Add security-severity tags

Merge pull request #5683 from asgerf/js/typescript-template-literal-type-crash
Approved by erik-krogh
2026-05-18 05:07:06 +02:00 · 2021-04-15 17:47:23 +01:00 · 2021-04-15 05:11:11 -07:00 · 2021-04-15 12:39:34 +01:00 · 2021-04-15 10:16:46 +01:00 · 2021-04-15 09:37:57 +01:00
598 changed files with 6646 additions and 3225 deletions
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -0,0 +1,30 @@
+name: Mark stale issues
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+    if: github.repository == 'github/codeql'
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@v3
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `stale` label in order to avoid having this issue closed in 7 days.'
+        close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
+        days-before-stale: 14
+        days-before-close: 7
+        only-labels: question
+        
+        # do not mark PRs as stale
+        days-before-pr-stale: -1
+        days-before-pr-close: -1
+        
+        # Uncomment for dry-run
+        # debug-only: true
+        # operations-per-run: 1000
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -56,6 +56,10 @@
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
  ],
+  "DataFlow Java/C# Flow Summaries": [
+    "java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
+  ],
  "SsaReadPosition Java/C#": [
    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
--- a/Practices/Exceptions/LeakyCatch.ql
+++ b/Practices/Exceptions/LeakyCatch.ql
@@ -3,6 +3,7 @@
 * @description If an exception is allocated on the heap, then it should be deleted when caught.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @id cpp/catch-missing-free
 * @tags efficiency
--- a/Errors/OffsetUseBeforeRangeCheck.ql
+++ b/Errors/OffsetUseBeforeRangeCheck.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/offset-use-before-range-check
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+++ b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/inconsistent-nullness-testing
 * @problem.severity warning
+ * @problem.security-severity high
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/memory-may-not-be-freed
 * @problem.severity warning
+ * @problem.security-severity high
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MemoryNeverFreed.ql
+++ b/cpp/ql/src/Critical/MemoryNeverFreed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/memory-never-freed
 * @problem.severity warning
+ * @problem.security-severity high
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MissingNullTest.ql
+++ b/cpp/ql/src/Critical/MissingNullTest.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/missing-null-test
 * @problem.severity recommendation
+ * @problem.security-severity high
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/NewFreeMismatch.ql
+++ b/cpp/ql/src/Critical/NewFreeMismatch.ql
@@ -3,6 +3,7 @@
 * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @id cpp/new-free-mismatch
 * @tags reliability
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/overflow-calculated
 * @problem.severity warning
+ * @problem.security-severity critical
 * @tags reliability
 *       security
 *       external/cwe/cwe-131
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/overflow-destination
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision low
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -4,6 +4,7 @@
 *              may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/static-buffer-overflow
 * @tags reliability
--- a/cpp/ql/src/Critical/ReturnValueIgnored.ql
+++ b/cpp/ql/src/Critical/ReturnValueIgnored.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/return-value-ignored
 * @problem.severity recommendation
+ * @problem.security-severity critical
 * @precision medium
 * @tags reliability
 *       correctness
--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -4,6 +4,7 @@
 *              an instance of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/allocation-too-small
 * @tags reliability
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -4,6 +4,7 @@
 *              multiple instances of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/suspicious-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/use-after-free
 * @problem.severity warning
+ * @problem.security-severity high
 * @tags reliability
 *       security
 *       external/cwe/cwe-416
--- a/Bugs/AmbiguouslySignedBitField.ql
+++ b/Bugs/AmbiguouslySignedBitField.ql
@@ -7,6 +7,7 @@
 *              overflow.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @id cpp/ambiguously-signed-bit-field
 * @tags reliability
--- a/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+++ b/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
@@ -6,6 +6,7 @@
 *              to a larger type.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision very-high
 * @id cpp/bad-addition-overflow-check
 * @tags reliability
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -4,6 +4,7 @@
 *              be a sign that the result can overflow the type converted from.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @id cpp/integer-multiplication-cast-to-long
 * @tags reliability
--- a/Bugs/Conversion/CastArrayPointerArithmetic.ql
+++ b/Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -6,6 +6,7 @@
 *              use the width of the base type, leading to misaligned reads.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @tags correctness
 *       reliability
--- a/Bugs/Format/NonConstantFormat.ql
+++ b/Bugs/Format/NonConstantFormat.ql
@@ -6,6 +6,7 @@
 *              from an untrusted source, this can be used for exploits.
 * @kind problem
 * @problem.severity recommendation
+ * @problem.security-severity critical
 * @precision high
 * @id cpp/non-constant-format
 * @tags maintainability
--- a/Bugs/InconsistentCallOnResult.ql
+++ b/Bugs/InconsistentCallOnResult.ql
@@ -3,6 +3,7 @@
 * @description A function is called, and the same operation is usually performed on the return value - for example, free, delete, close etc. However, in some cases it is not performed. These unusual cases may indicate misuse of the API and could cause resource leaks.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity critical
 * @precision medium
 * @id cpp/inconsistent-call-on-result
 * @tags reliability
--- a/Bugs/InconsistentCheckReturnNull.ql
+++ b/Bugs/InconsistentCheckReturnNull.ql
@@ -6,6 +6,7 @@
 *              omitting the check could crash the program.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/inconsistent-null-check
 * @tags reliability
--- a/Typos/inconsistentLoopDirection.ql
+++ b/Typos/inconsistentLoopDirection.ql
@@ -3,6 +3,7 @@
 * @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision high
 * @id cpp/inconsistent-loop-direction
 * @tags correctness
--- a/Management/AllocaInLoop.ql
+++ b/Management/AllocaInLoop.ql
@@ -3,6 +3,7 @@
 * @description Using alloca in a loop can lead to a stack overflow
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @id cpp/alloca-in-loop
 * @tags reliability
--- a/Management/ImproperNullTermination.ql
+++ b/Management/ImproperNullTermination.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/improper-null-termination
 * @problem.severity warning
+ * @problem.security-severity high
 * @tags security
 *       external/cwe/cwe-170
 *       external/cwe/cwe-665
--- a/Management/StrncpyFlippedArgs.ql
+++ b/Management/StrncpyFlippedArgs.ql
@@ -4,6 +4,7 @@
 *              as the third argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/bad-strncpy-size
 * @tags reliability
--- a/Management/SuspiciousCallToStrncat.ql
+++ b/Management/SuspiciousCallToStrncat.ql
@@ -4,6 +4,7 @@
 *              as the third argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/unsafe-strncat
 * @tags reliability
--- a/Management/UninitializedLocal.ql
+++ b/Management/UninitializedLocal.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/uninitialized-local
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @tags security
 *       external/cwe/cwe-665
--- a/Management/UnsafeUseOfStrcat.ql
+++ b/Management/UnsafeUseOfStrcat.ql
@@ -4,6 +4,7 @@
 *              may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity critical
 * @precision medium
 * @id cpp/unsafe-strcat
 * @tags reliability
--- a/Bugs/RedundantNullCheckSimple.ql
+++ b/Bugs/RedundantNullCheckSimple.ql
@@ -5,6 +5,7 @@
 *              it should be moved before the dereference.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @id cpp/redundant-null-check-simple
 * @tags reliability
 *       correctness
--- a/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
+++ b/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/ignore-return-value-sal
 * @problem.severity warning
+ * @problem.security-severity critical
 * @tags reliability
 *       external/cwe/cwe-573
 *       external/cwe/cwe-252
--- a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
+ * @problem.security-severity high
 * @tags security external/cwe/cwe-20
 */

--- a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
+ * @problem.security-severity high
 * @tags security external/cwe/cwe-20
 */

--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -4,6 +4,7 @@
 *              attacker to access unexpected resources.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/path-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -5,6 +5,7 @@
 *              to command injection.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision low
 * @id cpp/command-line-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,6 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
+ * @problem.security-severity medium
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -5,6 +5,7 @@
 *              to SQL Injection.
 * @kind path-problem
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision high
 * @id cpp/sql-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -5,6 +5,7 @@
 *              commands.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/uncontrolled-process-operation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/overflow-buffer
 * @problem.severity recommendation
+ * @problem.security-severity high
 * @tags security
 *       external/cwe/cwe-119
 *       external/cwe/cwe-121
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -5,6 +5,7 @@
 *              overflow.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision high
 * @id cpp/badly-bounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -4,6 +4,7 @@
 *              of data written may overflow.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision medium
 * @id cpp/overrunning-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -5,6 +5,7 @@
 *              take extreme values.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision medium
 * @id cpp/overrunning-write-with-float
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -4,6 +4,7 @@
 *              of data written may overflow.
 * @kind path-problem
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision medium
 * @id cpp/unbounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -5,6 +5,7 @@
 *              a specific value to terminate the argument list.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity critical
 * @precision medium
 * @id cpp/unterminated-variadic-call
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/unclear-array-index-validation
 * @problem.severity warning
+ * @problem.security-severity critical
 * @tags security
 *       external/cwe/cwe-129
 */
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -5,6 +5,7 @@
 *              terminator can cause a buffer overrun.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision high
 * @id cpp/no-space-for-terminator
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -5,6 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity critical
 * @precision high
 * @id cpp/tainted-format-string
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -5,6 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity critical
 * @precision high
 * @id cpp/tainted-format-string-through-global
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/user-controlled-null-termination-tainted
 * @problem.severity warning
+ * @problem.security-severity medium
 * @tags security
 *       external/cwe/cwe-170
 */
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -4,6 +4,7 @@
 *              not validated can cause overflows.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision low
 * @id cpp/tainted-arithmetic
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,6 +4,7 @@
 *              validated can cause overflows.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/uncontrolled-arithmetic
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/arithmetic-with-extreme-values
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision low
 * @tags security
 *       reliability
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -5,6 +5,7 @@
 * @id cpp/comparison-with-wider-type
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @tags reliability
 *       security
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/integer-overflow-tainted
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision low
 * @tags security
 *       external/cwe/cwe-190
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -4,6 +4,7 @@
 *              user can result in integer overflow.
 * @kind path-problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/uncontrolled-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/unsigned-difference-expression-compared-zero
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @tags security
 *       correctness
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -5,6 +5,7 @@
 *              vulnerable to spoofing attacks.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/user-controlled-bypass
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -4,6 +4,7 @@
 *              to an attacker.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/cleartext-storage-buffer
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -4,6 +4,7 @@
 *              an attacker to compromise security.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/weak-cryptographic-algorithm
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
@@ -4,6 +4,7 @@
 *              attackers to retrieve portions of memory.
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision very-high
 * @id cpp/openssl-heartbleed
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -5,6 +5,7 @@
 *              the two operations.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/toctou-race-condition
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -4,6 +4,7 @@
 * @id cpp/unsafe-create-process-call
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision medium
 * @msrc.severity important
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-string-type-conversion
 * @problem.severity error
+ * @problem.security-severity critical
 * @precision high
 * @tags security
 *       external/cwe/cwe-704
--- a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
@@ -3,6 +3,7 @@
 * @description Creating a file that is world-writable can allow an attacker to write to the file.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @id cpp/world-writable-file-creation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -7,6 +7,7 @@
 * @id cpp/unsafe-dacl-security-descriptor
 * @kind problem
 * @problem.severity error
+ * @problem.security-severity high
 * @precision high
 * @tags security
 *       external/cwe/cwe-732
--- a/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/infinite-loop-with-unsatisfiable-exit-condition
 * @problem.severity warning
+ * @problem.security-severity high
 * @tags security
 *       external/cwe/cwe-835
 */
--- a/Bugs/RedundantNullCheckParam.ql
+++ b/Bugs/RedundantNullCheckParam.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/redundant-null-check-param
 * @problem.severity recommendation
+ * @problem.security-severity high
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/late-check-of-function-argument
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @tags correctness
 *       security
--- a/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
@@ -3,6 +3,7 @@
 * @description Use of one of the scanf functions without a specified length.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity critical
 * @id cpp/memory-unsafe-function-scan
 * @tags reliability
 *       security
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -3,6 +3,7 @@
 * @description Using a multiplication result that may overflow in the size of an allocation may lead to buffer overflows when the allocated memory is used.
 * @kind path-problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision low
 * @tags security
 *       correctness
--- a/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
@@ -6,6 +6,7 @@
 *                from these methods is not checked.
 * @kind problem
 * @problem.severity recommendation
+ * @problem.security-severity critical
 * @id cpp/drop-linux-privileges-outoforder
 * @tags security
 *       external/cwe/cwe-273
--- a/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/memory-leak-on-failed-call-to-realloc
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision medium
 * @tags correctness
 *       security
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.c
@@ -0,0 +1,4 @@
+if(len>0 & memset(buf,0,len)) return 1; // BAD: `memset` will be called regardless of the value of the `len` variable. moreover, one cannot be sure that it will happen after verification
+...
+if(len>0 && memset(buf,0,len)) return 1; // GOOD: `memset` will be called after the `len` variable has been checked.
+...
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Using bitwise operations can be a mistake in some situations. For example, if parameters are evaluated in an expression and the function should be called only upon certain test results. These bitwise operations look suspicious and require developer attention.</p>
+
+
+</overview>
+<recommendation>
+
+<p>We recommend that you evaluate the correctness of using the specified bit operations.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates the erroneous and fixed use of bit and logical operations.</p>
+<sample src="InsufficientControlFlowManagementWhenUsingBitOperations.c" />
+
+</example>
+<references>
+
+<li>
+  CWE Common Weakness Enumeration:
+  <a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
+</li>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
@@ -0,0 +1,78 @@
+/**
+ * @name Errors When Using Bit Operations
+ * @description Unlike the binary operations `||` and `&&`, there is no sequence point after evaluating an
+ *              operand of a bitwise operation like `|` or `&`. If left-to-right evaluation is expected this may be confusing.
+ * @kind problem
+ * @id cpp/errors-when-using-bit-operations
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-691
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * Dangerous uses of bit operations.
+ * For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
+ * In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
+ */
+class DangerousBitOperations extends BinaryBitwiseOperation {
+  FunctionCall bfc;
+
+  /**
+   * The assignment indicates the conscious use of the bit operator.
+   * Use in comparison, conversion, or return value indicates conscious use of the bit operator.
+   * The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
+   */
+  DangerousBitOperations() {
+    bfc = this.getRightOperand() and
+    not this.getParent*() instanceof Assignment and
+    not this.getParent*() instanceof Initializer and
+    not this.getParent*() instanceof ReturnStmt and
+    not this.getParent*() instanceof EqualityOperation and
+    not this.getParent*() instanceof UnaryLogicalOperation and
+    not this.getParent*() instanceof BinaryLogicalOperation and
+    not this.getAChild*() instanceof BitwiseXorExpr and
+    not this.getAChild*() instanceof LShiftExpr and
+    not this.getAChild*() instanceof RShiftExpr
+  }
+
+  /** Holds when part of a bit expression is used in a logical operation. */
+  predicate useInLogicalOperations() {
+    exists(BinaryLogicalOperation blop, Expr exp |
+      blop.getAChild*() = exp and
+      exp.(FunctionCall).getTarget() = bfc.getTarget() and
+      not exp.getParent() instanceof ComparisonOperation and
+      not exp.getParent() instanceof BinaryBitwiseOperation
+    )
+  }
+
+  /** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */
+  predicate useInOtherCalls() {
+    bfc.hasQualifier() or
+    bfc.getTarget() instanceof Operator or
+    exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or
+    bfc.getTarget() instanceof BuiltInFunction
+  }
+
+  /** Holds when the bit expression contains both arguments and a function call. */
+  predicate dangerousArgumentChecking() {
+    not this.getLeftOperand() instanceof Call and
+    globalValueNumber(this.getLeftOperand().getAChild*()) = globalValueNumber(bfc.getAnArgument())
+  }
+
+  /** Holds when function calls are present in the bit expression. */
+  predicate functionCallsInBitsExpression() {
+    this.getLeftOperand().getAChild*() instanceof FunctionCall
+  }
+}
+
+from DangerousBitOperations dbo
+where
+  not dbo.useInOtherCalls() and
+  dbo.useInLogicalOperations() and
+  (not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
+select dbo, "This bitwise operation appears in a context where a Boolean operation is expected."
--- a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.c
@@ -0,0 +1,11 @@
+if(len=funcReadData()==0) return 1; // BAD: variable `len` will not equal the value returned by function `funcReadData()`
+...
+if((len=funcReadData())==0) return 1; // GOOD: variable `len` equal the value returned by function `funcReadData()`
+...
+bool a=true;
+a++;// BAD: variable `a` does not change its meaning
+bool b;
+b=-a;// BAD: variable `b` equal `true`
+...
+a=false;// GOOD: variable `a` equal `false`
+b=!a;// GOOD: variable `b` equal `false`
--- a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Finding places of confusing use of boolean type. For example, a unary minus does not work before a boolean type and an increment always gives true.</p>
+
+
+</overview>
+<recommendation>
+
+<p>we recommend making the code simpler.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates erroneous and fixed methods for using a boolean data type.</p>
+<sample src="OperatorPrecedenceLogicErrorWhenUseBoolType.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP00-C.+Use+parentheses+for+precedence+of+operation">EXP00-C. Use parentheses for precedence of operation</a>.
+</li>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
@@ -0,0 +1,54 @@
+/**
+ * @name Operator Precedence Logic Error When Use Bool Type
+ * @description --Finding places of confusing use of boolean type.
+ *              --For example, a unary minus does not work before a boolean type and an increment always gives true.
+ * @kind problem
+ * @id cpp/operator-precedence-logic-error-when-use-bool-type
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-783
+ *       external/cwe/cwe-480
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.HashCons
+
+/** Holds if `exp` increments a boolean value. */
+predicate incrementBoolType(IncrementOperation exp) {
+  exp.getOperand().getType() instanceof BoolType
+}
+
+/** Holds if `exp` applies the unary minus operator to a boolean type. */
+predicate revertSignBoolType(UnaryMinusExpr exp) {
+  exp.getAnOperand().getType() instanceof BoolType and
+  exp.getFullyConverted().getType() instanceof BoolType
+}
+
+/** Holds, if this is an expression, uses comparison and assignment outside of execution precedence. */
+predicate assignBoolType(Expr exp) {
+  exists(ComparisonOperation co |
+    exp.(AssignExpr).getRValue() = co and
+    exp.isCondition() and
+    not co.isParenthesised() and
+    not exp.(AssignExpr).getLValue().getType() instanceof BoolType and
+    not exists(Expr exbl |
+      hashCons(exbl.(AssignExpr).getLValue()) = hashCons(exp.(AssignExpr).getLValue()) and
+      not exbl.isCondition() and
+      exbl.(AssignExpr).getRValue().getType() instanceof BoolType and
+      exbl.(AssignExpr).getLValue().getType() = exp.(AssignExpr).getLValue().getType()
+    ) and
+    co.getLeftOperand() instanceof FunctionCall and
+    not co.getRightOperand().getType() instanceof BoolType and
+    not co.getRightOperand().getValue() = "0" and
+    not co.getRightOperand().getValue() = "1"
+  )
+}
+
+from Expr exp
+where
+  incrementBoolType(exp) or
+  revertSignBoolType(exp) or
+  assignBoolType(exp)
+select exp, "this expression needs attention"
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -3,7 +3,7 @@
 * @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
 *              If terminal zero is present, then the specified expression is meaningless.
 * @kind problem
- * @id cpp/access-memory-location-after-end-buffer
+ * @id cpp/access-memory-location-after-end-buffer-strlen
 * @problem.severity warning
 * @precision medium
 * @tags correctness
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
@@ -2,7 +2,7 @@
 * @name Access Of Memory Location After The End Of A Buffer Using Strncat
 * @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
 * @kind problem
- * @id cpp/access-memory-location-after-end-buffer
+ * @id cpp/access-memory-location-after-end-buffer-strncat
 * @problem.severity warning
 * @precision medium
 * @tags correctness
--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,6 +3,7 @@
 * @description All resources acquired by a class should be released by its destructor. Avoid the use of the 'open / close' pattern, since C++ constructors and destructors provide a safer way to handle resource acquisition and release. Best practice in C++ is to use the 'RAII' technique: constructors allocate resources and destructors free them.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision high
 * @id cpp/resource-not-released-in-destructor
 * @tags efficiency
--- a/cpp/ql/src/jsf/4.20
+++ b/cpp/ql/src/jsf/4.20
@@ -4,6 +4,7 @@
 *              may result in unexpected sign extension or overflow.
 * @kind problem
 * @problem.severity warning
+ * @problem.security-severity high
 * @precision low
 * @id cpp/signed-bit-field
 * @tags correctness
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
@@ -15,6 +15,7 @@
 */

 private import cpp
+private import semmle.code.cpp.models.interfaces.PointerWrapper

 /**
 * Holds if `f` is an instantiation of the `std::move` or `std::forward`
@@ -94,6 +95,12 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {

 private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
  lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
+  or
+  exists(PointerWrapper wrapper, Call call | call = referenceOut |
+    referenceOut.getUnspecifiedType() instanceof ReferenceType and
+    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
+    lvalueIn = call.getQualifier().getFullyConverted()
+  )
 }

 private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
@@ -106,6 +113,13 @@ private predicate referenceToPointerStep(Expr referenceIn, Expr pointerOut) {
      stdAddressOf(call.getTarget()) and
      referenceIn = call.getArgument(0).getFullyConverted()
    )
+  or
+  exists(CopyConstructor copy, Call call | call = pointerOut |
+    copy.getDeclaringType() instanceof PointerWrapper and
+    call.getTarget() = copy and
+    // The 0'th argument is the value being copied.
+    referenceIn = call.getArgument(0).getFullyConverted()
+  )
 }

 private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
@@ -190,6 +204,19 @@ private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node
        // See the `lvalueToUpdate` case for an explanation of this conjunct.
        call.getType().isDeeplyConstBelow()
      )
+      or
+      // Pointer wrappers behave as raw pointers for dataflow purposes.
+      outer = call.getAnArgument().getFullyConverted() and
+      exists(PointerWrapper wrapper | wrapper = outer.getType().stripTopLevelSpecifiers() |
+        not wrapper.pointsToConst()
+      )
+      or
+      outer = call.getQualifier().getFullyConverted() and
+      outer.getUnspecifiedType() instanceof PointerWrapper and
+      not (
+        call.getTarget().hasSpecifier("const") and
+        call.getType().isDeeplyConstBelow()
+      )
    )
    or
    exists(PointerFieldAccess fa |
@@ -218,7 +245,9 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
    not stdIdentityFunction(call.getTarget()) and
    not stdAddressOf(call.getTarget()) and
    exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
-      not rt.getBaseType().isConst()
+      not rt.getBaseType().isConst() or
+      rt.getBaseType().getUnspecifiedType() =
+        any(PointerWrapper wrapper | not wrapper.pointsToConst())
    )
  ) and
  reference = outer
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -46,7 +46,7 @@ class Node extends TNode {
  /**
   * INTERNAL: Do not use. Alternative name for `getFunction`.
   */
-  final Function getEnclosingCallable() { result = unique(Function f | f = this.getFunction() | f) }
+  final Function getEnclosingCallable() { result = this.getFunction() }

  /** Gets the type of this node. */
  Type getType() { none() } // overridden in subclasses
@@ -324,7 +324,7 @@ private class VariablePartialDefinitionNode extends PartialDefinitionNode {
 * A synthetic data flow node used for flow into a collection when an iterator
 * write occurs in a callee.
 */
-class IteratorPartialDefinitionNode extends PartialDefinitionNode {
+private class IteratorPartialDefinitionNode extends PartialDefinitionNode {
  override IteratorPartialDefinition pd;

  override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
@@ -715,6 +715,7 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
 }

 private module FieldFlow {
+  private import DataFlowImplCommon
  private import DataFlowImplLocal
  private import DataFlowPrivate

@@ -747,7 +748,7 @@ private module FieldFlow {
    exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
    // This configuration should not be able to cross function boundaries, but
    // we double-check here just to be sure.
-    node1.getEnclosingCallable() = node2.getEnclosingCallable()
+    getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2)
  }
 }

--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -7,6 +7,7 @@ private import semmle.code.cpp.controlflow.SSA
 private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
 private import semmle.code.cpp.dataflow.internal.AddressFlow
 private import semmle.code.cpp.models.implementations.Iterator
+private import semmle.code.cpp.models.interfaces.PointerWrapper

 /**
 * A conceptual variable that is assigned only once, like an SSA variable. This
@@ -158,18 +159,14 @@ private module PartialDefinitions {
    Expr innerDefinedExpr;

    IteratorPartialDefinition() {
-      exists(Expr convertedInner |
-        not this instanceof Conversion and
-        valueToUpdate(convertedInner, this.getFullyConverted(), node) and
-        innerDefinedExpr = convertedInner.getUnconverted() and
-        (
-          innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
-          or
-          innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
-          collection instanceof IteratorParameter
-        ) and
-        innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
-      )
+      innerDefinedExpr = getInnerDefinedExpr(this, node) and
+      (
+        innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
+        or
+        innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
+        collection instanceof IteratorParameter
+      ) and
+      innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
      or
      // iterators passed by value without a copy constructor
      exists(Call call |
@@ -207,16 +204,18 @@ private module PartialDefinitions {
    }
  }

+  private Expr getInnerDefinedExpr(Expr e, ControlFlowNode node) {
+    not e instanceof Conversion and
+    exists(Expr convertedInner |
+      valueToUpdate(convertedInner, e.getFullyConverted(), node) and
+      result = convertedInner.getUnconverted()
+    )
+  }
+
  class VariablePartialDefinition extends PartialDefinition {
    Expr innerDefinedExpr;

-    VariablePartialDefinition() {
-      not this instanceof Conversion and
-      exists(Expr convertedInner |
-        valueToUpdate(convertedInner, this.getFullyConverted(), node) and
-        innerDefinedExpr = convertedInner.getUnconverted()
-      )
-    }
+    VariablePartialDefinition() { innerDefinedExpr = getInnerDefinedExpr(this, node) }

    deprecated override predicate partiallyDefines(Variable v) {
      innerDefinedExpr = v.getAnAccess()
@@ -296,7 +295,8 @@ module FlowVar_internal {
    // treating them as immutable, but for data flow it gives better results in
    // practice to make the variable synonymous with its contents.
    not v.getUnspecifiedType() instanceof ReferenceType and
-    not v instanceof IteratorParameter
+    not v instanceof IteratorParameter and
+    not v instanceof PointerWrapperParameter
  }

  /**
@@ -644,10 +644,19 @@ module FlowVar_internal {
  predicate parameterIsNonConstReference(Parameter p) {
    exists(ReferenceType refType |
      refType = p.getUnderlyingType() and
-      not refType.getBaseType().isConst()
+      (
+        not refType.getBaseType().isConst()
+        or
+        // A field of a parameter of type `const std::shared_ptr<A>& p` can still be changed even though
+        // the base type of the reference is `const`.
+        refType.getBaseType().getUnspecifiedType() =
+          any(PointerWrapper wrapper | not wrapper.pointsToConst())
+      )
    )
    or
    p instanceof IteratorParameter
+    or
+    p instanceof PointerWrapperParameter
  }

  /**
@@ -836,6 +845,10 @@ module FlowVar_internal {
    IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
  }

+  class PointerWrapperParameter extends Parameter {
+    PointerWrapperParameter() { this.getUnspecifiedType() instanceof PointerWrapper }
+  }
+
  /**
   * Holds if `v` is initialized to have value `assignedExpr`.
   */
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -11,6 +11,7 @@
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.models.interfaces.Taint
 private import semmle.code.cpp.models.interfaces.Iterator
+private import semmle.code.cpp.models.interfaces.PointerWrapper

 private module DataFlow {
  import semmle.code.cpp.dataflow.internal.DataFlowUtil
@@ -141,7 +142,10 @@ private predicate noFlowFromChildExpr(Expr e) {
  or
  e instanceof LogicalOrExpr
  or
-  e instanceof Call
+  // Allow taint from `operator*` on smart pointers.
+  exists(Call call | e = call |
+    not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()
+  )
  or
  e instanceof SizeofOperator
  or
--- a/cpp/ql/src/semmle/code/cpp/exprs/Call.qll
+++ b/cpp/ql/src/semmle/code/cpp/exprs/Call.qll
@@ -314,6 +314,7 @@ class OverloadedPointerDereferenceFunction extends Function {
 * T1 operator*(const T2 &);
 * T1 a; T2 b;
 * a = *b;
+ * ```
 */
 class OverloadedPointerDereferenceExpr extends FunctionCall {
  OverloadedPointerDereferenceExpr() {
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -2133,11 +2133,8 @@ private module Stage4 {

  bindingset[node, cc, config]
  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
  }

  private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
    conf = mid.getConfiguration() and
    cc = mid.getCallContext() and
    sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
    ap0 = mid.getAp()
  |
    localFlowBigStep(midnode, node, true, _, conf, localCC) and
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -362,15 +362,22 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {

 /**
 * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
- * For instance, an update to a field of a struct containing only one field. For these cases we
- * attach the PostUpdateNode to the store instruction. There's no obvious pre update node for this case
- * (as the entire memory is updated), so `getPreUpdateNode` is implemented as `none()`.
+ * For instance, an update to a field of a struct containing only one field. Even if the store does
+ * have a chi instruction, a subsequent use of the result of the store may be linked directly to the
+ * result of the store as an inexact definition if the store totally overlaps the use. For these
+ * cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node
+ * for this case (as the entire memory is updated), so `getPreUpdateNode` is implemented as
+ * `none()`.
 */
 private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
  override StoreInstruction instr;

  ExplicitSingleFieldStoreQualifierNode() {
-    not exists(ChiInstruction chi | chi.getPartial() = instr) and
+    (
+      instr.getAUse().isDefinitionInexact()
+      or
+      not exists(ChiInstruction chi | chi.getPartial() = instr)
+    ) and
    // Without this condition any store would create a `PostUpdateNode`.
    instr.getDestinationAddress() instanceof FieldAddressInstruction
  }
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
@@ -6,34 +6,7 @@ private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-
-/**
- * Gets a short ID for an IR dataflow node.
- * - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
- * - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
- *   instruction and a dot (e.g. `m128.left`).
- * - For `Variable`s, this is the qualified name of the variable.
- */
-private string nodeId(DataFlow::Node node, int order1, int order2) {
-  exists(Instruction instruction | instruction = node.asInstruction() |
-    result = instruction.getResultId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  exists(Operand operand, Instruction instruction |
-    operand = node.asOperand() and
-    instruction = operand.getUse()
-  |
-    result = instruction.getResultId() + "." + operand.getDumpId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  result = "var(" + node.asVariable().getQualifiedName() + ")" and
-  order1 = 1000000 and
-  order2 = 0
-}
+private import PrintIRUtilities

 /**
 * Gets the local dataflow from other nodes in the same function to this node.
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll
@@ -0,0 +1,33 @@
+/**
+ * Print the dataflow local store steps in IR dumps.
+ */
+
+private import cpp
+// The `ValueNumbering` library has to be imported right after `cpp` to ensure
+// that the cached IR gets the same checksum here as it does in queries that use
+// `ValueNumbering` without `DataFlow`.
+private import semmle.code.cpp.ir.ValueNumbering
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import PrintIRUtilities
+
+/**
+ * Property provider for local IR dataflow store steps.
+ */
+class LocalFlowPropertyProvider extends IRPropertyProvider {
+  override string getInstructionProperty(Instruction instruction, string key) {
+    exists(DataFlow::Node objectNode, Content content |
+      key = "content[" + content.toString() + "]" and
+      instruction = objectNode.asInstruction() and
+      result =
+        strictconcat(string element, DataFlow::Node fieldNode |
+          storeStep(fieldNode, content, objectNode) and
+          element = nodeId(fieldNode, _, _)
+        |
+          element, ", "
+        )
+    )
+  }
+}
--- a/Show More
+++ b/Show More