Refine Python inline expectation conversions

Python: Implement `ContentApprox`

.github/workflows/go-version-update.yml

@@ -0,0 +1,208 @@
+name: Update Go version
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-go-version:
+    name: Check and update Go version
+    if: github.repository == 'github/codeql'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch latest Go version
+        id: fetch-version
+        run: |
+          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
+          
+          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
+            echo "Error: Failed to fetch latest Go version from go.dev"
+            exit 1
+          fi
+          
+          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
+          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
+          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
+          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
+          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Check current Go version
+        id: current-version
+        run: |
+          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
+          
+          if [ -z "$CURRENT_VERSION" ]; then
+            echo "Error: Could not extract Go version from MODULE.bazel"
+            exit 1
+          fi
+          
+          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version
+          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Compare versions
+        id: compare
+        run: |
+          LATEST="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT="${{ steps.current-version.outputs.version }}"
+          
+          echo "Latest: $LATEST"
+          echo "Current: $CURRENT"
+          
+          if [ "$LATEST" = "$CURRENT" ]; then
+            echo "Go version is up to date"
+            echo "needs_update=false" >> $GITHUB_OUTPUT
+          else
+            echo "Go version needs update from $CURRENT to $LATEST"
+            echo "needs_update=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update Go version in files
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
+          
+          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
+          
+          # Escape dots in current version strings for use in sed patterns
+          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
+          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
+          
+          # Update MODULE.bazel
+          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
+          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
+            echo "Error: Failed to update MODULE.bazel"
+            exit 1
+          fi
+          
+          # Update go/extractor/go.mod
+          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
+            echo "Warning: Failed to update go directive in go.mod"
+          fi
+          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
+            echo "Warning: Failed to update toolchain in go.mod"
+          fi
+          
+          # Update go/extractor/autobuilder/build-environment.go
+          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
+            echo "Warning: Failed to update build-environment.go"
+          fi
+          
+          # Update go/actions/test/action.yml
+          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
+            echo "Warning: Failed to update action.yml"
+          fi
+          
+          # Show what changed
+          git diff
+
+      - name: Check for changes
+        id: check-changes
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected"
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for existing PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        id: check-pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
+          
+          if [ -n "$PR_NUMBER" ]; then
+            echo "Existing PR found: #$PR_NUMBER"
+            echo "pr_exists=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          else
+            echo "No existing PR found"
+            echo "pr_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit and push changes
+        if: steps.check-changes.outputs.has_changes == 'true'
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          
+          # Create or switch to branch
+          git checkout -B "$BRANCH_NAME"
+          
+          # Stage and commit changes
+          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
+          git commit -m "Go: Update to $LATEST_VERSION_NUM"
+          
+          # Push changes
+          git push --force-with-lease origin "$BRANCH_NAME"
+
+      - name: Create or update PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          
+          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
+          
+          PR_BODY=$(cat <<EOF
+          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
+
+          Updated files:
+          - \`MODULE.bazel\` - go_sdk.download version
+          - \`go/extractor/go.mod\` - go directive and toolchain
+          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
+          - \`go/actions/test/action.yml\` - default go-test-version
+
+          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
+          EOF
+          )
+          
+          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
+            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
+            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
+          else
+            echo "Creating new PR"
+            gh pr create \
+              --title "$PR_TITLE" \
+              --body "$PR_BODY" \
+              --base main \
+              --head "$BRANCH_NAME" \
+              --label "Go"
+          fi

MODULE.bazel

@@ -273,7 +273,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.0")
+go_sdk.download(version = "1.26.4")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 ### Minor Analysis Improvements
 
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
 
 ## 0.4.36
 

actions/ql/lib/change-notes/released/0.4.37.md

@@ -2,4 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37
+version: 0.4.38-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -15,7 +15,7 @@
 
 ### Bug Fixes
 
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
 
 ## 0.6.28
 

actions/ql/src/change-notes/released/0.6.29.md

@@ -15,4 +15,4 @@
 
 ### Bug Fixes
 
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29
+version: 0.6.30-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

config/identical-files.json

@@ -11,10 +11,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
-  "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
-  ],
   "ModulusAnalysis Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"

cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full

cpp/ql/lib/DefaultOptions.qll

@@ -30,8 +30,6 @@ class Options extends string {
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
-    or
-    CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
 
   /**
@@ -45,8 +43,6 @@ class Options extends string {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
-    or
-    CustomOptions::returnsNull(call) // old Options.qll
   }
 
   /**
@@ -65,8 +61,6 @@ class Options extends string {
     f.hasGlobalOrStdName([
         "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
-    or
-    CustomOptions::exits(f) // old Options.qll
   }
 
   /**
@@ -79,8 +73,7 @@ class Options extends string {
    * runtime, the program's behavior is undefined)
    */
   predicate exprExits(Expr e) {
-    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
-    CustomOptions::exprExits(e) // old Options.qll
+    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0
   }
 
   /**
@@ -88,10 +81,7 @@ class Options extends string {
    *
    * By default holds only for `fgets`.
    */
-  predicate alwaysCheckReturnValue(Function f) {
-    f.hasGlobalOrStdName("fgets") or
-    CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
-  }
+  predicate alwaysCheckReturnValue(Function f) { f.hasGlobalOrStdName("fgets") }
 
   /**
    * Holds if it is reasonable to ignore the return value of function
@@ -107,8 +97,6 @@ class Options extends string {
     // common way of sleeping using select:
     fc.getTarget().hasGlobalName("select") and
     fc.getArgument(0).getValue() = "0"
-    or
-    CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
   }
 }
 

cpp/ql/lib/Options.qll

@@ -98,57 +98,3 @@ class CustomMutexType extends MutexType {
    */
   override predicate unlockAccess(FunctionCall fc, Expr arg) { none() }
 }
-
-/**
- * DEPRECATED: customize `CustomOptions.overrideReturnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate overrideReturnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.returnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate returnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exits(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exprExits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exprExits(Expr e) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.alwaysCheckReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate alwaysCheckReturnValue(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.okToIgnoreReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate okToIgnoreReturnValue(FunctionCall fc) { none() }

cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md

@@ -0,0 +1,15 @@
+---
+category: breaking
+---
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.

cpp/ql/lib/cpp.qll

@@ -32,7 +32,6 @@ import semmle.code.cpp.Class
 import semmle.code.cpp.Struct
 import semmle.code.cpp.Union
 import semmle.code.cpp.Enum
-import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
 import semmle.code.cpp.MemberFunction

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.2.0
+version: 10.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -148,28 +148,3 @@ class UnknownLocation extends Location {
     this.getFile().getAbsolutePath() = "" and locations_default(this, _, 0, 0, 0, 0)
   }
 }
-
-/**
- * A dummy location which is used when something doesn't have a location in
- * the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownDefaultLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when an expression doesn't have a
- * location in the source code but needs to have a `Location` associated
- * with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownExprLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when a statement doesn't have a location
- * in the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownStmtLocation extends UnknownLocation { }

cpp/ql/lib/semmle/code/cpp/Member.qll

@@ -1,6 +0,0 @@
-/**
- * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.Type

cpp/ql/lib/semmle/code/cpp/TemplateParameter.qll

@@ -35,13 +35,6 @@ class NonTypeTemplateParameter extends Literal, TemplateParameterImpl {
   override string getAPrimaryQlClass() { result = "NonTypeTemplateParameter" }
 }
 
-/**
- * A C++ `typename` (or `class`) template parameter.
- *
- * DEPRECATED: Use `TypeTemplateParameter` instead.
- */
-deprecated class TemplateParameter = TypeTemplateParameter;
-
 /**
  * A C++ `typename` (or `class`) template parameter.
  *

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -1071,7 +1071,7 @@ class NullPointerType extends BuiltInType {
  * const float fa[40];
  * ```
  */
-class DerivedType extends Type, @derivedtype {
+class DerivedType extends Type, NameQualifyingElement, @derivedtype {
   override string toString() { result = this.getName() }
 
   override string getName() { derivedtypes(underlyingElement(this), result, _, _) }

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -276,6 +276,45 @@ private predicate isClassConstructedFrom(Class c, Class templateClass) {
   not c.isConstructedFrom(_) and c = templateClass
 }
 
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassOld(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  isClassConstructedFrom(c, result)
+}
+
+private TemplateClass getOriginalClassTemplate(TemplateClass tc) {
+  result = tc.getOriginalTemplate()
+  or
+  not exists(tc.getOriginalTemplate()) and
+  result = tc
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassNew(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  exists(Class mid |
+    c.isConstructedFrom(mid)
+    or
+    not c.isConstructedFrom(_) and c = mid
+  |
+    result = getOriginalClassTemplate(mid)
+    or
+    not mid instanceof TemplateClass and mid = result
+  )
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClass(Class c) {
+  // The `Class::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `class_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `class_template_generated_from` extensional is empty.
+  if class_template_generated_from(_, _)
+  then result = getFullyTemplatedClassNew(c)
+  else result = getFullyTemplatedClassOld(c)
+}
+
 /**
  * Holds if `f` is an instantiation of a function template `templateFunc`, or
  * holds with `f = templateFunc` if `f` is not an instantiation of any function
@@ -292,7 +331,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }
 
 /** Gets the fully templated version of `f`. */
-Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedFunctionOld(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
@@ -306,13 +345,46 @@ Function getFullyTemplatedFunction(Function f) {
   )
 }
 
+private TemplateFunction getOriginalFunctionTemplate(TemplateFunction tf) {
+  result = tf.getOriginalTemplate()
+  or
+  not exists(tf.getOriginalTemplate()) and
+  result = tf
+}
+
+/** Gets the fully templated version of `f`. */
+private Function getFullyTemplatedFunctionNew(Function f) {
+  not f.isFromUninstantiatedTemplate(_) and
+  exists(Function mid |
+    f.isConstructedFrom(mid)
+    or
+    not f.isConstructedFrom(_) and f = mid
+  |
+    result = getOriginalFunctionTemplate(mid)
+    or
+    not mid instanceof TemplateFunction and mid = result
+  )
+}
+
+/** Gets the fully templated version of `f`. */
+Function getFullyTemplatedFunction(Function f) {
+  // The `Function::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `function_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `function_template_generated_from` extensional is empty.
+  if function_template_generated_from(_, _)
+  then result = getFullyTemplatedFunctionNew(f)
+  else result = getFullyTemplatedFunctionOld(f)
+}
+
 /** Prefixes `const` to `s` if `t` is const, or returns `s` otherwise. */
 bindingset[s, t]
 private string withConst(string s, Type t) {
   if t.isConst() then result = "const " + s else result = s
 }
 
-/** Prefixes `volatile` to `s` if `t` is const, or returns `s` otherwise. */
+/** Prefixes `volatile` to `s` if `t` is volatile, or returns `s` otherwise. */
 bindingset[s, t]
 private string withVolatile(string s, Type t) {
   if t.isVolatile() then result = "volatile " + s else result = s
@@ -490,7 +562,7 @@ pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     remaining = getNumberOfSupportedClassTemplateArguments(template) and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -502,7 +574,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     tp = getSupportedClassTemplateArgument(template, remaining)
   |
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -1,59 +1,5 @@
 import semmle.code.cpp.Type
 
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private string getTopLevelClassName(@usertype c) {
-  not mangled_name(_, _, _) and
-  isClass(c) and
-  usertypes(c, result, _) and
-  not namespacembrs(_, c) and // not in a namespace
-  not member(_, _, c) and // not in some structure
-  not class_instantiation(c, _) // not a template instantiation
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `d` is a unique complete class named `name`.
- */
-pragma[noinline]
-private predicate existsCompleteWithName(string name, @usertype d) {
-  not mangled_name(_, _, _) and
-  is_complete(d) and
-  name = getTopLevelClassName(d) and
-  onlyOneCompleteClassExistsWithName(name)
-}
-
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private predicate onlyOneCompleteClassExistsWithName(string name) {
-  not mangled_name(_, _, _) and
-  strictcount(@usertype c | is_complete(c) and getTopLevelClassName(c) = name) = 1
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class named `name`.
- */
-pragma[noinline]
-private predicate existsIncompleteWithName(string name, @usertype c) {
-  not mangled_name(_, _, _) and
-  not is_complete(c) and
-  name = getTopLevelClassName(c)
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class, and there exists a unique complete class `d`
- * with the same name.
- */
-private predicate oldHasCompleteTwin(@usertype c, @usertype d) {
-  not mangled_name(_, _, _) and
-  exists(string name |
-    existsIncompleteWithName(name, c) and
-    existsCompleteWithName(name, d)
-  )
-}
-
 pragma[noinline]
 private @mangledname getClassMangledName(@usertype c) {
   isClass(c) and
@@ -103,10 +49,7 @@ private module Cached {
   @usertype resolveClass(@usertype c) {
     hasCompleteTwin(c, result)
     or
-    oldHasCompleteTwin(c, result)
-    or
     not hasCompleteTwin(c, _) and
-    not oldHasCompleteTwin(c, _) and
     result = c
   }
 

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -1430,7 +1430,8 @@ specialnamequalifyingelements(
 @namequalifyingelement = @namespace
                        | @specialnamequalifyingelement
                        | @usertype
-                       | @decltype;
+                       | @decltype
+                       | @derivedtype;
 
 namequalifiers(
     unique int id: @namequalifier,

cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
   - cpp
   - queries

cpp/ql/test/examples/BadLocking/AV Rule 107.qlref

@@ -1 +1,2 @@
-jsf/4.13 Functions/AV Rule 107.ql
+query: jsf/4.13 Functions/AV Rule 107.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref

@@ -1 +1,2 @@
-Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
+query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp

@@ -48,7 +48,7 @@ void test1()
 
 void test2()
 {
-	Lock<Mutex> myLock(); // BAD (interpreted as a function declaration, this does nothing)
+	Lock<Mutex> myLock(); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block]
 
 	// ...
 }
@@ -62,14 +62,14 @@ void test3()
 
 void test4()
 {
-	Lock<Mutex>(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
+	Lock<Mutex>(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended) // $ Alert[cpp/local-variable-hides-global-variable]
 
 	// ...
 }
 
 void test5()
 {
-	Lock<Mutex> myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing)
+	Lock<Mutex> myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block]
 
 	// ...
 }

cpp/ql/test/examples/expressions/PrintAST.qlref

@@ -1 +1 @@
-semmle/code/cpp/PrintAST.ql
+query: semmle/code/cpp/PrintAST.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c

@@ -3,6 +3,6 @@ void workFunction_0(char *s) {
   char buf[80], buf1[8];
   if(len<0) return;
   memset(buf,0,len); //GOOD
-  memset(buf1,0,len1); //BAD
+  memset(buf1,0,len1); //BAD // $ Alert
   if(len1<0) return;
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-078/WordexpTainted.ql
+query: experimental/Security/CWE/CWE-078/WordexpTainted.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp

@@ -19,14 +19,14 @@ enum {
 
 int wordexp(const char *restrict s, wordexp_t *restrict p, int flags);
 
-int main(int argc, char** argv) {
+int main(int argc, char** argv) { // $ Source
   char *filePath = argv[2];
 
   {
     // BAD: the user string is injected directly into `wordexp` which performs command substitution
 
     wordexp_t we;
-    wordexp(filePath, &we, 0);
+    wordexp(filePath, &we, 0); // $ Alert
   }
 
   {

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
+query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp

@@ -20,7 +20,7 @@ void myFclose(FILE * fmy)
 int main(int argc, char *argv[])
 {
   fe = fopen("myFile.txt", "wt");
-  fclose(fe); // BAD
+  fclose(fe); // BAD // $ Alert
   fe = fopen("myFile.txt", "wt");
   myFclose(fe); // GOOD
   return 0;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c

@@ -11,7 +11,7 @@ void workFunction_0(char *s) {
   while(intIndex > 2)
   {
     buf[intIndex] = 1;
-    int intIndex; // BAD
+    int intIndex; // BAD // $ Alert
     intIndex--;
   }
   intIndex = 10;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
+query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp

@@ -8,7 +8,7 @@ int strlen(const char *string);
 
 // the following function is homebrew crypto written for this test.  This is a bad algorithm
 // on multiple levels and should never be used in cryptography.
-void encryptString(char *string, unsigned int key) {
+void encryptString(char *string, unsigned int key) { // $ Alert
 	char *ptr = string;
 	int len = strlen(string);
 
@@ -27,7 +27,7 @@ void encryptString(char *string, unsigned int key) {
 
 // the following function is homebrew crypto written for this test.  This is a bad algorithm
 // on multiple levels and should never be used in cryptography.
-void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) {
+void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { // $ Alert
 	unsigned int state[2];
 	unsigned int t;
 
@@ -48,7 +48,7 @@ void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int d
 // the following function resembles an implementation of the AES "mix columns"
 // step. It is not accurate, efficient or safe and should never be used in
 // cryptography.
-void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
+void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert
 	// The "mix columns" step takes four bytes as inputs. Each byte represents a
 	// polynomial with 8 one-bit coefficients, e.g. input bits 00001101
 	// represent the polynomial x^3 + x^2 + 1.  Arithmetic is reduced modulo
@@ -80,7 +80,7 @@ void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
 // the following function resembles initialization of an S-box as may be done
 // in an implementation of DES, AES and other encryption algorithms. It is not
 // accurate, efficient or safe and should never be used in cryptography.
-void init_aes_sbox(unsigned char data[256]) {
+void init_aes_sbox(unsigned char data[256]) { // $ Alert
 	// initialize `data` in a loop using lots of ^, ^= and << operations and
 	// a few fixed constants.
 	unsigned int state = 0x12345678;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp

@@ -63,7 +63,7 @@ static void badTest1(const char* ptr)
   int ret;
   int len;
   len = strlen(ptr);
-  for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results
+  for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert
     wprintf(L"%lc", wc);
     ptr += ret;
   }
@@ -73,7 +73,7 @@ static void badTest2(const char* ptr)
   int ret;
   int len;
   len = strlen(ptr);
-  for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results
+  for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert
     wprintf(L"%lc", wc);
     ptr += ret;
   }
@@ -103,7 +103,7 @@ static void badTest3(const char* ptr,int wc_len)
   len = wc_len;
   wchar_t *wc = new wchar_t[wc_len];
   while (*ptr && len > 0) {
-    ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD
+    ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD // $ Alert
     if (ret <0)
       break;
     if (ret == 0 || ret > len)
@@ -120,7 +120,7 @@ static void badTest4(const char* ptr,int wc_len)
   len = wc_len;
   wchar_t *wc = new wchar_t[wc_len];
   while (*ptr && len > 0) {
-    ret = mbtowc(wc, ptr, 16); // BAD
+    ret = mbtowc(wc, ptr, 16); // BAD // $ Alert
     if (ret <0)
       break;
     if (ret == 0 || ret > len)
@@ -137,7 +137,7 @@ static void badTest5(const char* ptr,int wc_len)
   len = wc_len;
   wchar_t *wc = new wchar_t[wc_len];
   while (*ptr && len > 0) {
-    ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD
+    ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD // $ Alert
     if (ret <0)
       break;
     if (ret == 0 || ret > len)
@@ -155,7 +155,7 @@ static void badTest6(const char* ptr,int wc_len)
   len = wc_len;
   wchar_t *wc = new wchar_t[wc_len];
   while (*ptr && wc_len > 0) {
-    ret = mbtowc(wc, ptr, wc_len); // BAD
+    ret = mbtowc(wc, ptr, wc_len); // BAD // $ Alert
     if (ret <0)
       if (checkErrors()) {
         ++ptr;
@@ -178,7 +178,7 @@ static void badTest7(const char* ptr,int wc_len)
   len = wc_len;
   wchar_t *wc = new wchar_t[wc_len];
   while (*ptr && wc_len > 0) {
-    ret = mbtowc(wc, ptr, len); // BAD
+    ret = mbtowc(wc, ptr, len); // BAD // $ Alert
     if (ret <0)
         break;
     if (ret == 0 || ret > len)
@@ -194,7 +194,7 @@ static void badTest8(const char* ptr,wchar_t *wc)
   int len;
   len = strlen(ptr);
   while (*ptr && len > 0) {
-    ret = mbtowc(wc, ptr, len); // BAD
+    ret = mbtowc(wc, ptr, len); // BAD // $ Alert
     if (ret <0)
       break;
     if (ret == 0 || ret > len)

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp

@@ -25,8 +25,8 @@ void* calloc (size_t num, size_t size);
 void* malloc (size_t size);
 
 static void badTest1(void *src,  int size) {
-    WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD
-    MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD
+    WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD // $ Alert
+    MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD // $ Alert
 }
 void goodTest2(){
   wchar_t src[] = L"0123456789ABCDEF";
@@ -42,7 +42,7 @@ void goodTest2(){
 static void badTest2(){
   wchar_t src[] = L"0123456789ABCDEF";
   char dst[16];
-  WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD
+  WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD // $ Alert
   printf("%s\n", dst);
 }
 static void goodTest3(){
@@ -55,7 +55,7 @@ static void badTest3(){
   char src[] = "0123456789ABCDEF";
   int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
   wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
-  MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
+  MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert
 }
 static void goodTest4(){
   char src[] = "0123456789ABCDEF";
@@ -67,13 +67,13 @@ static void badTest4(){
   char src[] = "0123456789ABCDEF";
   int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
   wchar_t * dst = (wchar_t*)malloc(size + 1);
-  MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
+  MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert
 }
 static int goodTest5(void *src){
   return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD
 }
 static int badTest5 (void *src) {
-  return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0);  // BAD
+  return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0);  // BAD // $ Alert
 }
 static void goodTest6(WCHAR *src)
 {
@@ -90,6 +90,6 @@ static void goodTest6(WCHAR *src)
 static void badTest6(WCHAR *src)
 {
     char dst[5] ="";
-    WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD
+    WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD // $ Alert
     printf("%s\n", dst);
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp

@@ -12,11 +12,11 @@ size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbsta
 
 
 static void badTest1(void *src,  int size) {
-    mbstowcs((wchar_t*)src,(char*)src,size); // BAD
+    mbstowcs((wchar_t*)src,(char*)src,size); // BAD // $ Alert
     _locale_t locale;
-    _mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD
+    _mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD // $ Alert
     mbstate_t *mbstate;
-    mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD
+    mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD // $ Alert
 }
 static void goodTest2(){
   char src[] = "0123456789ABCDEF";
@@ -32,7 +32,7 @@ static void goodTest2(){
 static void badTest2(){
   char src[] = "0123456789ABCDEF";
   wchar_t dst[16];
-  mbstowcs(dst, src,16); // BAD
+  mbstowcs(dst, src,16); // BAD // $ Alert
   printf("%s\n", dst);
 }
 static void goodTest3(){
@@ -45,7 +45,7 @@ static void badTest3(){
   char src[] = "0123456789ABCDEF";
   int size = mbstowcs(NULL, src,NULL);
   wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
-  mbstowcs(dst, src,size+1); // BAD
+  mbstowcs(dst, src,size+1); // BAD // $ Alert
 }
 static void goodTest4(){
   char src[] = "0123456789ABCDEF";
@@ -57,13 +57,13 @@ static void badTest4(){
   char src[] = "0123456789ABCDEF";
   int size = mbstowcs(NULL, src,NULL);
   wchar_t * dst = (wchar_t*)malloc(size + 1);
-  mbstowcs(dst, src,size+1); // BAD
+  mbstowcs(dst, src,size+1); // BAD // $ Alert
 }
 static int goodTest5(void *src){
   return mbstowcs(NULL, (char*)src,NULL); // GOOD
 }
 static int badTest5 (void *src) {
-  return mbstowcs(NULL, (char*)src,3); // BAD
+  return mbstowcs(NULL, (char*)src,3); // BAD // $ Alert
 }
 static void goodTest6(void *src){
   wchar_t dst[5];
@@ -77,6 +77,6 @@ static void goodTest6(void *src){
 }
 static void badTest6(void *src){
   wchar_t dst[5];
-  mbstowcs(dst, (char*)src,260); // BAD
+  mbstowcs(dst, (char*)src,260); // BAD // $ Alert
   printf("%s\n", dst);
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp

@@ -13,7 +13,7 @@ static size_t badTest1(unsigned char *src){
   int cb = 0;
   unsigned char dst[50];
   while( cb < sizeof(dst) )
-    dst[cb++]=*src++; // BAD
+    dst[cb++]=*src++; // BAD // $ Alert
   return _mbclen(dst);
 }
 static void goodTest2(unsigned char *src){
@@ -33,7 +33,7 @@ static void badTest2(unsigned char *src){
   unsigned char dst[50];
   while( cb < sizeof(dst) )
   {
-    _mbccpy(dst+cb,src); // BAD
+    _mbccpy(dst+cb,src); // BAD // $ Alert
     cb+=_mbclen(src);
     src=_mbsinc(src);
   }
@@ -44,5 +44,5 @@ static void goodTest3(){
 }
 static void badTest3(){
   wchar_t name[50];
-  name[sizeof(name) - 1] = L'\0'; // BAD
+  name[sizeof(name) - 1] = L'\0'; // BAD // $ Alert
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp

@@ -10,31 +10,31 @@ void test()
 	int y = getAnInt();
 
 	char *buffer1 = (char *)malloc(x + y); // GOOD
-	char *buffer2 = (char *)malloc(x * y); // BAD
+	char *buffer2 = (char *)malloc(x * y); // BAD // $ Alert
 	int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD
-	int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD
+	int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD // $ Alert
 
 	if ((x <= 1000) && (y <= 1000))
 	{
-		char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE]
+		char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE] // $ Alert
 	}
 
-	size_t size1 = x * y;
-	char *buffer5 = (char *)malloc(size1); // BAD
+	size_t size1 = x * y; // $ Source
+	char *buffer5 = (char *)malloc(size1); // BAD // $ Alert
 
 	size_t size2 = x;
 	size2 *= y;
 	char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED]
 
 	char *buffer7 = new char[x * 10]; // GOOD
-	char *buffer8 = new char[x * y]; // BAD
-	char *buffer9 = new char[x * x]; // BAD
+	char *buffer8 = new char[x * y]; // BAD // $ Alert
+	char *buffer9 = new char[x * x]; // BAD // $ Alert
 }
 
 
 // --- custom allocators ---
  
-void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
+void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here] // $ Alert
 void *MyMalloc2(size_t size);
 
 void customAllocatorTests()
@@ -42,6 +42,6 @@ void customAllocatorTests()
 	int x = getAnInt();
 	int y = getAnInt();
 
-	char *buffer1 = (char *)MyMalloc1(x * y); // BAD
-	char *buffer2 = (char *)MyMalloc2(x * y); // BAD
+	char *buffer1 = (char *)MyMalloc1(x * y); // BAD // $ Alert Source
+	char *buffer2 = (char *)MyMalloc2(x * y); // BAD // $ Alert
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp

@@ -6,17 +6,17 @@ void functionWork(char aA[10],unsigned int aUI) {
   int aI;
 
   aI = (aUI*8)/10; // GOOD
-  aI = aUI*8; // BAD
+  aI = aUI*8; // BAD // $ Alert
   aP = aA+aI;
   aI = (int)aUI*8; // GOOD
   
-  aL = (unsigned long)(aI*aI); // BAD
+  aL = (unsigned long)(aI*aI); // BAD // $ Alert
   aL = ((unsigned long)aI*aI); // GOOD
   
-  testCall((unsigned long)(aI*aI)); // BAD
+  testCall((unsigned long)(aI*aI)); // BAD // $ Alert
   testCall(((unsigned long)aI*aI)); // GOOD
   
-  if((unsigned long)(aI*aI) > aL) // BAD
+  if((unsigned long)(aI*aI) > aL) // BAD // $ Alert
     return;
   if(((unsigned long)aI*aI) > aL) // GOOD
     return;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
+query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp

@@ -15,49 +15,49 @@ void test()
 	unsigned short b1 = getAnUnsignedShort();
 	unsigned short c1 = getAnUnsignedShort();
 
-	if (a+b>c) a = c-b; // BAD
-	if (a+b>c) { a = c-b; } // BAD
-	if (b+a>c) a = c-b; // BAD
-	if (b+a>c) { a = c-b; } // BAD
-	if (c>a+b) a = c-b; // BAD
-	if (c>a+b) { a = c-b; } // BAD
-	if (c>b+a) a = c-b; // BAD
-	if (c>b+a) { a = c-b; } // BAD
+	if (a+b>c) a = c-b; // BAD // $ Alert
+	if (a+b>c) { a = c-b; } // BAD // $ Alert
+	if (b+a>c) a = c-b; // BAD // $ Alert
+	if (b+a>c) { a = c-b; } // BAD // $ Alert
+	if (c>a+b) a = c-b; // BAD // $ Alert
+	if (c>a+b) { a = c-b; } // BAD // $ Alert
+	if (c>b+a) a = c-b; // BAD // $ Alert
+	if (c>b+a) { a = c-b; } // BAD // $ Alert
 
-	if (a+b>=c) a = c-b; // BAD
-	if (a+b>=c) { a = c-b; } // BAD
-	if (b+a>=c) a = c-b; // BAD
-	if (b+a>=c) { a = c-b; } // BAD
-	if (c>=a+b) a = c-b; // BAD
-	if (c>=a+b) { a = c-b; } // BAD
-	if (c>=b+a) a = c-b; // BAD
-	if (c>=b+a) { a = c-b; } // BAD
+	if (a+b>=c) a = c-b; // BAD // $ Alert
+	if (a+b>=c) { a = c-b; } // BAD // $ Alert
+	if (b+a>=c) a = c-b; // BAD // $ Alert
+	if (b+a>=c) { a = c-b; } // BAD // $ Alert
+	if (c>=a+b) a = c-b; // BAD // $ Alert
+	if (c>=a+b) { a = c-b; } // BAD // $ Alert
+	if (c>=b+a) a = c-b; // BAD // $ Alert
+	if (c>=b+a) { a = c-b; } // BAD // $ Alert
 
-	if (a+b<c) a = c-b; // BAD
-	if (a+b<c) { a = c-b; } // BAD
-	if (b+a<c) a = c-b; // BAD
-	if (b+a<c) { a = c-b; } // BAD
-	if (c<a+b) a = c-b; // BAD
-	if (c<a+b) { a = c-b; } // BAD
-	if (c<b+a) a = c-b; // BAD
-	if (c<b+a) { a = c-b; } // BAD
+	if (a+b<c) a = c-b; // BAD // $ Alert
+	if (a+b<c) { a = c-b; } // BAD // $ Alert
+	if (b+a<c) a = c-b; // BAD // $ Alert
+	if (b+a<c) { a = c-b; } // BAD // $ Alert
+	if (c<a+b) a = c-b; // BAD // $ Alert
+	if (c<a+b) { a = c-b; } // BAD // $ Alert
+	if (c<b+a) a = c-b; // BAD // $ Alert
+	if (c<b+a) { a = c-b; } // BAD // $ Alert
 
-	if (a+b<=c) a = c-b; // BAD
-	if (a+b<=c) { a = c-b; } // BAD
-	if (b+a<=c) a = c-b; // BAD
-	if (b+a<=c) { a = c-b; } // BAD
-	if (c<=a+b) a = c-b; // BAD
-	if (c<=a+b) { a = c-b; } // BAD
-	if (c<=b+a) a = c-b; // BAD
-	if (c<=b+a) { a = c-b; } // BAD
+	if (a+b<=c) a = c-b; // BAD // $ Alert
+	if (a+b<=c) { a = c-b; } // BAD // $ Alert
+	if (b+a<=c) a = c-b; // BAD // $ Alert
+	if (b+a<=c) { a = c-b; } // BAD // $ Alert
+	if (c<=a+b) a = c-b; // BAD // $ Alert
+	if (c<=a+b) { a = c-b; } // BAD // $ Alert
+	if (c<=b+a) a = c-b; // BAD // $ Alert
+	if (c<=b+a) { a = c-b; } // BAD // $ Alert
 
-	if (a+b>d) a = d-b; // BAD
+	if (a+b>d) a = d-b; // BAD // $ Alert
 	if (a+(double)b>c) a = c-b; // GOOD
 	if (a+(-x)>c) a = c-(-y); // GOOD
 	if (a+b>c) { b++; a = c-b; } // GOOD
 	if (a+d>c) a = c-d; // GOOD
 	if (a1+b1>c1) a1 = c1-b1; // GOOD
 	
-	if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
-	if (a+b<=c) { return; } a = c-b; // BAD
+	if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD // $ Alert
+	if (a+b<=c) { return; } a = c-b; // BAD // $ Alert
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref

@@ -1 +1,2 @@
-experimental/Likely Bugs/ArrayAccessProductFlow.ql
+query: experimental/Likely Bugs/ArrayAccessProductFlow.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp

@@ -1,13 +1,13 @@
 char *malloc(int size);
 
 void test1(int size) {
-    char *arr = malloc(size);
+    char *arr = malloc(size); // $ Source
     for (int i = 0; i < size; i++) {
         arr[i] = 0; // GOOD
     }
 
     for (int i = 0; i <= size; i++) {
-        arr[i] = i; // BAD
+        arr[i] = i; // BAD // $ Alert
     }
 }
 
@@ -18,7 +18,7 @@ typedef struct {
 
 array_t mk_array(int size) {
     array_t arr;
-    arr.p = malloc(size);
+    arr.p = malloc(size); // $ Source
     arr.size = size;
 
     return arr;
@@ -32,7 +32,7 @@ void test2(int size) {
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i; // BAD
+        arr.p[i] = i; // BAD // $ Alert
     }
 }
 
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i; // BAD
+        arr.p[i] = i; // BAD // $ Alert
     }
 }
 
@@ -52,7 +52,7 @@ void test3(int size) {
 
 void test4(int size) {
     array_t arr;
-    arr.p = malloc(size);
+    arr.p = malloc(size); // $ Source
     arr.size = size;
 
     for (int i = 0; i < arr.size; i++) {
@@ -60,13 +60,13 @@ void test4(int size) {
     }
 
     for (int i = 0; i <= arr.size; i++) {
-        arr.p[i] = i; // BAD
+        arr.p[i] = i; // BAD // $ Alert
     }
 }
 
 array_t *mk_array_p(int size) {
     array_t *arr = (array_t*) malloc(sizeof(array_t));
-    arr->p = malloc(size);
+    arr->p = malloc(size); // $ Source
     arr->size = size;
 
     return arr;
@@ -80,7 +80,7 @@ void test5(int size) {
     }
 
     for (int i = 0; i <= arr->size; i++) {
-        arr->p[i] = i; // BAD
+        arr->p[i] = i; // BAD // $ Alert
     }
 }
 
@@ -90,7 +90,7 @@ void test6_callee(array_t *arr) {
     }
 
     for (int i = 0; i <= arr->size; i++) {
-        arr->p[i] = i; // BAD
+        arr->p[i] = i; // BAD // $ Alert
     }
 }
 

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp

@@ -32,60 +32,60 @@ void testOneArray(OneArray *arr) {
 
 void testBig(BigArray *arr) {
     arr->buf[MAX_SIZE-1] = 0; // GOOD
-    arr->buf[MAX_SIZE] = 0;   // BAD
-    arr->buf[MAX_SIZE+1] = 0; // BAD
+    arr->buf[MAX_SIZE] = 0;   // BAD // $ Alert
+    arr->buf[MAX_SIZE+1] = 0; // BAD // $ Alert
 
     for(int i = 0; i < MAX_SIZE; i++) {
         arr->buf[i] = 0; // GOOD
     }
     
     for(int i = 0; i <= MAX_SIZE; i++) {
-        arr->buf[i] = 0; // BAD
+        arr->buf[i] = 0; // BAD // $ Alert
     }
 }
 
 void testFields(ArrayAndFields *arr) {
     arr->buf[MAX_SIZE-1] = 0; // GOOD
-    arr->buf[MAX_SIZE] = 0;   // BAD?
-    arr->buf[MAX_SIZE+1] = 0; // BAD?
+    arr->buf[MAX_SIZE] = 0;   // BAD? // $ Alert
+    arr->buf[MAX_SIZE+1] = 0; // BAD? // $ Alert
 
     for(int i = 0; i < MAX_SIZE; i++) {
         arr->buf[i] = 0; // GOOD
     }
     
     for(int i = 0; i <= MAX_SIZE; i++) {
-        arr->buf[i] = 0; // BAD?
+        arr->buf[i] = 0; // BAD? // $ Alert
     }
 
     for(int i = 0; i < MAX_SIZE+2; i++) {
-        arr->buf[i] = 0; // BAD?
+        arr->buf[i] = 0; // BAD? // $ Alert
     }
     // is this different if it's a memcpy?
 }
 
-void assignThroughPointer(int *p) {
+void assignThroughPointer(int *p) { // $ Sink
     *p = 0; // ??? should the result go at a flow source?
 }
 
 void addToPointerAndAssign(int *p) {
     p[MAX_SIZE-1] = 0; // GOOD
-    p[MAX_SIZE] = 0; // BAD
+    p[MAX_SIZE] = 0; // BAD // $ Alert
 }
 
 void testInterproc(BigArray *arr) {
     assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
-    assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
+    assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD // $ Alert
 
-    addToPointerAndAssign(arr->buf);
+    addToPointerAndAssign(arr->buf); // $ Source
 }
 
 #define MAX_SIZE_BYTES 4096
 
 void testCharIndex(BigArray *arr) {
-    char *charBuf = (char*) arr->buf;
+    char *charBuf = (char*) arr->buf; // $ Source
 
     charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
-    charBuf[MAX_SIZE_BYTES] = 0; // BAD
+    charBuf[MAX_SIZE_BYTES] = 0; // BAD // $ Alert
 }
 
 void testEqRefinement() {
@@ -125,7 +125,7 @@ void testStackAllocated() {
     char *arr[MAX_SIZE];
 
     for(int i = 0; i <= MAX_SIZE; i++) {
-        arr[i] = 0; // BAD
+        arr[i] = 0; // BAD // $ Alert
     }
 }
 
@@ -133,18 +133,18 @@ int strncmp(const char*, const char*, int);
 
 char testStrncmp2(char *arr) {
     if(strncmp(arr, "<test>", 6) == 0) {
-        arr += 6;
+        arr += 6; // $ Alert
     }
-    return *arr; // GOOD [FALSE POSITIVE]
+    return *arr; // GOOD [FALSE POSITIVE] // $ Sink
 }
 
 void testStrncmp1() {
     char asdf[5];
-    testStrncmp2(asdf);
+    testStrncmp2(asdf); // $ Source
 }
 
 void countdownBuf1(int **p) {
-  *--(*p) = 1; // GOOD [FALSE POSITIVE]
+  *--(*p) = 1; // GOOD [FALSE POSITIVE] // $ Sink
   *--(*p) = 2; // GOOD
   *--(*p) = 3; // GOOD
   *--(*p) = 4; // GOOD
@@ -153,7 +153,7 @@ void countdownBuf1(int **p) {
 void countdownBuf2() {
   int buf[4];
 
-  int *x = buf + 4;
+  int *x = buf + 4; // $ Alert
 
   countdownBuf1(&x);
 }
@@ -215,10 +215,10 @@ int countdownLength2() {
 
 void pointer_size_larger_than_array_element_size() {
     unsigned char buffer[100]; // getByteSize() = 100
-    int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
+    int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25 // $ Source
 
     ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99
-    ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103
+    ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103 // $ Alert
 }
 
 struct vec2 { int x, y; };
@@ -226,10 +226,10 @@ struct vec3 { int x, y, z; };
 
 void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() {
     vec3 array[3]; // getByteSize() = 9 * sizeof(int)
-    vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
+    vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4 // $ Source
 
     ptr[3] = vec2{}; // GOOD: writes ints 6, 7
-    ptr[4] = vec2{}; // BAD: writes ints 8, 9
+    ptr[4] = vec2{}; // BAD: writes ints 8, 9 // $ Alert
 }
 
 void pointer_size_larger_than_array_element_size_and_does_not_divide_it() {
@@ -258,7 +258,7 @@ void call_use(unsigned char* p, int n) {
     if(n == 3) {
         unsigned char x = p[0];
         unsigned char y = p[1];
-        unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
+        unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point. // $ Alert
         use(x, y, z);
     }
 }
@@ -283,7 +283,7 @@ void test_call_use2() {
     call_call_use(buffer1,1);
 
     unsigned char buffer2[2];
-    call_call_use(buffer2,2);
+    call_call_use(buffer2,2); // $ Source
 
     unsigned char buffer3[3];
     call_call_use(buffer3,3);
@@ -296,7 +296,7 @@ int guardingCallee(int *arr, int size) {
 
     int sum;
     for (int i = 0; i < size; i++) {
-        sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size
+        sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size // $ Alert
     }
     return sum;
 }
@@ -306,7 +306,7 @@ int guardingCaller() {
     guardingCallee(arr1, MAX_SIZE);
     
     int arr2[10];
-    guardingCallee(arr2, 10);
+    guardingCallee(arr2, 10); // $ Source
 }
 
 // simplified md5 padding
@@ -319,10 +319,10 @@ void correlatedCondition(int num) {
             end = temp + 56;
         }
         else if (num < 64) {
-            end = temp + 64; // GOOD [FALSE POSITVE]
+            end = temp + 64; // GOOD [FALSE POSITVE] // $ Alert
         }
         char *temp2 = temp + num;
-        while(temp2 != end) {
+        while(temp2 != end) { // $ Sink
             *temp2 = 0;
             temp2++;
         }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp

@@ -9,7 +9,7 @@ int main(int argc, char *argv[])
 {
   //umask(0022);
   FILE *fp;
-  fp = fopen("myFile.txt","w"); // BAD
+  fp = fopen("myFile.txt","w"); // BAD // $ Alert
   //chmod("myFile.txt",0644);
   fprintf(fp,"%s\n","data to file");
   fclose(fp);

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp

@@ -9,7 +9,7 @@ int chdir(char *path);
 void exit(int status);
 
 int funTest1(){
-  if (chroot("/myFold/myTmp") == -1) {  // BAD
+  if (chroot("/myFold/myTmp") == -1) {  // BAD // $ Alert
     exit(-1);
   }
   return 0;
@@ -26,7 +26,7 @@ int funTest2(){
 }
 
 int funTest3(){  
-  chdir("/myFold/myTmp"); // BAD
+  chdir("/myFold/myTmp"); // BAD // $ Alert
   return 0;
 }
 int main(int argc, char *argv[])

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp

@@ -6,7 +6,7 @@ int fclose(FILE *stream);
 
 void funcTest1()
 {
-  umask(0666); // BAD
+  umask(0666); // BAD // $ Alert
   FILE *fe;
   fe = fopen("myFile.txt", "wt");
   fclose(fe);
@@ -27,7 +27,7 @@ void funcTest2(int mode)
   FILE *fe;
   fe = fopen("myFile.txt", "wt");
   fclose(fe);
-  chmod("myFile.txt",0555-mode); // BAD
+  chmod("myFile.txt",0555-mode); // BAD // $ Alert
 }
 
 void funcTest2g(int mode)

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-285/PamAuthorization.ql
+query: experimental/Security/CWE/CWE-285/PamAuthorization.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp

@@ -26,7 +26,7 @@ bool PamAuthBad(const std::string &username_in,
         return false;
     }
 
-    err = pam_authenticate(pamh, 0);
+    err = pam_authenticate(pamh, 0); // $ Alert
     if (err != PAM_SUCCESS)
         return err;
 

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp

@@ -22,8 +22,8 @@ char host[] = "codeql.com";
 
 void bad(void) {
 	std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
-	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
-	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); 
+	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); // $ Alert
+	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);  // $ Alert
   	curl_easy_setopt(curl.get(), CURLOPT_URL, host);
   	curl_easy_perform(curl.get());
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-295/CurlSSL.ql
+query: experimental/Security/CWE/CWE-295/CurlSSL.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
+query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp

@@ -54,7 +54,7 @@ void file()
   FILE *file;
 
   // BAD: write zipcode to file in cleartext
-  fputs(theZipcode, file);
+  fputs(theZipcode, file); // $ Alert
 
   // GOOD: encrypt first
   char *encrypted = encrypt(theZipcode);
@@ -71,15 +71,15 @@ int main(int argc, char **argv)
   char *buff4;
 
   // BAD: write medical to buffer in cleartext
-  sprintf(buff1, "%s", medical);
+  sprintf(buff1, "%s", medical); // $ Alert Source
 
   // BAD: write medical to buffer in cleartext
-  char *temp = medical;
-  sprintf(buff2, "%s", temp);
+  char *temp = medical; // $ Source
+  sprintf(buff2, "%s", temp); // $ Alert
 
   // BAD: write medical to buffer in cleartext
-  char *buff5 = func(medical);
-  sprintf(buff3, "%s", buff5);
+  char *buff5 = func(medical); // $ Source
+  sprintf(buff3, "%s", buff5); // $ Alert
 
   char *buff6 = encrypt(medical);
   // GOOD: encrypt first
@@ -93,10 +93,10 @@ void stream()
   ofstream mystream;
 
   // BAD: write zipcode to file in cleartext
-  mystream << "the zipcode is: " << theZipcode;
+  mystream << "the zipcode is: " << theZipcode; // $ Alert Source
 
   // BAD: write zipcode to file in cleartext
-  (mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode));
+  (mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); // $ Alert
 
   // GOOD: encrypt first
   char *encrypted = encrypt(theZipcode);

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
+query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp

@@ -44,13 +44,13 @@ int getSize2(int type) {
 
 int badTestf1(int type, int met) {
   int is = getSize(type);
-  if (met == 1) return 123 / is; // BAD
-  else return 123 / getSize2(type); // BAD
+  if (met == 1) return 123 / is; // BAD // $ Alert
+  else return 123 / getSize2(type); // BAD // $ Alert
 }
 int badTestf2(int type) {
   int is;
   is = getSize(type);
-  return 123 / is; // BAD
+  return 123 / is; // BAD // $ Alert
 }
 
 int badTestf3(int type, int met) {
@@ -62,23 +62,23 @@ int badTestf3(int type, int met) {
   case 2:
     if (0 == is) return 123 / is; // BAD [NOT DETECTED]
   case 3:
-    if (!is & 123 / is) // BAD
+    if (!is & 123 / is) // BAD // $ Alert
       return 123;
   case 4:
-    if (!is | 123 / is) // BAD
+    if (!is | 123 / is) // BAD // $ Alert
       return 123;
   case 5:
-    if (123 / is || !is) // BAD 
+    if (123 / is || !is) // BAD  // $ Alert
       return 123;
   case 6:
-    if (123 / is && !is) // BAD
+    if (123 / is && !is) // BAD // $ Alert
       return 123;
   case 7:
-    if (!is) return 123 / is; // BAD
+    if (!is) return 123 / is; // BAD // $ Alert
   case 8:
-    if (is > -1) return 123 / is; // BAD
+    if (is > -1) return 123 / is; // BAD // $ Alert
   case 9:
-    if (is < 2) return 123 / is; // BAD
+    if (is < 2) return 123 / is; // BAD // $ Alert
   }
   if (is != 0) return -1;
   if (is == 0) type += 1;
@@ -125,20 +125,20 @@ int badTestf4(int type) {
   int is = getSize(type);
   int d;
   d = type * is;
-  return 123 / d; // BAD
+  return 123 / d; // BAD // $ Alert
 }
 
 int badTestf5(int type) {
   int is = getSize(type);
   int d;
   d = is / type;
-  return 123 / d; // BAD
+  return 123 / d; // BAD // $ Alert
 }
 int badTestf6(int type) {
   int is = getSize(type);
   int d;
   d = is / type;
-  return type * 123 / d; // BAD
+  return type * 123 / d; // BAD // $ Alert
 }
 
 int badTestf7(int type, int met) {
@@ -150,7 +150,7 @@ int badTestf7(int type, int met) {
       return 123 / is; // GOOD
   }
   quit:
-    return 123 / is; // BAD
+    return 123 / is; // BAD // $ Alert
 }
 
 int goodTestf7(int type, int met) {
@@ -169,8 +169,8 @@ int goodTestf7(int type, int met) {
 
 int badTestf8(int type) {
   int is = getSize(type);
-  type /= is; // BAD
-  type %= is; // BAD
+  type /= is; // BAD // $ Alert
+  type %= is; // BAD // $ Alert
   return type;
 }
 
@@ -184,7 +184,7 @@ float getSizeFloat(float type) {
 }
 float badTestf9(float type) {
   float is = getSizeFloat(type);
-  return 123 / is; // BAD
+  return 123 / is; // BAD // $ Alert
 }
 float goodTestf9(float type) {
   float is = getSizeFloat(type);
@@ -196,18 +196,18 @@ int badTestf10(int type) {
   int out = type;
   int is = getSize(type);
   if (is > -2) {
-    out /= 123 / (is + 1); // BAD
+    out /= 123 / (is + 1); // BAD // $ Alert
   }
   if (is > 0) {
-    return 123 / (is - 1); // BAD
+    return 123 / (is - 1); // BAD // $ Alert
   }
   if (is <= 0) return 0;
-  return 123 / (is - 1); // BAD
+  return 123 / (is - 1); // BAD // $ Alert
   return 0;
 }
 int badTestf11(int type) {
   int is = getSize(type);
-  return 123 / (is - 3); // BAD
+  return 123 / (is - 3); // BAD // $ Alert
 }
 
 int goodTestf11(int type) {
@@ -255,12 +255,12 @@ int badMySubDiv(int type, int is) {
 
 void badTestf13(int type) {
   int is = getSize(type);
-  badMyDiv(type, is); // BAD
-  badMyDiv(type, is - 2); // BAD
-  badMySubDiv(type, is); // BAD
+  badMyDiv(type, is); // BAD // $ Alert
+  badMyDiv(type, is - 2); // BAD // $ Alert
+  badMySubDiv(type, is); // BAD // $ Alert
   goodMyDiv(type, is); // GOOD
   if (is < 5)
-    badMySubDiv(type, is); // BAD
+    badMySubDiv(type, is); // BAD // $ Alert
   if (is < 0)
     badMySubDiv(type, is); // BAD [NOT DETECTED]
   if (is > 5)
@@ -270,9 +270,9 @@ void badTestf13(int type) {
   if (is > 0)
     badMyDiv(type, is); // GOOD
   if (is < 5)
-    badMyDiv(type, is - 3); // BAD
+    badMyDiv(type, is - 3); // BAD // $ Alert
   if (is < 0)
-    badMyDiv(type, is + 1); // BAD
+    badMyDiv(type, is + 1); // BAD // $ Alert
   if (is > 5)
     badMyDiv(type, is - 3); // GOOD
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
+query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp

@@ -13,7 +13,7 @@ int fclose(FILE *stream);
 int funcTest1()
 {
   FILE *fp;
-  char *filename = tmpnam(NULL); // BAD
+  char *filename = tmpnam(NULL); // BAD // $ Alert
   fp = fopen(filename,"w");
   fprintf(fp,"%s\n","data to file");
   fclose(fp);

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c

@@ -31,7 +31,7 @@ unsigned char * badResize_0(unsigned char * buffer,size_t currentSize,size_t new
 	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
 	if (currentSize < newSize)
 	{
-		buffer = (unsigned char *)realloc(buffer, newSize);
+		buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
 	}
 	return buffer;
 }
@@ -60,7 +60,7 @@ unsigned char * badResize_1_0(unsigned char * buffer,size_t currentSize,size_t n
 	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
 	if (currentSize < newSize)
 	{
-		buffer = (unsigned char *)realloc(buffer, newSize);
+		buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
 	}
 	return buffer;
 }
@@ -136,7 +136,7 @@ unsigned char * badResize_1_1(unsigned char * buffer,size_t currentSize,size_t n
 	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
 	if (currentSize < newSize)
 	{
-		buffer = (unsigned char *)realloc(buffer, newSize);
+		buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
 	}
 	if(!buffer)
 		aFakeFailed_1(1, 1);
@@ -183,7 +183,7 @@ unsigned char * badResize_2_0(unsigned char * buffer,size_t currentSize,size_t n
 	assert(buffer!=0);
 	if (currentSize < newSize)
 	{
-		buffer = (unsigned char *)realloc(buffer, newSize);
+		buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
 	}
 	return buffer;
 }
@@ -279,7 +279,7 @@ unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t
 	unsigned char *tmp = buffer;
 	if (currentSize < newSize)
 	{
-		buffer = (unsigned char *)realloc(buffer, newSize);
+		buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
 		if (buffer == NULL)
 		{
 			free(tmp);
@@ -296,7 +296,7 @@ unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t
 	unsigned char *tmp = buffer;
 	if (currentSize < newSize)
 	{
-		tmp = (unsigned char *)realloc(tmp, newSize);
+		tmp = (unsigned char *)realloc(tmp, newSize); // $ Alert
 		if (tmp != 0)
 		{
 			buffer = tmp;
@@ -325,7 +325,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t
 	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
 	if (currentSize < newSize)
 	{
-		buffer = (unsigned char *)realloc(buffer, newSize);
+		buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
 	}
 	if (cond)
 	{
@@ -339,7 +339,7 @@ unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t
 	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
 	if (currentSize < newSize)
 	{
-		buffer = (unsigned char *)realloc(buffer, newSize);
+		buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
 		assert(cond); // irrelevant
 	}
 	return buffer;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp

@@ -15,12 +15,12 @@ BrotliDecoderResult BrotliDecoderDecompressStream(
 void brotli_test(int argc, const char **argv) {
     uint8_t output[1024];
     size_t output_size = sizeof(output);
-    BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
+    BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD // $ Alert
 
     size_t input_size = 1024;
     const uint8_t *input_p = (const uint8_t*)argv[2];
     uint8_t *output_p = output;
     size_t out_size;
-    BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
+    BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD // $ Alert
                                   &output_p, &out_size);
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp

@@ -19,7 +19,7 @@ static int read_data(archive *ar) {
         size_t size;
         la_int64_t offset;
 
-        int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
+        int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD // $ Alert
         if (r == ARCHIVE_EOF)
             return ARCHIVE_OK;
         if (r < ARCHIVE_OK)

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp

@@ -4,7 +4,7 @@ void minizip_test(int argc, const char **argv);
 void zlib_test(int argc, const char **argv);
 void zstd_test(int argc, const char **argv);
 
-int main(int argc, const char **argv) {
+int main(int argc, const char **argv) { // $ Source
     brotli_test(argc, argv);
     libarchive_test(argc, argv);
     minizip_test(argc, argv);

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp

@@ -14,7 +14,7 @@ void minizip_test(int argc, const char **argv) {
     int32_t bytes_read;
     char buf[4096];
     while(true) {
-        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
+        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD // $ Alert
         if (bytes_read <= 0) {
             break;
         }
@@ -23,7 +23,7 @@ void minizip_test(int argc, const char **argv) {
     void *zip_reader = mz_zip_reader_create();
     mz_zip_reader_open_file(zip_reader, argv[1]);
     mz_zip_reader_goto_first_entry(zip_reader);
-    mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
+    mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD // $ Alert
 
-    UnzOpen(argv[3]); // BAD
+    UnzOpen(argv[3]); // BAD // $ Alert
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp

@@ -22,7 +22,7 @@ void UnsafeInflate(char *input) {
     infstream.next_out = output; // output char array
 
     inflateInit(&infstream);
-    inflate(&infstream, 0); // BAD
+    inflate(&infstream, 0); // BAD // $ Alert
 }
 
 
@@ -38,7 +38,7 @@ void UnsafeGzread(char *fileName) {
     gzFile inFileZ = gzopen(fileName, "rb");
     unsigned char unzipBuffer[8192];
     while (true) {
-        if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
+        if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD // $ Alert
             break;
         }
     }
@@ -48,7 +48,7 @@ void UnsafeGzfread(char *fileName) {
     gzFile inFileZ = gzopen(fileName, "rb");
     while (true) {
         char buffer[1000];
-        if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
+        if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD // $ Alert
             break;
         }
     }
@@ -59,7 +59,7 @@ void UnsafeGzgets(char *fileName) {
     char *buffer = new char[4000000000];
     char *result;
     while (true) {
-        result = gzgets(inFileZ, buffer, 1000000000); // BAD
+        result = gzgets(inFileZ, buffer, 1000000000); // BAD // $ Alert
         if (result == nullptr) {
             break;
         }
@@ -74,7 +74,7 @@ void InflateString(char *input) {
     uLong source_length = 500;
     uLong destination_length = sizeof(output);
 
-    uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
+    uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD // $ Alert
 }
 
 void zlib_test(int argc, char **argv) {

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp

@@ -36,7 +36,7 @@ void zstd_test(int argc, const char **argv) {
         ZSTD_inBuffer input = {buffIn, read, 0};
         while (input.pos < input.size) {
             ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
-            size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD  
+            size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD   // $ Alert
             CHECK_ZSTD(ret);
         }
     }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-415/DoubleFree.ql
+query: experimental/Security/CWE/CWE-415/DoubleFree.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c

@@ -8,14 +8,14 @@ void workFunction_0(char *s) {
   char *buf;
   buf = (char *) malloc(intSize);
   free(buf); // GOOD
-  if(buf) free(buf); // BAD
+  if(buf) free(buf); // BAD // $ Alert
 }
 void workFunction_1(char *s) {
   int intSize = 10;
   char *buf;
   buf = (char *) malloc(intSize);
   free(buf); // GOOD
-  free(buf); // BAD
+  free(buf); // BAD // $ Alert
 }
 void workFunction_2(char *s) {
   int intSize = 10;
@@ -54,7 +54,7 @@ void workFunction_5(char *s, int intFlag) {
   if(intFlag) {
     free(buf); // GOOD
   }
-  free(buf); // BAD
+  free(buf); // BAD // $ Alert
 }
 void workFunction_6(char *s, int intFlag) {
   int intSize = 10;
@@ -75,7 +75,7 @@ void workFunction_7(char *s) {
   char *buf1;
   buf = (char *) malloc(intSize);
   buf1 = (char *) realloc(buf,intSize*4);
-  free(buf); // BAD
+  free(buf); // BAD // $ Alert
 }
 void workFunction_8(char *s) {
   int intSize = 10;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
+query: experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp

@@ -68,7 +68,7 @@ void funcWork1b() {
     }
     delete [] bufMyData;
 
-  }
+  } // $ Alert
 }
 
 void funcWork1() {
@@ -97,7 +97,7 @@ void funcWork1() {
     }
     delete [] bufMyData;
 
-  }
+  } // $ Alert
 }
 
 void funcWork2() {
@@ -125,7 +125,7 @@ void funcWork2() {
     }
     delete [] bufMyData;
 
-  }
+  } // $ Alert
 }
 void funcWork3() {
   int a;
@@ -148,7 +148,7 @@ void funcWork3() {
     }
     delete [] bufMyData;
 
-  }
+  } // $ Alert
 }
 
 
@@ -180,7 +180,7 @@ void funcWork4b() {
   catch (...) 
   {
     delete valData; // BAD
-  }
+  } // $ Alert
 }
 void funcWork5() {
   int a;
@@ -218,7 +218,7 @@ void funcWork5b() {
   catch (...) 
   {
         delete valData; // BAD
-  }
+  } // $ Alert
 }
 void funcWork6() {
   int a;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
+query: experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c

@@ -25,7 +25,7 @@ void testFunction(char c1,int i1)
     case 9:
       break;
   dafault:
-  }
+  } // $ Alert
 
   switch(c1){ // BAD
       c1=c1*2;
@@ -35,7 +35,7 @@ void testFunction(char c1,int i1)
       break;
     case 9:
       break;
-  }
+  } // $ Alert
 
   if((c1<6)&&(c1>0))
   switch(c1){ // BAD
@@ -47,7 +47,7 @@ void testFunction(char c1,int i1)
       break;
     case 1:
       break;
-  }
+  } // $ Alert
 
   if((c1<6)&&(c1>0))
   switch(c1){ // BAD
@@ -55,6 +55,6 @@ void testFunction(char c1,int i1)
       break;
     case 1:
       break;
-  }
+  } // $ Alert
   
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
+query: experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp

@@ -42,7 +42,7 @@ int gootTest2(SSL *ssl)
 int badTest1(SSL *ssl)
 {
   int ret;
-    switch ((ret = SSL_shutdown(ssl))) {
+    switch ((ret = SSL_shutdown(ssl))) { // $ Alert
     case 1:
       break;
     case 0:
@@ -58,7 +58,7 @@ int badTest1(SSL *ssl)
 int badTest2(SSL *ssl)
 {
   int ret;
-    ret = SSL_shutdown(ssl);
+    ret = SSL_shutdown(ssl); // $ Alert
     switch (ret) {
     case 1:
       break;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-675/DoubleRelease.ql
+query: experimental/Security/CWE/CWE-675/DoubleRelease.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp

@@ -17,7 +17,7 @@ void test2()
   FILE *f;
 	
   f = fopen("myFile.txt", "wt");
-  fclose(f); // BAD
+  fclose(f); // BAD // $ Alert
   fclose(f);
 }
 
@@ -28,14 +28,14 @@ void test3()
 	
   f = fopen("myFile.txt", "wt");
   g = f;
-  fclose(f); // BAD
+  fclose(f); // BAD // $ Alert
   fclose(g);
 }
 
 int fGtest4_1()
 {
   fe = fopen("myFile.txt", "wt"); 
-  fclose(fe); // BAD
+  fclose(fe); // BAD // $ Alert
   return -1;
 }
 

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c

@@ -5,25 +5,25 @@ void workFunction_0(char *s) {
   int intSize;
   char buf[80];
   if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
-  if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
+  if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations]
   if(intSize>0 && tmpFunction()) return;
-  if(intSize<0 & tmpFunction()) return; // BAD
+  if(intSize<0 & tmpFunction()) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations]
 }
 void workFunction_1(char *s) {
   int intA,intB;
 
-  if(intA + intB) return; // BAD
+  if(intA + intB) return; // BAD // $ Alert[cpp/errors-after-refactoring]
   if(intA + intB>4) return; // GOOD
-  if(intA>0 && (intA + intB)) return; // BAD
+  if(intA>0 && (intA + intB)) return; // BAD // $ Alert[cpp/errors-after-refactoring]
   while(intA>0)
   {
     if(intB - intA<10) break;
     intA--;
-  }while(intA>0); // BAD
+  }while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring]
   for(intA=100; intA>0; intA--)
   {
     if(intB - intA<10) break;
-  }while(intA>0); // BAD
+  }while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring]
   while(intA>0)
   {
     if(intB - intA<10) break;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref

@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
+query: experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp

@@ -32,13 +32,13 @@ void funcTest2()
 
 void funcTest3()
 {
-  std::runtime_error("msg error"); // BAD
+  std::runtime_error("msg error"); // BAD // $ Alert
   throw std::runtime_error("msg error"); // GOOD
 }
 
 void TestFunc()
 {
-  funcTest1();
-  DllMain();
+  funcTest1(); // $ Alert
+  DllMain(); // $ Alert
   funcTest2();
 }