Merge pull request #19488 from github/release-prep/2.21.3

Release preparation for version 2.21.3

.github/workflows/mad_modelDiff.yml

@@ -68,7 +68,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
+            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
             mkdir -p $MODELS/$SHORTNAME
             mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
             cd ..

CODEOWNERS

@@ -17,6 +17,7 @@
 
 # Experimental CodeQL cryptography
 **/experimental/quantum/ @github/ps-codeql
+/shared/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers

MODULE.bazel

@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -193,10 +193,6 @@ use_repo(
     kotlin_extractor_deps,
     "codeql_kotlin_defaults",
     "codeql_kotlin_embeddable",
-    "kotlin-compiler-1.5.0",
-    "kotlin-compiler-1.5.10",
-    "kotlin-compiler-1.5.20",
-    "kotlin-compiler-1.5.30",
     "kotlin-compiler-1.6.0",
     "kotlin-compiler-1.6.20",
     "kotlin-compiler-1.7.0",
@@ -208,10 +204,7 @@ use_repo(
     "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-1.5.0",
-    "kotlin-compiler-embeddable-1.5.10",
-    "kotlin-compiler-embeddable-1.5.20",
-    "kotlin-compiler-embeddable-1.5.30",
+    "kotlin-compiler-2.2.0-Beta1",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -223,10 +216,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-stdlib-1.5.0",
-    "kotlin-stdlib-1.5.10",
-    "kotlin-stdlib-1.5.20",
-    "kotlin-stdlib-1.5.30",
+    "kotlin-compiler-embeddable-2.2.0-Beta1",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -238,6 +228,7 @@ use_repo(
     "kotlin-stdlib-2.0.20-Beta2",
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
+    "kotlin-stdlib-2.2.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected

@@ -0,0 +1 @@
+

actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected

@@ -0,0 +1,17 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected

@@ -0,0 +1,27 @@
+ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
+ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql

actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected

@@ -0,0 +1,23 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

actions/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -0,0 +1,17 @@
+ql/actions/ql/src/Debug/partial.ql
+ql/actions/ql/src/Models/CompositeActionsSinks.ql
+ql/actions/ql/src/Models/CompositeActionsSources.ql
+ql/actions/ql/src/Models/CompositeActionsSummaries.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
+ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

actions/ql/integration-tests/query-suite/test.py

@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, actions, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, actions, check_queries_not_included):
+    check_queries_not_included('actions', well_known_query_suites)

actions/ql/lib/CHANGELOG.md

@@ -1,7 +1,17 @@
-## 0.4.7
+## 0.4.9
 
 No user-facing changes.
 
+## 0.4.8
+
+No user-facing changes.
+
+## 0.4.7
+
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ## 0.4.6
 
 ### Bug Fixes

actions/ql/lib/change-notes/released/0.4.7.md

@@ -1,3 +1,5 @@
 ## 0.4.7
 
-No user-facing changes.
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.

actions/ql/lib/change-notes/released/0.4.8.md

@@ -0,0 +1,3 @@
+## 0.4.8
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.9.md

@@ -0,0 +1,3 @@
+## 0.4.9
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.7
+lastReleaseVersion: 0.4.9

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.8-dev
+version: 0.4.9
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,5 +1,33 @@
+## 0.6.1
+
+No user-facing changes.
+
+## 0.6.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `security-and-quality` suite.
+  They are not intended to produce user-facing
+  alerts describing vulnerabilities.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/composite-action-sinks`
+  * `actions/composite-action-sources`
+  * `actions/composite-action-summaries`
+  * `actions/reusable-workflow-sinks`
+    (renamed from `actions/reusable-wokflow-sinks`)
+  * `actions/reusable-workflow-sources`
+  * `actions/reusable-workflow-summaries`
+
+### Bug Fixes
+
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
+
 ## 0.5.4
 
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ### Bug Fixes
 
 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -5,7 +5,7 @@
  * @problem.severity warning
  * @security-severity 9.3
  * @precision high
- * @id actions/reusable-wokflow-sinks
+ * @id actions/reusable-workflow-sinks
  * @tags actions
  *       model-generator
  *       external/cwe/cwe-020

actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.

actions/ql/src/change-notes/released/0.5.4.md

@@ -1,5 +1,9 @@
 ## 0.5.4
 
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ### Bug Fixes
 
 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/change-notes/released/0.6.0.md

@@ -0,0 +1,19 @@
+## 0.6.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `security-and-quality` suite.
+  They are not intended to produce user-facing
+  alerts describing vulnerabilities.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/composite-action-sinks`
+  * `actions/composite-action-sources`
+  * `actions/composite-action-summaries`
+  * `actions/reusable-workflow-sinks`
+    (renamed from `actions/reusable-wokflow-sinks`)
+  * `actions/reusable-workflow-sources`
+  * `actions/reusable-workflow-summaries`
+
+### Bug Fixes
+
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.

actions/ql/src/change-notes/released/0.6.1.md

@@ -0,0 +1,3 @@
+## 0.6.1
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.4
+lastReleaseVersion: 0.6.1

actions/ql/src/codeql-suites/actions-code-quality.qls

@@ -1 +1,3 @@
-[]
+- queries: .
+- apply: code-quality-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.5-dev
+version: 0.6.1
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

annotateOverlayLocal.py

@@ -1,123 +0,0 @@
-#!/usr/bin/python
-
-import os
-
-
-def process_single_file(filename):
-    if not filename.endswith(".qll"):
-        return
-
-    with open(filename, 'r') as file_in:
-        lines = [line for line in file_in]
-
-    configuresDataflow = any(
-        "implements DataFlow::ConfigSig" in line for line in lines)
-
-    moduleAnnotations = ""
-    if any(line for line in lines if line.rstrip().endswith("module;")):
-        for line in lines:
-            moduleAnnotations += line
-            if line.rstrip().endswith("module;"):
-                break
-
-    moduleAnnotations = strip_comments(moduleAnnotations)
-
-    isFileLevelAnnotated = ("overlay[local]" in moduleAnnotations or
-                            "overlay[local?]" in moduleAnnotations)
-
-    if configuresDataflow or isFileLevelAnnotated or filename.endswith("Query.qll"):
-        if isFileLevelAnnotated and configuresDataflow:
-            print("WARNING: file \""+filename +
-                  "\" configures dataflow, but is annotated local")
-        elif configuresDataflow and not filename.endswith("Query.qll"):
-            print("WARNING: file \""+filename +
-                  "\" configures dataflow but is not a [...]Query.qll file")
-        elif filename.endswith("Query.qll") and not configuresDataflow:
-            print("WARNING: file \""+filename +
-                  "\" is a [...]Query.qll file that does not configure dataflow")
-        elif isFileLevelAnnotated and filename.endswith("Query.qll"):
-            print("WARNING: file \""+filename +
-                  "\" is a [...]Query.qll file, but is annotated local")
-    elif any(line for line in lines if line.rstrip().endswith("module;")):
-        print("file \""+filename +
-              " was annotated using an existing file-level module statment")
-        with open(filename, "w") as file_out:
-            for line in lines:
-                if line.rstrip().endswith("module;"):
-                    file_out.write("overlay[local?]\n")
-                file_out.write(line)
-    elif (lines[0].startswith("import ") or lines[0].startswith("private ") or
-          lines[0].startswith("newtype ") or lines[0].startswith("module ") or
-          lines[0].startswith("signature ")):
-        print("file \""+filename+" was annotated at the very start of the file")
-        with open(filename, "w") as file_out:
-            file_out.write("overlay[local?]\nmodule;\n\n")
-            for line in lines:
-                file_out.write(line)
-    elif (strip_comments("".join(lines)).lstrip().startswith("import") or
-          strip_comments("".join(lines)).lstrip().startswith("private import")):
-        print("file \""+filename+" was annotated at the first import statement")
-        with open(filename, "w") as file_out:
-            firstImport = True
-            addEmptyLine = ""
-            for line in lines:
-                if not line.strip():
-                    if addEmptyLine:
-                        file_out.write(addEmptyLine)
-                    addEmptyLine = line
-                else:
-                    if firstImport and (line.startswith("import") or line.startswith("private")):
-                        file_out.write("overlay[local?]\nmodule;\n")
-                        firstImport = False
-
-                    if addEmptyLine:
-                        file_out.write(addEmptyLine)
-                        addEmptyLine = ""
-                    file_out.write(line)
-    elif (len(lines) > 2 and lines[0].startswith("/** ") and lines[0].endswith(" */\n") and
-          not lines[1].strip() and lines[2].startswith("/**")):
-        print("file \""+filename+" was annotated after single-line file module qldoc")
-        with open(filename, "w") as file_out:
-            file_out.write(lines[0])
-            file_out.write("overlay[local?]\nmodule;\n")
-            for line in lines[1:]:
-                file_out.write(line)
-    else:
-        print("ERROR: failure to annotate file \""+filename+"\"")
-
-
-def strip_comments(str):
-    prev = ""
-    in_multiline = False
-    in_singleline = False
-
-    result = ""
-    for c in str:
-        if c == '*' and prev == '/':
-            in_multiline = True
-            prev = ""
-        elif c == '/' and prev == '/':
-            in_singleline = True
-            prev = ""
-        elif in_multiline and c == '/' and prev == '*':
-            in_multiline = False
-            prev = ""
-        elif in_singleline and c == '\n':
-            in_singleline = False
-            result += '\n'
-            prev = ""
-        else:
-            if not in_multiline and not in_singleline:
-                if prev == '/':
-                    result += '/'
-                if c != '/':
-                    result += c
-            prev = c
-    return result
-
-
-for roots in ["java/ql/lib/semmle/code", "shared"]:
-    for dirpath, dirnames, filenames in os.walk(roots):
-        for filename in filenames:
-            if filename.endswith(".qll"):
-                process_single_file(os.path.join(dirpath, filename))

cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql

@@ -0,0 +1,11 @@
+class Type extends @type {
+  string toString() { none() }
+}
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+from Type decltype, Expr expr, Type basetype, boolean parentheses
+where decltypes(decltype, expr, _, basetype, parentheses)
+select decltype, expr, basetype, parentheses

cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql

@@ -0,0 +1,19 @@
+class Type extends @type {
+  string toString() { none() }
+}
+
+predicate derivedType(Type type, string name, int kind, Type type_id) {
+  derivedtypes(type, name, kind, type_id)
+}
+
+predicate typeTransformation(Type type, string name, int kind, Type type_id) {
+  type_operators(type, _, _, type_id) and
+  name = "" and
+  kind = 3 // @type_with_specifiers
+}
+
+from Type type, string name, int kind, Type type_id
+where
+  derivedType(type, name, kind, type_id) or
+  typeTransformation(type, name, kind, type_id)
+select type, name, kind, type_id

cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties

@@ -0,0 +1,5 @@
+description: Support C23 typeof and typeof_unqual
+compatibility: backwards
+decltypes.rel: run decltypes.qlo
+derivedtypes.rel: run derivedtypes.qlo
+type_operators.rel: delete

cpp/ql/integration-tests/header-variant-tests/clang-pch/a.c

@@ -0,0 +1,2 @@
+#include "a.h"
+#define FOUR 4

cpp/ql/integration-tests/header-variant-tests/clang-pch/c.c

@@ -0,0 +1,3 @@
+int main() {
+  return ONE + FOUR;
+}

cpp/ql/integration-tests/header-variant-tests/clang-pch/d.c

@@ -0,0 +1 @@
+#import "d.h"

cpp/ql/integration-tests/header-variant-tests/clang-pch/e.c

@@ -0,0 +1,3 @@
+int main() {
+  return SEVENTEEN;
+}

cpp/ql/integration-tests/header-variant-tests/clang-pch/f.c

@@ -0,0 +1,5 @@
+#if 1
+#pragma hdrstop
+extern int x;
+#define SEEN_F
+#endif

cpp/ql/integration-tests/header-variant-tests/clang-pch/g.c

@@ -0,0 +1,5 @@
+#ifdef SEEN_F
+static int g() {
+  return 20;
+}
+#endif

cpp/ql/integration-tests/header-variant-tests/clang-pch/h.c

@@ -0,0 +1,4 @@
+#include "h1.h"
+#pragma hdrstop
+#include "h2.h"
+#define SEEN_H

cpp/ql/integration-tests/header-variant-tests/clang-pch/i.c

@@ -13,4 +13,3 @@ static int h2() {
   return 32;
 }
 #endif
-// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/h.pch

cpp/ql/integration-tests/header-variant-tests/clang-pch/test.py

@@ -0,0 +1,17 @@
+import os
+
+
+def test(codeql, cpp):
+    os.mkdir("pch")
+    extractor = cpp.get_tool("extractor")
+    codeql.database.create(command=[
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/a.pch a.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/a.pch -Iextra_dummy_path b.c',
+        f'"{extractor}" --mimic-clang -include pch/a -Iextra_dummy_path c.c',
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/d.pch d.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/d.pch e.c',
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/f.pch f.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/f.pch g.c',
+        f'"{extractor}" --mimic-clang -emit-pch -o pch/h.pch h.c',
+        f'"{extractor}" --mimic-clang -include-pch pch/h.pch i.c',
+    ])

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/a.c

@@ -0,0 +1 @@
+#include "a.h"

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/b.c

@@ -0,0 +1,6 @@
+#pragma hdrstop
+#include "b.h"
+
+int b() {
+  return A;
+}

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/c.c

@@ -0,0 +1,6 @@
+#include "d.h"
+#include "c.h"
+
+int c() {
+  return A;
+}

cpp/ql/integration-tests/header-variant-tests/microsoft-pch/test.py

@@ -0,0 +1,11 @@
+import os
+
+
+def test(codeql, cpp):
+    os.mkdir("pch")
+    extractor = cpp.get_tool("extractor")
+    codeql.database.create(command=[
+        f'"{extractor}" --mimic-cl /Yca.h /Fppch/a.pch a.c',
+        f'"{extractor}" --mimic-cl /Yub.h /Fppch/a.pch b.c',
+        f'"{extractor}" --mimic-cl /Yuc.h /Fppch/a.pch c.c',
+    ])

cpp/ql/integration-tests/query-suite/cpp-code-quality.qls.expected

@@ -0,0 +1 @@
+

cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected

@@ -0,0 +1,60 @@
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected

@@ -0,0 +1,181 @@
+ql/cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql
+ql/cpp/ql/src/Best Practices/ComplexCondition.ql
+ql/cpp/ql/src/Best Practices/Exceptions/AccidentalRethrow.ql
+ql/cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql
+ql/cpp/ql/src/Best Practices/Exceptions/LeakyCatch.ql
+ql/cpp/ql/src/Best Practices/Exceptions/ThrowingPointers.ql
+ql/cpp/ql/src/Best Practices/GuardedFree.ql
+ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesParameter.ql
+ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql
+ql/cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/Slicing.ql
+ql/cpp/ql/src/Best Practices/RuleOfTwo.ql
+ql/cpp/ql/src/Best Practices/SloppyGlobal.ql
+ql/cpp/ql/src/Best Practices/SwitchLongCase.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql
+ql/cpp/ql/src/Best Practices/UseOfGoto.ql
+ql/cpp/ql/src/Critical/DeadCodeGoto.ql
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/LargeParameter.ql
+ql/cpp/ql/src/Critical/MissingCheckScanf.ql
+ql/cpp/ql/src/Critical/NewArrayDeleteMismatch.ql
+ql/cpp/ql/src/Critical/NewDeleteArrayMismatch.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/SizeCheck.ql
+ql/cpp/ql/src/Critical/SizeCheck2.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Documentation/CommentedOutCode.ql
+ql/cpp/ql/src/Documentation/FixmeComments.ql
+ql/cpp/ql/src/Documentation/UncommentedFunction.ql
+ql/cpp/ql/src/Header Cleanup/Cleanup-DuplicateIncludeGuard.ql
+ql/cpp/ql/src/Likely Bugs/AmbiguouslySignedBitField.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/UnsignedGEZero.ql
+ql/cpp/ql/src/Likely Bugs/ContinueInFalseLoop.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.ql
+ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/TooManyFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/InconsistentCallOnResult.ql
+ql/cpp/ql/src/Likely Bugs/InconsistentCheckReturnNull.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/DubiousNullCheck.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/FutileConditional.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StackAddressEscapes.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/NestedLoopSameVar.ql
+ql/cpp/ql/src/Likely Bugs/OO/IncorrectConstructorDelegation.ql
+ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql
+ql/cpp/ql/src/Likely Bugs/OO/ThrowInDestructor.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/ReturnConstType.ql
+ql/cpp/ql/src/Likely Bugs/ReturnConstTypeMember.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.ql
+ql/cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 35.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 89.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 95.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 107.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql
+ql/cpp/ql/src/jsf/4.17 Types/AV Rule 148.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 166.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 196.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 197.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.ql

cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected

@@ -0,0 +1,97 @@
+ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/MissingCheckScanf.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/SizeCheck.ql
+ql/cpp/ql/src/Critical/SizeCheck2.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

cpp/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -0,0 +1,448 @@
+ql/cpp/ql/src/AlertSuppression.ql
+ql/cpp/ql/src/Architecture/FeatureEnvy.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/CyclicNamespaces.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/NamespaceDependencies.ql
+ql/cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql
+ql/cpp/ql/src/Architecture/InappropriateIntimacy.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/CyclomaticComplexity.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/JapaneseEraDate.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicNumbersUseConstant.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicStringsUseConstant.ql
+ql/cpp/ql/src/Best Practices/NVI.ql
+ql/cpp/ql/src/Best Practices/NVIHub.ql
+ql/cpp/ql/src/Best Practices/RuleOfThree.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedIncludes.ql
+ql/cpp/ql/src/Critical/DeadCodeCondition.ql
+ql/cpp/ql/src/Critical/DeadCodeFunction.ql
+ql/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+ql/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+ql/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+ql/cpp/ql/src/Critical/FileNeverClosed.ql
+ql/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+ql/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+ql/cpp/ql/src/Critical/InitialisationNotRun.ql
+ql/cpp/ql/src/Critical/LateNegativeTest.ql
+ql/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+ql/cpp/ql/src/Critical/MemoryNeverFreed.ql
+ql/cpp/ql/src/Critical/MissingNegativityTest.ql
+ql/cpp/ql/src/Critical/MissingNullTest.ql
+ql/cpp/ql/src/Critical/NotInitialised.ql
+ql/cpp/ql/src/Critical/OverflowCalculated.ql
+ql/cpp/ql/src/Critical/OverflowDestination.ql
+ql/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+ql/cpp/ql/src/Critical/ReturnValueIgnored.ql
+ql/cpp/ql/src/Critical/Unused.ql
+ql/cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql
+ql/cpp/ql/src/Documentation/DocumentApi.ql
+ql/cpp/ql/src/Documentation/TodoComments.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/ExitNonterminatingLoop.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/LoopBounds.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 04/Recursion.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 05/HeapMemory.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 07/ThreadSafety.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidNestedSemaphores.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidSemaphores.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/OutOfOrderLocks.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/ReleaseLocksWhenAcquired.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowGoto.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 12/EnumInitialization.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/ExternDeclsInHeader.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeLocalHidesGlobal.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 14/CheckingReturnValues.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 15/CheckingParameterValues.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsConstant.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsDensity.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsNonBoolean.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsSideEffect.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 18/CompoundExpressions.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 19/NoBooleanSideEffects.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUse.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseIfdef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUsePartial.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseUndisciplined.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 21/MacroInBlock.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 22/UseOfUndef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleStmtsPerLine.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleVarDeclsPerLine.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 25/FunctionSizeLimits.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 26/DeclarationPointerNesting.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 27/PointerDereferenceInStmt.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerDereferenceMacro.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerIndirectionTypedef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 31/IncludesFirst.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ConversionChangesSign.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql
+ql/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
+ql/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/BoolValueInBitOp.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/LogicalExprCouldBeSimplified.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/More64BitWaste.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
+ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.ql
+ql/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
+ql/cpp/ql/src/Likely Bugs/OO/VirtualCallInStructor.ql
+ql/cpp/ql/src/Likely Bugs/ShortLoopVarName.ql
+ql/cpp/ql/src/Metrics/Classes/CAfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Classes/CEfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadBugs.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadDifficulty.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadEffort.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadLength.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadVocabulary.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadVolume.ql
+ql/cpp/ql/src/Metrics/Classes/CInheritanceDepth.ql
+ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionCK.ql
+ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionHS.ql
+ql/cpp/ql/src/Metrics/Classes/CLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfFields.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfFunctions.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfStatements.ql
+ql/cpp/ql/src/Metrics/Classes/CPercentageOfComplexCode.ql
+ql/cpp/ql/src/Metrics/Classes/CResponse.ql
+ql/cpp/ql/src/Metrics/Classes/CSizeOfAPI.ql
+ql/cpp/ql/src/Metrics/Classes/CSpecialisation.ql
+ql/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+ql/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+ql/cpp/ql/src/Metrics/External/FileCompilationDisplayStrings.ql
+ql/cpp/ql/src/Metrics/External/FileCompilationSourceLinks.ql
+ql/cpp/ql/src/Metrics/Files/AutogeneratedLOC.ql
+ql/cpp/ql/src/Metrics/Files/ConditionalSegmentConditions.ql
+ql/cpp/ql/src/Metrics/Files/ConditionalSegmentLines.ql
+ql/cpp/ql/src/Metrics/Files/FAfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Files/FCommentRatio.ql
+ql/cpp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
+ql/cpp/ql/src/Metrics/Files/FDirectIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FEfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadBugs.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadDifficulty.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadEffort.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadLength.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadVocabulary.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadVolume.ql
+ql/cpp/ql/src/Metrics/Files/FLines.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfCommentedOutCode.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfComments.ql
+ql/cpp/ql/src/Metrics/Files/FMacroRatio.ql
+ql/cpp/ql/src/Metrics/Files/FNumberOfClasses.ql
+ql/cpp/ql/src/Metrics/Files/FNumberOfTests.ql
+ql/cpp/ql/src/Metrics/Files/FTimeInFrontend.ql
+ql/cpp/ql/src/Metrics/Files/FTodoComments.ql
+ql/cpp/ql/src/Metrics/Files/FTransitiveIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FunctionLength.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfFunctions.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfGlobals.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfParameters.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfPublicFunctions.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfPublicGlobals.ql
+ql/cpp/ql/src/Metrics/Functions/FunCyclomaticComplexity.ql
+ql/cpp/ql/src/Metrics/Functions/FunIterationNestingDepth.ql
+ql/cpp/ql/src/Metrics/Functions/FunLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Functions/FunLinesOfComments.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfCalls.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfParameters.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfStatements.ql
+ql/cpp/ql/src/Metrics/Functions/FunPercentageOfComments.ql
+ql/cpp/ql/src/Metrics/Functions/StatementNestingDepth.ql
+ql/cpp/ql/src/Metrics/Internal/ASTConsistency.ql
+ql/cpp/ql/src/Metrics/Internal/CallableDisplayStrings.ql
+ql/cpp/ql/src/Metrics/Internal/CallableExtents.ql
+ql/cpp/ql/src/Metrics/Internal/CallableSourceLinks.ql
+ql/cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql
+ql/cpp/ql/src/Metrics/Internal/IRConsistency.ql
+ql/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql
+ql/cpp/ql/src/Metrics/Internal/ReftypeDisplayStrings.ql
+ql/cpp/ql/src/Metrics/Internal/ReftypeSourceLinks.ql
+ql/cpp/ql/src/Metrics/Namespaces/AbstractNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/ConcreteNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighAfferentCouplingNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighDistanceFromMainLineNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighEfferentCouplingNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/StableNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/UnstableNamespaces.ql
+ql/cpp/ql/src/Microsoft/CallWithNullSAL.ql
+ql/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
+ql/cpp/ql/src/Microsoft/InconsistentSAL.ql
+ql/cpp/ql/src/PointsTo/Debug.ql
+ql/cpp/ql/src/PointsTo/PreparedStagedPointsTo.ql
+ql/cpp/ql/src/PointsTo/Stats.ql
+ql/cpp/ql/src/PointsTo/TaintedFormatStrings.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfGoto.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfJmp.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfRecursion.ql
+ql/cpp/ql/src/Power of 10/Rule 2/BoundedLoopIterations.ql
+ql/cpp/ql/src/Power of 10/Rule 2/ExitPermanentLoop.ql
+ql/cpp/ql/src/Power of 10/Rule 3/DynamicAllocAfterInit.ql
+ql/cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql
+ql/cpp/ql/src/Power of 10/Rule 4/OneStmtPerLine.ql
+ql/cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql
+ql/cpp/ql/src/Power of 10/Rule 5/AssertionSideEffect.ql
+ql/cpp/ql/src/Power of 10/Rule 5/ConstantAssertion.ql
+ql/cpp/ql/src/Power of 10/Rule 5/NonBooleanAssertion.ql
+ql/cpp/ql/src/Power of 10/Rule 6/GlobalCouldBeStatic.ql
+ql/cpp/ql/src/Power of 10/Rule 6/VariableScopeTooLarge.ql
+ql/cpp/ql/src/Power of 10/Rule 7/CheckArguments.ql
+ql/cpp/ql/src/Power of 10/Rule 7/CheckReturnValues.ql
+ql/cpp/ql/src/Power of 10/Rule 8/AvoidConditionalCompilation.ql
+ql/cpp/ql/src/Power of 10/Rule 8/PartialMacro.ql
+ql/cpp/ql/src/Power of 10/Rule 8/RestrictPreprocessor.ql
+ql/cpp/ql/src/Power of 10/Rule 8/UndisciplinedMacro.ql
+ql/cpp/ql/src/Power of 10/Rule 9/FunctionPointer.ql
+ql/cpp/ql/src/Power of 10/Rule 9/HiddenPointerIndirection.ql
+ql/cpp/ql/src/Power of 10/Rule 9/PointerNesting.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+ql/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
+ql/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
+ql/cpp/ql/src/definitions.ql
+ql/cpp/ql/src/experimental/Best Practices/UselessTest.ql
+ql/cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql
+ql/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
+ql/cpp/ql/src/experimental/Likely Bugs/DerefNullResult.ql
+ql/cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql
+ql/cpp/ql/src/experimental/quantum/PrintCBOMGraph.ql
+ql/cpp/ql/src/external/examples/filters/BumpMetricBy10.ql
+ql/cpp/ql/src/external/examples/filters/EditDefectMessage.ql
+ql/cpp/ql/src/external/examples/filters/ExcludeGeneratedCode.ql
+ql/cpp/ql/src/filters/ClassifyFiles.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 1.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 2.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 3.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 11.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 12.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 13.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 14.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 9.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 17.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 18.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 19.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 20.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 21.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 22.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 25.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 26.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 27.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 28.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 29.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 30.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 31.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 33.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 39.ql
+ql/cpp/ql/src/jsf/4.08 Implementation Files/AV Rule 40.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 41.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 42.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 43.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 44.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 45.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 46.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 47.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 48.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 49.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 50.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 51.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 52.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.1.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 54.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 57.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 58.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 59.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 60.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 61.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 63.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 68.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 69.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 70.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 73.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 74.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 75.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 76.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 77.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 78.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 81.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 85.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 94.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.1.ql
+ql/cpp/ql/src/jsf/4.11 Namespaces/AV Rule 99.ql
+ql/cpp/ql/src/jsf/4.12 Templates/AV Rule 104.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 108.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 110.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 111.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 113.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 115.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 119.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 126.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 127.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 133.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 135.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 138.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 139.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 140.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 142.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 143.ql
+ql/cpp/ql/src/jsf/4.17 Types/AV Rule 147.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 149.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 150.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.1.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.ql
+ql/cpp/ql/src/jsf/4.19 Variables/AV Rule 152.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 154.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 155.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 156.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 157.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 158.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 159.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 160.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 162.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 163.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 164.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 170.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 171.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 175.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 176.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 178.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 179.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 180.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 181.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 182.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 184.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 185.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 186.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 187.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 188.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 190.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 191.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 192.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 193.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 194.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 195.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 198.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 199.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 200.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.1.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 205.ql
+ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 206.ql
+ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 207.ql
+ql/cpp/ql/src/jsf/4.27 Fault Handling/AV Rule 208.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 209.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 210.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 212.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 213.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 214.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 215.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

cpp/ql/integration-tests/query-suite/test.py

@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['cpp-code-quality.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, cpp, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, cpp, check_queries_not_included):
+    check_queries_not_included('cpp', well_known_query_suites)

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 4.3.1
+
+### Bug Fixes
+
+* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.
+
+## 4.3.0
+
+### New Features
+
+* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
+* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
+* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
+* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
+
 ## 4.2.0
 
 ### New Features

cpp/ql/lib/change-notes/2025-04-14-variable-length-arrays.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).

cpp/ql/lib/change-notes/2025-04-15-field-array-designator.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.

cpp/ql/lib/change-notes/released/4.3.0.md

@@ -0,0 +1,8 @@
+## 4.3.0
+
+### New Features
+
+* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
+* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
+* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
+* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).

cpp/ql/lib/change-notes/released/4.3.1.md

@@ -0,0 +1,5 @@
+## 4.3.1
+
+### Bug Fixes
+
+* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.2.0
+lastReleaseVersion: 4.3.1

cpp/ql/lib/experimental/quantum/Language.qll

@@ -0,0 +1,113 @@
+private import cpp as Language
+import semmle.code.cpp.dataflow.new.DataFlow
+import codeql.quantum.experimental.Model
+
+module CryptoInput implements InputSig<Language::Location> {
+  class DataFlowNode = DataFlow::Node;
+
+  class LocatableElement = Language::Locatable;
+
+  class UnknownLocation = Language::UnknownDefaultLocation;
+
+  LocatableElement dfn_to_element(DataFlow::Node node) {
+    result = node.asExpr() or
+    result = node.asParameter() or
+    result = node.asVariable()
+  }
+
+  string locationToFileBaseNameAndLineNumberString(Location location) {
+    result = location.getFile().getBaseName() + ":" + location.getStartLine()
+  }
+
+  predicate artifactOutputFlowsToGenericInput(
+    DataFlow::Node artifactOutput, DataFlow::Node otherInput
+  ) {
+    ArtifactFlow::flow(artifactOutput, otherInput)
+  }
+}
+
+module Crypto = CryptographyBase<Language::Location, CryptoInput>;
+
+module ArtifactFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source = any(Crypto::ArtifactInstance artifact).getOutputNode()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink = any(Crypto::FlowAwareElement other).getInputNode()
+  }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getInputNode()
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getOutputNode()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.(AdditionalFlowInputStep).getOutput() = node2
+  }
+}
+
+module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
+
+/**
+ * Artifact output to node input configuration
+ */
+abstract class AdditionalFlowInputStep extends DataFlow::Node {
+  abstract DataFlow::Node getOutput();
+
+  final DataFlow::Node getInput() { result = this }
+}
+
+/**
+ * Generic data source to node input configuration
+ */
+module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source = any(Crypto::GenericSourceInstance i).getOutputNode()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink = any(Crypto::FlowAwareElement other).getInputNode()
+  }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getInputNode()
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getOutputNode()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.(AdditionalFlowInputStep).getOutput() = node2
+  }
+}
+
+module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source = any(Crypto::ArtifactInstance artifact).getOutputNode()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink = any(Crypto::FlowAwareElement other).getInputNode()
+  }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getInputNode()
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getOutputNode()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.(AdditionalFlowInputStep).getOutput() = node2
+  }
+}
+
+module ArtifactUniversalFlow = DataFlow::Global<ArtifactUniversalFlowConfig>;
+
+import OpenSSL.OpenSSL

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -0,0 +1,170 @@
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+
+/**
+ * Traces 'known algorithms' to AVCs, specifically
+ * algorithms that are in the set of known algorithm constants.
+ * Padding-specific consumers exist that have their own values that
+ * overlap with the known algorithm constants.
+ * Padding consumers (specific padding consumers) are excluded from the set of sinks.
+ */
+module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(OpenSSLAlgorithmValueConsumer c |
+      c.getInputNode() = sink and
+      not c instanceof PaddingAlgorithmValueConsumer
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    // False positive reducer, don't flow out through argv
+    exists(VariableAccess va, Variable v |
+      v.getAnAccess() = va and va = node.asExpr()
+      or
+      va = node.asIndirectExpr()
+    |
+      v.getName().matches("%argv")
+    )
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    knownPassThroughStep(node1, node2)
+  }
+}
+
+module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
+  DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
+
+module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    knownPassThroughStep(node1, node2)
+  }
+}
+
+module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
+  DataFlow::Global<RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
+
+class OpenSSLAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
+  OpenSSLAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
+
+  override DataFlow::Node getOutput() {
+    exists(AlgorithmPassthroughCall c | c.getInNode() = this and c.getOutNode() = result)
+  }
+}
+
+abstract class AlgorithmPassthroughCall extends Call {
+  abstract DataFlow::Node getInNode();
+
+  abstract DataFlow::Node getOutNode();
+}
+
+class CopyAndDupAlgorithmPassthroughCall extends AlgorithmPassthroughCall {
+  DataFlow::Node inNode;
+  DataFlow::Node outNode;
+
+  CopyAndDupAlgorithmPassthroughCall() {
+    // Flow out through any return or other argument of the same type
+    // Assume flow in and out is asIndirectExpr or asDefinitingArgument since a pointer is assumed
+    // to be involved
+    // NOTE: not attempting to detect openssl specific copy/dup functions, but anything suspected to be copy/dup
+    this.getTarget().getName().toLowerCase().matches(["%_dup%", "%_copy%"]) and
+    exists(Expr inArg, Type t |
+      inArg = this.getAnArgument() and t = inArg.getUnspecifiedType().stripType()
+    |
+      inNode.asIndirectExpr() = inArg and
+      (
+        // Case 1: flow through another argument as an out arg of the same type
+        exists(Expr outArg |
+          outArg = this.getAnArgument() and
+          outArg != inArg and
+          outArg.getUnspecifiedType().stripType() = t
+        |
+          outNode.asDefiningArgument() = outArg
+        )
+        or
+        // Case 2: flow through the return value if the result is the same as the intput type
+        exists(Expr outArg | outArg = this and outArg.getUnspecifiedType().stripType() = t |
+          outNode.asIndirectExpr() = outArg
+        )
+      )
+    )
+  }
+
+  override DataFlow::Node getInNode() { result = inNode }
+
+  override DataFlow::Node getOutNode() { result = outNode }
+}
+
+class NIDToPointerPassthroughCall extends AlgorithmPassthroughCall {
+  DataFlow::Node inNode;
+  DataFlow::Node outNode;
+
+  NIDToPointerPassthroughCall() {
+    this.getTarget().getName() in ["OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn"] and
+    inNode.asExpr() = this.getArgument(0) and
+    outNode.asExpr() = this
+    //outNode.asIndirectExpr() = this
+  }
+
+  override DataFlow::Node getInNode() { result = inNode }
+
+  override DataFlow::Node getOutNode() { result = outNode }
+}
+
+class PointerToPointerPassthroughCall extends AlgorithmPassthroughCall {
+  DataFlow::Node inNode;
+  DataFlow::Node outNode;
+
+  PointerToPointerPassthroughCall() {
+    this.getTarget().getName() = "OBJ_txt2obj" and
+    inNode.asIndirectExpr() = this.getArgument(0) and
+    outNode.asIndirectExpr() = this
+    or
+    //outNode.asExpr() = this
+    this.getTarget().getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and
+    inNode.asIndirectExpr() = this.getArgument(2) and
+    outNode.asDefiningArgument() = this.getArgument(0)
+  }
+
+  override DataFlow::Node getInNode() { result = inNode }
+
+  override DataFlow::Node getOutNode() { result = outNode }
+}
+
+class PointerToNIDPassthroughCall extends AlgorithmPassthroughCall {
+  DataFlow::Node inNode;
+  DataFlow::Node outNode;
+
+  PointerToNIDPassthroughCall() {
+    this.getTarget().getName() in ["OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid", "OBJ_txt2nid"] and
+    (
+      inNode.asIndirectExpr() = this.getArgument(0)
+      or
+      inNode.asExpr() = this.getArgument(0)
+    ) and
+    outNode.asExpr() = this
+  }
+
+  override DataFlow::Node getInNode() { result = inNode }
+
+  override DataFlow::Node getOutNode() { result = outNode }
+}
+
+// TODO: pkeys pass through EVP_PKEY_CTX_new and any similar variant
+predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(AlgorithmPassthroughCall c | c.getInNode() = node1 and c.getOutNode() = node2)
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -0,0 +1,76 @@
+import cpp
+import experimental.quantum.Language
+import OpenSSLAlgorithmInstanceBase
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+import AlgToAVCFlow
+
+/**
+ * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
+ * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ */
+predicate knownOpenSSLConstantToBlockModeFamilyType(
+  KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
+) {
+  exists(string name |
+    name = e.getNormalizedName() and
+    (
+      name.matches("CBC") and type instanceof Crypto::CBC
+      or
+      name.matches("CFB%") and type instanceof Crypto::CFB
+      or
+      name.matches("CTR") and type instanceof Crypto::CTR
+      or
+      name.matches("GCM") and type instanceof Crypto::GCM
+      or
+      name.matches("OFB") and type instanceof Crypto::OFB
+      or
+      name.matches("XTS") and type instanceof Crypto::XTS
+      or
+      name.matches("CCM") and type instanceof Crypto::CCM
+      or
+      name.matches("GCM") and type instanceof Crypto::GCM
+      or
+      name.matches("CCM") and type instanceof Crypto::CCM
+      or
+      name.matches("ECB") and type instanceof Crypto::ECB
+    )
+  )
+}
+
+class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::ModeOfOperationAlgorithmInstance instanceof KnownOpenSSLBlockModeAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLBlockModeConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override Crypto::TBlockCipherModeOfOperationType getModeType() {
+    knownOpenSSLConstantToBlockModeFamilyType(this, result)
+    or
+    not knownOpenSSLConstantToBlockModeFamilyType(this, _) and result = Crypto::OtherMode()
+  }
+
+  // NOTE: I'm not going to attempt to parse out the mode specific part, so returning
+  // the same as the raw name for now.
+  override string getRawModeAlgorithmName() { result = this.(Literal).getValue().toString() }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -0,0 +1,126 @@
+import cpp
+import experimental.quantum.Language
+import KnownAlgorithmConstants
+import Crypto::KeyOpAlg as KeyOpAlg
+import OpenSSLAlgorithmInstanceBase
+import PaddingAlgorithmInstance
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import AlgToAVCFlow
+import BlockAlgorithmInstance
+
+/**
+ * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
+ * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ */
+predicate knownOpenSSLConstantToCipherFamilyType(
+  KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
+) {
+  exists(string name |
+    name = e.getNormalizedName() and
+    (
+      name.matches("AES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
+      or
+      name.matches("ARIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::ARIA())
+      or
+      name.matches("BLOWFISH%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
+      or
+      name.matches("BF%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
+      or
+      name.matches("CAMELLIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAMELLIA())
+      or
+      name.matches("CHACHA20%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CHACHA20())
+      or
+      name.matches("CAST5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAST5())
+      or
+      name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DoubleDES())
+      or
+      name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TripleDES())
+      or
+      name.matches("DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES())
+      or
+      name.matches("DESX%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DESX())
+      or
+      name.matches("GOST%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::GOST())
+      or
+      name.matches("IDEA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA())
+      or
+      name.matches("KUZNYECHIK%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::KUZNYECHIK())
+      or
+      name.matches("MAGMA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::MAGMA())
+      or
+      name.matches("RC2%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2())
+      or
+      name.matches("RC4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4())
+      or
+      name.matches("RC5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC5())
+      or
+      name.matches("RSA%") and type = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA())
+      or
+      name.matches("SEED%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SEED())
+      or
+      name.matches("SM4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SM4())
+    )
+  )
+}
+
+class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSSLCipherAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLCipherConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
+    // if there is a block mode associated with the same element, then that's the block mode
+    // note, if none are associated, we may need to parse if the cipher is a block cipher
+    // to determine if this is an unknown vs not relevant.
+    result = this
+  }
+
+  override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() {
+    //TODO: the padding is either self, or it flows through getter ctx to a set padding call
+    // like EVP_PKEY_CTX_set_rsa_padding
+    result = this
+    // TODO or trace through getter ctx to set padding
+  }
+
+  override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
+
+  override string getKeySizeFixed() {
+    exists(int keySize |
+      this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
+      result = keySize.toString()
+    )
+  }
+
+  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
+    knownOpenSSLConstantToCipherFamilyType(this, result)
+    or
+    not knownOpenSSLConstantToCipherFamilyType(this, _) and
+    result = Crypto::KeyOpAlg::TUnknownKeyOperationAlgorithmType()
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
+    // TODO: trace to any key size initializer, symmetric and asymmetric
+    none()
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -0,0 +1,83 @@
+import cpp
+import experimental.quantum.Language
+import KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import AlgToAVCFlow
+
+predicate knownOpenSSLConstantToHashFamilyType(
+  KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
+) {
+  exists(string name |
+    name = e.getNormalizedName() and
+    (
+      name.matches("BLAKE2B") and type instanceof Crypto::BLAKE2B
+      or
+      name.matches("BLAKE2S") and type instanceof Crypto::BLAKE2S
+      or
+      name.matches("GOST%") and type instanceof Crypto::GOSTHash
+      or
+      name.matches("MD2") and type instanceof Crypto::MD2
+      or
+      name.matches("MD4") and type instanceof Crypto::MD4
+      or
+      name.matches("MD5") and type instanceof Crypto::MD5
+      or
+      name.matches("MDC2") and type instanceof Crypto::MDC2
+      or
+      name.matches("POLY1305") and type instanceof Crypto::POLY1305
+      or
+      name.matches(["SHA", "SHA1"]) and type instanceof Crypto::SHA1
+      or
+      name.matches("SHA+%") and not name.matches(["SHA1", "SHA3-"]) and type instanceof Crypto::SHA2
+      or
+      name.matches("SHA3-%") and type instanceof Crypto::SHA3
+      or
+      name.matches(["SHAKE"]) and type instanceof Crypto::SHAKE
+      or
+      name.matches("SM3") and type instanceof Crypto::SM3
+      or
+      name.matches("RIPEMD160") and type instanceof Crypto::RIPEMD160
+      or
+      name.matches("WHIRLPOOL") and type instanceof Crypto::WHIRLPOOL
+    )
+  )
+}
+
+class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::HashAlgorithmInstance instanceof KnownOpenSSLHashAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLHashConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override Crypto::THashType getHashFamily() {
+    knownOpenSSLConstantToHashFamilyType(this, result)
+    or
+    not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
+  }
+
+  override string getRawHashAlgorithmName() { result = this.(Literal).getValue().toString() }
+
+  override int getFixedDigestLength() {
+    this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll

@@ -0,0 +1,6 @@
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+
+abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
+  abstract OpenSSLAlgorithmValueConsumer getAVC();
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll

@@ -0,0 +1,5 @@
+import OpenSSLAlgorithmInstanceBase
+import CipherAlgorithmInstance
+import PaddingAlgorithmInstance
+import BlockAlgorithmInstance
+import HashAlgorithmInstance

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -0,0 +1,167 @@
+import cpp
+import experimental.quantum.Language
+import OpenSSLAlgorithmInstanceBase
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import AlgToAVCFlow
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+
+/**
+ * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
+ * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ */
+predicate knownOpenSSLConstantToPaddingFamilyType(
+  KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type
+) {
+  exists(string name |
+    name = e.getNormalizedName() and
+    (
+      name.matches("OAEP") and type = Crypto::OAEP()
+      or
+      name.matches("PSS") and type = Crypto::PSS()
+      or
+      name.matches("PKCS7") and type = Crypto::PKCS7()
+      or
+      name.matches("PKCS1V15") and type = Crypto::PKCS1_v1_5()
+    )
+  )
+}
+
+//abstract class OpenSSLPaddingAlgorithmInstance extends OpenSSLAlgorithmInstance, Crypto::PaddingAlgorithmInstance{}
+// TODO: need to alter this to include known padding constants which don't have the
+// same mechanics as those with known nids
+class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::PaddingAlgorithmInstance instanceof Expr
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+  boolean isPaddingSpecificConsumer;
+
+  KnownOpenSSLPaddingConstantAlgorithmInstance() {
+    // three possibilities:
+    // 1) The source is a 'typical' literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // 3) the source is a padding-specific literal flowing to a padding-specific consumer
+    // Possibility 1:
+    this instanceof Literal and
+    this instanceof KnownOpenSSLPaddingAlgorithmConstant and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink) and
+      isPaddingSpecificConsumer = false
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and
+    getterCall = this and
+    this instanceof KnownOpenSSLPaddingAlgorithmConstant and
+    isPaddingSpecificConsumer = false
+    or
+    // Possibility 3:
+    // from rsa.h in openssl:
+    // # define RSA_PKCS1_PADDING          1
+    // # define RSA_NO_PADDING             3
+    // # define RSA_PKCS1_OAEP_PADDING     4
+    // # define RSA_X931_PADDING           5
+    // /* EVP_PKEY_ only */
+    // # define RSA_PKCS1_PSS_PADDING      6
+    // # define RSA_PKCS1_WITH_TLS_PADDING 7
+    // /* internal RSA_ only */
+    // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+    this instanceof Literal and
+    this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a padding-specific consumer
+      RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
+    ) and
+    isPaddingSpecificConsumer = true
+  }
+
+  override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override Crypto::TPaddingType getPaddingType() {
+    isPaddingSpecificConsumer = true and
+    (
+      if this.(Literal).getValue().toInt() in [1, 7, 8]
+      then result = Crypto::PKCS1_v1_5()
+      else
+        if this.(Literal).getValue().toInt() = 3
+        then result = Crypto::NoPadding()
+        else
+          if this.(Literal).getValue().toInt() = 4
+          then result = Crypto::OAEP()
+          else
+            if this.(Literal).getValue().toInt() = 5
+            then result = Crypto::ANSI_X9_23()
+            else
+              if this.(Literal).getValue().toInt() = 6
+              then result = Crypto::PSS()
+              else result = Crypto::OtherPadding()
+    )
+    or
+    isPaddingSpecificConsumer = false and
+    knownOpenSSLConstantToPaddingFamilyType(this, result)
+  }
+}
+
+// // Values used for EVP_PKEY_CTX_set_rsa_padding, these are
+// // not the same as 'typical' constants found in the set of known algorithm constants
+// // they do not have an NID
+// // TODO: what about setting the padding directly?
+// class KnownRSAPaddingConstant extends OpenSSLPaddingAlgorithmInstance, Crypto::PaddingAlgorithmInstance instanceof Literal
+// {
+//   KnownRSAPaddingConstant() {
+//     // from rsa.h in openssl:
+//     // # define RSA_PKCS1_PADDING          1
+//     // # define RSA_NO_PADDING             3
+//     // # define RSA_PKCS1_OAEP_PADDING     4
+//     // # define RSA_X931_PADDING           5
+//     // /* EVP_PKEY_ only */
+//     // # define RSA_PKCS1_PSS_PADDING      6
+//     // # define RSA_PKCS1_WITH_TLS_PADDING 7
+//     // /* internal RSA_ only */
+//     // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+//     this instanceof Literal and
+//     this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8]
+//     // TODO: trace to padding-specific consumers
+//     RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
+//   }
+//   override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
+//   override Crypto::TPaddingType getPaddingType() {
+//     if this.(Literal).getValue().toInt() in [1, 6, 7, 8]
+//     then result = Crypto::PKCS1_v1_5()
+//     else
+//       if this.(Literal).getValue().toInt() = 3
+//       then result = Crypto::NoPadding()
+//       else
+//         if this.(Literal).getValue().toInt() = 4
+//         then result = Crypto::OAEP()
+//         else
+//           if this.(Literal).getValue().toInt() = 5
+//           then result = Crypto::ANSI_X9_23()
+//           else result = Crypto::OtherPadding()
+//   }
+// }
+class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance,
+  KnownOpenSSLPaddingConstantAlgorithmInstance
+{
+  OAEPPaddingAlgorithmInstance() {
+    this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = Crypto::OAEP()
+  }
+
+  override Crypto::HashAlgorithmInstance getOAEPEncodingHashAlgorithm() {
+    none() //TODO
+  }
+
+  override Crypto::HashAlgorithmInstance getMGF1HashAlgorithm() {
+    none() //TODO
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll

@@ -0,0 +1,39 @@
+import cpp
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+import OpenSSLAlgorithmValueConsumerBase
+
+abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
+class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPCipherAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
+    (
+      this.(Call).getTarget().getName() in [
+          "EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in ["EVP_CIPHER_fetch", "EVP_ASYM_CIPHER_fetch"] and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  // override DataFlow::Node getInputNode() { result = valueArgNode }
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+    //TODO: As a potential alternative, for OpenSSL only, add a generic source node for literals and only create flow (flowsTo) to
+    // OpenSSL AVCs... the unknown literal sources would have to be any literals not in the known set.
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -0,0 +1,36 @@
+import cpp
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+
+// TODO: can self referential to itself, which is also an algorithm (Known algorithm)
+/**
+ * Cases like EVP_MD5(),
+ * there is no input, rather it directly gets an algorithm
+ * and returns it.
+ */
+class DirectAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer {
+  DataFlow::Node resultNode;
+  Expr resultExpr;
+
+  DirectAlgorithmValueConsumer() {
+    this instanceof KnownOpenSSLAlgorithmConstant and
+    this instanceof Call and
+    resultExpr = this and
+    resultNode.asExpr() = resultExpr
+  }
+
+  /**
+   * These cases take in no explicit value (the value is implicit)
+   */
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  //   override DataFlow::Node getOutputNode() { result = resultNode }
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    // Note: algorithm source definitions enforces that
+    // this class will be a known algorithm source
+    result = this
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll

@@ -0,0 +1,35 @@
+// import EVPHashInitializer
+// import EVPHashOperation
+// import EVPHashAlgorithmSource
+import cpp
+import experimental.quantum.Language
+import semmle.code.cpp.dataflow.new.DataFlow
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+import experimental.quantum.OpenSSL.LibraryDetector
+
+abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+/**
+ * EVP_Q_Digest directly consumes algorithm constant values
+ */
+class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
+  EVP_Q_Digest_Algorithm_Consumer() {
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
+    this.(Call).getTarget().getName() = "EVP_Q_digest"
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() {
+    result.asExpr() = this.(Call).getArgument(1)
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() {
+    // EVP_Q_Digest directly consumes the algorithm constant value and performs the operation, there is no
+    // algorithm result
+    none()
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll

@@ -0,0 +1,9 @@
+import experimental.quantum.Language
+import semmle.code.cpp.dataflow.new.DataFlow
+
+abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
+  /**
+   * Returns the node representing the resulting algorithm
+   */
+  abstract DataFlow::Node getResultNode();
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll

@@ -0,0 +1,5 @@
+import OpenSSLAlgorithmValueConsumerBase
+import CipherAlgorithmValueConsumer
+import DirectAlgorithmValueConsumer
+import PaddingAlgorithmValueConsumer
+import HashAlgorithmValueConsumer

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll

@@ -0,0 +1,36 @@
+import cpp
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+import OpenSSLAlgorithmValueConsumerBase
+
+abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+// https://docs.openssl.org/master/man7/EVP_ASYM_CIPHER-RSA/#rsa-asymmetric-cipher-parameters
+// TODO: need to handle setting padding through EVP_PKEY_CTX_set_params, where modes like "OSSL_PKEY_RSA_PAD_MODE_OAEP"
+// are set.
+class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
+    (
+      this.(Call).getTarget().getName() in ["EVP_PKEY_CTX_set_rsa_padding"] and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  // override DataFlow::Node getInputNode() { result = valueArgNode }
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+    //TODO: As a potential alternative, for OpenSSL only, add a generic source node for literals and only create flow (flowsTo) to
+    // OpenSSL AVCs... the unknown literal sources would have to be any literals not in the known set.
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll

@@ -0,0 +1,99 @@
+//TODO: model as data on open APIs should be able to get common flows, and obviate some of this
+// e.g., copy/dup calls, need to ingest those models for openSSL and refactor.
+/**
+ * In OpenSSL, flow between 'context' parameters is often used to
+ * store state/config of how an operation will eventually be performed.
+ * Tracing algorithms and configurations to operations therefore
+ * requires tracing context parameters for many OpenSSL apis.
+ *
+ * This library provides a dataflow analysis to track context parameters
+ * between any two functions accepting openssl context parameters.
+ * The dataflow takes into consideration flowing through duplication and copy calls
+ * as well as flow through flow killers (free/reset calls).
+ *
+ * TODO: we may need to revisit 'free' as a dataflow killer, depending on how
+ * we want to model use after frees.
+ *
+ * This library also provides classes to represent context Types and relevant
+ * arguments/expressions.
+ */
+
+import semmle.code.cpp.dataflow.new.DataFlow
+
+class CTXType extends Type {
+  CTXType() {
+    // TODO: should we limit this to an openssl path?
+    this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
+  }
+}
+
+class CTXPointerExpr extends Expr {
+  CTXPointerExpr() {
+    this.getType() instanceof CTXType and
+    this.getType() instanceof PointerType
+  }
+}
+
+class CTXPointerArgument extends CTXPointerExpr {
+  CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) }
+
+  Call getCall() { result.getAnArgument() = this }
+}
+
+class CTXClearCall extends Call {
+  CTXClearCall() {
+    this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and
+    this.getAnArgument() instanceof CTXPointerArgument
+  }
+}
+
+class CTXCopyOutArgCall extends Call {
+  CTXCopyOutArgCall() {
+    this.getTarget().getName().toLowerCase().matches(["%copy%"]) and
+    this.getAnArgument() instanceof CTXPointerArgument
+  }
+}
+
+class CTXCopyReturnCall extends Call {
+  CTXCopyReturnCall() {
+    this.getTarget().getName().toLowerCase().matches(["%dup%"]) and
+    this.getAnArgument() instanceof CTXPointerArgument and
+    this instanceof CTXPointerExpr
+  }
+}
+
+module OpenSSLCTXArgumentFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CTXPointerArgument }
+
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CTXPointerArgument }
+
+  predicate isBarrier(DataFlow::Node node) {
+    exists(CTXClearCall c | c.getAnArgument() = node.asExpr())
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(CTXCopyOutArgCall c |
+      c.getAnArgument() = node1.asExpr() and
+      c.getAnArgument() = node2.asExpr() and
+      node1.asExpr() != node2.asExpr() and
+      node2.asExpr().getType() instanceof CTXType
+    )
+    or
+    exists(CTXCopyReturnCall c |
+      c.getAnArgument() = node1.asExpr() and
+      c = node2.asExpr() and
+      node1.asExpr() != node2.asExpr() and
+      node2.asExpr().getType() instanceof CTXType
+    )
+  }
+}
+
+module OpenSSLCTXArgumentFlow = DataFlow::Global<OpenSSLCTXArgumentFlowConfig>;
+
+predicate ctxArgFlowsToCtxArg(CTXPointerArgument source, CTXPointerArgument sink) {
+  exists(DataFlow::Node a, DataFlow::Node b |
+    OpenSSLCTXArgumentFlow::flow(a, b) and
+    a.asExpr() = source and
+    b.asExpr() = sink
+  )
+}

cpp/ql/lib/experimental/quantum/OpenSSL/LibraryDetector.qll

@@ -0,0 +1,7 @@
+import cpp
+
+predicate isPossibleOpenSSLFunction(Function f) {
+  isPossibleOpenSSLLocation(f.getADeclarationLocation())
+}
+
+predicate isPossibleOpenSSLLocation(Location l) { l.toString().toLowerCase().matches("%openssl%") }

cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll

@@ -0,0 +1,9 @@
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+module OpenSSLModel {
+  import experimental.quantum.Language
+  import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+  import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+  import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll

@@ -0,0 +1,123 @@
+/**
+ * see: https://docs.openssl.org/master/man3/EVP_EncryptInit/
+ * Models cipher initialization for EVP cipher operations.
+ */
+
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+
+module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(EVP_Cipher_Initializer initCall | sink.asExpr() = initCall.getOperationSubtypeArg())
+  }
+}
+
+module EncValToInitEncArgFlow = DataFlow::Global<EncValToInitEncArgConfig>;
+
+int getEncConfigValue(Expr e) {
+  exists(EVP_Cipher_Initializer initCall | e = initCall.getOperationSubtypeArg()) and
+  exists(DataFlow::Node a, DataFlow::Node b |
+    EncValToInitEncArgFlow::flow(a, b) and b.asExpr() = e and result = a.asExpr().getValue().toInt()
+  )
+}
+
+bindingset[i]
+Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {
+  if i = 0
+  then result instanceof Crypto::TEncryptMode
+  else
+    if i = 1
+    then result instanceof Crypto::TDecryptMode
+    else result instanceof Crypto::TUnknownKeyOperationMode
+}
+
+// TODO: need to add key consumer
+abstract class EVP_Cipher_Initializer extends Call {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
+
+  abstract Expr getKeyArg();
+
+  abstract Expr getIVArg();
+
+  //   abstract Crypto::CipherOperationSubtype getCipherOperationSubtype();
+  abstract Expr getOperationSubtypeArg();
+
+  Crypto::KeyOperationSubtype getCipherOperationSubtype() {
+    if this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
+    then result instanceof Crypto::TEncryptMode
+    else
+      if this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
+      then result instanceof Crypto::TDecryptMode
+      else
+        if exists(getEncConfigValue(this.getOperationSubtypeArg()))
+        then result = intToCipherOperationSubtype(getEncConfigValue(this.getOperationSubtypeArg()))
+        else result instanceof Crypto::TUnknownKeyOperationMode
+  }
+}
+
+abstract class EVP_EX_Initializer extends EVP_Cipher_Initializer {
+  override Expr getKeyArg() { result = this.(Call).getArgument(3) }
+
+  override Expr getIVArg() { result = this.(Call).getArgument(4) }
+}
+
+abstract class EVP_EX2_Initializer extends EVP_Cipher_Initializer {
+  override Expr getKeyArg() { result = this.(Call).getArgument(2) }
+
+  override Expr getIVArg() { result = this.(Call).getArgument(3) }
+}
+
+class EVP_Cipher_EX_Init_Call extends EVP_EX_Initializer {
+  EVP_Cipher_EX_Init_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_EncryptInit_ex", "EVP_DecryptInit_ex", "EVP_CipherInit_ex"
+      ]
+  }
+
+  override Expr getOperationSubtypeArg() {
+    this.(Call).getTarget().getName().toLowerCase().matches("%cipherinit%") and
+    result = this.(Call).getArgument(5)
+  }
+}
+
+class EVP_Cipher_EX2_or_Simple_Init_Call extends EVP_EX2_Initializer {
+  EVP_Cipher_EX2_or_Simple_Init_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_EncryptInit_ex2", "EVP_DecryptInit_ex2", "EVP_CipherInit_ex2", "EVP_EncryptInit",
+        "EVP_DecryptInit", "EVP_CipherInit"
+      ]
+  }
+
+  override Expr getOperationSubtypeArg() {
+    this.(Call).getTarget().getName().toLowerCase().matches("%cipherinit%") and
+    result = this.(Call).getArgument(4)
+  }
+}
+
+class EVP_CipherInit_SKEY_Call extends EVP_EX2_Initializer {
+  EVP_CipherInit_SKEY_Call() { this.(Call).getTarget().getName() in ["EVP_CipherInit_SKEY"] }
+
+  override Expr getOperationSubtypeArg() { result = this.(Call).getArgument(5) }
+}
+
+class EVPCipherInitializerAlgorithmArgument extends Expr {
+  EVPCipherInitializerAlgorithmArgument() {
+    exists(EVP_Cipher_Initializer initCall | this = initCall.getAlgorithmArg())
+  }
+}
+
+class EVPCipherInitializerKeyArgument extends Expr {
+  EVPCipherInitializerKeyArgument() {
+    exists(EVP_Cipher_Initializer initCall | this = initCall.getKeyArg())
+  }
+}
+
+class EVPCipherInitializerIVArgument extends Expr {
+  EVPCipherInitializerIVArgument() {
+    exists(EVP_Cipher_Initializer initCall | this = initCall.getIVArg())
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll

@@ -0,0 +1,116 @@
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+import EVPCipherInitializer
+import OpenSSLOperationBase
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+
+private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(EVP_Cipher_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+  }
+}
+
+private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
+
+// import experimental.quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
+// import OpenSSLOperation
+// class EVPCipherOutput extends CipherOutputArtifact {
+//   EVPCipherOutput() { exists(EVP_Cipher_Operation op | op.getOutputArg() = this) }
+//   override DataFlow::Node getOutputNode() { result.asDefiningArgument() = this }
+// }
+//
+/**
+ * see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
+ * Base configuration for all EVP cipher operations.
+ * NOTE: cannot extend instance of OpenSSLOperation, as we need to override
+ * elements of OpenSSLOperation (i.e., we are creating an instance)
+ */
+abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  override Expr getOutputArg() { result = this.(Call).getArgument(1) }
+
+  override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
+    result instanceof Crypto::TEncryptMode and
+    this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
+    or
+    result instanceof Crypto::TDecryptMode and
+    this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
+    or
+    result = this.getInitCall().getCipherOperationSubtype() and
+    this.(Call).getTarget().getName().toLowerCase().matches("%cipher%")
+  }
+
+  EVP_Cipher_Initializer getInitCall() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getNonceConsumer() {
+    this.getInitCall().getIVArg() = result.asExpr()
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+
+  override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
+    this.getInitCall().getKeyArg() = result.asExpr()
+  }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
+  }
+}
+
+// abstract class EVP_Update_Call extends EVP_Cipher_Operation { }
+abstract class EVP_Final_Call extends EVP_Cipher_Operation {
+  override Expr getInputArg() { none() }
+}
+
+// TODO: only model Final (model final as operation and model update but not as an operation)
+// Updates are multiple input consumers (most important)
+// TODO: assuming update doesn't ouput, otherwise it outputs artifacts, but is not an operation
+class EVP_Cipher_Call extends EVP_Cipher_Operation {
+  EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
+
+  override Expr getInputArg() { result = this.(Call).getArgument(2) }
+}
+
+// ******* TODO: model UPDATE but not as the core operation, rather a step towards final
+// see the JCA
+// class EVP_Encrypt_Decrypt_or_Cipher_Update_Call extends EVP_Update_Call {
+//   EVP_Encrypt_Decrypt_or_Cipher_Update_Call() {
+//     this.(Call).getTarget().getName() in [
+//         "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
+//       ]
+//   }
+//   override Expr getInputArg() { result = this.(Call).getArgument(3) }
+// }
+class EVP_Encrypt_Decrypt_or_Cipher_Final_Call extends EVP_Final_Call {
+  EVP_Encrypt_Decrypt_or_Cipher_Final_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
+        "EVP_DecryptFinal", "EVP_CipherFinal"
+      ]
+  }
+}
+
+class EVP_PKEY_Operation extends EVP_Cipher_Operation {
+  EVP_PKEY_Operation() {
+    this.(Call).getTarget().getName() in ["EVP_PKEY_decrypt", "EVP_PKEY_encrypt"]
+  }
+
+  override Expr getInputArg() { result = this.(Call).getArgument(3) }
+  // TODO: how PKEY is initialized is different that symmetric cipher
+  // Consider making an entirely new class for this and specializing
+  // the get init call
+}
+
+class EVPCipherInputArgument extends Expr {
+  EVPCipherInputArgument() { exists(EVP_Cipher_Operation op | op.getInputArg() = this) }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashInitializer.qll

@@ -0,0 +1,17 @@
+import cpp
+
+abstract class EVP_Hash_Initializer extends Call {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  abstract Expr getAlgorithmArg();
+}
+
+class EVP_DigestInit_Variant_Calls extends EVP_Hash_Initializer {
+  EVP_DigestInit_Variant_Calls() {
+    this.(Call).getTarget().getName() in [
+        "EVP_DigestInit", "EVP_DigestInit_ex", "EVP_DigestInit_ex2"
+      ]
+  }
+
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll

@@ -0,0 +1,117 @@
+/**
+ * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
+ */
+
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+import experimental.quantum.OpenSSL.LibraryDetector
+import OpenSSLOperationBase
+import EVPHashInitializer
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+
+// import EVPHashConsumers
+abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  EVP_Hash_Initializer getInitCall() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+}
+
+private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(EVP_Hash_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+  }
+}
+
+private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
+
+//https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
+class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
+  EVP_Q_Digest_Operation() {
+    this.(Call).getTarget().getName() = "EVP_Q_digest" and
+    isPossibleOpenSSLFunction(this.(Call).getTarget())
+  }
+
+  //override Crypto::AlgorithmConsumer getAlgorithmConsumer() {  }
+  override EVP_Hash_Initializer getInitCall() {
+    // This variant of digest does not use an init
+    // and even if it were used, the init would be ignored/undefined
+    none()
+  }
+
+  override Expr getOutputArg() { result = this.(Call).getArgument(5) }
+
+  override Expr getInputArg() { result = this.(Call).getArgument(3) }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    // The operation is a direct algorithm consumer
+    // NOTE: the operation itself is already modeld as a value consumer, so we can
+    // simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
+    this = result
+  }
+}
+
+class EVP_Digest_Operation extends EVP_Hash_Operation {
+  EVP_Digest_Operation() {
+    this.(Call).getTarget().getName() = "EVP_Digest" and
+    isPossibleOpenSSLFunction(this.(Call).getTarget())
+  }
+
+  // There is no context argument for this function
+  override Expr getContextArg() { none() }
+
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.(Call).getArgument(4)))
+  }
+
+  override EVP_Hash_Initializer getInitCall() {
+    // This variant of digest does not use an init
+    // and even if it were used, the init would be ignored/undefined
+    none()
+  }
+
+  override Expr getOutputArg() { result = this.(Call).getArgument(2) }
+
+  override Expr getInputArg() { result = this.(Call).getArgument(0) }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+}
+// // override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+// //   AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+// //     DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
+// // }
+// // ***** TODO *** complete modelinlg for hash operations, but have consideration for terminal and non-terminal (non intermedaite) steps
+// // see the JCA. May need to update the cipher operations similarly
+// // ALSO SEE cipher for how we currently model initialization of the algorithm through an init call
+// class EVP_DigestUpdate_Operation extends EVP_Hash_Operation {
+//   EVP_DigestUpdate_Operation() {
+//     this.(Call).getTarget().getName() = "EVP_DigestUpdate" and
+//     isPossibleOpenSSLFunction(this.(Call).getTarget())
+//   }
+//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
+//     this.getInitCall().getAlgorithmArg() = result
+//   }
+// }
+// class EVP_DigestFinal_Variants_Operation extends EVP_Hash_Operation {
+//   EVP_DigestFinal_Variants_Operation() {
+//     this.(Call).getTarget().getName() in [
+//         "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
+//       ] and
+//     isPossibleOpenSSLFunction(this.(Call).getTarget())
+//   }
+//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
+//     this.getInitCall().getAlgorithmArg() = result
+//   }
+// }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -0,0 +1,21 @@
+import experimental.quantum.Language
+
+abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
+  abstract Expr getInputArg();
+
+  /**
+   * Can be an argument of a call or a return value of a function.
+   */
+  abstract Expr getOutputArg();
+
+  DataFlow::Node getInputNode() {
+    // Assumed to be default to asExpr
+    result.asExpr() = this.getInputArg()
+  }
+
+  DataFlow::Node getOutputNode() {
+    if exists(Call c | c.getAnArgument() = this)
+    then result.asDefiningArgument() = this
+    else result.asExpr() = this
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll

@@ -0,0 +1,3 @@
+import OpenSSLOperationBase
+import EVPCipherOperation
+import EVPHashOperation

cpp/ql/lib/experimental/quantum/OpenSSL/Random.qll

@@ -0,0 +1,18 @@
+import cpp
+private import experimental.quantum.Language
+private import LibraryDetector
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+class OpenSSLRandomNumberGeneratorInstance extends Crypto::RandomNumberGenerationInstance instanceof Call
+{
+  OpenSSLRandomNumberGeneratorInstance() {
+    this.(Call).getTarget().getName() in ["RAND_bytes", "RAND_pseudo_bytes"] and
+    isPossibleOpenSSLFunction(this.(Call).getTarget())
+  }
+
+  override Crypto::DataFlowNode getOutputNode() {
+    result.asDefiningArgument() = this.(Call).getArgument(0)
+  }
+
+  override string getGeneratorName() { result = this.(Call).getTarget().getName() }
+}

cpp/ql/lib/ext/generated/empty.model.yml

@@ -0,0 +1,5 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: []

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.2.1-dev
+version: 4.3.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -8,6 +8,7 @@ upgrades: upgrades
 dependencies:
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
+  codeql/quantum: ${workspace}
   codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/typeflow: ${workspace}
@@ -16,6 +17,7 @@ dependencies:
   codeql/xml: ${workspace}
 dataExtensions:
   - ext/*.model.yml
+  - ext/generated/*.model.yml
   - ext/deallocation/*.model.yml
   - ext/allocation/*.model.yml
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/Print.qll

@@ -176,6 +176,30 @@ private class DecltypeDumpType extends DumpType, Decltype {
   }
 }
 
+private class TypeofDumpType extends DumpType, TypeofType {
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
+
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
+
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
+}
+
+private class IntrinsicTransformedDumpType extends DumpType, IntrinsicTransformedType {
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
+
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
+
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
+}
+
 private class PointerIshDumpType extends DerivedDumpType {
   PointerIshDumpType() {
     this instanceof PointerType or

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -92,8 +92,9 @@ class Type extends Locatable, @type {
   /**
    * Gets this type after typedefs have been resolved.
    *
-   * The result of this predicate will be the type itself, except in the case of a TypedefType or a Decltype,
-   * in which case the result will be type which results from (possibly recursively) resolving typedefs.
+   * The result of this predicate will be the type itself, except in the case of a TypedefType, a Decltype,
+   * or a TypeofType, in which case the result will be type which results from (possibly recursively)
+   * resolving typedefs.
    */
   pragma[nomagic]
   Type getUnderlyingType() { result = this }
@@ -1117,18 +1118,20 @@ class DerivedType extends Type, @derivedtype {
  * decltype(a) b;
  * ```
  */
-class Decltype extends Type, @decltype {
+class Decltype extends Type {
+  Decltype() { decltypes(underlyingElement(this), _, 0, _, _) }
+
   override string getAPrimaryQlClass() { result = "Decltype" }
 
   /**
-   * The expression whose type is being obtained by this decltype.
+   * Gets the expression whose type is being obtained by this decltype.
    */
-  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _) }
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
 
   /**
-   * The type immediately yielded by this decltype.
+   * Gets the type immediately yielded by this decltype.
    */
-  Type getBaseType() { decltypes(underlyingElement(this), _, unresolveElement(result), _) }
+  Type getBaseType() { decltypes(underlyingElement(this), _, _, unresolveElement(result), _) }
 
   /**
    * Whether an extra pair of parentheses around the expression would change the semantics of this decltype.
@@ -1142,7 +1145,7 @@ class Decltype extends Type, @decltype {
    * ```
    * Please consult the C++11 standard for more details.
    */
-  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, true) }
+  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, _, true) }
 
   override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
 
@@ -1183,6 +1186,215 @@ class Decltype extends Type, @decltype {
   }
 }
 
+/**
+ * An instance of the C23 `typeof` or `typeof_unqual` operator. For example:
+ * ```
+ * int a;
+ * typeof(a) b;
+ * typeof_unqual(const int) b;
+ * ```
+ */
+class TypeofType extends Type {
+  TypeofType() {
+    decltypes(underlyingElement(this), _, 1, _, _) or
+    type_operators(underlyingElement(this), _, 0, _)
+  }
+
+  /**
+   * Gets the type immediately yielded by this typeof.
+   */
+  Type getBaseType() {
+    decltypes(underlyingElement(this), _, _, unresolveElement(result), _)
+    or
+    type_operators(underlyingElement(this), _, _, unresolveElement(result))
+  }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override string toString() { result = "typeof(...)" }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result = "typeof resulting in {" + this.getBaseType().explain() + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
+/**
+ * An instance of the C23 `typeof` or `typeof_unqual` operator taking an expression
+ * as its argument. For example:
+ * ```
+ * int a;
+ * typeof(a) b;
+ * ```
+ */
+class TypeofExprType extends TypeofType {
+  TypeofExprType() { decltypes(underlyingElement(this), _, 1, _, _) }
+
+  override string getAPrimaryQlClass() { result = "TypeofExprType" }
+
+  /**
+   * Gets the expression whose type is being obtained by this typeof.
+   */
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  override Location getLocation() { result = this.getExpr().getLocation() }
+}
+
+/**
+ * A type obtained by C23 `typeof` or `typeof_unqual` operator taking a type as its
+ * argument. For example:
+ * ```
+ * typeof_unqual(const int) b;
+ * ```
+ */
+class TypeofTypeType extends TypeofType {
+  TypeofTypeType() { type_operators(underlyingElement(this), _, 0, _) }
+
+  /**
+   * Gets the expression whose type is being obtained by this typeof.
+   */
+  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
+
+  override string getAPrimaryQlClass() { result = "TypeofTypeType" }
+
+  override string toString() { result = "typeof(...)" }
+}
+
+/**
+ * A type obtained by applying a type transforming intrinsic. For example:
+ * ```
+ * __make_unsigned(int) x;
+ * ```
+ */
+class IntrinsicTransformedType extends Type {
+  int intrinsic;
+
+  IntrinsicTransformedType() {
+    type_operators(underlyingElement(this), _, intrinsic, _) and
+    intrinsic in [1 .. 19]
+  }
+
+  override string getAPrimaryQlClass() { result = "IntrinsicTransformedType" }
+
+  override string toString() { result = this.getIntrinsicName() + "(...)" }
+
+  /**
+   * Gets the type immediately yielded by this transformation.
+   */
+  Type getBaseType() { type_operators(underlyingElement(this), _, _, unresolveElement(result)) }
+
+  /**
+   * Gets the type that is transformed.
+   */
+  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
+
+  /**
+   * Gets the name of the intrinsic used to transform the type.
+   */
+  string getIntrinsicName() {
+    intrinsic = 1 and result = "__underlying_type"
+    or
+    intrinsic = 2 and result = "__bases"
+    or
+    intrinsic = 3 and result = "__direct_bases"
+    or
+    intrinsic = 4 and result = "__add_lvalue_reference"
+    or
+    intrinsic = 5 and result = "__add_pointer"
+    or
+    intrinsic = 6 and result = "__add_rvalue_reference"
+    or
+    intrinsic = 7 and result = "__decay"
+    or
+    intrinsic = 8 and result = "__make_signed"
+    or
+    intrinsic = 9 and result = "__make_unsigned"
+    or
+    intrinsic = 10 and result = "__remove_all_extents"
+    or
+    intrinsic = 11 and result = "__remove_const"
+    or
+    intrinsic = 12 and result = "__remove_cv"
+    or
+    intrinsic = 13 and result = "__remove_cvref"
+    or
+    intrinsic = 14 and result = "__remove_extent"
+    or
+    intrinsic = 15 and result = "__remove_pointer"
+    or
+    intrinsic = 16 and result = "__remove_reference_t"
+    or
+    intrinsic = 17 and result = "__remove_restrict"
+    or
+    intrinsic = 18 and result = "__remove_volatile"
+    or
+    intrinsic = 19 and result = "__remove_reference"
+  }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result =
+      "application of " + this.getIntrinsicName() + " resulting in {" + this.getBaseType().explain()
+        + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
 /**
  * A C/C++ pointer type. See 4.9.1.
  * ```

cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll

@@ -310,6 +310,8 @@ class Expr extends StmtParent, @expr {
     or
     exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
     or
+    exists(TypeofExprType t | t.getExpr() = this.getParentWithConversions*())
+    or
     exists(ConstexprIfStmt constIf |
       constIf.getControllingExpr() = this.getParentWithConversions*()
     )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll

@@ -31,4 +31,6 @@ module CppDataFlow implements InputSig<Location> {
   predicate viableImplInCallContext = Private::viableImplInCallContext/2;
 
   predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
+
+  int defaultFieldFlowBranchLimit() { result = 3 }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1567,7 +1567,7 @@ private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, Parame
         |
           exists(Ssa::UseImpl use | use.hasIndexInBlock(useblock, _, sv))
           or
-          exists(Ssa::DefImpl def | def.hasIndexInBlock(useblock, _, sv))
+          exists(Ssa::DefImpl def | def.hasIndexInBlock(sv, useblock, _))
         )
       )
   )
@@ -1652,8 +1652,6 @@ predicate validParameterAliasStep(Node node1, Node node2) {
   )
 }
 
-private predicate isTopLevel(Cpp::Stmt s) { any(Function f).getBlock().getAStmt() = s }
-
 private Cpp::Stmt getAChainedBranch(Cpp::IfStmt s) {
   result = s.getThen()
   or
@@ -1684,11 +1682,9 @@ private Instruction getAnInstruction(Node n) {
 }
 
 private newtype TDataFlowSecondLevelScope =
-  TTopLevelIfBranch(Cpp::Stmt s) {
-    exists(Cpp::IfStmt ifstmt | s = getAChainedBranch(ifstmt) and isTopLevel(ifstmt))
-  } or
+  TTopLevelIfBranch(Cpp::Stmt s) { s = getAChainedBranch(_) } or
   TTopLevelSwitchCase(Cpp::SwitchCase s) {
-    exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase() and isTopLevel(switchstmt))
+    exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase())
   }
 
 /**
@@ -1818,7 +1814,7 @@ module IteratorFlow {
      */
     private predicate isIteratorWrite(Instruction write, Operand address) {
       exists(Ssa::DefImpl writeDef, IRBlock bb, int i |
-        writeDef.hasIndexInBlock(bb, i, _) and
+        writeDef.hasIndexInBlock(_, bb, i) and
         bb.getInstruction(i) = write and
         address = writeDef.getAddressOperand()
       )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -191,7 +191,7 @@ abstract class DefImpl extends TDefImpl {
    * Holds if this definition (or use) has index `index` in block `block`,
    * and is a definition (or use) of the variable `sv`
    */
-  final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
+  final predicate hasIndexInBlock(SourceVariable sv, IRBlock block, int index) {
     this.hasIndexInBlock(block, index) and
     sv = this.getSourceVariable()
   }
@@ -891,12 +891,12 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
   predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
     DataFlowImplCommon::forceCachingInSameStage() and
     (
-      exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
+      exists(DefImpl def | def.hasIndexInBlock(v, bb, i) |
         if def.isCertain() then certain = true else certain = false
       )
       or
       exists(GlobalDefImpl global |
-        global.hasIndexInBlock(bb, i, v) and
+        global.hasIndexInBlock(v, bb, i) and
         certain = true
       )
     )
@@ -934,10 +934,11 @@ module SsaCached {
 }
 
 /** Gets the `DefImpl` corresponding to `def`. */
+pragma[nomagic]
 private DefImpl getDefImpl(SsaImpl::Definition def) {
   exists(SourceVariable sv, IRBlock bb, int i |
     def.definesAt(sv, bb, i) and
-    result.hasIndexInBlock(bb, i, sv)
+    result.hasIndexInBlock(sv, bb, i)
   )
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll

@@ -58,4 +58,12 @@ class IRFunction extends IRFunctionBase {
    * Gets all blocks in this function.
    */
   final IRBlock getABlock() { result.getEnclosingIRFunction() = this }
+
+  /**
+   * Holds if this function may have incomplete def-use information.
+   *
+   * Def-use information may be omitted for a function when it is too expensive
+   * to compute.
+   */
+  final predicate hasIncompleteSsa() { Construction::hasIncompleteSsa(this) }
 }