists(getBufferSize(def, why)))
 }

cpp/ql/lib/semmle/code/cpp/commons/StringAnalysis.qll

@@ -27,9 +27,6 @@ predicate canValueFlow(Expr fromExpr, Expr toExpr) {
   fromExpr = toExpr.(ConditionalExpr).getElse()
 }
 
-/** DEPRECATED: Alias for AnalyzedString */
-deprecated class AnalysedString = AnalyzedString;
-
 /**
  * An analyzed null terminated string.
  */

cpp/ql/lib/semmle/code/cpp/controlflow/DefinitionsAndUses.qll

@@ -78,7 +78,7 @@ predicate parameterUsePair(Parameter p, VariableAccess va) {
 /**
  * Utility class: A definition or use of a stack variable.
  */
-library class DefOrUse extends ControlFlowNodeBase {
+class DefOrUse extends ControlFlowNodeBase {
   DefOrUse() {
     // Uninstantiated templates are purely syntax, and only on instantiation
     // will they be complete with information about types, conversions, call
@@ -140,7 +140,7 @@ library class DefOrUse extends ControlFlowNodeBase {
 }
 
 /** A definition of a stack variable. */
-library class Def extends DefOrUse {
+class Def extends DefOrUse {
   Def() { definition(_, this) }
 
   override SemanticStackVariable getVariable(boolean isDef) {
@@ -155,7 +155,7 @@ private predicate parameterIsOverwritten(Function f, Parameter p) {
 }
 
 /** A definition of a parameter. */
-library class ParameterDef extends DefOrUse {
+class ParameterDef extends DefOrUse {
   ParameterDef() {
     // Optimization: parameters that are not overwritten do not require
     // reachability analysis
@@ -169,7 +169,7 @@ library class ParameterDef extends DefOrUse {
 }
 
 /** A use of a stack variable. */
-library class Use extends DefOrUse {
+class Use extends DefOrUse {
   Use() { useOfVar(_, this) }
 
   override SemanticStackVariable getVariable(boolean isDef) {

cpp/ql/lib/semmle/code/cpp/controlflow/Dereferenced.qll

@@ -26,17 +26,18 @@ predicate callDereferences(FunctionCall fc, int i) {
 }
 
 /**
- * Holds if evaluation of `op` dereferences `e`.
+ * Holds if evaluation of `op` dereferences `e` directly.
+ *
+ * This predicate does not recurse through function calls or arithmetic operations. To find
+ * such cases, use `dereferencedByOperation`.
  */
-predicate dereferencedByOperation(Expr op, Expr e) {
+predicate directDereferencedByOperation(Expr op, Expr e) {
   exists(PointerDereferenceExpr deref |
     deref.getAChild() = e and
     deref = op and
     not deref.getParent*() instanceof SizeofOperator
   )
   or
-  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
-  or
   exists(ArrayExpr ae |
     (
       not ae.getParent() instanceof AddressOfExpr and
@@ -50,6 +51,24 @@ predicate dereferencedByOperation(Expr op, Expr e) {
     )
   )
   or
+  // ptr->Field
+  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
+  or
+  // ptr->method()
+  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
+}
+
+/**
+ * Holds if evaluation of `op` dereferences `e`.
+ *
+ * This includes the set of operations identified via `directDereferencedByOperation`, as well
+ * as calls to function that are known to dereference an argument.
+ */
+predicate dereferencedByOperation(Expr op, Expr e) {
+  directDereferencedByOperation(op, e)
+  or
+  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
+  or
   exists(AddressOfExpr addof, ArrayExpr ae |
     dereferencedByOperation(addof, op) and
     addof.getOperand() = ae and
@@ -74,12 +93,6 @@ predicate dereferencedByOperation(Expr op, Expr e) {
     e = fc.getArgument(i) and
     op = fc
   )
-  or
-  // ptr->Field
-  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
-  or
-  // ptr->method()
-  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
 }
 
 private predicate isClassPointerType(Type t) {

cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll

@@ -240,7 +240,7 @@ private class GuardConditionFromIR extends GuardCondition {
    */
   private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
     exists(IRBlock irb |
-      forex(IRGuardCondition inst | inst = ir | inst.controls(irb, testIsTrue)) and
+      ir.controls(irb, testIsTrue) and
       irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
       not isUnreachedBlock(irb)
     )
@@ -627,6 +627,20 @@ private predicate sub_lt(
     x = int_value(rhs.getRight()) and
     k = c - x
   )
+  or
+  exists(PointerSubInstruction lhs, int c, int x |
+    compares_lt(cmp, lhs.getAUse(), right, c, isLt, testIsTrue) and
+    left = lhs.getLeftOperand() and
+    x = int_value(lhs.getRight()) and
+    k = c + x
+  )
+  or
+  exists(PointerSubInstruction rhs, int c, int x |
+    compares_lt(cmp, left, rhs.getAUse(), c, isLt, testIsTrue) and
+    right = rhs.getLeftOperand() and
+    x = int_value(rhs.getRight()) and
+    k = c - x
+  )
 }
 
 // left + x < right + c => left < right + (c-x)
@@ -653,6 +667,26 @@ private predicate add_lt(
     ) and
     k = c + x
   )
+  or
+  exists(PointerAddInstruction lhs, int c, int x |
+    compares_lt(cmp, lhs.getAUse(), right, c, isLt, testIsTrue) and
+    (
+      left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
+      or
+      left = lhs.getRightOperand() and x = int_value(lhs.getLeft())
+    ) and
+    k = c - x
+  )
+  or
+  exists(PointerAddInstruction rhs, int c, int x |
+    compares_lt(cmp, left, rhs.getAUse(), c, isLt, testIsTrue) and
+    (
+      right = rhs.getLeftOperand() and x = int_value(rhs.getRight())
+      or
+      right = rhs.getRightOperand() and x = int_value(rhs.getLeft())
+    ) and
+    k = c + x
+  )
 }
 
 // left - x == right + c => left == right + (c+x)
@@ -673,6 +707,20 @@ private predicate sub_eq(
     x = int_value(rhs.getRight()) and
     k = c - x
   )
+  or
+  exists(PointerSubInstruction lhs, int c, int x |
+    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and
+    left = lhs.getLeftOperand() and
+    x = int_value(lhs.getRight()) and
+    k = c + x
+  )
+  or
+  exists(PointerSubInstruction rhs, int c, int x |
+    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and
+    right = rhs.getLeftOperand() and
+    x = int_value(rhs.getRight()) and
+    k = c - x
+  )
 }
 
 // left + x == right + c => left == right + (c-x)
@@ -699,6 +747,26 @@ private predicate add_eq(
     ) and
     k = c + x
   )
+  or
+  exists(PointerAddInstruction lhs, int c, int x |
+    compares_eq(cmp, lhs.getAUse(), right, c, areEqual, testIsTrue) and
+    (
+      left = lhs.getLeftOperand() and x = int_value(lhs.getRight())
+      or
+      left = lhs.getRightOperand() and x = int_value(lhs.getLeft())
+    ) and
+    k = c - x
+  )
+  or
+  exists(PointerAddInstruction rhs, int c, int x |
+    compares_eq(cmp, left, rhs.getAUse(), c, areEqual, testIsTrue) and
+    (
+      right = rhs.getLeftOperand() and x = int_value(rhs.getRight())
+      or
+      right = rhs.getRightOperand() and x = int_value(rhs.getLeft())
+    ) and
+    k = c + x
+  )
 }
 
 /** The int value of integer constant expression. */

cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll

@@ -10,7 +10,7 @@ import SSAUtils
  * The SSA logic comes in two versions: the standard SSA and range-analysis RangeSSA.
  * This class provides the standard SSA logic.
  */
-library class StandardSsa extends SsaHelper {
+class StandardSsa extends SsaHelper {
   StandardSsa() { this = 0 }
 }
 

cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll

@@ -114,7 +114,7 @@ private predicate live_at_exit_of_bb(StackVariable v, BasicBlock b) {
 
 /** Common SSA logic for standard SSA and range-analysis SSA. */
 cached
-library class SsaHelper extends int {
+class SsaHelper extends int {
   /* 0 = StandardSSA, 1 = RangeSSA */
   cached
   SsaHelper() { this in [0 .. 1] }

cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -332,21 +332,12 @@ private Node getControlOrderChildSparse(Node n, int i) {
   n = any(ConditionDeclExpr cd | i = 0 and result = cd.getInitializingExpr())
   or
   n =
-    any(DeleteExpr del |
+    any(DeleteOrDeleteArrayExpr del |
       i = 0 and result = del.getExpr()
       or
       i = 1 and result = del.getDestructorCall()
       or
-      i = 2 and result = del.getAllocatorCall()
-    )
-  or
-  n =
-    any(DeleteArrayExpr del |
-      i = 0 and result = del.getExpr()
-      or
-      i = 1 and result = del.getDestructorCall()
-      or
-      i = 2 and result = del.getAllocatorCall()
+      i = 2 and result = del.getDeallocatorCall()
     )
   or
   n =

cpp/ql/lib/semmle/code/cpp/controlflow/internal/ConstantExprs.qll

@@ -366,12 +366,12 @@ class CompileTimeConstantInt extends Expr {
   int getIntValue() { result = val }
 }
 
-library class CompileTimeVariableExpr extends Expr {
+class CompileTimeVariableExpr extends Expr {
   CompileTimeVariableExpr() { not this instanceof CompileTimeConstantInt }
 }
 
 /** A helper class for evaluation of expressions. */
-library class ExprEvaluator extends int {
+class ExprEvaluator extends int {
   /*
    * 0 = ConditionEvaluator,
    * 1 = SwitchEvaluator,
@@ -956,7 +956,7 @@ private predicate returnStmt(Function f, Expr value) {
 }
 
 /** A helper class for evaluation of conditions. */
-library class ConditionEvaluator extends ExprEvaluator {
+class ConditionEvaluator extends ExprEvaluator {
   ConditionEvaluator() { this = 0 }
 
   override predicate interesting(Expr e) {
@@ -967,7 +967,7 @@ library class ConditionEvaluator extends ExprEvaluator {
 }
 
 /** A helper class for evaluation of switch expressions. */
-library class SwitchEvaluator extends ExprEvaluator {
+class SwitchEvaluator extends ExprEvaluator {
   SwitchEvaluator() { this = 1 }
 
   override predicate interesting(Expr e) { e = getASwitchExpr(_, _) }
@@ -976,7 +976,7 @@ library class SwitchEvaluator extends ExprEvaluator {
 private int getSwitchValue(Expr e) { exists(SwitchEvaluator x | result = x.getValue(e)) }
 
 /** A helper class for evaluation of loop entry conditions. */
-library class LoopEntryConditionEvaluator extends ExprEvaluator {
+class LoopEntryConditionEvaluator extends ExprEvaluator {
   LoopEntryConditionEvaluator() { this in [2 .. 3] }
 
   abstract override predicate interesting(Expr e);
@@ -1149,7 +1149,7 @@ library class LoopEntryConditionEvaluator extends ExprEvaluator {
 }
 
 /** A helper class for evaluation of while-loop entry conditions. */
-library class WhileLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
+class WhileLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
   WhileLoopEntryConditionEvaluator() { this = 2 }
 
   override predicate interesting(Expr e) { exists(WhileStmt while | e = while.getCondition()) }
@@ -1162,7 +1162,7 @@ library class WhileLoopEntryConditionEvaluator extends LoopEntryConditionEvaluat
 }
 
 /** A helper class for evaluation of for-loop entry conditions. */
-library class ForLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
+class ForLoopEntryConditionEvaluator extends LoopEntryConditionEvaluator {
   ForLoopEntryConditionEvaluator() { this = 3 }
 
   override predicate interesting(Expr e) { exists(ForStmt for | e = for.getCondition()) }