Add change note for Spring StringUtils

.codeqlmanifest.json

@@ -1,7 +1,5 @@
-{ "provide": [ "*/ql/lib/qlpack.yml",
-               "*/ql/src/qlpack.yml",
+{ "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
-               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",

.github/workflows/check-change-note.yml

@@ -19,5 +19,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
-          grep true -c
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
+          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status

.github/workflows/close-stale.yml

@@ -1,30 +0,0 @@
-name: Mark stale issues
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "30 1 * * *"
-
-jobs:
-  stale:
-    if: github.repository == 'github/codeql'
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/stale@v3
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
-        close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
-        days-before-stale: 14
-        days-before-close: 7
-        only-labels: awaiting-response
-
-        # do not mark PRs as stale
-        days-before-pr-stale: -1
-        days-before-pr-close: -1
-
-        # Uncomment for dry-run
-        # debug-only: true
-        # operations-per-run: 1000

.github/workflows/codeql-analysis.yml

@@ -19,18 +19,13 @@ jobs:
 
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: read
-
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
+      uses: github/codeql-action/init@v1
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: csharp
@@ -39,7 +34,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@main
+      uses: github/codeql-action/autobuild@v1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -53,4 +48,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main
+      uses: github/codeql-action/analyze@v1

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -1,97 +0,0 @@
-name: Check framework coverage changes
-
-on:
-  pull_request:
-    paths:
-      - '.github/workflows/csv-coverage-pr-comment.yml'
-      - '*/ql/src/**/*.ql'
-      - '*/ql/src/**/*.qll'
-      - 'misc/scripts/library-coverage/*.py'
-      # input data files
-      - '*/documentation/library-coverage/cwe-sink.csv'
-      - '*/documentation/library-coverage/frameworks.csv'
-    branches:
-      - main
-      - 'rc/*'
-
-jobs:
-  generate:
-    name: Generate framework coverage artifacts
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
-      run: echo "$GITHUB_CONTEXT"
-    - name: Clone self (github/codeql) - MERGE
-      uses: actions/checkout@v2
-      with:
-        path: merge
-    - name: Clone self (github/codeql) - BASE
-      uses: actions/checkout@v2
-      with:
-        fetch-depth: 2
-        path: base
-    - run: |
-        git checkout HEAD^1
-        git log -1 --format='%H'
-      working-directory: base
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Generate CSV files on merge commit of the PR
-      run: |
-        echo "Running generator on merge"
-        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
-        mkdir out_merge
-        cp framework-coverage-*.csv out_merge/
-        cp framework-coverage-*.rst out_merge/
-    - name: Generate CSV files on base commit of the PR
-      run: |
-        echo "Running generator on base"
-        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
-        mkdir out_base
-        cp framework-coverage-*.csv out_base/
-        cp framework-coverage-*.rst out_base/
-    - name: Generate diff of coverage reports
-      run: |
-        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
-    - name: Upload CSV package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: csv-framework-coverage-merge
-        path: |
-          out_merge/framework-coverage-*.csv
-          out_merge/framework-coverage-*.rst
-    - name: Upload CSV package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: csv-framework-coverage-base
-        path: |
-          out_base/framework-coverage-*.csv
-          out_base/framework-coverage-*.rst
-    - name: Upload comparison results
-      uses: actions/upload-artifact@v2
-      with:
-        name: comparison
-        path: |
-          comparison.md
-    - name: Save PR number
-      run: |
-        mkdir -p pr
-        echo ${{ github.event.pull_request.number }} > pr/NR
-    - name: Upload PR number
-      uses: actions/upload-artifact@v2
-      with:
-        name: pr
-        path: pr/

.github/workflows/csv-coverage-pr-comment.yml

@@ -1,34 +0,0 @@
-name: Comment on PR with framework coverage changes
-
-on:
-  workflow_run:
-    workflows: ["Check framework coverage changes"]
-    types:
-      - completed
-
-jobs:
-  check:
-    name: Check framework coverage differences and comment
-    runs-on: ubuntu-latest
-    if: >
-      ${{ github.event.workflow_run.event == 'pull_request' &&
-      github.event.workflow_run.conclusion == 'success' }}
-
-    steps:
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
-      run: echo "$GITHUB_CONTEXT"
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-
-    - name: Check coverage difference file and comment
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        RUN_ID: ${{ github.event.workflow_run.id }}
-      run: |
-        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"

.github/workflows/csv-coverage-timeseries.yml

@@ -1,42 +0,0 @@
-name: Build framework coverage timeseries reports
-
-on:
-  workflow_dispatch:
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: script
-    - name: Clone self (github/codeql) for analysis
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        fetch-depth: 0
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Build modeled package list
-      run: |
-        CLI=$(realpath "codeql-cli/codeql")
-        echo $CLI
-        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
-    - name: Upload timeseries CSV
-      uses: actions/upload-artifact@v2
-      with:
-        name: framework-coverage-timeseries
-        path: framework-coverage-timeseries-*.csv
-

.github/workflows/csv-coverage-update.yml

@@ -1,44 +0,0 @@
-name: Update framework coverage reports
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *"
-
-jobs:
-  update:
-    name: Update framework coverage report
-    if: github.event.repository.fork == false
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
-      run: echo "$GITHUB_CONTEXT"
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: ql
-        fetch-depth: 0
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-
-    - name: Generate coverage files
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
-
-    - name: Create pull request with changes
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"

.github/workflows/csv-coverage.yml

@@ -1,49 +0,0 @@
-name: Build framework coverage reports
-
-on:
-  workflow_dispatch:
-    inputs:
-      qlModelShaOverride:
-        description: 'github/codeql repo SHA used for looking up the CSV models'
-        required: false
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: script
-    - name: Clone self (github/codeql) for analysis
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      env:
-         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Build modeled package list
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
-    - name: Upload CSV package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: framework-coverage-csv
-        path: framework-coverage-*.csv
-    - name: Upload RST package list
-      uses: actions/upload-artifact@v2
-      with:
-        name: framework-coverage-rst
-        path: framework-coverage-*.rst
-

.gitignore

@@ -5,7 +5,6 @@
 
 # query compilation caches
 .cache
-data
 
 # qltest projects and artifacts
 */ql/test/**/*.testproj
@@ -24,8 +23,4 @@ data
 # It's useful (though not required) to be able to unpack codeql in the ql checkout itself
 /codeql/
 
-# Exclude output directories for compiled packs.
-.codeql/
-
 csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
-

config/identical-files.json

@@ -1,332 +1,323 @@
 {
   "DataFlow Java/C++/C#/Python": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
-  ],
-  "DataFlow Java/C# Flow Summaries": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
+    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
   ],
   "SsaReadPosition Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
   "Sign Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
   ],
   "SignAnalysis Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
   "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
+    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
   ],
   "ModulusAnalysis Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
   ],
   "C++ SubBasicBlocks": [
-    "cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
+    "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
   ],
   "IR Instruction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
   ],
   "IR IRType": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
     "csharp/ql/src/experimental/ir/implementation/IRType.qll"
   ],
   "IR IRConfiguration": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
   ],
   "IR UseSoundEscapeAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
   ],
   "IR IRFunctionBase": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
   ],
   "IR Operand Tag": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
   ],
   "IR TInstruction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
   ],
   "IR TIRVariable": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
   "IR IR": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
   ],
   "IR IRConsistency": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
   ],
   "IR PrintIR": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
   ],
   "IR IntegerConstant": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
   ],
   "IR IntegerInteval": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
   ],
   "IR IntegerPartial": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
   ],
   "IR Overlap": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
     "csharp/ql/src/experimental/ir/internal/Overlap.qll"
   ],
   "IR EdgeKind": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
     "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
   ],
   "IR MemoryAccessKind": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
     "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
   ],
   "IR TempVariableTag": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
     "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
   ],
   "IR Opcode": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
     "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
   ],
   "IR SSAConsistency": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
   ],
   "C++ IR InstructionImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
   ],
   "C++ IR IRImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
   ],
   "C++ IR IRBlockImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
   ],
   "C++ IR IRFunctionImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
   ],
   "C++ IR IRVariableImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
   ],
   "C++ IR OperandImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
   ],
   "C++ IR PrintIRImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
   ],
   "C++ SSA SSAConstructionImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
   ],
   "SSA AliasAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
-  "SSA PrintAliasAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
-  ],
   "C++ SSA AliasAnalysisImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
   ],
   "C++ IR ValueNumberingImports": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "IR SSA SimpleSSA": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
   ],
   "IR AliasConfiguration (unaliased_ssa)": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
   ],
   "IR SSA SSAConstruction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
   ],
   "C++ IR PrintConstantAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
   ],
   "C++ IR ReachableBlock": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
   ],
   "C++ IR PrintReachableBlock": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
   ],
   "C++ IR Dominance": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
   ],
   "C++ IR PrintDominance": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
   "C# IR InstructionImports": [
     "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
@@ -361,8 +352,8 @@
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "C# ControlFlowReachability": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
   ],
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
@@ -378,11 +369,11 @@
     "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
   ],
   "XML": [
-    "cpp/ql/lib/semmle/code/cpp/XML.qll",
-    "csharp/ql/lib/semmle/code/csharp/XML.qll",
-    "java/ql/lib/semmle/code/xml/XML.qll",
-    "javascript/ql/lib/semmle/javascript/XML.qll",
-    "python/ql/lib/semmle/python/xml/XML.qll"
+    "cpp/ql/src/semmle/code/cpp/XML.qll",
+    "csharp/ql/src/semmle/code/csharp/XML.qll",
+    "java/ql/src/semmle/code/xml/XML.qll",
+    "javascript/ql/src/semmle/javascript/XML.qll",
+    "python/ql/src/semmle/python/xml/XML.qll"
   ],
   "DuplicationProblems.inc.qhelp": [
     "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
@@ -429,36 +420,20 @@
     "python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
   ],
   "IDE Contextual Queries": [
-    "cpp/ql/lib/IDEContextual.qll",
-    "csharp/ql/lib/IDEContextual.qll",
-    "java/ql/lib/IDEContextual.qll",
-    "javascript/ql/lib/IDEContextual.qll",
+    "cpp/ql/src/IDEContextual.qll",
+    "csharp/ql/src/IDEContextual.qll",
+    "java/ql/src/IDEContextual.qll",
+    "javascript/ql/src/IDEContextual.qll",
     "python/ql/src/analysis/IDEContextual.qll"
   ],
   "SSA C#": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
+    "csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
   ],
   "CryptoAlgorithms Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll"
-  ],
-  "SensitiveDataHeuristics Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
-    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll"
-  ],
-  "ReDoS Util Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
-    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll"
-  ],
-  "ReDoS Exponential Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll"
-  ],
-  "ReDoS Polynomial Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
-    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll"
+    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
+    "python/ql/src/semmle/crypto/Crypto.qll"
   ]
-}
+}

cpp/change-notes/2021-03-11-overflow-abs.md

@@ -1,2 +0,0 @@
-lgtm
-* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

cpp/change-notes/2021-04-06-assign-where-compare-meant.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.

cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.

cpp/change-notes/2021-04-13-arithmetic-queries.md

@@ -1,2 +0,0 @@
-lgtm
-* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

cpp/change-notes/2021-04-21-return-stack-allocated-object.md

@@ -1,2 +0,0 @@
-codescanning
-* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).

cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.

cpp/change-notes/2021-05-10-comparison-with-wider-type.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.

cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-18-static-buffer-overflow.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md

@@ -1,2 +0,0 @@
-lgtm
-* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

cpp/change-notes/2021-05-20-ref-qualifiers.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).

cpp/change-notes/2021-05-21-unsafe-strncat.md

@@ -1,2 +0,0 @@
-lgtm
-* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

cpp/change-notes/2021-06-10-std-types.md

@@ -1,4 +0,0 @@
-lgtm,codescanning
-* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
-* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
-* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

cpp/change-notes/2021-06-24-dataflow-implicit-reads.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md

@@ -1,2 +0,0 @@
-lgtm
-* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.

cpp/change-notes/2021-06-30-wrong-type-format-argument.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.

cpp/ql/examples/qlpack.yml

@@ -1,4 +1,3 @@
-name: codeql/cpp-examples
+name: codeql-cpp-examples
 version: 0.0.0
-dependencies:
-  codeql/cpp-all: ^0.0.1
+libraryPathDependencies: codeql-cpp

cpp/ql/lib/qlpack.lock.yml

@@ -1,4 +0,0 @@
----
-dependencies: {}
-compiled: false
-lockVersion: 1.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +0,0 @@
-name: codeql/cpp-all
-version: 0.0.2
-dbscheme: semmlecode.cpp.dbscheme
-extractor: cpp
-library: true

cpp/ql/lib/semmle/code/cpp/commons/CommonType.qll

@@ -1,441 +0,0 @@
-import semmle.code.cpp.Type
-
-/**
- * The C/C++ `char*` type.
- */
-class CharPointerType extends PointerType {
-  CharPointerType() { this.getBaseType() instanceof CharType }
-
-  override string getAPrimaryQlClass() { result = "CharPointerType" }
-}
-
-/**
- * The C/C++ `int*` type.
- */
-class IntPointerType extends PointerType {
-  IntPointerType() { this.getBaseType() instanceof IntType }
-
-  override string getAPrimaryQlClass() { result = "IntPointerType" }
-}
-
-/**
- * The C/C++ `void*` type.
- */
-class VoidPointerType extends PointerType {
-  VoidPointerType() { this.getBaseType() instanceof VoidType }
-
-  override string getAPrimaryQlClass() { result = "VoidPointerType" }
-}
-
-/**
- * The C/C++ `size_t` type.
- */
-class Size_t extends Type {
-  Size_t() {
-    this.getUnderlyingType() instanceof IntegralType and
-    this.hasName("size_t")
-  }
-
-  override string getAPrimaryQlClass() { result = "Size_t" }
-}
-
-/**
- * The C/C++ `ssize_t` type.
- */
-class Ssize_t extends Type {
-  Ssize_t() {
-    this.getUnderlyingType() instanceof IntegralType and
-    this.hasName("ssize_t")
-  }
-
-  override string getAPrimaryQlClass() { result = "Ssize_t" }
-}
-
-/**
- * The C/C++ `ptrdiff_t` type.
- */
-class Ptrdiff_t extends Type {
-  Ptrdiff_t() {
-    this.getUnderlyingType() instanceof IntegralType and
-    this.hasName("ptrdiff_t")
-  }
-
-  override string getAPrimaryQlClass() { result = "Ptrdiff_t" }
-}
-
-/**
- * A parent class representing C/C++ a typedef'd `UserType` such as `int8_t`.
- */
-abstract private class IntegralUnderlyingUserType extends UserType {
-  IntegralUnderlyingUserType() { this.getUnderlyingType() instanceof IntegralType }
-}
-
-abstract private class TFixedWidthIntegralType extends IntegralUnderlyingUserType { }
-
-/**
- * A C/C++ fixed-width numeric type, such as `int8_t`.
- */
-class FixedWidthIntegralType extends TFixedWidthIntegralType {
-  FixedWidthIntegralType() { this instanceof TFixedWidthIntegralType }
-}
-
-abstract private class TMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
-
-/**
- * A C/C++ minimum-width numeric type, such as `int_least8_t`.
- */
-class MinimumWidthIntegralType extends TMinimumWidthIntegralType {
-  MinimumWidthIntegralType() { this instanceof TMinimumWidthIntegralType }
-}
-
-abstract private class TFastestMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
-
-/**
- * A C/C++ minimum-width numeric type, representing the fastest integer type with a
- * width of at least `N` such as `int_fast8_t`.
- */
-class FastestMinimumWidthIntegralType extends TFastestMinimumWidthIntegralType {
-  FastestMinimumWidthIntegralType() { this instanceof TFastestMinimumWidthIntegralType }
-}
-
-abstract private class TMaximumWidthIntegralType extends IntegralUnderlyingUserType { }
-
-/**
- * A C/C++ maximum-width numeric type, either `intmax_t` or `uintmax_t`.
- */
-class MaximumWidthIntegralType extends TMaximumWidthIntegralType {
-  MaximumWidthIntegralType() { this instanceof TMaximumWidthIntegralType }
-}
-
-/**
- * An enum type based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`
- */
-class FixedWidthEnumType extends UserType {
-  FixedWidthEnumType() { this.(Enum).getExplicitUnderlyingType() instanceof FixedWidthIntegralType }
-}
-
-/**
- *  The C/C++ `int8_t` type.
- */
-class Int8_t extends TFixedWidthIntegralType {
-  Int8_t() { this.hasGlobalOrStdName("int8_t") }
-
-  override string getAPrimaryQlClass() { result = "Int8_t" }
-}
-
-/**
- *  The C/C++ `int16_t` type.
- */
-class Int16_t extends TFixedWidthIntegralType {
-  Int16_t() { this.hasGlobalOrStdName("int16_t") }
-
-  override string getAPrimaryQlClass() { result = "Int16_t" }
-}
-
-/**
- *  The C/C++ `int32_t` type.
- */
-class Int32_t extends TFixedWidthIntegralType {
-  Int32_t() { this.hasGlobalOrStdName("int32_t") }
-
-  override string getAPrimaryQlClass() { result = "Int32_t" }
-}
-
-/**
- *  The C/C++ `int64_t` type.
- */
-class Int64_t extends TFixedWidthIntegralType {
-  Int64_t() { this.hasGlobalOrStdName("int64_t") }
-
-  override string getAPrimaryQlClass() { result = "Int64_t" }
-}
-
-/**
- *  The C/C++ `uint8_t` type.
- */
-class UInt8_t extends TFixedWidthIntegralType {
-  UInt8_t() { this.hasGlobalOrStdName("uint8_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt8_t" }
-}
-
-/**
- *  The C/C++ `uint16_t` type.
- */
-class UInt16_t extends TFixedWidthIntegralType {
-  UInt16_t() { this.hasGlobalOrStdName("uint16_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt16_t" }
-}
-
-/**
- *  The C/C++ `uint32_t` type.
- */
-class UInt32_t extends TFixedWidthIntegralType {
-  UInt32_t() { this.hasGlobalOrStdName("uint32_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt32_t" }
-}
-
-/**
- *  The C/C++ `uint64_t` type.
- */
-class UInt64_t extends TFixedWidthIntegralType {
-  UInt64_t() { this.hasGlobalOrStdName("uint64_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt64_t" }
-}
-
-/**
- *  The C/C++ `int_least8_t` type.
- */
-class Int_least8_t extends TMinimumWidthIntegralType {
-  Int_least8_t() { this.hasGlobalOrStdName("int_least8_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_least8_t" }
-}
-
-/**
- *  The C/C++ `int_least16_t` type.
- */
-class Int_least16_t extends TMinimumWidthIntegralType {
-  Int_least16_t() { this.hasGlobalOrStdName("int_least16_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_least16_t" }
-}
-
-/**
- *  The C/C++ `int_least32_t` type.
- */
-class Int_least32_t extends TMinimumWidthIntegralType {
-  Int_least32_t() { this.hasGlobalOrStdName("int_least32_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_least32_t" }
-}
-
-/**
- *  The C/C++ `int_least64_t` type.
- */
-class Int_least64_t extends TMinimumWidthIntegralType {
-  Int_least64_t() { this.hasGlobalOrStdName("int_least64_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_least64_t" }
-}
-
-/**
- *  The C/C++ `uint_least8_t` type.
- */
-class UInt_least8_t extends TMinimumWidthIntegralType {
-  UInt_least8_t() { this.hasGlobalOrStdName("uint_least8_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_least8_t" }
-}
-
-/**
- *  The C/C++ `uint_least16_t` type.
- */
-class UInt_least16_t extends TMinimumWidthIntegralType {
-  UInt_least16_t() { this.hasGlobalOrStdName("uint_least16_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_least16_t" }
-}
-
-/**
- *  The C/C++ `uint_least32_t` type.
- */
-class UInt_least32_t extends TMinimumWidthIntegralType {
-  UInt_least32_t() { this.hasGlobalOrStdName("uint_least32_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_least32_t" }
-}
-
-/**
- *  The C/C++ `uint_least64_t` type.
- */
-class UInt_least64_t extends TMinimumWidthIntegralType {
-  UInt_least64_t() { this.hasGlobalOrStdName("uint_least64_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_least64_t" }
-}
-
-/**
- *  The C/C++ `int_fast8_t` type.
- */
-class Int_fast8_t extends TFastestMinimumWidthIntegralType {
-  Int_fast8_t() { this.hasGlobalOrStdName("int_fast8_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_fast8_t" }
-}
-
-/**
- *  The C/C++ `int_fast16_t` type.
- */
-class Int_fast16_t extends TFastestMinimumWidthIntegralType {
-  Int_fast16_t() { this.hasGlobalOrStdName("int_fast16_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_fast16_t" }
-}
-
-/**
- *  The C/C++ `int_fast32_t` type.
- */
-class Int_fast32_t extends TFastestMinimumWidthIntegralType {
-  Int_fast32_t() { this.hasGlobalOrStdName("int_fast32_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_fast32_t" }
-}
-
-/**
- *  The C/C++ `int_fast64_t` type.
- */
-class Int_fast64_t extends TFastestMinimumWidthIntegralType {
-  Int_fast64_t() { this.hasGlobalOrStdName("int_fast64_t") }
-
-  override string getAPrimaryQlClass() { result = "Int_fast64_t" }
-}
-
-/**
- *  The C/C++ `uint_fast8_t` type.
- */
-class UInt_fast8_t extends TFastestMinimumWidthIntegralType {
-  UInt_fast8_t() { this.hasGlobalOrStdName("uint_fast8_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_fast8_t" }
-}
-
-/**
- *  The C/C++ `uint_fast16_t` type.
- */
-class UInt_fast16_t extends TFastestMinimumWidthIntegralType {
-  UInt_fast16_t() { this.hasGlobalOrStdName("uint_fast16_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_fast16_t" }
-}
-
-/**
- *  The C/C++ `uint_fast32_t` type.
- */
-class UInt_fast32_t extends TFastestMinimumWidthIntegralType {
-  UInt_fast32_t() { this.hasGlobalOrStdName("uint_fast32_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_fast32_t" }
-}
-
-/**
- *  The C/C++ `uint_fast64_t` type.
- */
-class UInt_fast64_t extends TFastestMinimumWidthIntegralType {
-  UInt_fast64_t() { this.hasGlobalOrStdName("uint_fast64_t") }
-
-  override string getAPrimaryQlClass() { result = "UInt_fast64_t" }
-}
-
-/**
- * The C/C++ `intmax_t` type.
- */
-class Intmax_t extends TMaximumWidthIntegralType {
-  Intmax_t() { this.hasGlobalOrStdName("intmax_t") }
-
-  override string getAPrimaryQlClass() { result = "Intmax_t" }
-}
-
-/**
- * The C/C++ `uintmax_t` type.
- */
-class Uintmax_t extends TMaximumWidthIntegralType {
-  Uintmax_t() { this.hasGlobalOrStdName("uintmax_t") }
-
-  override string getAPrimaryQlClass() { result = "Uintmax_t" }
-}
-
-/**
- * The C/C++ `wchar_t` type.
- *
- * Note that on some platforms `wchar_t` doesn't exist as a built-in
- * type but a typedef is provided.  This QL class includes both cases
- * (see also `WideCharType`).
- */
-class Wchar_t extends Type {
-  Wchar_t() {
-    this.getUnderlyingType() instanceof IntegralType and
-    this.hasName("wchar_t")
-  }
-
-  override string getAPrimaryQlClass() { result = "Wchar_t" }
-}
-
-/**
- * The type that the Microsoft C/C++ `__int8` type specifier is a
- * synonym for.  Note that since `__int8` is not a distinct type,
- * `MicrosoftInt8Type` corresponds to an existing `IntegralType` as
- * well.
- *
- * This class is meaningless if a Microsoft compiler was not used.
- */
-class MicrosoftInt8Type extends IntegralType {
-  MicrosoftInt8Type() {
-    this instanceof CharType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
-  }
-}
-
-/**
- * The type that the Microsoft C/C++ `__int16` type specifier is a
- * synonym for.  Note that since `__int16` is not a distinct type,
- * `MicrosoftInt16Type` corresponds to an existing `IntegralType` as
- * well.
- *
- * This class is meaningless if a Microsoft compiler was not used.
- */
-class MicrosoftInt16Type extends IntegralType {
-  MicrosoftInt16Type() {
-    this instanceof ShortType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
-  }
-}
-
-/**
- * The type that the Microsoft C/C++ `__int32` type specifier is a
- * synonym for.  Note that since `__int32` is not a distinct type,
- * `MicrosoftInt32Type` corresponds to an existing `IntegralType` as
- * well.
- *
- * This class is meaningless if a Microsoft compiler was not used.
- */
-class MicrosoftInt32Type extends IntegralType {
-  MicrosoftInt32Type() {
-    this instanceof IntType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
-  }
-}
-
-/**
- * The type that the Microsoft C/C++ `__int64` type specifier is a
- * synonym for.  Note that since `__int64` is not a distinct type,
- * `MicrosoftInt64Type` corresponds to an existing `IntegralType` as
- * well.
- *
- * This class is meaningless if a Microsoft compiler was not used.
- */
-class MicrosoftInt64Type extends IntegralType {
-  MicrosoftInt64Type() {
-    this instanceof LongLongType and
-    not isExplicitlyUnsigned() and
-    not isExplicitlySigned()
-  }
-}
-
-/**
- * The `__builtin_va_list` type, used to provide variadic functionality.
- *
- * This is a complement to the `__builtin_va_start`, `__builtin_va_end`,
- * `__builtin_va_copy` and `__builtin_va_arg` expressions.
- */
-class BuiltInVarArgsList extends Type {
-  BuiltInVarArgsList() { this.hasName("__builtin_va_list") }
-
-  override string getAPrimaryQlClass() { result = "BuiltInVarArgsList" }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll

@@ -1,33 +0,0 @@
-/**
- * Print the dataflow local store steps in IR dumps.
- */
-
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
-private import PrintIRUtilities
-
-/**
- * Property provider for local IR dataflow store steps.
- */
-class LocalFlowPropertyProvider extends IRPropertyProvider {
-  override string getInstructionProperty(Instruction instruction, string key) {
-    exists(DataFlow::Node objectNode, Content content |
-      key = "content[" + content.toString() + "]" and
-      instruction = objectNode.asInstruction() and
-      result =
-        strictconcat(string element, DataFlow::Node fieldNode |
-          storeStep(fieldNode, content, objectNode) and
-          element = nodeId(fieldNode, _, _)
-        |
-          element, ", "
-        )
-    )
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -1,39 +0,0 @@
-/**
- * Shared utilities used when printing dataflow annotations in IR dumps.
- */
-
-private import cpp
-// The `ValueNumbering` library has to be imported right after `cpp` to ensure
-// that the cached IR gets the same checksum here as it does in queries that use
-// `ValueNumbering` without `DataFlow`.
-private import semmle.code.cpp.ir.ValueNumbering
-private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.DataFlow
-
-/**
- * Gets a short ID for an IR dataflow node.
- * - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
- * - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
- *   instruction and a dot (e.g. `m128.left`).
- * - For `Variable`s, this is the qualified name of the variable.
- */
-string nodeId(DataFlow::Node node, int order1, int order2) {
-  exists(Instruction instruction | instruction = node.asInstruction() |
-    result = instruction.getResultId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  exists(Operand operand, Instruction instruction |
-    operand = node.asOperand() and
-    instruction = operand.getUse()
-  |
-    result = instruction.getResultId() + "." + operand.getDumpId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  result = "var(" + node.asVariable().getQualifiedName() + ")" and
-  order1 = 1000000 and
-  order2 = 0
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll

@@ -1,120 +0,0 @@
-/**
- * Provides an implementation of global (interprocedural) taint tracking.
- * This file re-exports the local (intraprocedural) taint-tracking analysis
- * from `TaintTrackingParameter::Public` and adds a global analysis, mainly
- * exposed through the `Configuration` class. For some languages, this file
- * exists in several identical copies, allowing queries to use multiple
- * `Configuration` classes that depend on each other without introducing
- * mutual recursion among those configurations.
- */
-
-import TaintTrackingParameter::Public
-private import TaintTrackingParameter::Private
-
-/**
- * A configuration of interprocedural taint tracking analysis. This defines
- * sources, sinks, and any other configurable aspect of the analysis. Each
- * use of the taint tracking library must define its own unique extension of
- * this abstract class.
- *
- * A taint-tracking configuration is a special data flow configuration
- * (`DataFlow::Configuration`) that allows for flow through nodes that do not
- * necessarily preserve values but are still relevant from a taint tracking
- * perspective. (For example, string concatenation, where one of the operands
- * is tainted.)
- *
- * To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string. For example, write
- *
- * ```ql
- * class MyAnalysisConfiguration extends TaintTracking::Configuration {
- *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
- *   // Override `isSource` and `isSink`.
- *   // Optionally override `isSanitizer`.
- *   // Optionally override `isSanitizerIn`.
- *   // Optionally override `isSanitizerOut`.
- *   // Optionally override `isSanitizerGuard`.
- *   // Optionally override `isAdditionalTaintStep`.
- * }
- * ```
- *
- * Then, to query whether there is flow between some `source` and `sink`,
- * write
- *
- * ```ql
- * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
- * ```
- *
- * Multiple configurations can coexist, but it is unsupported to depend on
- * another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
- * overridden predicates that define sources, sinks, or additional steps.
- * Instead, the dependency should go to a `TaintTracking2::Configuration` or a
- * `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
- */
-abstract class Configuration extends DataFlow::Configuration {
-  bindingset[this]
-  Configuration() { any() }
-
-  /**
-   * Holds if `source` is a relevant taint source.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
-
-  /**
-   * Holds if `sink` is a relevant taint sink.
-   *
-   * The smaller this predicate is, the faster `hasFlow()` will converge.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
-
-  /** Holds if the node `node` is a taint sanitizer. */
-  predicate isSanitizer(DataFlow::Node node) { none() }
-
-  final override predicate isBarrier(DataFlow::Node node) {
-    isSanitizer(node) or
-    defaultTaintSanitizer(node)
-  }
-
-  /** Holds if taint propagation into `node` is prohibited. */
-  predicate isSanitizerIn(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
-
-  /** Holds if taint propagation out of `node` is prohibited. */
-  predicate isSanitizerOut(DataFlow::Node node) { none() }
-
-  final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
-
-  /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
-
-  /**
-   * Holds if the additional taint propagation step from `node1` to `node2`
-   * must be taken into account in the analysis.
-   */
-  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
-
-  final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalTaintStep(node1, node2) or
-    defaultAdditionalTaintStep(node1, node2)
-  }
-
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
-    defaultImplicitTaintRead(node, c)
-  }
-
-  /**
-   * Holds if taint may flow from `source` to `sink` for this configuration.
-   */
-  // overridden to provide taint-tracking specific qldoc
-  override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-    super.hasFlow(source, sink)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll

@@ -1,19 +0,0 @@
-/**
- * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
- */
-
-private import AliasAnalysisInternal
-private import InputIR
-private import AliasAnalysisImports
-private import AliasAnalysis
-private import semmle.code.cpp.ir.internal.IntegerConstant
-
-private class AliasPropertyProvider extends IRPropertyProvider {
-  override string getOperandProperty(Operand operand, string key) {
-    result = Print::getOperandProperty(operand, key)
-  }
-
-  override string getInstructionProperty(Instruction instr, string key) {
-    result = Print::getInstructionProperty(instr, key)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -1,169 +0,0 @@
-/**
- * Predicates to compute the modeled side effects of calls during IR construction.
- *
- * These are used in `TranslatedElement.qll` to generate the `TTranslatedSideEffect` instances, and
- * also in `TranslatedCall.qll` to inject the actual side effect instructions.
- */
-
-private import cpp
-private import semmle.code.cpp.ir.implementation.Opcode
-private import semmle.code.cpp.models.interfaces.PointerWrapper
-private import semmle.code.cpp.models.interfaces.SideEffect
-
-private predicate isDeeplyConst(Type t) {
-  t.isConst() and
-  isDeeplyConstBelow(t)
-  or
-  isDeeplyConst(t.(Decltype).getBaseType())
-  or
-  isDeeplyConst(t.(ReferenceType).getBaseType())
-  or
-  exists(SpecifiedType specType | specType = t |
-    specType.getASpecifier().getName() = "const" and
-    isDeeplyConstBelow(specType.getBaseType())
-  )
-  or
-  isDeeplyConst(t.(ArrayType).getBaseType())
-}
-
-private predicate isDeeplyConstBelow(Type t) {
-  t instanceof BuiltInType
-  or
-  not t instanceof PointerWrapper and
-  t instanceof Class
-  or
-  t instanceof Enum
-  or
-  isDeeplyConstBelow(t.(Decltype).getBaseType())
-  or
-  isDeeplyConst(t.(PointerType).getBaseType())
-  or
-  isDeeplyConst(t.(ReferenceType).getBaseType())
-  or
-  isDeeplyConstBelow(t.(SpecifiedType).getBaseType())
-  or
-  isDeeplyConst(t.(ArrayType).getBaseType())
-  or
-  isDeeplyConst(t.(GNUVectorType).getBaseType())
-  or
-  isDeeplyConst(t.(FunctionPointerIshType).getBaseType())
-  or
-  isDeeplyConst(t.(PointerWrapper).getTemplateArgument(0))
-  or
-  isDeeplyConst(t.(PointerToMemberType).getBaseType())
-  or
-  isDeeplyConstBelow(t.(TypedefType).getBaseType())
-}
-
-private predicate isConstPointerLike(Type t) {
-  (
-    t instanceof PointerWrapper
-    or
-    t instanceof PointerType
-    or
-    t instanceof ArrayType
-    or
-    t instanceof ReferenceType
-  ) and
-  isDeeplyConstBelow(t)
-}
-
-/**
- * Holds if the specified call has a side effect that does not come from a `SideEffectFunction`
- * model.
- */
-private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buffer, boolean isWrite) {
-  not call.getTarget() instanceof SideEffectFunction and
-  (
-    exists(MemberFunction mfunc |
-      // A non-static member function, including a constructor or destructor, may write to `*this`,
-      // and may also read from `*this` if it is not a constructor.
-      i = -1 and
-      mfunc = call.getTarget() and
-      not mfunc.isStatic() and
-      buffer = false and
-      (
-        isWrite = false and not mfunc instanceof Constructor
-        or
-        isWrite = true and not mfunc instanceof ConstMemberFunction
-      )
-    )
-    or
-    exists(Expr expr |
-      // A pointer-like argument is assumed to read from the pointed-to buffer, and may write to the
-      // buffer as well unless the pointer points to a `const` value.
-      i >= 0 and
-      buffer = true and
-      expr = call.getArgument(i).getFullyConverted() and
-      exists(Type t | t = expr.getUnspecifiedType() |
-        t instanceof ArrayType or
-        t instanceof PointerType or
-        t instanceof ReferenceType or
-        t instanceof PointerWrapper
-      ) and
-      (
-        isWrite = true and
-        not isConstPointerLike(call.getTarget().getParameter(i).getUnderlyingType())
-        or
-        isWrite = false
-      )
-    )
-  )
-}
-
-/**
- * Returns a side effect opcode for parameter index `i` of the specified call.
- *
- * This predicate will return at most two results: one read side effect, and one write side effect.
- */
-Opcode getASideEffectOpcode(Call call, ParameterIndex i) {
-  exists(boolean buffer |
-    (
-      call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(i, buffer)
-      or
-      not call.getTarget() instanceof SideEffectFunction and
-      hasDefaultSideEffect(call, i, buffer, false)
-    ) and
-    if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(i))
-    then (
-      buffer = true and
-      result instanceof Opcode::SizedBufferReadSideEffect
-    ) else (
-      buffer = false and result instanceof Opcode::IndirectReadSideEffect
-      or
-      buffer = true and result instanceof Opcode::BufferReadSideEffect
-    )
-  )
-  or
-  exists(boolean buffer, boolean mustWrite |
-    (
-      call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(i, buffer, mustWrite)
-      or
-      not call.getTarget() instanceof SideEffectFunction and
-      hasDefaultSideEffect(call, i, buffer, true) and
-      mustWrite = false
-    ) and
-    if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(i))
-    then (
-      buffer = true and
-      mustWrite = false and
-      result instanceof Opcode::SizedBufferMayWriteSideEffect
-      or
-      buffer = true and
-      mustWrite = true and
-      result instanceof Opcode::SizedBufferMustWriteSideEffect
-    ) else (
-      buffer = false and
-      mustWrite = false and
-      result instanceof Opcode::IndirectMayWriteSideEffect
-      or
-      buffer = false and
-      mustWrite = true and
-      result instanceof Opcode::IndirectMustWriteSideEffect
-      or
-      buffer = true and mustWrite = false and result instanceof Opcode::BufferMayWriteSideEffect
-      or
-      buffer = true and mustWrite = true and result instanceof Opcode::BufferMustWriteSideEffect
-    )
-  )
-}

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll

@@ -1,19 +0,0 @@
-/**
- * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
- */
-
-private import AliasAnalysisInternal
-private import InputIR
-private import AliasAnalysisImports
-private import AliasAnalysis
-private import semmle.code.cpp.ir.internal.IntegerConstant
-
-private class AliasPropertyProvider extends IRPropertyProvider {
-  override string getOperandProperty(Operand operand, string key) {
-    result = Print::getOperandProperty(operand, key)
-  }
-
-  override string getInstructionProperty(Instruction instr, string key) {
-    result = Print::getInstructionProperty(instr, key)
-  }
-}

cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll

@@ -1,70 +0,0 @@
-private newtype TOverlap =
-  TMayPartiallyOverlap() or
-  TMustTotallyOverlap() or
-  TMustExactlyOverlap()
-
-/**
- * Represents a possible overlap between two memory ranges.
- */
-abstract class Overlap extends TOverlap {
-  abstract string toString();
-
-  /**
-   * Gets a value representing how precise this overlap is. The higher the value, the more precise
-   * the overlap. The precision values are ordered as
-   * follows, from most to least precise:
-   * `MustExactlyOverlap`
-   * `MustTotallyOverlap`
-   * `MayPartiallyOverlap`
-   */
-  abstract int getPrecision();
-}
-
-/**
- * Represents a partial overlap between two memory ranges, which may or may not
- * actually occur in practice.
- */
-class MayPartiallyOverlap extends Overlap, TMayPartiallyOverlap {
-  final override string toString() { result = "MayPartiallyOverlap" }
-
-  final override int getPrecision() { result = 0 }
-}
-
-/**
- * Represents an overlap in which the first memory range is known to include all
- * bits of the second memory range, but may be larger or have a different type.
- */
-class MustTotallyOverlap extends Overlap, TMustTotallyOverlap {
-  final override string toString() { result = "MustTotallyOverlap" }
-
-  final override int getPrecision() { result = 1 }
-}
-
-/**
- * Represents an overlap between two memory ranges that have the same extent and
- * the same type.
- */
-class MustExactlyOverlap extends Overlap, TMustExactlyOverlap {
-  final override string toString() { result = "MustExactlyOverlap" }
-
-  final override int getPrecision() { result = 2 }
-}
-
-/**
- * Gets the `Overlap` that best represents the relationship between two memory locations `a` and
- * `c`, where `getOverlap(a, b) = previousOverlap` and `getOverlap(b, c) = newOverlap`, for some
- * intermediate memory location `b`.
- */
-Overlap combineOverlap(Overlap previousOverlap, Overlap newOverlap) {
-  // Note that it's possible that two less precise overlaps could combine to result in a more
-  // precise overlap. For example, both `previousOverlap` and `newOverlap` could be
-  // `MustTotallyOverlap` even though the actual relationship between `a` and `c` is
-  // `MustExactlyOverlap`. We will still return `MustTotallyOverlap` as the best conservative
-  // approximation we can make without additional input information.
-  result =
-    min(Overlap overlap |
-      overlap = [previousOverlap, newOverlap]
-    |
-      overlap order by overlap.getPrecision()
-    )
-}

cpp/ql/lib/semmle/code/cpp/models/implementations/SmartPointer.qll

@@ -1,167 +0,0 @@
-import semmle.code.cpp.models.interfaces.Alias
-import semmle.code.cpp.models.interfaces.SideEffect
-import semmle.code.cpp.models.interfaces.Taint
-import semmle.code.cpp.models.interfaces.DataFlow
-import semmle.code.cpp.models.interfaces.PointerWrapper
-
-/**
- * The `std::shared_ptr`, `std::weak_ptr`, and `std::unique_ptr` template classes.
- */
-private class SmartPtr extends Class, PointerWrapper {
-  SmartPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "weak_ptr", "unique_ptr"]) }
-
-  override MemberFunction getAnUnwrapperFunction() {
-    result.(OverloadedPointerDereferenceFunction).getDeclaringType() = this
-    or
-    result.getClassAndName(["operator->", "get"]) = this
-  }
-
-  override predicate pointsToConst() { this.getTemplateArgument(0).(Type).isConst() }
-}
-
-/**
- * Any function that returns the address wrapped by a `PointerWrapper`, whether as a pointer or a
- * reference.
- *
- * Examples:
- * - `std::unique_ptr<T>::get()`
- * - `std::shared_ptr<T>::operator->()`
- * - `std::weak_ptr<T>::operator*()`
- */
-private class PointerUnwrapperFunction extends MemberFunction, TaintFunction, DataFlowFunction,
-  SideEffectFunction, AliasFunction {
-  PointerUnwrapperFunction() {
-    exists(PointerWrapper wrapper | wrapper.getAnUnwrapperFunction() = this)
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and output.isReturnValue()
-  }
-
-  override predicate hasOnlySpecificReadSideEffects() { any() }
-
-  override predicate hasOnlySpecificWriteSideEffects() { any() }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    // Only reads from `*this`.
-    i = -1 and buffer = false
-  }
-
-  override predicate parameterNeverEscapes(int index) { index = -1 }
-
-  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
-
-  override predicate hasAddressFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and output.isReturnValue()
-  }
-}
-
-/**
- * The `std::make_shared` and `std::make_unique` template functions.
- */
-private class MakeUniqueOrShared extends TaintFunction {
-  MakeUniqueOrShared() { this.hasQualifiedName(["bsl", "std"], ["make_shared", "make_unique"]) }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // Exclude the specializations of `std::make_shared` and `std::make_unique` that allocate arrays
-    // since these just take a size argument, which we don't want to propagate taint through.
-    not this.isArray() and
-    (
-      input.isParameter([0 .. getNumberOfParameters() - 1])
-      or
-      input.isParameterDeref([0 .. getNumberOfParameters() - 1])
-    ) and
-    output.isReturnValue()
-  }
-
-  /**
-   * Holds if the function returns a `shared_ptr<T>` (or `unique_ptr<T>`) where `T` is an
-   * array type (i.e., `U[]` for some type `U`).
-   */
-  predicate isArray() {
-    this.getTemplateArgument(0).(Type).getUnderlyingType() instanceof ArrayType
-  }
-}
-
-/**
- * A function that sets the value of a smart pointer.
- *
- * This could be a constructor, an assignment operator, or a named member function like `reset()`.
- */
-private class SmartPtrSetterFunction extends MemberFunction, AliasFunction, SideEffectFunction {
-  SmartPtrSetterFunction() {
-    this.getDeclaringType() instanceof SmartPtr and
-    not this.isStatic() and
-    (
-      this instanceof Constructor
-      or
-      this.hasName("operator=")
-      or
-      this.hasName("reset")
-    )
-  }
-
-  override predicate hasOnlySpecificReadSideEffects() { none() }
-
-  override predicate hasOnlySpecificWriteSideEffects() { none() }
-
-  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
-    // Always write to the destination smart pointer itself.
-    i = -1 and buffer = false and mustWrite = true
-    or
-    // When taking ownership of a smart pointer via an rvalue reference, always overwrite the input
-    // smart pointer.
-    getPointerInput().isParameterDeref(i) and
-    this.getParameter(i).getUnspecifiedType() instanceof RValueReferenceType and
-    buffer = false and
-    mustWrite = true
-  }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    getPointerInput().isParameterDeref(i) and
-    buffer = false
-    or
-    not this instanceof Constructor and
-    i = -1 and
-    buffer = false
-  }
-
-  override predicate parameterNeverEscapes(int index) { index = -1 }
-
-  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
-
-  override predicate hasAddressFlow(FunctionInput input, FunctionOutput output) {
-    input = getPointerInput() and
-    output.isQualifierObject()
-    or
-    // Assignment operator always returns a reference to `*this`.
-    this.hasName("operator=") and
-    input.isQualifierAddress() and
-    output.isReturnValue()
-  }
-
-  private FunctionInput getPointerInput() {
-    exists(Parameter param0 | param0 = this.getParameter(0) |
-      (
-        param0.getUnspecifiedType().(ReferenceType).getBaseType() instanceof SmartPtr and
-        if this.getParameter(1).getUnspecifiedType() instanceof PointerType
-        then
-          // This is one of the constructors of `std::shared_ptr<T>` that creates a smart pointer that
-          // wraps a raw pointer with ownership controlled by an unrelated smart pointer. We propagate
-          // the raw pointer in the second parameter, rather than the smart pointer in the first
-          // parameter.
-          result.isParameter(1)
-        else result.isParameterDeref(0)
-        or
-        // One of the functions that takes ownership of a raw pointer.
-        param0.getUnspecifiedType() instanceof PointerType and
-        result.isParameter(0)
-      )
-    )
-  }
-}

cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
- * @security-severity 8.2
  * @precision medium
  * @tags reliability
  *       security

cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.qhelp

@@ -39,7 +39,7 @@ then replace all the relevant occurrences in the code.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.qhelp

@@ -38,7 +38,7 @@ constant.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

cpp/ql/src/Best Practices/SloppyGlobal.qhelp

@@ -21,7 +21,7 @@ Review the purpose of the each global variable flagged by this rule and update e
 
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 1: Naming, Rec 1.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 1: Naming, Rec 1.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.

cpp/ql/src/Best Practices/UseOfGoto.qhelp

@@ -45,7 +45,7 @@ this rule.
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
-  (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
+  (<a href="http://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.

cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/descriptor-may-not-be-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/DescriptorNeverClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/descriptor-never-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileMayNotBeClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/file-may-not-be-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/FileNeverClosed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/file-never-closed
  * @problem.severity warning
- * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775

cpp/ql/src/Critical/GlobalUseBeforeInit.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/global-use-before-init
  * @problem.severity warning
- * @security-severity 7.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-457

cpp/ql/src/Critical/InconsistentNullnessTesting.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/inconsistent-nullness-testing
  * @problem.severity warning
- * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/InitialisationNotRun.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/initialization-not-run
  * @problem.severity warning
- * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-456

cpp/ql/src/Critical/LateNegativeTest.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/late-negative-test
  * @problem.severity warning
- * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MemoryMayNotBeFreed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/memory-may-not-be-freed
  * @problem.severity warning
- * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MemoryNeverFreed.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/memory-never-freed
  * @problem.severity warning
- * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401

cpp/ql/src/Critical/MissingNegativityTest.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/missing-negativity-test
  * @problem.severity warning
- * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823

cpp/ql/src/Critical/MissingNullTest.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/missing-null-test
  * @problem.severity recommendation
- * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476

cpp/ql/src/Critical/NewArrayDeleteMismatch.ql

@@ -8,7 +8,7 @@
  * @tags reliability
  */
 
-import Critical.NewDelete
+import NewDelete
 
 from Expr alloc, Expr free, Expr freed
 where

cpp/ql/src/Critical/NewDeleteArrayMismatch.ql

@@ -8,7 +8,7 @@
  * @tags reliability
  */
 
-import Critical.NewDelete
+import NewDelete
 
 from Expr alloc, Expr free, Expr freed
 where

cpp/ql/src/Critical/NewFreeMismatch.ql

@@ -3,7 +3,6 @@
  * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
  * @kind problem
  * @problem.severity warning
- * @security-severity 7.5
  * @precision high
  * @id cpp/new-free-mismatch
  * @tags reliability
@@ -11,7 +10,7 @@
  *       external/cwe/cwe-401
  */
 
-import Critical.NewDelete
+import NewDelete
 
 /**
  * Holds if `allocKind` and `freeKind` indicate corresponding

cpp/ql/src/Critical/OverflowCalculated.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/overflow-calculated
  * @problem.severity warning
- * @security-severity 9.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-131

cpp/ql/src/Critical/OverflowDestination.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/overflow-destination
  * @problem.severity warning
- * @security-severity 9.3
  * @precision low
  * @tags reliability
  *       security

cpp/ql/src/Critical/OverflowStatic.ql

@@ -4,7 +4,6 @@
  *              may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 9.3
  * @precision medium
  * @id cpp/static-buffer-overflow
  * @tags reliability
@@ -15,7 +14,6 @@
 
 import cpp
 import semmle.code.cpp.commons.Buffer
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import LoopBounds
 
 private predicate staticBufferBase(VariableAccess access, Variable v) {
@@ -53,8 +51,6 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
     loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
     loop.limit() >= bufaccess.bufferSize() and
     loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
-    // Ensure that we don't have an upper bound on the array index that's less than the buffer size.
-    not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
     msg =
       "Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
         loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -98,22 +94,17 @@ class CallWithBufferSize extends FunctionCall {
   }
 
   int statedSizeValue() {
-    // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
-    // result in this case we pick the minimum value obtainable from dataflow and range analysis.
-    result =
-      upperBound(statedSizeExpr())
-          .minimum(min(Expr statedSizeSrc |
-              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
-            |
-              statedSizeSrc.getValue().toInt()
-            ))
+    exists(Expr statedSizeSrc |
+      DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
+      result = statedSizeSrc.getValue().toInt()
+    )
   }
 }
 
 predicate wrongBufferSize(Expr error, string msg) {
   exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
     staticBuffer(call.buffer(), buf, bufsize) and
-    statedSize = call.statedSizeValue() and
+    statedSize = min(call.statedSizeValue()) and
     statedSize > bufsize and
     error = call.statedSizeExpr() and
     msg =

cpp/ql/src/Critical/ReturnStackAllocatedObject.ql

@@ -4,12 +4,9 @@
  * @kind problem
  * @id cpp/return-stack-allocated-object
  * @problem.severity warning
- * @security-severity 2.1
  * @tags reliability
  *       security
  *       external/cwe/cwe-562
- * @deprecated This query is not suitable for production use and has been deprecated. Use
- *             cpp/return-stack-allocated-memory instead.
  */
 
 import semmle.code.cpp.pointsto.PointsTo

cpp/ql/src/Critical/ReturnValueIgnored.qhelp

@@ -7,7 +7,7 @@
 <overview>
 <p>
 This rule finds calls to a function that ignore the return value. A function call is only marked 
-as a violation if at least 90% of the total calls to that function check the return value. Not
+as a violation if at least 80% of the total calls to that function check the return value. Not 
 checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
 These functions return the status information and the return values should always be checked 
 to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
@@ -32,7 +32,7 @@ Check the return value of functions that return status information.
 <references>
 
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
 </li>
 <li>
   The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.

cpp/ql/src/Critical/ReturnValueIgnored.ql

@@ -1,6 +1,6 @@
 /**
  * @name Return value of a function is ignored
- * @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
+ * @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
  * @kind problem
  * @id cpp/return-value-ignored
  * @problem.severity recommendation

cpp/ql/src/Critical/SizeCheck.ql

@@ -4,7 +4,6 @@
  *              an instance of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.1
  * @precision medium
  * @id cpp/allocation-too-small
  * @tags reliability

cpp/ql/src/Critical/SizeCheck2.ql

@@ -4,7 +4,6 @@
  *              multiple instances of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.1
  * @precision medium
  * @id cpp/suspicious-allocation-size
  * @tags reliability

cpp/ql/src/Critical/UseAfterFree.ql

@@ -4,7 +4,6 @@
  * @kind problem
  * @id cpp/use-after-free
  * @problem.severity warning
- * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-416

cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql

@@ -7,6 +7,10 @@
 
 import cpp
 
+class AnonymousCompilation extends Compilation {
+  override string toString() { result = "<compilation>" }
+}
+
 string describe(Compilation c) {
   if c.getArgument(1) = "--mimic"
   then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
@@ -15,4 +19,4 @@ string describe(Compilation c) {
 
 from Compilation c
 where not c.normalTermination()
-select "Extraction aborted for " + describe(c)
+select c, "Extraction aborted for " + describe(c), 2

cpp/ql/src/Documentation/CommentedOutCode.ql

@@ -9,7 +9,7 @@
  *       documentation
  */
 
-import Documentation.CommentedOutCode
+import CommentedOutCode
 
 from CommentedOutCode comment
 select comment, "This comment appears to contain commented-out code"

cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql

@@ -6,7 +6,6 @@
  *              to a larger type.
  * @kind problem
  * @problem.severity error
- * @security-severity 8.1
  * @precision very-high
  * @id cpp/bad-addition-overflow-check
  * @tags reliability

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -4,7 +4,6 @@
  *              be a sign that the result can overflow the type converted from.
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.1
  * @precision high
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability

cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql

@@ -5,13 +5,10 @@
  *              unsigned integer values.
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.1
  * @precision high
  * @id cpp/signed-overflow-check
  * @tags correctness
  *       security
- *       external/cwe/cwe-128
- *       external/cwe/cwe-190
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql

@@ -6,14 +6,13 @@
  *              use the width of the base type, leading to misaligned reads.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 9.3
  * @precision high
- * @id cpp/upcast-array-pointer-arithmetic
  * @tags correctness
  *       reliability
  *       security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-843
+ * @id cpp/upcast-array-pointer-arithmetic
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -6,7 +6,6 @@
  *              from an untrusted source, this can be used for exploits.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 9.3
  * @precision high
  * @id cpp/non-constant-format
  * @tags maintainability

cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql

@@ -3,14 +3,11 @@
  * @description Using the return value from snprintf without proper checks can cause overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.1
  * @precision high
  * @id cpp/overflowing-snprintf
  * @tags reliability
  *       correctness
  *       security
- *       external/cwe/cwe-190
- *       external/cwe/cwe-253
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql

@@ -4,13 +4,11 @@
  *              a source of security issues.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.0
  * @precision high
  * @id cpp/wrong-number-format-arguments
  * @tags reliability
  *       correctness
  *       security
- *       external/cwe/cwe-234
  *       external/cwe/cwe-685
  */
 

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -4,7 +4,6 @@
  *              behavior.
  * @kind problem
  * @problem.severity error
- * @security-severity 7.5
  * @precision high
  * @id cpp/wrong-type-format-argument
  * @tags reliability
@@ -19,32 +18,28 @@ import cpp
  * Holds if the argument corresponding to the `pos` conversion specifier
  * of `ffc` is expected to have type `expected`.
  */
+pragma[noopt]
 private predicate formattingFunctionCallExpectedType(
   FormattingFunctionCall ffc, int pos, Type expected
 ) {
-  ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
+  exists(FormattingFunction f, int i, FormatLiteral fl |
+    ffc instanceof FormattingFunctionCall and
+    ffc.getTarget() = f and
+    f.getFormatParameterIndex() = i and
+    ffc.getArgument(i) = fl and
+    fl.getConversionType(pos) = expected
+  )
 }
 
 /**
  * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` could alternatively have type `expected`, for example on a different
- * platform.
- */
-private predicate formattingFunctionCallAlternateType(
-  FormattingFunctionCall ffc, int pos, Type expected
-) {
-  ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
-}
-
-/**
- * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` is `arg` and has type `actual`.
+ * of `ffc` is expected to have type `expected` and the corresponding
+ * argument `arg` has type `actual`.
  */
 pragma[noopt]
-predicate formattingFunctionCallActualType(
-  FormattingFunctionCall ffc, int pos, Expr arg, Type actual
-) {
+predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
   exists(Expr argConverted |
+    formattingFunctionCallExpectedType(ffc, pos, expected) and
     ffc.getConversionArgument(pos) = arg and
     argConverted = arg.getFullyConverted() and
     actual = argConverted.getType()
@@ -76,8 +71,7 @@ class ExpectedType extends Type {
   ExpectedType() {
     exists(Type t |
       (
-        formattingFunctionCallExpectedType(_, _, t) or
-        formattingFunctionCallAlternateType(_, _, t) or
+        formatArgType(_, _, t, _, _) or
         formatOtherArgType(_, _, t, _, _)
       ) and
       this = t.getUnspecifiedType()
@@ -96,11 +90,7 @@ class ExpectedType extends Type {
  */
 predicate trivialConversion(ExpectedType expected, Type actual) {
   exists(Type exp, Type act |
-    (
-      formattingFunctionCallExpectedType(_, _, exp) or
-      formattingFunctionCallAlternateType(_, _, exp)
-    ) and
-    formattingFunctionCallActualType(_, _, _, act) and
+    formatArgType(_, _, exp, _, act) and
     expected = exp.getUnspecifiedType() and
     actual = act.getUnspecifiedType()
   ) and
@@ -155,13 +145,9 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
   (
-    formattingFunctionCallExpectedType(ffc, n, expected) and
-    formattingFunctionCallActualType(ffc, n, arg, actual) and
+    formatArgType(ffc, n, expected, arg, actual) and
     not exists(Type anyExpected |
-      (
-        formattingFunctionCallExpectedType(ffc, n, anyExpected) or
-        formattingFunctionCallAlternateType(ffc, n, anyExpected)
-      ) and
+      formatArgType(ffc, n, anyExpected, arg, actual) and
       trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
     )
     or

cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql

@@ -54,7 +54,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
   override predicate isWhitelisted() {
     this.getConversion().(ParenthesisExpr).isParenthesised()
     or
-    // Allow this assignment if all comparison operations in the expression that this
+    // whitelist this assignment if all comparison operations in the expression that this
     // assignment is part of, are not parenthesized. In that case it seems like programmer
     // is fine with unparenthesized comparison operands to binary logical operators, and
     // the parenthesis around this assignment was used to call it out as an assignment.
@@ -62,21 +62,6 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
     forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
       not op.isParenthesised()
     )
-    or
-    // Match a pattern like:
-    // ```
-    // if((a = b) && use_value(a)) { ... }
-    // ```
-    // where the assignment is meant to update the value of `a` before it's used in some other boolean
-    // subexpression that is guarenteed to be evaluate _after_ the assignment.
-    this.isParenthesised() and
-    exists(LogicalAndExpr parent, Variable var, VariableAccess access |
-      var = this.getLValue().(VariableAccess).getTarget() and
-      access = var.getAnAccess() and
-      not access.isUsedAsLValue() and
-      parent.getRightOperand() = access.getParent*() and
-      parent.getLeftOperand() = this.getParent*()
-    )
   }
 }
 

cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/incorrect-not-operator-usage
  * @problem.severity warning
- * @security-severity 7.5
  * @precision medium
  * @tags security
  *       external/cwe/cwe-480

cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp

@@ -26,7 +26,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
   MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
 </li>
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
 </li>
 
 

cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql

@@ -3,7 +3,6 @@
  * @description Using alloca in a loop can lead to a stack overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 7.5
  * @precision high
  * @id cpp/alloca-in-loop
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/improper-null-termination
  * @problem.severity warning
- * @security-severity 7.8
  * @tags security
  *       external/cwe/cwe-170
  *       external/cwe/cwe-665

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql

@@ -4,12 +4,10 @@
  *              on undefined behavior and may lead to memory corruption.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.1
  * @precision high
  * @id cpp/pointer-overflow-check
  * @tags reliability
  *       security
- *       external/cwe/cwe-758
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @id cpp/potential-buffer-overflow
  * @problem.severity warning
- * @security-severity 10.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-676

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -13,7 +13,6 @@
 
 import cpp
 import semmle.code.cpp.dataflow.EscapesTree
-import semmle.code.cpp.models.interfaces.PointerWrapper
 import semmle.code.cpp.dataflow.DataFlow
 
 /**
@@ -40,10 +39,6 @@ predicate hasNontrivialConversion(Expr e) {
     e instanceof ParenthesisExpr
   )
   or
-  // A smart pointer can be stack-allocated while the data it points to is heap-allocated.
-  // So we exclude such "conversions" from this predicate.
-  e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
-  or
   hasNontrivialConversion(e.getConversion())
 }
 

cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql

@@ -4,7 +4,6 @@
  *              as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 9.3
  * @precision medium
  * @id cpp/bad-strncpy-size
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql

@@ -7,7 +7,6 @@
  * @kind problem
  * @id cpp/suspicious-call-to-memset
  * @problem.severity recommendation
- * @security-severity 10.0
  * @precision medium
  * @tags reliability
  *       correctness

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.cpp

@@ -2,7 +2,3 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
 
 strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest. 
                                   //Also fails if dest is a pointer and not an array.
- 
-strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
-
-strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp

@@ -4,17 +4,7 @@
 <qhelp>
 <overview>
 <p>The standard library function <code>strncat</code> appends a source string to a target string. 
-The third argument defines the maximum number of characters to append and should be less than or equal
-to the remaining space in the destination buffer.</p>
-
-<p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
-the third argument to the entire size of the destination buffer.
-Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
-
-<p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
-byte to be written ouside the <code>dest</code> buffer.</p>
-
-<p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
+The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
 
 </overview>
 <recommendation>
@@ -35,10 +25,6 @@ byte to be written ouside the <code>dest</code> buffer.</p>
 <li>
   M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
 </li>
-<li>
-  CERT C Coding Standard:
-<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
-</li>
 
 
 </references>

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql

@@ -1,15 +1,14 @@
 /**
  * @name Potentially unsafe call to strncat
- * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
+ * @description Calling 'strncat' with the size of the destination buffer
+ *              as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 9.3
  * @precision medium
  * @id cpp/unsafe-strncat
  * @tags reliability
  *       correctness
  *       security
- *       external/cwe/cwe-788
  *       external/cwe/cwe-676
  *       external/cwe/cwe-119
  *       external/cwe/cwe-251
@@ -17,53 +16,11 @@
 
 import cpp
 import Buffer
-import semmle.code.cpp.models.implementations.Strcat
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-/**
- * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
- * destination arguments, respectively.
- */
-predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
-  exists(StrcatFunction strcat |
-    strcat = call.getTarget() and
-    sizeArg = call.getArgument(strcat.getParamSize()) and
-    destArg = call.getArgument(strcat.getParamDest())
-  )
-}
-
-/**
- * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
- * argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
- */
-predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
-  interestringCallWithArgs(fc, sizeArg, destArg) and
-  exists(VariableAccess va |
-    va = sizeArg.(BufferSizeExpr).getArg() and
-    destArg.getTarget() = va.getTarget()
-  )
-}
-
-/**
- * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
- * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
- */
-predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
-  interestringCallWithArgs(fc, sizeArg, destArg) and
-  exists(SubExpr sub, int n |
-    // The destination buffer is an array of size n
-    destArg.getUnspecifiedType().(ArrayType).getSize() = n and
-    // The size argument is equivalent to a subtraction
-    globalValueNumber(sizeArg).getAnExpr() = sub and
-    // ... where the left side of the subtraction is the constant n
-    globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
-    // ... and the right side of the subtraction is a call to `strlen` where the argument is the
-    // destination buffer.
-    globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
-      globalValueNumber(destArg).getAnExpr()
-  )
-}
-
-from FunctionCall fc, Expr sizeArg, Expr destArg
-where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
+from FunctionCall fc, VariableAccess va1, VariableAccess va2
+where
+  fc.getTarget().(Function).hasName("strncat") and
+  va1 = fc.getArgument(0) and
+  va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
+  va1.getTarget() = va2.getTarget()
 select fc, "Potentially unsafe call to strncat."

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql

@@ -5,7 +5,6 @@
  *              the machine pointer size.
  * @kind problem
  * @problem.severity warning
- * @security-severity 8.8
  * @precision medium
  * @id cpp/suspicious-sizeof
  * @tags reliability

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -5,7 +5,6 @@
  * @kind problem
  * @id cpp/uninitialized-local
  * @problem.severity warning
- * @security-severity 7.8
  * @precision medium
  * @tags security
  *       external/cwe/cwe-665