Merge branch 'main' into redsun82/kotlin-2.2.0-support

Bump golang.org/x/tools from 0.32.0 to 0.33.0 in /go/extractor in the extractor-dependencies group

MODULE.bazel

@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.3")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -193,10 +193,6 @@ use_repo(
     kotlin_extractor_deps,
     "codeql_kotlin_defaults",
     "codeql_kotlin_embeddable",
-    "kotlin-compiler-1.5.0",
-    "kotlin-compiler-1.5.10",
-    "kotlin-compiler-1.5.20",
-    "kotlin-compiler-1.5.30",
     "kotlin-compiler-1.6.0",
     "kotlin-compiler-1.6.20",
     "kotlin-compiler-1.7.0",
@@ -208,10 +204,7 @@ use_repo(
     "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-1.5.0",
-    "kotlin-compiler-embeddable-1.5.10",
-    "kotlin-compiler-embeddable-1.5.20",
-    "kotlin-compiler-embeddable-1.5.30",
+    "kotlin-compiler-2.2.0-Beta1",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -223,10 +216,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-stdlib-1.5.0",
-    "kotlin-stdlib-1.5.10",
-    "kotlin-stdlib-1.5.20",
-    "kotlin-stdlib-1.5.30",
+    "kotlin-compiler-embeddable-2.2.0-Beta1",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -238,6 +228,7 @@ use_repo(
     "kotlin-stdlib-2.0.20-Beta2",
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
+    "kotlin-stdlib-2.2.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.8
+version: 0.4.9-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/codeql-suites/actions-code-quality.qls

@@ -1 +1,3 @@
-[]
+- queries: .
+- apply: code-quality-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.0
+version: 0.6.1-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/integration-tests/header-variant-tests/clang-pch/a.c

@@ -0,0 +1,2 @@
+#include "a.h"
+#define FOUR 4

cpp/ql/integration-tests/header-variant-tests/clang-pch/c.c

@@ -0,0 +1,3 @@
+int main() {
+  return ONE + FOUR;
+}

cpp/ql/integration-tests/header-variant-tests/clang-pch/d.c

@@ -0,0 +1 @@
+#import "d.h"

cpp/ql/integration-tests/header-variant-tests/clang-pch/e.c

@@ -0,0 +1,3 @@
+int main() {
+  return SEVENTEEN;
+}

cpp/ql/integration-tests/header-variant-tests/clang-pch/f.c

@@ -0,0 +1,5 @@
+#if 1
+#pragma hdrstop
+extern int x;
+#define SEEN_F
+#endif

cpp/ql/integration-tests/header-variant-tests/clang-pch/g.c

@@ -0,0 +1,5 @@
+#ifdef SEEN_F
+static int g() {
+  return 20;
+}
+#endif

cpp/ql/integration-tests/header-variant-tests/clang-pch/h.c

@@ -0,0 +1,4 @@
+#include "h1.h"
+#pragma hdrstop
+#include "h2.h"
+#define SEEN_H

cpp/ql/integration-tests/header-variant-tests/clang-pch/i.c

@@ -13,4 +13,3 @@ static int h2() {
   return 32;
 }
 #endif
-// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/h.pch

cpp/ql/integration-tests/header-variant-tests/clang-pch/test.py

@@ -0,0 +1,17 @@
+import os
+
+
+def test(codeql, cpp):
+    os.mkdir("pch")
+    extractor = cpp.get_tool("extractor")
+    codeql.database.create(command=[
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/a.pch a.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/a.pch -Iextra_dummy_path b.c',
+        f'"{extractor}" --mimic-clang -include pch/a -Iextra_dummy_path c.c',
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/d.pch d.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/d.pch e.c',
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/f.pch f.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/f.pch g.c',
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/h.pch h.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/h.pch i.c',
+    ])

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/a.c

@@ -0,0 +1 @@
+#include "a.h"

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/b.c

@@ -0,0 +1,6 @@
+#pragma hdrstop
+#include "b.h"
+
+int b() {
+  return A;
+}

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/c.c

@@ -0,0 +1,6 @@
+#include "d.h"
+#include "c.h"
+
+int c() {
+  return A;
+}

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/test.py

@@ -0,0 +1,11 @@
+import os
+
+
+def test(codeql, cpp):
+    os.mkdir("pch")
+    extractor = cpp.get_tool("extractor")
+    codeql.database.create(command=[
+        f'"{extractor}" --mimic-cl /Yca.h /Fppch/a.pch a.c',
+        f'"{extractor}" --mimic-cl /Yub.h /Fppch/a.pch b.c',
+        f'"{extractor}" --mimic-cl /Yuc.h /Fppch/a.pch c.c',
+    ])

cpp/ql/integration-tests/query-suite/cpp-code-quality.qls.expected

@@ -0,0 +1 @@
+

cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected

@@ -0,0 +1,60 @@
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected

@@ -0,0 +1,181 @@
+ql/cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql
+ql/cpp/ql/src/Best Practices/ComplexCondition.ql
+ql/cpp/ql/src/Best Practices/Exceptions/AccidentalRethrow.ql
+ql/cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql
+ql/cpp/ql/src/Best Practices/Exceptions/LeakyCatch.ql
+ql/cpp/ql/src/Best Practices/Exceptions/ThrowingPointers.ql
+ql/cpp/ql/src/Best Practices/GuardedFree.ql
+ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesParameter.ql
+ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql
+ql/cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/Slicing.ql
+ql/cpp/ql/src/Best Practices/RuleOfTwo.ql
+ql/cpp/ql/src/Best Practices/SloppyGlobal.ql
+ql/cpp/ql/src/Best Practices/SwitchLongCase.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql
+ql/cpp/ql/src/Best Practices/UseOfGoto.ql
+ql/cpp/ql/src/Critical/DeadCodeGoto.ql
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/LargeParameter.ql
+ql/cpp/ql/src/Critical/MissingCheckScanf.ql
+ql/cpp/ql/src/Critical/NewArrayDeleteMismatch.ql
+ql/cpp/ql/src/Critical/NewDeleteArrayMismatch.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/SizeCheck.ql
+ql/cpp/ql/src/Critical/SizeCheck2.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Documentation/CommentedOutCode.ql
+ql/cpp/ql/src/Documentation/FixmeComments.ql
+ql/cpp/ql/src/Documentation/UncommentedFunction.ql
+ql/cpp/ql/src/Header Cleanup/Cleanup-DuplicateIncludeGuard.ql
+ql/cpp/ql/src/Likely Bugs/AmbiguouslySignedBitField.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/UnsignedGEZero.ql
+ql/cpp/ql/src/Likely Bugs/ContinueInFalseLoop.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.ql
+ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/TooManyFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/InconsistentCallOnResult.ql
+ql/cpp/ql/src/Likely Bugs/InconsistentCheckReturnNull.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/DubiousNullCheck.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/FutileConditional.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StackAddressEscapes.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/NestedLoopSameVar.ql
+ql/cpp/ql/src/Likely Bugs/OO/IncorrectConstructorDelegation.ql
+ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql
+ql/cpp/ql/src/Likely Bugs/OO/ThrowInDestructor.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/ReturnConstType.ql
+ql/cpp/ql/src/Likely Bugs/ReturnConstTypeMember.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.ql
+ql/cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 35.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 89.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 95.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 107.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql
+ql/cpp/ql/src/jsf/4.17 Types/AV Rule 148.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 166.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 196.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 197.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.ql

cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected

@@ -0,0 +1,97 @@
+ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/MissingCheckScanf.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/SizeCheck.ql
+ql/cpp/ql/src/Critical/SizeCheck2.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

cpp/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -0,0 +1,447 @@
+ql/cpp/ql/src/AlertSuppression.ql
+ql/cpp/ql/src/Architecture/FeatureEnvy.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/CyclicNamespaces.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/NamespaceDependencies.ql
+ql/cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql
+ql/cpp/ql/src/Architecture/InappropriateIntimacy.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/CyclomaticComplexity.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/JapaneseEraDate.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicNumbersUseConstant.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicStringsUseConstant.ql
+ql/cpp/ql/src/Best Practices/NVI.ql
+ql/cpp/ql/src/Best Practices/NVIHub.ql
+ql/cpp/ql/src/Best Practices/RuleOfThree.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedIncludes.ql
+ql/cpp/ql/src/Critical/DeadCodeCondition.ql
+ql/cpp/ql/src/Critical/DeadCodeFunction.ql
+ql/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+ql/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+ql/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+ql/cpp/ql/src/Critical/FileNeverClosed.ql
+ql/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+ql/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+ql/cpp/ql/src/Critical/InitialisationNotRun.ql
+ql/cpp/ql/src/Critical/LateNegativeTest.ql
+ql/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+ql/cpp/ql/src/Critical/MemoryNeverFreed.ql
+ql/cpp/ql/src/Critical/MissingNegativityTest.ql
+ql/cpp/ql/src/Critical/MissingNullTest.ql
+ql/cpp/ql/src/Critical/NotInitialised.ql
+ql/cpp/ql/src/Critical/OverflowCalculated.ql
+ql/cpp/ql/src/Critical/OverflowDestination.ql
+ql/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+ql/cpp/ql/src/Critical/ReturnValueIgnored.ql
+ql/cpp/ql/src/Critical/Unused.ql
+ql/cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql
+ql/cpp/ql/src/Documentation/DocumentApi.ql
+ql/cpp/ql/src/Documentation/TodoComments.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/ExitNonterminatingLoop.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/LoopBounds.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 04/Recursion.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 05/HeapMemory.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 07/ThreadSafety.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidNestedSemaphores.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidSemaphores.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/OutOfOrderLocks.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/ReleaseLocksWhenAcquired.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowGoto.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 12/EnumInitialization.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/ExternDeclsInHeader.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeLocalHidesGlobal.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 14/CheckingReturnValues.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 15/CheckingParameterValues.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsConstant.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsDensity.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsNonBoolean.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsSideEffect.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 18/CompoundExpressions.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 19/NoBooleanSideEffects.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUse.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseIfdef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUsePartial.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseUndisciplined.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 21/MacroInBlock.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 22/UseOfUndef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleStmtsPerLine.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleVarDeclsPerLine.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 25/FunctionSizeLimits.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 26/DeclarationPointerNesting.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 27/PointerDereferenceInStmt.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerDereferenceMacro.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerIndirectionTypedef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 31/IncludesFirst.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ConversionChangesSign.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql
+ql/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
+ql/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/BoolValueInBitOp.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/LogicalExprCouldBeSimplified.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/More64BitWaste.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
+ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.ql
+ql/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
+ql/cpp/ql/src/Likely Bugs/OO/VirtualCallInStructor.ql
+ql/cpp/ql/src/Likely Bugs/ShortLoopVarName.ql
+ql/cpp/ql/src/Metrics/Classes/CAfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Classes/CEfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadBugs.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadDifficulty.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadEffort.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadLength.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadVocabulary.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadVolume.ql
+ql/cpp/ql/src/Metrics/Classes/CInheritanceDepth.ql
+ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionCK.ql
+ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionHS.ql
+ql/cpp/ql/src/Metrics/Classes/CLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfFields.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfFunctions.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfStatements.ql
+ql/cpp/ql/src/Metrics/Classes/CPercentageOfComplexCode.ql
+ql/cpp/ql/src/Metrics/Classes/CResponse.ql
+ql/cpp/ql/src/Metrics/Classes/CSizeOfAPI.ql
+ql/cpp/ql/src/Metrics/Classes/CSpecialisation.ql
+ql/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+ql/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+ql/cpp/ql/src/Metrics/External/FileCompilationDisplayStrings.ql
+ql/cpp/ql/src/Metrics/External/FileCompilationSourceLinks.ql
+ql/cpp/ql/src/Metrics/Files/AutogeneratedLOC.ql
+ql/cpp/ql/src/Metrics/Files/ConditionalSegmentConditions.ql
+ql/cpp/ql/src/Metrics/Files/ConditionalSegmentLines.ql
+ql/cpp/ql/src/Metrics/Files/FAfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Files/FCommentRatio.ql
+ql/cpp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
+ql/cpp/ql/src/Metrics/Files/FDirectIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FEfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadBugs.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadDifficulty.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadEffort.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadLength.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadVocabulary.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadVolume.ql
+ql/cpp/ql/src/Metrics/Files/FLines.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfCommentedOutCode.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfComments.ql
+ql/cpp/ql/src/Metrics/Files/FMacroRatio.ql
+ql/cpp/ql/src/Metrics/Files/FNumberOfClasses.ql
+ql/cpp/ql/src/Metrics/Files/FNumberOfTests.ql
+ql/cpp/ql/src/Metrics/Files/FTimeInFrontend.ql
+ql/cpp/ql/src/Metrics/Files/FTodoComments.ql
+ql/cpp/ql/src/Metrics/Files/FTransitiveIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FunctionLength.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfFunctions.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfGlobals.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfParameters.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfPublicFunctions.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfPublicGlobals.ql
+ql/cpp/ql/src/Metrics/Functions/FunCyclomaticComplexity.ql
+ql/cpp/ql/src/Metrics/Functions/FunIterationNestingDepth.ql
+ql/cpp/ql/src/Metrics/Functions/FunLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Functions/FunLinesOfComments.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfCalls.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfParameters.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfStatements.ql
+ql/cpp/ql/src/Metrics/Functions/FunPercentageOfComments.ql
+ql/cpp/ql/src/Metrics/Functions/StatementNestingDepth.ql
+ql/cpp/ql/src/Metrics/Internal/ASTConsistency.ql
+ql/cpp/ql/src/Metrics/Internal/CallableDisplayStrings.ql
+ql/cpp/ql/src/Metrics/Internal/CallableExtents.ql
+ql/cpp/ql/src/Metrics/Internal/CallableSourceLinks.ql
+ql/cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql
+ql/cpp/ql/src/Metrics/Internal/IRConsistency.ql
+ql/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql
+ql/cpp/ql/src/Metrics/Internal/ReftypeDisplayStrings.ql
+ql/cpp/ql/src/Metrics/Internal/ReftypeSourceLinks.ql
+ql/cpp/ql/src/Metrics/Namespaces/AbstractNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/ConcreteNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighAfferentCouplingNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighDistanceFromMainLineNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighEfferentCouplingNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/StableNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/UnstableNamespaces.ql
+ql/cpp/ql/src/Microsoft/CallWithNullSAL.ql
+ql/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
+ql/cpp/ql/src/Microsoft/InconsistentSAL.ql
+ql/cpp/ql/src/PointsTo/Debug.ql
+ql/cpp/ql/src/PointsTo/PreparedStagedPointsTo.ql
+ql/cpp/ql/src/PointsTo/Stats.ql
+ql/cpp/ql/src/PointsTo/TaintedFormatStrings.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfGoto.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfJmp.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfRecursion.ql
+ql/cpp/ql/src/Power of 10/Rule 2/BoundedLoopIterations.ql
+ql/cpp/ql/src/Power of 10/Rule 2/ExitPermanentLoop.ql
+ql/cpp/ql/src/Power of 10/Rule 3/DynamicAllocAfterInit.ql
+ql/cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql
+ql/cpp/ql/src/Power of 10/Rule 4/OneStmtPerLine.ql
+ql/cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql
+ql/cpp/ql/src/Power of 10/Rule 5/AssertionSideEffect.ql
+ql/cpp/ql/src/Power of 10/Rule 5/ConstantAssertion.ql
+ql/cpp/ql/src/Power of 10/Rule 5/NonBooleanAssertion.ql
+ql/cpp/ql/src/Power of 10/Rule 6/GlobalCouldBeStatic.ql
+ql/cpp/ql/src/Power of 10/Rule 6/VariableScopeTooLarge.ql
+ql/cpp/ql/src/Power of 10/Rule 7/CheckArguments.ql
+ql/cpp/ql/src/Power of 10/Rule 7/CheckReturnValues.ql
+ql/cpp/ql/src/Power of 10/Rule 8/AvoidConditionalCompilation.ql
+ql/cpp/ql/src/Power of 10/Rule 8/PartialMacro.ql
+ql/cpp/ql/src/Power of 10/Rule 8/RestrictPreprocessor.ql
+ql/cpp/ql/src/Power of 10/Rule 8/UndisciplinedMacro.ql
+ql/cpp/ql/src/Power of 10/Rule 9/FunctionPointer.ql
+ql/cpp/ql/src/Power of 10/Rule 9/HiddenPointerIndirection.ql
+ql/cpp/ql/src/Power of 10/Rule 9/PointerNesting.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+ql/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
+ql/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
+ql/cpp/ql/src/definitions.ql
+ql/cpp/ql/src/experimental/Best Practices/UselessTest.ql
+ql/cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql
+ql/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
+ql/cpp/ql/src/experimental/Likely Bugs/DerefNullResult.ql
+ql/cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql
+ql/cpp/ql/src/external/examples/filters/BumpMetricBy10.ql
+ql/cpp/ql/src/external/examples/filters/EditDefectMessage.ql
+ql/cpp/ql/src/external/examples/filters/ExcludeGeneratedCode.ql
+ql/cpp/ql/src/filters/ClassifyFiles.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 1.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 2.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 3.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 11.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 12.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 13.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 14.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 9.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 17.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 18.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 19.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 20.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 21.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 22.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 25.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 26.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 27.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 28.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 29.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 30.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 31.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 33.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 39.ql
+ql/cpp/ql/src/jsf/4.08 Implementation Files/AV Rule 40.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 41.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 42.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 43.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 44.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 45.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 46.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 47.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 48.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 49.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 50.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 51.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 52.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.1.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 54.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 57.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 58.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 59.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 60.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 61.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 63.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 68.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 69.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 70.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 73.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 74.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 75.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 76.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 77.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 78.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 81.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 85.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 94.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.1.ql
+ql/cpp/ql/src/jsf/4.11 Namespaces/AV Rule 99.ql
+ql/cpp/ql/src/jsf/4.12 Templates/AV Rule 104.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 108.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 110.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 111.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 113.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 115.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 119.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 126.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 127.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 133.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 135.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 138.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 139.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 140.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 142.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 143.ql
+ql/cpp/ql/src/jsf/4.17 Types/AV Rule 147.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 149.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 150.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.1.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.ql
+ql/cpp/ql/src/jsf/4.19 Variables/AV Rule 152.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 154.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 155.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 156.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 157.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 158.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 159.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 160.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 162.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 163.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 164.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 170.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 171.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 175.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 176.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 178.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 179.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 180.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 181.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 182.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 184.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 185.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 186.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 187.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 188.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 190.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 191.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 192.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 193.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 194.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 195.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 198.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 199.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 200.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.1.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 205.ql
+ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 206.ql
+ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 207.ql
+ql/cpp/ql/src/jsf/4.27 Fault Handling/AV Rule 208.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 209.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 210.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 212.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 213.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 214.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 215.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

cpp/ql/integration-tests/query-suite/test.py

@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['cpp-code-quality.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, cpp, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, cpp, check_queries_not_included):
+    check_queries_not_included('cpp', well_known_query_suites)

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.3.0
+version: 4.3.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -31,4 +31,6 @@ module CppDataFlow implements InputSig<Location> {
   predicate viableImplInCallContext = Private::viableImplInCallContext/2;
 
   predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
+
+  int defaultFieldFlowBranchLimit() { result = 3 }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1652,8 +1652,6 @@ predicate validParameterAliasStep(Node node1, Node node2) {
   )
 }
 
-private predicate isTopLevel(Cpp::Stmt s) { any(Function f).getBlock().getAStmt() = s }
-
 private Cpp::Stmt getAChainedBranch(Cpp::IfStmt s) {
   result = s.getThen()
   or
@@ -1684,11 +1682,9 @@ private Instruction getAnInstruction(Node n) {
 }
 
 private newtype TDataFlowSecondLevelScope =
-  TTopLevelIfBranch(Cpp::Stmt s) {
-    exists(Cpp::IfStmt ifstmt | s = getAChainedBranch(ifstmt) and isTopLevel(ifstmt))
-  } or
+  TTopLevelIfBranch(Cpp::Stmt s) { s = getAChainedBranch(_) } or
   TTopLevelSwitchCase(Cpp::SwitchCase s) {
-    exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase() and isTopLevel(switchstmt))
+    exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase())
   }
 
 /**

cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql

@@ -44,6 +44,10 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
     ) and
     getFullyConvertedType(node) = state
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
+
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
 }
 
 /**

cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql

@@ -8,7 +8,7 @@
  * @security-severity 7.8
  * @precision high
  * @tags security
- *       external/cwe/cwe-14
+ *       external/cwe/cwe-014
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql

@@ -5,7 +5,7 @@
  *              to it.
  * @id cpp/count-untrusted-data-external-api
  * @kind table
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql

@@ -5,7 +5,7 @@
  *              to it.
  * @id cpp/count-untrusted-data-external-api-ir
  * @kind table
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql

@@ -6,7 +6,7 @@
  * @precision low
  * @problem.severity error
  * @security-severity 7.8
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql

@@ -6,7 +6,7 @@
  * @precision low
  * @problem.severity error
  * @security-severity 7.8
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/change-notes/2025-05-01-cwe-tag-changed.md

@@ -0,0 +1,9 @@
+---
+category: queryMetadata
+---
+* The tag `external/cwe/cwe-14` has been removed from `cpp/memset-may-be-deleted` and the tag `external/cwe/cwe-014` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/late-check-of-function-argument` and the tag `external/cwe/cwe-020` has been added.

cpp/ql/src/codeql-suites/cpp-code-quality.qls

@@ -1 +1,3 @@
-[]
+- queries: .
+- apply: code-quality-selectors.yml
+  from: codeql/suite-helpers

cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql

@@ -10,7 +10,7 @@
  * @tags correctness
  *       security
  *       experimental
- *       external/cwe/cwe-20
+ *       external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.9
+version: 1.3.10-dev
 groups:
   - cpp
   - queries

cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql

@@ -7,6 +7,7 @@
  */
 
 import internal.CaptureModels
+import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
 where flow = ContentSensitive::captureFlow(api, _)

cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql

@@ -7,6 +7,7 @@
  */
 
 import internal.CaptureModels
+import SummaryModels
 
 from DataFlowSummaryTargetApi api, string noflow
 where noflow = captureNeutral(api)

cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql

@@ -7,8 +7,8 @@
  */
 
 import internal.CaptureModels
-import Heuristic
+import SinkModels
 
 from DataFlowSinkTargetApi api, string sink
-where sink = captureSink(api)
+where sink = Heuristic::captureSink(api)
 select sink order by sink

cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql

@@ -7,8 +7,8 @@
  */
 
 import internal.CaptureModels
-import Heuristic
+import SourceModels
 
 from DataFlowSourceTargetApi api, string source
-where source = captureSource(api)
+where source = Heuristic::captureSource(api)
 select source order by source

cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

@@ -7,6 +7,7 @@
  */
 
 import internal.CaptureModels
+import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
 where flow = captureFlow(api, _)

cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -2,7 +2,7 @@
  * Provides predicates related to capturing summary models of the Standard or a 3rd party library.
  */
 
-private import cpp
+private import cpp as Cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.dataflow.ExternalFlow as ExternalFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
@@ -10,113 +10,67 @@ private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
-private import semmle.code.cpp.dataflow.new.TaintTracking
+private import semmle.code.cpp.dataflow.new.TaintTracking as Tt
+private import semmle.code.cpp.dataflow.new.DataFlow as Df
 private import codeql.mad.modelgenerator.internal.ModelGeneratorImpl
 
-module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFlow> {
+/**
+ * Holds if `f` is a "private" function.
+ *
+ * A "private" function does not contribute any models as it is assumed
+ * to be an implementation detail of some other "public" function for which
+ * we will generate a summary.
+ */
+private predicate isPrivateOrProtected(Cpp::Function f) {
+  f.getNamespace().getParentNamespace*().isAnonymous()
+  or
+  exists(Cpp::MemberFunction mf | mf = f |
+    mf.isPrivate()
+    or
+    mf.isProtected()
+  )
+  or
+  f.isStatic()
+}
+
+private predicate isUninterestingForModels(Callable api) {
+  // Note: This also makes all global/static-local variables
+  // not relevant (which is good!)
+  not api.(Cpp::Function).hasDefinition()
+  or
+  isPrivateOrProtected(api)
+  or
+  api instanceof Cpp::Destructor
+  or
+  api = any(Cpp::LambdaExpression lambda).getLambdaFunction()
+  or
+  api.isFromUninstantiatedTemplate(_)
+}
+
+private predicate relevant(Callable api) {
+  api.fromSource() and
+  not isUninterestingForModels(api)
+}
+
+module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Location, CppDataFlow>
+{
+  private module DataFlow = Df::DataFlow;
+
   class Type = DataFlowPrivate::DataFlowType;
 
   // Note: This also includes `this`
   class Parameter = DataFlow::ParameterNode;
 
-  class Callable = Declaration;
+  class Callable = Cpp::Declaration;
 
   class NodeExtended extends DataFlow::Node {
     Callable getAsExprEnclosingCallable() { result = this.asExpr().getEnclosingDeclaration() }
   }
 
-  Parameter asParameter(NodeExtended n) { result = n }
-
   Callable getEnclosingCallable(NodeExtended n) {
     result = n.getEnclosingCallable().asSourceCallable()
   }
 
-  Callable getAsExprEnclosingCallable(NodeExtended n) {
-    result = n.asExpr().getEnclosingDeclaration()
-  }
-
-  /** Gets `api` if it is relevant. */
-  private Callable liftedImpl(Callable api) { result = api and relevant(api) }
-
-  private predicate hasManualSummaryModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
-    api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
-  }
-
-  private predicate hasManualSourceModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::NeutralSourceCallable sc | sc.hasManualModel())
-  }
-
-  private predicate hasManualSinkModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::NeutralSinkCallable sc | sc.hasManualModel())
-  }
-
-  /**
-   * Holds if `f` is a "private" function.
-   *
-   * A "private" function does not contribute any models as it is assumed
-   * to be an implementation detail of some other "public" function for which
-   * we will generate a summary.
-   */
-  private predicate isPrivateOrProtected(Function f) {
-    f.getNamespace().getParentNamespace*().isAnonymous()
-    or
-    exists(MemberFunction mf | mf = f |
-      mf.isPrivate()
-      or
-      mf.isProtected()
-    )
-    or
-    f.isStatic()
-  }
-
-  private predicate isUninterestingForModels(Callable api) {
-    // Note: This also makes all global/static-local variables
-    // not relevant (which is good!)
-    not api.(Function).hasDefinition()
-    or
-    isPrivateOrProtected(api)
-    or
-    api instanceof Destructor
-    or
-    api = any(LambdaExpression lambda).getLambdaFunction()
-    or
-    api.isFromUninstantiatedTemplate(_)
-  }
-
-  private predicate relevant(Callable api) {
-    api.fromSource() and
-    not isUninterestingForModels(api)
-  }
-
-  class SummaryTargetApi extends Callable {
-    private Callable lift;
-
-    SummaryTargetApi() {
-      lift = liftedImpl(this) and
-      not hasManualSummaryModel(lift)
-    }
-
-    Callable lift() { result = lift }
-
-    predicate isRelevant() {
-      relevant(this) and
-      not hasManualSummaryModel(this)
-    }
-  }
-
-  class SourceOrSinkTargetApi extends Callable {
-    SourceOrSinkTargetApi() { relevant(this) }
-  }
-
-  class SinkTargetApi extends SourceOrSinkTargetApi {
-    SinkTargetApi() { not hasManualSinkModel(this) }
-  }
-
-  class SourceTargetApi extends SourceOrSinkTargetApi {
-    SourceTargetApi() { not hasManualSourceModel(this) }
-  }
-
   class InstanceParameterNode extends DataFlow::ParameterNode {
     InstanceParameterNode() {
       DataFlowPrivate::nodeHasInstruction(this,
@@ -124,7 +78,7 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
     }
   }
 
-  private predicate isFinalMemberFunction(MemberFunction mf) {
+  private predicate isFinalMemberFunction(Cpp::MemberFunction mf) {
     mf.isFinal()
     or
     mf.getDeclaringType().isFinal()
@@ -146,12 +100,12 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
    * - An uninstantiated template, or
    * - A declaration that is not from a template instantiation.
    */
-  private string templateParams(Declaration template) {
+  private string templateParams(Cpp::Declaration template) {
     exists(string params |
       params =
         concat(int i |
           |
-          template.getTemplateArgument(i).(TypeTemplateParameter).getName(), "," order by i
+          template.getTemplateArgument(i).(Cpp::TypeTemplateParameter).getName(), "," order by i
         )
     |
       if params = "" then result = "" else result = "<" + params + ">"
@@ -166,7 +120,7 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
    * - An uninstantiated template, or
    * - A declaration that is not from a template instantiation.
    */
-  private string params(Function functionTemplate) {
+  private string params(Cpp::Function functionTemplate) {
     exists(string params |
       params =
         concat(int i |
@@ -193,7 +147,7 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
     Callable callable, string namespace, string type, string name, string params
   ) {
     exists(
-      Function functionTemplate, string typeWithoutTemplateArgs, string nameWithoutTemplateArgs
+      Cpp::Function functionTemplate, string typeWithoutTemplateArgs, string nameWithoutTemplateArgs
     |
       functionTemplate = ExternalFlow::getFullyTemplatedFunction(callable) and
       functionTemplate.hasQualifiedName(namespace, typeWithoutTemplateArgs, nameWithoutTemplateArgs) and
@@ -201,7 +155,7 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
       name = nameWithoutTemplateArgs + templateParams(functionTemplate) and
       params = params(functionTemplate)
     |
-      exists(Class classTemplate |
+      exists(Cpp::Class classTemplate |
         classTemplate = functionTemplate.getDeclaringType() and
         type = typeWithoutTemplateArgs + templateParams(classTemplate)
       )
@@ -263,10 +217,10 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
 
   /** Holds if this instance access is to an enclosing instance of type `t`. */
   pragma[nomagic]
-  private predicate isEnclosingInstanceAccess(DataFlowPrivate::ReturnNode n, Class t) {
+  private predicate isEnclosingInstanceAccess(DataFlowPrivate::ReturnNode n, Cpp::Class t) {
     n.getKind().isIndirectReturn(-1) and
     t = n.getType().stripType() and
-    t != n.getEnclosingCallable().asSourceCallable().(Function).getDeclaringType()
+    t != n.getEnclosingCallable().asSourceCallable().(Cpp::Function).getDeclaringType()
   }
 
   pragma[nomagic]
@@ -275,24 +229,12 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
     not isEnclosingInstanceAccess(node, _)
   }
 
-  predicate sinkModelSanitizer(DataFlow::Node node) { none() }
-
-  predicate apiSource(DataFlow::Node source) {
-    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1)
-    or
-    source instanceof DataFlow::ParameterNode
-  }
-
-  string getInputArgument(DataFlow::Node source) {
-    exists(DataFlowPrivate::Position pos, int argumentIndex, int indirectionIndex |
-      source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
-      argumentIndex = pos.getArgumentIndex() and
-      indirectionIndex = pos.getIndirectionIndex() and
-      result = "Argument[" + DataFlow::repeatStars(indirectionIndex) + argumentIndex + "]"
+  DataFlowPrivate::ParameterPosition getReturnKindParamPosition(DataFlowPrivate::ReturnKind k) {
+    exists(int argumentIndex, int indirectionIndex |
+      k.isIndirectReturn(argumentIndex) and
+      k.getIndirectionIndex() = indirectionIndex and
+      result = DataFlowPrivate::TIndirectionPosition(argumentIndex, indirectionIndex)
     )
-    or
-    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1) and
-    result = qualifierString()
   }
 
   string getReturnValueString(DataFlowPrivate::ReturnKind k) {
@@ -306,18 +248,71 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
     )
   }
 
-  predicate irrelevantSourceSinkApi(Callable source, SourceTargetApi api) { none() }
-
-  bindingset[kind]
-  predicate isRelevantSourceKind(string kind) { any() }
-
-  bindingset[kind]
-  predicate isRelevantSinkKind(string kind) { any() }
-
   predicate containerContent(DataFlow::ContentSet cs) { cs instanceof DataFlow::ElementContent }
 
+  string partialModelRow(Callable api, int i) {
+    i = 0 and qualifiedName(api, result, _, _, _) // namespace
+    or
+    i = 1 and qualifiedName(api, _, result, _, _) // type
+    or
+    i = 2 and result = isExtensible(api) // extensible
+    or
+    i = 3 and qualifiedName(api, _, _, result, _) // name
+    or
+    i = 4 and qualifiedName(api, _, _, _, result) // parameters
+    or
+    i = 5 and result = "" and exists(api) // ext
+  }
+
+  string partialNeutralModelRow(Callable api, int i) {
+    i = 0 and qualifiedName(api, result, _, _, _) // namespace
+    or
+    i = 1 and qualifiedName(api, _, result, _, _) // type
+    or
+    i = 2 and qualifiedName(api, _, _, result, _) // name
+    or
+    i = 3 and qualifiedName(api, _, _, _, result) // parameters
+  }
+}
+
+private import ModelGeneratorCommonInput
+private import MakeModelGeneratorFactory<Cpp::Location, CppDataFlow, CppTaintTracking, ModelGeneratorCommonInput>
+
+private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
+  private module DataFlow = Df::DataFlow;
+
+  Parameter asParameter(NodeExtended n) { result = n }
+
+  Callable getAsExprEnclosingCallable(NodeExtended n) {
+    result = n.asExpr().getEnclosingDeclaration()
+  }
+
+  private predicate hasManualSummaryModel(Callable api) {
+    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
+    api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
+  }
+
+  /** Gets `api` if it is relevant. */
+  private Callable liftedImpl(Callable api) { result = api and relevant(api) }
+
+  class SummaryTargetApi extends Callable {
+    private Callable lift;
+
+    SummaryTargetApi() {
+      lift = liftedImpl(this) and
+      not hasManualSummaryModel(lift)
+    }
+
+    Callable lift() { result = lift }
+
+    predicate isRelevant() {
+      relevant(this) and
+      not hasManualSummaryModel(this)
+    }
+  }
+
   predicate isAdditionalContentFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    TaintTracking::defaultAdditionalTaintStep(node1, node2, _) and
+    Tt::TaintTracking::defaultAdditionalTaintStep(node1, node2, _) and
     not exists(DataFlow::Content f |
       DataFlowPrivate::readStep(node1, f, node2) and containerContent(f)
     )
@@ -333,7 +328,7 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
   predicate isCallback(DataFlow::ContentSet c) { none() }
 
   string getSyntheticName(DataFlow::ContentSet c) {
-    exists(Field f |
+    exists(Cpp::Field f |
       not f.isPublic() and
       f = c.(DataFlow::FieldContent).getField() and
       result = f.getName()
@@ -365,40 +360,52 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFl
       result = "Element[" + ec.getIndirectionIndex() + "]"
     )
   }
+}
 
-  predicate isUninterestingForDataFlowModels(Callable api) { none() }
-
-  predicate isUninterestingForHeuristicDataFlowModels(Callable api) {
-    isUninterestingForDataFlowModels(api)
+private module SourceModelGeneratorInput implements SourceModelGeneratorInputSig {
+  private predicate hasManualSourceModel(Callable api) {
+    api = any(FlowSummaryImpl::Public::NeutralSourceCallable sc | sc.hasManualModel())
   }
 
-  string partialModelRow(Callable api, int i) {
-    i = 0 and qualifiedName(api, result, _, _, _) // namespace
-    or
-    i = 1 and qualifiedName(api, _, result, _, _) // type
-    or
-    i = 2 and result = isExtensible(api) // extensible
-    or
-    i = 3 and qualifiedName(api, _, _, result, _) // name
-    or
-    i = 4 and qualifiedName(api, _, _, _, result) // parameters
-    or
-    i = 5 and result = "" and exists(api) // ext
-  }
-
-  string partialNeutralModelRow(Callable api, int i) {
-    i = 0 and qualifiedName(api, result, _, _, _) // namespace
-    or
-    i = 1 and qualifiedName(api, _, result, _, _) // type
-    or
-    i = 2 and qualifiedName(api, _, _, result, _) // name
-    or
-    i = 3 and qualifiedName(api, _, _, _, result) // parameters
+  class SourceTargetApi extends Callable {
+    SourceTargetApi() { relevant(this) and not hasManualSourceModel(this) }
   }
 
   predicate sourceNode = ExternalFlow::sourceNode/2;
+}
+
+private module SinkModelGeneratorInput implements SinkModelGeneratorInputSig {
+  private module DataFlow = Df::DataFlow;
+
+  private predicate hasManualSinkModel(Callable api) {
+    api = any(FlowSummaryImpl::Public::NeutralSinkCallable sc | sc.hasManualModel())
+  }
+
+  class SinkTargetApi extends Callable {
+    SinkTargetApi() { relevant(this) and not hasManualSinkModel(this) }
+  }
+
+  predicate apiSource(DataFlow::Node source) {
+    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1)
+    or
+    source instanceof DataFlow::ParameterNode
+  }
+
+  string getInputArgument(DataFlow::Node source) {
+    exists(DataFlowPrivate::Position pos, int argumentIndex, int indirectionIndex |
+      source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
+      argumentIndex = pos.getArgumentIndex() and
+      indirectionIndex = pos.getIndirectionIndex() and
+      result = "Argument[" + DataFlow::repeatStars(indirectionIndex) + argumentIndex + "]"
+    )
+    or
+    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1) and
+    result = qualifierString()
+  }
 
   predicate sinkNode = ExternalFlow::sinkNode/2;
 }
 
-import MakeModelGenerator<Location, CppDataFlow, CppTaintTracking, ModelGeneratorInput>
+import MakeSummaryModelGenerator<SummaryModelGeneratorInput> as SummaryModels
+import MakeSourceModelGenerator<SourceModelGeneratorInput> as SourceModels
+import MakeSinkModelGenerator<SinkModelGeneratorInput> as SinkModels

cpp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll

@@ -1,6 +1,6 @@
 private import cpp as Cpp
 private import codeql.mad.modelgenerator.internal.ModelPrinting
-private import CaptureModels::ModelGeneratorInput as ModelGeneratorInput
+private import CaptureModels::ModelGeneratorCommonInput as ModelGeneratorInput
 
 private module ModelPrintingLang implements ModelPrintingLangSig {
   class Callable = Cpp::Declaration;

cpp/ql/test/header-variant-tests/clang-pch/_.c

@@ -1,3 +0,0 @@
-// This file exists to ensure that the output subdirectory exists prior to
-// a.c being indexed, as said directory needs to exist for the PCH file to
-// be created, and will be created by running the extractor.

cpp/ql/test/header-variant-tests/clang-pch/a.c

@@ -1,3 +0,0 @@
-#include "a.h"
-#define FOUR 4
-// semmle-extractor-options: --clang -emit-pch -o ${testdir}/clang-pch.testproj/a.pch

cpp/ql/test/header-variant-tests/clang-pch/c.c

@@ -1,4 +0,0 @@
-int main() {
-  return ONE + FOUR;
-}
-// semmle-extractor-options: --clang -include ${testdir}/clang-pch.testproj/a -Iextra_dummy_path

cpp/ql/test/header-variant-tests/clang-pch/d.c

@@ -1,2 +0,0 @@
-#import "d.h"
-// semmle-extractor-options: --clang -emit-pch -o ${testdir}/clang-pch.testproj/d.pch

cpp/ql/test/header-variant-tests/clang-pch/e.c

@@ -1,4 +0,0 @@
-int main() {
-  return SEVENTEEN;
-}
-// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/d.pch

cpp/ql/test/header-variant-tests/clang-pch/f.c

@@ -1,6 +0,0 @@
-#if 1
-#pragma hdrstop
-extern int x;
-#define SEEN_F
-#endif
-// semmle-extractor-options: --clang -emit-pch -o ${testdir}/clang-pch.testproj/f.pch

cpp/ql/test/header-variant-tests/clang-pch/g.c

@@ -1,6 +0,0 @@
-#ifdef SEEN_F
-static int g() {
-  return 20;
-}
-#endif
-// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/f.pch

cpp/ql/test/header-variant-tests/clang-pch/h.c

@@ -1,5 +0,0 @@
-#include "h1.h"
-#pragma hdrstop
-#include "h2.h"
-#define SEEN_H
-// semmle-extractor-options: --clang -emit-pch -o ${testdir}/clang-pch.testproj/h.pch

cpp/ql/test/header-variant-tests/microsoft-pch/_.c

@@ -1,3 +0,0 @@
-// This file exists to ensure that the output subdirectory exists prior to
-// a.c being indexed, as said directory needs to exist for the PCH file to
-// be created, and will be created by running the extractor.

cpp/ql/test/header-variant-tests/microsoft-pch/a.c

@@ -1,2 +0,0 @@
-#include "a.h"
-// semmle-extractor-options: --microsoft /Yca.h /Fp${testdir}/microsoft-pch.testproj/a.pch

cpp/ql/test/header-variant-tests/microsoft-pch/b.c

@@ -1,7 +0,0 @@
-#pragma hdrstop
-#include "b.h"
-
-int b() {
-  return A;
-}
-// semmle-extractor-options: --microsoft /Yub.h /Fp${testdir}/microsoft-pch.testproj/a.pch

cpp/ql/test/header-variant-tests/microsoft-pch/c.c

@@ -1,7 +0,0 @@
-#include "d.h"
-#include "c.h"
-
-int c() {
-  return A;
-}
-// semmle-extractor-options: --microsoft /Yuc.h /Fp${testdir}/microsoft-pch.testproj/a.pch

cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql

@@ -1,5 +1,6 @@
 import cpp
 import utils.modelgenerator.internal.CaptureModels
+import SummaryModels
 import InlineModelsAsDataTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {

cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql

@@ -1,5 +1,6 @@
 import cpp
 import utils.modelgenerator.internal.CaptureModels
+import SummaryModels
 import InlineModelsAsDataTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {

cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp

@@ -131,6 +131,8 @@ namespace Models {
 
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;df-generated
 //heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;taint;df-generated
+//heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;df-generated
+//contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];Argument[*0];taint;dfc-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;dfc-generated
 //contentbased-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;value;dfc-generated
 int toplevel_function(int* p) {
@@ -199,3 +201,18 @@ int get_x_from_union(U* u) {
 void set_x_in_union(U* u, int x) {
     u->x = x;
 }
+
+struct HasInt {
+    int x;
+};
+
+//contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*0];taint;dfc-generated
+//contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*1];taint;dfc-generated
+//contentbased-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];value;dfc-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*0];taint;df-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[1];Argument[*1];taint;df-generated
+//heuristic-summary=;;true;copy_struct;(HasInt *,const HasInt *);;Argument[*1];Argument[*0];taint;df-generated
+int copy_struct(HasInt *out, const HasInt *in) {
+    *out = *in;
+    return 1;
+}

cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected

@@ -3,22 +3,13 @@ edges
 | test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b | provenance |  |
 | test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b | provenance |  |
 | test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b | provenance |  |
-| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d | provenance |  |
-| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d | provenance |  |
 | test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b | provenance |  |
-| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d | provenance |  |
 | test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b | provenance |  |
 | test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b | provenance |  |
-| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss | provenance |  |
-| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss | provenance |  |
 | test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b | provenance |  |
-| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss | provenance |  |
 | test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b | provenance |  |
 | test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b | provenance |  |
-| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 | provenance |  |
-| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 | provenance |  |
 | test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b | provenance |  |
-| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 | provenance |  |
 | test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b | provenance |  |
 nodes
 | test.cpp:26:29:26:29 | b | semmle.label | b |
@@ -41,18 +32,9 @@ subpaths
 | test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
 | test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:57:19:57:19 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
-| test.cpp:31:2:31:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
 | test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:57:19:57:19 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:58:25:58:25 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast |
-| test.cpp:35:2:35:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast |
 | test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast |

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected

@@ -11,6 +11,16 @@ edges
 | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | provenance |  |
 | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | provenance |  |
 | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | provenance |  |
+| test.cpp:243:7:243:7 | *s [post update] [i1, data] | test.cpp:248:6:248:6 | *s [i1, data] | provenance |  |
+| test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:243:10:243:11 | *i1 [post update] [data] | provenance |  |
+| test.cpp:243:10:243:11 | *i1 [post update] [data] | test.cpp:243:7:243:7 | *s [post update] [i1, data] | provenance |  |
+| test.cpp:248:6:248:6 | *s [i1, data] | test.cpp:248:9:248:10 | *i1 [data] | provenance |  |
+| test.cpp:248:9:248:10 | *i1 [data] | test.cpp:248:12:248:15 | data | provenance |  |
+| test.cpp:250:7:250:7 | *s [post update] [*i2, data] | test.cpp:255:6:255:6 | *s [*i2, data] | provenance |  |
+| test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:250:10:250:11 | *i2 [post update] [data] | provenance |  |
+| test.cpp:250:10:250:11 | *i2 [post update] [data] | test.cpp:250:7:250:7 | *s [post update] [*i2, data] | provenance |  |
+| test.cpp:255:6:255:6 | *s [*i2, data] | test.cpp:255:9:255:10 | *i2 [data] | provenance |  |
+| test.cpp:255:9:255:10 | *i2 [data] | test.cpp:255:13:255:16 | data | provenance |  |
 nodes
 | test.cpp:39:7:39:10 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test.cpp:41:6:41:9 | data | semmle.label | data |
@@ -35,6 +45,18 @@ nodes
 | test.cpp:209:6:209:9 | data | semmle.label | data |
 | test.cpp:216:9:216:9 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument |
 | test.cpp:217:6:217:6 | x | semmle.label | x |
+| test.cpp:243:7:243:7 | *s [post update] [i1, data] | semmle.label | *s [post update] [i1, data] |
+| test.cpp:243:7:243:16 | pointer to free output argument | semmle.label | pointer to free output argument |
+| test.cpp:243:10:243:11 | *i1 [post update] [data] | semmle.label | *i1 [post update] [data] |
+| test.cpp:248:6:248:6 | *s [i1, data] | semmle.label | *s [i1, data] |
+| test.cpp:248:9:248:10 | *i1 [data] | semmle.label | *i1 [data] |
+| test.cpp:248:12:248:15 | data | semmle.label | data |
+| test.cpp:250:7:250:7 | *s [post update] [*i2, data] | semmle.label | *s [post update] [*i2, data] |
+| test.cpp:250:7:250:17 | pointer to free output argument | semmle.label | pointer to free output argument |
+| test.cpp:250:10:250:11 | *i2 [post update] [data] | semmle.label | *i2 [post update] [data] |
+| test.cpp:255:6:255:6 | *s [*i2, data] | semmle.label | *s [*i2, data] |
+| test.cpp:255:9:255:10 | *i2 [data] | semmle.label | *i2 [data] |
+| test.cpp:255:13:255:16 | data | semmle.label | data |
 subpaths
 #select
 | test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
@@ -49,3 +71,5 @@ subpaths
 | test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free |
 | test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free |
 | test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete |
+| test.cpp:248:12:248:15 | data | test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:248:12:248:15 | data | Memory may have been previously freed by $@. | test.cpp:243:2:243:5 | call to free | call to free |
+| test.cpp:255:13:255:16 | data | test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:255:13:255:16 | data | Memory may have been previously freed by $@. | test.cpp:250:2:250:5 | call to free | call to free |

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp

@@ -134,7 +134,7 @@ void noReturnWrapper() { noReturn(); }
 
 void test9()
 {
-	char *data, *data2;
+	char *data;
 	free(data);
 	noReturnWrapper();
 	use_if_nonzero(data); // GOOD
@@ -229,3 +229,28 @@ void regression_test_for_static_var_handling()
 	data = (char *)malloc(100*sizeof(char));
 	use(data); // GOOD
 }
+
+struct myInnerStruct {
+	char *data;
+};
+
+struct myStruct {
+	myInnerStruct i1;
+	myInnerStruct *i2;
+};
+
+void malloc_after_free(myStruct *s) {
+	free(s->i1.data);
+	s->i1.data = (char *)malloc(100*sizeof(char));
+	if (s->i1.data == 0) {
+		return;
+	}
+	use(s->i1.data); // GOOD [FALSE POSITIVE]
+
+	free(s->i2->data);
+	s->i2->data = (char *)malloc(100*sizeof(char));
+	if (s->i2->data == 0) {
+		return;
+	}
+	use(s->i2->data); // GOOD [FALSE POSITIVE]
+}

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.39
+version: 1.7.40-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.39
+version: 1.7.40-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected

@@ -5,6 +5,7 @@ ql/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
 ql/csharp/ql/src/Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql
 ql/csharp/ql/src/Likely Bugs/Collections/ContainerSizeCmpZero.ql
 ql/csharp/ql/src/Likely Bugs/DangerousNonShortCircuitLogic.ql
+ql/csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql
 ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
 ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
 ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.1.5
+version: 5.1.6-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/API Abuse/FormatInvalid.ql

@@ -8,6 +8,7 @@
  * @id cs/invalid-string-formatting
  * @tags reliability
  *       maintainability
+ *       quality
  */
 
 import csharp

csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql

@@ -8,6 +8,7 @@
  * @id cs/local-not-disposed
  * @tags efficiency
  *       maintainability
+ *       quality
  *       external/cwe/cwe-404
  *       external/cwe/cwe-459
  *       external/cwe/cwe-460

csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql

@@ -9,6 +9,7 @@
  * @id cs/constant-condition
  * @tags maintainability
  *       readability
+ *       quality
  *       external/cwe/cwe-835
  */
 

csharp/ql/src/Configuration/PasswordInConfigurationFile.ql

@@ -7,7 +7,7 @@
  * @precision medium
  * @id cs/password-in-configuration
  * @tags security
- *       external/cwe/cwe-13
+ *       external/cwe/cwe-013
  *       external/cwe/cwe-256
  *       external/cwe/cwe-313
  */

csharp/ql/src/Dead Code/DeadStoreOfLocal.ql

@@ -6,6 +6,7 @@
  * @problem.severity warning
  * @id cs/useless-assignment-to-local
  * @tags maintainability
+ *       quality
  *       external/cwe/cwe-563
  * @precision very-high
  */

csharp/ql/src/Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql

@@ -9,6 +9,7 @@
  * @tags reliability
  *       correctness
  *       logic
+ *       quality
  *      external/cwe/cwe-193
  */
 

csharp/ql/src/Likely Bugs/Collections/ContainerSizeCmpZero.ql

@@ -8,6 +8,7 @@
  * @tags reliability
  *       correctness
  *       logic
+ *       quality
  */
 
 import csharp

csharp/ql/src/Likely Bugs/DangerousNonShortCircuitLogic.ql

@@ -9,6 +9,7 @@
  * @tags reliability
  *       correctness
  *       logic
+ *       quality
  *       external/cwe/cwe-480
  *       external/cwe/cwe-691
  */

csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql

@@ -5,10 +5,11 @@
  *              computation does not follow the standard rules of algebra.
  * @kind problem
  * @problem.severity warning
- * @precision medium
+ * @precision high
  * @id cs/equality-on-floats
  * @tags reliability
  *       correctness
+ *       quality
  */
 
 import csharp

csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql

@@ -7,6 +7,7 @@
  * @id cs/reference-equality-on-valuetypes
  * @tags reliability
  *       correctness
+ *       quality
  *       external/cwe/cwe-595
  */
 

csharp/ql/src/Likely Bugs/SelfAssignment.ql

@@ -8,6 +8,7 @@
  * @tags reliability
  *       correctness
  *       logic
+ *       quality
  */
 
 import csharp

csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql

@@ -7,6 +7,7 @@
  * @id cs/unchecked-cast-in-equals
  * @tags reliability
  *       maintainability
+ *       quality
  */
 
 import csharp

csharp/ql/src/Performance/UseTryGetValue.ql

@@ -6,7 +6,9 @@
  * @problem.severity recommendation
  * @precision high
  * @id cs/inefficient-containskey
- * @tags maintainability efficiency
+ * @tags maintainability
+ *       efficiency
+ *       quality
  */
 
 import csharp

csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql

@@ -10,7 +10,7 @@
  * @tags security
  *       maintainability
  *       frameworks/asp.net
- *       external/cwe/cwe-11
+ *       external/cwe/cwe-011
  *       external/cwe/cwe-532
  */
 

csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql

@@ -8,7 +8,7 @@
  * @id cs/web/large-max-request-length
  * @tags security
  *       frameworks/asp.net
- *       external/cwe/cwe-16
+ *       external/cwe/cwe-016
  */
 
 import csharp

csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql

@@ -8,7 +8,7 @@
  * @id cs/web/request-validation-disabled
  * @tags security
  *       frameworks/asp.net
- *       external/cwe/cwe-16
+ *       external/cwe/cwe-016
  */
 
 import csharp

csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql

@@ -5,7 +5,7 @@
  *              to it.
  * @id cs/count-untrusted-data-external-api
  * @kind table
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import csharp

csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql

@@ -7,7 +7,7 @@
  * @security-severity 7.8
  * @precision medium
  * @tags security
- *       external/cwe/cwe-20
+ *       external/cwe/cwe-020
  */
 
 import semmle.code.csharp.serialization.Serialization

csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql

@@ -6,7 +6,7 @@
  * @precision low
  * @problem.severity error
  * @security-severity 7.8
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import csharp

csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql

@@ -8,7 +8,7 @@
  * @precision high
  * @id cs/web/missing-global-error-handler
  * @tags security
- *       external/cwe/cwe-12
+ *       external/cwe/cwe-012
  *       external/cwe/cwe-248
  */
 

csharp/ql/src/Useless code/DefaultToString.ql

@@ -8,6 +8,7 @@
  * @id cs/call-to-object-tostring
  * @tags reliability
  *       maintainability
+ *       quality
  */
 
 import DefaultToStringQuery

csharp/ql/src/Useless code/IntGetHashCode.ql

@@ -8,6 +8,7 @@
  * @id cs/useless-gethashcode-call
  * @tags readability
  *       useless-code
+ *       quality
  */
 
 import csharp

csharp/ql/src/change-notes/2025-04-28-equality-on-floats-precision.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Changed the precision of the `cs/equality-on-floats` query from medium to high.

csharp/ql/src/change-notes/2025-05-01-cwe-tag-changed.md

@@ -0,0 +1,12 @@
+---
+category: queryMetadata
+---
+
+* The tag `external/cwe/cwe-13` has been removed from `cs/password-in-configuration` and the tag `external/cwe/cwe-013` has been added.
+* The tag `external/cwe/cwe-11` has been removed from `cs/web/debug-binary` and the tag `external/cwe/cwe-011` has been added.
+* The tag `external/cwe/cwe-16` has been removed from `cs/web/large-max-request-length` and the tag `external/cwe/cwe-016` has been added.
+* The tag `external/cwe/cwe-16` has been removed from `cs/web/request-validation-disabled` and the tag `external/cwe/cwe-016` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cs/count-untrusted-data-external-api` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cs/serialization-check-bypass` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cs/untrusted-data-to-external-api` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-12` has been removed from `cs/web/missing-global-error-handler` and the tag `external/cwe/cwe-012` has been added.