Merge pull request #6351 from tausbn/python-hotfix-localsourcenode-typetrackingnode

Python: Hotfix `LocalSourceNode`

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -0,0 +1,97 @@
+name: Check framework coverage changes
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage-pr-comment.yml'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  generate:
+    name: Generate framework coverage artifacts
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql) - MERGE
+      uses: actions/checkout@v2
+      with:
+        path: merge
+    - name: Clone self (github/codeql) - BASE
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 2
+        path: base
+    - run: |
+        git checkout HEAD^1
+        git log -1 --format='%H'
+      working-directory: base
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Generate CSV files on merge commit of the PR
+      run: |
+        echo "Running generator on merge"
+        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
+        mkdir out_merge
+        cp framework-coverage-*.csv out_merge/
+        cp framework-coverage-*.rst out_merge/
+    - name: Generate CSV files on base commit of the PR
+      run: |
+        echo "Running generator on base"
+        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
+        mkdir out_base
+        cp framework-coverage-*.csv out_base/
+        cp framework-coverage-*.rst out_base/
+    - name: Generate diff of coverage reports
+      run: |
+        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-merge
+        path: |
+          out_merge/framework-coverage-*.csv
+          out_merge/framework-coverage-*.rst
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-base
+        path: |
+          out_base/framework-coverage-*.csv
+          out_base/framework-coverage-*.rst
+    - name: Upload comparison results
+      uses: actions/upload-artifact@v2
+      with:
+        name: comparison
+        path: |
+          comparison.md
+    - name: Save PR number
+      run: |
+        mkdir -p pr
+        echo ${{ github.event.pull_request.number }} > pr/NR
+    - name: Upload PR number
+      uses: actions/upload-artifact@v2
+      with:
+        name: pr
+        path: pr/

.github/workflows/csv-coverage-pr-comment.yml

@@ -0,0 +1,34 @@
+name: Comment on PR with framework coverage changes
+
+on:
+  workflow_run:
+    workflows: ["Check framework coverage changes"]
+    types:
+      - completed
+
+jobs:
+  check:
+    name: Check framework coverage differences and comment
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+
+    - name: Check coverage difference file and comment
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"

.github/workflows/csv-coverage-timeseries.yml

@@ -0,0 +1,42 @@
+name: Build framework coverage timeseries reports
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) for analysis
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        CLI=$(realpath "codeql-cli/codeql")
+        echo $CLI
+        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
+    - name: Upload timeseries CSV
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-timeseries
+        path: framework-coverage-timeseries-*.csv
+

.github/workflows/csv-coverage-update.yml

@@ -0,0 +1,44 @@
+name: Update framework coverage reports
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  update:
+    name: Update framework coverage report
+    if: github.event.repository.fork == false
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: ql
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+
+    - name: Generate coverage files
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
+
+    - name: Create pull request with changes
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"

.github/workflows/csv-coverage.yml

@@ -1,4 +1,4 @@
-name: Build/check CSV flow coverage report
+name: Build framework coverage reports
 
 on:
   workflow_dispatch:
@@ -6,22 +6,6 @@ on:
       qlModelShaOverride:
         description: 'github/codeql repo SHA used for looking up the CSV models'
         required: false
-  push:
-    branches:
-     - main
-     - 'rc/**'
-  pull_request:
-    paths:
-      - '.github/workflows/csv-coverage.yml'
-      - '*/ql/src/**/*.ql'
-      - '*/ql/src/**/*.qll'
-      - 'misc/scripts/library-coverage/*.py'
-      # input data files
-      - '*/documentation/library-coverage/cwe-sink.csv'
-      - '*/documentation/library-coverage/frameworks.csv'
-      # coverage report files
-      - '*/documentation/library-coverage/flow-model-coverage.csv'
-      - '*/documentation/library-coverage/flow-model-coverage.rst'
 
 jobs:
   build:
@@ -33,28 +17,20 @@ jobs:
       uses: actions/checkout@v2
       with:
         path: script
-    - name: Clone self (github/codeql) at a given SHA for analysis
-      if: github.event.inputs.qlModelShaOverride != ''
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        ref: github.event.inputs.qlModelShaOverride
     - name: Clone self (github/codeql) for analysis
-      if: github.event.inputs.qlModelShaOverride == ''
       uses: actions/checkout@v2
       with:
         path: codeqlModels
+        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
     - name: Set up Python 3.8
       uses: actions/setup-python@v2
       with:
         python-version: 3.8
     - name: Download CodeQL CLI
-      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
-      with:
-        repo: "github/codeql-cli-binaries"
-        version: "latest"
-        file: "codeql-linux64.zip"
-        token: ${{ secrets.GITHUB_TOKEN }}
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
     - name: Unzip CodeQL CLI
       run: unzip -d codeql-cli codeql-linux64.zip
     - name: Build modeled package list
@@ -63,15 +39,11 @@ jobs:
     - name: Upload CSV package list
       uses: actions/upload-artifact@v2
       with:
-        name: csv-flow-model-coverage
-        path: flow-model-coverage-*.csv
+        name: framework-coverage-csv
+        path: framework-coverage-*.csv
     - name: Upload RST package list
       uses: actions/upload-artifact@v2
       with:
-        name: rst-flow-model-coverage
-        path: flow-model-coverage-*.rst
-    # - name: Check coverage files
-    #   if: github.event.pull_request
-    #   run: |
-    #     python script/misc/scripts/library-coverage/compare-files.py codeqlModels
+        name: framework-coverage-rst
+        path: framework-coverage-*.rst
 

config/identical-files.json

@@ -448,5 +448,17 @@
   "SensitiveDataHeuristics Python/JS": [
     "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
     "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
+  ],
+  "ReDoS Util Python/JS": [
+    "javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll",
+    "python/ql/src/semmle/python/security/performance/ReDoSUtil.qll"
+  ],
+  "ReDoS Exponential Python/JS": [
+    "javascript/ql/src/semmle/javascript/security/performance/ExponentialBackTracking.qll",
+    "python/ql/src/semmle/python/security/performance/ExponentialBackTracking.qll"
+  ],
+  "ReDoS Polynomial Python/JS": [
+    "javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
+    "python/ql/src/semmle/python/security/performance/SuperlinearBackTracking.qll"
   ]
 }

cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

cpp/change-notes/2021-06-24-dataflow-implicit-reads.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.

cpp/change-notes/2021-06-30-wrong-type-format-argument.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.

cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.2
  * @precision medium
  * @tags reliability
  *       security

cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-never-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileMayNotBeClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/file-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileNeverClosed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/file-never-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/GlobalUseBeforeInit.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/global-use-before-init
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-457

cpp/ql/src/Critical/InconsistentNullnessTesting.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/inconsistent-nullness-testing
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/InitialisationNotRun.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/initialization-not-run
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-456

cpp/ql/src/Critical/LateNegativeTest.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/late-negative-test
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MemoryMayNotBeFreed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/memory-may-not-be-freed
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MemoryNeverFreed.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/memory-never-freed
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MissingNegativityTest.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/missing-negativity-test
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MissingNullTest.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/missing-null-test
  * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/NewFreeMismatch.ql

@@ -3,7 +3,7 @@
  * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id cpp/new-free-mismatch
  * @tags reliability

cpp/ql/src/Critical/OverflowCalculated.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/overflow-calculated
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-131

cpp/ql/src/Critical/OverflowDestination.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/overflow-destination
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision low
  * @tags reliability
  *       security

cpp/ql/src/Critical/OverflowStatic.ql

@@ -4,7 +4,7 @@
  *              may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/static-buffer-overflow
  * @tags reliability

cpp/ql/src/Critical/ReturnStackAllocatedObject.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/return-stack-allocated-object
  * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 2.1
  * @tags reliability
  *       security
  *       external/cwe/cwe-562

cpp/ql/src/Critical/SizeCheck.ql

@@ -4,7 +4,7 @@
  *              an instance of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/allocation-too-small
  * @tags reliability

cpp/ql/src/Critical/SizeCheck2.ql

@@ -4,7 +4,7 @@
  *              multiple instances of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/suspicious-allocation-size
  * @tags reliability

cpp/ql/src/Critical/UseAfterFree.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/use-after-free
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-416

cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql

@@ -7,10 +7,6 @@
 
 import cpp
 
-class AnonymousCompilation extends Compilation {
-  override string toString() { result = "<compilation>" }
-}
-
 string describe(Compilation c) {
   if c.getArgument(1) = "--mimic"
   then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
@@ -19,4 +15,4 @@ string describe(Compilation c) {
 
 from Compilation c
 where not c.normalTermination()
-select c, "Extraction aborted for " + describe(c), 2
+select "Extraction aborted for " + describe(c)

cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql

@@ -6,7 +6,7 @@
  *              to a larger type.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision very-high
  * @id cpp/bad-addition-overflow-check
  * @tags reliability

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -4,7 +4,7 @@
  *              be a sign that the result can overflow the type converted from.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision high
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability

cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql

@@ -5,7 +5,7 @@
  *              unsigned integer values.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision high
  * @id cpp/signed-overflow-check
  * @tags correctness

cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql

@@ -6,7 +6,7 @@
  *              use the width of the base type, leading to misaligned reads.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id cpp/upcast-array-pointer-arithmetic
  * @tags correctness

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -6,7 +6,7 @@
  *              from an untrusted source, this can be used for exploits.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/non-constant-format
  * @tags maintainability

cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql

@@ -3,7 +3,7 @@
  * @description Using the return value from snprintf without proper checks can cause overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision high
  * @id cpp/overflowing-snprintf
  * @tags reliability

cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql

@@ -4,7 +4,7 @@
  *              a source of security issues.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision high
  * @id cpp/wrong-number-format-arguments
  * @tags reliability

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -4,7 +4,7 @@
  *              behavior.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id cpp/wrong-type-format-argument
  * @tags reliability
@@ -19,28 +19,32 @@ import cpp
  * Holds if the argument corresponding to the `pos` conversion specifier
  * of `ffc` is expected to have type `expected`.
  */
-pragma[noopt]
 private predicate formattingFunctionCallExpectedType(
   FormattingFunctionCall ffc, int pos, Type expected
 ) {
-  exists(FormattingFunction f, int i, FormatLiteral fl |
-    ffc instanceof FormattingFunctionCall and
-    ffc.getTarget() = f and
-    f.getFormatParameterIndex() = i and
-    ffc.getArgument(i) = fl and
-    fl.getConversionType(pos) = expected
-  )
+  ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
 }
 
 /**
  * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` is expected to have type `expected` and the corresponding
- * argument `arg` has type `actual`.
+ * of `ffc` could alternatively have type `expected`, for example on a different
+ * platform.
+ */
+private predicate formattingFunctionCallAlternateType(
+  FormattingFunctionCall ffc, int pos, Type expected
+) {
+  ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
+}
+
+/**
+ * Holds if the argument corresponding to the `pos` conversion specifier
+ * of `ffc` is `arg` and has type `actual`.
  */
 pragma[noopt]
-predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
+predicate formattingFunctionCallActualType(
+  FormattingFunctionCall ffc, int pos, Expr arg, Type actual
+) {
   exists(Expr argConverted |
-    formattingFunctionCallExpectedType(ffc, pos, expected) and
     ffc.getConversionArgument(pos) = arg and
     argConverted = arg.getFullyConverted() and
     actual = argConverted.getType()
@@ -72,7 +76,8 @@ class ExpectedType extends Type {
   ExpectedType() {
     exists(Type t |
       (
-        formatArgType(_, _, t, _, _) or
+        formattingFunctionCallExpectedType(_, _, t) or
+        formattingFunctionCallAlternateType(_, _, t) or
         formatOtherArgType(_, _, t, _, _)
       ) and
       this = t.getUnspecifiedType()
@@ -91,7 +96,11 @@ class ExpectedType extends Type {
  */
 predicate trivialConversion(ExpectedType expected, Type actual) {
   exists(Type exp, Type act |
-    formatArgType(_, _, exp, _, act) and
+    (
+      formattingFunctionCallExpectedType(_, _, exp) or
+      formattingFunctionCallAlternateType(_, _, exp)
+    ) and
+    formattingFunctionCallActualType(_, _, _, act) and
     expected = exp.getUnspecifiedType() and
     actual = act.getUnspecifiedType()
   ) and
@@ -146,9 +155,13 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
   (
-    formatArgType(ffc, n, expected, arg, actual) and
+    formattingFunctionCallExpectedType(ffc, n, expected) and
+    formattingFunctionCallActualType(ffc, n, arg, actual) and
     not exists(Type anyExpected |
-      formatArgType(ffc, n, anyExpected, arg, actual) and
+      (
+        formattingFunctionCallExpectedType(ffc, n, anyExpected) or
+        formattingFunctionCallAlternateType(ffc, n, anyExpected)
+      ) and
       trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
     )
     or

cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/incorrect-not-operator-usage
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision medium
  * @tags security
  *       external/cwe/cwe-480

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -3,7 +3,7 @@
  * @description Using alloca in a loop can lead to a stack overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id cpp/alloca-in-loop
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/improper-null-termination
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security
  *       external/cwe/cwe-170
  *       external/cwe/cwe-665

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql

@@ -4,7 +4,7 @@
  *              on undefined behavior and may lead to memory corruption.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 2.1
  * @precision high
  * @id cpp/pointer-overflow-check
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql

@@ -4,7 +4,7 @@
  *              as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/bad-strncpy-size
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql

@@ -3,7 +3,7 @@
  * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/unsafe-strncat
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql

@@ -5,7 +5,7 @@
  *              the machine pointer size.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/suspicious-sizeof
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/uninitialized-local
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @tags security
  *       external/cwe/cwe-665

cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql

@@ -4,7 +4,7 @@
  *              may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id cpp/unsafe-strcat
  * @tags reliability

cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/self-assignment-check
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-826

cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql

@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id cpp/unsafe-use-of-this
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision very-high
  * @tags correctness
  *       language-features

cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql

@@ -7,7 +7,7 @@
  *              undefined data.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision very-high
  * @id cpp/too-few-arguments
  * @tags correctness

cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql

@@ -9,7 +9,6 @@
  * @tags reliability
  *       external/cwe/cwe-573
  *       external/cwe/cwe-252
- * @opaque-id SM02344
  * @microsoft.severity Important
  */
 

cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/memset-may-be-deleted
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-14

cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql

@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 

cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql

@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -4,7 +4,7 @@
  *              attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/path-injection
  * @tags security

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -5,7 +5,7 @@
  *              to command injection.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id cpp/command-line-injection
  * @tags security

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id cpp/cgi-xss
  * @tags security

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -5,7 +5,7 @@
  *              to SQL Injection.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id cpp/sql-injection
  * @tags security

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -5,7 +5,7 @@
  *              commands.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.0
+ * @security-severity 8.2
  * @precision medium
  * @id cpp/uncontrolled-process-operation
  * @tags security

cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/overflow-buffer
  * @problem.severity recommendation
- * @security-severity 10.0
+ * @security-severity 9.3
  * @tags security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-121

cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql

@@ -5,7 +5,7 @@
  *              overflow.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/badly-bounded-write
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql

@@ -4,7 +4,7 @@
  *              of data written may overflow.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/overrunning-write
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql

@@ -5,7 +5,7 @@
  *              take extreme values.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/overrunning-write-with-float
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -4,7 +4,7 @@
  *              of data written may overflow.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/unbounded-write
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql

@@ -5,7 +5,7 @@
  *              a specific value to terminate the argument list.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/unterminated-variadic-call
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/unclear-array-index-validation
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @tags security
  *       external/cwe/cwe-129
  */

cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql

@@ -5,7 +5,7 @@
  *              terminator can cause a buffer overrun.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cpp/no-space-for-terminator
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -5,7 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/tainted-format-string
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql

@@ -5,7 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/tainted-format-string-through-global
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -2,9 +2,9 @@
  * @name User-controlled data in arithmetic expression
  * @description Arithmetic operations on user-controlled data that is
  *              not validated can cause overflows.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision low
  * @id cpp/tainted-arithmetic
  * @tags security
@@ -16,22 +16,39 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
+import Bounded
 
-from Expr origin, Operation op, Expr e, string effect
+bindingset[op]
+predicate missingGuard(Operation op, Expr e, string effect) {
+  missingGuardAgainstUnderflow(op, e) and effect = "underflow"
+  or
+  missingGuardAgainstOverflow(op, e) and effect = "overflow"
+  or
+  not e instanceof VariableAccess and effect = "overflow"
+}
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element e) {
+    exists(Operation op |
+      missingGuard(op, e, _) and
+      op.getAnOperand() = e
+    |
+      op instanceof UnaryArithmeticOperation or
+      op instanceof BinaryArithmeticOperation
+    )
+  }
+
+  override predicate isBarrier(Expr e) {
+    super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
+  }
+}
+
+from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
 where
-  isUserInput(origin, _) and
-  tainted(origin, e) and
+  taintedWithPath(origin, e, sourceNode, sinkNode) and
   op.getAnOperand() = e and
-  (
-    missingGuardAgainstUnderflow(op, e) and effect = "underflow"
-    or
-    missingGuardAgainstOverflow(op, e) and effect = "overflow"
-    or
-    not e instanceof VariableAccess and effect = "overflow"
-  ) and
-  (
-    op instanceof UnaryArithmeticOperation or
-    op instanceof BinaryArithmeticOperation
-  )
-select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  origin, "User-provided value"
+  missingGuard(op, e, effect)
+select e, sourceNode, sinkNode,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
+  "User-provided value"

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -4,7 +4,7 @@
  *              validated can cause overflows.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id cpp/uncontrolled-arithmetic
  * @tags security
@@ -15,108 +15,63 @@
 import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.TaintTracking
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import DataFlow::PathGraph
+import Bounded
 
-predicate isUnboundedRandCall(FunctionCall fc) {
-  exists(Function func | func = fc.getTarget() |
-    func.hasGlobalOrStdOrBslName("rand") and
-    not bounded(fc) and
-    func.getNumberOfParameters() = 0
-  )
+/**
+ * A function that outputs random data such as `std::rand`.
+ */
+abstract class RandomFunction extends Function {
+  /**
+   * Gets the `FunctionOutput` that describes how this function returns the random data.
+   */
+  FunctionOutput getFunctionOutput() { result.isReturnValue() }
 }
 
 /**
- * An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
- * a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
+ * The standard function `std::rand`.
  */
-pragma[inline]
-predicate boundedDiv(Expr e, Expr left) { e = left }
-
-/**
- * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
- * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
- * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
- * allowed by the result type of `rem`.
- */
-pragma[inline]
-predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
-  e = left and
-  upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
-}
-
-/**
- * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
- * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
- * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
- */
-pragma[inline]
-predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
-  operand1 != operand2 and
-  e = operand1 and
-  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
-}
-
-/**
- * Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
- * of possible values.
- */
-predicate bounded(Expr e) {
-  //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
-  //  maximum possible value of the result type of the operation.
-  //  For example, the function call `rand()` is considered bounded in the following program:
-  //  ```
-  //  int i = rand() % (UINT8_MAX + 1);
-  //  ```
-  //  but not in:
-  //  ```
-  //  unsigned char uc = rand() % (UINT8_MAX + 1);
-  //  ```
-  exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
-  or
-  exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
-  or
-  exists(BitwiseAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
-  )
-  or
-  exists(AssignAndExpr andExpr |
-    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
-  )
-  or
-  // Optimitically assume that a division always yields a much smaller value.
-  boundedDiv(e, any(DivExpr div).getLeftOperand())
-  or
-  boundedDiv(e, any(AssignDivExpr div).getLValue())
-  or
-  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
-  or
-  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
-}
-
-predicate isUnboundedRandCallOrParent(Expr e) {
-  isUnboundedRandCall(e)
-  or
-  isUnboundedRandCallOrParent(e.getAChild())
-}
-
-predicate isUnboundedRandValue(Expr e) {
-  isUnboundedRandCall(e)
-  or
-  exists(MacroInvocation mi |
-    e = mi.getExpr() and
-    isUnboundedRandCallOrParent(e)
-  )
-}
-
-class SecurityOptionsArith extends SecurityOptions {
-  override predicate isUserInput(Expr expr, string cause) {
-    isUnboundedRandValue(expr) and
-    cause = "rand"
+private class StdRand extends RandomFunction {
+  StdRand() {
+    this.hasGlobalOrStdOrBslName("rand") and
+    this.getNumberOfParameters() = 0
   }
 }
 
+/**
+ * The Unix function `rand_r`.
+ */
+private class RandR extends RandomFunction {
+  RandR() {
+    this.hasGlobalName("rand_r") and
+    this.getNumberOfParameters() = 1
+  }
+}
+
+/**
+ * The Unix function `random`.
+ */
+private class Random extends RandomFunction {
+  Random() {
+    this.hasGlobalName("random") and
+    this.getNumberOfParameters() = 1
+  }
+}
+
+/**
+ * The Windows `rand_s` function.
+ */
+private class RandS extends RandomFunction {
+  RandS() {
+    this.hasGlobalName("rand_s") and
+    this.getNumberOfParameters() = 1
+  }
+
+  override FunctionOutput getFunctionOutput() { result.isParameterDeref(0) }
+}
+
 predicate missingGuard(VariableAccess va, string effect) {
   exists(Operation op | op.getAnOperand() = va |
     missingGuardAgainstUnderflow(op, va) and effect = "underflow"
@@ -125,16 +80,47 @@ predicate missingGuard(VariableAccess va, string effect) {
   )
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element e) { missingGuard(e, _) }
+class UncontrolledArithConfiguration extends TaintTracking::Configuration {
+  UncontrolledArithConfiguration() { this = "UncontrolledArithConfiguration" }
 
-  override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
+  override predicate isSource(DataFlow::Node source) {
+    exists(RandomFunction rand, Call call | call.getTarget() = rand |
+      rand.getFunctionOutput().isReturnValue() and
+      source.asExpr() = call
+      or
+      exists(int n |
+        source.asDefiningArgument() = call.getArgument(n) and
+        rand.getFunctionOutput().isParameterDeref(n)
+      )
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    bounded(node.asExpr())
+    or
+    // If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
+    // only used as a bit pattern.
+    node.asExpr() =
+      any(Operation op |
+        op instanceof BitwiseOrExpr or
+        op instanceof BitwiseAndExpr or
+        op instanceof ComplementExpr
+      ).getAnOperand*()
+  }
 }
 
-from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
+/** Gets the expression that corresponds to `node`, if any. */
+Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
+
+from
+  UncontrolledArithConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  VariableAccess va, string effect
 where
-  taintedWithPath(origin, va, sourceNode, sinkNode) and
+  config.hasFlowPath(source, sink) and
+  sink.getNode().asExpr() = va and
   missingGuard(va, effect)
-select va, sourceNode, sinkNode,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
-  "Uncontrolled value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
+  getExpr(source.getNode()), "Uncontrolled value"

cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/arithmetic-with-extreme-values
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision low
  * @tags security
  *       reliability

cpp/ql/src/Security/CWE/CWE-190/Bounded.qll

@@ -0,0 +1,55 @@
+/**
+ * This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
+ * and `cpp/tainted-arithmetic`.
+ */
+
+private import cpp
+private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
+
+/**
+ * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
+ * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
+ * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
+ */
+pragma[inline]
+private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
+  operand1 != operand2 and
+  e = operand1 and
+  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
+}
+
+/**
+ * Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
+ * operation that may greatly reduce the range of possible values.
+ */
+predicate bounded(Expr e) {
+  (
+    e instanceof UnaryArithmeticOperation or
+    e instanceof BinaryArithmeticOperation or
+    e instanceof AssignArithmeticOperation
+  ) and
+  not convertedExprMightOverflow(e)
+  or
+  // Optimitically assume that a remainder expression always yields a much smaller value.
+  e = any(RemExpr rem).getLeftOperand()
+  or
+  e = any(AssignRemExpr rem).getLValue()
+  or
+  exists(BitwiseAndExpr andExpr |
+    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
+  )
+  or
+  exists(AssignAndExpr andExpr |
+    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
+  )
+  or
+  // Optimitically assume that a division always yields a much smaller value.
+  e = any(DivExpr div).getLeftOperand()
+  or
+  e = any(AssignDivExpr div).getLValue()
+  or
+  e = any(RShiftExpr shift).getLeftOperand()
+  or
+  e = any(AssignRShiftExpr div).getLValue()
+}

cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql

@@ -5,7 +5,7 @@
  * @id cpp/comparison-with-wider-type
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @tags reliability
  *       security

cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/integer-overflow-tainted
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision low
  * @tags security
  *       external/cwe/cwe-190

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -4,7 +4,7 @@
  *              user can result in integer overflow.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/uncontrolled-allocation-size
  * @tags reliability

cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/unsigned-difference-expression-compared-zero
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @tags security
  *       correctness

cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/hresult-boolean-conversion
  * @problem.severity error
- * @security-severity 4.2
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-253

cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql

@@ -5,7 +5,7 @@
  *              vulnerable to spoofing attacks.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.8
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/user-controlled-bypass
  * @tags security

cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql

@@ -4,7 +4,7 @@
  *              to an attacker.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/cleartext-storage-buffer
  * @tags security

cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql

@@ -4,7 +4,7 @@
  *              to an attacker.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/cleartext-storage-file
  * @tags security

cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql

@@ -4,7 +4,7 @@
  *              database can expose it to an attacker.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/cleartext-storage-database
  * @tags security

cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

@@ -4,8 +4,8 @@
  *              an attacker to compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
- * @precision medium
+ * @security-severity 7.5
+ * @precision high
  * @id cpp/weak-cryptographic-algorithm
  * @tags security
  *       external/cwe/cwe-327
@@ -70,9 +70,12 @@ EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(r
 predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
   // find use of an insecure algorithm name
   (
-    fc.getTarget() = getAnInsecureEncryptionFunction() and
-    blame = fc and
-    description = "call to " + fc.getTarget().getName()
+    exists(FunctionCall fc2 |
+      fc.getAChild*() = fc2 and
+      fc2.getTarget() = getAnInsecureEncryptionFunction() and
+      blame = fc2 and
+      description = "call to " + fc.getTarget().getName()
+    )
     or
     exists(MacroInvocation mi |
       (
@@ -93,7 +96,10 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
   ) and
   // find additional evidence that this function is related to encryption.
   (
-    fc.getTarget() = getAnAdditionalEvidenceFunction()
+    exists(FunctionCall fc2 |
+      fc.getAChild*() = fc2 and
+      fc2.getTarget() = getAnAdditionalEvidenceFunction()
+    )
     or
     exists(MacroInvocation mi |
       (
@@ -107,6 +113,27 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
       ec = fc.getAnArgument() and
       ec.getTarget() = getAdditionalEvidenceEnumConst()
     )
+  ) and
+  // exclude calls from templates as this is rarely the right place to flag an
+  // issue
+  not fc.isFromTemplateInstantiation(_) and
+  (
+    // the function should have an input that looks like a non-constant buffer
+    exists(Expr e |
+      fc.getAnArgument() = e and
+      (
+        e.getUnspecifiedType() instanceof PointerType or
+        e.getUnspecifiedType() instanceof ReferenceType or
+        e.getUnspecifiedType() instanceof ArrayType
+      ) and
+      not e.getType().isDeeplyConstBelow() and
+      not e.isConstant()
+    )
+    or
+    // or be a non-const member function of an object
+    fc.getTarget() instanceof MemberFunction and
+    not fc.getTarget() instanceof ConstMemberFunction and
+    not fc.getTarget().isStatic()
   )
 }
 

cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql

@@ -4,7 +4,7 @@
  *              attackers to retrieve portions of memory.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision very-high
  * @id cpp/openssl-heartbleed
  * @tags security

cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql

@@ -5,7 +5,7 @@
  *              the two operations.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.7
  * @precision medium
  * @id cpp/toctou-race-condition
  * @tags security

cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql

@@ -4,7 +4,7 @@
  * @id cpp/unsafe-create-process-call
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @msrc.severity important
  * @tags security

cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql

@@ -5,8 +5,7 @@
  *              state, and reading the variable may result in undefined behavior.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.9
- * @opaque-id SM02313
+ * @security-severity 7.8
  * @id cpp/conditionally-uninitialized-variable
  * @tags security
  *       external/cwe/cwe-457

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql

@@ -4,7 +4,7 @@
  *              can cause buffer overflow conditions.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/suspicious-pointer-scaling
  * @tags security

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/incorrect-pointer-scaling-char
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision low
  * @tags security
  *       external/cwe/cwe-468

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql

@@ -4,7 +4,7 @@
  *              can cause buffer overflow conditions.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/suspicious-pointer-scaling-void
  * @tags security

cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql

@@ -5,7 +5,7 @@
  *              implicitly scaled.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision high
  * @id cpp/suspicious-add-sizeof
  * @tags security

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -5,7 +5,7 @@
  *              attack plan.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
  * @precision medium
  * @id cpp/system-data-exposure
  * @tags security

cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/incorrect-string-type-conversion
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-704

cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql

@@ -3,7 +3,7 @@
  * @description Creating a file that is world-writable can allow an attacker to write to the file.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id cpp/world-writable-file-creation
  * @tags security

cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql

@@ -7,7 +7,7 @@
  * @id cpp/unsafe-dacl-security-descriptor
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-732

cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/lock-order-cycle
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @tags security
  *       external/cwe/cwe-764
  *       external/cwe/cwe-833

cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/twice-locked
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @precision low
  * @tags security
  *       external/cwe/cwe-764

cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/unreleased-lock
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @precision low
  * @tags security
  *       external/cwe/cwe-764