Merge pull request #18917 from github/smowton/admin/jdk-24-2.20.6

Update supported Java version

.bazelrc

@@ -12,6 +12,9 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
 
+# print test output, like sembuild does.
+# Set to `errors` if this is too verbose.
+test --test_output all
 # we use transitions that break builds of `...`, so for `test` to work with that we need the following
 test --build_tests_only
 

.github/workflows/go-tests-other-os.yml

@@ -3,6 +3,7 @@ on:
   pull_request:
     paths:
       - "go/**"
+      - "!go/documentation/**"
       - "!go/ql/**" # don't run other-os if only ql/ files changed
       - .github/workflows/go-tests-other-os.yml
       - .github/actions/**

.github/workflows/go-tests.yml

@@ -3,6 +3,7 @@ on:
   push:
     paths:
       - "go/**"
+      - "!go/documentation/**"
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
@@ -13,6 +14,7 @@ on:
   pull_request:
     paths:
       - "go/**"
+      - "!go/documentation/**"      
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2006-2020 GitHub, Inc.
+Copyright (c) 2006-2025 GitHub, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

MODULE.bazel

@@ -58,15 +58,12 @@ register_toolchains("@rust_toolchains//:all")
 py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
 use_repo(
     py_deps,
-    "vendor__anyhow-1.0.44",
-    "vendor__cc-1.0.70",
-    "vendor__clap-2.33.3",
-    "vendor__regex-1.5.5",
-    "vendor__smallvec-1.6.1",
-    "vendor__string-interner-0.12.2",
-    "vendor__thiserror-1.0.29",
-    "vendor__tree-sitter-0.20.4",
-    "vendor__tree-sitter-graph-0.7.0",
+    "vendor_py__anyhow-1.0.95",
+    "vendor_py__cc-1.2.14",
+    "vendor_py__clap-4.5.30",
+    "vendor_py__regex-1.11.1",
+    "vendor_py__tree-sitter-0.20.4",
+    "vendor_py__tree-sitter-graph-0.7.0",
 )
 
 # deps for ruby+rust

actions/extractor/BUILD.bazel

@@ -4,7 +4,9 @@ codeql_pkg_files(
     name = "extractor",
     srcs = [
         "codeql-extractor.yml",
-    ] + glob(["tools/**"]),
+        "//:LICENSE",
+    ],
+    exes = glob(["tools/**"]),
     strip_prefix = strip_prefix.from_pkg(),
     visibility = ["//actions:__pkg__"],
 )

actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml

@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: immutableActionsDataModel
+    data:
+      - ["actions/checkout"]
+      - ["actions/cache"]
+      - ["actions/setup-node"]
+      - ["actions/upload-artifact"]
+      - ["actions/setup-python"]
+      - ["actions/download-artifact"]
+      - ["actions/github-script"]
+      - ["actions/setup-java"]
+      - ["actions/setup-go"]
+      - ["actions/upload-pages-artifact"]
+      - ["actions/deploy-pages"]
+      - ["actions/setup-dotnet"]
+      - ["actions/stale"]
+      - ["actions/labeler"]
+      - ["actions/create-github-app-token"]
+      - ["actions/configure-pages"]
+      - ["github/codeql-action/analyze"]
+      - ["github/codeql-action/autobuild"]
+      - ["github/codeql-action/init"]
+      - ["github/codeql-action/resolve-environment"]
+      - ["github/codeql-action/start-proxy"]
+      - ["github/codeql-action/upload-sarif"]
+      - ["octokit/request-action"]

actions/ql/extensions/immutable-actions-list/qlpack.yml

@@ -0,0 +1,14 @@
+# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
+# yet released, so this pack will only be used within GitHub. Once the feature is available to
+# customers, we will move the contents of this pack back into the standard library pack.
+name: codeql/immutable-actions-list
+version: 0.0.1-dev
+library: true
+warnOnImplicitThis: true
+extensionTargets:
+  # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
+  # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
+  # bump the major version to 2.
+  codeql/actions-all: ">=0.4.3 <2.0.0"
+dataExtensions:
+- ext/**/*.yml

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.4
+
+No user-facing changes.
+
 ## 0.4.3
 
 ### New Features

actions/ql/lib/change-notes/released/0.4.4.md

@@ -0,0 +1,3 @@
+## 0.4.4
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.3
+lastReleaseVersion: 0.4.4

actions/ql/lib/ext/config/immutable_actions.yml

@@ -2,21 +2,9 @@ extensions:
   - addsTo:
       pack: codeql/actions-all
       extensible: immutableActionsDataModel
-    data:
-      - ["actions/checkout"]
-      - ["actions/cache"]
-      - ["actions/setup-node"]
-      - ["actions/upload-artifact"]
-      - ["actions/setup-python"]
-      - ["actions/download-artifact"]
-      - ["actions/github-script"]
-      - ["actions/setup-java"]
-      - ["actions/setup-go"]
-      - ["actions/upload-pages-artifact"]
-      - ["actions/deploy-pages"]
-      - ["actions/setup-dotnet"]
-      - ["actions/stale"]
-      - ["actions/labeler"]
-      - ["actions/create-github-app-token"]
-      - ["actions/configure-pages"]
-      - ["octokit/request-action"]
+    # Since the Immutable Actions feature is not yet available to customers, we won't alert about
+    # any unversioned immutable action references for now. Within GitHub, we'll include the
+    # `codeql/immutable-actions-list` model pack, which will provide the necessary list of actions
+    # for internal use. Once the feature is available to customers, we'll move that list back into
+    # this file.
+    data: []

actions/ql/lib/ext/config/trusted_actions_owner.yml

@@ -5,4 +5,4 @@ extensions:
     data:      
       - ["actions"]
       - ["github"]
-      - ["advanced-security"]
+      - ["advanced-security"]

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.3
+version: 0.4.4
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 0.5.1
+
+### Bug Fixes
+
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+  Immutable Actions feature is not yet available for customer use. The query remains in the
+  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
+  available, the query will be updated to report alerts again.
+
 ## 0.5.0
 
 ### Breaking Changes

actions/ql/src/change-notes/released/0.5.1.md

@@ -0,0 +1,8 @@
+## 0.5.1
+
+### Bug Fixes
+
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+  Immutable Actions feature is not yet available for customer use. The query remains in the
+  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
+  available, the query will be updated to report alerts again.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.0
+lastReleaseVersion: 0.5.1

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.0
+version: 0.5.1
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/qlpack.yml

@@ -3,6 +3,10 @@ groups: [codeql, test]
 dependencies:
   codeql/actions-all: ${workspace}
   codeql/actions-queries: ${workspace}
+  # Use the `immutable-actions-list` model pack so that we have some actual data to test against.
+  # We can remove this dependency when we incorporate the data from that model pack back into the
+  # standard library pack.
+  codeql/immutable-actions-list: ${workspace}
 extractor: actions
 tests: .
 warnOnImplicitThis: true

codeql-workspace.yml

@@ -17,7 +17,7 @@ provide:
   - "misc/legacy-support/*/qlpack.yml"
   - "misc/suite-helpers/qlpack.yml"
   - ".github/codeql/extensions/**/codeql-pack.yml"
-
+  - "actions/ql/extensions/**/qlpack.yml"
 versionPolicies:
   default:
     requireChangeNotes: true

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 4.0.2
+
+### Minor Analysis Improvements
+
+* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
+* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.
+
 ## 4.0.1
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/4.0.2.md

@@ -0,0 +1,6 @@
+## 4.0.2
+
+### Minor Analysis Improvements
+
+* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
+* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.0.1
+lastReleaseVersion: 4.0.2

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.0.1
+version: 4.0.2
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -75,7 +75,10 @@ class Location extends @location {
 
   /** Holds if `this` comes on a line strictly before `l`. */
   pragma[inline]
-  predicate isBefore(Location l) { this.isBefore(l, false) }
+  predicate isBefore(Location l) {
+    this.getFile() = l.getFile() and
+    this.getEndLine() < l.getStartLine()
+  }
 
   /**
    * Holds if `this` comes strictly before `l`. The boolean `sameLine` is

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -71,7 +71,7 @@ private int getSize(VariableAccess va) {
       result = t.getSize()
     )
     or
-    exists(Class c |
+    exists(Class c, int trueSize |
       // Otherwise, we find the "outermost" object and compute the size
       // as the difference between the size of the type of the "outermost
       // object" and the offset of the field relative to that type.
@@ -91,7 +91,9 @@ private int getSize(VariableAccess va) {
       // of `y` relative to the type `S2` (i.e., `4`). So the size of the
       // buffer is `12 - 4 = 8`.
       c = getRootType(va) and
-      result = c.getSize() - v.(Field).getOffsetInClass(c)
+      // we calculate the size based on the last field, to avoid including any padding after it
+      trueSize = max(Field f | | f.getOffsetInClass(c) + f.getUnspecifiedType().getSize()) and
+      result = trueSize - v.(Field).getOffsetInClass(c)
     )
   )
 }
@@ -105,9 +107,16 @@ private int getSize(VariableAccess va) {
 private int isSource(Expr bufferExpr, Element why) {
   exists(Variable bufferVar | bufferVar = bufferExpr.(VariableAccess).getTarget() |
     // buffer is a fixed size array
-    result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
+    exists(bufferVar.getUnspecifiedType().(ArrayType).getSize()) and
+    result =
+      unique(int size | // more generous than .getSize() itself, when the array is a class field or similar.
+        size = getSize(bufferExpr)
+      |
+        size
+      ) and
     why = bufferVar and
     not memberMayBeVarSize(_, bufferVar) and
+    not exists(BuiltInOperationBuiltInOffsetOf offsetof | offsetof.getAChild*() = bufferExpr) and
     // zero sized arrays are likely to have special usage, for example
     // behaving a bit like a 'union' overlapping other fields.
     not result = 0

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -869,12 +869,11 @@ private predicate elementSpecMatchesSignature(
 bindingset[nameWithoutArgs]
 pragma[inline_late]
 private Class getClassAndNameImpl(Function method, string nameWithoutArgs) {
-  exists(string memberName | result = method.getClassAndName(memberName) |
-    nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType()
-    or
-    not method instanceof ConversionOperator and
-    memberName = nameWithoutArgs
-  )
+  result = method.getDeclaringType() and
+  nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType()
+  or
+  result = method.getClassAndName(nameWithoutArgs) and
+  not method instanceof ConversionOperator
 }
 
 /**

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 1.3.5
+
+### Minor Analysis Improvements
+
+* Due to changes in libraries the query "Static array access may cause overflow" (`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single `memset` or similar operation.
+* The query "Call to memory access function may overflow buffer" (`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.
+
 ## 1.3.4
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -49,11 +49,17 @@ predicate interestingConcatenation(DataFlow::Node incoming, DataFlow::Node outgo
     call.getTarget() = op and
     op.hasQualifiedName("std", "operator+") and
     op.getType().(UserType).hasQualifiedName("std", "basic_string") and
-    incoming.asIndirectArgument() = call.getArgument(1) and // left operand
+    incoming.asIndirectArgument() = call.getArgument(1) and // right operand
     call = outgoing.asInstruction().getUnconvertedResultExpression()
   )
 }
 
+/**
+ * A state will represent the most recent concatenation that occurred in the data flow.
+ *  - `TConcatState` if the concetenation has not yet occurred.
+ *  - `TExecState(incoming, outgoing)`, representing the concatenation of data from `incoming`
+ *    into result `outgoing`.
+ */
 newtype TState =
   TConcatState() or
   TExecState(DataFlow::Node incoming, DataFlow::Node outgoing) {
@@ -74,7 +80,9 @@ class ExecState extends TExecState {
 
   DataFlow::Node getOutgoingNode() { result = outgoing }
 
-  /** Holds if this is a possible `ExecState` for `sink`. */
+  /**
+   * Holds if this is a possible `ExecState` at `sink`, that is, if `outgoing` flows to `sink`.
+   */
   predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
 
   string toString() { result = "ExecState" }
@@ -110,6 +118,12 @@ module ExecStateConfig implements DataFlow::ConfigSig {
 
 module ExecState = TaintTracking::Global<ExecStateConfig>;
 
+/**
+ * A full `TaintTracking` configuration from source to concatenation to sink, using a flow
+ * state to remember the concatenation. It's important that we track flow to the sink even though
+ * as soon as we reach the concatenation we know it will get there (due to the check of
+ * `isFeasibleForSink`), because this way we get a complete flow path.
+ */
 module ExecTaintConfig implements DataFlow::StateConfigSig {
   class FlowState = TState;
 

cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql

@@ -5,8 +5,9 @@
  *              buffer.
  * @kind problem
  * @id cpp/overflow-buffer
- * @problem.severity recommendation
+ * @problem.severity warning
  * @security-severity 9.3
+ * @precision medium
  * @tags security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-121

cpp/ql/src/change-notes/released/1.3.5.md

@@ -0,0 +1,6 @@
+## 1.3.5
+
+### Minor Analysis Improvements
+
+* Due to changes in libraries the query "Static array access may cause overflow" (`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single `memset` or similar operation.
+* The query "Call to memory access function may overflow buffer" (`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.4
+lastReleaseVersion: 1.3.5

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.4
+version: 1.3.5
 groups:
   - cpp
   - queries

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -7,68 +7,88 @@ edges
 | test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags | provenance |  |
 | test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command | provenance |  |
 | test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument | provenance | Config |
-| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename | provenance |  |
-| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command | provenance |  |
-| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument | provenance | Config |
-| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename | provenance |  |
-| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command | provenance |  |
-| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument | provenance | Config |
-| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename | provenance |  |
-| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path | provenance |  |
-| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument | provenance | Config |
-| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path | provenance | TaintFunction |
-| test.cpp:107:31:107:31 | call to operator+ | test.cpp:107:31:107:31 | call to operator+ | provenance |  |
-| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str | provenance | TaintFunction |
-| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ | provenance | Config |
-| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path | provenance | TaintFunction |
-| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | TaintFunction |
-| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | TaintFunction |
-| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ | provenance |  |
-| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ | provenance | Config |
-| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ | provenance | Config |
-| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path | provenance | TaintFunction |
-| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data | provenance | TaintFunction |
-| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ | provenance | Config |
-| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str | provenance |  |
-| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command | provenance |  |
-| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument | provenance | Config |
-| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename | provenance |  |
-| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename | provenance |  |
-| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance |  |
-| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance |  |
-| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | Config |
-| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | TaintFunction |
-| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance |  |
-| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance |  |
-| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | Config |
-| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | TaintFunction |
-| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance |  |
-| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument | provenance | Config |
-| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename | provenance |  |
-| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance |  |
-| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance |  |
-| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | Config |
-| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | TaintFunction |
-| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance |  |
-| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command | provenance |  |
-| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command [Return] | provenance |  |
-| test.cpp:188:11:188:17 | strncat output argument | test.cpp:186:19:186:25 | *command [Return] | provenance |  |
-| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | Config |
-| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | TaintFunction |
-| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename | provenance |  |
-| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance |  |
-| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance |  |
-| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | provenance |  |
-| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | Config |
-| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | TaintFunction |
-| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename | provenance |  |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | TaintFunction |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | TaintFunction |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
-| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance |  |
-| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | Config |
-| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | Config |
-| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename | provenance |  |
+| test.cpp:63:9:63:16 | fread output argument | test.cpp:65:20:65:27 | *filename | provenance |  |
+| test.cpp:65:11:65:17 | strncat output argument | test.cpp:66:10:66:16 | *command | provenance |  |
+| test.cpp:65:20:65:27 | *filename | test.cpp:65:11:65:17 | strncat output argument | provenance | Config |
+| test.cpp:83:9:83:16 | fread output argument | test.cpp:85:20:85:27 | *filename | provenance |  |
+| test.cpp:85:11:85:17 | strncat output argument | test.cpp:86:32:86:38 | *command | provenance |  |
+| test.cpp:85:20:85:27 | *filename | test.cpp:85:11:85:17 | strncat output argument | provenance | Config |
+| test.cpp:92:9:92:16 | fread output argument | test.cpp:94:17:94:24 | *filename | provenance |  |
+| test.cpp:94:11:94:14 | strncat output argument | test.cpp:95:45:95:48 | *path | provenance |  |
+| test.cpp:94:17:94:24 | *filename | test.cpp:94:11:94:14 | strncat output argument | provenance | Config |
+| test.cpp:107:20:107:38 | *call to getenv | test.cpp:108:33:108:36 | *path | provenance | TaintFunction |
+| test.cpp:108:31:108:31 | call to operator+ | test.cpp:108:31:108:31 | call to operator+ | provenance |  |
+| test.cpp:108:31:108:31 | call to operator+ | test.cpp:109:18:109:22 | *call to c_str | provenance | TaintFunction |
+| test.cpp:108:33:108:36 | *path | test.cpp:108:31:108:31 | call to operator+ | provenance | Config |
+| test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:19:115:22 | *path | provenance | TaintFunction |
+| test.cpp:115:10:115:23 | call to operator+ | test.cpp:115:25:115:29 | *call to c_str | provenance | TaintFunction |
+| test.cpp:115:10:115:23 | call to operator+ | test.cpp:115:25:115:29 | *call to c_str | provenance | TaintFunction |
+| test.cpp:115:17:115:17 | call to operator+ | test.cpp:115:10:115:23 | call to operator+ | provenance |  |
+| test.cpp:115:19:115:22 | *path | test.cpp:115:10:115:23 | call to operator+ | provenance | Config |
+| test.cpp:115:19:115:22 | *path | test.cpp:115:17:115:17 | call to operator+ | provenance | Config |
+| test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:19:121:22 | *path | provenance | TaintFunction |
+| test.cpp:121:17:121:17 | call to operator+ | test.cpp:121:10:121:30 | *call to data | provenance | TaintFunction |
+| test.cpp:121:19:121:22 | *path | test.cpp:121:17:121:17 | call to operator+ | provenance | Config |
+| test.cpp:141:9:141:11 | fread output argument | test.cpp:143:31:143:33 | *str | provenance |  |
+| test.cpp:143:11:143:17 | sprintf output argument | test.cpp:144:10:144:16 | *command | provenance |  |
+| test.cpp:143:31:143:33 | *str | test.cpp:143:11:143:17 | sprintf output argument | provenance | Config |
+| test.cpp:175:9:175:16 | fread output argument | test.cpp:178:20:178:27 | *filename | provenance |  |
+| test.cpp:175:9:175:16 | fread output argument | test.cpp:181:22:181:29 | *filename | provenance |  |
+| test.cpp:178:13:178:17 | strncat output argument | test.cpp:179:22:179:26 | *flags | provenance |  |
+| test.cpp:178:13:178:17 | strncat output argument | test.cpp:179:22:179:26 | *flags | provenance |  |
+| test.cpp:178:20:178:27 | *filename | test.cpp:178:13:178:17 | strncat output argument | provenance | Config |
+| test.cpp:178:20:178:27 | *filename | test.cpp:178:13:178:17 | strncat output argument | provenance | TaintFunction |
+| test.cpp:179:13:179:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance |  |
+| test.cpp:179:13:179:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance |  |
+| test.cpp:179:22:179:26 | *flags | test.cpp:179:13:179:19 | strncat output argument | provenance | Config |
+| test.cpp:179:22:179:26 | *flags | test.cpp:179:13:179:19 | strncat output argument | provenance | TaintFunction |
+| test.cpp:181:13:181:19 | strncat output argument | test.cpp:184:32:184:38 | *command | provenance |  |
+| test.cpp:181:22:181:29 | *filename | test.cpp:181:13:181:19 | strncat output argument | provenance | Config |
+| test.cpp:187:47:187:54 | *filename | test.cpp:188:18:188:25 | *filename | provenance |  |
+| test.cpp:188:11:188:15 | strncat output argument | test.cpp:189:20:189:24 | *flags | provenance |  |
+| test.cpp:188:11:188:15 | strncat output argument | test.cpp:189:20:189:24 | *flags | provenance |  |
+| test.cpp:188:18:188:25 | *filename | test.cpp:188:11:188:15 | strncat output argument | provenance | Config |
+| test.cpp:188:18:188:25 | *filename | test.cpp:188:11:188:15 | strncat output argument | provenance | TaintFunction |
+| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command | provenance |  |
+| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command | provenance |  |
+| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command [Return] | provenance |  |
+| test.cpp:189:11:189:17 | strncat output argument | test.cpp:187:19:187:25 | *command [Return] | provenance |  |
+| test.cpp:189:20:189:24 | *flags | test.cpp:189:11:189:17 | strncat output argument | provenance | Config |
+| test.cpp:189:20:189:24 | *flags | test.cpp:189:11:189:17 | strncat output argument | provenance | TaintFunction |
+| test.cpp:195:9:195:16 | fread output argument | test.cpp:197:26:197:33 | *filename | provenance |  |
+| test.cpp:197:10:197:16 | concat output argument | test.cpp:199:32:199:38 | *command | provenance |  |
+| test.cpp:197:10:197:16 | concat output argument | test.cpp:199:32:199:38 | *command | provenance |  |
+| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | provenance |  |
+| test.cpp:197:26:197:33 | *filename | test.cpp:197:10:197:16 | concat output argument | provenance | Config |
+| test.cpp:197:26:197:33 | *filename | test.cpp:197:10:197:16 | concat output argument | provenance | TaintFunction |
+| test.cpp:219:9:219:16 | fread output argument | test.cpp:221:19:221:26 | *filename | provenance |  |
+| test.cpp:221:10:221:16 | strncat output argument | test.cpp:221:10:221:16 | strncat output argument | provenance | TaintFunction |
+| test.cpp:221:10:221:16 | strncat output argument | test.cpp:221:10:221:16 | strncat output argument | provenance | TaintFunction |
+| test.cpp:221:10:221:16 | strncat output argument | test.cpp:223:32:223:38 | *command | provenance |  |
+| test.cpp:221:10:221:16 | strncat output argument | test.cpp:223:32:223:38 | *command | provenance |  |
+| test.cpp:221:19:221:26 | *filename | test.cpp:221:10:221:16 | strncat output argument | provenance | Config |
+| test.cpp:221:19:221:26 | *filename | test.cpp:221:10:221:16 | strncat output argument | provenance | Config |
+| test.cpp:221:19:221:26 | *filename | test.cpp:221:19:221:26 | *filename | provenance |  |
+| test.cpp:231:11:231:16 | strncat output argument | test.cpp:232:11:232:16 | strncat output argument | provenance | TaintFunction |
+| test.cpp:231:19:231:33 | *call to getenv | test.cpp:231:11:231:16 | strncat output argument | provenance | Config |
+| test.cpp:232:11:232:16 | strncat output argument | test.cpp:233:11:233:16 | strncat output argument | provenance | TaintFunction |
+| test.cpp:232:11:232:16 | strncat output argument | test.cpp:233:11:233:16 | strncat output argument | provenance | TaintFunction |
+| test.cpp:232:19:232:33 | *call to getenv | test.cpp:232:11:232:16 | strncat output argument | provenance | Config |
+| test.cpp:233:11:233:16 | strncat output argument | test.cpp:234:10:234:15 | *buffer | provenance |  |
+| test.cpp:233:11:233:16 | strncat output argument | test.cpp:234:10:234:15 | *buffer | provenance |  |
+| test.cpp:242:11:242:17 | sprintf output argument | test.cpp:247:5:247:11 | *buffer1 | provenance |  |
+| test.cpp:242:11:242:17 | sprintf output argument | test.cpp:247:5:247:11 | *buffer1 | provenance |  |
+| test.cpp:243:5:243:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | TaintFunction |
+| test.cpp:244:5:244:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | Config |
+| test.cpp:244:5:244:10 | *call to getenv | test.cpp:242:11:242:17 | sprintf output argument | provenance | TaintFunction |
+| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance |  |
+| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance |  |
+| test.cpp:245:11:245:17 | sprintf output argument | test.cpp:249:10:249:16 | *buffer2 | provenance |  |
+| test.cpp:247:5:247:11 | *buffer1 | test.cpp:245:11:245:17 | sprintf output argument | provenance | Config |
+| test.cpp:247:5:247:11 | *buffer1 | test.cpp:245:11:245:17 | sprintf output argument | provenance | TaintFunction |
+| test.cpp:248:5:248:10 | *call to getenv | test.cpp:245:11:245:17 | sprintf output argument | provenance | Config |
+| test.cpp:259:13:259:18 | strncat output argument | test.cpp:261:10:261:15 | *buffer | provenance |  |
+| test.cpp:259:21:259:35 | *call to getenv | test.cpp:259:13:259:18 | strncat output argument | provenance | Config |
 nodes
 | test.cpp:15:27:15:30 | **argv | semmle.label | **argv |
 | test.cpp:16:20:16:26 | *access to array | semmle.label | *access to array |
@@ -80,98 +100,130 @@ nodes
 | test.cpp:50:11:50:17 | sprintf output argument | semmle.label | sprintf output argument |
 | test.cpp:50:35:50:43 | *envCflags | semmle.label | *envCflags |
 | test.cpp:51:10:51:16 | *command | semmle.label | *command |
-| test.cpp:62:9:62:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:64:11:64:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:64:20:64:27 | *filename | semmle.label | *filename |
-| test.cpp:65:10:65:16 | *command | semmle.label | *command |
-| test.cpp:82:9:82:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:84:11:84:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:84:20:84:27 | *filename | semmle.label | *filename |
-| test.cpp:85:32:85:38 | *command | semmle.label | *command |
-| test.cpp:91:9:91:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:93:11:93:14 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:93:17:93:24 | *filename | semmle.label | *filename |
-| test.cpp:94:45:94:48 | *path | semmle.label | *path |
-| test.cpp:106:20:106:38 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:107:31:107:31 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:107:33:107:36 | *path | semmle.label | *path |
-| test.cpp:108:18:108:22 | *call to c_str | semmle.label | *call to c_str |
-| test.cpp:113:20:113:38 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:114:10:114:23 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:114:17:114:17 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:114:19:114:22 | *path | semmle.label | *path |
-| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
-| test.cpp:114:25:114:29 | *call to c_str | semmle.label | *call to c_str |
-| test.cpp:119:20:119:38 | *call to getenv | semmle.label | *call to getenv |
-| test.cpp:120:10:120:30 | *call to data | semmle.label | *call to data |
-| test.cpp:120:17:120:17 | call to operator+ | semmle.label | call to operator+ |
-| test.cpp:120:19:120:22 | *path | semmle.label | *path |
-| test.cpp:140:9:140:11 | fread output argument | semmle.label | fread output argument |
-| test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
-| test.cpp:142:31:142:33 | *str | semmle.label | *str |
-| test.cpp:143:10:143:16 | *command | semmle.label | *command |
-| test.cpp:174:9:174:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:177:20:177:27 | *filename | semmle.label | *filename |
-| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
-| test.cpp:178:22:178:26 | *flags | semmle.label | *flags |
-| test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:180:22:180:29 | *filename | semmle.label | *filename |
-| test.cpp:183:32:183:38 | *command | semmle.label | *command |
-| test.cpp:183:32:183:38 | *command | semmle.label | *command |
-| test.cpp:183:32:183:38 | *command | semmle.label | *command |
-| test.cpp:186:19:186:25 | *command | semmle.label | *command |
-| test.cpp:186:19:186:25 | *command | semmle.label | *command |
-| test.cpp:186:19:186:25 | *command [Return] | semmle.label | *command [Return] |
-| test.cpp:186:19:186:25 | *command [Return] | semmle.label | *command [Return] |
-| test.cpp:186:47:186:54 | *filename | semmle.label | *filename |
-| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:187:18:187:25 | *filename | semmle.label | *filename |
-| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
-| test.cpp:188:20:188:24 | *flags | semmle.label | *flags |
-| test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
-| test.cpp:196:10:196:16 | concat output argument | semmle.label | concat output argument |
-| test.cpp:196:26:196:33 | *filename | semmle.label | *filename |
-| test.cpp:198:32:198:38 | *command | semmle.label | *command |
-| test.cpp:198:32:198:38 | *command | semmle.label | *command |
-| test.cpp:218:9:218:16 | fread output argument | semmle.label | fread output argument |
-| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:220:10:220:16 | strncat output argument | semmle.label | strncat output argument |
-| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
-| test.cpp:220:19:220:26 | *filename | semmle.label | *filename |
-| test.cpp:222:32:222:38 | *command | semmle.label | *command |
-| test.cpp:222:32:222:38 | *command | semmle.label | *command |
+| test.cpp:63:9:63:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:65:11:65:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:65:20:65:27 | *filename | semmle.label | *filename |
+| test.cpp:66:10:66:16 | *command | semmle.label | *command |
+| test.cpp:83:9:83:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:85:11:85:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:85:20:85:27 | *filename | semmle.label | *filename |
+| test.cpp:86:32:86:38 | *command | semmle.label | *command |
+| test.cpp:92:9:92:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:94:11:94:14 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:94:17:94:24 | *filename | semmle.label | *filename |
+| test.cpp:95:45:95:48 | *path | semmle.label | *path |
+| test.cpp:107:20:107:38 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:108:31:108:31 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:108:31:108:31 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:108:33:108:36 | *path | semmle.label | *path |
+| test.cpp:109:18:109:22 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:114:20:114:38 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:115:10:115:23 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:115:10:115:23 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:115:17:115:17 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:115:19:115:22 | *path | semmle.label | *path |
+| test.cpp:115:25:115:29 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:115:25:115:29 | *call to c_str | semmle.label | *call to c_str |
+| test.cpp:120:20:120:38 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:121:10:121:30 | *call to data | semmle.label | *call to data |
+| test.cpp:121:17:121:17 | call to operator+ | semmle.label | call to operator+ |
+| test.cpp:121:19:121:22 | *path | semmle.label | *path |
+| test.cpp:141:9:141:11 | fread output argument | semmle.label | fread output argument |
+| test.cpp:143:11:143:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:143:31:143:33 | *str | semmle.label | *str |
+| test.cpp:144:10:144:16 | *command | semmle.label | *command |
+| test.cpp:175:9:175:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:178:13:178:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:178:13:178:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:178:20:178:27 | *filename | semmle.label | *filename |
+| test.cpp:179:13:179:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:179:13:179:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:179:22:179:26 | *flags | semmle.label | *flags |
+| test.cpp:179:22:179:26 | *flags | semmle.label | *flags |
+| test.cpp:181:13:181:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:181:22:181:29 | *filename | semmle.label | *filename |
+| test.cpp:184:32:184:38 | *command | semmle.label | *command |
+| test.cpp:184:32:184:38 | *command | semmle.label | *command |
+| test.cpp:184:32:184:38 | *command | semmle.label | *command |
+| test.cpp:187:19:187:25 | *command | semmle.label | *command |
+| test.cpp:187:19:187:25 | *command | semmle.label | *command |
+| test.cpp:187:19:187:25 | *command [Return] | semmle.label | *command [Return] |
+| test.cpp:187:19:187:25 | *command [Return] | semmle.label | *command [Return] |
+| test.cpp:187:47:187:54 | *filename | semmle.label | *filename |
+| test.cpp:188:11:188:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:188:11:188:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:188:18:188:25 | *filename | semmle.label | *filename |
+| test.cpp:189:11:189:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:189:11:189:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:189:20:189:24 | *flags | semmle.label | *flags |
+| test.cpp:189:20:189:24 | *flags | semmle.label | *flags |
+| test.cpp:195:9:195:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:197:10:197:16 | concat output argument | semmle.label | concat output argument |
+| test.cpp:197:10:197:16 | concat output argument | semmle.label | concat output argument |
+| test.cpp:197:26:197:33 | *filename | semmle.label | *filename |
+| test.cpp:199:32:199:38 | *command | semmle.label | *command |
+| test.cpp:199:32:199:38 | *command | semmle.label | *command |
+| test.cpp:219:9:219:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:221:10:221:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:221:19:221:26 | *filename | semmle.label | *filename |
+| test.cpp:221:19:221:26 | *filename | semmle.label | *filename |
+| test.cpp:223:32:223:38 | *command | semmle.label | *command |
+| test.cpp:223:32:223:38 | *command | semmle.label | *command |
+| test.cpp:231:11:231:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:231:19:231:33 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:232:11:232:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:232:11:232:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:232:19:232:33 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:233:11:233:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:233:11:233:16 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:234:10:234:15 | *buffer | semmle.label | *buffer |
+| test.cpp:234:10:234:15 | *buffer | semmle.label | *buffer |
+| test.cpp:242:11:242:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:242:11:242:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:243:5:243:10 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:244:5:244:10 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:245:11:245:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:247:5:247:11 | *buffer1 | semmle.label | *buffer1 |
+| test.cpp:247:5:247:11 | *buffer1 | semmle.label | *buffer1 |
+| test.cpp:248:5:248:10 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
+| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
+| test.cpp:249:10:249:16 | *buffer2 | semmle.label | *buffer2 |
+| test.cpp:259:13:259:18 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:259:21:259:35 | *call to getenv | semmle.label | *call to getenv |
+| test.cpp:261:10:261:15 | *buffer | semmle.label | *buffer |
 subpaths
-| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
-| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command | test.cpp:196:10:196:16 | concat output argument |
-| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command [Return] | test.cpp:196:10:196:16 | concat output argument |
-| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | test.cpp:186:19:186:25 | *command [Return] | test.cpp:196:10:196:16 | concat output argument |
+| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument |
+| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument |
+| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument |
+| test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument |
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
 | test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
-| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
-| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
-| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
-| test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:38 | *call to getenv | test.cpp:108:18:108:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:38 | *call to getenv | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
-| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:10:114:23 | call to operator+ | call to operator+ |
-| test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:25:114:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:38 | *call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | call to operator+ | call to operator+ |
-| test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:10:120:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:38 | *call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | call to operator+ | call to operator+ |
-| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
-| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
-| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
-| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
-| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
+| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument |
+| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument |
+| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument |
+| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ |
+| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ |
+| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ |
+| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ |
+| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument |
+| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument |
+| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument |
+| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument |
+| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument |
+| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument |
+| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument |
+| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument |
+| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument |
+| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument |
+| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
+| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument |
+| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
+| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument |
+| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp

@@ -14,7 +14,7 @@ extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
 
 int main(int argc, char** argv) {
   char *userName = argv[2];
-  
+
   {
     // BAD: a string from the user is injected directly into
     // a command.
@@ -23,10 +23,10 @@ int main(int argc, char** argv) {
     system(command1);
   }
 
-  {  
+  {
     // GOOD: the user string is encoded by a library routine.
     char userNameQuoted[1000] = {0};
-    encodeShellString(userNameQuoted, 1000, userName); 
+    encodeShellString(userNameQuoted, 1000, userName);
     char command2[1000] = {0};
     sprintf(command2, "userinfo -v %s", userNameQuoted);
     system(command2);
@@ -36,16 +36,16 @@ int main(int argc, char** argv) {
 void test2(char* arg2) {
   // GOOD?: the user string is the *first* part of the command, like $CC in many environments
   char *envCC = getenv("CC");
-  
+
   char command[1000];
-  sprintf("%s %s", envCC, arg2);
+  sprintf(command, "%s %s", envCC, arg2);
   system(command);
 }
 
 void test3(char* arg1) {
   // GOOD?: the user string is a `$CFLAGS` environment variable
   char *envCflags = getenv("CFLAGS");
-  
+
   char command[1000];
   sprintf(command, "%s %s", arg1, envCflags);
   system(command);
@@ -54,6 +54,7 @@ void test3(char* arg1) {
 typedef unsigned long size_t;
 typedef void FILE;
 size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
+char *strncpy(char *s1, const char *s2, size_t n);
 char *strncat(char *s1, const char *s2, size_t n);
 
 void test4(FILE *f) {
@@ -160,7 +161,7 @@ void test15(FILE *f) {
   fread(temp, 1, 10, f);
 
   int x = atoi(temp);
-  
+
   char temp2[10];
   sprintf(temp2, "%d", x);
     sprintf(command, "tail -n %s foo.log", temp2);
@@ -222,4 +223,42 @@ void test19(FILE *f) {
   execl("/bin/sh", "sh", "-c", command);
 }
 
+void test20() {
+  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
+  char buffer[1024 * 4];
+
+  strncpy(buffer, getenv("var_a"), 1024);
+  strncat(buffer, getenv("var_b"), 1024);
+  strncat(buffer, getenv("var_c"), 1024);
+  strncat(buffer, " ", 1024);
+  system(buffer);
+}
+
+void test21() {
+  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
+  char buffer1[1024];
+  char buffer2[1024];
+
+  sprintf(buffer1, "%s %s",
+    getenv("var_a"),
+    getenv("var_b"));
+  sprintf(buffer2, "%s %s %s",
+    " ",
+    buffer1,
+    getenv("var_c"));
+  system(buffer2);
+}
+
+void test22() {
+  // BAD: the user strings `var_a` are injected directly into a command
+  char buffer[1024 * 11];
+  int i;
+
+  strncpy(buffer, "command ", 1024);
+  for (i = 0; i < 10; i++) {
+    strncat(buffer, getenv("var_a"), 1024);
+  }
+  system(buffer);
+}
+
 // open question: do we want to report certain sources even when they're the start of the string?

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.expected

@@ -1,5 +1,3 @@
-| tests.cpp:45:9:45:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
-| tests.cpp:60:9:60:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
 | tests.cpp:171:9:171:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | destination buffer |
 | tests.cpp:172:9:172:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | array |
 | tests.cpp:192:9:192:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.expected

@@ -1,2 +0,0 @@
-| tests.cpp:45:51:45:72 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |
-| tests.cpp:60:52:60:74 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp

@@ -42,7 +42,7 @@ void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
         /* Print the initial block pointed to by structCharVoid.voidSecond */
         printLine((char *)structCharVoid.voidSecond);
         /* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */
-        memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));
+        memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid)); // [NOT DETECTED]
         structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
         printLine((char *)structCharVoid.charFirst);
         printLine((char *)structCharVoid.voidSecond);
@@ -57,7 +57,7 @@ void CWE122_Heap_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
         /* Print the initial block pointed to by structCharVoid->voidSecond */
         printLine((char *)structCharVoid->voidSecond);
         /* FLAW: Use the sizeof(*structCharVoid) which will overwrite the pointer y */
-        memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid));
+        memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid)); // [NOT DETECTED]
         structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
         printLine((char *)structCharVoid->charFirst);
         printLine((char *)structCharVoid->voidSecond);
@@ -292,7 +292,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01
             delete [] data;
         }
     }
-    
+
     static void goodG2B()
 	{
 		wchar_t * data;
@@ -459,7 +459,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_01_bad()
 #ifdef _WIN32
 int _snwprintf(wchar_t *buffer, size_t count, const wchar_t *format, ...);
 #define SNPRINTF _snwprintf
-#else 
+#else
 int snprintf(char *s, size_t n, const char *format, ...);
 int swprintf(wchar_t *wcs, size_t maxlen, const wchar_t *format, ...);
 //#define SNPRINTF snprintf --- original code; using snprintf appears to be a mistake in samate?
@@ -485,14 +485,14 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_01_bad()
 }
 
 /* classes used in some test cases as a custom type */
-class TwoIntsClass 
+class TwoIntsClass
 {
     public: // Needed to access variables from label files
         int intOne;
         int intTwo;
 };
 
-class OneIntClass 
+class OneIntClass
 {
     public: // Needed to access variables from label files
         int intOne;
@@ -636,7 +636,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_31_bad()
 
 int rand(void);
 
-int globalReturnsTrueOrFalse() 
+int globalReturnsTrueOrFalse()
 {
     return (rand() % 2);
 }

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.expected

@@ -1,2 +1,4 @@
+| tests.cpp:1055:2:1055:8 | call to strncpy | This 'call to strncpy' operation is limited to 131 bytes but the destination is only 128 bytes. |
+| tests.cpp:1057:2:1057:8 | call to strncpy | This 'call to strncpy' operation is limited to 131 bytes but the destination is only 64 bytes. |
 | var_size_struct.cpp:73:3:73:9 | call to strncpy | This 'call to strncpy' operation is limited to 1025 bytes but the destination is only 1024 bytes. |
 | var_size_struct.cpp:103:3:103:9 | call to strncpy | This 'call to strncpy' operation is limited to 129 bytes but the destination is only 128 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected

@@ -17,69 +17,81 @@
 | tests.cpp:285:3:285:8 | call to memset | This 'memset' operation accesses 128 bytes but the $@ is only 64 bytes. | tests.cpp:283:12:283:23 | new[] | destination buffer |
 | tests.cpp:292:3:292:8 | call to memset | This 'memset' operation accesses 11 bytes but the $@ is only 10 bytes. | tests.cpp:289:8:289:12 | array | destination buffer |
 | tests.cpp:310:2:310:7 | call to memset | This 'memset' operation accesses 21 bytes but the $@ is only 20 bytes. | tests.cpp:301:10:301:14 | myVar | destination buffer |
-| tests.cpp:312:2:312:7 | call to memset | This 'memset' operation accesses 17 bytes but the $@ is only 16 bytes. | tests.cpp:298:7:298:12 | buffer | destination buffer |
 | tests.cpp:314:2:314:7 | call to memset | This 'memset' operation accesses 8 bytes but the $@ is only 4 bytes. | tests.cpp:299:6:299:10 | field | destination buffer |
-| tests.cpp:346:2:346:14 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:342:7:342:15 | charArray | array |
-| tests.cpp:349:2:349:14 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
-| tests.cpp:350:17:350:29 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
-| tests.cpp:352:2:352:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:343:6:343:13 | intArray | array |
-| tests.cpp:355:2:355:13 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:343:6:343:13 | intArray | array |
-| tests.cpp:356:16:356:27 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:343:6:343:13 | intArray | array |
-| tests.cpp:358:2:358:16 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:344:11:344:21 | structArray | array |
-| tests.cpp:361:2:361:16 | access to array | This array indexing operation accesses byte offset 219 but the $@ is only 200 bytes. | tests.cpp:344:11:344:21 | structArray | array |
-| tests.cpp:362:25:362:39 | access to array | This array indexing operation accesses byte offset 219 but the $@ is only 200 bytes. | tests.cpp:344:11:344:21 | structArray | array |
-| tests.cpp:365:23:365:34 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:343:6:343:13 | intArray | array |
-| tests.cpp:373:3:373:13 | access to array | This array indexing operation accesses byte offset 101 but the $@ is only 100 bytes. | tests.cpp:368:47:368:52 | call to malloc | array |
-| tests.cpp:376:3:376:13 | access to array | This array indexing operation accesses byte offset 101 but the $@ is only 101 bytes. | tests.cpp:369:47:369:52 | call to malloc | array |
-| tests.cpp:446:3:446:24 | access to array | This array indexing operation accesses a negative index -3 on the $@. | tests.cpp:444:7:444:14 | intArray | array |
-| tests.cpp:454:3:454:11 | access to array | This array indexing operation accesses a negative index -21 on the $@. | tests.cpp:450:7:450:11 | multi | array |
-| tests.cpp:456:3:456:11 | access to array | This array indexing operation accesses a negative index -21 on the $@. | tests.cpp:450:7:450:11 | multi | array |
-| tests.cpp:459:3:459:11 | access to array | This array indexing operation accesses byte offset 639 but the $@ is only 400 bytes. | tests.cpp:450:7:450:11 | multi | array |
-| tests.cpp:461:3:461:11 | access to array | This array indexing operation accesses byte offset 639 but the $@ is only 400 bytes. | tests.cpp:450:7:450:11 | multi | array |
-| tests.cpp:476:2:476:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:469:7:469:12 | buffer | array |
-| tests.cpp:477:2:477:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:469:7:469:12 | buffer | array |
-| tests.cpp:481:2:481:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:469:7:469:12 | buffer | array |
-| tests.cpp:487:2:487:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:473:21:473:26 | call to malloc | array |
-| tests.cpp:491:2:491:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:474:21:474:26 | call to malloc | array |
-| tests.cpp:519:3:519:8 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:502:15:502:20 | call to malloc | destination buffer |
-| tests.cpp:519:3:519:8 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:510:16:510:21 | call to malloc | destination buffer |
-| tests.cpp:541:6:541:10 | call to fread | This 'fread' operation may access 101 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
-| tests.cpp:546:6:546:10 | call to fread | This 'fread' operation may access 400 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
-| tests.cpp:569:6:569:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
-| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
-| tests.cpp:637:6:637:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:633:7:633:12 | buffer | array |
-| tests.cpp:645:7:645:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:633:7:633:12 | buffer | array |
-| tests.cpp:708:3:708:8 | call to memset | This 'memset' operation accesses 24 bytes but the $@ is only 8 bytes. | tests.cpp:693:16:693:16 | c | destination buffer |
-| tests.cpp:712:3:712:8 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:693:16:693:16 | c | destination buffer |
-| tests.cpp:716:3:716:8 | call to memset | This 'memset' operation accesses 24 bytes but the $@ is only 16 bytes. | tests.cpp:692:16:692:16 | b | destination buffer |
-| tests.cpp:727:2:727:7 | call to memset | This 'memset' operation accesses 24 bytes but the $@ is only 8 bytes. | tests.cpp:693:16:693:16 | c | destination buffer |
-| tests.cpp:753:5:753:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:735:20:735:22 | b_1 | destination buffer |
-| tests.cpp:756:5:756:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:735:20:735:22 | b_1 | destination buffer |
-| tests.cpp:760:5:760:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:736:20:736:22 | c_1 | destination buffer |
-| tests.cpp:761:5:761:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 8 bytes. | tests.cpp:736:20:736:22 | c_1 | destination buffer |
-| tests.cpp:763:5:763:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:736:20:736:22 | c_1 | destination buffer |
-| tests.cpp:764:5:764:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 8 bytes. | tests.cpp:736:20:736:22 | c_1 | destination buffer |
-| tests.cpp:774:5:774:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:740:20:740:22 | b_2 | destination buffer |
-| tests.cpp:777:5:777:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:740:20:740:22 | b_2 | destination buffer |
-| tests.cpp:795:5:795:10 | call to memset | This 'memset' operation accesses 8 bytes but the $@ is only 4 bytes. | tests.cpp:790:16:790:16 | b | destination buffer |
-| tests.cpp:822:5:822:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 16 bytes. | tests.cpp:801:16:801:16 | b | destination buffer |
-| tests.cpp:825:5:825:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 16 bytes. | tests.cpp:801:16:801:16 | b | destination buffer |
-| tests.cpp:827:5:827:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 16 bytes. | tests.cpp:801:16:801:16 | b | destination buffer |
-| tests.cpp:830:5:830:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 12 bytes. | tests.cpp:802:16:802:16 | c | destination buffer |
-| tests.cpp:831:5:831:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:802:16:802:16 | c | destination buffer |
-| tests.cpp:833:5:833:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 12 bytes. | tests.cpp:802:16:802:16 | c | destination buffer |
-| tests.cpp:835:5:835:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 12 bytes. | tests.cpp:802:16:802:16 | c | destination buffer |
-| tests.cpp:846:5:846:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 8 bytes. | tests.cpp:807:16:807:16 | x | destination buffer |
-| tests.cpp:847:5:847:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:807:16:807:16 | x | destination buffer |
-| tests.cpp:848:5:848:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 8 bytes. | tests.cpp:807:16:807:16 | x | destination buffer |
-| tests.cpp:849:5:849:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 8 bytes. | tests.cpp:807:16:807:16 | x | destination buffer |
-| tests.cpp:851:5:851:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 8 bytes. | tests.cpp:807:16:807:16 | x | destination buffer |
-| tests.cpp:862:5:862:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 4 bytes. | tests.cpp:812:12:812:12 | u | destination buffer |
-| tests.cpp:863:5:863:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 4 bytes. | tests.cpp:812:12:812:12 | u | destination buffer |
-| tests.cpp:864:5:864:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 4 bytes. | tests.cpp:812:12:812:12 | u | destination buffer |
-| tests.cpp:865:5:865:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 4 bytes. | tests.cpp:812:12:812:12 | u | destination buffer |
-| tests.cpp:866:5:866:10 | call to memset | This 'memset' operation accesses 8 bytes but the $@ is only 4 bytes. | tests.cpp:812:12:812:12 | u | destination buffer |
-| tests.cpp:867:5:867:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 4 bytes. | tests.cpp:812:12:812:12 | u | destination buffer |
+| tests.cpp:348:2:348:14 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:351:2:351:14 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:352:17:352:29 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:354:2:354:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:343:6:343:13 | intArray | array |
+| tests.cpp:357:2:357:13 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:343:6:343:13 | intArray | array |
+| tests.cpp:358:16:358:27 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:343:6:343:13 | intArray | array |
+| tests.cpp:360:2:360:16 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:344:11:344:21 | structArray | array |
+| tests.cpp:363:2:363:16 | access to array | This array indexing operation accesses byte offset 219 but the $@ is only 200 bytes. | tests.cpp:344:11:344:21 | structArray | array |
+| tests.cpp:364:25:364:39 | access to array | This array indexing operation accesses byte offset 219 but the $@ is only 200 bytes. | tests.cpp:344:11:344:21 | structArray | array |
+| tests.cpp:367:23:367:34 | access to array | This array indexing operation accesses byte offset 43 but the $@ is only 40 bytes. | tests.cpp:343:6:343:13 | intArray | array |
+| tests.cpp:369:2:369:13 | access to array | This array indexing operation accesses a negative index -2 on the $@. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:370:2:370:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:374:2:374:13 | access to array | This array indexing operation accesses byte offset 10 but the $@ is only 10 bytes. | tests.cpp:342:7:342:15 | charArray | array |
+| tests.cpp:394:3:394:13 | access to array | This array indexing operation accesses byte offset 101 but the $@ is only 100 bytes. | tests.cpp:389:47:389:52 | call to malloc | array |
+| tests.cpp:397:3:397:13 | access to array | This array indexing operation accesses byte offset 101 but the $@ is only 101 bytes. | tests.cpp:390:47:390:52 | call to malloc | array |
+| tests.cpp:467:3:467:24 | access to array | This array indexing operation accesses a negative index -3 on the $@. | tests.cpp:465:7:465:14 | intArray | array |
+| tests.cpp:475:3:475:11 | access to array | This array indexing operation accesses a negative index -21 on the $@. | tests.cpp:471:7:471:11 | multi | array |
+| tests.cpp:477:3:477:11 | access to array | This array indexing operation accesses a negative index -21 on the $@. | tests.cpp:471:7:471:11 | multi | array |
+| tests.cpp:480:3:480:11 | access to array | This array indexing operation accesses byte offset 639 but the $@ is only 400 bytes. | tests.cpp:471:7:471:11 | multi | array |
+| tests.cpp:482:3:482:11 | access to array | This array indexing operation accesses byte offset 639 but the $@ is only 400 bytes. | tests.cpp:471:7:471:11 | multi | array |
+| tests.cpp:497:2:497:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:490:7:490:12 | buffer | array |
+| tests.cpp:498:2:498:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:490:7:490:12 | buffer | array |
+| tests.cpp:502:2:502:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:490:7:490:12 | buffer | array |
+| tests.cpp:508:2:508:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:494:21:494:26 | call to malloc | array |
+| tests.cpp:512:2:512:7 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:495:21:495:26 | call to malloc | array |
+| tests.cpp:540:3:540:8 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:523:15:523:20 | call to malloc | destination buffer |
+| tests.cpp:540:3:540:8 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 10 bytes. | tests.cpp:531:16:531:21 | call to malloc | destination buffer |
+| tests.cpp:562:6:562:10 | call to fread | This 'fread' operation may access 101 bytes but the $@ is only 100 bytes. | tests.cpp:553:7:553:16 | charBuffer | destination buffer |
+| tests.cpp:567:6:567:10 | call to fread | This 'fread' operation may access 400 bytes but the $@ is only 100 bytes. | tests.cpp:553:7:553:16 | charBuffer | destination buffer |
+| tests.cpp:590:6:590:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:586:7:586:12 | buffer | array |
+| tests.cpp:598:7:598:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:586:7:586:12 | buffer | array |
+| tests.cpp:658:6:658:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:654:7:654:12 | buffer | array |
+| tests.cpp:666:7:666:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:654:7:654:12 | buffer | array |
+| tests.cpp:729:3:729:8 | call to memset | This 'memset' operation accesses 24 bytes but the $@ is only 8 bytes. | tests.cpp:714:16:714:16 | c | destination buffer |
+| tests.cpp:733:3:733:8 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:714:16:714:16 | c | destination buffer |
+| tests.cpp:737:3:737:8 | call to memset | This 'memset' operation accesses 24 bytes but the $@ is only 16 bytes. | tests.cpp:713:16:713:16 | b | destination buffer |
+| tests.cpp:748:2:748:7 | call to memset | This 'memset' operation accesses 24 bytes but the $@ is only 8 bytes. | tests.cpp:714:16:714:16 | c | destination buffer |
+| tests.cpp:774:5:774:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:756:20:756:22 | b_1 | destination buffer |
+| tests.cpp:777:5:777:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:756:20:756:22 | b_1 | destination buffer |
+| tests.cpp:781:5:781:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:757:20:757:22 | c_1 | destination buffer |
+| tests.cpp:782:5:782:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 8 bytes. | tests.cpp:757:20:757:22 | c_1 | destination buffer |
+| tests.cpp:784:5:784:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:757:20:757:22 | c_1 | destination buffer |
+| tests.cpp:785:5:785:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 8 bytes. | tests.cpp:757:20:757:22 | c_1 | destination buffer |
+| tests.cpp:795:5:795:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:761:20:761:22 | b_2 | destination buffer |
+| tests.cpp:798:5:798:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:761:20:761:22 | b_2 | destination buffer |
+| tests.cpp:816:5:816:10 | call to memset | This 'memset' operation accesses 8 bytes but the $@ is only 4 bytes. | tests.cpp:811:16:811:16 | b | destination buffer |
+| tests.cpp:843:5:843:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 16 bytes. | tests.cpp:822:16:822:16 | b | destination buffer |
+| tests.cpp:846:5:846:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 16 bytes. | tests.cpp:822:16:822:16 | b | destination buffer |
+| tests.cpp:848:5:848:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 16 bytes. | tests.cpp:822:16:822:16 | b | destination buffer |
+| tests.cpp:851:5:851:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 12 bytes. | tests.cpp:823:16:823:16 | c | destination buffer |
+| tests.cpp:852:5:852:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 12 bytes. | tests.cpp:823:16:823:16 | c | destination buffer |
+| tests.cpp:854:5:854:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 12 bytes. | tests.cpp:823:16:823:16 | c | destination buffer |
+| tests.cpp:856:5:856:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 12 bytes. | tests.cpp:823:16:823:16 | c | destination buffer |
+| tests.cpp:867:5:867:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 8 bytes. | tests.cpp:828:16:828:16 | x | destination buffer |
+| tests.cpp:868:5:868:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 8 bytes. | tests.cpp:828:16:828:16 | x | destination buffer |
+| tests.cpp:869:5:869:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 8 bytes. | tests.cpp:828:16:828:16 | x | destination buffer |
+| tests.cpp:870:5:870:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 8 bytes. | tests.cpp:828:16:828:16 | x | destination buffer |
+| tests.cpp:872:5:872:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 8 bytes. | tests.cpp:828:16:828:16 | x | destination buffer |
+| tests.cpp:883:5:883:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 4 bytes. | tests.cpp:833:12:833:12 | u | destination buffer |
+| tests.cpp:884:5:884:10 | call to memset | This 'memset' operation accesses 16 bytes but the $@ is only 4 bytes. | tests.cpp:833:12:833:12 | u | destination buffer |
+| tests.cpp:885:5:885:10 | call to memset | This 'memset' operation accesses 12 bytes but the $@ is only 4 bytes. | tests.cpp:833:12:833:12 | u | destination buffer |
+| tests.cpp:886:5:886:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 4 bytes. | tests.cpp:833:12:833:12 | u | destination buffer |
+| tests.cpp:887:5:887:10 | call to memset | This 'memset' operation accesses 8 bytes but the $@ is only 4 bytes. | tests.cpp:833:12:833:12 | u | destination buffer |
+| tests.cpp:888:5:888:10 | call to memset | This 'memset' operation accesses 20 bytes but the $@ is only 4 bytes. | tests.cpp:833:12:833:12 | u | destination buffer |
+| tests.cpp:984:2:984:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:989:2:989:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:994:2:994:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:1001:2:1001:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:1009:2:1009:9 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:981:6:981:8 | arr | array |
+| tests.cpp:1031:2:1031:7 | call to memset | This 'memset' operation accesses 130 bytes but the $@ is only 120 bytes. | tests.cpp:1020:12:1020:15 | arr1 | destination buffer |
+| tests.cpp:1050:2:1050:7 | call to memset | This 'memset' operation accesses 132 bytes but the $@ is only 128 bytes. | tests.cpp:1037:8:1037:14 | buffer1 | destination buffer |
+| tests.cpp:1052:2:1052:7 | call to memset | This 'memset' operation accesses 132 bytes but the $@ is only 64 bytes. | tests.cpp:1041:8:1041:14 | buffer2 | destination buffer |
+| tests.cpp:1055:2:1055:8 | call to strncpy | This 'strncpy' operation may access 131 bytes but the $@ is only 128 bytes. | tests.cpp:1037:8:1037:14 | buffer1 | destination buffer |
+| tests.cpp:1057:2:1057:8 | call to strncpy | This 'strncpy' operation may access 131 bytes but the $@ is only 64 bytes. | tests.cpp:1041:8:1041:14 | buffer2 | destination buffer |
 | tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
 | unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
@@ -88,5 +100,4 @@
 | var_size_struct.cpp:73:3:73:9 | call to strncpy | This 'strncpy' operation may access 1025 bytes but the $@ is only 1024 bytes. | var_size_struct.cpp:63:8:63:11 | data | destination buffer |
 | var_size_struct.cpp:87:3:87:19 | access to array | This array indexing operation accesses byte offset 67 but the $@ is only 64 bytes. | var_size_struct.cpp:78:7:78:14 | elements | array |
 | var_size_struct.cpp:99:3:99:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
-| var_size_struct.cpp:101:3:101:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
 | var_size_struct.cpp:103:3:103:9 | call to strncpy | This 'strncpy' operation may access 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected

@@ -3,6 +3,8 @@
 | tests.cpp:163:3:163:11 | access to array | Potential buffer-overflow: counter 'k' <= 100 but 'buffer' has 100 elements. |
 | tests.cpp:164:8:164:16 | access to array | Potential buffer-overflow: counter 'k' <= 100 but 'buffer' has 100 elements. |
 | tests.cpp:245:42:245:42 | 6 | Potential buffer-overflow: 'global_array_5' has size 5 not 6. |
-| tests.cpp:349:2:349:14 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' may be accessed here. |
-| tests.cpp:350:17:350:29 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' may be accessed here. |
+| tests.cpp:351:2:351:14 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' may be accessed here. |
+| tests.cpp:352:17:352:29 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' may be accessed here. |
+| tests.cpp:1055:26:1055:39 | ... - ... | Potential buffer-overflow: 'buffer1' has size 128 not 131. |
+| tests.cpp:1057:26:1057:39 | ... - ... | Potential buffer-overflow: 'buffer2' has size 64 not 131. |
 | var_size_struct.cpp:103:39:103:41 | 129 | Potential buffer-overflow: 'str' has size 128 not 129. |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -27,26 +27,26 @@ edges
 | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | **argv | provenance |  |
 | main.cpp:9:29:9:32 | tests_restrict_main output argument | main.cpp:10:20:10:23 | *argv | provenance |  |
-| main.cpp:10:20:10:23 | **argv | tests.cpp:872:32:872:35 | **argv | provenance |  |
-| main.cpp:10:20:10:23 | *argv | tests.cpp:872:32:872:35 | *argv | provenance |  |
+| main.cpp:10:20:10:23 | **argv | tests.cpp:1060:32:1060:35 | **argv | provenance |  |
+| main.cpp:10:20:10:23 | *argv | tests.cpp:1060:32:1060:35 | *argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance |  |
 | overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:23:45:23:48 | *argv | provenance |  |
 | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | **argv | provenance |  |
 | test_buffer_overrun.cpp:32:46:32:49 | **argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance |  |
 | test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | provenance |  |
-| tests.cpp:613:19:613:24 | *source | tests.cpp:615:17:615:22 | *source | provenance |  |
-| tests.cpp:622:19:622:24 | *source | tests.cpp:625:2:625:16 | *... = ... | provenance |  |
-| tests.cpp:625:2:625:2 | *s [post update] [*home] | tests.cpp:628:14:628:14 | *s [*home] | provenance |  |
-| tests.cpp:625:2:625:16 | *... = ... | tests.cpp:625:2:625:2 | *s [post update] [*home] | provenance |  |
-| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home | provenance |  |
-| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home | provenance |  |
-| tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home | provenance |  |
-| tests.cpp:872:32:872:35 | **argv | tests.cpp:897:9:897:15 | *access to array | provenance |  |
-| tests.cpp:872:32:872:35 | **argv | tests.cpp:898:9:898:15 | *access to array | provenance |  |
-| tests.cpp:872:32:872:35 | *argv | tests.cpp:897:9:897:15 | *access to array | provenance |  |
-| tests.cpp:872:32:872:35 | *argv | tests.cpp:898:9:898:15 | *access to array | provenance |  |
-| tests.cpp:897:9:897:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance |  |
-| tests.cpp:898:9:898:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance |  |
+| tests.cpp:634:19:634:24 | *source | tests.cpp:636:17:636:22 | *source | provenance |  |
+| tests.cpp:643:19:643:24 | *source | tests.cpp:646:2:646:16 | *... = ... | provenance |  |
+| tests.cpp:646:2:646:2 | *s [post update] [*home] | tests.cpp:649:14:649:14 | *s [*home] | provenance |  |
+| tests.cpp:646:2:646:16 | *... = ... | tests.cpp:646:2:646:2 | *s [post update] [*home] | provenance |  |
+| tests.cpp:649:14:649:14 | *s [*home] | tests.cpp:649:14:649:19 | *home | provenance |  |
+| tests.cpp:649:14:649:14 | *s [*home] | tests.cpp:649:16:649:19 | *home | provenance |  |
+| tests.cpp:649:16:649:19 | *home | tests.cpp:649:14:649:19 | *home | provenance |  |
+| tests.cpp:1060:32:1060:35 | **argv | tests.cpp:1085:9:1085:15 | *access to array | provenance |  |
+| tests.cpp:1060:32:1060:35 | **argv | tests.cpp:1086:9:1086:15 | *access to array | provenance |  |
+| tests.cpp:1060:32:1060:35 | *argv | tests.cpp:1085:9:1085:15 | *access to array | provenance |  |
+| tests.cpp:1060:32:1060:35 | *argv | tests.cpp:1086:9:1086:15 | *access to array | provenance |  |
+| tests.cpp:1085:9:1085:15 | *access to array | tests.cpp:634:19:634:24 | *source | provenance |  |
+| tests.cpp:1086:9:1086:15 | *access to array | tests.cpp:643:19:643:24 | *source | provenance |  |
 | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | provenance |  |
 | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | provenance |  |
 nodes
@@ -72,18 +72,18 @@ nodes
 | test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
 | test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
 | test_buffer_overrun.cpp:32:46:32:49 | *argv | semmle.label | *argv |
-| tests.cpp:613:19:613:24 | *source | semmle.label | *source |
-| tests.cpp:615:17:615:22 | *source | semmle.label | *source |
-| tests.cpp:622:19:622:24 | *source | semmle.label | *source |
-| tests.cpp:625:2:625:2 | *s [post update] [*home] | semmle.label | *s [post update] [*home] |
-| tests.cpp:625:2:625:16 | *... = ... | semmle.label | *... = ... |
-| tests.cpp:628:14:628:14 | *s [*home] | semmle.label | *s [*home] |
-| tests.cpp:628:14:628:19 | *home | semmle.label | *home |
-| tests.cpp:628:16:628:19 | *home | semmle.label | *home |
-| tests.cpp:872:32:872:35 | **argv | semmle.label | **argv |
-| tests.cpp:872:32:872:35 | *argv | semmle.label | *argv |
-| tests.cpp:897:9:897:15 | *access to array | semmle.label | *access to array |
-| tests.cpp:898:9:898:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:634:19:634:24 | *source | semmle.label | *source |
+| tests.cpp:636:17:636:22 | *source | semmle.label | *source |
+| tests.cpp:643:19:643:24 | *source | semmle.label | *source |
+| tests.cpp:646:2:646:2 | *s [post update] [*home] | semmle.label | *s [post update] [*home] |
+| tests.cpp:646:2:646:16 | *... = ... | semmle.label | *... = ... |
+| tests.cpp:649:14:649:14 | *s [*home] | semmle.label | *s [*home] |
+| tests.cpp:649:14:649:19 | *home | semmle.label | *home |
+| tests.cpp:649:16:649:19 | *home | semmle.label | *home |
+| tests.cpp:1060:32:1060:35 | **argv | semmle.label | **argv |
+| tests.cpp:1060:32:1060:35 | *argv | semmle.label | *argv |
+| tests.cpp:1085:9:1085:15 | *access to array | semmle.label | *access to array |
+| tests.cpp:1086:9:1086:15 | *access to array | semmle.label | *access to array |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | **argv | semmle.label | **argv |
 | tests_restrict.c:15:41:15:44 | *argv | semmle.label | *argv |
@@ -97,5 +97,5 @@ subpaths
 | main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument |
 | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument |
 #select
-| tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:615:17:615:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |
-| tests.cpp:628:2:628:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:628:14:628:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |
+| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |
+| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp

@@ -18,7 +18,7 @@ void test1()
 {
 	char smallbuffer[10];
 	char bigbuffer[20];
-	
+
 	memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD
 	memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read
 	memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD
@@ -29,7 +29,7 @@ void test2()
 {
 	char *smallbuffer = (char *)malloc(sizeof(char) * 10);
 	char *bigbuffer = (char *)malloc(sizeof(char) * 20);
-	
+
 	memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD
 	memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read [NOT DETECTED]
 	memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD
@@ -59,7 +59,7 @@ void test4(int unbounded)
 {
 	int bounded = 100;
 	char buffer1[100], buffer2[100];
-	
+
 	memmove(buffer1, buffer2, bounded); // GOOD
 	memmove(buffer1, buffer2, unbounded); // BAD: may over-write [NOT DETECTED]
 }
@@ -107,11 +107,11 @@ void test6(bool cond)
 	a = -1;
 	buffer[a] = 'x'; // BAD: under-write [NOT DETECTED]
 	ch = buffer[a]; // BAD: under-read [NOT DETECTED]
-	
+
 	b = 0;
 	buffer[b] = 'x'; // GOOD
 	ch = buffer[b]; // GOOD
-	
+
 	c = 100;
 	buffer[c] = 'x'; // BAD: over-write [NOT DETECTED]
 	ch = buffer[c]; // BAD: over-read [NOT DETECTED]
@@ -120,7 +120,7 @@ void test6(bool cond)
 	d = 1000;
 	buffer[d] = 'x'; // BAD: over-write [NOT DETECTED]
 	ch = buffer[d]; // BAD: over-read [NOT DETECTED]
-	
+
 	e = 1000;
 	e = 0;
 	buffer[e] = 'x'; // GOOD
@@ -130,12 +130,12 @@ void test6(bool cond)
 	if (cond) {f = 1000;}
 	buffer[f] = 'x'; // BAD: may over-write [NOT DETECTED]
 	ch = buffer[f]; // BAD: may over-read [NOT DETECTED]
-	
+
 	g = 1000;
 	if (cond) {g = 0;}
 	buffer[g] = 'x'; // BAD: may over-write [NOT DETECTED]
 	ch = buffer[g]; // BAD: may over-read [NOT DETECTED]
-	
+
 	h = 1000;
 	if (cond)
 	{
@@ -151,13 +151,13 @@ void test6(bool cond)
 		buffer[i] = 'x'; // GOOD
 		ch = buffer[i]; // GOOD
 	}
-	
+
 	for (j = -1; j < 100; j++)
 	{
 		buffer[j] = 'x'; // BAD: under-write [NOT DETECTED]
 		ch = buffer[j]; // BAD: under-read [NOT DETECTED]
 	}
-	
+
 	for (k = 0; k <= 100; k++)
 	{
 		buffer[k] = 'x'; // BAD: over-write
@@ -187,7 +187,7 @@ void test8(int unbounded)
 	{
 		buffer[i] = 0; // GOOD
 	}
-	
+
 	for (i = 0; i < v2; i++)
 	{
 		buffer[i] = 0; // BAD: over-write [NOT DETECTED]
@@ -226,7 +226,7 @@ void test9(int param)
 		memset(buffer3, 0, 33); // BAD: overrun write of buffer3
 		memset(buffer4, 0, 32); // GOOD
 		memset(buffer4, 0, 33); // BAD: overrun write of buffer4 (buffer3)
-		
+
 		memcmp(buffer1, buffer2, 32); // GOOD
 		memcmp(buffer1, buffer2, 33); // BAD: overrun read of buffer1, buffer2
 	}
@@ -274,7 +274,7 @@ void test11()
 		memset(string, 0, 14); // GOOD
 		memset(string, 0, 15); // BAD: overrun write of string
 	}
-	
+
 	{
 		char *buffer = new char[128];
 
@@ -284,7 +284,7 @@ void test11()
 
 		memset(buffer, 0, 128); // BAD: overrun write of buffer
 	}
-	
+
 	{
 		char array[10] = "123";
 
@@ -309,7 +309,7 @@ void test12()
 	memset(&myVar, 0, sizeof(myVar)); // GOOD
 	memset(&myVar, 0, sizeof(myVar) + 1); // BAD: overrun write of myVar
 	memset(myVar.buffer, 0, 16); // GOOD
-	memset(myVar.buffer, 0, 17); // BAD: overrun write of myVar.buffer
+	memset(myVar.buffer, 0, 17); // DUBIOUS: overrun write of myVar.buffer, but not out of myVar itself [NOT DETECTED]
 	memset(&(myVar.field), 0, sizeof(int)); // GOOD
 	memset(&(myVar.field), 0, sizeof(int) * 2); // BAD: overrun write of myVar.field
 
@@ -317,7 +317,7 @@ void test12()
 	memset(buf + 8, 0, 9); // BAD: overrun write of buf [NOT DETECTED]
 	memset(dbuf + 8, 0, 8); // GOOD
 	memset(dbuf + 8, 0, 9); // BAD: overrun write of dbuf [NOT DETECTED]
-	
+
 	{
 		myStruct *myPtr1 = &myVar;
 		myStruct *myPtr2;
@@ -331,17 +331,19 @@ void test12()
 
 	{
 		void *myPtr3 = (void *)(&myVar);
-		
+
 		memset(myPtr3, 0, sizeof(myStruct)); // GOOD
 		memset(myPtr3, 0, sizeof(myStruct) + 1); // BAD: overrun write of myVar
 	}
 }
 
-void test13()
+void test13(char *argArray)
 {
 	char charArray[10];
 	int intArray[10];
 	myStruct structArray[10];
+	char *ptrArray = charArray;
+	char *ptrArrayOffset = charArray + 1;
 
 	charArray[-1] = 1; // BAD: underrun write
 	charArray[0] = 1; // GOOD
@@ -363,7 +365,26 @@ void test13()
 
 	charArray[9] = (char)intArray[9]; // GOOD
 	charArray[9] = (char)intArray[10]; // BAD: overrun read
-	
+
+	ptrArray[-2] = 1; // BAD: underrun write
+	ptrArray[-1] = 1; // BAD: underrun write
+	ptrArray[0] = 1; // GOOD
+	ptrArray[8] = 1; // GOOD
+	ptrArray[9] = 1; // GOOD
+	ptrArray[10] = 1; // BAD: overrun write
+
+	ptrArrayOffset[-2] = 1; // BAD: underrun write [NOT DETECTED]
+	ptrArrayOffset[-1] = 1; // GOOD (there is room for this)
+	ptrArrayOffset[0] = 1; // GOOD
+	ptrArrayOffset[8] = 1; // GOOD
+	ptrArrayOffset[9] = 1; // BAD: overrun write [NOT DETECTED]
+	ptrArrayOffset[10] = 1; // BAD: overrun write [NOT DETECTED]
+
+	argArray[-1] = 1; // BAD: underrun write [NOT DETECTED]
+	argArray[0] = 1; // GOOD
+	argArray[1] = 1; // GOOD (we can't tell the length of this array)
+	argArray[999] = 1; // GOOD (we can't tell the length of this array)
+
 	{
 		unsigned short *buffer1 = (unsigned short *)malloc(sizeof(short) * 50);
 		unsigned short *buffer2 = (unsigned short *)malloc(101); // 50.5 shorts
@@ -442,13 +463,13 @@ void test17(long long *longArray)
 
 	{
 		int intArray[5];
-	
+
 		((char *)intArray)[-3] = 0; // BAD: underrun write
 	}
 
 	{
 		int multi[10][10];
-	
+
 		multi[5][5] = 0; // GOOD
 
 		multi[-5][5] = 0; // BAD: underrun write [INCORRECT MESSAGE]
@@ -511,7 +532,7 @@ void test19(bool b)
 		p2 = (char *)malloc(20);
 		p3 = (char *)malloc(20);
 	}
-	
+
 	// ...
 
 	if (b)
@@ -663,7 +684,7 @@ void test27(){
 	char buffer[MAX_SIZE];
 
 	strncpy(dest, src, 8); // GOOD, strncpy will not read past null terminator of source
-		
+
 	if(IND < MAX_SIZE){
 		buffer[IND] = 0; // GOOD: out of bounds, but inaccessible code
 	}
@@ -739,7 +760,7 @@ struct AnonUnionInStruct
       unsigned int a_2;
       unsigned int b_2;
     };
-  };  
+  };
   unsigned int d;
 
   void test37() {
@@ -869,6 +890,173 @@ struct S2 {
   }
 };
 
+typedef int MyArray[10];
+
+typedef struct _MyArrayArray {
+	struct {
+		int as[10];
+	} bs[10];
+
+	union {
+		int i;
+		char cs[4];
+	} ds[10];
+
+	struct {
+		MyArray xs;
+	} ys[10];
+} MyArrayArray;
+
+void test26() {
+	MyArrayArray maa;
+
+	maa.bs[0].as[-1] = 0; // BAD: underrun write [NOT DETECTED]
+	maa.bs[0].as[0] = 0; // GOOD
+	maa.bs[0].as[99] = 0; // GOOD (overflows into bs[9])
+	maa.bs[0].as[100] = 0; // BAD: overrun write [NOT DETECTED]
+	maa.bs[1].as[-1] = 0; // GOOD (underflows into bs[0])
+	maa.bs[1].as[0] = 0; // GOOD
+	maa.bs[1].as[99] = 0; // BAD: overrun write [NOT DETECTED]
+	maa.bs[1].as[100] = 0; // BAD: overrun write[ NOT DETECTED]
+
+	maa.ds[0].i = 0; // GOOD
+	maa.ds[9].i = 0; // GOOD
+	maa.ds[10].i = 0; // BAD: overrun write [NOT DETECTED]
+	maa.ds[0].cs[0] = 0; // GOOD
+	maa.ds[0].cs[3] = 0; // GOOD
+	maa.ds[0].cs[4] = 0; // GOOD (overflows into vs[1])
+	maa.ds[0].cs[39] = 0; // GOOD (overflows into vs[9])
+	maa.ds[0].cs[40] = 0; // BAD: overrun write [NOT DETECTED]
+	maa.ds[9].cs[0] = 0; // GOOD
+	maa.ds[9].cs[3] = 0; // GOOD
+	maa.ds[9].cs[4] = 0; // BAD: overrun write [NOT DETECTED]
+
+	maa.ys[0].xs[-1] = 0; // BAD: underrun write [NOT DETECTED]
+	maa.ys[0].xs[0] = 0; // GOOD
+	maa.ys[0].xs[99] = 0; // GOOD (overflows into bs[9])
+	maa.ys[0].xs[100] = 0; // BAD: overrun write [NOT DETECTED]
+	maa.ys[1].xs[-1] = 0; // GOOD (underflows into ys[0])
+	maa.ys[1].xs[0] = 0; // GOOD
+	maa.ys[1].xs[99] = 0; // BAD: overrun write [NOT DETECTED]
+	maa.ys[1].xs[100] = 0; // BAD: overrun write [NOT DETECTED]
+
+	char zs[2][2];
+	zs[0][-1] = 0; // BAD: underrun write [NOT DETECTED]
+	zs[0][0] = 0; // GOOD
+	zs[0][1] = 0; // GOOD
+	zs[0][2] = 0; // GOOD
+	zs[0][3] = 0; // GOOD
+	zs[0][4] = 0; // BAD: overrun write [NOT DETECTED]
+	zs[1][-3] = 0; // BAD: underrun write [NOT DETECTED]
+	zs[1][-2] = 0; // GOOD
+	zs[1][-1] = 0; // GOOD
+	zs[1][0] = 0; // GOOD
+	zs[1][1] = 0; // GOOD
+	zs[1][2] = 0; // BAD: overrun write [NOT DETECTED]
+}
+
+struct Array10 {
+	int values[10];
+};
+
+void test27(size_t s) {
+	Array10 arr;
+
+	if (s < sizeof(arr.values[10])) { // GOOD (harmless)
+		// ...
+	}
+
+	if (s < offsetof(Array10, values[10])) { // GOOD (harmless)
+		// ...
+	}
+
+	if (s < &(arr.values[10]) - &(arr.values[0])) { // GOOD (harmless)
+		// ...
+	}
+}
+
+bool cond();
+
+void test28() {
+	int arr[10];
+
+	int *ptr1 = arr;
+	ptr1[-1] = 0; // BAD: underrun write
+	ptr1++;
+	ptr1[-1] = 0; // GOOD
+
+	int *ptr2 = arr;
+	ptr2[-1] = 0; // BAD: underrun write
+	*ptr2++;
+	ptr2[-1] = 0; // GOOD
+
+	int *ptr3 = arr;
+	ptr3[-1] = 0; // BAD: underrun write
+	if (cond()) {
+		ptr3++;
+	}
+	ptr3[-1] = 0; // GOOD (depending what cond() does)
+
+	int *ptr4 = arr;
+	ptr4[-1] = 0; // BAD: underrun write
+	while (true) {
+		ptr4++;
+		if (cond()) break;
+	}
+	ptr4[-1] = 0; // GOOD
+
+	int *ptr5 = arr;
+	ptr5[-1] = 0; // BAD: underrun write
+	while (true) {
+		if (cond()) ptr5++;
+		if (cond()) break;
+	}
+	ptr5[-1] = 0; // GOOD (depending what cond() does)
+}
+
+typedef int myInt29;
+typedef myInt29 myArray29[10];
+struct _myStruct29 {
+	myArray29 arr1;
+	myInt29 arr2[20];
+};
+typedef _myStruct29 myStruct29;
+
+void test29() {
+	myStruct29 *ptr;
+
+	memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2)
+	memset(&(ptr->arr1[0]), 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2)
+
+	memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2) + 10); // BAD
+}
+
+struct UnionStruct {
+	int a;
+	union {
+		char buffer1[64];
+		int b;
+	};
+	union {
+		char buffer2[64];
+		int c;
+	};
+};
+
+void test30() {
+	UnionStruct us;
+
+	memset(us.buffer1, 0, sizeof(us.buffer1)); // GOOD
+	memset(us.buffer1, 0, sizeof(us)); // BAD
+	memset(us.buffer2, 0, sizeof(us.buffer2)); // GOOD
+	memset(us.buffer2, 0, sizeof(us)); // BAD
+
+	strncpy(us.buffer1, "", sizeof(us.buffer1) - 1); // GOOD
+	strncpy(us.buffer1, "", sizeof(us) - 1); // BAD
+	strncpy(us.buffer2, "", sizeof(us.buffer2) - 1); // GOOD
+	strncpy(us.buffer2, "", sizeof(us) - 1); // BAD
+}
+
 int tests_main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -896,6 +1084,11 @@ int tests_main(int argc, char *argv[])
 	test23();
 	test24(argv[0]);
 	test25(argv[0]);
+	test26();
+	test27(argc);
+	test28();
+	test29();
+	test30();
 
 	return 0;
 }

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp

@@ -96,9 +96,9 @@ void testNotVarStruct1() {
   notVarStruct1 *nvs1 = (notVarStruct1 *)malloc(sizeof(notVarStruct1) * 2);
 
   memset(nvs1->str, 0, 128); // GOOD
-  memset(nvs1->str, 0, 129); // BAD: buffer overflow
+  memset(nvs1->str, 0, 129); // DUBIOUS: buffer overflow (overflows nvs1->str but not nvs1 overall)
   memset(nvs1[1].str, 0, 128); // GOOD
-  memset(nvs1[1].str, 0, 129); // BAD: buffer overflow
+  memset(nvs1[1].str, 0, 129); // BAD: buffer overflow [NOT DETECTED]
   strncpy(nvs1->str, "Hello, world!", 128); // GOOD
   strncpy(nvs1->str, "Hello, world!", 129); // BAD
 }

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.expected

@@ -16,6 +16,17 @@
 | tests.c:136:2:136:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 10 bytes. |
 | tests.c:186:3:186:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 2 bytes. |
 | tests.c:189:3:189:9 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
-| unions.c:26:2:26:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
-| unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 16 bytes. |
+| unions.c:26:2:26:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 15 bytes. |
+| unions.c:27:2:27:7 | call to strcpy | This 'call to strcpy' operation requires 21 bytes but the destination is only 15 bytes. |
 | var_size_struct.cpp:22:3:22:8 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 9 bytes. |
+| varbuffer.c:15:5:15:10 | call to strcpy | This 'call to strcpy' operation requires 2 bytes but the destination is only 1 bytes. |
+| varbuffer.c:16:5:16:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 1 bytes. |
+| varbuffer.c:23:5:23:10 | call to strcpy | This 'call to strcpy' operation requires 12 bytes but the destination is only 11 bytes. |
+| varbuffer.c:24:5:24:10 | call to strcpy | This 'call to strcpy' operation requires 17 bytes but the destination is only 11 bytes. |
+| varbuffer.c:39:5:39:10 | call to strcpy | This 'call to strcpy' operation requires 3 bytes but the destination is only 2 bytes. |
+| varbuffer.c:40:5:40:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 2 bytes. |
+| varbuffer.c:45:5:45:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 2 bytes. |
+| varbuffer.c:46:5:46:10 | call to strcpy | This 'call to strcpy' operation requires 17 bytes but the destination is only 2 bytes. |
+| varbuffer.c:60:5:60:10 | call to strcpy | This 'call to strcpy' operation requires 2 bytes but the destination is only 1 bytes. |
+| varbuffer.c:61:5:61:10 | call to strcpy | This 'call to strcpy' operation requires 10 bytes but the destination is only 1 bytes. |
+| varbuffer.c:67:5:67:10 | call to strcpy | This 'call to strcpy' operation requires 17 bytes but the destination is only 11 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c

@@ -0,0 +1,69 @@
+// Further test cases for CWE-120.
+
+typedef unsigned long size_t;
+
+typedef struct _MyVarStruct {
+    size_t len;
+    char buffer[1]; // variable size buffer
+} MyVarStruct;
+
+void testMyVarStruct()
+{
+    MyVarStruct *ptr1 = (MyVarStruct*)malloc(sizeof(MyVarStruct));
+    ptr1->len = 0;
+    strcpy(ptr1->buffer, ""); // GOOD
+    strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1
+    strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1
+    // ...
+
+    MyVarStruct *ptr2 = (MyVarStruct*)malloc(sizeof(MyVarStruct) + (sizeof(char) * 10));
+    ptr2->len = 10;
+    strcpy(ptr2->buffer, "123456789"); // GOOD
+    strcpy(ptr2->buffer, "1234567890"); // GOOD
+    strcpy(ptr2->buffer, "1234567890a"); // BAD: length 12, but destination only has length 11
+    strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 11
+    // ...
+}
+
+typedef struct MyFixedStruct1 {
+    int len;
+    char buffer[2]; // assumed to be a fixed size buffer
+} MyFixedStruct1;
+
+void testMyFixedStruct()
+{
+    MyFixedStruct1 *ptr1 = (MyFixedStruct1 *)malloc(sizeof(MyFixedStruct1));
+    ptr1->len = 1;
+    strcpy(ptr1->buffer, ""); // GOOD
+    strcpy(ptr1->buffer, "1"); // GOOD
+    strcpy(ptr1->buffer, "12"); // BAD: length 3, but destination only has length 2
+    strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 2
+    // ...
+
+    MyFixedStruct1 *ptr2 = (MyFixedStruct1*)malloc(sizeof(MyFixedStruct1) + (sizeof(char) * 10));
+    ptr2->len = 11;
+    strcpy(ptr2->buffer, "123456789"); // BAD / DUBIOUS: length 10, but destination only has length 2
+    strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 2
+    // ...
+}
+
+typedef struct _MyFixedStruct2 {
+    char buffer[1]; // fixed size buffer
+    size_t len;
+} MyFixedStruct2;
+
+void testMyFixedStruct2()
+{
+    MyFixedStruct2 *ptr1 = (MyFixedStruct2 *)malloc(sizeof(MyFixedStruct2));
+    ptr1->len = 1;
+    strcpy(ptr1->buffer, ""); // GOOD
+    strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1
+    strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1
+    // ...
+
+    MyFixedStruct2 *ptr2 = (MyFixedStruct2*)malloc(sizeof(MyFixedStruct2) + (sizeof(char) * 10));
+    ptr2->len = 11;
+    strcpy(ptr2->buffer, "123456789"); // BAD: length 10, but destination only has length 1 [NOT DETECTED]
+    strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 1
+    // ...
+}

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.35
+
+No user-facing changes.
+
 ## 1.7.34
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.35.md

@@ -0,0 +1,3 @@
+## 1.7.35
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.34
+lastReleaseVersion: 1.7.35

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.34
+version: 1.7.35
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.35
+
+No user-facing changes.
+
 ## 1.7.34
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.35.md

@@ -0,0 +1,3 @@
+## 1.7.35
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.34
+lastReleaseVersion: 1.7.35

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.34
+version: 1.7.35
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_error/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "9.0.100"
+    }
+}

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 5.1.1
+
+No user-facing changes.
+
 ## 5.1.0
 
 ### Deprecated APIs
@@ -68,7 +72,6 @@
 
 ### Minor Analysis Improvements
 
-* .NET 9 is now required to build the C# extractor.
 * The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.
 
 ## 3.1.0

csharp/ql/lib/change-notes/released/3.1.1.md

@@ -2,5 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* .NET 9 is now required to build the C# extractor.
 * The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.

csharp/ql/lib/change-notes/released/5.1.1.md

@@ -0,0 +1,3 @@
+## 5.1.1
+
+No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.0
+lastReleaseVersion: 5.1.1

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.1.0
+version: 5.1.1
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -664,7 +664,7 @@ module LocalFlow {
       ssaDef.getADefinition() = def and
       ssaDef.getControlFlowNode() = cfn and
       nodeFrom = TAssignableDefinitionNode(def, cfn) and
-      nodeTo.(SsaDefinitionExtNode).getDefinitionExt() = ssaDef
+      nodeTo.(SsaDefinitionNode).getDefinition() = ssaDef
     )
   }
 
@@ -1269,78 +1269,33 @@ predicate nodeIsHidden(Node n) {
 }
 
 /** An SSA node. */
-abstract class SsaNode extends NodeImpl, TSsaNode {
+class SsaNode extends NodeImpl, TSsaNode {
   SsaImpl::DataFlowIntegration::SsaNode node;
-  SsaImpl::DefinitionExt def;
 
-  SsaNode() {
-    this = TSsaNode(node) and
-    def = node.getDefinitionExt()
-  }
-
-  SsaImpl::DefinitionExt getDefinitionExt() { result = def }
+  SsaNode() { this = TSsaNode(node) }
 
   override DataFlowCallable getEnclosingCallableImpl() {
-    result.getAControlFlowNode().getBasicBlock() = def.getBasicBlock()
+    result.getAControlFlowNode().getBasicBlock() = node.getBasicBlock()
   }
 
-  override Type getTypeImpl() { result = def.getSourceVariable().getType() }
+  override Type getTypeImpl() { result = node.getSourceVariable().getType() }
 
-  override ControlFlow::Node getControlFlowNodeImpl() {
-    result = def.(Ssa::Definition).getControlFlowNode()
-  }
+  override ControlFlow::Node getControlFlowNodeImpl() { none() }
 
   override Location getLocationImpl() { result = node.getLocation() }
 
   override string toStringImpl() { result = node.toString() }
 }
 
-/** An (extended) SSA definition, viewed as a node in a data flow graph. */
-class SsaDefinitionExtNode extends SsaNode {
-  override SsaImpl::DataFlowIntegration::SsaDefinitionExtNode node;
-}
+/** An SSA definition, viewed as a node in a data flow graph. */
+class SsaDefinitionNode extends SsaNode {
+  override SsaImpl::DataFlowIntegration::SsaDefinitionNode node;
 
-/**
- * A node that represents an input to an SSA phi (read) definition.
- *
- * This allows for barrier guards to filter input to phi nodes. For example, in
- *
- * ```csharp
- * var x = taint;
- * if (x != "safe")
- * {
- *     x = "safe";
- * }
- * sink(x);
- * ```
- *
- * the `false` edge out of `x != "safe"` guards the input from `x = taint` into the
- * `phi` node after the condition.
- *
- * It is also relevant to filter input into phi read nodes:
- *
- * ```csharp
- * var x = taint;
- * if (b)
- * {
- *     if (x != "safe1")
- *     {
- *         return;
- *     }
- * } else {
- *     if (x != "safe2")
- *     {
- *         return;
- *     }
- * }
- *
- * sink(x);
- * ```
- *
- * both inputs into the phi read node after the outer condition are guarded.
- */
-class SsaInputNode extends SsaNode {
-  override SsaImpl::DataFlowIntegration::SsaInputNode node;
+  Ssa::Definition getDefinition() { result = node.getDefinition() }
+
+  override ControlFlow::Node getControlFlowNodeImpl() {
+    result = this.getDefinition().getControlFlowNode()
+  }
 }
 
 /** A definition, viewed as a node in a data flow graph. */
@@ -1728,12 +1683,12 @@ private module ReturnNodes {
    * A data-flow node that represents an assignment to an `out` or a `ref`
    * parameter.
    */
-  class OutRefReturnNode extends ReturnNode, SsaDefinitionExtNode {
+  class OutRefReturnNode extends ReturnNode, SsaDefinitionNode {
     OutRefReturnKind kind;
 
     OutRefReturnNode() {
       exists(Parameter p |
-        this.getDefinitionExt().(Ssa::Definition).isLiveOutRefParameterDefinition(p) and
+        this.getDefinition().isLiveOutRefParameterDefinition(p) and
         kind.getPosition() = p.getPosition()
       |
         p.isOut() and kind instanceof OutReturnKind
@@ -2464,7 +2419,7 @@ private predicate readContentStep(Node node1, Content c, Node node2) {
     exists(ForeachStmt fs, Ssa::ExplicitDefinition def |
       x.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
         def.getControlFlowNode()) and
-      node2.(SsaDefinitionExtNode).getDefinitionExt() = def and
+      node2.(SsaDefinitionNode).getDefinition() = def and
       c instanceof ElementContent
     )
     or

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -734,7 +734,7 @@ private predicate variableReadPseudo(ControlFlow::BasicBlock bb, int i, Ssa::Sou
 }
 
 pragma[noinline]
-private predicate adjacentDefRead(
+deprecated private predicate adjacentDefRead(
   Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2,
   SsaInput::SourceVariable v
 ) {
@@ -742,7 +742,7 @@ private predicate adjacentDefRead(
   v = def.getSourceVariable()
 }
 
-private predicate adjacentDefReachesRead(
+deprecated private predicate adjacentDefReachesRead(
   Definition def, SsaInput::SourceVariable v, SsaInput::BasicBlock bb1, int i1,
   SsaInput::BasicBlock bb2, int i2
 ) {
@@ -760,18 +760,7 @@ private predicate adjacentDefReachesRead(
   )
 }
 
-/** Same as `adjacentDefRead`, but skips uncertain reads. */
-pragma[nomagic]
-private predicate adjacentDefSkipUncertainReads(
-  Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
-) {
-  exists(SsaInput::SourceVariable v |
-    adjacentDefReachesRead(def, v, bb1, i1, bb2, i2) and
-    SsaInput::variableRead(bb2, i2, v, true)
-  )
-}
-
-private predicate adjacentDefReachesUncertainRead(
+deprecated private predicate adjacentDefReachesUncertainRead(
   Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
 ) {
   exists(SsaInput::SourceVariable v |
@@ -933,10 +922,8 @@ private module Cached {
    */
   cached
   predicate firstReadSameVar(Definition def, ControlFlow::Node cfn) {
-    exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
-      def.definesAt(_, bb1, i1) and
-      adjacentDefSkipUncertainReads(def, bb1, i1, bb2, i2) and
-      cfn = bb2.getNode(i2)
+    exists(ControlFlow::BasicBlock bb, int i |
+      Impl::firstUse(def, bb, i, true) and cfn = bb.getNode(i)
     )
   }
 
@@ -947,25 +934,17 @@ private module Cached {
    */
   cached
   predicate adjacentReadPairSameVar(Definition def, ControlFlow::Node cfn1, ControlFlow::Node cfn2) {
-    exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
+    exists(
+      ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2,
+      Ssa::SourceVariable v
+    |
+      Impl::ssaDefReachesRead(v, def, bb1, i1) and
+      Impl::adjacentUseUse(bb1, i1, bb2, i2, v, true) and
       cfn1 = bb1.getNode(i1) and
-      variableReadActual(bb1, i1, _) and
-      adjacentDefSkipUncertainReads(def, bb1, i1, bb2, i2) and
       cfn2 = bb2.getNode(i2)
     )
   }
 
-  cached
-  predicate lastRefBeforeRedef(Definition def, ControlFlow::BasicBlock bb, int i, Definition next) {
-    Impl::lastRefRedef(def, bb, i, next) and
-    not SsaInput::variableRead(bb, i, def.getSourceVariable(), false)
-    or
-    exists(SsaInput::BasicBlock bb0, int i0 |
-      Impl::lastRefRedef(def, bb0, i0, next) and
-      adjacentDefReachesUncertainRead(def, bb, i, bb0, i0)
-    )
-  }
-
   cached
   Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
     Impl::uncertainWriteDefinitionInput(def, result)

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.0.18
+
+### Minor Analysis Improvements
+
+* C#: Improve precision of the query `cs/call-to-object-tostring` for value tuples.
+
 ## 1.0.17
 
 No user-facing changes.

csharp/ql/src/Useless code/DefaultToStringQuery.qll

@@ -46,6 +46,7 @@ private predicate alwaysInvokesToString(ParameterRead pr) {
  * method from `System.Object` or `System.ValueType`.
  */
 predicate alwaysDefaultToString(ValueOrRefType t) {
+  not t instanceof TupleType and
   exists(ToStringMethod m | t.hasMethod(m) |
     m.getDeclaringType() instanceof SystemObjectClass or
     m.getDeclaringType() instanceof SystemValueTypeClass
@@ -55,6 +56,11 @@ predicate alwaysDefaultToString(ValueOrRefType t) {
     overriding.getABaseType+() = t
   ) and
   ((t.isAbstract() or t instanceof Interface) implies not t.isEffectivelyPublic())
+  or
+  exists(ValueOrRefType elem |
+    elem = t.(TupleType).getElementType(_) and
+    alwaysDefaultToString(elem)
+  )
 }
 
 class DefaultToStringType extends ValueOrRefType {

csharp/ql/src/change-notes/released/1.0.18.md

@@ -0,0 +1,5 @@
+## 1.0.18
+
+### Minor Analysis Improvements
+
+* C#: Improve precision of the query `cs/call-to-object-tostring` for value tuples.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.17
+lastReleaseVersion: 1.0.18

csharp/ql/src/codeql-suites/csharp-ccr.qls

@@ -1 +1,9 @@
-[]
+- queries: .
+- include:
+    id:
+      - cs/index-out-of-bounds
+      - cs/test-for-negative-container-size
+      - cs/unchecked-cast-in-equals
+      - cs/reference-equality-on-valuetypes
+      - cs/self-assignment
+      - cs/inefficient-containskey

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.0.17
+version: 1.0.18
 groups:
   - csharp
   - queries

csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected

@@ -1190,11 +1190,11 @@
 | cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | exit (...) => ... | 6 |
 | cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | exit delegate(...) { ... } | 8 |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:18 | ... == ... | 6 |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | 1 |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | 1 |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... | 1 |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... | 1 |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:23:187:28 | ... == ... | 3 |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:39 | ... == ... | 3 |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:49 | [false] ... && ... | 1 |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:49 | ... && ... | 1 |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | exit LogicalOr | 5 |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:195:17:195:32 | ... > ... | 8 |
 | cflow.cs:193:10:193:17 | exit Booleans | cflow.cs:193:10:193:17 | exit Booleans | 1 |

csharp/ql/test/library-tests/controlflow/graph/Condition.expected

@@ -2303,27 +2303,27 @@ conditionBlock
 | cflow.cs:167:16:167:16 | access to local variable x | cflow.cs:174:9:176:9 | {...} | false |
 | cflow.cs:173:32:173:32 | access to local variable i | cflow.cs:146:10:146:12 | exit For (normal) | false |
 | cflow.cs:173:32:173:32 | access to local variable i | cflow.cs:174:9:176:9 | {...} | true |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | ... \|\| ... | false |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | ... \|\| ... | false |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:23:187:23 | 2 | false |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | [false] ... && ... | false |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | ... && ... | false |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | ... \|\| ... | false |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | ... \|\| ... | false |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | [false] ... && ... | false |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | ... && ... | false |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | [false] ... && ... | false |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | ... \|\| ... | false |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | ... && ... | false |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:190:13:190:52 | ...; | false |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:195:39:195:43 | this access | true |
 | cflow.cs:195:17:195:56 | ... && ... | cflow.cs:197:13:197:47 | [false] !... | false |
 | cflow.cs:195:17:195:56 | ... && ... | cflow.cs:197:13:197:47 | [true] !... | true |
@@ -2964,11 +2964,11 @@ conditionFlow
 | cflow.cs:173:32:173:41 | ... < ... | cflow.cs:146:10:146:12 | exit For (normal) | false |
 | cflow.cs:173:32:173:41 | ... < ... | cflow.cs:174:9:176:9 | {...} | true |
 | cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:23:187:23 | 2 | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
-| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | ... \|\| ... | false |
+| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | ... && ... | false |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
 | cflow.cs:195:17:195:32 | ... > ... | cflow.cs:195:17:195:56 | ... && ... | false |
 | cflow.cs:195:17:195:32 | ... > ... | cflow.cs:195:39:195:43 | this access | true |
 | cflow.cs:197:13:197:47 | [false] !... | cflow.cs:200:9:205:9 | if (...) ... | false |

csharp/ql/test/library-tests/controlflow/graph/Dominance.expected

@@ -4151,15 +4151,15 @@ dominance
 | cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:187:13:187:13 | 1 |
 | cflow.cs:187:13:187:13 | 1 | cflow.cs:187:18:187:18 | 2 |
 | cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:23:187:23 | 2 |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
 | cflow.cs:187:18:187:18 | 2 | cflow.cs:187:13:187:18 | ... == ... |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:28:187:28 | 3 |
-| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
+| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | ... \|\| ... |
 | cflow.cs:187:28:187:28 | 3 | cflow.cs:187:23:187:28 | ... == ... |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:187:39:187:39 | 3 |
-| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | [false] ... && ... |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
+| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | ... && ... |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... |
 | cflow.cs:187:39:187:39 | 3 | cflow.cs:187:34:187:39 | ... == ... |
 | cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:185:10:185:18 | exit LogicalOr (normal) |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:190:31:190:50 | "This should happen" |
@@ -8307,18 +8307,18 @@ postDominance
 | cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:186:5:191:5 | {...} |
 | cflow.cs:187:13:187:13 | 1 | cflow.cs:187:9:190:52 | if (...) ... |
 | cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:18:187:18 | 2 |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:23:187:28 | ... == ... |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:23:187:28 | ... == ... |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... |
 | cflow.cs:187:18:187:18 | 2 | cflow.cs:187:13:187:13 | 1 |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:18 | ... == ... |
 | cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:28:187:28 | 3 |
 | cflow.cs:187:28:187:28 | 3 | cflow.cs:187:23:187:23 | 2 |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | ... \|\| ... |
 | cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:39:187:39 | 3 |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:39 | ... == ... |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:39 | ... == ... |
 | cflow.cs:187:39:187:39 | 3 | cflow.cs:187:34:187:34 | 1 |
 | cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:190:31:190:50 | "This should happen" |
-| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
+| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | ... \|\| ... |
 | cflow.cs:190:31:190:50 | "This should happen" | cflow.cs:190:13:190:52 | ...; |
 | cflow.cs:193:10:193:17 | exit Booleans (abnormal) | cflow.cs:203:17:203:38 | throw ...; |
 | cflow.cs:193:10:193:17 | exit Booleans (normal) | cflow.cs:200:13:200:62 | [false] ... \|\| ... |
@@ -12909,32 +12909,32 @@ blockDominance
 | cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | enter (...) => ... |
 | cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | enter delegate(...) { ... } |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:185:10:185:18 | enter LogicalOr |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | ... \|\| ... |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | ... \|\| ... |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:23:187:23 | 2 |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | [false] ... && ... |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | ... && ... |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:190:13:190:52 | ...; |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | ... \|\| ... |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | ... \|\| ... |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:23:187:23 | 2 |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | [false] ... && ... |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | ... && ... |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:190:13:190:52 | ...; |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | ... \|\| ... |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | [false] ... && ... |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | ... && ... |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:190:13:190:52 | ...; |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:49 | [false] ... && ... |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:190:13:190:52 | ...; |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:49 | ... && ... |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:190:13:190:52 | ...; |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:190:13:190:52 | ...; |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | enter Booleans |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | exit Booleans |
@@ -16126,32 +16126,32 @@ postBlockDominance
 | cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | enter (...) => ... |
 | cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | enter delegate(...) { ... } |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:185:10:185:18 | enter LogicalOr |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:185:10:185:18 | enter LogicalOr |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:23:187:23 | 2 |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:185:10:185:18 | enter LogicalOr |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:23:187:23 | 2 |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:185:10:185:18 | enter LogicalOr |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:28 | ... \|\| ... |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:187:23:187:23 | 2 |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:185:10:185:18 | enter LogicalOr |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:23:187:23 | 2 |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:49 | [false] ... && ... |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:185:10:185:18 | enter LogicalOr |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:28 | ... \|\| ... |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:23:187:23 | 2 |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:34 | 1 |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:49 | ... && ... |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | enter LogicalOr |
-| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:28 | [false] ... \|\| ... |
-| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | [false] ... \|\| ... |
+| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:28 | ... \|\| ... |
+| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:13:187:50 | ... \|\| ... |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:187:23:187:23 | 2 |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:187:34:187:34 | 1 |
-| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:34:187:49 | [false] ... && ... |
+| cflow.cs:190:13:190:52 | ...; | cflow.cs:187:34:187:49 | ... && ... |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:190:13:190:52 | ...; |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | enter Booleans |
 | cflow.cs:193:10:193:17 | exit Booleans | cflow.cs:193:10:193:17 | exit Booleans |

csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected

@@ -4539,15 +4539,15 @@ nodeEnclosing
 | cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:13:187:13 | 1 | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:13:187:18 | ... == ... | cflow.cs:185:10:185:18 | LogicalOr |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:18:187:18 | 2 | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:23:187:28 | ... == ... | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:28:187:28 | 3 | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:34:187:39 | ... == ... | cflow.cs:185:10:185:18 | LogicalOr |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:39:187:39 | 3 | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | LogicalOr |
@@ -6016,11 +6016,11 @@ blockEnclosing
 | cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | (...) => ... |
 | cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | delegate(...) { ... } |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:185:10:185:18 | LogicalOr |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:185:10:185:18 | LogicalOr |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | LogicalOr |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:193:10:193:17 | Booleans |
 | cflow.cs:193:10:193:17 | exit Booleans | cflow.cs:193:10:193:17 | Booleans |

csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected

@@ -4658,15 +4658,15 @@
 | cflow.cs:187:9:190:52 | if (...) ... | cflow.cs:187:13:187:13 | 1 |  |
 | cflow.cs:187:13:187:13 | 1 | cflow.cs:187:18:187:18 | 2 |  |
 | cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:23:187:23 | 2 | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
 | cflow.cs:187:18:187:18 | 2 | cflow.cs:187:13:187:18 | ... == ... |  |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:28:187:28 | 3 |  |
-| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
+| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | ... \|\| ... | false |
 | cflow.cs:187:28:187:28 | 3 | cflow.cs:187:23:187:28 | ... == ... |  |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:187:39:187:39 | 3 |  |
-| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
+| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | ... && ... | false |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
 | cflow.cs:187:39:187:39 | 3 | cflow.cs:187:34:187:39 | ... == ... |  |
 | cflow.cs:190:13:190:51 | call to method WriteLine | cflow.cs:185:10:185:18 | exit LogicalOr (normal) |  |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:190:31:190:50 | "This should happen" |  |

csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -533,8 +533,6 @@
 | LocalDataFlow.cs:381:17:381:29 | "not tainted" | LocalDataFlow.cs:381:13:381:13 | access to local variable x |
 | LocalDataFlow.cs:382:9:382:17 | SSA phi(x) | LocalDataFlow.cs:382:15:382:15 | access to local variable x |
 | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
-| SSA.cs:5:17:5:17 | [input] SSA def(this.S) | SSA.cs:136:23:136:28 | SSA def(this.S) |
-| SSA.cs:5:17:5:17 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
 | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
 | SSA.cs:5:26:5:32 | SSA param(tainted) | SSA.cs:8:24:8:30 | access to parameter tainted |
 | SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | SSA param(tainted) |
@@ -664,28 +662,28 @@
 | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:58:16:58:23 | access to local variable ssaSink3 |
 | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:67:32:67:38 | access to parameter tainted |
 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | SSA.cs:60:15:60:22 | access to local variable ssaSink3 |
-| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:89:13:89:33 | [input] SSA def(ssaSink3) |
+| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
+| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
 | SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
-| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:89:13:89:33 | [input] SSA def(ssaSink3) |
 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | SSA.cs:64:15:64:22 | access to local variable nonSink0 |
-| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:89:13:89:33 | [input] SSA def(nonSink0) |
+| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
+| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
 | SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
-| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:89:13:89:33 | [input] SSA def(nonSink0) |
 | SSA.cs:67:9:67:12 | [post] this access | SSA.cs:68:23:68:26 | this access |
 | SSA.cs:67:9:67:12 | this access | SSA.cs:68:23:68:26 | this access |
 | SSA.cs:67:9:67:14 | [post] access to field S | SSA.cs:68:23:68:28 | access to field S |
 | SSA.cs:67:9:67:14 | access to field S | SSA.cs:68:23:68:28 | access to field S |
 | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) |
-| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldSink0) |
+| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) |
 | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 |
 | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:77:20:77:26 | access to parameter tainted |
 | SSA.cs:68:23:68:26 | [post] this access | SSA.cs:69:15:69:18 | this access |
 | SSA.cs:68:23:68:26 | this access | SSA.cs:69:15:69:18 | this access |
 | SSA.cs:68:23:68:28 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S |
 | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 |
-| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
+| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) |
+| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) |
 | SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) |
-| SSA.cs:68:23:68:28 | access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
 | SSA.cs:69:15:69:18 | [post] this access | SSA.cs:72:9:72:12 | this access |
 | SSA.cs:69:15:69:18 | this access | SSA.cs:72:9:72:12 | this access |
 | SSA.cs:69:15:69:20 | [post] access to field S | SSA.cs:72:9:72:14 | access to field S |
@@ -695,15 +693,15 @@
 | SSA.cs:72:9:72:14 | [post] access to field S | SSA.cs:73:23:73:28 | access to field S |
 | SSA.cs:72:9:72:14 | access to field S | SSA.cs:73:23:73:28 | access to field S |
 | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) |
-| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) |
+| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
 | SSA.cs:72:35:72:36 | "" | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 |
 | SSA.cs:73:23:73:26 | [post] this access | SSA.cs:74:15:74:18 | this access |
 | SSA.cs:73:23:73:26 | this access | SSA.cs:74:15:74:18 | this access |
 | SSA.cs:73:23:73:28 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S |
 | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 |
-| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
+| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) |
+| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) |
 | SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) |
-| SSA.cs:73:23:73:28 | access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
 | SSA.cs:74:15:74:18 | [post] this access | SSA.cs:80:9:80:12 | this access |
 | SSA.cs:74:15:74:18 | this access | SSA.cs:80:9:80:12 | this access |
 | SSA.cs:74:15:74:20 | [post] access to field S | SSA.cs:80:9:80:14 | access to field S |
@@ -752,15 +750,9 @@
 | SSA.cs:89:13:89:22 | [post] access to parameter nonTainted | SSA.cs:92:17:92:26 | access to parameter nonTainted |
 | SSA.cs:89:13:89:22 | access to parameter nonTainted | SSA.cs:89:13:89:33 | [input] SSA phi read(nonTainted) |
 | SSA.cs:89:13:89:22 | access to parameter nonTainted | SSA.cs:92:17:92:26 | access to parameter nonTainted |
-| SSA.cs:89:13:89:33 | [input] SSA def(nonSink0) | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
-| SSA.cs:89:13:89:33 | [input] SSA def(ssaSink3) | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
-| SSA.cs:89:13:89:33 | [input] SSA def(this.S) | SSA.cs:68:23:68:28 | SSA def(this.S) |
-| SSA.cs:89:13:89:33 | [input] SSA def(this.S) | SSA.cs:73:23:73:28 | SSA def(this.S) |
 | SSA.cs:89:13:89:33 | [input] SSA phi read(nonTainted) | SSA.cs:97:9:97:32 | SSA phi read(nonTainted) |
 | SSA.cs:89:13:89:33 | [input] SSA phi read(ssaSink0) | SSA.cs:97:9:97:32 | SSA phi read(ssaSink0) |
 | SSA.cs:89:13:89:33 | [input] SSA phi(ssaSink4) | SSA.cs:97:9:97:32 | SSA phi(ssaSink4) |
-| SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
-| SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) |
 | SSA.cs:91:13:91:20 | access to local variable ssaSink4 | SSA.cs:91:13:91:31 | SSA def(ssaSink4) |
 | SSA.cs:91:13:91:31 | SSA def(ssaSink4) | SSA.cs:93:21:93:28 | access to local variable ssaSink4 |
 | SSA.cs:91:13:91:31 | SSA def(ssaSink4) | SSA.cs:95:21:95:28 | access to local variable ssaSink4 |
@@ -785,9 +777,9 @@
 | SSA.cs:97:9:97:32 | SSA phi read(ssaSink0) | SSA.cs:117:36:117:43 | access to local variable ssaSink0 |
 | SSA.cs:97:9:97:32 | SSA phi(ssaSink4) | SSA.cs:97:23:97:30 | access to local variable ssaSink4 |
 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | SSA.cs:98:15:98:22 | access to local variable ssaSink4 |
-| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:102:13:102:33 | [input] SSA def(ssaSink4) |
+| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
+| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
-| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:102:13:102:33 | [input] SSA def(ssaSink4) |
 | SSA.cs:101:16:101:23 | access to local variable nonSink3 | SSA.cs:101:16:101:28 | SSA def(nonSink3) |
 | SSA.cs:101:16:101:28 | SSA def(nonSink3) | SSA.cs:102:13:102:33 | [input] SSA phi(nonSink3) |
 | SSA.cs:101:27:101:28 | "" | SSA.cs:101:16:101:23 | access to local variable nonSink3 |
@@ -795,7 +787,6 @@
 | SSA.cs:102:13:102:22 | [post] access to parameter nonTainted | SSA.cs:105:17:105:26 | access to parameter nonTainted |
 | SSA.cs:102:13:102:22 | access to parameter nonTainted | SSA.cs:102:13:102:33 | [input] SSA phi read(nonTainted) |
 | SSA.cs:102:13:102:22 | access to parameter nonTainted | SSA.cs:105:17:105:26 | access to parameter nonTainted |
-| SSA.cs:102:13:102:33 | [input] SSA def(ssaSink4) | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonSink0) | SSA.cs:110:9:110:32 | SSA phi read(nonSink0) |
 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonTainted) | SSA.cs:110:9:110:32 | SSA phi read(nonTainted) |
 | SSA.cs:102:13:102:33 | [input] SSA phi(nonSink3) | SSA.cs:110:9:110:32 | SSA phi(nonSink3) |
@@ -823,9 +814,9 @@
 | SSA.cs:110:9:110:32 | SSA phi read(nonTainted) | SSA.cs:115:13:115:22 | access to parameter nonTainted |
 | SSA.cs:110:9:110:32 | SSA phi(nonSink3) | SSA.cs:110:23:110:30 | access to local variable nonSink3 |
 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | SSA.cs:111:15:111:22 | access to local variable nonSink3 |
-| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:115:13:115:33 | [input] SSA def(nonSink3) |
+| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
+| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
-| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:115:13:115:33 | [input] SSA def(nonSink3) |
 | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:117:13:117:16 | this access |
 | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:123:23:123:26 | this access |
 | SSA.cs:114:9:114:12 | this access | SSA.cs:117:13:117:16 | this access |
@@ -841,7 +832,6 @@
 | SSA.cs:115:13:115:22 | [post] access to parameter nonTainted | SSA.cs:118:17:118:26 | access to parameter nonTainted |
 | SSA.cs:115:13:115:22 | access to parameter nonTainted | SSA.cs:115:13:115:33 | [input] SSA phi read(nonTainted) |
 | SSA.cs:115:13:115:22 | access to parameter nonTainted | SSA.cs:118:17:118:26 | access to parameter nonTainted |
-| SSA.cs:115:13:115:33 | [input] SSA def(nonSink3) | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
 | SSA.cs:115:13:115:33 | [input] SSA phi read(nonTainted) | SSA.cs:123:9:123:30 | SSA phi read(nonTainted) |
 | SSA.cs:115:13:115:33 | [input] SSA phi read(this.S) | SSA.cs:123:9:123:30 | SSA phi read(this.S) |
 | SSA.cs:115:13:115:33 | [input] SSA phi(this.S.SsaFieldSink1) | SSA.cs:123:9:123:30 | SSA phi(this.S.SsaFieldSink1) |
@@ -881,14 +871,14 @@
 | SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:121:17:121:41 | [input] SSA phi(this.S.SsaFieldSink1) |
 | SSA.cs:123:9:123:30 | SSA phi read(nonTainted) | SSA.cs:128:13:128:22 | access to parameter nonTainted |
 | SSA.cs:123:9:123:30 | SSA phi read(this.S) | SSA.cs:123:23:123:28 | access to field S |
-| SSA.cs:123:9:123:30 | SSA phi(this.S.SsaFieldSink1) | SSA.cs:128:13:128:33 | [input] SSA qualifier def(this.S.SsaFieldSink1) |
+| SSA.cs:123:9:123:30 | SSA phi(this.S.SsaFieldSink1) | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) |
 | SSA.cs:123:23:123:26 | [post] this access | SSA.cs:124:15:124:18 | this access |
 | SSA.cs:123:23:123:26 | this access | SSA.cs:124:15:124:18 | this access |
 | SSA.cs:123:23:123:28 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S |
 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 |
-| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:128:13:128:33 | [input] SSA def(this.S) |
+| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) |
+| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) |
 | SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) |
-| SSA.cs:123:23:123:28 | access to field S | SSA.cs:128:13:128:33 | [input] SSA def(this.S) |
 | SSA.cs:124:15:124:18 | [post] this access | SSA.cs:127:9:127:12 | this access |
 | SSA.cs:124:15:124:18 | this access | SSA.cs:127:9:127:12 | this access |
 | SSA.cs:124:15:124:20 | [post] access to field S | SSA.cs:127:9:127:14 | access to field S |
@@ -906,10 +896,8 @@
 | SSA.cs:127:35:127:36 | "" | SSA.cs:127:9:127:31 | access to field SsaFieldNonSink0 |
 | SSA.cs:128:13:128:22 | [post] access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted |
 | SSA.cs:128:13:128:22 | access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted |
-| SSA.cs:128:13:128:33 | [input] SSA def(this.S) | SSA.cs:123:23:123:28 | SSA def(this.S) |
 | SSA.cs:128:13:128:33 | [input] SSA phi read(this.S) | SSA.cs:136:9:136:30 | SSA phi read(this.S) |
 | SSA.cs:128:13:128:33 | [input] SSA phi(this.S.SsaFieldNonSink0) | SSA.cs:136:9:136:30 | SSA phi(this.S.SsaFieldNonSink0) |
-| SSA.cs:128:13:128:33 | [input] SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) |
 | SSA.cs:130:13:130:16 | [post] this access | SSA.cs:132:21:132:24 | this access |
 | SSA.cs:130:13:130:16 | [post] this access | SSA.cs:134:21:134:24 | this access |
 | SSA.cs:130:13:130:16 | this access | SSA.cs:132:21:132:24 | this access |
@@ -939,13 +927,13 @@
 | SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:134:17:134:44 | [input] SSA phi(this.S.SsaFieldNonSink0) |
 | SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:134:17:134:44 | [input] SSA phi(this.S.SsaFieldNonSink0) |
 | SSA.cs:136:9:136:30 | SSA phi read(this.S) | SSA.cs:136:23:136:28 | access to field S |
-| SSA.cs:136:9:136:30 | SSA phi(this.S.SsaFieldNonSink0) | SSA.cs:5:17:5:17 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) |
+| SSA.cs:136:9:136:30 | SSA phi(this.S.SsaFieldNonSink0) | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
 | SSA.cs:136:23:136:26 | [post] this access | SSA.cs:137:15:137:18 | this access |
 | SSA.cs:136:23:136:26 | this access | SSA.cs:137:15:137:18 | this access |
 | SSA.cs:136:23:136:28 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S |
 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 |
-| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:5:17:5:17 | [input] SSA def(this.S) |
-| SSA.cs:136:23:136:28 | access to field S | SSA.cs:5:17:5:17 | [input] SSA def(this.S) |
+| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) |
+| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) |
 | SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) |
 | SSA.cs:144:34:144:34 | SSA param(t) | SSA.cs:146:13:146:13 | access to parameter t |
 | SSA.cs:144:34:144:34 | t | SSA.cs:144:34:144:34 | SSA param(t) |

csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected

@@ -643,8 +643,6 @@
 | LocalDataFlow.cs:381:17:381:29 | "not tainted" | LocalDataFlow.cs:381:13:381:13 | access to local variable x |
 | LocalDataFlow.cs:382:9:382:17 | SSA phi(x) | LocalDataFlow.cs:382:15:382:15 | access to local variable x |
 | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
-| SSA.cs:5:17:5:17 | [input] SSA def(this.S) | SSA.cs:136:23:136:28 | SSA def(this.S) |
-| SSA.cs:5:17:5:17 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
 | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
 | SSA.cs:5:26:5:32 | SSA param(tainted) | SSA.cs:8:24:8:30 | access to parameter tainted |
 | SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | SSA param(tainted) |
@@ -780,28 +778,28 @@
 | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:58:16:58:23 | access to local variable ssaSink3 |
 | SSA.cs:58:27:58:33 | access to parameter tainted | SSA.cs:67:32:67:38 | access to parameter tainted |
 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) | SSA.cs:60:15:60:22 | access to local variable ssaSink3 |
-| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:89:13:89:33 | [input] SSA def(ssaSink3) |
+| SSA.cs:59:23:59:30 | [post] access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
+| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
 | SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
-| SSA.cs:59:23:59:30 | access to local variable ssaSink3 | SSA.cs:89:13:89:33 | [input] SSA def(ssaSink3) |
 | SSA.cs:63:23:63:30 | SSA def(nonSink0) | SSA.cs:64:15:64:22 | access to local variable nonSink0 |
-| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:89:13:89:33 | [input] SSA def(nonSink0) |
+| SSA.cs:63:23:63:30 | [post] access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
+| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
 | SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
-| SSA.cs:63:23:63:30 | access to local variable nonSink0 | SSA.cs:89:13:89:33 | [input] SSA def(nonSink0) |
 | SSA.cs:67:9:67:12 | [post] this access | SSA.cs:68:23:68:26 | this access |
 | SSA.cs:67:9:67:12 | this access | SSA.cs:68:23:68:26 | this access |
 | SSA.cs:67:9:67:14 | [post] access to field S | SSA.cs:68:23:68:28 | access to field S |
 | SSA.cs:67:9:67:14 | access to field S | SSA.cs:68:23:68:28 | access to field S |
 | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 | SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) |
-| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldSink0) |
+| SSA.cs:67:9:67:38 | SSA def(this.S.SsaFieldSink0) | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) |
 | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:67:9:67:28 | access to field SsaFieldSink0 |
 | SSA.cs:67:32:67:38 | access to parameter tainted | SSA.cs:77:20:77:26 | access to parameter tainted |
 | SSA.cs:68:23:68:26 | [post] this access | SSA.cs:69:15:69:18 | this access |
 | SSA.cs:68:23:68:26 | this access | SSA.cs:69:15:69:18 | this access |
 | SSA.cs:68:23:68:28 | SSA def(this.S) | SSA.cs:69:15:69:20 | access to field S |
 | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:69:15:69:34 | access to field SsaFieldSink0 |
-| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
+| SSA.cs:68:23:68:28 | [post] access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) |
+| SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) |
 | SSA.cs:68:23:68:28 | access to field S | SSA.cs:68:23:68:28 | SSA def(this.S) |
-| SSA.cs:68:23:68:28 | access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
 | SSA.cs:69:15:69:18 | [post] this access | SSA.cs:72:9:72:12 | this access |
 | SSA.cs:69:15:69:18 | this access | SSA.cs:72:9:72:12 | this access |
 | SSA.cs:69:15:69:20 | [post] access to field S | SSA.cs:72:9:72:14 | access to field S |
@@ -811,15 +809,15 @@
 | SSA.cs:72:9:72:14 | [post] access to field S | SSA.cs:73:23:73:28 | access to field S |
 | SSA.cs:72:9:72:14 | access to field S | SSA.cs:73:23:73:28 | access to field S |
 | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 | SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) |
-| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) |
+| SSA.cs:72:9:72:36 | SSA def(this.S.SsaFieldNonSink0) | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
 | SSA.cs:72:35:72:36 | "" | SSA.cs:72:9:72:31 | access to field SsaFieldNonSink0 |
 | SSA.cs:73:23:73:26 | [post] this access | SSA.cs:74:15:74:18 | this access |
 | SSA.cs:73:23:73:26 | this access | SSA.cs:74:15:74:18 | this access |
 | SSA.cs:73:23:73:28 | SSA def(this.S) | SSA.cs:74:15:74:20 | access to field S |
 | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:74:15:74:37 | access to field SsaFieldNonSink0 |
-| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
+| SSA.cs:73:23:73:28 | [post] access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) |
+| SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) |
 | SSA.cs:73:23:73:28 | access to field S | SSA.cs:73:23:73:28 | SSA def(this.S) |
-| SSA.cs:73:23:73:28 | access to field S | SSA.cs:89:13:89:33 | [input] SSA def(this.S) |
 | SSA.cs:74:15:74:18 | [post] this access | SSA.cs:80:9:80:12 | this access |
 | SSA.cs:74:15:74:18 | this access | SSA.cs:80:9:80:12 | this access |
 | SSA.cs:74:15:74:20 | [post] access to field S | SSA.cs:80:9:80:14 | access to field S |
@@ -869,15 +867,9 @@
 | SSA.cs:89:13:89:22 | access to parameter nonTainted | SSA.cs:89:13:89:33 | [input] SSA phi read(nonTainted) |
 | SSA.cs:89:13:89:22 | access to parameter nonTainted | SSA.cs:92:17:92:26 | access to parameter nonTainted |
 | SSA.cs:89:13:89:29 | access to property Length | SSA.cs:89:13:89:33 | ... > ... |
-| SSA.cs:89:13:89:33 | [input] SSA def(nonSink0) | SSA.cs:63:23:63:30 | SSA def(nonSink0) |
-| SSA.cs:89:13:89:33 | [input] SSA def(ssaSink3) | SSA.cs:59:23:59:30 | SSA def(ssaSink3) |
-| SSA.cs:89:13:89:33 | [input] SSA def(this.S) | SSA.cs:68:23:68:28 | SSA def(this.S) |
-| SSA.cs:89:13:89:33 | [input] SSA def(this.S) | SSA.cs:73:23:73:28 | SSA def(this.S) |
 | SSA.cs:89:13:89:33 | [input] SSA phi read(nonTainted) | SSA.cs:97:9:97:32 | SSA phi read(nonTainted) |
 | SSA.cs:89:13:89:33 | [input] SSA phi read(ssaSink0) | SSA.cs:97:9:97:32 | SSA phi read(ssaSink0) |
 | SSA.cs:89:13:89:33 | [input] SSA phi(ssaSink4) | SSA.cs:97:9:97:32 | SSA phi(ssaSink4) |
-| SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:73:23:73:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
-| SSA.cs:89:13:89:33 | [input] SSA qualifier def(this.S.SsaFieldSink0) | SSA.cs:68:23:68:28 | SSA qualifier def(this.S.SsaFieldSink0) |
 | SSA.cs:91:13:91:20 | access to local variable ssaSink4 | SSA.cs:91:13:91:31 | SSA def(ssaSink4) |
 | SSA.cs:91:13:91:31 | SSA def(ssaSink4) | SSA.cs:93:21:93:28 | access to local variable ssaSink4 |
 | SSA.cs:91:13:91:31 | SSA def(ssaSink4) | SSA.cs:95:21:95:28 | access to local variable ssaSink4 |
@@ -903,9 +895,9 @@
 | SSA.cs:97:9:97:32 | SSA phi read(ssaSink0) | SSA.cs:117:36:117:43 | access to local variable ssaSink0 |
 | SSA.cs:97:9:97:32 | SSA phi(ssaSink4) | SSA.cs:97:23:97:30 | access to local variable ssaSink4 |
 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) | SSA.cs:98:15:98:22 | access to local variable ssaSink4 |
-| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:102:13:102:33 | [input] SSA def(ssaSink4) |
+| SSA.cs:97:23:97:30 | [post] access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
+| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
 | SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
-| SSA.cs:97:23:97:30 | access to local variable ssaSink4 | SSA.cs:102:13:102:33 | [input] SSA def(ssaSink4) |
 | SSA.cs:101:16:101:23 | access to local variable nonSink3 | SSA.cs:101:16:101:28 | SSA def(nonSink3) |
 | SSA.cs:101:16:101:28 | SSA def(nonSink3) | SSA.cs:102:13:102:33 | [input] SSA phi(nonSink3) |
 | SSA.cs:101:27:101:28 | "" | SSA.cs:101:16:101:23 | access to local variable nonSink3 |
@@ -914,7 +906,6 @@
 | SSA.cs:102:13:102:22 | access to parameter nonTainted | SSA.cs:102:13:102:33 | [input] SSA phi read(nonTainted) |
 | SSA.cs:102:13:102:22 | access to parameter nonTainted | SSA.cs:105:17:105:26 | access to parameter nonTainted |
 | SSA.cs:102:13:102:29 | access to property Length | SSA.cs:102:13:102:33 | ... > ... |
-| SSA.cs:102:13:102:33 | [input] SSA def(ssaSink4) | SSA.cs:97:23:97:30 | SSA def(ssaSink4) |
 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonSink0) | SSA.cs:110:9:110:32 | SSA phi read(nonSink0) |
 | SSA.cs:102:13:102:33 | [input] SSA phi read(nonTainted) | SSA.cs:110:9:110:32 | SSA phi read(nonTainted) |
 | SSA.cs:102:13:102:33 | [input] SSA phi(nonSink3) | SSA.cs:110:9:110:32 | SSA phi(nonSink3) |
@@ -943,9 +934,9 @@
 | SSA.cs:110:9:110:32 | SSA phi read(nonTainted) | SSA.cs:115:13:115:22 | access to parameter nonTainted |
 | SSA.cs:110:9:110:32 | SSA phi(nonSink3) | SSA.cs:110:23:110:30 | access to local variable nonSink3 |
 | SSA.cs:110:23:110:30 | SSA def(nonSink3) | SSA.cs:111:15:111:22 | access to local variable nonSink3 |
-| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:115:13:115:33 | [input] SSA def(nonSink3) |
+| SSA.cs:110:23:110:30 | [post] access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
+| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
 | SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
-| SSA.cs:110:23:110:30 | access to local variable nonSink3 | SSA.cs:115:13:115:33 | [input] SSA def(nonSink3) |
 | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:117:13:117:16 | this access |
 | SSA.cs:114:9:114:12 | [post] this access | SSA.cs:123:23:123:26 | this access |
 | SSA.cs:114:9:114:12 | this access | SSA.cs:117:13:117:16 | this access |
@@ -962,7 +953,6 @@
 | SSA.cs:115:13:115:22 | access to parameter nonTainted | SSA.cs:115:13:115:33 | [input] SSA phi read(nonTainted) |
 | SSA.cs:115:13:115:22 | access to parameter nonTainted | SSA.cs:118:17:118:26 | access to parameter nonTainted |
 | SSA.cs:115:13:115:29 | access to property Length | SSA.cs:115:13:115:33 | ... > ... |
-| SSA.cs:115:13:115:33 | [input] SSA def(nonSink3) | SSA.cs:110:23:110:30 | SSA def(nonSink3) |
 | SSA.cs:115:13:115:33 | [input] SSA phi read(nonTainted) | SSA.cs:123:9:123:30 | SSA phi read(nonTainted) |
 | SSA.cs:115:13:115:33 | [input] SSA phi read(this.S) | SSA.cs:123:9:123:30 | SSA phi read(this.S) |
 | SSA.cs:115:13:115:33 | [input] SSA phi(this.S.SsaFieldSink1) | SSA.cs:123:9:123:30 | SSA phi(this.S.SsaFieldSink1) |
@@ -1003,14 +993,14 @@
 | SSA.cs:121:21:121:40 | access to field SsaFieldSink1 | SSA.cs:121:17:121:41 | [input] SSA phi(this.S.SsaFieldSink1) |
 | SSA.cs:123:9:123:30 | SSA phi read(nonTainted) | SSA.cs:128:13:128:22 | access to parameter nonTainted |
 | SSA.cs:123:9:123:30 | SSA phi read(this.S) | SSA.cs:123:23:123:28 | access to field S |
-| SSA.cs:123:9:123:30 | SSA phi(this.S.SsaFieldSink1) | SSA.cs:128:13:128:33 | [input] SSA qualifier def(this.S.SsaFieldSink1) |
+| SSA.cs:123:9:123:30 | SSA phi(this.S.SsaFieldSink1) | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) |
 | SSA.cs:123:23:123:26 | [post] this access | SSA.cs:124:15:124:18 | this access |
 | SSA.cs:123:23:123:26 | this access | SSA.cs:124:15:124:18 | this access |
 | SSA.cs:123:23:123:28 | SSA def(this.S) | SSA.cs:124:15:124:20 | access to field S |
 | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:124:15:124:34 | access to field SsaFieldSink1 |
-| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:128:13:128:33 | [input] SSA def(this.S) |
+| SSA.cs:123:23:123:28 | [post] access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) |
+| SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) |
 | SSA.cs:123:23:123:28 | access to field S | SSA.cs:123:23:123:28 | SSA def(this.S) |
-| SSA.cs:123:23:123:28 | access to field S | SSA.cs:128:13:128:33 | [input] SSA def(this.S) |
 | SSA.cs:124:15:124:18 | [post] this access | SSA.cs:127:9:127:12 | this access |
 | SSA.cs:124:15:124:18 | this access | SSA.cs:127:9:127:12 | this access |
 | SSA.cs:124:15:124:20 | [post] access to field S | SSA.cs:127:9:127:14 | access to field S |
@@ -1029,10 +1019,8 @@
 | SSA.cs:128:13:128:22 | [post] access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted |
 | SSA.cs:128:13:128:22 | access to parameter nonTainted | SSA.cs:131:17:131:26 | access to parameter nonTainted |
 | SSA.cs:128:13:128:29 | access to property Length | SSA.cs:128:13:128:33 | ... > ... |
-| SSA.cs:128:13:128:33 | [input] SSA def(this.S) | SSA.cs:123:23:123:28 | SSA def(this.S) |
 | SSA.cs:128:13:128:33 | [input] SSA phi read(this.S) | SSA.cs:136:9:136:30 | SSA phi read(this.S) |
 | SSA.cs:128:13:128:33 | [input] SSA phi(this.S.SsaFieldNonSink0) | SSA.cs:136:9:136:30 | SSA phi(this.S.SsaFieldNonSink0) |
-| SSA.cs:128:13:128:33 | [input] SSA qualifier def(this.S.SsaFieldSink1) | SSA.cs:123:23:123:28 | SSA qualifier def(this.S.SsaFieldSink1) |
 | SSA.cs:130:13:130:16 | [post] this access | SSA.cs:132:21:132:24 | this access |
 | SSA.cs:130:13:130:16 | [post] this access | SSA.cs:134:21:134:24 | this access |
 | SSA.cs:130:13:130:16 | this access | SSA.cs:132:21:132:24 | this access |
@@ -1063,13 +1051,13 @@
 | SSA.cs:134:21:134:43 | [post] access to field SsaFieldNonSink0 | SSA.cs:134:17:134:44 | [input] SSA phi(this.S.SsaFieldNonSink0) |
 | SSA.cs:134:21:134:43 | access to field SsaFieldNonSink0 | SSA.cs:134:17:134:44 | [input] SSA phi(this.S.SsaFieldNonSink0) |
 | SSA.cs:136:9:136:30 | SSA phi read(this.S) | SSA.cs:136:23:136:28 | access to field S |
-| SSA.cs:136:9:136:30 | SSA phi(this.S.SsaFieldNonSink0) | SSA.cs:5:17:5:17 | [input] SSA qualifier def(this.S.SsaFieldNonSink0) |
+| SSA.cs:136:9:136:30 | SSA phi(this.S.SsaFieldNonSink0) | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) |
 | SSA.cs:136:23:136:26 | [post] this access | SSA.cs:137:15:137:18 | this access |
 | SSA.cs:136:23:136:26 | this access | SSA.cs:137:15:137:18 | this access |
 | SSA.cs:136:23:136:28 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S |
 | SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 |
-| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:5:17:5:17 | [input] SSA def(this.S) |
-| SSA.cs:136:23:136:28 | access to field S | SSA.cs:5:17:5:17 | [input] SSA def(this.S) |
+| SSA.cs:136:23:136:28 | [post] access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) |
+| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) |
 | SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) |
 | SSA.cs:144:34:144:34 | SSA param(t) | SSA.cs:146:13:146:13 | access to parameter t |
 | SSA.cs:144:34:144:34 | t | SSA.cs:144:34:144:34 | SSA param(t) |

csharp/ql/test/query-tests/Useless Code/DefaultToString/DefaultToString.cs

@@ -35,6 +35,16 @@ public class DefaultToString
 
         IPublic g = null;
         Console.WriteLine(g);  // GOOD
+
+        Console.WriteLine(new ValueTuple<int, int>(1, 2)); // GOOD
+
+        Console.WriteLine((1, 2)); // GOOD
+
+        var t1 = new ValueTuple<int, DefaultToString>(1, new DefaultToString());
+        Console.WriteLine(t1); // BAD
+
+        var t2 = new ValueTuple<A, D>(new A(), new D());
+        Console.WriteLine(t2); // GOOD
     }
 
     class A

csharp/ql/test/query-tests/Useless Code/DefaultToString/DefaultToString.expected

@@ -2,7 +2,8 @@
 | DefaultToString.cs:10:28:10:28 | access to local variable d | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | DefaultToString.cs:4:14:4:28 | DefaultToString | DefaultToString |
 | DefaultToString.cs:16:27:16:30 | access to local variable ints | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | file://:0:0:0:0 | Int32[] | Int32[] |
 | DefaultToString.cs:19:24:19:27 | access to local variable ints | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | file://:0:0:0:0 | Int32[] | Int32[] |
-| DefaultToString.cs:34:27:34:27 | access to local variable f | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | DefaultToString.cs:62:23:62:30 | IPrivate | IPrivate |
+| DefaultToString.cs:34:27:34:27 | access to local variable f | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | DefaultToString.cs:72:23:72:30 | IPrivate | IPrivate |
+| DefaultToString.cs:44:27:44:28 | (...) ... | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | file://:0:0:0:0 | (Int32,DefaultToString) | (Int32,DefaultToString) |
 | DefaultToStringBad.cs:8:35:8:35 | access to local variable p | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | DefaultToStringBad.cs:14:11:14:16 | Person | Person |
 | DefaultToStringBad.cs:11:38:11:41 | access to local variable ints | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | file://:0:0:0:0 | Int32[] | Int32[] |
 | WriteLineArray.cs:7:23:7:26 | access to parameter args | Default 'ToString()': $@ inherits 'ToString()' from 'Object', and so is not suitable for printing. | file://:0:0:0:0 | String[] | String[] |

csharp/ql/test/utils/inline-tests/InlineTests.cs

@@ -16,6 +16,14 @@ class C
 
         // correct expectation comment
         x = "Alert"; // $ Alert[problem-query]
+
+        // correct expectation comments with a related location
+        var related = "Related"; // $ RelatedLocation[problem-query-with-related-loc]
+        x = "Alert:1"; // $ Alert[problem-query-with-related-loc]
+
+        // expectation comments missing the related location
+        related = "Related";
+        x = "Alert:1"; // $ Alert[problem-query-with-related-loc]
     }
 
     void PathProblems()
@@ -78,5 +86,17 @@ class C
         // incorrect expectation comments, using an identifier tag; the alert location coincides with the source location
         sink = "Sink"; // $ Sink[path-problem-query]=sink2
         x = "Alert:0:1"; // $ Alert[path-problem-query]=sink1
+
+        // correct expectation comments with a related location
+        source = "Source"; // $ Source[path-problem-query-with-related-loc]
+        sink = "Sink"; // $ Sink[path-problem-query-with-related-loc]
+        var related = "Related"; // $ RelatedLocation[path-problem-query-with-related-loc]
+        x = "Alert:3:2:1"; // $ Alert[path-problem-query-with-related-loc]
+
+        // expectation comments missing the related location
+        source = "Source"; // $ Source[path-problem-query-with-related-loc]
+        sink = "Sink"; // $ Sink[path-problem-query-with-related-loc]
+        related = "Related";
+        x = "Alert:3:2:1"; // $ Alert[path-problem-query-with-related-loc]
     }
-}
+}

csharp/ql/test/utils/inline-tests/PathProblemQuery.expected

@@ -1,31 +1,31 @@
 #select
-| InlineTests.cs:26:17:26:27 | "Alert:2:1" | InlineTests.cs:24:22:24:29 | "Source" | InlineTests.cs:25:20:25:25 | "Sink" | This is a problem |
-| InlineTests.cs:36:13:36:23 | "Alert:2:1" | InlineTests.cs:34:18:34:25 | "Source" | InlineTests.cs:35:16:35:21 | "Sink" | This is a problem |
-| InlineTests.cs:41:13:41:23 | "Alert:2:1" | InlineTests.cs:39:18:39:25 | "Source" | InlineTests.cs:40:16:40:21 | "Sink" | This is a problem |
-| InlineTests.cs:45:13:45:23 | "Alert:1:0" | InlineTests.cs:44:18:44:25 | "Source" | InlineTests.cs:45:13:45:23 | "Alert:1:0" | This is a problem |
-| InlineTests.cs:49:13:49:23 | "Alert:0:1" | InlineTests.cs:49:13:49:23 | "Alert:0:1" | InlineTests.cs:48:16:48:21 | "Sink" | This is a problem |
-| InlineTests.cs:54:13:54:23 | "Alert:2:1" | InlineTests.cs:52:18:52:25 | "Source" | InlineTests.cs:53:16:53:21 | "Sink" | This is a problem |
-| InlineTests.cs:59:13:59:23 | "Alert:2:1" | InlineTests.cs:57:18:57:25 | "Source" | InlineTests.cs:58:16:58:21 | "Sink" | This is a problem |
-| InlineTests.cs:64:13:64:23 | "Alert:2:1" | InlineTests.cs:62:18:62:25 | "Source" | InlineTests.cs:63:16:63:21 | "Sink" | This is a problem |
-| InlineTests.cs:68:13:68:23 | "Alert:1:0" | InlineTests.cs:67:18:67:25 | "Source" | InlineTests.cs:68:13:68:23 | "Alert:1:0" | This is a problem |
-| InlineTests.cs:72:13:72:23 | "Alert:1:0" | InlineTests.cs:71:18:71:25 | "Source" | InlineTests.cs:72:13:72:23 | "Alert:1:0" | This is a problem |
-| InlineTests.cs:76:13:76:23 | "Alert:0:1" | InlineTests.cs:76:13:76:23 | "Alert:0:1" | InlineTests.cs:75:16:75:21 | "Sink" | This is a problem |
-| InlineTests.cs:80:13:80:23 | "Alert:0:1" | InlineTests.cs:80:13:80:23 | "Alert:0:1" | InlineTests.cs:79:16:79:21 | "Sink" | This is a problem |
+| InlineTests.cs:34:17:34:27 | "Alert:2:1" | InlineTests.cs:32:22:32:29 | "Source" | InlineTests.cs:33:20:33:25 | "Sink" | This is a problem |
+| InlineTests.cs:44:13:44:23 | "Alert:2:1" | InlineTests.cs:42:18:42:25 | "Source" | InlineTests.cs:43:16:43:21 | "Sink" | This is a problem |
+| InlineTests.cs:49:13:49:23 | "Alert:2:1" | InlineTests.cs:47:18:47:25 | "Source" | InlineTests.cs:48:16:48:21 | "Sink" | This is a problem |
+| InlineTests.cs:53:13:53:23 | "Alert:1:0" | InlineTests.cs:52:18:52:25 | "Source" | InlineTests.cs:53:13:53:23 | "Alert:1:0" | This is a problem |
+| InlineTests.cs:57:13:57:23 | "Alert:0:1" | InlineTests.cs:57:13:57:23 | "Alert:0:1" | InlineTests.cs:56:16:56:21 | "Sink" | This is a problem |
+| InlineTests.cs:62:13:62:23 | "Alert:2:1" | InlineTests.cs:60:18:60:25 | "Source" | InlineTests.cs:61:16:61:21 | "Sink" | This is a problem |
+| InlineTests.cs:67:13:67:23 | "Alert:2:1" | InlineTests.cs:65:18:65:25 | "Source" | InlineTests.cs:66:16:66:21 | "Sink" | This is a problem |
+| InlineTests.cs:72:13:72:23 | "Alert:2:1" | InlineTests.cs:70:18:70:25 | "Source" | InlineTests.cs:71:16:71:21 | "Sink" | This is a problem |
+| InlineTests.cs:76:13:76:23 | "Alert:1:0" | InlineTests.cs:75:18:75:25 | "Source" | InlineTests.cs:76:13:76:23 | "Alert:1:0" | This is a problem |
+| InlineTests.cs:80:13:80:23 | "Alert:1:0" | InlineTests.cs:79:18:79:25 | "Source" | InlineTests.cs:80:13:80:23 | "Alert:1:0" | This is a problem |
+| InlineTests.cs:84:13:84:23 | "Alert:0:1" | InlineTests.cs:84:13:84:23 | "Alert:0:1" | InlineTests.cs:83:16:83:21 | "Sink" | This is a problem |
+| InlineTests.cs:88:13:88:23 | "Alert:0:1" | InlineTests.cs:88:13:88:23 | "Alert:0:1" | InlineTests.cs:87:16:87:21 | "Sink" | This is a problem |
 edges
 testFailures
 | InlineTests.cs:6:26:6:35 | // ... | Missing result: Alert |
 | InlineTests.cs:12:34:12:43 | // ... | Missing result: Alert |
-| InlineTests.cs:29:28:29:38 | // ... | Missing result: Source |
-| InlineTests.cs:30:24:30:32 | // ... | Missing result: Sink |
-| InlineTests.cs:31:33:31:42 | // ... | Missing result: Alert |
-| InlineTests.cs:34:18:34:25 | "Source" | Unexpected result: Source |
-| InlineTests.cs:35:16:35:21 | "Sink" | Unexpected result: Sink |
-| InlineTests.cs:36:13:36:23 | InlineTests.cs:34:18:34:25 | Unexpected result: Alert |
-| InlineTests.cs:58:16:58:21 | "Sink" | Unexpected result: Sink=source2 |
-| InlineTests.cs:58:24:58:60 | // ... | Missing result: Sink[path-problem-query]=source1 |
-| InlineTests.cs:64:13:64:23 | InlineTests.cs:62:18:62:25 | Unexpected result: Alert=source3 |
-| InlineTests.cs:64:26:64:63 | // ... | Missing result: Alert[path-problem-query]=source2 |
-| InlineTests.cs:72:13:72:23 | "Alert:1:0" | Unexpected result: Alert=source5 |
-| InlineTests.cs:72:26:72:63 | // ... | Missing result: Alert[path-problem-query]=source4 |
-| InlineTests.cs:79:16:79:21 | "Sink" | Unexpected result: Sink=sink1 |
-| InlineTests.cs:79:24:79:58 | // ... | Missing result: Sink[path-problem-query]=sink2 |
+| InlineTests.cs:37:28:37:38 | // ... | Missing result: Source |
+| InlineTests.cs:38:24:38:32 | // ... | Missing result: Sink |
+| InlineTests.cs:39:33:39:42 | // ... | Missing result: Alert |
+| InlineTests.cs:42:18:42:25 | "Source" | Unexpected result: Source |
+| InlineTests.cs:43:16:43:21 | "Sink" | Unexpected result: Sink |
+| InlineTests.cs:44:13:44:23 | InlineTests.cs:42:18:42:25 | Unexpected result: Alert |
+| InlineTests.cs:66:16:66:21 | "Sink" | Unexpected result: Sink=source2 |
+| InlineTests.cs:66:24:66:60 | // ... | Missing result: Sink[path-problem-query]=source1 |
+| InlineTests.cs:72:13:72:23 | InlineTests.cs:70:18:70:25 | Unexpected result: Alert=source3 |
+| InlineTests.cs:72:26:72:63 | // ... | Missing result: Alert[path-problem-query]=source2 |
+| InlineTests.cs:80:13:80:23 | "Alert:1:0" | Unexpected result: Alert=source5 |
+| InlineTests.cs:80:26:80:63 | // ... | Missing result: Alert[path-problem-query]=source4 |
+| InlineTests.cs:87:16:87:21 | "Sink" | Unexpected result: Sink=sink1 |
+| InlineTests.cs:87:24:87:58 | // ... | Missing result: Sink[path-problem-query]=sink2 |

csharp/ql/test/utils/inline-tests/PathProblemQueryRelatedLocs.expected

@@ -0,0 +1,14 @@
+#select
+| InlineTests.cs:94:13:94:25 | "Alert:3:2:1" | InlineTests.cs:91:18:91:25 | "Source" | InlineTests.cs:92:16:92:21 | "Sink" | This is a problem with $@ | InlineTests.cs:93:23:93:31 | "Related" | a related location |
+| InlineTests.cs:100:13:100:25 | "Alert:3:2:1" | InlineTests.cs:97:18:97:25 | "Source" | InlineTests.cs:98:16:98:21 | "Sink" | This is a problem with $@ | InlineTests.cs:99:19:99:27 | "Related" | a related location |
+edges
+testFailures
+| InlineTests.cs:6:26:6:35 | // ... | Missing result: Alert |
+| InlineTests.cs:12:34:12:43 | // ... | Missing result: Alert |
+| InlineTests.cs:32:32:32:42 | // ... | Missing result: Source |
+| InlineTests.cs:33:28:33:36 | // ... | Missing result: Sink |
+| InlineTests.cs:34:30:34:39 | // ... | Missing result: Alert |
+| InlineTests.cs:37:28:37:38 | // ... | Missing result: Source |
+| InlineTests.cs:38:24:38:32 | // ... | Missing result: Sink |
+| InlineTests.cs:39:33:39:42 | // ... | Missing result: Alert |
+| InlineTests.cs:99:19:99:27 | "Related" | Unexpected result: RelatedLocation |

csharp/ql/test/utils/inline-tests/PathProblemQueryRelatedLocs.qlref

@@ -0,0 +1,2 @@
+query: utils/inline-tests/queries/PathProblemQueryRelatedLocs.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

csharp/ql/test/utils/inline-tests/ProblemQuery.expected

@@ -5,5 +5,5 @@
 testFailures
 | InlineTests.cs:12:34:12:43 | // ... | Missing result: Alert |
 | InlineTests.cs:15:13:15:19 | This is a problem | Unexpected result: Alert |
-| InlineTests.cs:26:30:26:39 | // ... | Missing result: Alert |
-| InlineTests.cs:31:33:31:42 | // ... | Missing result: Alert |
+| InlineTests.cs:34:30:34:39 | // ... | Missing result: Alert |
+| InlineTests.cs:39:33:39:42 | // ... | Missing result: Alert |

csharp/ql/test/utils/inline-tests/ProblemQueryRelatedLocs.expected

@@ -0,0 +1,9 @@
+#select
+| InlineTests.cs:22:13:22:21 | "Alert:1" | This is a problem with $@ | InlineTests.cs:21:23:21:31 | "Related" | a related location |
+| InlineTests.cs:26:13:26:21 | "Alert:1" | This is a problem with $@ | InlineTests.cs:25:19:25:27 | "Related" | a related location |
+testFailures
+| InlineTests.cs:6:26:6:35 | // ... | Missing result: Alert |
+| InlineTests.cs:12:34:12:43 | // ... | Missing result: Alert |
+| InlineTests.cs:25:19:25:27 | "Related" | Unexpected result: RelatedLocation |
+| InlineTests.cs:34:30:34:39 | // ... | Missing result: Alert |
+| InlineTests.cs:39:33:39:42 | // ... | Missing result: Alert |

csharp/ql/test/utils/inline-tests/ProblemQueryRelatedLocs.qlref

@@ -0,0 +1,2 @@
+query: utils/inline-tests/queries/ProblemQueryRelatedLocs.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

csharp/ql/test/utils/inline-tests/queries/PathProblemQueryRelatedLocs.expected

@@ -0,0 +1,2 @@
+edges
+#select

csharp/ql/test/utils/inline-tests/queries/PathProblemQueryRelatedLocs.ql

@@ -0,0 +1,22 @@
+/**
+ * @kind path-problem
+ * @id path-problem-query-with-related-loc
+ */
+
+import csharp
+
+query predicate edges(StringLiteral sl1, StringLiteral sl2) { none() }
+
+from StringLiteral alert, StringLiteral source, StringLiteral sink, StringLiteral related
+where
+  exists(string regexp, int sourceOffset, int sinkOffset, int relatedOffset |
+    regexp = "Alert:([0-9]+):([0-9]+):([0-9]+)"
+  |
+    sourceOffset = alert.getValue().regexpCapture(regexp, 1).toInt() and
+    sinkOffset = alert.getValue().regexpCapture(regexp, 2).toInt() and
+    relatedOffset = alert.getValue().regexpCapture(regexp, 3).toInt() and
+    source.getLocation().getStartLine() = alert.getLocation().getStartLine() - sourceOffset and
+    sink.getLocation().getStartLine() = alert.getLocation().getStartLine() - sinkOffset and
+    related.getLocation().getStartLine() = alert.getLocation().getStartLine() - relatedOffset
+  )
+select alert, source, sink, "This is a problem with $@", related, "a related location"

csharp/ql/test/utils/inline-tests/queries/ProblemQueryRelatedLocs.ql

@@ -0,0 +1,12 @@
+/**
+ * @kind problem
+ * @id problem-query-with-related-loc
+ */
+
+import csharp
+
+from StringLiteral sl, StringLiteral related, int offset
+where
+  sl.getValue().regexpCapture("Alert:([0-9]+)", 1).toInt() = offset and
+  related.getLocation().getStartLine() = sl.getLocation().getStartLine() - offset
+select sl, "This is a problem with $@", related, "a related location"

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst

@@ -0,0 +1,165 @@
+.. _codeql-cli-2.20.5:
+
+==========================
+CodeQL 2.20.5 (2025-02-20)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.20.5 runs a total of 450 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 34 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   Removed support for :code:`QlBuiltins::BigInt`\ s in the :code:`avg()` aggregate.
+    
+*   A number of breaking changes have been made to the C and C++ CodeQL test environment as used by :code:`codeql test run`\ :
+
+    *   The :code:`-Xclang-only=<arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, when either :code:`--clang` or :code:`--clang_version` is specified the option should be replaced by :code:`<arg>` only, otherwise the option should be omitted.
+    *   The :code:`--sys_include <arg>` and :code:`--preinclude <arg>` options are no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg <option_name> --edg <arg>` should be specified.
+    *   The :code:`-idirafter <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --sys_include --edg <arg>` should be specified.
+    *   The :code:`-imacros <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --preinclude_macros --edg <arg>` should be specified.
+    *   The :code:`/FI <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --preinclude --edg <arg>` should be specified.
+    *   The :code:`-Wreserved-user-defined-literal`, :code:`-Wno-reserved-user-defined-literal`, :code:`-fwritable-strings`, :code:`/Zc:rvalueCast`, :code:`/Zc:rvalueCast-`, and :code:`/Zc:wchar_t-` options are no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --reserved_user_defined_literal`, :code:`--edg --no-reserved_user_defined_literal`, :code:`--edg --no_const_string_literals`, :code:`--edg --no_preserve_lvalues_with_same_type_casts`, :code:`--edg --preserve_lvalues_with_same_type_casts`, and :code:`--edg --no_wchar_t_keyword` should be specified, respectively.
+    *   The :code:`/Fo <arg>` option is no longer supported by :code:`semmle-extractor-options`. The option should be omitted.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed a recently-introduced bug that prevented taint tracking through :code:`URLSearchParams` objects.
+    The original behaviour has been restored and taint should once again be tracked through such objects.
+*   Fixed a rare issue that would occur when a function declaration inside a block statement was referenced before it was declared.
+    Such code is reliant on legacy web semantics, which is non-standard but nevertheless implemented by most engines.
+    CodeQL now takes legacy web semantics into account and resolves references to these functions correctly.
+*   Fixed a bug that would cause parse errors in :code:`.jsx` files in rare cases where the file contained syntax that was misinterpreted as Flow syntax.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   The following queries have been removed from the :code:`code-scanning` and :code:`security-extended` suites.
+    Any existing alerts for these queries will be closed automatically.
+
+    *   :code:`actions/if-expression-always-true/critical`
+    *   :code:`actions/if-expression-always-true/high`
+    *   :code:`actions/unnecessary-use-of-advanced-config`
+    
+*   The following query has been moved from the :code:`code-scanning` suite to the :code:`security-extended` suite. Any existing alerts for this query will be closed automatically unless the analysis is configured to use the :code:`security-extended` suite.
+
+    *   :code:`actions/unpinned-tag`
+    
+*   The following queries have been added to the :code:`security-extended` suite.
+
+    *   :code:`actions/unversioned-immutable-action`
+    *   :code:`actions/envpath-injection/medium`
+    *   :code:`actions/envvar-injection/medium`
+    *   :code:`actions/code-injection/medium`
+    *   :code:`actions/artifact-poisoning/medium`
+    *   :code:`actions/untrusted-checkout/medium`
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   Added `github.com/gorilla/mux.Vars <https://pkg.go.dev/github.com/gorilla/mux#Vars>`__ to path sanitizers (disabled if `github.com/gorilla/mix.Router.SkipClean <https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean>`__ has been called).
+
+GitHub Actions
+""""""""""""""
+
+*   Fixed false positives in the query :code:`actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
+
+New Queries
+~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+*   Added a new query, :code:`java/csrf-unprotected-request-type`, to detect Cross-Site Request Forgery (CSRF) vulnerabilities due to using HTTP request types that are not default-protected from CSRF.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Python
+""""""
+
+*   Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes.
+*   Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
+*   C# 13: Add generated models for .NET 9.
+*   The models for :code:`System.Net.Http.HttpRequestMessage` and :code:`System.UriBuilder` have been modified to better model the flow of tainted URIs.
+*   Blazor :code:`[Parameter]` fields bound to a variable from the route specified in the :code:`@page` directive are now modeled as remote flow sources.
+
+Golang
+""""""
+
+*   Taint models have been added for the :code:`weak` package, which was added in Go 1.24.
+*   Taint models have been added for the interfaces :code:`TextAppender` and :code:`BinaryAppender` in the :code:`encoding` package, which were added in Go 1.24.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for regular expressions using the :code:`v` flag.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
+
+Golang
+""""""
+
+*   The class :code:`NamedType` has been deprecated. Use the new class :code:`DefinedType` instead. This better matches the terminology used in the Go language specification, which was changed in Go 1.9.
+*   The member predicate :code:`getNamedType` on :code:`GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate :code:`getDefinedType` instead.
+*   The member predicate :code:`getNamedType` on :code:`Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate :code:`getDefinedType` instead.
+
+Ruby
+""""
+
+*   The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
+
+Swift
+"""""
+
+*   The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
+
+New Features
+~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   The "Unpinned tag for a non-immutable Action in workflow" query (:code:`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (:code:`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see `Creating a CodeQL Model Pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack>`__.

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.20.5
    codeql-cli-2.20.4
    codeql-cli-2.20.3
    codeql-cli-2.20.2

docs/codeql/reusables/supported-frameworks.rst

@@ -9,6 +9,7 @@ and the CodeQL library pack ``codeql/cpp-all`` (`changelog <https://github.com/g
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    `Berkeley socket API library <https://en.wikipedia.org/wiki/Berkeley_sockets#Socket_API_functions>`__, Network communicator
@@ -26,6 +27,7 @@ and the CodeQL library pack ``codeql/csharp-all`` (`changelog <https://github.co
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    ASP.NET, Web application framework
@@ -49,6 +51,7 @@ and the CodeQL library pack ``codeql/go-all`` (`changelog <https://github.com/gi
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    `AWS Lambda <https://docs.aws.amazon.com/lambda/latest/dg/lambda-golang.html>`_, Serverless framework
@@ -105,6 +108,7 @@ and the CodeQL library pack ``codeql/java-all`` (`changelog <https://github.com/
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    Apache Commons Collections, Data structure utility library
@@ -139,6 +143,7 @@ and the CodeQL library pack ``codeql/javascript-all`` (`changelog <https://githu
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    angular (modern version), HTML framework
@@ -189,6 +194,7 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    AWS Lambda, Serverless framework
@@ -267,6 +273,7 @@ and the CodeQL library pack ``codeql/ruby-all`` (`changelog <https://github.com/
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    excon, HTTP client
@@ -293,6 +300,7 @@ and the CodeQL library pack ``codeql/swift-all`` (`changelog <https://github.com
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
+   :align: left
 
    Name, Category
    `AEXML <https://github.com/tadija/AEXML>`__, XML processing library

docs/codeql/reusables/supported-versions-compilers.rst

@@ -16,8 +16,8 @@
    .NET Core up to 3.1
 
    .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
-   Go (aka Golang), "Go up to 1.23", "Go 1.11 or more recent", ``.go``
-   Java,"Java 7 to 22 [5]_","javac (OpenJDK and Oracle JDK),
+   Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go``
+   Java,"Java 7 to 24 [5]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [6]_",``.java``
    Kotlin,"Kotlin 1.5.0 to 2.1.2\ *x*","kotlinc",``.kt``
@@ -33,7 +33,7 @@
     .. [2] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
     .. [3] Support for the clang-cl compiler is preliminary.
     .. [4] Support for the Arm Compiler (armcc) is preliminary.
-    .. [5] Builds that execute on Java 7 to 22 can be analyzed. The analysis understands standard language features in Java 8 to 22; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
+    .. [5] Builds that execute on Java 7 to 24 can be analyzed. The analysis understands standard language features in Java 8 to 24; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
     .. [6] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
     .. [7] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
     .. [8] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.

go/.gitignore

@@ -0,0 +1,4 @@
+# artifacts of running `make test`
+data/
+lock
+size

go/BUILD.bazel

@@ -35,10 +35,10 @@ genrule(
 pkg_files(
     name = "resources",
     srcs = [
-        "LICENSE",
         "codeql-extractor.yml",
         "ql/lib/go.dbscheme.stats",
         ":dbscheme",
+        "//:LICENSE",
     ],
 )
 

go/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2019-2020 GitHub
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

go/documentation/library-coverage/coverage.csv

@@ -70,6 +70,7 @@ github.com/jinzhu/gorm,13,15,1,,,,,,,,,,,,13,,,,,,15,,,,,1,
 github.com/jmoiron/sqlx,12,49,11,,,,,,,,,,,,12,,,,,,49,,,,,11,
 github.com/joho/godotenv,,4,,,,,,,,,,,,,,,,,,,,4,,,,,
 github.com/json-iterator/go,,,4,,,,,,,,,,,,,,,,,,,,,,,4,
+github.com/kanikanema/gorqlite,24,8,2,,,,,,,,,,,,24,,,,,,8,,,,,2,
 github.com/kataras/iris/context,6,,,,,,,,6,,,,,,,,,,,,,,,,,,
 github.com/kataras/iris/middleware/jwt,2,,,,2,,,,,,,,,,,,,,,,,,,,,,
 github.com/kataras/iris/server/web/context,6,,,,,,,,6,,,,,,,,,,,,,,,,,,
@@ -84,10 +85,10 @@ github.com/masterzen/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,,,
 github.com/moovweb/gokogiri/xml,4,,,,,,,,,,,,,,,,,,4,,,,,,,,
 github.com/moovweb/gokogiri/xpath,1,,,,,,,,,,,,,,,,,,1,,,,,,,,
 github.com/ory/fosite/token/jwt,2,,,,2,,,,,,,,,,,,,,,,,,,,,,
-github.com/raindog308/gorqlite,24,,,,,,,,,,,,,,24,,,,,,,,,,,,
+github.com/raindog308/gorqlite,24,8,2,,,,,,,,,,,,24,,,,,,8,,,,,2,
 github.com/revel/revel,2,23,10,,,,,,1,,,,,,,1,,,,,,,,23,,10,
 github.com/robfig/revel,2,23,10,,,,,,1,,,,,,,1,,,,,,,,23,,10,
-github.com/rqlite/gorqlite,24,,,,,,,,,,,,,,24,,,,,,,,,,,,
+github.com/rqlite/gorqlite,24,8,2,,,,,,,,,,,,24,,,,,,8,,,,,2,
 github.com/santhosh-tekuri/xpathparser,2,,,,,,,,,,,,,,,,,,2,,,,,,,,
 github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
 github.com/sirupsen/logrus,145,,,,,,145,,,,,,,,,,,,,,,,,,,,
@@ -95,7 +96,7 @@ github.com/spf13/afero,34,,,,,,,,34,,,,,,,,,,,,,,,,,,
 github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,,,4,
 github.com/uptrace/bun,63,,,,,,,,,,,,,,63,,,,,,,,,,,,
 github.com/valyala/fasthttp,35,50,5,,,,,,8,,,,17,8,,2,,,,,,,,50,,5,
-go.mongodb.org/mongo-driver/mongo,14,,,,,,,14,,,,,,,,,,,,,,,,,,,
+go.mongodb.org/mongo-driver/mongo,14,11,5,,,,,14,,,,,,,,,,,,,11,,,,,5,
 go.uber.org/zap,33,,11,,,,33,,,,,,,,,,,,,,,,,,,11,
 golang.org/x/crypto/ssh,4,,,4,,,,,,,,,,,,,,,,,,,,,,,
 golang.org/x/net/context,,,5,,,,,,,,,,,,,,,,,,,,,,,5,

go/documentation/library-coverage/coverage.rst

@@ -28,7 +28,7 @@ Go framework & library support
    `Kubernetes <https://kubernetes.io/>`_,"``k8s.io/api*``, ``k8s.io/apimachinery*``",,57,
    `Logrus <https://github.com/sirupsen/logrus>`_,"``github.com/Sirupsen/logrus*``, ``github.com/sirupsen/logrus*``",,,290
    `Macaron <https://gopkg.in/macaron.v1>`_,``gopkg.in/macaron*``,12,1,1
-   `MongoDB Go Driver <https://www.mongodb.com/docs/drivers/go/current/>`_,``go.mongodb.org/mongo-driver*``,,,14
+   `MongoDB Go Driver <https://www.mongodb.com/docs/drivers/go/current/>`_,``go.mongodb.org/mongo-driver*``,11,5,14
    `Revel <http://revel.github.io/>`_,"``github.com/revel/revel*``, ``github.com/robfig/revel*``",46,20,4
    `SendGrid <https://github.com/sendgrid/sendgrid-go>`_,``github.com/sendgrid/sendgrid-go*``,,1,
    `Squirrel <https://github.com/Masterminds/squirrel>`_,"``github.com/Masterminds/squirrel*``, ``github.com/lann/squirrel*``, ``gopkg.in/Masterminds/squirrel``",,,96
@@ -53,7 +53,7 @@ Go framework & library support
    `goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
    `gorilla/mux <https://github.com/gorilla/mux>`_,``github.com/gorilla/mux*``,1,,
    `gorilla/websocket <https://github.com/gorilla/websocket>`_,``github.com/gorilla/websocket*``,3,,
-   `gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``",,,48
+   `gorqlite <https://github.com/rqlite/gorqlite>`_,"``github.com/raindog308/gorqlite*``, ``github.com/rqlite/gorqlite*``",16,4,48
    `goxpath <https://github.com/ChrisTrenkamp/goxpath/wiki>`_,``github.com/ChrisTrenkamp/goxpath*``,,,3
    `htmlquery <https://github.com/antchfx/htmlquery>`_,``github.com/antchfx/htmlquery*``,,,4
    `json-iterator <https://github.com/json-iterator/go>`_,``github.com/json-iterator/go*``,,4,
@@ -73,5 +73,6 @@ Go framework & library support
    `xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
    `yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
    `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
-   Totals,,459,947,1532
+   Others,``github.com/kanikanema/gorqlite``,8,2,24
+   Totals,,494,958,1556
 

go/extractor/configurebaseline/configurebaseline.go

@@ -3,24 +3,12 @@ package configurebaseline
 import (
 	"encoding/json"
 	"io/fs"
-	"os"
 	"path"
 	"path/filepath"
 
 	"github.com/github/codeql-go/extractor/util"
 )
 
-func fileExists(path string) bool {
-	stat, err := os.Stat(path)
-	return err == nil && stat.Mode().IsRegular()
-}
-
-// Decides if `dirPath` is a vendor directory by testing whether it is called `vendor`
-// and contains a `modules.txt` file.
-func isGolangVendorDirectory(dirPath string) bool {
-	return filepath.Base(dirPath) == "vendor" && fileExists(filepath.Join(dirPath, "modules.txt"))
-}
-
 type BaselineConfig struct {
 	PathsIgnore []string `json:"paths-ignore"`
 }
@@ -38,7 +26,7 @@ func GetConfigBaselineAsJSON(rootDir string) ([]byte, error) {
 				// it will not be extracted either.
 				return nil
 			}
-			if isGolangVendorDirectory(dirPath) {
+			if util.IsGolangVendorDirectory(dirPath) {
 				// Note that CodeQL expects a forward-slash-separated path, even on Windows.
 				vendorDirs = append(vendorDirs, path.Join(filepath.ToSlash(dirPath), "**"))
 				return filepath.SkipDir

go/extractor/project/project.go

@@ -184,12 +184,12 @@ func RemoveTemporaryExtractorFiles() {
 
 // Find all go.work files in the working directory and its subdirectories
 func findGoWorkFiles() []string {
-	return util.FindAllFilesWithName(".", "go.work", "vendor")
+	return util.FindAllFilesWithName(".", "go.work", util.SkipVendorChecks...)
 }
 
 // Find all go.mod files in the specified directory and its subdirectories
 func findGoModFiles(root string) []string {
-	return util.FindAllFilesWithName(root, "go.mod", "vendor")
+	return util.FindAllFilesWithName(root, "go.mod", util.SkipVendorChecks...)
 }
 
 // A regular expression for the Go toolchain version syntax.
@@ -315,6 +315,11 @@ func discoverWorkspaces(emitDiagnostics bool) []GoWorkspace {
 		goModFiles := findGoModFiles(".")
 
 		// Return a separate workspace for each `go.mod` file that we found.
+		if len(goModFiles) > 0 {
+			log.Printf("Found %d go.mod files in: %s.\n", len(goModFiles), strings.Join(goModFiles, ", "))
+		} else {
+			log.Println("Found no go.mod files in the workspace.")
+		}
 		results := make([]GoWorkspace, len(goModFiles))
 
 		for i, goModFile := range goModFiles {
@@ -547,8 +552,8 @@ func startsWithAnyOf(str string, prefixes []string) bool {
 // Finds Go workspaces in the current working directory.
 func GetWorkspaceInfo(emitDiagnostics bool) []GoWorkspace {
 	bazelPaths := slices.Concat(
-		util.FindAllFilesWithName(".", "BUILD", "vendor"),
-		util.FindAllFilesWithName(".", "BUILD.bazel", "vendor"),
+		util.FindAllFilesWithName(".", "BUILD", util.SkipVendorChecks...),
+		util.FindAllFilesWithName(".", "BUILD.bazel", util.SkipVendorChecks...),
 	)
 	if len(bazelPaths) > 0 {
 		// currently not supported

go/extractor/util/util.go

@@ -152,7 +152,16 @@ func FindGoFiles(root string) bool {
 	return found
 }
 
-func FindAllFilesWithName(root string, name string, dirsToSkip ...string) []string {
+// The type of check function used by `FindAllFilesWithName` to decide whether to skip the directory named by `path`.
+type FindAllFilesWithNameSkipCheck func(path string) bool
+
+// Commonly we only want to skip `vendor` directories in `FindAllFilesWithName`. This array is a suitable
+// argument for `dirsToSkip` which skips `vendor` directories.
+var SkipVendorChecks = []FindAllFilesWithNameSkipCheck{IsGolangVendorDirectory}
+
+// Returns an array of all files matching `name` within the path at `root`.
+// The `dirsToSkip` array contains check functions used to decide which directories to skip.
+func FindAllFilesWithName(root string, name string, dirsToSkip ...FindAllFilesWithNameSkipCheck) []string {
 	paths := make([]string, 0, 1)
 	filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
@@ -160,7 +169,7 @@ func FindAllFilesWithName(root string, name string, dirsToSkip ...string) []stri
 		}
 		if d.IsDir() {
 			for _, dirToSkip := range dirsToSkip {
-				if path == dirToSkip {
+				if dirToSkip(path) {
 					return filepath.SkipDir
 				}
 			}
@@ -287,3 +296,16 @@ func getImportPathFromRepoURL(repourl string) string {
 	path = regexp.MustCompile(`^/+|\.git$`).ReplaceAllString(path, "")
 	return host + "/" + path
 }
+
+// Decides if `path` refers to a file that exists.
+func fileExists(path string) bool {
+	stat, err := os.Stat(path)
+	return err == nil && stat.Mode().IsRegular()
+}
+
+// Decides if `dirPath` is a vendor directory by testing whether it is called `vendor`
+// and contains a `modules.txt` file.
+func IsGolangVendorDirectory(dirPath string) bool {
+	return filepath.Base(dirPath) == "vendor" &&
+		(fileExists(filepath.Join(dirPath, "modules.txt")) || fileExists(filepath.Join(dirPath, "../glide.yaml")))
+}