Revert "C#: Extract relational patterns"

.codeqlmanifest.json

@@ -1,6 +1,5 @@
 { "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
-               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",

.github/workflows/check-change-note.yml

@@ -1,23 +0,0 @@
-name: Check change note
-
-on:
-  pull_request_target:
-    types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
-    paths:
-      - "*/ql/src/**/*.ql"
-      - "*/ql/src/**/*.qll"
-      - "!**/experimental/**"
-
-jobs:
-  check-change-note:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
-        if: |
-          github.event.pull_request.draft == false &&
-          !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
-          grep true -c

.github/workflows/close-stale.yml

@@ -1,30 +0,0 @@
-name: Mark stale issues
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "30 1 * * *"
-
-jobs:
-  stale:
-    if: github.repository == 'github/codeql'
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/stale@v3
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
-        close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
-        days-before-stale: 14
-        days-before-close: 7
-        only-labels: awaiting-response
-
-        # do not mark PRs as stale
-        days-before-pr-stale: -1
-        days-before-pr-close: -1
-
-        # Uncomment for dry-run
-        # debug-only: true
-        # operations-per-run: 1000

.github/workflows/codeql-analysis.yml

@@ -2,15 +2,7 @@ name: "Code scanning - action"
 
 on:
   push:
-    branches:
-      - main
-      - 'rc/*'
   pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - 'csharp/**'
   schedule:
     - cron: '0 9 * * 1'
 
@@ -19,18 +11,22 @@ jobs:
 
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: read
-
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
 
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+      
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
+      uses: github/codeql-action/init@v1
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: csharp
@@ -39,7 +35,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@main
+      uses: github/codeql-action/autobuild@v1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -53,4 +49,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main
+      uses: github/codeql-action/analyze@v1

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -1,97 +0,0 @@
-name: Check framework coverage changes
-
-on:
-  pull_request:
-    paths:
-      - '.github/workflows/csv-coverage-pr-comment.yml'
-      - '*/ql/src/**/*.ql'
-      - '*/ql/src/**/*.qll'
-      - 'misc/scripts/library-coverage/*.py'
-      # input data files
-      - '*/documentation/library-coverage/cwe-sink.csv'
-      - '*/documentation/library-coverage/frameworks.csv'
-    branches:
-      - main
-      - 'rc/*'
-
-jobs:
-  generate:
-    name: Generate framework coverage artifacts
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
-      run: echo "$GITHUB_CONTEXT"
-    - name: Clone self (github/codeql) - MERGE
-      uses: actions/checkout@v2
-      with:
-        path: merge
-    - name: Clone self (github/codeql) - BASE
-      uses: actions/checkout@v2
-      with:
-        fetch-depth: 2
-        path: base
-    - run: |
-        git checkout HEAD^1
-        git log -1 --format='%H'
-      working-directory: base
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Generate CSV files on merge commit of the PR
-      run: |
-        echo "Running generator on merge"
-        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
-        mkdir out_merge
-        cp framework-coverage-*.csv out_merge/
-        cp framework-coverage-*.rst out_merge/
-    - name: Generate CSV files on base commit of the PR
-      run: |
-        echo "Running generator on base"
-        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
-        mkdir out_base
-        cp framework-coverage-*.csv out_base/
-        cp framework-coverage-*.rst out_base/
-    - name: Generate diff of coverage reports
-      run: |
-        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
-    - name: Upload CSV package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: csv-framework-coverage-merge
-        path: |
-          out_merge/framework-coverage-*.csv
-          out_merge/framework-coverage-*.rst
-    - name: Upload CSV package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: csv-framework-coverage-base
-        path: |
-          out_base/framework-coverage-*.csv
-          out_base/framework-coverage-*.rst
-    - name: Upload comparison results
-      uses: actions/upload-artifact@v2
-      with:
-        name: comparison
-        path: |
-          comparison.md
-    - name: Save PR number
-      run: |
-        mkdir -p pr
-        echo ${{ github.event.pull_request.number }} > pr/NR
-    - name: Upload PR number
-      uses: actions/upload-artifact@v2
-      with:
-        name: pr
-        path: pr/

.github/workflows/csv-coverage-pr-comment.yml

@@ -1,34 +0,0 @@
-name: Comment on PR with framework coverage changes
-
-on:
-  workflow_run:
-    workflows: ["Check framework coverage changes"]
-    types:
-      - completed
-
-jobs:
-  check:
-    name: Check framework coverage differences and comment
-    runs-on: ubuntu-latest
-    if: >
-      ${{ github.event.workflow_run.event == 'pull_request' &&
-      github.event.workflow_run.conclusion == 'success' }}
-
-    steps:
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
-      run: echo "$GITHUB_CONTEXT"
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-
-    - name: Check coverage difference file and comment
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        RUN_ID: ${{ github.event.workflow_run.id }}
-      run: |
-        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"

.github/workflows/csv-coverage-timeseries.yml

@@ -1,42 +0,0 @@
-name: Build framework coverage timeseries reports
-
-on:
-  workflow_dispatch:
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: script
-    - name: Clone self (github/codeql) for analysis
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        fetch-depth: 0
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Build modeled package list
-      run: |
-        CLI=$(realpath "codeql-cli/codeql")
-        echo $CLI
-        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
-    - name: Upload timeseries CSV
-      uses: actions/upload-artifact@v2
-      with:
-        name: framework-coverage-timeseries
-        path: framework-coverage-timeseries-*.csv
-

.github/workflows/csv-coverage-update.yml

@@ -1,44 +0,0 @@
-name: Update framework coverage reports
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *"
-
-jobs:
-  update:
-    name: Update framework coverage report
-    if: github.event.repository.fork == false
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
-      run: echo "$GITHUB_CONTEXT"
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: ql
-        fetch-depth: 0
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-
-    - name: Generate coverage files
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
-
-    - name: Create pull request with changes
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"

.github/workflows/csv-coverage.yml

@@ -1,49 +0,0 @@
-name: Build framework coverage reports
-
-on:
-  workflow_dispatch:
-    inputs:
-      qlModelShaOverride:
-        description: 'github/codeql repo SHA used for looking up the CSV models'
-        required: false
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: script
-    - name: Clone self (github/codeql) for analysis
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Build modeled package list
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
-    - name: Upload CSV package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: framework-coverage-csv
-        path: framework-coverage-*.csv
-    - name: Upload RST package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: framework-coverage-rst
-        path: framework-coverage-*.rst
-

.gitignore

@@ -17,9 +17,6 @@
 # Byte-compiled python files
 *.pyc
 
-# python virtual environment folder 
-.venv/
-
 # It's useful (though not required) to be able to unpack codeql in the ql checkout itself
 /codeql/
 

.vscode/settings.json

@@ -1,3 +1,3 @@
 {
     "omnisharp.autoStart": false
-}
+}

CODEOWNERS

@@ -4,16 +4,17 @@
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
 
-# Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
-/cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
-/csharp/**/experimental/**/* @github/codeql-csharp @xcorail
-/java/**/experimental/**/* @github/codeql-java @xcorail
-/javascript/**/experimental/**/* @github/codeql-javascript @xcorail
-/python/**/experimental/**/* @github/codeql-python @xcorail
+# Assign query help for docs review
+/cpp/**/*.qhelp @hubwriter
+/csharp/**/*.qhelp @jf205
+/java/**/*.qhelp @felicitymay
+/javascript/**/*.qhelp @mchammer01
+/python/**/*.qhelp @felicitymay
+/docs/language/ @shati-patel @jf205
 
-# Notify members of codeql-go about PRs to the shared data-flow library files
-/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+# Exclude help for experimental queries from docs review
+/cpp/**/experimental/**/*.qhelp @github/codeql-c-analysis
+/csharp/**/experimental/**/*.qhelp @github/codeql-csharp
+/java/**/experimental/**/*.qhelp @github/codeql-java
+/javascript/**/experimental/**/*.qhelp @github/codeql-javascript
+/python/**/experimental/**/*.qhelp @github/codeql-python

CONTRIBUTING.md

@@ -38,8 +38,6 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html).
 
-    If you prefer, you can use this [pre-commit hook](misc/scripts/pre-commit) that automatically checks whether your files are correctly formatted. See the [pre-commit hook installation guide](docs/pre-commit-hook-setup.md) for instructions on how to install the hook.
-
 4. **Compilation**
 
     - Compilation of the query and any associated libraries and tests must be resilient to future development of the [supported](docs/supported-queries.md) libraries. This means that the functionality cannot use internal libraries, cannot depend on the output of `getAQlClass`, and cannot make use of regexp matching on `toString`.
@@ -49,11 +47,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
     - The query must have at least one true positive result on some revision of a real project.
 
-6. **Query help files and unit tests**
-
-	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories. For more information about contributing query help files and unit tests, see [Supported CodeQL queries and libraries](docs/supported-queries.md).
-
-Experimental queries and libraries may not be actively maintained as the supported libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
+Experimental queries and libraries may not be actively maintained as the [supported](docs/supported-queries.md) libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
 
 After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
 

change-notes/1.26/analysis-python.md

@@ -4,34 +4,19 @@ The following changes in version 1.26 affect Python analysis in all applications
 
 ## General improvements
 
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
-|`py/unsafe-deserialization` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/path-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/command-line-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/reflective-xss` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/sql-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/code-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
+
+
 ## Changes to libraries
-* Some of the security queries now use the shared data flow library for data flow and taint tracking. This has resulted in an overall more robust and accurate analysis. The libraries mentioned below have been modelled in this new framework. Other libraries (e.g. the web framework `CherryPy`) have not been modelled yet, and this may lead to a temporary loss of results for these frameworks.
-* Improved modelling of the following serialization libraries:
-  - `PyYAML`
-  - `dill`
-  - `pickle`
-  - `marshal`
-* Improved modelling of the following web frameworks:
-  - `Django` (Note that modelling of class-based response handlers is currently incomplete.)
-  - `Flask`
-* Support for Werkzeug `MultiDict`.
-* Support for the [Python Database API Specification v2.0 (PEP-249)](https://www.python.org/dev/peps/pep-0249/), including the following libraries:
-  - `MySQLdb`
-  - `mysql-connector-python`
-  - `django.db`
-* Improved modelling of the following command execution libraries:
-  - `Fabric`
-  - `Invoke`
-* Improved modelling of security-related standard library modules, such as `os`, `popen2`, `platform`, and `base64`.
-* The original versions of the updated queries have been preserved [here](https://github.com/github/codeql/tree/main/python/ql/src/experimental/Security-old-dataflow).
+
 * Added taint tracking support for string formatting through f-strings.

config/identical-files.json

@@ -5,7 +5,6 @@
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
@@ -37,7 +36,6 @@
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -57,10 +55,6 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
     "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
   ],
-  "DataFlow Java/C# Flow Summaries": [
-    "java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
-  ],
   "SsaReadPosition Java/C#": [
     "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
@@ -250,10 +244,6 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
-  "SSA PrintAliasAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
-  ],
   "C++ SSA AliasAnalysisImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
@@ -366,7 +356,6 @@
   ],
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [
@@ -384,49 +373,50 @@
     "javascript/ql/src/semmle/javascript/XML.qll",
     "python/ql/src/semmle/python/xml/XML.qll"
   ],
-  "DuplicationProblems.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
-    "javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
-    "python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
+  "DuplicationProblems.qhelp": [
+    "cpp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
+    "csharp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
+    "javascript/ql/src/Metrics/DuplicationProblems.qhelp",
+    "python/ql/src/Metrics/DuplicationProblems.qhelp"
   ],
-  "CommentedOutCodeQuery.inc.qhelp": [
-    "cpp/ql/src/Documentation/CommentedOutCodeQuery.inc.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeQuery.inc.qhelp",
-    "csharp/ql/src/Bad Practices/Comments/CommentedOutCodeQuery.inc.qhelp",
-    "java/ql/src/Violations of Best Practice/Comments/CommentedOutCodeQuery.inc.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeQuery.inc.qhelp"
+  "CommentedOutCodeQuery.qhelp": [
+    "cpp/ql/src/Documentation/CommentedOutCodeQuery.qhelp",
+    "python/ql/src/Lexical/CommentedOutCodeQuery.qhelp",
+    "csharp/ql/src/Bad Practices/Comments/CommentedOutCodeQuery.qhelp",
+    "java/ql/src/Violations of Best Practice/Comments/CommentedOutCodeQuery.qhelp",
+    "javascript/ql/src/Comments/CommentedOutCodeQuery.qhelp"
   ],
-  "FLinesOfCodeReferences.inc.qhelp": [
-    "java/ql/src/Metrics/Files/FLinesOfCodeReferences.inc.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfCodeReferences.inc.qhelp"
+  "FLinesOfCodeReferences.qhelp": [
+    "java/ql/src/Metrics/Files/FLinesOfCodeReferences.qhelp",
+    "javascript/ql/src/Metrics/FLinesOfCodeReferences.qhelp"
   ],
-  "FCommentRatioCommon.inc.qhelp": [
-    "java/ql/src/Metrics/Files/FCommentRatioCommon.inc.qhelp",
-    "javascript/ql/src/Metrics/FCommentRatioCommon.inc.qhelp"
+  "FCommentRatioCommon.qhelp": [
+    "java/ql/src/Metrics/Files/FCommentRatioCommon.qhelp",
+    "javascript/ql/src/Metrics/FCommentRatioCommon.qhelp"
   ],
-  "FLinesOfCodeOverview.inc.qhelp": [
-    "java/ql/src/Metrics/Files/FLinesOfCodeOverview.inc.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfCodeOverview.inc.qhelp"
+  "FLinesOfCodeOverview.qhelp": [
+    "java/ql/src/Metrics/Files/FLinesOfCodeOverview.qhelp",
+    "javascript/ql/src/Metrics/FLinesOfCodeOverview.qhelp"
   ],
-  "CommentedOutCodeMetricOverview.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
-    "csharp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
-    "java/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeMetricOverview.inc.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeMetricOverview.inc.qhelp"
+  "CommentedOutCodeMetricOverview.qhelp": [
+    "cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
+    "csharp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
+    "java/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
+    "javascript/ql/src/Comments/CommentedOutCodeMetricOverview.qhelp",
+    "python/ql/src/Lexical/CommentedOutCodeMetricOverview.qhelp"
   ],
-  "FLinesOfDuplicatedCodeCommon.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.inc.qhelp",
-    "java/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.inc.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.inc.qhelp",
-    "python/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.inc.qhelp"
+  "FLinesOfDuplicatedCodeCommon.qhelp": [
+    "cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
+    "java/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
+    "javascript/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp",
+    "python/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp"
   ],
-  "CommentedOutCodeReferences.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
-    "csharp/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
-    "java/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeReferences.inc.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
+  "CommentedOutCodeReferences.qhelp": [
+    "cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
+    "csharp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
+    "java/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
+    "javascript/ql/src/Comments/CommentedOutCodeReferences.qhelp",
+    "python/ql/src/Lexical/CommentedOutCodeReferences.qhelp"
   ],
   "IDE Contextual Queries": [
     "cpp/ql/src/IDEContextual.qll",
@@ -434,19 +424,5 @@
     "java/ql/src/IDEContextual.qll",
     "javascript/ql/src/IDEContextual.qll",
     "python/ql/src/analysis/IDEContextual.qll"
-  ],
-  "SSA C#": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
-  ],
-  "CryptoAlgorithms Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
-  ],
-  "SensitiveDataHeuristics Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
-    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
   ]
 }

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -5,7 +5,6 @@ using System;
 using System.Linq;
 using Microsoft.Build.Construction;
 using System.Xml;
-using System.IO;
 
 namespace Semmle.Autobuild.Cpp.Tests
 {
@@ -44,8 +43,6 @@ namespace Semmle.Autobuild.Cpp.Tests
         public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
         public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
         public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
-        public HashSet<string> CreateDirectories { get; } = new HashSet<string>();
-        public HashSet<(string, string)> DownloadFiles { get; } = new HashSet<(string, string)>();
 
         int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
         {
@@ -138,14 +135,6 @@ namespace Semmle.Autobuild.Cpp.Tests
 
         string IBuildActions.GetFullPath(string path) => path;
 
-        string? IBuildActions.GetFileName(string? path) => Path.GetFileName(path?.Replace('\\', '/'));
-
-        public string? GetDirectoryName(string? path)
-        {
-            var dir = Path.GetDirectoryName(path?.Replace('\\', '/'));
-            return dir is null ? path : path?.Substring(0, dir.Length);
-        }
-
         void IBuildActions.WriteAllText(string filename, string contents)
         {
         }
@@ -164,18 +153,6 @@ namespace Semmle.Autobuild.Cpp.Tests
                 s = s.Replace($"%{kvp.Key}%", kvp.Value);
             return s;
         }
-
-        public void CreateDirectory(string path)
-        {
-            if (!CreateDirectories.Contains(path))
-                throw new ArgumentException($"Missing CreateDirectory, {path}");
-        }
-
-        public void DownloadFile(string address, string fileName)
-        {
-            if (!DownloadFiles.Contains((address, fileName)))
-                throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
-        }
     }
 
     /// <summary>
@@ -236,7 +213,6 @@ namespace Semmle.Autobuild.Cpp.Tests
             Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
             Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
             Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
-            Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
             Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
             Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
             Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
@@ -297,8 +273,7 @@ namespace Semmle.Autobuild.Cpp.Tests
         [Fact]
         public void TestCppAutobuilderSuccess()
         {
-            Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
-            Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test.sln"] = 1;
             Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
             Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
             Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
@@ -311,13 +286,11 @@ namespace Semmle.Autobuild.Cpp.Tests
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
             Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
             Actions.EnumerateDirectories[@"C:\Project"] = "";
-            Actions.CreateDirectories.Add(@"C:\Project\.nuget");
-            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
 
             var autobuilder = CreateAutoBuilder(true);
             var solution = new TestSolution(@"C:\Project\test.sln");
             autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
-            TestAutobuilderScript(autobuilder, 0, 3);
+            TestAutobuilderScript(autobuilder, 0, 2);
         }
     }
 }

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net5.0</TargetFramework>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
     <Nullable>enable</Nullable>

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
     <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
     <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
     <ApplicationIcon />
@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
+    <PackageReference Include="Microsoft.Build" Version="16.0.461" />
   </ItemGroup>
 
   <ItemGroup>

cpp/change-notes/2020-11-05-formatting-function.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* `FormattingFunction.getOutputParameterIndex` now has a parameter identifying whether the output at that index is a buffer or a stream.
-* `FormattingFunction` now has a predicate `isOutputGlobal` indicating when the output is to a global stream.
-* The `primitiveVariadicFormatter` and `variadicFormatter` predicates have more parameters exposing information about the function.

cpp/change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md

@@ -1,2 +0,0 @@
-lgtm
-* A new query (`cpp/unsigned-difference-expression-compared-zero`) is run but not yet displayed on LGTM. The query finds unsigned subtractions used in relational comparisons with the value 0. This query was originally submitted as an experimental query by @ihsinme in https://github.com/github/codeql/pull/4745.

cpp/change-notes/2021-02-24-memset-may-be-deleted.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* A new query (`cpp/memset-may-be-deleted`) is added to the default query suite. The query finds calls to `memset` that may be removed by the compiler. This behavior can make information-leak vulnerabilities easier to exploit. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/4953).

cpp/change-notes/2021-03-01-fluent-interface-data-flow.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The data-flow library now recognises more side-effects of method chaining (e.g. `someObject.setX(clean).setY(tainted).setZ...` having a side-effect on `someObject`), as well as other related circumstances where a function input is directly passed to its output. All queries that use data-flow analysis, including most security queries, may return more results accordingly.

cpp/change-notes/2021-03-11-failed-extractions.md

@@ -1,2 +0,0 @@
-codescanning
-* Added cpp/diagnostics/failed-extractions. This query gives information about which extractions did not run to completion.

cpp/change-notes/2021-03-11-overflow-abs.md

@@ -1,2 +0,0 @@
-lgtm
-* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

cpp/change-notes/2021-03-17-av-rule-79.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Resource not released in destructor' (cpp/resource-not-released-in-destructor) query has been improved to recognize more releases of resources.

cpp/change-notes/2021-04-06-assign-where-compare-meant.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.

cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.

cpp/change-notes/2021-04-13-arithmetic-queries.md

@@ -1,2 +0,0 @@
-lgtm
-* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

cpp/change-notes/2021-04-21-return-stack-allocated-object.md

@@ -1,2 +0,0 @@
-codescanning
-* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).

cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.

cpp/change-notes/2021-05-10-comparison-with-wider-type.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.

cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-18-static-buffer-overflow.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md

@@ -1,2 +0,0 @@
-lgtm
-* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

cpp/change-notes/2021-05-20-ref-qualifiers.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).

cpp/change-notes/2021-05-21-unsafe-strncat.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

cpp/change-notes/2021-06-10-std-types.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
-* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
-* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

cpp/change-notes/2021-06-24-dataflow-implicit-reads.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

cpp/config/suites/cpp/correctness

@@ -10,7 +10,6 @@
 + semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/OO/UnsafeUseOfThis.ql: /Correctness/Dangerous Conversions
-+ semmlecode-cpp-queries/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql: /Correctness/Dangerous Conversions
   # Consistent Use
 + semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use

cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql

@@ -4,6 +4,9 @@
  * @kind graph
  * @id cpp/architecture/class-hierarchies
  * @graph.layout organic
+ * @workingset jhotdraw
+ * @result succeed 48
+ * @result_ondemand succeed 48
  * @tags maintainability
  */
 

cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql

@@ -4,6 +4,9 @@
  * @kind chart
  * @id cpp/architecture/inheritance-depth-distribution
  * @chart.type line
+ * @workingset jhotdraw
+ * @result succeed 48
+ * @result_ondemand succeed 48
  * @tags maintainability
  */
 

cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql

@@ -1,8 +1,7 @@
 /**
  * @name Global namespace classes
  * @description Finds classes that belong to no namespace.
- * @kind problem
- * @problem.severity recommendation
+ * @kind table
  * @id cpp/architecture/global-namespace-classes
  * @tags maintainability
  *       modularity

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql

@@ -4,6 +4,9 @@
  * @kind problem
  * @id cpp/architecture/classes-with-many-dependencies
  * @problem.severity recommendation
+ * @workingset jhotdraw
+ * @result succeed 20
+ * @result_ondemand succeed 20
  * @tags maintainability
  *       statistical
  *       non-attributable

cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
- * @security-severity 8.2
  * @precision medium
  * @tags reliability
  *       security

cpp/ql/src/Best Practices/Magic Constants/MagicConstants.qll

@@ -8,41 +8,168 @@ import semmle.code.cpp.AutogeneratedFile
 predicate trivialPositiveIntValue(string s) {
   // Small numbers
   s = [0 .. 20].toString() or
-  s =
-    [
-      // Popular powers of two (decimal)
-      "16", "24", "32", "64", "128", "256", "512", "1024", "2048", "4096", "16384", "32768",
-      "65536", "1048576", "2147483648", "4294967296",
-      // Popular powers of two, minus one (decimal)
-      "15", "31", "63", "127", "255", "511", "1023", "2047", "4095", "16383", "32767", "65535",
-      "1048577", "2147483647", "4294967295",
-      // Popular powers of two (32-bit hex)
-      "0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010", "0x00000020",
-      "0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400", "0x00000800",
-      "0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000", "0x00020000",
-      "0x00040000", "0x00080000", "0x00100000", "0x00200000", "0x00400000", "0x00800000",
-      "0x01000000", "0x02000000", "0x04000000", "0x08000000", "0x10000000", "0x20000000",
-      "0x40000000", "0x80000000",
-      // Popular powers of two, minus one (32-bit hex)
-      "0x00000001", "0x00000003", "0x00000007", "0x0000000f", "0x0000001f", "0x0000003f",
-      "0x0000007f", "0x000000ff", "0x000001ff", "0x000003ff", "0x000007ff", "0x00000fff",
-      "0x00001fff", "0x00003fff", "0x00007fff", "0x0000ffff", "0x0001ffff", "0x0003ffff",
-      "0x0007ffff", "0x000fffff", "0x001fffff", "0x003fffff", "0x007fffff", "0x00ffffff",
-      "0x01ffffff", "0x03ffffff", "0x07ffffff", "0x0fffffff", "0x1fffffff", "0x3fffffff",
-      "0x7fffffff", "0xffffffff",
-      // Popular powers of two (16-bit hex)
-      "0x0001", "0x0002", "0x0004", "0x0008", "0x0010", "0x0020", "0x0040", "0x0080", "0x0100",
-      "0x0200", "0x0400", "0x0800", "0x1000", "0x2000", "0x4000", "0x8000",
-      // Popular powers of two, minus one (16-bit hex)
-      "0x0001", "0x0003", "0x0007", "0x000f", "0x001f", "0x003f", "0x007f", "0x00ff", "0x01ff",
-      "0x03ff", "0x07ff", "0x0fff", "0x1fff", "0x3fff", "0x7fff", "0xffff",
-      // Popular powers of two (8-bit hex)
-      "0x01", "0x02", "0x04", "0x08", "0x10", "0x20", "0x40", "0x80",
-      // Popular powers of two, minus one (8-bit hex)
-      "0x01", "0x03", "0x07", "0x0f", "0x1f", "0x3f", "0x7f", "0xff", "0x00",
-      // Powers of ten
-      "10", "100", "1000", "10000", "100000", "1000000", "10000000", "100000000", "1000000000"
-    ]
+  // Popular powers of two (decimal)
+  s = "16" or
+  s = "24" or
+  s = "32" or
+  s = "64" or
+  s = "128" or
+  s = "256" or
+  s = "512" or
+  s = "1024" or
+  s = "2048" or
+  s = "4096" or
+  s = "16384" or
+  s = "32768" or
+  s = "65536" or
+  s = "1048576" or
+  s = "2147483648" or
+  s = "4294967296" or
+  // Popular powers of two, minus one (decimal)
+  s = "15" or
+  s = "31" or
+  s = "63" or
+  s = "127" or
+  s = "255" or
+  s = "511" or
+  s = "1023" or
+  s = "2047" or
+  s = "4095" or
+  s = "16383" or
+  s = "32767" or
+  s = "65535" or
+  s = "1048577" or
+  s = "2147483647" or
+  s = "4294967295" or
+  // Popular powers of two (32-bit hex)
+  s = "0x00000001" or
+  s = "0x00000002" or
+  s = "0x00000004" or
+  s = "0x00000008" or
+  s = "0x00000010" or
+  s = "0x00000020" or
+  s = "0x00000040" or
+  s = "0x00000080" or
+  s = "0x00000100" or
+  s = "0x00000200" or
+  s = "0x00000400" or
+  s = "0x00000800" or
+  s = "0x00001000" or
+  s = "0x00002000" or
+  s = "0x00004000" or
+  s = "0x00008000" or
+  s = "0x00010000" or
+  s = "0x00020000" or
+  s = "0x00040000" or
+  s = "0x00080000" or
+  s = "0x00100000" or
+  s = "0x00200000" or
+  s = "0x00400000" or
+  s = "0x00800000" or
+  s = "0x01000000" or
+  s = "0x02000000" or
+  s = "0x04000000" or
+  s = "0x08000000" or
+  s = "0x10000000" or
+  s = "0x20000000" or
+  s = "0x40000000" or
+  s = "0x80000000" or
+  // Popular powers of two, minus one (32-bit hex)
+  s = "0x00000001" or
+  s = "0x00000003" or
+  s = "0x00000007" or
+  s = "0x0000000f" or
+  s = "0x0000001f" or
+  s = "0x0000003f" or
+  s = "0x0000007f" or
+  s = "0x000000ff" or
+  s = "0x000001ff" or
+  s = "0x000003ff" or
+  s = "0x000007ff" or
+  s = "0x00000fff" or
+  s = "0x00001fff" or
+  s = "0x00003fff" or
+  s = "0x00007fff" or
+  s = "0x0000ffff" or
+  s = "0x0001ffff" or
+  s = "0x0003ffff" or
+  s = "0x0007ffff" or
+  s = "0x000fffff" or
+  s = "0x001fffff" or
+  s = "0x003fffff" or
+  s = "0x007fffff" or
+  s = "0x00ffffff" or
+  s = "0x01ffffff" or
+  s = "0x03ffffff" or
+  s = "0x07ffffff" or
+  s = "0x0fffffff" or
+  s = "0x1fffffff" or
+  s = "0x3fffffff" or
+  s = "0x7fffffff" or
+  s = "0xffffffff" or
+  // Popular powers of two (16-bit hex)
+  s = "0x0001" or
+  s = "0x0002" or
+  s = "0x0004" or
+  s = "0x0008" or
+  s = "0x0010" or
+  s = "0x0020" or
+  s = "0x0040" or
+  s = "0x0080" or
+  s = "0x0100" or
+  s = "0x0200" or
+  s = "0x0400" or
+  s = "0x0800" or
+  s = "0x1000" or
+  s = "0x2000" or
+  s = "0x4000" or
+  s = "0x8000" or
+  // Popular powers of two, minus one (16-bit hex)
+  s = "0x0001" or
+  s = "0x0003" or
+  s = "0x0007" or
+  s = "0x000f" or
+  s = "0x001f" or
+  s = "0x003f" or
+  s = "0x007f" or
+  s = "0x00ff" or
+  s = "0x01ff" or
+  s = "0x03ff" or
+  s = "0x07ff" or
+  s = "0x0fff" or
+  s = "0x1fff" or
+  s = "0x3fff" or
+  s = "0x7fff" or
+  s = "0xffff" or
+  // Popular powers of two (8-bit hex)
+  s = "0x01" or
+  s = "0x02" or
+  s = "0x04" or
+  s = "0x08" or
+  s = "0x10" or
+  s = "0x20" or
+  s = "0x40" or
+  s = "0x80" or
+  // Popular powers of two, minus one (8-bit hex)
+  s = "0x01" or
+  s = "0x03" or
+  s = "0x07" or
+  s = "0x0f" or
+  s = "0x1f" or
+  s = "0x3f" or
+  s = "0x7f" or
+  s = "0xff" or
+  s = "0x00" or
+  // Powers of ten
+  s = "10" or
+  s = "100" or
+  s = "1000" or
+  s = "10000" or
+  s = "100000" or
+  s = "1000000" or
+  s = "10000000" or
+  s = "100000000" or
+  s = "1000000000"
 }
 
 predicate trivialIntValue(string s) {
@@ -108,7 +235,10 @@ predicate joiningStringTrivial(Literal lit) {
   // understand (which is against the spirit of these queries).
   stringLiteral(lit) and
   exists(FunctionCall fc |
-    fc.getTarget().getName() = ["operator+", "operator<<"] and
+    (
+      fc.getTarget().getName() = "operator+" or
+      fc.getTarget().getName() = "operator<<"
+    ) and
     fc.getAnArgument().getAChild*() = lit
   ) and
   lit.getValue().length() < 16
@@ -161,7 +291,8 @@ predicate arrayInitializerChild(AggregateLiteral parent, Expr e) {
 
 // i.e. not a constant folded expression
 predicate literallyLiteral(Literal lit) {
-  lit.getValueText()
+  lit
+      .getValueText()
       .regexpMatch(".*\".*|\\s*+[-+]?+\\s*+(0[xob][0-9a-fA-F]|[0-9])[0-9a-fA-F,._]*+([eE][-+]?+[0-9,._]*+)?+\\s*+[a-zA-Z]*+\\s*+")
 }
 

cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.qhelp

@@ -39,7 +39,7 @@ then replace all the relevant occurrences in the code.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.qhelp

@@ -38,7 +38,7 @@ constant.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

cpp/ql/src/Best Practices/SloppyGlobal.qhelp

@@ -21,7 +21,7 @@ Review the purpose of the each global variable flagged by this rule and update e
 
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 1: Naming, Rec 1.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 1: Naming, Rec 1.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.

cpp/ql/src/Best Practices/UseOfGoto.qhelp

@@ -45,7 +45,7 @@ this rule.
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
-  (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.

cpp/ql/src/Critical/DeadCodeCondition.qhelp

@@ -9,7 +9,7 @@
 It is likely that these conditions indicate an error in the branching condition. 
 Alternatively, the conditions may have been left behind after debugging.</p>
 
-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/DeadCodeFunction.qhelp

@@ -13,7 +13,7 @@ If left in the code base they increase object code size, decrease code comprehen
 This type of function may be part of the program's API and could be used by external programs.
 </p>
 
-<include src="callGraphWarning.inc.qhelp" />
+<include src="callGraphWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/DescriptorMayNotBeClosed.qhelp

@@ -10,7 +10,7 @@ This query looks at functions that return file or socket descriptors, but may re
 This can occur when an operation performed on the open descriptor fails, and the function returns with an error before it closes the open resource. An improperly handled error could cause the function to leak resource descriptors. Failing to close resources in the function that opened them also makes it more difficult to detect leaks.
 </p> 
 
-<include src="dataFlowWarning.inc.qhelp" />
+<include src="dataFlowWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/descriptor-may-not-be-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/DescriptorNeverClosed.qhelp

@@ -10,7 +10,7 @@ This rule finds calls to <code>socket</code> where there is no corresponding <co
 Leaving descriptors open will cause a resource leak that will persist even after the program terminates.
 </p>
 
-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/descriptor-never-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileMayNotBeClosed.qhelp

@@ -10,7 +10,7 @@ This rule looks at functions that return a <code>FILE*</code>, but may return an
 This can occur when an operation performed on the open descriptor fails, and the function returns with an error before closing the open resource. An improperly handled error may cause the function to leak file descriptors.
 </p> 
 
-<include src="dataFlowWarning.inc.qhelp" />
+<include src="dataFlowWarning.qhelp" />
 
 </overview>
 <recommendation>

cpp/ql/src/Critical/FileMayNotBeClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/file-may-not-be-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileNeverClosed.qhelp

@@ -10,7 +10,7 @@ This rule finds calls to <code>fopen</code> with no corresponding <code>fclose</
 Leaving files open will cause a resource leak that will persist even after the program terminates.
 </p>
 
-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 
 </overview>
 <recommendation>

cpp/ql/src/Critical/FileNeverClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/file-never-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/GlobalUseBeforeInit.qhelp

@@ -10,7 +10,7 @@ Not all compilers generate code that zero-out memory, especially when optimizati
 is not compliant with the latest language standards. Accessing uninitialized memory will lead to undefined results.
 </p>
 
-<include src="dataFlowWarning.inc.qhelp" />
+<include src="dataFlowWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/GlobalUseBeforeInit.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/global-use-before-init
  * @problem.severity warning
- * @security-severity 7.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-457

cpp/ql/src/Critical/InconsistentNullnessTesting.qhelp

@@ -12,7 +12,7 @@ Dereferencing a null pointer and attempting to modify its contents can lead to a
 important system data (including the interrupt table in some architectures).
 </p>
 
-<include src="pointsToWarning.inc.qhelp" />
+<include src="pointsToWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/InconsistentNullnessTesting.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/inconsistent-nullness-testing
  * @problem.severity warning
- * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/InitialisationNotRun.qhelp

@@ -11,7 +11,7 @@ Uninitialized variables may contain any value, as not all compilers generate cod
 optimizations are enabled or the compiler is not compliant with the latest language standards.
 </p>
 
-<include src="callGraphWarning.inc.qhelp" />
+<include src="callGraphWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/InitialisationNotRun.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/initialization-not-run
  * @problem.severity warning
- * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-456

cpp/ql/src/Critical/LateNegativeTest.qhelp

@@ -13,7 +13,7 @@ after. Otherwise, if the value is negative then the program will have failed
 before performing the test.
 </p>
 
-<include src="dataFlowWarning.inc.qhelp" />
+<include src="dataFlowWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/LateNegativeTest.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/late-negative-test
  * @problem.severity warning
- * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MemoryMayNotBeFreed.qhelp

@@ -9,7 +9,7 @@
 This rule looks for functions that allocate memory, but may return without freeing it.  This can occur when an operation performed on the memory block fails, and the function returns with an error before freeing the allocated block.  This causes the function to leak memory and may eventually lead to software failure.
 </p> 
 
-<include src="dataFlowWarning.inc.qhelp" />
+<include src="dataFlowWarning.qhelp" />
 
 </overview>
 <recommendation>

cpp/ql/src/Critical/MemoryMayNotBeFreed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/memory-may-not-be-freed
  * @problem.severity warning
- * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MemoryNeverFreed.qhelp

@@ -10,7 +10,7 @@ This rule finds calls to the <code>alloc</code> family of functions without a co
 This leads to memory leaks.
 </p>
 
-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 
 </overview>
 <recommendation>

cpp/ql/src/Critical/MemoryNeverFreed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/memory-never-freed
  * @problem.severity warning
- * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MissingNegativityTest.qhelp

@@ -16,7 +16,7 @@ buffer overruns.
 The query looks only at the return values of functions that may return a negative value (not all functions).
 </p>
 
-<include src="dataFlowWarning.inc.qhelp" />
+<include src="dataFlowWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/MissingNegativityTest.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/missing-negativity-test
  * @problem.severity warning
- * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MissingNullTest.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/missing-null-test
  * @problem.severity recommendation
- * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/NewArrayDeleteMismatch.qhelp

@@ -63,7 +63,7 @@ destructors likely not be called (as previously noted), but the pointer will als
 potentially less of a serious issue than that posed by the first approach, but it should still be avoided.</li>
 </ul>
 
-<include src="pointsToWarning.inc.qhelp" />
+<include src="pointsToWarning.qhelp" />
 
 </overview>
 <recommendation>

cpp/ql/src/Critical/NewDeleteArrayMismatch.qhelp

@@ -18,7 +18,7 @@ an array (which could have header data specifying the length of the array) and w
 element of the 'array', which would likely lead to a segfault due to the invalid header data.
 </p>
 
-<include src="pointsToWarning.inc.qhelp" />
+<include src="pointsToWarning.qhelp" />
 
 </overview>
 <recommendation>

cpp/ql/src/Critical/NewFreeMismatch.ql

@@ -3,7 +3,6 @@
  * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
  * @kind problem
  * @problem.severity warning
- * @security-severity 7.5
  * @precision high
  * @id cpp/new-free-mismatch
  * @tags reliability

cpp/ql/src/Critical/OverflowCalculated.qhelp

@@ -19,7 +19,7 @@ the data being copied. Buffer overflows can result to anything from a segmentati
 if the array is on stack-allocated memory).
 </p>
 
-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/OverflowCalculated.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/overflow-calculated
  * @problem.severity warning
- * @security-severity 9.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-131

cpp/ql/src/Critical/OverflowDestination.qhelp

@@ -14,7 +14,7 @@ Buffer overflows can lead to anything from a segmentation fault to a security vu
 Ensure that the size parameter is derived from the size of the destination buffer, and 
 not the source buffer.</p>
 
-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 </recommendation>
 
 

cpp/ql/src/Critical/OverflowDestination.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/overflow-destination
  * @problem.severity warning
- * @security-severity 9.3
  * @precision low
  * @tags reliability
  *       security

cpp/ql/src/Critical/OverflowStatic.ql

@@ -4,7 +4,6 @@
  *              may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 9.3
  * @precision medium
  * @id cpp/static-buffer-overflow
  * @tags reliability
@@ -15,7 +14,6 @@
 
 import cpp
 import semmle.code.cpp.commons.Buffer
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import LoopBounds
 
 private predicate staticBufferBase(VariableAccess access, Variable v) {
@@ -53,8 +51,6 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
     loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
     loop.limit() >= bufaccess.bufferSize() and
     loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
-    // Ensure that we don't have an upper bound on the array index that's less than the buffer size.
-    not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
     msg =
       "Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
         loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -98,22 +94,17 @@ class CallWithBufferSize extends FunctionCall {
   }
 
   int statedSizeValue() {
-    // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
-    // result in this case we pick the minimum value obtainable from dataflow and range analysis.
-    result =
-      upperBound(statedSizeExpr())
-          .minimum(min(Expr statedSizeSrc |
-              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
-            |
-              statedSizeSrc.getValue().toInt()
-            ))
+    exists(Expr statedSizeSrc |
+      DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
+      result = statedSizeSrc.getValue().toInt()
+    )
   }
 }
 
 predicate wrongBufferSize(Expr error, string msg) {
   exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
     staticBuffer(call.buffer(), buf, bufsize) and
-    statedSize = call.statedSizeValue() and
+    statedSize = min(call.statedSizeValue()) and
     statedSize > bufsize and
     error = call.statedSizeExpr() and
     msg =

cpp/ql/src/Critical/ReturnStackAllocatedObject.qhelp

@@ -12,7 +12,7 @@ the contents of that memory become undefined after that. Clearly, using a pointe
 memory after the function has already returned will have undefined results.
 </p>
 
-<include src="pointsToWarning.inc.qhelp" />
+<include src="pointsToWarning.qhelp" />
 </overview>
 
 <recommendation>

cpp/ql/src/Critical/ReturnStackAllocatedObject.ql

@@ -4,12 +4,9 @@
  * @kind problem
  * @id cpp/return-stack-allocated-object
  * @problem.severity warning
- * @security-severity 2.1
  * @tags reliability
  *       security
  *       external/cwe/cwe-562
- * @deprecated This query is not suitable for production use and has been deprecated. Use
- *             cpp/return-stack-allocated-memory instead.
  */
 
 import semmle.code.cpp.pointsto.PointsTo

cpp/ql/src/Critical/ReturnValueIgnored.qhelp

@@ -7,7 +7,7 @@
 <overview>
 <p>
 This rule finds calls to a function that ignore the return value. A function call is only marked 
-as a violation if at least 90% of the total calls to that function check the return value. Not
+as a violation if at least 80% of the total calls to that function check the return value. Not 
 checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
 These functions return the status information and the return values should always be checked 
 to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
@@ -32,7 +32,7 @@ Check the return value of functions that return status information.
 <references>
 
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
 </li>
 <li>
   The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.

cpp/ql/src/Critical/ReturnValueIgnored.ql

@@ -1,6 +1,6 @@
 /**
  * @name Return value of a function is ignored
- * @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
+ * @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
  * @kind problem
  * @id cpp/return-value-ignored
  * @problem.severity recommendation

cpp/ql/src/Critical/SizeCheck.ql

@@ -4,7 +4,6 @@
  *              an instance of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.1
  * @precision medium
  * @id cpp/allocation-too-small
  * @tags reliability

cpp/ql/src/Critical/SizeCheck2.ql

@@ -4,7 +4,6 @@
  *              multiple instances of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.1
  * @precision medium
  * @id cpp/suspicious-allocation-size
  * @tags reliability

cpp/ql/src/Critical/UseAfterFree.qhelp

@@ -12,7 +12,7 @@ from a segfault to memory corruption that would cause subsequent calls to the dy
 erratically, to a possible security vulnerability.
 </p>
 
-<include src="pointsToWarning.inc.qhelp" />
+<include src="pointsToWarning.qhelp" />
 
 </overview>
 <recommendation>

cpp/ql/src/Critical/UseAfterFree.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/use-after-free
  * @problem.severity warning
- * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-416

cpp/ql/src/DefaultOptions.qll

@@ -59,9 +59,14 @@ class Options extends string {
   predicate exits(Function f) {
     f.getAnAttribute().hasName("noreturn")
     or
-    f.hasGlobalOrStdName([
-        "exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
-      ])
+    exists(string name | f.hasGlobalOrStdName(name) |
+      name = "exit" or
+      name = "_exit" or
+      name = "abort" or
+      name = "__assert_fail" or
+      name = "longjmp" or
+      name = "__builtin_unreachable"
+    )
     or
     CustomOptions::exits(f) // old Options.qll
   }

cpp/ql/src/Diagnostics/ExtractionErrors.ql

@@ -1,16 +0,0 @@
-/**
- * @name Extraction errors
- * @description List all extraction errors for files in the source code directory.
- * @kind diagnostic
- * @id cpp/diagnostics/extraction-errors
- */
-
-import cpp
-import ExtractionErrors
-
-from ExtractionError error
-where
-  error instanceof ExtractionUnknownError or
-  exists(error.getFile().getRelativePath())
-select error, "Extraction failed in " + error.getFile() + " with error " + error.getErrorMessage(),
-  error.getSeverity()

cpp/ql/src/Diagnostics/ExtractionErrors.qll

@@ -1,137 +0,0 @@
-/**
- * Provides a common hierarchy of all types of errors that can occur during extraction.
- */
-
-import cpp
-
-/*
- * A note about how the C/C++ extractor emits diagnostics:
- * When the extractor frontend encounters an error, it emits a diagnostic message,
- * that includes a message, location and severity.
- * However, that process is best-effort and may fail (e.g. due to lack of memory).
- * Thus, if the extractor emitted at least one diagnostic of severity discretionary
- * error (or higher), it *also* emits a simple "There was an error during this compilation"
- * error diagnostic, without location information.
- * In the common case, this means that a compilation during which one or more errors happened also gets
- * the catch-all diagnostic.
- * This diagnostic has the empty string as file path.
- * We filter out these useless diagnostics if there is at least one error-level diagnostic
- * for the affected compilation in the database.
- * Otherwise, we show it to indicate that something went wrong and that we
- * don't know what exactly happened.
- */
-
-/**
- * An error that, if present, leads to a file being marked as non-successfully extracted.
- */
-class ReportableError extends Diagnostic {
-  ReportableError() {
-    (
-      this instanceof CompilerDiscretionaryError or
-      this instanceof CompilerError or
-      this instanceof CompilerCatastrophe
-    ) and
-    // Filter for the catch-all diagnostic, see note above.
-    not this.getFile().getAbsolutePath() = ""
-  }
-}
-
-private newtype TExtractionError =
-  TReportableError(ReportableError err) or
-  TCompilationFailed(Compilation c, File f) {
-    f = c.getAFileCompiled() and not c.normalTermination()
-  } or
-  // Show the catch-all diagnostic (see note above) only if we haven't seen any other error-level diagnostic
-  // for that compilation
-  TUnknownError(CompilerError err) {
-    not exists(ReportableError e | e.getCompilation() = err.getCompilation())
-  }
-
-/**
- * Superclass for the extraction error hierarchy.
- */
-class ExtractionError extends TExtractionError {
-  /** Gets the string representation of the error. */
-  string toString() { none() }
-
-  /** Gets the error message for this error. */
-  string getErrorMessage() { none() }
-
-  /** Gets the file this error occured in. */
-  File getFile() { none() }
-
-  /** Gets the location this error occured in. */
-  Location getLocation() { none() }
-
-  /** Gets the SARIF severity of this error. */
-  int getSeverity() {
-    // Unfortunately, we can't distinguish between errors and fatal errors in SARIF,
-    // so all errors have severity 2.
-    result = 2
-  }
-}
-
-/**
- * An unrecoverable extraction error, where extraction was unable to finish.
- * This can be caused by a multitude of reasons, for example:
- *  - hitting a frontend assertion
- *  - crashing due to dereferencing an invalid pointer
- *  - stack overflow
- *  - out of memory
- */
-class ExtractionUnrecoverableError extends ExtractionError, TCompilationFailed {
-  Compilation c;
-  File f;
-
-  ExtractionUnrecoverableError() { this = TCompilationFailed(c, f) }
-
-  override string toString() {
-    result = "Unrecoverable extraction error while compiling " + f.toString()
-  }
-
-  override string getErrorMessage() { result = "unrecoverable compilation failure." }
-
-  override File getFile() { result = f }
-
-  override Location getLocation() { result = f.getLocation() }
-}
-
-/**
- * A recoverable extraction error.
- * These are compiler errors from the frontend.
- * Upon encountering one of these, we still continue extraction, but the
- * database will be incomplete for that file.
- */
-class ExtractionRecoverableError extends ExtractionError, TReportableError {
-  ReportableError err;
-
-  ExtractionRecoverableError() { this = TReportableError(err) }
-
-  override string toString() { result = "Recoverable extraction error: " + err }
-
-  override string getErrorMessage() { result = err.getFullMessage() }
-
-  override File getFile() { result = err.getFile() }
-
-  override Location getLocation() { result = err.getLocation() }
-}
-
-/**
- * An unknown error happened during extraction.
- * These are only displayed if we know that we encountered an error during extraction,
- * but, for some reason, failed to emit a proper diagnostic with location information
- * and error message.
- */
-class ExtractionUnknownError extends ExtractionError, TUnknownError {
-  CompilerError err;
-
-  ExtractionUnknownError() { this = TUnknownError(err) }
-
-  override string toString() { result = "Unknown extraction error: " + err }
-
-  override string getErrorMessage() { result = err.getFullMessage() }
-
-  override File getFile() { result = err.getFile() }
-
-  override Location getLocation() { result = err.getLocation() }
-}