Revert "Python: Use new dataflow API"

.clang-format

@@ -1 +0,0 @@
-DisableFormat: true

.gitattributes

@@ -71,6 +71,3 @@ go/extractor/opencsv/CSVReader.java -text
 # `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
-
-# Auto-generated modeling for Python
-python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true

.github/dependabot.yml

@@ -17,26 +17,3 @@ updates:
     ignore:
       - dependency-name: '*'
         update-types: ['version-update:semver-patch', 'version-update:semver-minor']
-
-  - package-ecosystem: "gomod"
-    directory: "go/extractor"
-    schedule:
-      interval: "daily"
-    allow:
-      - dependency-name: "golang.org/x/mod"
-      - dependency-name: "golang.org/x/tools"
-    groups:
-      extractor-dependencies:
-        patterns:
-          - "golang.org/x/*"
-    reviewers:
-      - "github/codeql-go"
-
-  - package-ecosystem: "gomod"
-    directory: "go/ql/test"
-    schedule:
-      interval: "monthly"
-    ignore:
-      - dependency-name: "*"
-    reviewers:
-      - "github/codeql-go"

.github/labeler.yml

@@ -45,7 +45,11 @@ documentation:
 
 # Since these are all shared files that need to be synced, just pick _one_ copy of each.
 "DataFlow Library":
-  - "shared/dataflow/**/*"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"
 
 "ATM":
   - javascript/ql/experimental/adaptivethreatmodeling/**/*

.github/workflows/check-change-note.yml

@@ -9,42 +9,26 @@ on:
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
       - "*/ql/lib/**/*.yml"
-      - "shared/**/*.ql"
-      - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:
   check-change-note:
-    env: 
-      REPO: ${{ github.repository }}
-      PULL_REQUEST_NUMBER: ${{ github.event.number }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-latest
     steps:
-
       - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
         if: |
           github.event.pull_request.draft == false &&
           !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-          
-          if [ -z "$change_note_files" ]; then
-            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
-            exit 1
-          fi
-
-          echo "Change notes found:"
-          echo "$change_note_files"
-
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
+          grep true -c
       - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
-
-          if [ -n "$bad_change_note_file_names" ]; then
-            echo "The following change note file names are invalid:"
-            echo "$bad_change_note_file_names"
-            exit 1
-          fi
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))] | all(test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$"))' |
+          grep true -c

.github/workflows/check-implicit-this.yml

@@ -13,7 +13,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Check that implicit this warnings is enabled for all packs
         shell: bash
         run: |

.github/workflows/check-qldoc.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 

.github/workflows/check-query-ids.yml

@@ -16,6 +16,6 @@ jobs:
     name: Check query IDs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Check for duplicate query IDs
         run: python3 misc/scripts/check-query-ids.py

.github/workflows/close-stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@v8
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

.github/workflows/codeql-analysis.yml

@@ -28,12 +28,12 @@ jobs:
 
     steps:
     - name: Setup dotnet
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: 8.0.101
+        dotnet-version: 7.0.102
 
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/compile-queries.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest-xl
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:
@@ -29,9 +29,9 @@ jobs:
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"

.github/workflows/csharp-qltest.yml

@@ -29,7 +29,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -52,7 +52,8 @@ jobs:
       matrix:
         slice: ["1/2", "2/2"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/fetch-codeql
       - uses: ./csharp/actions/create-extractor-pack
       - name: Cache compilation cache
         id: query-cache
@@ -61,41 +62,25 @@ jobs:
           key: csharp-qltest-${{ matrix.slice }}
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)
+          # The legacy ASP extractor is not in this repo, so take the one from the nightly build
+          mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
+          # Safe guard against using the bundled extractor
+          rm -rf "$CODEQL_PATH/csharp"
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
   unit-tests:
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-2019]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup dotnet
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: 8.0.101
-      - name: Extractor unit tests
-        run: |
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=8.0.1 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
-        shell: bash
-  stubgentest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: ./csharp/actions/create-extractor-pack
-      - name: Run stub generator tests
+      - uses: actions/checkout@v3
+      - name: Setup dotnet
+        uses: actions/setup-dotnet@v3
+        with:
+          dotnet-version: 7.0.102
+      - name: Extractor unit tests
         run: |
-          # Generate (Asp)NetCore stubs
-          STUBS_PATH=stubs_output
-          python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
-          rm -rf ql/test/resources/stubs/_frameworks
-          # Update existing stubs in the repo with the freshly generated ones
-          mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
-          git status
-          codeql test run --threads=0 --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=7.0.2 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"

.github/workflows/csv-coverage-metrics.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -31,11 +31,11 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: merge
       - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 2
           path: base
@@ -89,32 +89,9 @@ jobs:
       - name: Save PR number
         run: |
           mkdir -p pr
-          echo ${PR_NUMBER} > pr/NR
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          echo ${{ github.event.pull_request.number }} > pr/NR
       - name: Upload PR number
         uses: actions/upload-artifact@v3
         with:
           name: pr
           path: pr/
-      - name: Save comment ID (if it exists)
-        run: |
-          # Find the latest comment starting with COMMENT_PREFIX
-          COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
-          COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
-          if [[ -z ${COMMENT_ID} ]]
-          then
-            echo "Comment not found. Not uploading 'comment/ID' artifact."
-          else
-            mkdir -p comment
-            echo ${COMMENT_ID} > comment/ID
-          fi
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-      - name: Upload comment ID (if it exists)
-        uses: actions/upload-artifact@v3
-        with:
-          name: comment
-          path: comment/
-          if-no-files-found: ignore

.github/workflows/csv-coverage-pr-comment.yml

@@ -20,7 +20,7 @@ jobs:
         GITHUB_CONTEXT: ${{ toJSON(github.event) }}
       run: echo "$GITHUB_CONTEXT"
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Set up Python 3.8
       uses: actions/setup-python@v4
       with:

.github/workflows/csv-coverage-timeseries.yml

@@ -9,11 +9,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: codeqlModels
           fetch-depth: 0

.github/workflows/csv-coverage-update.yml

@@ -17,7 +17,7 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: ql
           fetch-depth: 0

.github/workflows/csv-coverage.yml

@@ -13,11 +13,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: codeqlModels
           ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}

.github/workflows/fast-forward.yml

@@ -25,7 +25,7 @@ jobs:
           exit 1
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Git config
         shell: bash

.github/workflows/go-tests-other-os.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql
@@ -50,13 +50,13 @@ jobs:
     runs-on: windows-latest-xl
     steps:
       - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql

.github/workflows/go-tests.yml

@@ -23,13 +23,13 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
         id: go
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
 
       - name: Set up CodeQL CLI
         uses: ./.github/actions/fetch-codeql

.github/workflows/js-ml-tests.yml

@@ -0,0 +1,65 @@
+name: JS ML-powered queries tests
+
+on:
+  push:
+    paths:
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+      - .github/workflows/js-ml-tests.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+      - .github/workflows/js-ml-tests.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+  workflow_dispatch:
+
+defaults:
+  run:
+    working-directory: javascript/ql/experimental/adaptivethreatmodeling
+
+jobs:
+  qltest:
+    name: Test QL
+    runs-on: ubuntu-latest-xl
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - name: Install pack dependencies
+        run: |
+          for pack in modelbuilding src test; do
+            codeql pack install --mode verify -- "${pack}"
+          done
+      
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: js-ml-test
+
+      - name: Check QL compilation
+        run: |
+          codeql query compile \
+            --check-only \
+            --ram 50000 \
+            --additional-packs "${{ github.workspace }}" \
+            --threads=0 \
+            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
+            -- \
+            lib modelbuilding src
+
+      - name: Run QL tests
+        run: |
+          codeql test run \
+            --threads=0 \
+            --ram 50000 \
+            --additional-packs "${{ github.workspace }}" \
+            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
+            -- \
+            test

.github/workflows/mad_modelDiff.yml

@@ -12,7 +12,6 @@ on:
       - main
     paths:
       - "java/ql/src/utils/modelgenerator/**/*.*"
-      - "misc/scripts/models-as-data/*.*"
       - ".github/workflows/mad_modelDiff.yml"
 
 permissions:
@@ -28,12 +27,12 @@ jobs:
         slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
     steps:
       - name: Clone github/codeql from PR
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         if: github.event.pull_request
         with:
           path: codeql-pr
       - name: Clone github/codeql from main
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: codeql-main
           ref: main
@@ -62,9 +61,8 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
-            mkdir -p $MODELS/$SHORTNAME
-            mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
+            mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
             cd ..
           }
 
@@ -87,16 +85,16 @@ jobs:
           set -x
           MODELS=`pwd`/tmp-models
           ls -1 tmp-models/
-          for m in $MODELS/*/main/*.model.yml ; do
+          for m in $MODELS/*_main.model.yml ; do
             t="${m/main/"pr"}"
             basename=`basename $m`
-            name="diff_${basename/.model.yml/""}"
+            name="diff_${basename/_main.model.yml/""}"
             (diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
           done
       - uses: actions/upload-artifact@v3
         with:
           name: models
-          path: tmp-models/**/**/*.model.yml
+          path: tmp-models/*.model.yml
           retention-days: 20
       - uses: actions/upload-artifact@v3
         with:

.github/workflows/mad_regenerate-models.yml

@@ -27,11 +27,11 @@ jobs:
             ref: "placeholder"
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: Setup CodeQL binaries
         uses: ./.github/actions/fetch-codeql
       - name: Clone repositories
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           path: repos/${{ matrix.ref }}
           ref: ${{ matrix.ref }}

.github/workflows/qhelp-pr-preview.yml

@@ -43,7 +43,7 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
           persist-credentials: false

.github/workflows/ql-for-ql-build.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       ### Build the queries ###
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Find codeql

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -21,7 +21,7 @@ jobs:
           - github/codeql
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
 
       - name: Find codeql
         id: find-codeql
@@ -42,7 +42,7 @@ jobs:
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -71,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: actions/download-artifact@v3
         with:
           name: measurements

.github/workflows/ql-for-ql-tests.yml

@@ -21,7 +21,7 @@ jobs:
   qltest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@v2
@@ -61,7 +61,7 @@ jobs:
     needs: [qltest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Install GNU tar 
         if: runner.os == 'macOS'
         run: |

.github/workflows/query-list.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
       with:
         path: codeql 
     - name: Set up Python 3.8

.github/workflows/ruby-build.yml

@@ -42,7 +42,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |
@@ -113,7 +113,7 @@ jobs:
   compile-queries:
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Cache compilation cache
@@ -145,7 +145,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, compile-queries]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: actions/download-artifact@v3
         with:
           name: ruby.dbscheme
@@ -206,7 +206,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [package]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 

.github/workflows/ruby-dataset-measure.yml

@@ -27,14 +27,14 @@ jobs:
         repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
 
       - uses: ./.github/actions/fetch-codeql
 
       - uses: ./ruby/actions/create-extractor-pack
 
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -59,7 +59,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: actions/download-artifact@v3
         with:
           name: measurements

.github/workflows/ruby-qltest.yml

@@ -33,7 +33,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -54,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache

.github/workflows/swift.yml

@@ -39,31 +39,31 @@ jobs:
   build-and-test-macos:
     runs-on: macos-12-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./swift/actions/build-and-test
   build-and-test-linux:
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./swift/actions/build-and-test
   qltests-linux:
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./swift/actions/run-ql-tests
   qltests-macos:
     if : ${{ github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./swift/actions/run-ql-tests
   integration-tests-linux:
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./swift/actions/run-integration-tests
   integration-tests-macos:
     if : ${{ github.event_name == 'pull_request' }}
@@ -71,32 +71,23 @@ jobs:
     runs-on: macos-12-xl
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./swift/actions/run-integration-tests
-  clang-format:
-    if : ${{ github.event_name == 'pull_request' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        name: Check that python code is properly formatted
-        with:
-          extra_args: clang-format --all-files
   codegen:
     if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: bazelbuild/setup-bazelisk@v2
       - uses: actions/setup-python@v4
         with:
           python-version-file: 'swift/.python-version'
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+      - uses: pre-commit/action@v3.0.0
         name: Check that python code is properly formatted
         with:
           extra_args: autopep8 --all-files
       - uses: ./.github/actions/fetch-codeql
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+      - uses: pre-commit/action@v3.0.0
         name: Check that QL generated code was checked in
         with:
           extra_args: swift-codegen --all-files
@@ -111,6 +102,6 @@ jobs:
     if : ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: ./swift/actions/database-upgrade-scripts

.github/workflows/sync-files.yml

@@ -14,7 +14,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Check synchronized files
         run: python config/sync-files.py
       - name: Check dbscheme fragments

.github/workflows/tree-sitter-extractor-test.yml

@@ -27,7 +27,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Check formatting
         run: cargo fmt --all -- --check
       - name: Run tests
@@ -35,12 +35,12 @@ jobs:
   fmt:
     runs-on: ubuntu-latest  
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Check formatting
         run: cargo fmt --check
   clippy:
     runs-on: ubuntu-latest  
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: Run clippy
         run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

.github/workflows/validate-change-notes.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql

.pre-commit-config.yaml

@@ -10,9 +10,10 @@ repos:
         exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
-    rev: v17.0.6
+    rev: v13.0.1
     hooks:
       - id: clang-format
+        files: ^swift/.*\.(h|c|cpp)$
 
   - repo: https://github.com/pre-commit/mirrors-autopep8
     rev: v1.6.0

CODEOWNERS

@@ -8,8 +8,6 @@
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
-/java/ql/test-kotlin1/ @github/codeql-kotlin
-/java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # ML-powered queries
 /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
@@ -44,4 +42,3 @@ WORKSPACE.bazel @github/codeql-ci-reviewers
 
 # Misc
 /misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
-/misc/scripts/generate-code-scanning-query-list.py @RasmusWL

codeql-workspace.yml

@@ -1,12 +1,12 @@
 provide:
   - "*/ql/src/qlpack.yml"
   - "*/ql/lib/qlpack.yml"
-  - "*/ql/test*/qlpack.yml"
+  - "*/ql/test/qlpack.yml"
   - "*/ql/examples/qlpack.yml"
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
-  - "shared/**/qlpack.yml"
+  - "shared/*/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"
@@ -29,7 +29,6 @@ provide:
   - "swift/extractor-pack/codeql-extractor.yml"
   - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
-  - ".github/codeql/extensions/**/codeql-pack.yml"
 
 versionPolicies:
   default:

config/identical-files.json

@@ -28,6 +28,8 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
   ],
   "TaintTracking Legacy Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
@@ -53,6 +55,14 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
+  "DataFlow Java/C#/Go/Ruby/Python/Swift Flow Summaries": [
+    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
+    "go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
+  ],
   "SsaReadPosition Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
@@ -454,6 +464,23 @@
     "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
     "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
   ],
+  "TypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
+  ],
+  "SummaryTypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
+  ],
+  "AccessPathSyntax": [
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
+    "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
+    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/AccessPathSyntax.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/AccessPathSyntax.qll"
+  ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
     "ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
@@ -473,6 +500,26 @@
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
     "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
   ],
+  "TaintedFormatStringQuery Ruby/JS": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"
+  ],
+  "TaintedFormatStringCustomizations Ruby/JS": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringCustomizations.qll",
+    "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringCustomizations.qll"
+  ],
+  "HttpToFileAccessQuery JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll"
+  ],
+  "HttpToFileAccessCustomizations JS/Ruby": [
+    "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
+    "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
+  ],
+  "Typo database": [
+    "javascript/ql/src/Expressions/TypoDatabase.qll",
+    "ql/ql/src/codeql_ql/style/TypoDatabase.qll"
+  ],
   "Swift declarations test file": [
     "swift/ql/test/extractor-tests/declarations/declarations.swift",
     "swift/ql/test/library-tests/ast/declarations.swift"

cpp/BUILD.bazel

@@ -1,17 +1,12 @@
-load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
-
 package(default_visibility = ["//visibility:public"])
 
+load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
+
 alias(
     name = "dbscheme",
     actual = "//cpp/ql/lib:dbscheme",
 )
 
-alias(
-    name = "dbscheme-stats",
-    actual = "//cpp/ql/lib:dbscheme-stats",
-)
-
 pkg_filegroup(
     name = "db-files",
     srcs = [

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -145,9 +145,9 @@ namespace Semmle.Autobuild.Cpp.Tests
 
         bool IBuildActions.IsMacOs() => IsMacOs;
 
-        public bool IsRunningOnAppleSilicon { get; set; }
+        public bool IsArm { get; set; }
 
-        bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
+        bool IBuildActions.IsArm() => IsArm;
 
         string IBuildActions.PathCombine(params string[] parts)
         {
@@ -326,7 +326,7 @@ namespace Semmle.Autobuild.Cpp.Tests
         public void TestCppAutobuilderSuccess()
         {
             Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
-            Actions.RunProcess[@"cmd.exe /C scratch\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
             Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program^ Files^ ^(x86^)\Microsoft^ Visual^ Studio^ 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && msbuild C:\Project\test.sln /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"""] = 0;
             Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
             Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
@@ -337,11 +337,10 @@ namespace Semmle.Autobuild.Cpp.Tests
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = true;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
-            Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CPP_SCRATCH_DIR"] = "scratch";
             Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
             Actions.EnumerateDirectories[@"C:\Project"] = "";
-            Actions.CreateDirectories.Add(@"scratch\.nuget");
-            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"scratch\.nuget\nuget.exe"));
+            Actions.CreateDirectories.Add(@"C:\Project\.nuget");
+            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
 
             var autobuilder = CreateAutoBuilder(true);
             var solution = new TestSolution(@"C:\Project\test.sln");

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
     <Nullable>enable</Nullable>
@@ -11,12 +11,12 @@
   <ItemGroup>
     <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
     <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.6.2" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.4">
+    <PackageReference Include="xunit" Version="2.5.0" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.0">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.7.1" />
   </ItemGroup>
 
   <ItemGroup>

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
     <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
     <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
     <ApplicationIcon />
@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="17.8.3" />
+    <PackageReference Include="Microsoft.Build" Version="17.7.2" />
   </ItemGroup>
 
   <ItemGroup>

cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties

@@ -1,3 +0,0 @@
-description: Expose whether a function was prototyped or not
-compatibility: backwards
-function_prototyped.rel: delete

cpp/downgrades/4f9fabab5124d49108782c081579f45a70571d74/mangled_name.ql

@@ -1,11 +0,0 @@
-class Declaration extends @declaration {
-  string toString() { none() }
-}
-
-class MangledName extends @mangledname {
-  string toString() { none() }
-}
-
-from Declaration d, MangledName n
-where mangled_name(d, n, _)
-select d, n

cpp/downgrades/4f9fabab5124d49108782c081579f45a70571d74/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add completness information to mangled name table
-compatibility: full
-mangled_name.rel: run mangled_name.qlo

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/builtintypes.ql

@@ -1,19 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if
-    type instanceof @fp16 or
-    type instanceof @std_bfloat16 or
-    type instanceof @std_float16 or
-    type instanceof @complex_std_float32 or
-    type instanceof @complex_float32x or
-    type instanceof @complex_std_float64 or
-    type instanceof @complex_float64x or
-    type instanceof @complex_std_float128
-  then kind_new = 2
-  else kind_new = kind
-select type, name, kind_new, size, sign, alignment

cpp/downgrades/5b388693c66db1e7dc2e76a90aa67a2b6eb74f0f/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce new floating-point types from C23 and C++23
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/functions.ql

@@ -1,9 +0,0 @@
-class Function extends @function {
-  string toString() { none() }
-}
-
-from Function fun, string name, int kind, int kind_new
-where
-  functions(fun, name, kind) and
-  if kind = 7 or kind = 8 then kind_new = 0 else kind_new = kind
-select fun, name, kind_new

cpp/downgrades/7f34caf73ca98314885030cc5a22b6e328fe687c/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support more function types
-compatibility: full
-functions.rel: run functions.qlo

cpp/downgrades/8cba93a44180e0d50a80a660950800d822b981fc/upgrade.properties

@@ -1,2 +0,0 @@
-description: Removed @assignpaddexpr and @assignpsubexpr from @assign_bitwise_expr
-compatibility: full

cpp/downgrades/cf72c8898d19eb1b3374432cf79d8276cb07ad43/upgrade.properties

@@ -1,6 +1,5 @@
 description: Support C++17 if and switch initializers
 compatibility: partial
-constexpr_if_initialization.rel: delete
 if_initialization.rel: delete
 switch_initialization.rel: delete
 exprparents.rel: run exprparents.qlo

cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/attribute_args.ql

@@ -1,17 +0,0 @@
-class AttributeArg extends @attribute_arg {
-  string toString() { none() }
-}
-
-class Attribute extends @attribute {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-from AttributeArg arg, int kind, int kind_new, Attribute attr, int index, Location location
-where
-  attribute_args(arg, kind, attr, index, location) and
-  if arg instanceof @attribute_arg_expr then kind_new = 0 else kind_new = kind
-select arg, kind_new, attr, index, location

cpp/downgrades/d8149ca90e695fe26f9a0c5a7fa0edd6d4ea3f5d/upgrade.properties

@@ -1,4 +0,0 @@
-description: Support expression attribute arguments
-compatibility: partial
-attribute_arg_expr.rel: delete
-attribute_args.rel: run attribute_args.qlo

cpp/downgrades/dbe9c8eb5fc6f54b7ae08c7317d0795b24961564/upgrade.properties

@@ -1,2 +0,0 @@
-description: Make __is_trivial a builtin operation
-compatibility: full

cpp/downgrades/f79ce79e3b751aeeed59e594633ba5c07a27ef3e/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce extractor version numbers
-compatibility: breaking
-extractor_version.rel: delete

cpp/downgrades/fc81eb5a3a7cdde8d9ad813da1e8f1e90dadbb91/upgrade.properties

@@ -1,2 +0,0 @@
-description: Revert removal of uniqueness constraint on link_targets/2
-compatibility: backwards

cpp/ql/lib/BUILD.bazel

@@ -1,7 +1,7 @@
-load("@rules_pkg//:mappings.bzl", "pkg_files")
-
 package(default_visibility = ["//cpp:__pkg__"])
 
+load("@rules_pkg//:mappings.bzl", "pkg_files")
+
 pkg_files(
     name = "dbscheme",
     srcs = ["semmlecode.cpp.dbscheme"],

cpp/ql/lib/CHANGELOG.md

@@ -1,113 +1,3 @@
-## 0.12.5
-
-### New Features
-
-* Added the `PreprocBlock.qll` library to this repository.  This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
-* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.
-
-## 0.12.4
-
-### Minor Analysis Improvements
-
-* Deleted many deprecated predicates and classes with uppercase `XML`, `SSA`, `SAL`, `SQL`, etc. in their names. Use the PascalCased versions instead.
-* Deleted the deprecated `StrcatFunction` class, use `semmle.code.cpp.models.implementations.Strcat.qll` instead.
-
-## 0.12.3
-
-### Deprecated APIs
-
-* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
-
-### New Features
-
-* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
-
-### Minor Analysis Improvements
-
-* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
-* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
-* The deprecated `DefaultTaintTracking` library has been removed.
-* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
-
-### Bug Fixes
-
-* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
-
-## 0.12.2
-
-No user-facing changes.
-
-## 0.12.1
-
-### New Features
-
-* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
-
-## 0.12.0
-
-### Breaking Changes
-
-* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
-
-### Minor Analysis Improvements
-
-* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
-* Added models for `strlcpy` and `strlcat`.
-* Added models for the `sprintf` variants from the `StrSafe.h` header.
-* Added SQL API models for `ODBC`.
-* Added taint models for `realloc` and related functions.
-
-## 0.11.0
-
-### Breaking Changes
-
-* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
-
-### New Features
-
-* Added a new class `AdditionalCallTarget` for specifying additional call targets.
-
-### Minor Analysis Improvements
-
-* More field accesses are identified as `ImplicitThisFieldAccess`.
-* Added support for new floating-point types in C23 and C++23.
-
-## 0.10.1
-
-### Minor Analysis Improvements
-
-* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
-* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
-
-## 0.10.0
-
-### Minor Analysis Improvements
-
-* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
- non-returning in the IR and dataflow.
-* Treat functions that reach the end of the function as returning in the IR.
-  They used to be treated as unreachable but it is allowed in C. 
-* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
-
-## 0.9.3
-
-No user-facing changes.
-
-## 0.9.2
-
-### Deprecated APIs
-
-* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
-
-### New Features
-
-* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
-
-### Minor Analysis Improvements
-
-* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
-* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
-
 ## 0.9.1
 
 No user-facing changes.

cpp/ql/lib/DefaultOptions.qll

@@ -52,18 +52,17 @@ class Options extends string {
   /**
    * Holds if a call to this function will never return.
    *
-   * By default, this holds for `exit`, `_exit`, `_Exit`, `abort`,
-   * `__assert_fail`, `longjmp`, `__builtin_unreachable` and any
-   * function with a `noreturn` or `__noreturn__` attribute or
-   * `noreturn` specifier.
+   * By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
+   * `longjmp`, `__builtin_unreachable` and any function with a
+   * `noreturn` attribute or specifier.
    */
   predicate exits(Function f) {
-    f.getAnAttribute().hasName(["noreturn", "__noreturn__"])
+    f.getAnAttribute().hasName("noreturn")
     or
     f.getASpecifier().hasName("noreturn")
     or
     f.hasGlobalOrStdName([
-        "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
+        "exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
     or
     CustomOptions::exits(f) // old Options.qll

cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`

cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.

cpp/ql/lib/change-notes/2023-08-29-delete-ir.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.

cpp/ql/lib/change-notes/released/0.10.0.md

@@ -1,9 +0,0 @@
-## 0.10.0
-
-### Minor Analysis Improvements
-
-* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
- non-returning in the IR and dataflow.
-* Treat functions that reach the end of the function as returning in the IR.
-  They used to be treated as unreachable but it is allowed in C. 
-* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.

cpp/ql/lib/change-notes/released/0.10.1.md

@@ -1,6 +0,0 @@
-## 0.10.1
-
-### Minor Analysis Improvements
-
-* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
-* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

cpp/ql/lib/change-notes/released/0.11.0.md

@@ -1,14 +0,0 @@
-## 0.11.0
-
-### Breaking Changes
-
-* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
-
-### New Features
-
-* Added a new class `AdditionalCallTarget` for specifying additional call targets.
-
-### Minor Analysis Improvements
-
-* More field accesses are identified as `ImplicitThisFieldAccess`.
-* Added support for new floating-point types in C23 and C++23.

cpp/ql/lib/change-notes/released/0.12.0.md

@@ -1,13 +0,0 @@
-## 0.12.0
-
-### Breaking Changes
-
-* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
-
-### Minor Analysis Improvements
-
-* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
-* Added models for `strlcpy` and `strlcat`.
-* Added models for the `sprintf` variants from the `StrSafe.h` header.
-* Added SQL API models for `ODBC`.
-* Added taint models for `realloc` and related functions.

cpp/ql/lib/change-notes/released/0.12.1.md

@@ -1,5 +0,0 @@
-## 0.12.1
-
-### New Features
-
-* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.

cpp/ql/lib/change-notes/released/0.12.2.md

@@ -1,3 +0,0 @@
-## 0.12.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.3.md

@@ -1,20 +0,0 @@
-## 0.12.3
-
-### Deprecated APIs
-
-* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
-
-### New Features
-
-* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
-
-### Minor Analysis Improvements
-
-* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
-* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
-* The deprecated `DefaultTaintTracking` library has been removed.
-* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
-
-### Bug Fixes
-
-* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.

cpp/ql/lib/change-notes/released/0.12.4.md

@@ -1,6 +0,0 @@
-## 0.12.4
-
-### Minor Analysis Improvements
-
-* Deleted many deprecated predicates and classes with uppercase `XML`, `SSA`, `SAL`, `SQL`, etc. in their names. Use the PascalCased versions instead.
-* Deleted the deprecated `StrcatFunction` class, use `semmle.code.cpp.models.implementations.Strcat.qll` instead.

cpp/ql/lib/change-notes/released/0.12.5.md

@@ -1,6 +0,0 @@
-## 0.12.5
-
-### New Features
-
-* Added the `PreprocBlock.qll` library to this repository.  This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
-* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.

cpp/ql/lib/change-notes/released/0.9.2.md

@@ -1,14 +0,0 @@
-## 0.9.2
-
-### Deprecated APIs
-
-* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
-
-### New Features
-
-* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
-
-### Minor Analysis Improvements
-
-* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
-* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

cpp/ql/lib/change-notes/released/0.9.3.md

@@ -1,3 +0,0 @@
-## 0.9.3
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.5
+lastReleaseVersion: 0.9.1

cpp/ql/lib/experimental/cryptography/Concepts.qll

@@ -1,3 +0,0 @@
-import experimental.cryptography.CryptoArtifact
-import experimental.cryptography.CryptoAlgorithmNames
-import experimental.cryptography.modules.OpenSSL as OpenSSL

cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll

@@ -1,239 +0,0 @@
-/**
- * Names of known cryptographic algorithms.
- * The names are standardized into upper-case, no spaces, dashes or underscores.
- */
-
-/**
- * Returns a string to represent generally unknown algorithms.
- * Predicate is to be used to get a consistent string representation
- * for unknown algorithms.
- */
-string unknownAlgorithm() { result = "UNKNOWN" }
-
-string getHashType() { result = "HASH" }
-
-string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" }
-
-string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" }
-
-string getKeyDerivationType() { result = "KEY_DERIVATION" }
-
-string getCipherBlockModeType() { result = "BLOCK_MODE" }
-
-string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" }
-
-string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" }
-
-string getEllipticCurveType() { result = "ELLIPTIC_CURVE" }
-
-string getSignatureType() { result = "SIGNATURE" }
-
-string getKeyExchangeType() { result = "KEY_EXCHANGE" }
-
-string getAsymmetricType() {
-  result in [
-      getAsymmetricEncryptionType(), getSignatureType(), getKeyExchangeType(),
-      getEllipticCurveType()
-    ]
-}
-
-predicate isKnownType(string algType) {
-  algType in [
-      getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(),
-      getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(),
-      getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType()
-    ]
-}
-
-predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) }
-
-predicate isKnownAlgorithm(string name, string algType) {
-  isHashingAlgorithm(name) and algType = "HASH"
-  or
-  isEncryptionAlgorithm(name, algType) and
-  algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"]
-  or
-  isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION"
-  or
-  isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE"
-  or
-  isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"]
-  or
-  isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE"
-  or
-  isSignatureAlgorithm(name) and algType = "SIGNATURE"
-  or
-  isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE"
-}
-
-/**
- * Holds if `name` is a known hashing algorithm in the model/library.
- */
-predicate isHashingAlgorithm(string name) {
-  name =
-    [
-      "BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224",
-      "SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256",
-      "SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD",
-      "RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1",
-      "MDC2", "SIPHASH"
-    ]
-}
-
-predicate isEncryptionAlgorithm(string name, string algType) {
-  isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION"
-  or
-  isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION"
-}
-
-predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) }
-
-/**
- * Holds if `name` corresponds to a known symmetric encryption algorithm.
- */
-predicate isSymmetricEncryptionAlgorithm(string name) {
-  // NOTE: AES is meant to caputure all possible key lengths
-  name =
-    [
-      "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5",
-      "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20",
-      "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789",
-      "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012",
-      "GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES",
-      "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5",
-      "RC5", "MAGMA", "KUZNYECHIK"
-    ]
-}
-
-/**
- * Holds if `name` corresponds to a known key derivation algorithm.
- */
-predicate isKeyDerivationAlgorithm(string name) {
-  name =
-    [
-      "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF",
-      "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT",
-      "X963KDF", "EVPKDF"
-    ]
-}
-
-/**
- * Holds if `name` corresponds to a known cipher block mode
- */
-predicate isCipherBlockModeAlgorithm(string name) {
-  name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"]
-}
-
-/**
- * Holds if `name` corresponds to a known padding algorithm
- */
-predicate isPaddingAlgorithm(string name, string algType) {
-  isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING"
-  or
-  isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING"
-}
-
-/**
- * holds if `name` corresponds to a known symmetric padding algorithm
- */
-predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] }
-
-/**
- * Holds if `name` corresponds to a known asymmetric padding algorithm
- */
-predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] }
-
-predicate isBrainpoolCurve(string curveName, int keySize) {
-  // ALL BRAINPOOL CURVES
-  keySize in [160, 192, 224, 256, 320, 384, 512] and
-  (
-    curveName = "BRAINPOOLP" + keySize.toString() + "R1"
-    or
-    curveName = "BRAINPOOLP" + keySize.toString() + "T1"
-  )
-}
-
-predicate isSecCurve(string curveName, int keySize) {
-  // ALL SEC CURVES
-  keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and
-  exists(string suff | suff in ["R1", "R2", "K1"] |
-    curveName = "SECT" + keySize.toString() + suff or
-    curveName = "SECP" + keySize.toString() + suff
-  )
-}
-
-predicate isC2Curve(string curveName, int keySize) {
-  // ALL C2 CURVES
-  keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and
-  exists(string pre, string suff |
-    pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"]
-  |
-    curveName = "C2" + pre + keySize.toString() + suff
-  )
-}
-
-predicate isPrimeCurve(string curveName, int keySize) {
-  // ALL PRIME CURVES
-  keySize in [192, 239, 256] and
-  exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff)
-}
-
-predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) }
-
-/**
- * Holds if `name` corresponds to a known elliptic curve.
- */
-predicate isEllipticCurveAlgorithm(string curveName, int keySize) {
-  isSecCurve(curveName, keySize)
-  or
-  isBrainpoolCurve(curveName, keySize)
-  or
-  isC2Curve(curveName, keySize)
-  or
-  isPrimeCurve(curveName, keySize)
-  or
-  curveName = "ES256" and keySize = 256
-  or
-  curveName = "CURVE25519" and keySize = 255
-  or
-  curveName = "X25519" and keySize = 255
-  or
-  curveName = "ED25519" and keySize = 255
-  or
-  curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size
-  or
-  curveName = "ED448" and keySize = 448
-  or
-  curveName = "X448" and keySize = 448
-  or
-  curveName = "NUMSP256T1" and keySize = 256
-  or
-  curveName = "NUMSP384T1" and keySize = 384
-  or
-  curveName = "NUMSP512T1" and keySize = 512
-  or
-  curveName = "SM2" and keySize in [256, 512]
-}
-
-/**
- * Holds if `name` corresponds to a known signature algorithm.
- */
-predicate isSignatureAlgorithm(string name) {
-  name =
-    [
-      "DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256",
-      "ECDSA384", "ECDSA512"
-    ]
-}
-
-/**
- * Holds if `name` is a key exchange algorithm.
- */
-predicate isKeyExchangeAlgorithm(string name) {
-  name = ["ECDH", "DH", "DIFFIEHELLMAN", "X25519", "X448"]
-}
-
-/**
- * Holds if `name` corresponds to a known asymmetric encryption.
- */
-predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] }

cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll

@@ -1,316 +0,0 @@
-import cpp
-private import experimental.cryptography.CryptoAlgorithmNames
-import semmle.code.cpp.ir.dataflow.TaintTracking
-
-/*
- * A cryptographic artifact is a DataFlow::Node associated with some
- * operation, algorithm, or any other aspect of cryptography.
- */
-
-abstract class CryptographicArtifact extends Expr { }
-
-// /**
-//  * Associates a symmetric encryption algorithm with a block mode.
-//  * The DataFlow::Node representing this association should be the
-//  * point where the algorithm and block mode are combined.
-//  * This may be at the call to encryption or in the construction
-//  * of an object prior to encryption.
-//  */
-// abstract class SymmetricCipher extends CryptographicArtifact{
-//   abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
-//   abstract BlockMode getBlockMode();
-//   final predicate hasBlockMode(){
-//     exists(this.getBlockMode())
-//   }
-// }
-// /**
-//  * A cryptographic operation is a method call that invokes a cryptographic
-//  * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm
-//  * (key generation).
-//  *
-//  * Since operations are related to or in support of algorithms, operations must
-//  * provide a reference to their associated algorithm. Often operataions themselves
-//  * encapsulate algorithms, so operations can also extend CryptographicAlgorithm
-//  * and refer to themselves as the target algorithm.
-//  */
-// abstract class CryptographicOperation extends CryptographicArtifact, Call{
-//   // bindingset[paramName, ind]
-//   // final DataFlow::Node getParameterSource(int ind, string paramName){
-//   //   result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName))
-//   // }
-//   final string getAlgorithmName(){
-//     if exists(this.getAlgorithm().getName())
-//     then result = this.getAlgorithm().getName()
-//     else result = unknownAlgorithm()
-//   }
-//   final predicate hasAlgorithm(){
-//     exists(this.getAlgorithm())
-//   }
-//   final predicate isUnknownAlgorithm(){
-//     this.getAlgorithmName() = unknownAlgorithm()
-//     or
-//     not this.hasAlgorithm()
-//   }
-//   // TODO: this might have to be parameterized by a configuration source for
-//   //       situations where an operation is passed an algorithm
-//   abstract CryptographicAlgorithm getAlgorithm();
-// }
-// /** A key generation operation for asymmetric keys */
-// abstract class KeyGen extends CryptographicOperation{
-//   int getAKeySizeInBits(){
-//     result = getKeySizeInBits(_)
-//   }
-//   final predicate hasKeySize(Expr configSrc){
-//     exists(this.getKeySizeInBits(configSrc))
-//   }
-//   final predicate hasKeySize(){
-//     exists(this.getAKeySizeInBits())
-//   }
-//   abstract Expr getKeyConfigSrc();
-//   abstract int getKeySizeInBits(Expr configSrc);
-// }
-abstract class CryptographicOperation extends CryptographicArtifact, Call { }
-
-abstract class KeyGeneration extends CryptographicOperation {
-  // TODO: what if the algorithm is UNKNOWN?
-  abstract Expr getKeyConfigurationSource(CryptographicAlgorithm alg);
-
-  abstract CryptographicAlgorithm getAlgorithm();
-
-  int getKeySizeInBits(CryptographicAlgorithm alg) {
-    result = this.getKeyConfigurationSource(alg).(Literal).getValue().toInt()
-  }
-
-  predicate hasConstantKeySize(CryptographicAlgorithm alg) { exists(this.getKeySizeInBits(alg)) }
-
-  predicate hasKeyConfigurationSource(CryptographicAlgorithm alg) {
-    exists(this.getKeyConfigurationSource(alg))
-  }
-
-  Expr getAKeyConfigurationSource() { result = this.getKeyConfigurationSource(_) }
-}
-
-abstract class AsymmetricKeyGeneration extends KeyGeneration { }
-
-abstract class SymmetricKeyGeneration extends KeyGeneration { }
-
-/**
- * A cryptographic algorithm is a `CryptographicArtifact`
- * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`).
- * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5)
- * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")).
- * Cryptogrpahic algorithms may also be operations that wrap or abstract one or
- * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7).
- *
- * In principle, this class should model the location where an algorithm enters the program, not
- * necessarily where it is used.
- */
-abstract class CryptographicAlgorithm extends CryptographicArtifact {
-  abstract string getName();
-
-  abstract string getAlgType();
-
-  //  string getAlgType(){
-  //   if this instanceof HashAlgorithm then result = getHashType()
-  //   else if this instanceof KeyDerivationAlgorithm then result = getKeyDerivationType()
-  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricEncryptionType()
-  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricEncryptionType()
-  //   else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricPaddingType()
-  //   else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricPaddingType()
-  //   else if this instanceof EllipticCurveAlgorithm then result = getEllipticCurveType()
-  //   else if this instanceof BlockMode then result = getCipherBlockModeType()
-  //   else if this instanceof KeyExchangeAlgorithm then result = getKeyExchangeType()
-  //   else if this instanceof SigningAlgorithm then result = getSignatureType()
-  //   else result = unknownAlgorithm()
-  // }
-  // TODO: handle case where name isn't known, not just unknown?
-  /**
-   * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
-   * Subclassess should override for more api-specific normalization.
-   * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
-   */
-  bindingset[s]
-  string normalizeName(string s) {
-    exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
-      result = normStr and isKnownAlgorithm(result)
-      or
-      result = unknownAlgorithm() and not isKnownAlgorithm(normStr)
-    )
-  }
-
-  abstract Expr configurationSink();
-
-  predicate hasConfigurationSink() { exists(this.configurationSink()) }
-}
-
-abstract class HashAlgorithm extends CryptographicAlgorithm {
-  final string getHashName() {
-    if exists(string n | n = this.getName() and isHashingAlgorithm(n))
-    then isHashingAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  override string getAlgType() { result = getHashType() }
-}
-
-abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm {
-  final string getKDFName() {
-    if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n))
-    then isKeyDerivationAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  override string getAlgType() { result = getKeyDerivationType() }
-}
-
-// abstract class KeyDerivationOperation extends CryptographicOperation{
-//   DataFlow::Node getIterationSizeSrc(){
-//     none()
-//   }
-//   DataFlow::Node getSaltConfigSrc(){
-//     none()
-//   }
-//   DataFlow::Node getHashConfigSrc(){
-//     none()
-//   }
-//   // TODO: get encryption algorithm for CBC-based KDF?
-//   DataFlow::Node getDerivedKeySizeSrc(){
-//     none()
-//   }
-//   DataFlow::Node getModeSrc(){
-//     none()
-//   }
-//   // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type?
-//   abstract predicate requiresIteration();
-//   abstract predicate requiresSalt();
-//   abstract predicate requiresHash();
-//   //abstract predicate requiresKeySize(); // Going to assume all requires a size
-//   abstract predicate requiresMode();
-// }
-abstract class EncryptionAlgorithm extends CryptographicAlgorithm {
-  final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm }
-
-  final predicate isSymmetric() { not this.isAsymmetric() }
-  // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent
-  //       class does not have this common predicate.
-}
-
-/**
- * A parent class to represent any algorithm for which
- * asymmetric cryptography is involved.
- * Intended to be distinct from AsymmetricEncryptionAlgorithm
- * which is intended only for asymmetric algorithms that specifically encrypt.
- */
-abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { }
-
-/**
- * Algorithms directly or indirectly related to asymmetric encryption,
- * e.g., RSA, DSA, but also RSA padding algorithms
- */
-abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm {
-  final string getEncryptionName() {
-    if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n))
-    then isAsymmetricEncryptionAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  override string getAlgType() { result = getAsymmetricEncryptionType() }
-}
-
-/**
- * Algorithms directly or indirectly related to symmetric encryption,
- * e.g., AES, DES, but also block modes and padding
- */
-abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm {
-  final string getEncryptionName() {
-    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
-    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  // TODO: add a stream cipher predicate?
-  override string getAlgType() { result = getSymmetricEncryptionType() }
-}
-
-// Used only to categorize all padding into a single object,
-// DO_NOT add predicates here. Only for categorization purposes.
-abstract class PaddingAlgorithm extends CryptographicAlgorithm { }
-
-abstract class SymmetricPadding extends PaddingAlgorithm {
-  final string getPaddingName() {
-    if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n))
-    then isSymmetricPaddingAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  override string getAlgType() { result = getSymmetricPaddingType() }
-}
-
-abstract class AsymmetricPadding extends PaddingAlgorithm {
-  final string getPaddingName() {
-    if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n))
-    then isAsymmetricPaddingAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  override string getAlgType() { result = getAsymmetricPaddingType() }
-}
-
-abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm {
-  final string getCurveName() {
-    if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n))
-    then isEllipticCurveAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) }
-
-  override string getAlgType() { result = getEllipticCurveType() }
-}
-
-abstract class BlockModeAlgorithm extends CryptographicAlgorithm {
-  final string getBlockModeName() {
-    if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
-    then isCipherBlockModeAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  /**
-   * Gets the source of the IV configuration.
-   */
-  abstract Expr getIVorNonce();
-
-  final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
-
-  override string getAlgType() { result = getCipherBlockModeType() }
-}
-
-// abstract class KeyWrapOperation extends CryptographicOperation{
-// }
-abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm {
-  final string getAuthticatedEncryptionName() {
-    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
-    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-}
-
-abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm {
-  final string getKeyExchangeName() {
-    if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))
-    then isKeyExchangeAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  override string getAlgType() { result = getKeyExchangeType() }
-}
-
-abstract class SigningAlgorithm extends AsymmetricAlgorithm {
-  final string getSigningName() {
-    if exists(string n | n = this.getName() and isSignatureAlgorithm(n))
-    then isSignatureAlgorithm(result) and result = this.getName()
-    else result = unknownAlgorithm()
-  }
-
-  override string getAlgType() { result = getSignatureType() }
-}

cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll

@@ -1,718 +0,0 @@
-import cpp
-import experimental.cryptography.CryptoAlgorithmNames
-import experimental.cryptography.CryptoArtifact
-import experimental.cryptography.utils.OpenSSL.CryptoFunction
-import experimental.cryptography.utils.OpenSSL.AlgorithmSink
-import experimental.cryptography.utils.OpenSSL.PassthroughFunction
-import experimental.cryptography.utils.OpenSSL.CryptoAlgorithm
-import experimental.cryptography.CryptoArtifact
-// import semmle.code.cpp.ir.dataflow.TaintTracking
-import semmle.code.cpp.ir.dataflow.DataFlow
-
-/**
- *  Problematic case in OpenSSL speed.c
- *    static const char *names[ALGOR_NUM] = {
- *        "md2", "mdc2", "md4", "md5", "sha1", "rmd160",
- *        "sha256", "sha512", "whirlpool", "hmac(md5)",
- *        "des-cbc", "des-ede3", "rc4", "idea-cbc", "seed-cbc",
- *        "rc2-cbc", "rc5-cbc", "blowfish", "cast-cbc",
- *        "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
- *        "camellia-128-cbc", "camellia-192-cbc", "camellia-256-cbc",
- *        "evp", "ghash", "rand", "cmac"
- *    };
- *
- *    Every entry is considered a block mode, hash, and symmetric encryption algorithm
- *    getEncryptionName for example, will return unknown
- */
-predicate nodeToExpr(DataFlow::Node node, Expr e) {
-  e = node.asExpr() or e = node.asIndirectArgument()
-}
-
-Expr getExprFromNode(DataFlow::Node node) { nodeToExpr(node, result) }
-
-DataFlow::Node getNodeFromExpr(Expr e) { nodeToExpr(result, e) }
-
-predicate isEVP_PKEY_CTX(Type t) { t.getUnderlyingType().stripType().getName() = "evp_pkey_ctx_st" }
-
-/**
- * An expression representing an EVP_PKEY_CTX* at the location of a
- * known AlgorithmSinkArgument.
- * The EVP_PKEY_CTX* represents the location where the CTX is tied to the algorithm,
- * and can be used as a source for tracing EVP_PKEY_CTX to other operations.
- */
-class Known_EVP_PKEY_CTX_Ptr_Source extends Expr {
-  Known_EVP_PKEY_CTX_Ptr_Source() {
-    isEVP_PKEY_CTX(this.getUnderlyingType()) and
-    this.getUnderlyingType() instanceof PointerType and
-    exists(AlgorithmSinkArgument arg, Call sinkCall |
-      arg.getSinkCall() = sinkCall and
-      sinkCall.getAnArgument() = this
-      or
-      this = sinkCall
-    )
-  }
-}
-
-// module CTXFlow implements DataFlow::ConfigSig{
-//     predicate isSource(DataFlow::Node source) {
-//         // ASSUMPTION: at a sink, an algorithm is converted into a CTX through a return of the call only
-//         //             and is the primary source of interest for CTX tracing
-//         source.asExpr() instanceof AlgorithmSinkArgument
-//     }
-//     predicate isSink(DataFlow::Node sink){
-//         sink.asExpr() instanceof CTXSink
-//     }
-//     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-//         //  cls.getName() = "asn1_object_st" flow out on any EVP_PKEY_CTX which is "evp_pkey_ctx_st"
-//         exists(Call c |
-//             isEVP_PKEY_CTX(c.getUnderlyingType()) and
-//             node1.asExpr() = c.getAnArgument() and c = node2.asExpr())
-//     }
-// }
-// module CTXFlowConfig = DataFlow::Global<CTXFlow>;
-// TODO: currently only handles tracing from literals to sinks
-module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof Literal and
-    // Optimization to reduce literal tracing on integers to only those that are known/relevant NIDs.
-    (
-      exists(source.asExpr().getValue().toInt())
-      implies
-      source.asExpr().getValue().toInt() < getNIDMax()
-    ) and
-    // False positives observed inside OBJ_nid2* and OBJ_sn2* functions where NULL is a possible assignment.
-    // While this is a concern, it only occurs if the object being referenced is NULL to begin with
-    // Perhaps a different query should be used to find these caes if they represent a threat.
-    // Filter out any open ssl function source in a function namae Obj_*
-    // False positives in OpenSSL also observed for CRYPTO_strndup (filtering any CRYPTO_* function)
-    // due to setting a null byte in the string
-    (
-      isPossibleOpenSSLFunction(source.getEnclosingCallable())
-      implies
-      (
-        not source.getEnclosingCallable().getName().matches("OBJ_%") and
-        not source.getEnclosingCallable().getName().matches("CRYPTO_%")
-      )
-    )
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    // A sink is a call to a function that takes an algorithm as an argument
-    // must include checks for asIndirectArgument since the input may be a pointer to an object
-    // and the member of the object holds the algorithm on the trace.
-    getExprFromNode(sink) instanceof AlgorithmSinkArgument
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    knownPassThroughStep(node1, node2)
-  }
-
-  predicate isBarrier(DataFlow::Node node) {
-    // If the node is the 'next' argument of a isCallPassThrough, it is only allowed if it is an out parameter
-    // i.e., a defining argument. This barrier says that if the node is an expression not an out parameter, it is filtered.
-    // Out arguments will not be filtered.
-    exists(Call c | knownPassthoughCall(c, _, node.asExpr()) and c.getAnArgument() = node.asExpr())
-    or
-    // False positive reducer, don't flow out through argv
-    node.asVariable().hasName("argv")
-    or
-    node.asIndirectVariable().hasName("argv")
-  }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    // Assume a read on crypto identifying field for any object of type asn1_object_st (i.e., ASN1_OBJECT)
-    exists(Class cls | cls.getName() = "asn1_object_st" |
-      node.getType().getUnspecifiedType().stripType() = cls and
-      c.(DataFlow::FieldContent).getField() = cls.getAMember() and
-      c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]
-    )
-  }
-}
-
-module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;
-
-/**
- * `source` is an expression that is a source of an algorithm of type `algType`.
- * `algType` may be `UNKONWN`.
- *  See CryptoAlgorithmNames for other possible values of `algType`.
- */
-bindingset[sinkAlgType]
-predicate hasLiteralPathToAlgSink(DataFlow::Node source, DataFlow::Node sink, string sinkAlgType) {
-  LiteralAlgorithmTracer::flow(source, sink) and
-  getExprFromNode(sink).(AlgorithmSinkArgument).algType() = sinkAlgType
-}
-
-private predicate knownTracedAlgorithm(Literal e, string srcSinkType) {
-  knownTracedAlgorithm(e, srcSinkType, srcSinkType)
-}
-
-private predicate knownTracedAlgorithm(Literal e, string srcType, string sinkType) {
-  resolveAlgorithmFromLiteral(e, _, srcType) and
-  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
-  isKnownType(sinkType) and
-  isKnownType(srcType)
-}
-
-private predicate unknownTracedLiteralAlgorithm(Literal e, string srcSinkType) {
-  // Asymmetric special case:
-  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
-  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
-  if getAsymmetricType() = srcSinkType
-  then forall(string t | t = getAsymmetricType() | unknownTracedLiteralAlgorithm(e, t, srcSinkType))
-  else unknownTracedLiteralAlgorithm(e, srcSinkType, srcSinkType)
-}
-
-private predicate unknownTracedLiteralAlgorithm(Literal e, string srcType, string sinkType) {
-  // the literal resolves to an algorithm, but not to the sinktype
-  // or generally doesn't resolve to any algorithm type
-  // this case covers 'nonsense' cases e.g., use RSA for symmetric encryption
-  not resolveAlgorithmFromLiteral(e, _, srcType) and
-  isValidAlgorithmLiteral(e) and
-  hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
-  isKnownType(sinkType) and
-  isKnownType(srcType)
-}
-
-private predicate unknownTracedNonLiteralAlgorithm(AlgorithmSinkArgument e, string srcSinkType) {
-  // Asymmetric special case:
-  // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
-  // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
-  if getAsymmetricType() = srcSinkType
-  then
-    forall(string t | t = getAsymmetricType() | unknownTracedNonLiteralAlgorithm(e, t, srcSinkType))
-  else unknownTracedNonLiteralAlgorithm(e, srcSinkType, srcSinkType)
-}
-
-private predicate unknownTracedNonLiteralAlgorithm(
-  AlgorithmSinkArgument e, string srcType, string sinkType
-) {
-  not hasLiteralPathToAlgSink(_, getNodeFromExpr(e), srcType) and
-  LiteralAlgorithmTracerConfig::isSink(getNodeFromExpr(e)) and
-  e.algType() = sinkType and
-  isKnownType(srcType) and
-  isKnownType(sinkType)
-}
-
-private predicate functionAlgorithm(Call c, string algType) {
-  isOpenSSLCryptoFunctionCall(c, _, algType)
-}
-
-abstract class OpenSSLTracedAlgorithm extends CryptographicAlgorithm {
-  override string getName() { resolveAlgorithmFromLiteral(this, result, this.getAlgType()) }
-
-  override Expr configurationSink() {
-    exists(DataFlow::Node sink |
-      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
-    |
-      result = getExprFromNode(sink)
-    )
-  }
-}
-
-abstract class OpenSSLFunctionAlgorithm extends CryptographicAlgorithm {
-  override string getName() { isOpenSSLCryptoFunctionCall(this, result, this.getAlgType()) }
-
-  override Expr configurationSink() { result = this }
-}
-
-abstract class OpenSSLUnknownTracedLiteralAlgorithm extends CryptographicAlgorithm {
-  override string getName() { result = unknownAlgorithm() }
-
-  override Expr configurationSink() {
-    exists(DataFlow::Node sink |
-      hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
-    |
-      result = getExprFromNode(sink)
-    )
-  }
-}
-
-abstract class OpenSSLUnknownTracedNonLiteralAlgorithm extends CryptographicAlgorithm {
-  override string getName() { result = unknownAlgorithm() }
-
-  override Expr configurationSink() { result = this }
-}
-
-module SymmetricEncryption {
-  abstract class OpenSSLSymmetricEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { }
-
-  class OpenSSLSymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
-    OpenSSLSymmetricEncryptionAlgorithm
-  {
-    OpenSSLSymmetricEncryptionTracedAlgorithm() {
-      knownTracedAlgorithm(this, getSymmetricEncryptionType())
-    }
-  }
-
-  class OpenSSLSymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
-    OpenSSLSymmetricEncryptionAlgorithm
-  {
-    OpenSSLSymmetricEncryptionFunctionAlgorithm() {
-      functionAlgorithm(this, getSymmetricEncryptionType())
-    }
-  }
-
-  class OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
-    OpenSSLSymmetricEncryptionAlgorithm
-  {
-    OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm() {
-      unknownTracedLiteralAlgorithm(this, getSymmetricEncryptionType())
-    }
-  }
-
-  class OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
-    OpenSSLSymmetricEncryptionAlgorithm
-  {
-    OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
-      unknownTracedNonLiteralAlgorithm(this, getSymmetricEncryptionType())
-    }
-  }
-}
-
-module BlockModes {
-  /**
-   * In OpenSSL, block modes are associated directly with symmetric encryption algorithms.
-   * As such, OpenSSLBLockModes are modeled as extensions of any openssl symmetric encryption algorithm
-   */
-  class OpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
-  {
-    OpenSSLBlockModeAlgorithm() {
-      //two cases, either the block mode is a literal or it is a function call
-      resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE")
-      or
-      isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
-    }
-
-    override string getName() {
-      resolveAlgorithmFromLiteral(this, result, "BLOCK_MODE")
-      or
-      isOpenSSLCryptoFunctionCall(this, result, "BLOCK_MODE")
-    }
-
-    override Expr configurationSink() {
-      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
-    }
-
-    override Expr getIVorNonce() {
-      // TODO
-      none()
-    }
-  }
-
-  class UnknownOpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
-  {
-    UnknownOpenSSLBlockModeAlgorithm() {
-      //two cases, either the block mode is a literal or it is a function call
-      not resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE") and
-      not isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
-    }
-
-    override string getName() { result = unknownAlgorithm() }
-
-    override Expr configurationSink() {
-      result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
-    }
-
-    override Expr getIVorNonce() { none() }
-  }
-}
-
-module Hashes {
-  abstract class OpenSSLHashAlgorithm extends HashAlgorithm { }
-
-  class OpenSSLHashTracedAlgorithm extends OpenSSLTracedAlgorithm, OpenSSLHashAlgorithm {
-    OpenSSLHashTracedAlgorithm() { knownTracedAlgorithm(this, getHashType()) }
-  }
-
-  class OpenSSLHashFunctionAlgorithm extends OpenSSLFunctionAlgorithm, OpenSSLHashAlgorithm {
-    OpenSSLHashFunctionAlgorithm() { functionAlgorithm(this, getHashType()) }
-  }
-
-  class OpenSSLHashTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
-    OpenSSLHashAlgorithm
-  {
-    OpenSSLHashTracedUnknownLiteralAlgorithm() {
-      unknownTracedLiteralAlgorithm(this, getHashType())
-    }
-  }
-
-  class OpenSSLHashUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
-    OpenSSLHashAlgorithm
-  {
-    OpenSSLHashUnknownNonLiteralTracedAlgorithm() {
-      unknownTracedNonLiteralAlgorithm(this, getHashType())
-    }
-  }
-
-  class OpenSSLNullHash extends HashAlgorithm {
-    OpenSSLNullHash() {
-      exists(Call c |
-        this = c and
-        isPossibleOpenSSLFunction(c.getTarget()) and
-        c.getTarget().getName() in ["EVP_md_null"]
-      )
-    }
-
-    override string getName() { result = unknownAlgorithm() }
-
-    override Expr configurationSink() { result = this }
-  }
-}
-
-module EllipticCurves {
-  // TODO: need to address EVP_PKEY_Q_keygen where the type is "EC" but the curve is UNKNOWN?
-  class OpenSSLEllipticCurveTracedAlgorithm extends OpenSSLTracedAlgorithm, EllipticCurveAlgorithm {
-    OpenSSLEllipticCurveTracedAlgorithm() { knownTracedAlgorithm(this, getEllipticCurveType()) }
-  }
-
-  class OpenSSLEllipticCurveFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
-    EllipticCurveAlgorithm
-  {
-    OpenSSLEllipticCurveFunctionAlgorithm() { functionAlgorithm(this, getEllipticCurveType()) }
-  }
-
-  class OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
-    EllipticCurveAlgorithm
-  {
-    OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm() {
-      unknownTracedLiteralAlgorithm(this, getEllipticCurveType())
-    }
-  }
-
-  class OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
-    EllipticCurveAlgorithm
-  {
-    OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm() {
-      unknownTracedNonLiteralAlgorithm(this, getEllipticCurveType())
-    }
-  }
-
-  // https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_ex.html
-  class OpenSSLNullEllipticCurve extends EllipticCurveAlgorithm {
-    OpenSSLNullEllipticCurve() {
-      exists(Call c |
-        this = c and
-        isPossibleOpenSSLFunction(c.getTarget()) and
-        c.getTarget().getName() in ["EC_KEY_new", "EC_KEY_new_ex"]
-      )
-    }
-
-    override string getName() { result = unknownAlgorithm() }
-
-    override Expr configurationSink() { result = this }
-  }
-}
-
-module AsymmetricEncryption {
-  class OpenSSLAsymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
-    AsymmetricEncryptionAlgorithm
-  {
-    OpenSSLAsymmetricEncryptionTracedAlgorithm() {
-      knownTracedAlgorithm(this, getAsymmetricEncryptionType())
-    }
-  }
-
-  class OpenSSLAsymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
-    AsymmetricEncryptionAlgorithm
-  {
-    OpenSSLAsymmetricEncryptionFunctionAlgorithm() {
-      functionAlgorithm(this, getAsymmetricEncryptionType())
-    }
-  }
-
-  class OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
-    AsymmetricEncryptionAlgorithm
-  {
-    OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm() {
-      unknownTracedLiteralAlgorithm(this, getAsymmetricEncryptionType())
-    }
-  }
-
-  class OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
-    AsymmetricEncryptionAlgorithm
-  {
-    OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
-      unknownTracedNonLiteralAlgorithm(this, getAsymmetricEncryptionType())
-    }
-  }
-}
-
-module SigningAlgorithms {
-  class OpenSSLSignatureTracedAlgorithm extends OpenSSLTracedAlgorithm, SigningAlgorithm {
-    OpenSSLSignatureTracedAlgorithm() { knownTracedAlgorithm(this, getSignatureType()) }
-  }
-
-  class OpenSSLSignatureFunctionAlgorithm extends OpenSSLFunctionAlgorithm, SigningAlgorithm {
-    OpenSSLSignatureFunctionAlgorithm() { functionAlgorithm(this, getSignatureType()) }
-  }
-
-  class OpenSSLSignatureTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
-    SigningAlgorithm
-  {
-    OpenSSLSignatureTracedUnknownLiteralAlgorithm() {
-      unknownTracedLiteralAlgorithm(this, getSignatureType())
-    }
-  }
-
-  class OpenSSLSignatureUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
-    SigningAlgorithm
-  {
-    OpenSSLSignatureUnknownNonLiteralTracedAlgorithm() {
-      unknownTracedNonLiteralAlgorithm(this, getSignatureType())
-    }
-  }
-}
-
-module KeyExchange {
-  class OpenSSLKeyExchangeTracedAlgorithm extends OpenSSLTracedAlgorithm, KeyExchangeAlgorithm {
-    OpenSSLKeyExchangeTracedAlgorithm() { knownTracedAlgorithm(this, getKeyExchangeType()) }
-  }
-
-  class OpenSSLKeyExchangeFunctionAlgorithm extends OpenSSLFunctionAlgorithm, KeyExchangeAlgorithm {
-    OpenSSLKeyExchangeFunctionAlgorithm() { functionAlgorithm(this, getKeyExchangeType()) }
-  }
-
-  class OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
-    KeyExchangeAlgorithm
-  {
-    OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm() {
-      unknownTracedLiteralAlgorithm(this, getKeyExchangeType())
-    }
-  }
-
-  class OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
-    KeyExchangeAlgorithm
-  {
-    OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm() {
-      unknownTracedNonLiteralAlgorithm(this, getKeyExchangeType())
-    }
-  }
-}
-
-module KeyGeneration {
-  /**
-   * Functions that explicitly set key generation parameters.
-   * `sizeInd` is the parameter specifying the size of the key.
-   * `outInd` is the parameter or return value that the key is written to.
-   * `outInd` is -1 if the key is written to the return value.
-   */
-  predicate isAsymmetricKeyGenExplicitAlgorithm(Function func, int sizeInd, int outInd) {
-    isPossibleOpenSSLFunction(func) and
-    exists(string name | func.hasGlobalName(name) |
-      name in [
-          "EVP_PKEY_CTX_set_dsa_paramgen_bits", "DSA_generate_parameters_ex",
-          "EVP_PKEY_CTX_set_rsa_keygen_bits", "RSA_generate_key_ex", "RSA_generate_key_fips",
-          "EVP_PKEY_CTX_set_dh_paramgen_prime_len", "DH_generate_parameters_ex"
-        ] and
-      sizeInd = 1 and
-      outInd = 0
-      or
-      name in ["DSA_generate_parameters", "RSA_generate_key", "DH_generate_parameters"] and
-      sizeInd = 0 and
-      outInd = -1
-    ) and
-    exists(Type t |
-      (
-        if sizeInd = -1
-        then t = func.getType().getUnderlyingType()
-        else t = func.getParameter(sizeInd).getUnderlyingType()
-      ) and
-      t instanceof IntegralType and
-      not t instanceof CharType
-    )
-  }
-
-  module AsymExplicitAlgKeyLengthFlowConfig implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node node) {
-      // Optimizations to avoid tracing all integers
-      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
-      node.asExpr().(Literal).getValue().toInt() < 8500
-    }
-
-    predicate isSink(DataFlow::Node node) {
-      exists(FunctionCall c, int sizeInd |
-        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), sizeInd, _) and
-        c.getArgument(sizeInd) = node.asExpr()
-      )
-    }
-  }
-
-  module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;
-
-  class OpenSSLAsymmetricKeyGenTiedToAlgorithm extends AsymmetricKeyGeneration {
-    OpenSSLAsymmetricKeyGenTiedToAlgorithm() {
-      exists(Call c |
-        this = c and
-        isPossibleOpenSSLFunction(c.getTarget()) and
-        isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), _, _)
-      )
-    }
-
-    override CryptographicAlgorithm getAlgorithm() { result = this }
-
-    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
-      alg = this and
-      exists(int sizeInd |
-        isAsymmetricKeyGenExplicitAlgorithm(this.getTarget(), sizeInd, _) and
-        AsymExplicitAlgKeyLengthFlow::flow(DataFlow::exprNode(result),
-          DataFlow::exprNode(this.getArgument(sizeInd)))
-      )
-    }
-  }
-
-  module Length_to_RSA_EVP_PKEY_Q_keygen_Config implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node node) {
-      // Optimizations to avoid tracing all integers
-      node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
-      node.asExpr().(Literal).getValue().toInt() < 5000
-    }
-
-    predicate isSink(DataFlow::Node node) {
-      exists(FunctionCall c |
-        c.getTarget().getName() = "EVP_PKEY_Q_keygen" and
-        isPossibleOpenSSLFunction(c.getTarget()) and
-        c.getArgument(3) = node.asExpr()
-      )
-    }
-  }
-
-  module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =
-    DataFlow::Global<Length_to_RSA_EVP_PKEY_Q_keygen_Config>;
-
-  class OpenSSL_RSA_EVP_PKEY_Q_keygen extends AsymmetricKeyGeneration {
-    OpenSSL_RSA_EVP_PKEY_Q_keygen() {
-      exists(Call c |
-        this = c and
-        isPossibleOpenSSLFunction(c.getTarget()) and
-        this.getTarget().getName() = "EVP_PKEY_Q_keygen" and
-        this.getArgument(3).getUnderlyingType() instanceof IntegralType
-      )
-    }
-
-    override CryptographicAlgorithm getAlgorithm() {
-      result.configurationSink().(AlgorithmSinkArgument).getSinkCall() = this
-    }
-
-    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
-      alg = this.getAlgorithm() and
-      Length_to_RSA_EVP_PKEY_Q_keygen_Flow::flow(DataFlow::exprNode(result),
-        DataFlow::exprNode(this.getArgument(3)))
-    }
-  }
-
-  predicate isKeyGenOperationWithNoSize(Function func) {
-    isPossibleOpenSSLFunction(func) and
-    exists(string name | func.hasGlobalName(name) |
-      name in ["EVP_PKEY_keygen", "DSA_generate_key", "DH_generate_key", "EVP_PKEY_generate"]
-    )
-  }
-
-  module KeyGenKeySizeInitToKeyGenConfig implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node node) {
-      exists(Call c, Function func, int outInd |
-        isAsymmetricKeyGenExplicitAlgorithm(func, _, outInd) and
-        c.getTarget() = func
-      |
-        if outInd = -1 then node.asExpr() = c else node.asExpr() = c.getArgument(outInd)
-      )
-    }
-
-    predicate isSink(DataFlow::Node node) {
-      exists(Call c |
-        isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()
-      )
-    }
-  }
-
-  module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;
-
-  predicate isEVP_PKEY_CTX_Source(DataFlow::Node node, CryptographicAlgorithm alg) {
-    exists(Call c |
-      alg.configurationSink().(AlgorithmSinkArgument).getSinkCall() = c and
-      (
-        node.asExpr() = c
-        or
-        node.asExpr() = c.getAnArgument()
-        or
-        node.asDefiningArgument() = c.getAnArgument()
-      )
-    ) and
-    (
-      node.asExpr() instanceof Known_EVP_PKEY_CTX_Ptr_Source
-      or
-      node.asDefiningArgument() instanceof Known_EVP_PKEY_CTX_Ptr_Source
-    )
-  }
-
-  predicate isKeyGen_EVP_PKEY_CTX_Sink(DataFlow::Node node, Call c) {
-    isKeyGenOperationWithNoSize(c.getTarget()) and nodeToExpr(node, c.getAnArgument())
-  }
-
-  /**
-   * Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
-   * users can then extrapolatae the matching algorithm from the alg sink to the keygen
-   */
-  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
-
-    predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
-  }
-
-  module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
-    DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize>;
-
-  /**
-   * UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
-   * is it set on context prior to the call). No path from a key configuration to these operations
-   * means the key size is UNKNOWN, or more precisely the key size is DEFAULT but
-   * the defaults can change with each version of OpenSSL, we simply assume the size is generally UNKNOWN.
-   * ASSUMPTION/TODO: we currently model all known locations where a key size is set explicitly.
-   *                 When a key is set implicitly, this usually means a key generation operation
-   *                 is called where the operation takes in no key size, and no flow to this operation
-   *                 initializes the context with a key size.
-   *                 Currently, without a definitive source (set of sources) to start tracing from, we cannot determine
-   *                 determine if a single path exists that initializes the context with a key size and another that doesn't.
-   *                 Rather than attempt to model all possible sources, we assume that if no path
-   *                 from a key config location reaches a generic key generation operation, then the key size is not set.
-   *                 NOTE: while this is true, it is possible a key size is set in one path, but not in another
-   *                 meaning this approach (and other similar approaches used in this model for UNKNOWN)
-   *                 can produce false negatives.
-   */
-  class OpenSSLDefaultKeyGeneration extends AsymmetricKeyGeneration {
-    OpenSSLDefaultKeyGeneration() {
-      // this is a call to a function matching isKeyGenOperationWithNoSize
-      // and there is no flow from a key configuration source to this call
-      exists(Call c |
-        this = c and
-        isKeyGenOperationWithNoSize(this.getTarget()) and
-        not exists(DataFlow::Node src, DataFlow::Node sink |
-          KeyGenKeySizeInitToKeyGenFlow::flow(src, sink) and
-          nodeToExpr(sink, this.getAnArgument())
-        )
-      )
-    }
-
-    override CryptographicAlgorithm getAlgorithm() {
-      if this.getTarget().getName() in ["DSA_generate_key", "DH_generate_key"]
-      then result = this
-      else
-        // NOTE/ASSUMPTION: EVP_PKEY_keygen, EVP_PKEY_generate assume only other possibilities,
-        //        each take in a CTX as the first arg, need to trace from an alg sink from this CTX param
-        // get every alg sink, get the corresponding call, trace out on any CTX type variable
-        // to the key gen
-        // NOTE: looking for any cryptographic algorithm tracing to the keygen to handle
-        //  any odd cases we aren't awaare of where keygen can be used for other algorithm types
-        exists(DataFlow::Node src, DataFlow::Node sink |
-          EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow::flow(src, sink) and
-          isEVP_PKEY_CTX_Source(src, result) and
-          isKeyGen_EVP_PKEY_CTX_Sink(sink, this)
-          // TODO: what if there is no CTX source? then the keygen becomes an UNKNOWN sink
-        )
-    }
-
-    /**
-     * For this class, there is no known configuration source for any algorithm
-     */
-    override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { none() }
-  }
-}

cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll

@@ -1,296 +0,0 @@
-/**
- * Predicates/classes for identifying algorithm sinks.
- * An Algorithm Sink is a function that takes an algorithm as an argument.
- * In particular, any function that takes in an algorithm that until the call
- * the algorithm is not definitely known to be an algorithm (e.g., an integer used as an identifier to fetch an algorithm)
- */
-
-//TODO: enforce a hierarchy of AlgorithmSinkArgument, e.g., so I can get all Asymmetric SinkArguments that includes all the strictly RSA etc.
-import cpp
-import experimental.cryptography.utils.OpenSSL.LibraryFunction
-import experimental.cryptography.CryptoAlgorithmNames
-
-predicate isAlgorithmSink(AlgorithmSinkArgument arg, string algType) { arg.algType() = algType }
-
-abstract class AlgorithmSinkArgument extends Expr {
-  AlgorithmSinkArgument() {
-    exists(Call c | c.getAnArgument() = this and openSSLLibraryFunc(c.getTarget()))
-  }
-
-  /**
-   * Gets the function call in which the argument exists
-   */
-  Call getSinkCall() { result.getAnArgument() = this }
-
-  abstract string algType();
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
-predicate cipherAlgorithmSink(string funcName, int argInd) {
-  funcName in ["EVP_get_cipherbyname", "EVP_get_cipherbynid", "EVP_get_cipherbyobj"] and argInd = 0
-  or
-  funcName = "EVP_CIPHER_fetch" and argInd = 1
-}
-
-class CipherAlgorithmSink extends AlgorithmSinkArgument {
-  CipherAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      cipherAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = getSymmetricEncryptionType() }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_MAC_fetch
-predicate macAlgorithmSink(string funcName, int argInd) {
-  (funcName = "EVP_MAC_fetch" and argInd = 1)
-}
-
-class MACAlgorithmSink extends AlgorithmSinkArgument {
-  MACAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      macAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = "TBD" }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_MD_fetch
-predicate messageDigestAlgorithmSink(string funcName, int argInd) {
-  funcName in ["EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"] and argInd = 0
-  or
-  funcName = "EVP_MD_fetch" and argInd = 1
-}
-
-class MessageDigestAlgorithmSink extends AlgorithmSinkArgument {
-  MessageDigestAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      messageDigestAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = getHashType() }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_KEYEXCH_fetch
-// https://www.openssl.org/docs/manmaster/man3/EVP_KEM_fetch
-predicate keyExchangeAlgorithmSink(string funcName, int argInd) {
-  funcName = "EVP_KEYEXCH_fetch" and argInd = 1
-  or
-  funcName = "EVP_KEM_fetch" and argInd = 1
-}
-
-class KeyExchangeAlgorithmSink extends AlgorithmSinkArgument {
-  KeyExchangeAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      keyExchangeAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = getKeyExchangeType() }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_KEYMGMT_fetch
-predicate keyManagementAlgorithmSink(string funcName, int argInd) {
-  funcName = "EVP_KEYMGMT_fetch" and argInd = 1
-}
-
-class KeyManagementAlgorithmSink extends AlgorithmSinkArgument {
-  KeyManagementAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      keyManagementAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = "TBD" }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_KDF
-predicate keyDerivationAlgorithmSink(string funcName, int argInd) {
-  funcName = "EVP_KDF_fetch" and argInd = 1
-}
-
-class KeyDerivationAlgorithmSink extends AlgorithmSinkArgument {
-  KeyDerivationAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      keyDerivationAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = getKeyDerivationType() }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_ASYM_CIPHER_fetch
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new_CMAC_key.html
-predicate asymmetricCipherAlgorithmSink(string funcName, int argInd) {
-  funcName = "EVP_ASYM_CIPHER_fetch" and argInd = 1
-  or
-  funcName = "EVP_PKEY_new_CMAC_key" and argInd = 3
-  // NOTE: other cases are handled by AsymmetricAlgorithmSink
-}
-
-class AsymmetricCipherAlgorithmSink extends AlgorithmSinkArgument {
-  AsymmetricCipherAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      asymmetricCipherAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
-}
-
-class AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
-  AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen() {
-    exists(Call c, string funcName |
-      funcName = c.getTarget().getName() and
-      this = c.getArgument(3)
-    |
-      funcName = "EVP_PKEY_Q_keygen" and
-      c.getArgument(3).getType().getUnderlyingType() instanceof IntegralType
-    )
-  }
-
-  override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_RAND_fetch
-predicate randomAlgorithmSink(string funcName, int argInd) {
-  funcName = "EVP_RAND_fetch" and argInd = 1
-}
-
-class RandomAlgorithmSink extends AlgorithmSinkArgument {
-  RandomAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      randomAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = "TBD" }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_SIGNATURE_fetch
-predicate signatureAlgorithmSink(string funcName, int argInd) {
-  funcName = "EVP_SIGNATURE_fetch" and argInd = 1
-}
-
-class SignatureAlgorithmSink extends AlgorithmSinkArgument {
-  SignatureAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      signatureAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = getSignatureType() }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_by_curve_name.html
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.html
-predicate ellipticCurveAlgorithmSink(string funcName, int argInd) {
-  funcName in ["EC_KEY_new_by_curve_name", "EVP_EC_gen"] and argInd = 0
-  or
-  funcName = "EC_KEY_new_by_curve_name_ex" and argInd = 2
-  or
-  funcName in ["EVP_PKEY_CTX_set_ec_paramgen_curve_nid"] and argInd = 1
-}
-
-class EllipticCurveAlgorithmSink extends AlgorithmSinkArgument {
-  EllipticCurveAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      ellipticCurveAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = getEllipticCurveType() }
-}
-
-/**
- * Special cased to address the fact that arg index 3 (zero offset based) is the curve name.
- * ASSUMPTION: if the arg ind 3 is a char* assume it is an elliptic curve
- */
-class EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
-  EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen() {
-    exists(Call c, string funcName |
-      funcName = c.getTarget().getName() and
-      this = c.getArgument(3)
-    |
-      funcName = "EVP_PKEY_Q_keygen" and
-      c.getArgument(3).getType().getUnderlyingType() instanceof PointerType and
-      c.getArgument(3).getType().getUnderlyingType().stripType() instanceof CharType
-    )
-  }
-
-  override string algType() { result = getEllipticCurveType() }
-}
-
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id.html
-// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_new_raw_private_key.html
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_Q_keygen.html
-// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
-predicate asymmetricAlgorithmSink(string funcName, int argInd) {
-  funcName = "EVP_PKEY_CTX_new_id" and argInd = 0
-  or
-  funcName = "EVP_PKEY_CTX_new_from_name" and argInd = 1
-  or
-  funcName in [
-      "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key", "EVP_PKEY_new_mac_key"
-    ] and
-  argInd = 0
-  or
-  funcName in ["EVP_PKEY_new_raw_private_key_ex", "EVP_PKEY_new_raw_public_key_ex"] and argInd = 1
-  or
-  // special casing this as arg index 3 must be specified depending on if RSA or ECC, and otherwise not specified for other algs
-  // funcName = "EVP_PKEY_Q_keygen" and argInd = 2
-  funcName in ["EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"] and argInd = 1
-  // TODO consider void cases EVP_PKEY_new
-}
-
-class AsymmetricAlgorithmSink extends AlgorithmSinkArgument {
-  AsymmetricAlgorithmSink() {
-    exists(Call c, string funcName, int argInd |
-      funcName = c.getTarget().getName() and this = c.getArgument(argInd)
-    |
-      asymmetricAlgorithmSink(funcName, argInd)
-    )
-  }
-
-  override string algType() { result = getAsymmetricType() }
-}
-
-class AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
-  AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen() {
-    exists(Call c, string funcName |
-      funcName = c.getTarget().getName() and
-      this = c.getArgument(2)
-    |
-      funcName = "EVP_PKEY_Q_keygen" and
-      not exists(c.getArgument(3))
-    )
-  }
-
-  override string algType() { result = getAsymmetricType() }
-}