Merge pull request #7150 from bmuskalla/removeClassFile

Java: Remove class file

.codeqlmanifest.json

@@ -1,6 +1,11 @@
-{ "provide": [ "*/ql/src/qlpack.yml",
+{ "provide": [ "ruby/.codeqlmanifest.json",
+                "*/ql/src/qlpack.yml",
+               "*/ql/lib/qlpack.yml",
                "*/ql/test/qlpack.yml",
+               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
+               "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+               "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",
                "misc/suite-helpers/qlpack.yml" ] }

.devcontainer/devcontainer.json

@@ -1,9 +1,14 @@
 {
   "extensions": [
+    "rust-lang.rust",
+    "bungcip.better-toml",
     "github.vscode-codeql",
     "slevesque.vscode-zipexplorer"
   ],
   "settings": {
+    "files.watcherExclude": {
+      "**/target/**": true
+    },
     "codeQL.runningQueries.memory": 2048
   }
 }

.gitattributes

@@ -48,3 +48,6 @@
 *.gif -text
 *.dll -text
 *.pdb -text
+
+java/ql/test/stubs/**/*.java linguist-generated=true
+java/ql/test/experimental/stubs/**/*.java linguist-generated=true

.github/actions/fetch-codeql/action.yml

@@ -0,0 +1,14 @@
+name: Fetch CodeQL
+description: Fetches the latest version of CodeQL
+runs:
+  using: composite
+  steps:
+    - name: Fetch CodeQL
+      shell: bash
+      run: |
+        LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
+        gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
+        unzip -q -d "${RUNNER_TEMP}" codeql-linux64.zip
+        echo "${RUNNER_TEMP}/codeql" >> "${GITHUB_PATH}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "ruby/node-types"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/generator"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/extractor"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/autobuilder"
+    schedule:
+      interval: "daily"

.github/labeler.yml

@@ -18,6 +18,10 @@ Python:
   - python/**/*
   - change-notes/**/*python*
 
+Ruby:
+  - ruby/**/*
+  - change-notes/**/*ruby*
+
 documentation:
   - "**/*.qhelp"
   - "**/*.md"

.github/workflows/check-change-note.yml

@@ -19,5 +19,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
-          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
+          grep true -c

.github/workflows/close-stale.yml

@@ -0,0 +1,30 @@
+name: Mark stale issues
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+    if: github.repository == 'github/codeql'
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@v3
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
+        close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
+        days-before-stale: 14
+        days-before-close: 7
+        only-labels: awaiting-response
+
+        # do not mark PRs as stale
+        days-before-pr-stale: -1
+        days-before-pr-close: -1
+
+        # Uncomment for dry-run
+        # debug-only: true
+        # operations-per-run: 1000

.github/workflows/codeql-analysis.yml

@@ -11,6 +11,8 @@ on:
       - 'rc/*'
     paths:
       - 'csharp/**'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql-analysis.yml'
   schedule:
     - cron: '0 9 * * 1'
 
@@ -19,13 +21,18 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: read
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@main
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: csharp
@@ -33,8 +40,8 @@ jobs:
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+    #- name: Autobuild
+    #  uses: github/codeql-action/autobuild@main
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -43,9 +50,8 @@ jobs:
     #    and modify them (or add more) to build your code if your project
     #    uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+    - run: |
+       dotnet build csharp
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@main

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -0,0 +1,99 @@
+name: Check framework coverage changes
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage-pr-comment.yml'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
+      - '*/ql/lib/**/*.ql'
+      - '*/ql/lib/**/*.qll'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  generate:
+    name: Generate framework coverage artifacts
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql) - MERGE
+      uses: actions/checkout@v2
+      with:
+        path: merge
+    - name: Clone self (github/codeql) - BASE
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 2
+        path: base
+    - run: |
+        git checkout HEAD^1
+        git log -1 --format='%H'
+      working-directory: base
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Generate CSV files on merge commit of the PR
+      run: |
+        echo "Running generator on merge"
+        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
+        mkdir out_merge
+        cp framework-coverage-*.csv out_merge/
+        cp framework-coverage-*.rst out_merge/
+    - name: Generate CSV files on base commit of the PR
+      run: |
+        echo "Running generator on base"
+        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
+        mkdir out_base
+        cp framework-coverage-*.csv out_base/
+        cp framework-coverage-*.rst out_base/
+    - name: Generate diff of coverage reports
+      run: |
+        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-merge
+        path: |
+          out_merge/framework-coverage-*.csv
+          out_merge/framework-coverage-*.rst
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-base
+        path: |
+          out_base/framework-coverage-*.csv
+          out_base/framework-coverage-*.rst
+    - name: Upload comparison results
+      uses: actions/upload-artifact@v2
+      with:
+        name: comparison
+        path: |
+          comparison.md
+    - name: Save PR number
+      run: |
+        mkdir -p pr
+        echo ${{ github.event.pull_request.number }} > pr/NR
+    - name: Upload PR number
+      uses: actions/upload-artifact@v2
+      with:
+        name: pr
+        path: pr/

.github/workflows/csv-coverage-pr-comment.yml

@@ -0,0 +1,34 @@
+name: Comment on PR with framework coverage changes
+
+on:
+  workflow_run:
+    workflows: ["Check framework coverage changes"]
+    types:
+      - completed
+
+jobs:
+  check:
+    name: Check framework coverage differences and comment
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+
+    - name: Check coverage difference file and comment
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"

.github/workflows/csv-coverage-timeseries.yml

@@ -0,0 +1,42 @@
+name: Build framework coverage timeseries reports
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) for analysis
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        CLI=$(realpath "codeql-cli/codeql")
+        echo $CLI
+        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
+    - name: Upload timeseries CSV
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-timeseries
+        path: framework-coverage-timeseries-*.csv
+

.github/workflows/csv-coverage-update.yml

@@ -0,0 +1,44 @@
+name: Update framework coverage reports
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  update:
+    name: Update framework coverage report
+    if: github.repository == 'github/codeql'
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: ql
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+
+    - name: Generate coverage files
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
+
+    - name: Create pull request with changes
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"

.github/workflows/csv-coverage.yml

@@ -0,0 +1,49 @@
+name: Build framework coverage reports
+
+on:
+  workflow_dispatch:
+    inputs:
+      qlModelShaOverride:
+        description: 'github/codeql repo SHA used for looking up the CSV models'
+        required: false
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) for analysis
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-csv
+        path: framework-coverage-*.csv
+    - name: Upload RST package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-rst
+        path: framework-coverage-*.rst
+

.github/workflows/post-pr-comment.yml

@@ -0,0 +1,31 @@
+name: Post pull-request comment
+on:
+  workflow_run:
+    workflows: ["Query help preview"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+
+jobs:
+  post_comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact
+        run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
+      - run: |
+          PR="$(grep -o '^[0-9]\+$' pr.txt)"
+          PR_HEAD_SHA="$(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${PR}" --jq .head.sha)"
+          # Check that the pull-request head SHA matches the head SHA of the workflow run
+          if [ "${WORKFLOW_RUN_HEAD_SHA}" != "${PR_HEAD_SHA}" ]; then
+            echo "PR head SHA ${PR_HEAD_SHA} does not match workflow_run event SHA ${WORKFLOW_RUN_HEAD_SHA}. Stopping." 1>&2
+            exit 1
+          fi
+          gh pr comment "${PR}" --repo "${GITHUB_REPOSITORY}" -F comment.txt
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_commit.id }}

.github/workflows/qhelp-pr-preview.yml

@@ -0,0 +1,63 @@
+name: Query help preview
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - "ruby/**/*.qhelp"
+
+jobs:
+  qhelp:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "${{  github.event.number }}" > pr.txt
+      - uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: pr.txt
+          retention-days: 1
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+          persist-credentials: false
+      - uses: ./.github/actions/fetch-codeql
+      - name: Determine changed files
+        id: changes
+        run: |
+          (git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp';
+           git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) |
+           grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt"
+
+      - name: QHelp preview
+        run: |
+          EXIT_CODE=0
+          echo "QHelp previews:" > comment.txt
+          while read -r -d $'\0' path; do
+            if [ ! -f "${path}" ]; then
+               exit 1
+            fi
+            echo "<details> <summary>${path}</summary>"
+            echo
+            codeql generate query-help --format=markdown -- "./${path}" 2> errors.txt || EXIT_CODE="$?"
+            if [ -s errors.txt ]; then
+               echo "# errors/warnings:"
+               echo '```'
+               cat errors.txt
+               cat errors.txt 1>&2
+               echo '```'
+            fi
+            echo "</details>"
+          done < "${RUNNER_TEMP}/paths.txt" >> comment.txt
+          exit "${EXIT_CODE}"
+
+      - if: always()
+        uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: comment.txt
+          retention-days: 1

.github/workflows/ruby-build.yml

@@ -0,0 +1,224 @@
+name: "Ruby: Build"
+
+on:
+  push:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-build.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-build.yml
+    branches:
+      - main
+      - "rc/*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Version tag to create"
+        required: false
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install GNU tar
+        if: runner.os == 'macOS'
+        run: |
+          brew install gnu-tar
+          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ruby/target
+          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+      - name: Build
+        run: cargo build --verbose
+      - name: Run tests
+        run: cargo test --verbose
+      - name: Release build
+        run: cargo build --release
+      - name: Generate dbscheme
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v2
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: ruby.dbscheme
+          path: ruby/ql/lib/ruby.dbscheme
+      - uses: actions/upload-artifact@v2
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: TreeSitter.qll
+          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v2
+        with:
+          name: extractor-${{ matrix.os }}
+          path: |
+            ruby/target/release/ruby-autobuilder
+            ruby/target/release/ruby-autobuilder.exe
+            ruby/target/release/ruby-extractor
+            ruby/target/release/ruby-extractor.exe
+          retention-days: 1
+  compile-queries:
+    runs-on: ubuntu-latest
+    env:
+      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    steps:
+      - uses: actions/checkout@v2
+      - name: Fetch CodeQL
+        run: |
+          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
+          unzip -q codeql-linux64.zip
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Build Query Pack
+        run: |
+          codeql/codeql pack create ql/lib --output target/packs
+          codeql/codeql pack install ql/src
+          codeql/codeql pack create ql/src --output target/packs
+          PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
+          codeql/codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
+          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ruby-queries
+          path: |
+            ruby/target/packs/*
+          retention-days: 1
+
+  package:
+    runs-on: ubuntu-latest
+    needs: [build, compile-queries]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: ruby.dbscheme
+          path: ruby/ruby
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-ubuntu-latest
+          path: ruby/linux64
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-windows-latest
+          path: ruby/win64
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-macos-latest
+          path: ruby/osx64
+      - run: |
+          mkdir -p ruby
+          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
+          mkdir -p ruby/tools/{linux64,osx64,win64}
+          cp linux64/ruby-autobuilder ruby/tools/linux64/autobuilder
+          cp osx64/ruby-autobuilder ruby/tools/osx64/autobuilder
+          cp win64/ruby-autobuilder.exe ruby/tools/win64/autobuilder.exe
+          cp linux64/ruby-extractor ruby/tools/linux64/extractor
+          cp osx64/ruby-extractor ruby/tools/osx64/extractor
+          cp win64/ruby-extractor.exe ruby/tools/win64/extractor.exe
+          chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
+          zip -rq codeql-ruby.zip ruby
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ruby-pack
+          path: ruby/codeql-ruby.zip
+          retention-days: 1
+      - uses: actions/download-artifact@v2
+        with:
+          name: codeql-ruby-queries
+          path: ruby/qlpacks
+      - run: |
+          echo '{
+            "provide": [
+            "ruby/codeql-extractor.yml",
+            "qlpacks/*/*/*/qlpack.yml"
+            ]
+          }' > .codeqlmanifest.json
+          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ruby-bundle
+          path: ruby/codeql-ruby-bundle.zip
+          retention-days: 1
+
+  test:
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+    needs: [package]
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          repository: Shopify/example-ruby-app
+          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
+      - name: Fetch CodeQL
+        shell: bash
+        run: |
+          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | grep -v beta | sort --version-sort | tail -1)
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql.zip "$LATEST"
+          unzip -q codeql.zip
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        working-directory: ${{ runner.temp }}
+      - name: Download Ruby bundle
+        uses: actions/download-artifact@v2
+        with:
+          name: codeql-ruby-bundle
+          path: ${{ runner.temp }}
+      - name: Unzip Ruby bundle
+        shell: bash
+        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
+      - name: Prepare test files
+        shell: bash
+        run: |
+          echo "import ruby select count(File f)" > "test.ql"
+          echo "| 4 |" > "test.expected"
+          echo 'name: sample-tests
+          version: 0.0.0
+          dependencies:
+            codeql/ruby-all: 0.0.1
+          extractor: ruby
+          tests: .
+          ' > qlpack.yml
+      - name: Run QL test
+        shell: bash
+        run: |
+          "${{ runner.temp }}/codeql/codeql" test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
+      - name: Create database
+        shell: bash
+        run: |
+          "${{ runner.temp }}/codeql/codeql" database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
+      - name: Analyze database
+        shell: bash
+        run: |
+          "${{ runner.temp }}/codeql/codeql" database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

.github/workflows/ruby-dataset-measure.yml

@@ -0,0 +1,73 @@
+name: "Ruby: Collect database stats"
+
+on:
+  push:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - ruby/ql/lib/ruby.dbscheme
+      - .github/workflows/ruby-dataset-measure.yml
+  pull_request:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - ruby/ql/lib/ruby.dbscheme
+      - .github/workflows/ruby-dataset-measure.yml
+  workflow_dispatch:
+
+jobs:
+  measure:
+    env:
+      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    strategy:
+      fail-fast: false
+      matrix:
+        repo: [rails/rails, discourse/discourse, spree/spree]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - uses: ./ruby/actions/create-extractor-pack
+
+      - name: Checkout ${{ matrix.repo }}
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ matrix.repo }}
+          path: ${{ github.workspace }}/repo
+      - name: Create database
+        run: |
+          codeql database create \
+            --search-path "${{ github.workspace }}/ruby" \
+            --threads 4 \
+            --language ruby --source-root "${{ github.workspace }}/repo" \
+            "${{ runner.temp }}/database"
+      - name: Measure database
+        run: |
+          mkdir -p "stats/${{ matrix.repo }}"
+          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
+      - uses: actions/upload-artifact@v2
+        with:
+          name: measurements
+          path: stats
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: measure
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: measurements
+          path: stats
+      - run: |
+          python -m pip install --user lxml
+          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
+      - uses: actions/upload-artifact@v2
+        with:
+          name: ruby.dbscheme.stats
+          path: ruby/ql/lib/ruby.dbscheme.stats

.github/workflows/ruby-qltest.yml

@@ -0,0 +1,50 @@
+name: "Ruby: Run QL Tests"
+
+on:
+  push:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-qltest.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "ruby/**"
+      - .github/workflows/ruby-qltest.yml
+    branches:
+      - main
+      - "rc/*"
+
+env:
+  CARGO_TERM_COLOR: always
+
+defaults:
+  run:
+    working-directory: ruby
+
+jobs:
+  qltest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./ruby/actions/create-extractor-pack
+      - name: Run QL tests
+        run: |
+          codeql test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}"  --consistency-queries ql/consistency-queries ql/test
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Check QL formatting
+        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql query format --check-only
+      - name: Check QL compilation
+        run: |
+          codeql query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}/ruby" --additional-packs "${{ github.workspace }}" "ql/src" "ql/examples"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Check DB upgrade scripts
+        run: |
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme

.github/workflows/sync-files.yml

@@ -0,0 +1,20 @@
+name: Check synchronized files
+
+on:
+  push:
+    branches:
+      - main
+      - 'rc/*'
+  pull_request:
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Check synchronized files
+        run: python config/sync-files.py
+

.gitignore

@@ -24,3 +24,9 @@
 /codeql/
 
 csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
+
+# Avoid committing cached package components
+.codeql
+
+# Compiled class file
+*.class

CODEOWNERS

@@ -3,6 +3,7 @@
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
+/ruby/ @github/codeql-ruby
 
 # Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
 /cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
@@ -10,6 +11,7 @@
 /java/**/experimental/**/* @github/codeql-java @xcorail
 /javascript/**/experimental/**/* @github/codeql-javascript @xcorail
 /python/**/experimental/**/* @github/codeql-python @xcorail
+/ruby/**/experimental/**/* @github/codeql-ruby @xcorail
 
 # Notify members of codeql-go about PRs to the shared data-flow library files
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
@@ -17,3 +19,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+
+# CodeQL tools and associated docs
+/docs/codeql-cli/ @github/codeql-cli-reviewers
+/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
+/docs/ql-language-reference/ @github/codeql-frontend-reviewers
+/docs/query-*-style-guide.md @github/codeql-analysis-reviewers

CONTRIBUTING.md

@@ -11,13 +11,14 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
 1. **Directory structure**
 
-    There are five language-specific query directories in this repository:
+    There are six language-specific query directories in this repository:
 
       * C/C++: `cpp/ql/src`
       * C#: `csharp/ql/src`
       * Java: `java/ql/src`
       * JavaScript: `javascript/ql/src`
       * Python: `python/ql/src`
+      * Ruby: `ruby/ql/src`
 
     Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
     - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.

README.md

@@ -4,8 +4,8 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 

config/identical-files.json

@@ -1,323 +1,339 @@
 {
   "DataFlow Java/C++/C#/Python": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
+    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll"
+  ],
+  "DataFlow Java/C# Flow Summaries": [
+    "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll"
   ],
   "SsaReadPosition Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
   "Sign Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
   ],
   "SignAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
+    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
   "Bound Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
+    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
   ],
   "ModulusAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+    "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
   ],
   "C++ SubBasicBlocks": [
-    "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
+    "cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
   ],
   "IR Instruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
   ],
   "IR IRType": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
     "csharp/ql/src/experimental/ir/implementation/IRType.qll"
   ],
   "IR IRConfiguration": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
   ],
   "IR UseSoundEscapeAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
   ],
   "IR IRFunctionBase": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
   ],
   "IR Operand Tag": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
   ],
   "IR TInstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
   ],
   "IR TIRVariable": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
   "IR IR": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
   ],
   "IR IRConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
   ],
   "IR PrintIR": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
   ],
   "IR IntegerConstant": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
   ],
   "IR IntegerInteval": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
   ],
   "IR IntegerPartial": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
     "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
   ],
   "IR Overlap": [
-    "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
     "csharp/ql/src/experimental/ir/internal/Overlap.qll"
   ],
   "IR EdgeKind": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
     "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
   ],
   "IR MemoryAccessKind": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
     "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
   ],
   "IR TempVariableTag": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
     "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
   ],
   "IR Opcode": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
     "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
   ],
   "IR SSAConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
   ],
   "C++ IR InstructionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
   ],
   "C++ IR IRImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
   ],
   "C++ IR IRBlockImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
   ],
   "C++ IR IRFunctionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
   ],
   "C++ IR IRVariableImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
   ],
   "C++ IR OperandImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
   ],
   "C++ IR PrintIRImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
   ],
   "C++ SSA SSAConstructionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
   ],
   "SSA AliasAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
+  "SSA PrintAliasAnalysis": [
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
+  ],
   "C++ SSA AliasAnalysisImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
   ],
   "C++ IR ValueNumberingImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "IR SSA SimpleSSA": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
   ],
   "IR AliasConfiguration (unaliased_ssa)": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
   ],
   "IR SSA SSAConstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/ConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/ConstantAnalysis.qll"
   ],
   "C++ IR PrintConstantAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/constant/PrintConstantAnalysis.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/constant/PrintConstantAnalysis.qll"
   ],
   "C++ IR ReachableBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/ReachableBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/ReachableBlock.qll"
   ],
   "C++ IR PrintReachableBlock": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintReachableBlock.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintReachableBlock.qll"
   ],
   "C++ IR Dominance": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
   ],
   "C++ IR PrintDominance": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
   "C# IR InstructionImports": [
     "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
@@ -352,13 +368,15 @@
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
   "C# ControlFlowReachability": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
   ],
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
+    "python/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "ruby/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [
     "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
@@ -369,11 +387,11 @@
     "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
   ],
   "XML": [
-    "cpp/ql/src/semmle/code/cpp/XML.qll",
-    "csharp/ql/src/semmle/code/csharp/XML.qll",
-    "java/ql/src/semmle/code/xml/XML.qll",
-    "javascript/ql/src/semmle/javascript/XML.qll",
-    "python/ql/src/semmle/python/xml/XML.qll"
+    "cpp/ql/lib/semmle/code/cpp/XML.qll",
+    "csharp/ql/lib/semmle/code/csharp/XML.qll",
+    "java/ql/lib/semmle/code/xml/XML.qll",
+    "javascript/ql/lib/semmle/javascript/XML.qll",
+    "python/ql/lib/semmle/python/xml/XML.qll"
   ],
   "DuplicationProblems.inc.qhelp": [
     "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
@@ -427,13 +445,48 @@
     "python/ql/src/analysis/IDEContextual.qll"
   ],
   "SSA C#": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
+    "csharp/ql/lib/semmle/code/cil/internal/SsaImplCommon.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll"
   ],
   "CryptoAlgorithms Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/crypto/Crypto.qll"
+    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
+    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll"
+  ],
+  "SensitiveDataHeuristics Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
+    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll"
+  ],
+  "ReDoS Util Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll",
+    "python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll"
+  ],
+  "ReDoS Exponential Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll",
+    "python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll"
+  ],
+  "ReDoS Polynomial Python/JS": [
+    "javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
+    "python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll",
+    "ruby/ql/lib/codeql/ruby/regexp/SuperlinearBackTracking.qll"
+  ],
+  "CFG": [
+    "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll",
+    "ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImplShared.qll"
+  ],
+  "TypeTracker": [
+    "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
+    "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
+  ],
+  "CodeQL Tutorial": [
+    "cpp/ql/lib/tutorial.qll",
+    "csharp/ql/lib/tutorial.qll",
+    "java/ql/lib/tutorial.qll",
+    "javascript/ql/lib/tutorial.qll",
+    "python/ql/lib/tutorial.qll",
+    "ruby/ql/lib/tutorial.qll"
   ]
-}
+}

cpp/change-notes/2021-03-11-overflow-abs.md

@@ -0,0 +1,2 @@
+lgtm
+* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

cpp/change-notes/2021-04-06-assign-where-compare-meant.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.

cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.

cpp/change-notes/2021-04-13-arithmetic-queries.md

@@ -0,0 +1,2 @@
+lgtm
+* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

cpp/change-notes/2021-04-21-return-stack-allocated-object.md

@@ -0,0 +1,2 @@
+codescanning
+* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).

cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.

cpp/change-notes/2021-05-10-comparison-with-wider-type.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.

cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md

@@ -0,0 +1,2 @@
+lgtm
+* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-18-static-buffer-overflow.md

@@ -0,0 +1,2 @@
+lgtm
+* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md

@@ -0,0 +1,2 @@
+lgtm
+* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

cpp/change-notes/2021-05-20-ref-qualifiers.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).

cpp/change-notes/2021-05-21-unsafe-strncat.md

@@ -0,0 +1,2 @@
+lgtm
+* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

cpp/change-notes/2021-06-10-cleartext-transmission.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query (`cpp/cleartext-transmission`) has been added. This is similar to the `cpp/cleartext-storage-file`, `cpp/cleartext-storage-buffer` and `cpp/cleartext-storage-database` queries but looks for cases where sensitive information is most likely transmitted over a network.

cpp/change-notes/2021-06-10-std-types.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
+* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
+* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

cpp/change-notes/2021-06-22-sql-tainted.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Uncontrolled data in SQL query' (cpp/sql-injection) query now supports the `libpqxx` library.

cpp/change-notes/2021-06-24-dataflow-implicit-reads.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.

cpp/change-notes/2021-06-30-wrong-type-format-argument.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.

cpp/change-notes/2021-07-13-cleartext-storage-file.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file) query now uses dataflow to produce additional results.
+* Heuristics in the SensitiveExprs.qll library have been improved, making the "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file), "Cleartext storage of sensitive information in buffer" (cpp/cleartext-storage-buffer) and "Cleartext storage of sensitive information in an SQLite" (cpp/cleartext-storage-database) queries more accurate.

cpp/change-notes/2021-07-20-toctou-race-condition.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Improvements have been made to the `cpp/toctou-race-condition` query, both to find more correct results and fewer false positive results.

cpp/change-notes/2021-07-27-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* Improvements made to the (`cpp/uncontrolled-arithmetic`) query, reducing the frequency of false positive results.

cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Virtual function specifiers are now accessible via the new predicates on `Function` (`.isDeclaredVirtual`, `.isOverride`, and `.isFinal`).

cpp/change-notes/2021-08-10-has-trailing-return-type.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `Function.hasTrailingReturnType` predicate to check whether a function was declared with a trailing return type.

cpp/change-notes/2021-08-17-has-c-linkage.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `RoutineType.hasCLinkage` predicate to check whether a function type has "C" language linkage.

cpp/change-notes/2021-08-23-ctime-weaken-claims.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Lowered the precision of `cpp/potentially-dangerous-function` so it is run but not displayed on LGTM by default and so it's only run and displayed on Code Scanning if a broader suite like `cpp-security-extended` is opted into.

cpp/change-notes/2021-08-23-getPrimaryQlClasses.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `Element.getPrimaryQlClasses()` predicate, which gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.

cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query `cpp/implicit-bitfield-downcast` now accounts for C++ reference types, which leads to more true positive results.

cpp/change-notes/2021-08-31-range-analysis-upper-bound.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `SimpleRangeAnalysis` library includes information from the
+  immediate guard for determining the upper bound of a stack
+  variable for improved accuracy.

cpp/change-notes/2021-09-13-overflow-static.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `memberMayBeVarSize` predicate considers more fields to be variable size.
+  As a result, the "Static buffer overflow" query (cpp/static-buffer-overflow)
+  produces fewer false positives.

cpp/change-notes/2021-09-27-command-line-injection.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Uncontrolled data used in OS command" (`cpp/command-line-injection`) query has been enhanced to reduce false positive results and its `@precision` increased to `high`

cpp/change-notes/2021-09-27-overflow-static.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Increase precision to high for the "Static buffer overflow" query
+  (`cpp/static-buffer-overflow`). This means the query is run and displayed by default on Code Scanning and LGTM.

cpp/change-notes/2021-10-01-improper-null-termination.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Several improvements made to the `NullTermination.qll` library and the 'Potential improper null termination' (cpp/improper-null-termination). These changes reduce the number of false positive results for this query and related query 'User-controlled data may not be null terminated' (cpp/user-controlled-null-termination-tainted).

cpp/change-notes/2021-10-07-extraction-errors.md

@@ -0,0 +1,3 @@
+codescanning
+* Problems with extraction that in most cases won't break the analysis in a significant way are now reported as warnings rather than errors.
+* The failed extractor invocations query now has severity `error`.

cpp/change-notes/2021-11-01-isFromSystemMacroDefinition.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
+  `isFromSystemMacroDefinition` for identifying code that originates from a
+  macro outside the project being analyzed.

cpp/change-notes/2021-11-09-use-of-http.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/examples/qlpack.lock.yml

@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0

cpp/ql/examples/qlpack.yml

@@ -1,3 +1,4 @@
-name: codeql-cpp-examples
-version: 0.0.0
-libraryPathDependencies: codeql-cpp
+name: codeql/cpp-examples
+version: 0.0.2
+dependencies:
+  codeql/cpp-all: "*"

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -52,11 +52,8 @@ module PrivateCleartextWrite {
 
   class WriteSink extends Sink {
     WriteSink() {
-      exists(FileWrite f, BufferWrite b |
-        this.asExpr() = f.getASource()
-        or
-        this.asExpr() = b.getAChild()
-      )
+      this.asExpr() = any(FileWrite f).getASource() or
+      this.asExpr() = any(BufferWrite b).getAChild()
     }
   }
 }

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll

@@ -0,0 +1,52 @@
+/**
+ * Provides classes and predicates for identifying private data and functions for security.
+ *
+ * 'Private' data in general is anything that would compromise user privacy if exposed. This
+ * library tries to guess where private data may either be stored in a variable or produced by a
+ * function.
+ *
+ * This library is not concerned with credentials. See `SensitiveActions` for expressions related
+ * to credentials.
+ */
+
+import cpp
+
+/** A string for `match` that identifies strings that look like they represent private data. */
+private string privateNames() {
+  result =
+    [
+      // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
+      // Government identifiers, such as Social Security Numbers
+      "%social%security%number%",
+      // Contact information, such as home addresses and telephone numbers
+      "%postcode%", "%zipcode%",
+      // result = "%telephone%" or
+      // Geographic location - where the user is (or was)
+      "%latitude%", "%longitude%",
+      // Financial data - such as credit card numbers, salary, bank accounts, and debts
+      "%creditcard%", "%salary%", "%bankaccount%",
+      // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
+      // result = "%email%" or
+      // result = "%mobile%" or
+      "%employer%",
+      // Health - medical conditions, insurance status, prescription records
+      "%medical%"
+    ]
+}
+
+/** An expression that might contain private data. */
+abstract class PrivateDataExpr extends Expr { }
+
+/** A functiond call that might produce private data. */
+class PrivateFunctionCall extends PrivateDataExpr, FunctionCall {
+  PrivateFunctionCall() {
+    exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
+  }
+}
+
+/** An access to a variable that might contain private data. */
+class PrivateVariableAccess extends PrivateDataExpr, VariableAccess {
+  PrivateVariableAccess() {
+    exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
+  }
+}

cpp/ql/lib/external/ExternalArtifact.qll

@@ -0,0 +1,60 @@
+/**
+ * Provides classes for working with external data.
+ */
+
+import cpp
+
+/**
+ * An external data item.
+ */
+class ExternalData extends @externalDataElement {
+  /** Gets the path of the file this data was loaded from. */
+  string getDataPath() { externalData(this, result, _, _) }
+
+  /**
+   * Gets the path of the file this data was loaded from, with its
+   * extension replaced by `.ql`.
+   */
+  string getQueryPath() { result = this.getDataPath().regexpReplaceAll("\\.[^.]*$", ".ql") }
+
+  /** Gets the number of fields in this data item. */
+  int getNumFields() { result = 1 + max(int i | externalData(this, _, i, _) | i) }
+
+  /** Gets the value of the `i`th field of this data item. */
+  string getField(int i) { externalData(this, _, i, result) }
+
+  /** Gets the integer value of the `i`th field of this data item. */
+  int getFieldAsInt(int i) { result = this.getField(i).toInt() }
+
+  /** Gets the floating-point value of the `i`th field of this data item. */
+  float getFieldAsFloat(int i) { result = this.getField(i).toFloat() }
+
+  /** Gets the value of the `i`th field of this data item, interpreted as a date. */
+  date getFieldAsDate(int i) { result = this.getField(i).toDate() }
+
+  /** Gets a textual representation of this data item. */
+  string toString() { result = this.getQueryPath() + ": " + this.buildTupleString(0) }
+
+  /** Gets a textual representation of this data item, starting with the `n`th field. */
+  private string buildTupleString(int n) {
+    n = this.getNumFields() - 1 and result = this.getField(n)
+    or
+    n < this.getNumFields() - 1 and result = this.getField(n) + "," + this.buildTupleString(n + 1)
+  }
+}
+
+/**
+ * External data with a location, and a message, as produced by tools that used to produce QLDs.
+ */
+class DefectExternalData extends ExternalData {
+  DefectExternalData() {
+    this.getField(0).regexpMatch("\\w+://.*:[0-9]+:[0-9]+:[0-9]+:[0-9]+$") and
+    this.getNumFields() = 2
+  }
+
+  /** Gets the URL associated with this data item. */
+  string getURL() { result = this.getField(0) }
+
+  /** Gets the message associated with this data item. */
+  string getMessage() { result = this.getField(1) }
+}

cpp/ql/lib/qlpack.lock.yml

@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0

cpp/ql/lib/qlpack.yml

@@ -0,0 +1,7 @@
+name: codeql/cpp-all
+version: 0.0.2
+dbscheme: semmlecode.cpp.dbscheme
+extractor: cpp
+library: true
+dependencies:
+  codeql/cpp-upgrades: 0.0.2

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -237,7 +237,7 @@ class Class extends UserType {
     exists(ClassDerivation cd | cd.getBaseClass() = base |
       result =
         this.accessOfBaseMemberMulti(cd.getDerivedClass(),
-          fieldInBase.accessInDirectDerived(cd.getASpecifier().(AccessSpecifier)))
+          fieldInBase.accessInDirectDerived(cd.getASpecifier()))
     )
   }
 
@@ -261,21 +261,20 @@ class Class extends UserType {
    * includes the case of `base` = `this`.
    */
   AccessSpecifier accessOfBaseMember(Declaration member) {
-    result =
-      this.accessOfBaseMember(member.getDeclaringType(), member.getASpecifier().(AccessSpecifier))
+    result = this.accessOfBaseMember(member.getDeclaringType(), member.getASpecifier())
   }
 
   /**
    * DEPRECATED: name changed to `hasImplicitCopyConstructor` to reflect that
    * `= default` members are no longer included.
    */
-  deprecated predicate hasGeneratedCopyConstructor() { hasImplicitCopyConstructor() }
+  deprecated predicate hasGeneratedCopyConstructor() { this.hasImplicitCopyConstructor() }
 
   /**
    * DEPRECATED: name changed to `hasImplicitCopyAssignmentOperator` to
    * reflect that `= default` members are no longer included.
    */
-  deprecated predicate hasGeneratedCopyAssignmentOperator() { hasImplicitCopyConstructor() }
+  deprecated predicate hasGeneratedCopyAssignmentOperator() { this.hasImplicitCopyConstructor() }
 
   /**
    * Holds if this class, struct or union has an implicitly-declared copy
@@ -319,7 +318,7 @@ class Class extends UserType {
     exists(Type t | t = this.getAFieldSubobjectType().getUnspecifiedType() |
       // Note: Overload resolution is not implemented -- all copy
       // constructors are considered equal.
-      this.cannotAccessCopyConstructorOnAny(t.(Class))
+      this.cannotAccessCopyConstructorOnAny(t)
     )
     or
     // - T has direct or virtual base class that cannot be copied (has deleted,
@@ -392,7 +391,7 @@ class Class extends UserType {
     exists(Type t | t = this.getAFieldSubobjectType().getUnspecifiedType() |
       // Note: Overload resolution is not implemented -- all copy assignment
       // operators are considered equal.
-      this.cannotAccessCopyAssignmentOperatorOnAny(t.(Class))
+      this.cannotAccessCopyAssignmentOperatorOnAny(t)
     )
     or
     exists(Class c | c = this.getADirectOrVirtualBase() |
@@ -487,7 +486,7 @@ class Class extends UserType {
     exists(ClassDerivation cd |
       // Add the offset of the direct base class and the offset of `baseClass`
       // within that direct base class.
-      cd = getADerivation() and
+      cd = this.getADerivation() and
       result = cd.getBaseClass().getANonVirtualBaseClassByteOffset(baseClass) + cd.getByteOffset()
     )
   }
@@ -502,12 +501,12 @@ class Class extends UserType {
    */
   int getABaseClassByteOffset(Class baseClass) {
     // Handle the non-virtual case.
-    result = getANonVirtualBaseClassByteOffset(baseClass)
+    result = this.getANonVirtualBaseClassByteOffset(baseClass)
     or
     exists(Class virtualBaseClass, int virtualBaseOffset, int offsetFromVirtualBase |
       // Look for the base class as a non-virtual base of a direct or indirect
       // virtual base, adding the two offsets.
-      getVirtualBaseClassByteOffset(virtualBaseClass) = virtualBaseOffset and
+      this.getVirtualBaseClassByteOffset(virtualBaseClass) = virtualBaseOffset and
       offsetFromVirtualBase = virtualBaseClass.getANonVirtualBaseClassByteOffset(baseClass) and
       result = virtualBaseOffset + offsetFromVirtualBase
     )
@@ -623,11 +622,11 @@ class Class extends UserType {
    * inherits one).
    */
   predicate isPolymorphic() {
-    exists(MemberFunction f | f.getDeclaringType() = getABaseClass*() and f.isVirtual())
+    exists(MemberFunction f | f.getDeclaringType() = this.getABaseClass*() and f.isVirtual())
   }
 
   override predicate involvesTemplateParameter() {
-    getATemplateArgument().(Type).involvesTemplateParameter()
+    this.getATemplateArgument().(Type).involvesTemplateParameter()
   }
 
   /** Holds if this class, struct or union was declared 'final'. */
@@ -765,7 +764,7 @@ class ClassDerivation extends Locatable, @derivation {
    * };
    * ```
    */
-  Class getBaseClass() { result = getBaseType().getUnderlyingType() }
+  Class getBaseClass() { result = this.getBaseType().getUnderlyingType() }
 
   override string getAPrimaryQlClass() { result = "ClassDerivation" }
 
@@ -818,7 +817,7 @@ class ClassDerivation extends Locatable, @derivation {
   predicate hasSpecifier(string s) { this.getASpecifier().hasName(s) }
 
   /** Holds if the derivation is for a virtual base class. */
-  predicate isVirtual() { hasSpecifier("virtual") }
+  predicate isVirtual() { this.hasSpecifier("virtual") }
 
   /** Gets the location of the derivation. */
   override Location getLocation() { derivations(underlyingElement(this), _, _, _, result) }
@@ -846,7 +845,7 @@ class ClassDerivation extends Locatable, @derivation {
  * ```
  */
 class LocalClass extends Class {
-  LocalClass() { isLocal() }
+  LocalClass() { this.isLocal() }
 
   override string getAPrimaryQlClass() { not this instanceof LocalStruct and result = "LocalClass" }
 
@@ -989,9 +988,9 @@ class ClassTemplateSpecialization extends Class {
   TemplateClass getPrimaryTemplate() {
     // Ignoring template arguments, the primary template has the same name
     // as each of its specializations.
-    result.getSimpleName() = getSimpleName() and
+    result.getSimpleName() = this.getSimpleName() and
     // It is in the same namespace as its specializations.
-    result.getNamespace() = getNamespace() and
+    result.getNamespace() = this.getNamespace() and
     // It is distinguished by the fact that each of its template arguments
     // is a distinct template parameter.
     count(TemplateParameter tp | tp = result.getATemplateArgument()) =
@@ -1108,7 +1107,7 @@ deprecated class Interface extends Class {
  * ```
  */
 class VirtualClassDerivation extends ClassDerivation {
-  VirtualClassDerivation() { hasSpecifier("virtual") }
+  VirtualClassDerivation() { this.hasSpecifier("virtual") }
 
   override string getAPrimaryQlClass() { result = "VirtualClassDerivation" }
 }
@@ -1136,7 +1135,7 @@ class VirtualBaseClass extends Class {
   VirtualClassDerivation getAVirtualDerivation() { result.getBaseClass() = this }
 
   /** A class/struct that is derived from this one using virtual inheritance. */
-  Class getAVirtuallyDerivedClass() { result = getAVirtualDerivation().getDerivedClass() }
+  Class getAVirtuallyDerivedClass() { result = this.getAVirtualDerivation().getDerivedClass() }
 }
 
 /**
@@ -1155,7 +1154,7 @@ class ProxyClass extends UserType {
   override string getAPrimaryQlClass() { result = "ProxyClass" }
 
   /** Gets the location of the proxy class. */
-  override Location getLocation() { result = getTemplateParameter().getDefinitionLocation() }
+  override Location getLocation() { result = this.getTemplateParameter().getDefinitionLocation() }
 
   /** Gets the template parameter for which this is the proxy class. */
   TemplateParameter getTemplateParameter() {

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -0,0 +1,719 @@
+/**
+ * Provides classes for working with C and C++ declarations.
+ */
+
+import semmle.code.cpp.Element
+import semmle.code.cpp.Specifier
+import semmle.code.cpp.Namespace
+private import semmle.code.cpp.internal.QualifiedName as Q
+
+/**
+ * A C/C++ declaration: for example, a variable declaration, a type
+ * declaration, or a function declaration.
+ *
+ * This file defines two closely related classes: `Declaration` and
+ * `DeclarationEntry`. Some declarations do not correspond to a unique
+ * location in the source code. For example, a global variable might
+ * be declared in multiple source files:
+ * ```
+ *   extern int myglobal;
+ * ```
+ * and defined in one:
+ * ```
+ *   int myglobal;
+ * ```
+ * Each of these declarations (including the definition) is given its own
+ * distinct `DeclarationEntry`, but they all share the same `Declaration`.
+ *
+ * Some derived class of `Declaration` do not have a corresponding
+ * `DeclarationEntry`, because they always have a unique source location.
+ * `EnumConstant` and `FriendDecl` are both examples of this.
+ */
+class Declaration extends Locatable, @declaration {
+  /**
+   * Gets the innermost namespace which contains this declaration.
+   *
+   * The result will either be `GlobalNamespace`, or the tightest lexically
+   * enclosing namespace block. In particular, note that for declarations
+   * within structures, the namespace of the declaration is the same as the
+   * namespace of the structure.
+   */
+  Namespace getNamespace() {
+    result = underlyingElement(this).(Q::Declaration).getNamespace()
+    or
+    exists(Parameter p | p = this and result = p.getFunction().getNamespace())
+    or
+    exists(LocalVariable v | v = this and result = v.getFunction().getNamespace())
+  }
+
+  /**
+   * Gets the name of the declaration, fully qualified with its
+   * namespace and declaring type.
+   *
+   * For performance, prefer the multi-argument `hasQualifiedName` or
+   * `hasGlobalName` predicates since they don't construct so many intermediate
+   * strings. For debugging, the `semmle.code.cpp.Print` module produces more
+   * detailed output but are also more expensive to compute.
+   *
+   * Example: `getQualifiedName() =
+   * "namespace1::namespace2::TemplateClass1<int>::Class2::memberName"`.
+   */
+  string getQualifiedName() { result = underlyingElement(this).(Q::Declaration).getQualifiedName() }
+
+  /**
+   * DEPRECATED: Prefer `hasGlobalName` or the 2-argument or 3-argument
+   * `hasQualifiedName` predicates. To get the exact same results as this
+   * predicate in all edge cases, use `getQualifiedName()`.
+   *
+   * Holds if this declaration has the fully-qualified name `qualifiedName`.
+   * See `getQualifiedName`.
+   */
+  predicate hasQualifiedName(string qualifiedName) { this.getQualifiedName() = qualifiedName }
+
+  /**
+   * Holds if this declaration has a fully-qualified name with a name-space
+   * component of `namespaceQualifier`, a declaring type of `typeQualifier`,
+   * and a base name of `baseName`. Template parameters and arguments are
+   * stripped from all components. Missing components are `""`.
+   *
+   * Example: `hasQualifiedName("namespace1::namespace2",
+   * "TemplateClass1::Class2", "memberName")`.
+   *
+   * Example (the class `std::vector`): `hasQualifiedName("std", "", "vector")`
+   * or `hasQualifiedName("std", "vector")`.
+   *
+   * Example (the `size` member function of class `std::vector`):
+   * `hasQualifiedName("std", "vector", "size")`.
+   */
+  predicate hasQualifiedName(string namespaceQualifier, string typeQualifier, string baseName) {
+    underlyingElement(this)
+        .(Q::Declaration)
+        .hasQualifiedName(namespaceQualifier, typeQualifier, baseName)
+  }
+
+  /**
+   * Holds if this declaration has a fully-qualified name with a name-space
+   * component of `namespaceQualifier`, no declaring type, and a base name of
+   * `baseName`.
+   *
+   * See the 3-argument `hasQualifiedName` for examples.
+   */
+  predicate hasQualifiedName(string namespaceQualifier, string baseName) {
+    this.hasQualifiedName(namespaceQualifier, "", baseName)
+  }
+
+  /**
+   * Gets a description of this `Declaration` for display purposes.
+   */
+  string getDescription() { result = this.getName() }
+
+  final override string toString() { result = this.getDescription() }
+
+  /**
+   * Gets the name of this declaration.
+   *
+   * This name doesn't include a namespace or any argument types, so
+   * for example both functions `::open()` and `::std::ifstream::open(...)`
+   * have the same name. The name of a template _class_ includes a string
+   * representation of its parameters, and the names of its instantiations
+   * include string representations of their arguments. Template _functions_
+   * and their instantiations do not include template parameters or arguments.
+   *
+   * To get the name including the namespace, use `hasQualifiedName`.
+   *
+   * To test whether this declaration has a particular name in the global
+   * namespace, use `hasGlobalName`.
+   */
+  string getName() { none() } // overridden in subclasses
+
+  /** Holds if this declaration has the given name. */
+  predicate hasName(string name) { name = this.getName() }
+
+  /** Holds if this declaration has the given name in the global namespace. */
+  predicate hasGlobalName(string name) { this.hasQualifiedName("", "", name) }
+
+  /** Holds if this declaration has the given name in the global namespace or the `std` namespace. */
+  predicate hasGlobalOrStdName(string name) {
+    this.hasGlobalName(name)
+    or
+    this.hasQualifiedName("std", "", name)
+  }
+
+  /**
+   * Holds if this declaration has the given name in the global namespace,
+   * the `std` namespace or the `bsl` namespace.
+   * We treat `std` and `bsl` as the same in some of our models.
+   */
+  predicate hasGlobalOrStdOrBslName(string name) {
+    this.hasGlobalName(name)
+    or
+    this.hasQualifiedName("std", "", name)
+    or
+    this.hasQualifiedName("bsl", "", name)
+  }
+
+  /** Gets a specifier of this declaration. */
+  Specifier getASpecifier() { none() } // overridden in subclasses
+
+  /** Holds if this declaration has a specifier with the given name. */
+  predicate hasSpecifier(string name) { this.getASpecifier().hasName(name) }
+
+  /**
+   * Gets a declaration entry corresponding to this declaration. See the
+   * comment above this class for an explanation of the relationship
+   * between `Declaration` and `DeclarationEntry`.
+   */
+  DeclarationEntry getADeclarationEntry() { none() }
+
+  /**
+   * Gets the location of a declaration entry corresponding to this
+   * declaration.
+   */
+  Location getADeclarationLocation() { none() } // overridden in subclasses
+
+  /**
+   * Gets the declaration entry corresponding to this declaration that is a
+   * definition, if any.
+   */
+  DeclarationEntry getDefinition() { none() }
+
+  /** Gets the location of the definition, if any. */
+  Location getDefinitionLocation() { none() } // overridden in subclasses
+
+  /** Holds if the declaration has a definition. */
+  predicate hasDefinition() { exists(this.getDefinition()) }
+
+  /** DEPRECATED: Use `hasDefinition` instead. */
+  predicate isDefined() { this.hasDefinition() }
+
+  /** Gets the preferred location of this declaration, if any. */
+  override Location getLocation() { none() }
+
+  /** Gets a file where this element occurs. */
+  File getAFile() { result = this.getADeclarationLocation().getFile() }
+
+  /** Holds if this declaration is a top-level declaration. */
+  predicate isTopLevel() {
+    not (
+      this.isMember() or
+      this instanceof EnumConstant or
+      this instanceof Parameter or
+      this instanceof ProxyClass or
+      this instanceof LocalVariable or
+      this instanceof TemplateParameter or
+      this.(UserType).isLocal()
+    )
+  }
+
+  /** Holds if this declaration is static. */
+  predicate isStatic() { this.hasSpecifier("static") }
+
+  /** Holds if this declaration is a member of a class/struct/union. */
+  predicate isMember() { this.hasDeclaringType() }
+
+  /** Holds if this declaration is a member of a class/struct/union. */
+  predicate hasDeclaringType() { exists(this.getDeclaringType()) }
+
+  /**
+   * Gets the class where this member is declared, if it is a member.
+   * For templates, both the template itself and all instantiations of
+   * the template are considered to have the same declaring class.
+   */
+  Class getDeclaringType() { this = result.getAMember() }
+
+  /**
+   * Gets a template argument used to instantiate this declaration from a template.
+   * When called on a template, this will return a template parameter type for
+   * both typed and non-typed parameters.
+   */
+  final Locatable getATemplateArgument() { result = this.getTemplateArgument(_) }
+
+  /**
+   * Gets a template argument used to instantiate this declaration from a template.
+   * When called on a template, this will return a non-typed template
+   * parameter value.
+   */
+  final Locatable getATemplateArgumentKind() { result = this.getTemplateArgumentKind(_) }
+
+  /**
+   * Gets the `i`th template argument used to instantiate this declaration from a
+   * template.
+   *
+   * For example:
+   *
+   * `template<typename T, T X> class Foo;`
+   *
+   * Will have `getTemplateArgument(0)` return `T`, and
+   * `getTemplateArgument(1)` return `X`.
+   *
+   * `Foo<int, 1> bar;`
+   *
+   * Will have `getTemplateArgument())` return `int`, and
+   * `getTemplateArgument(1)` return `1`.
+   */
+  final Locatable getTemplateArgument(int index) {
+    if exists(this.getTemplateArgumentValue(index))
+    then result = this.getTemplateArgumentValue(index)
+    else result = this.getTemplateArgumentType(index)
+  }
+
+  /**
+   * Gets the `i`th template argument value used to instantiate this declaration
+   * from a template. When called on a template, this will return the `i`th template
+   * parameter value if it exists.
+   *
+   * For example:
+   *
+   * `template<typename T, T X> class Foo;`
+   *
+   * Will have `getTemplateArgumentKind(1)` return `T`, and no result for
+   * `getTemplateArgumentKind(0)`.
+   *
+   * `Foo<int, 10> bar;
+   *
+   * Will have `getTemplateArgumentKind(1)` return `int`, and no result for
+   * `getTemplateArgumentKind(0)`.
+   */
+  final Locatable getTemplateArgumentKind(int index) {
+    exists(this.getTemplateArgumentValue(index)) and
+    result = this.getTemplateArgumentType(index)
+  }
+
+  /** Gets the number of template arguments for this declaration. */
+  final int getNumberOfTemplateArguments() {
+    result = count(int i | exists(this.getTemplateArgument(i)))
+  }
+
+  private Type getTemplateArgumentType(int index) {
+    class_template_argument(underlyingElement(this), index, unresolveElement(result))
+    or
+    function_template_argument(underlyingElement(this), index, unresolveElement(result))
+    or
+    variable_template_argument(underlyingElement(this), index, unresolveElement(result))
+  }
+
+  private Expr getTemplateArgumentValue(int index) {
+    class_template_argument_value(underlyingElement(this), index, unresolveElement(result))
+    or
+    function_template_argument_value(underlyingElement(this), index, unresolveElement(result))
+    or
+    variable_template_argument_value(underlyingElement(this), index, unresolveElement(result))
+  }
+}
+
+private class TDeclarationEntry = @var_decl or @type_decl or @fun_decl;
+
+/**
+ * A C/C++ declaration entry. For example the following code contains five
+ * declaration entries:
+ * ```
+ * extern int myGlobal;
+ * int myVariable;
+ * typedef char MyChar;
+ * void myFunction();
+ * void myFunction() {
+ *   // ...
+ * }
+ * ```
+ * See the comment above `Declaration` for an explanation of the relationship
+ * between `Declaration` and `DeclarationEntry`.
+ */
+class DeclarationEntry extends Locatable, TDeclarationEntry {
+  /** Gets a specifier associated with this declaration entry. */
+  string getASpecifier() { none() } // overridden in subclasses
+
+  /**
+   * Gets the name associated with the corresponding definition (where
+   * available), or the name declared by this entry otherwise.
+   */
+  string getCanonicalName() {
+    if this.getDeclaration().hasDefinition()
+    then result = this.getDeclaration().getDefinition().getName()
+    else result = this.getName()
+  }
+
+  /**
+   * Gets the declaration for which this is a declaration entry.
+   *
+   * Note that this is *not* always the inverse of
+   * `Declaration.getADeclarationEntry()`, for example if `C` is a
+   * `TemplateClass`, `I` is an instantiation of `C`, and `D` is a
+   * `Declaration` of `C`, then:
+   *  `C.getADeclarationEntry()` returns `D`
+   *  `I.getADeclarationEntry()` returns `D`
+   *  but `D.getDeclaration()` only returns `C`
+   */
+  Declaration getDeclaration() { none() } // overridden in subclasses
+
+  /** Gets the name associated with this declaration entry, if any. */
+  string getName() { none() } // overridden in subclasses
+
+  /**
+   * Gets the type associated with this declaration entry.
+   *
+   * For variable declarations, get the type of the variable.
+   * For function declarations, get the return type of the function.
+   * For type declarations, get the type being declared.
+   */
+  Type getType() { none() } // overridden in subclasses
+
+  /**
+   * Gets the type associated with this declaration entry after specifiers
+   * have been deeply stripped and typedefs have been resolved.
+   *
+   * For variable declarations, get the type of the variable.
+   * For function declarations, get the return type of the function.
+   * For type declarations, get the type being declared.
+   */
+  Type getUnspecifiedType() { result = this.getType().getUnspecifiedType() }
+
+  /**
+   * Holds if this declaration entry has a specifier with the given name.
+   */
+  predicate hasSpecifier(string specifier) { this.getASpecifier() = specifier }
+
+  /** Holds if this declaration entry is a definition. */
+  predicate isDefinition() { none() } // overridden in subclasses
+
+  override string toString() {
+    if this.isDefinition()
+    then result = "definition of " + this.getName()
+    else
+      if this.getName() = this.getCanonicalName()
+      then result = "declaration of " + this.getName()
+      else result = "declaration of " + this.getCanonicalName() + " as " + this.getName()
+  }
+}
+
+private class TAccessHolder = @function or @usertype;
+
+/**
+ * A declaration that can potentially have more C++ access rights than its
+ * enclosing element. This comprises `Class` (they have access to their own
+ * private members) along with other `UserType`s and `Function` (they can be
+ * the target of `friend` declarations).  For example `MyClass` and
+ * `myFunction` in the following code:
+ * ```
+ * class MyClass
+ * {
+ * public:
+ *   ...
+ * };
+ *
+ * void myFunction() {
+ *   // ...
+ * }
+ * ```
+ * In the C++ standard (N4140 11.2), rules for access control revolve around
+ * the informal phrase "_R_ occurs in a member or friend of class C", where
+ * `AccessHolder` corresponds to this _R_.
+ */
+class AccessHolder extends Declaration, TAccessHolder {
+  /**
+   * Holds if `this` can access private members of class `c`.
+   *
+   * This predicate encodes the phrase "occurs in a member or friend" that is
+   * repeated many times in the C++14 standard, section 11.2.
+   */
+  predicate inMemberOrFriendOf(Class c) {
+    this.getEnclosingAccessHolder*() = c
+    or
+    exists(FriendDecl fd | fd.getDeclaringClass() = c |
+      this.getEnclosingAccessHolder*() = fd.getFriend()
+    )
+  }
+
+  /**
+   * Gets the nearest enclosing `AccessHolder`.
+   */
+  AccessHolder getEnclosingAccessHolder() { none() } // overridden in subclasses
+
+  /**
+   * Holds if a base class `base` of `derived` _is accessible at_ `this` (N4140
+   * 11.2/4). When this holds, and `derived` has only one base subobject of
+   * type `base`, code in `this` can implicitly convert a pointer to `derived`
+   * into a pointer to `base`. Conversely, if such a conversion is possible
+   * then this predicate holds.
+   *
+   * For the sake of generality, this predicate also holds whenever `base` =
+   * `derived`.
+   *
+   * This predicate is `pragma[inline]` because it is infeasible to fully
+   * compute it on large code bases: all classes `derived` can be converted to
+   * their public bases `base` from everywhere (`this`), so this predicate
+   * could yield a number of tuples that is quadratic in the size of the
+   * program. To avoid this combinatorial explosion, only use this predicate in
+   * a context where `this` together with `base` or `derived` are sufficiently
+   * restricted.
+   */
+  pragma[inline]
+  predicate canAccessClass(Class base, Class derived) {
+    // This predicate is marked `inline` and implemented in a very particular
+    // way. If we allowed this predicate to be fully computed, it would relate
+    // all `AccessHolder`s to all classes, which would be too much.
+    // There are four rules in N4140 11.2/4. Only the one named (4.4) is
+    // recursive, and it describes a transitive closure: intuitively, if A can
+    // be converted to B, and B can be converted to C, then A can be converted
+    // to C. To limit the number of tuples in the non-inline helper predicates,
+    // we first separate the derivation of 11.2/4 into two cases:
+    // Derivations using only (4.1) and (4.4). Note that these derivations are
+    // independent of `this`, which is why users of this predicate must take
+    // care to avoid a combinatorial explosion.
+    isDirectPublicBaseOf*(base, derived)
+    or
+    exists(DirectAccessHolder n |
+      this.getEnclosingAccessHolder*() = n and
+      // Derivations using (4.2) or (4.3) at least once.
+      n.thisCanAccessClassTrans(base, derived)
+    )
+  }
+
+  /**
+   * Holds if a non-static member `member` _is accessible at_ `this` when named
+   * in a class `derived` that is derived from or equal to the declaring class
+   * of `member` (N4140 11.2/5 and 11.4).
+   *
+   * This predicate determines whether an expression `x.member` would be
+   * allowed in `this` when `x` has type `derived`. The more general syntax
+   * `x.N::member`, where `N` may be a base class of `derived`, is not
+   * supported. This should only affect very rare edge cases of 11.4. This
+   * predicate concerns only _access_ and thus does not determine whether
+   * `member` can be unambiguously named at `this`: multiple overloads may
+   * apply, or `member` may be declared in an ambiguous base class.
+   *
+   * This predicate is `pragma[inline]` because it is infeasible to fully
+   * compute it on large code bases: all public members `member` are accessible
+   * from everywhere (`this`), so this predicate could yield a number of tuples
+   * that is quadratic in the size of the program. To avoid this combinatorial
+   * explosion, only use this predicate in a context where `this` and `member`
+   * are sufficiently restricted when `member` is public.
+   */
+  pragma[inline]
+  predicate canAccessMember(Declaration member, Class derived) {
+    this.couldAccessMember(member.getDeclaringType(), member.getASpecifier(), derived)
+  }
+
+  /**
+   * Holds if a hypothetical non-static member of `memberClass` with access
+   * specifier `memberAccess` _is accessible at_ `this` when named in a class
+   * `derived` that is derived from or equal to `memberClass` (N4140 11.2/5 and
+   * 11.4).
+   *
+   * This predicate determines whether an expression `x.m` would be
+   * allowed in `this` when `x` has type `derived` and `m` has `memberAccess`
+   * in `memberClass`. The more general syntax `x.N::n`, where `N` may be a
+   * base class of `derived`, is not supported. This should only affect very
+   * rare edge cases of 11.4.
+   *
+   * This predicate is `pragma[inline]` because it is infeasible to fully
+   * compute it on large code bases: all classes `memberClass` have their
+   * public members accessible from everywhere (`this`), so this predicate
+   * could yield a number of tuples that is quadratic in the size of the
+   * program. To avoid this combinatorial explosion, only use this predicate in
+   * a context where `this` and `memberClass` are sufficiently restricted when
+   * `memberAccess` is public.
+   */
+  pragma[inline]
+  predicate couldAccessMember(Class memberClass, AccessSpecifier memberAccess, Class derived) {
+    // There are four rules in N4140 11.2/5. To limit the number of tuples in
+    // the non-inline helper predicates, we first separate the derivation of
+    // 11.2/5 into two cases:
+    // Rule (5.1) directly: the member is public, and `derived` uses public
+    // inheritance all the way up to `memberClass`. Note that these derivations
+    // are independent of `this`, which is why users of this predicate must
+    // take care to avoid a combinatorial explosion.
+    everyoneCouldAccessMember(memberClass, memberAccess, derived)
+    or
+    exists(DirectAccessHolder n |
+      this.getEnclosingAccessHolder*() = n and
+      // Any other derivation.
+      n.thisCouldAccessMember(memberClass, memberAccess, derived)
+    )
+  }
+}
+
+/**
+ * A declaration that very likely has more C++ access rights than its
+ * enclosing element. This comprises `Class` (they have access to their own
+ * private members) along with any target of a `friend` declaration.  For
+ * example `MyClass` and `friendFunction` in the following code:
+ * ```
+ * class MyClass
+ * {
+ * public:
+ *   friend void friendFunction();
+ * };
+ *
+ * void friendFunction() {
+ *   // ...
+ * }
+ * ```
+ * Most access rights are computed for `DirectAccessHolder` instead of
+ * `AccessHolder` -- that's more efficient because there are fewer
+ * `DirectAccessHolder`s. If a `DirectAccessHolder` contains an `AccessHolder`,
+ * then the contained `AccessHolder` inherits its access rights.
+ */
+private class DirectAccessHolder extends Element {
+  DirectAccessHolder() {
+    this instanceof Class
+    or
+    exists(FriendDecl fd | fd.getFriend() = this)
+  }
+
+  /**
+   * Holds if a base class `base` of `derived` _is accessible at_ `this` when
+   * the derivation of that fact uses rule (4.2) and (4.3) of N4140 11.2/4 at
+   * least once. In other words, the `this` parameter is not ignored. This
+   * restriction makes it feasible to fully enumerate this predicate even on
+   * large code bases.
+   */
+  predicate thisCanAccessClassTrans(Class base, Class derived) {
+    // This implementation relies on the following property of our predicates:
+    // if `this.thisCanAccessClassStep(b, d)` and
+    // `isDirectPublicBaseOf(b2, b)`, then
+    // `this.thisCanAccessClassStep(b2, d)`. In other words, if a derivation
+    // uses (4.2) or (4.3) somewhere and uses (4.1) directly above that in the
+    // transitive chain, then the use of (4.1) is redundant. This means we only
+    // need to consider derivations that use (4.2) or (4.3) as the "first"
+    // step, that is, towards `base`, so this implementation is essentially a
+    // transitive closure with a restricted base case.
+    this.thisCanAccessClassStep(base, derived)
+    or
+    exists(Class between | this.thisCanAccessClassTrans(base, between) |
+      isDirectPublicBaseOf(between, derived) or
+      this.thisCanAccessClassStep(between, derived)
+    )
+    // It is possible that this predicate could be computed faster for deep
+    // hierarchies if we can prove and utilize that all derivations of 11.2/4
+    // can be broken down into steps where `base` is a _direct_ base of
+    // `derived` in each step.
+  }
+
+  /**
+   * Holds if a base class `base` of `derived` _is accessible at_ `this` using
+   * only a single application of rule (4.2) and (4.3) of N4140 11.2/4.
+   */
+  private predicate thisCanAccessClassStep(Class base, Class derived) {
+    exists(AccessSpecifier public | public.hasName("public") |
+      // Rules (4.2) and (4.3) are implemented together as one here with
+      // reflexive-transitive inheritance, where (4.3) is the transitive case,
+      // and (4.2) is the reflexive case.
+      exists(Class p | p = derived.getADerivedClass*() |
+        this.isFriendOfOrEqualTo(p) and
+        // Note: it's crucial that this is `!=` rather than `not =` since
+        // `accessOfBaseMember` does not have a result when the member would be
+        // inaccessible.
+        p.accessOfBaseMember(base, public) != public
+      )
+    ) and
+    // This is the only case that doesn't in itself guarantee that
+    // `derived` < `base`, so we add the check here. The standard suggests
+    // computing `canAccessClass` only for derived classes, but that seems
+    // incompatible with the execution model of QL, so we instead construct
+    // every case to guarantee `derived` < `base`.
+    derived = base.getADerivedClass+()
+  }
+
+  /**
+   * Like `couldAccessMember` but only contains derivations in which either
+   * (5.2), (5.3) or (5.4) must be invoked. In other words, the `this`
+   * parameter is not ignored. This restriction makes it feasible to fully
+   * enumerate this predicate even on large code bases. We check for 11.4 as
+   * part of (5.3), since this further limits the number of tuples produced by
+   * this predicate.
+   */
+  predicate thisCouldAccessMember(Class memberClass, AccessSpecifier memberAccess, Class derived) {
+    // Only (5.4) is recursive, and chains of invocations of (5.4) can always
+    // be collapsed to one invocation by the transitivity of 11.2/4.
+    // Derivations not using (5.4) can always be rewritten to have a (5.4) rule
+    // in front because our encoding of 11.2/4 in `canAccessClass` is
+    // reflexive. Thus, we only need to consider three cases: rule (5.4)
+    // followed by either (5.1), (5.2) or (5.3).
+    // Rule (5.4), using a non-trivial derivation of 11.2/4, followed by (5.1).
+    // If the derivation of 11.2/4 is trivial (only uses (4.1) and (4.4)), this
+    // case can be replaced with purely (5.1) and thus does not need to be in
+    // this predicate.
+    exists(Class between | this.thisCanAccessClassTrans(between, derived) |
+      everyoneCouldAccessMember(memberClass, memberAccess, between)
+    )
+    or
+    // Rule (5.4) followed by Rule (5.2)
+    exists(Class between | this.(AccessHolder).canAccessClass(between, derived) |
+      between.accessOfBaseMember(memberClass, memberAccess).hasName("private") and
+      this.isFriendOfOrEqualTo(between)
+    )
+    or
+    // Rule (5.4) followed by Rule (5.3), integrating 11.4. We integrate 11.4
+    // here because we would otherwise generate too many tuples. This code is
+    // very performance-sensitive, and any changes should be benchmarked on
+    // LibreOffice.
+    // Rule (5.4) requires that `this.canAccessClass(between, derived)`
+    // (implying that `derived <= between` in the class hierarchy) and that
+    // `p <= between`. Rule 11.4 additionally requires `derived <= p`, but
+    // all these rules together result in too much freedom and overlap between
+    // cases. Therefore, for performance, we split into three cases for how
+    // `between` as a base of `derived` is accessible at `this`, where `this`
+    // is the implementation of `p`:
+    // 1. `between` is an accessible base of `derived` by going through `p` as
+    //    an intermediate step.
+    // 2. `this` is part of the implementation of `derived` because it's a
+    //    member or a friend. In this case, we do not need `p` to perform this
+    //    derivation, so we can set `p = derived` and proceed as in case 1.
+    // 3. `derived` has an alternative inheritance path up to `between` that
+    //    bypasses `p`. Then that path must be public, or we are in case 2.
+    exists(AccessSpecifier public | public.hasName("public") |
+      exists(Class between, Class p |
+        between.accessOfBaseMember(memberClass, memberAccess).hasName("protected") and
+        this.isFriendOfOrEqualTo(p) and
+        (
+          // This is case 1 from above. If `p` derives privately from `between`
+          // then the member we're trying to access is private or inaccessible
+          // in `derived`, so either rule (5.2) applies instead, or the member
+          // is inaccessible. Therefore, in this case, `p` must derive at least
+          // protected from `between`. Further, since the access of `derived`
+          // to its base `between` must pass through `p` in this case, we know
+          // that `derived` must derived publicly from `p` unless we are in
+          // case 2; there are no other cases of 11.2/4 where the
+          // implementation of a base class can access itself as a base.
+          p.accessOfBaseMember(between, public).getName() >= "protected" and
+          derived.accessOfBaseMember(p, public) = public
+          or
+          // This is case 3 above.
+          derived.accessOfBaseMember(between, public) = public and
+          derived = p.getADerivedClass*() and
+          exists(p.accessOfBaseMember(between, memberAccess))
+        )
+      )
+    )
+  }
+
+  private predicate isFriendOfOrEqualTo(Class c) {
+    exists(FriendDecl fd | fd.getDeclaringClass() = c | this = fd.getFriend())
+    or
+    this = c
+  }
+}
+
+/**
+ * Holds if `base` is a direct public base of `derived`, possibly virtual and
+ * possibly through typedefs. The transitive closure of this predicate encodes
+ * derivations of N4140 11.2/4 that use only (4.1) and (4.4).
+ */
+private predicate isDirectPublicBaseOf(Class base, Class derived) {
+  exists(ClassDerivation cd |
+    cd.getBaseClass() = base and
+    cd.getDerivedClass() = derived and
+    cd.getASpecifier().hasName("public")
+  )
+}
+
+/**
+ * Holds if a hypothetical member of `memberClass` with access specifier
+ * `memberAccess` would be public when named as a member of `derived`.
+ * This encodes N4140 11.2/5 case (5.1).
+ */
+private predicate everyoneCouldAccessMember(
+  Class memberClass, AccessSpecifier memberAccess, Class derived
+) {
+  derived.accessOfBaseMember(memberClass, memberAccess).hasName("public")
+}

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -0,0 +1,297 @@
+/**
+ * Provides the `Element` class, which is the base class for all classes representing C or C++
+ * program elements.
+ */
+
+import semmle.code.cpp.Location
+private import semmle.code.cpp.Enclosing
+private import semmle.code.cpp.internal.ResolveClass
+
+/**
+ * Get the `Element` that represents this `@element`.
+ * Normally this will simply be a cast of `e`, but sometimes it is not.
+ * For example, for an incomplete struct `e` the result may be a
+ * complete struct with the same name.
+ */
+pragma[inline]
+Element mkElement(@element e) { unresolveElement(result) = e }
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Gets an `@element` that resolves to the `Element`. This should
+ * normally only be called from member predicates, where `e` is not
+ * `this` and you need the result for an argument to a database
+ * extensional.
+ * See `underlyingElement` for when `e` is `this`.
+ */
+pragma[inline]
+@element unresolveElement(Element e) {
+  not result instanceof @usertype and
+  result = e
+  or
+  e = resolveClass(result)
+}
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Gets the `@element` that this `Element` extends. This should normally
+ * only be called from member predicates, where `e` is `this` and you
+ * need the result for an argument to a database extensional.
+ * See `unresolveElement` for when `e` is not `this`.
+ */
+@element underlyingElement(Element e) { result = e }
+
+/**
+ * A C/C++ element with no member predicates other than `toString`. Not for
+ * general use. This class does not define a location, so classes wanting to
+ * change their location without affecting other classes can extend
+ * `ElementBase` instead of `Element` to create a new rootdef for `getURL`,
+ * `getLocation`, or `hasLocationInfo`.
+ */
+class ElementBase extends @element {
+  /** Gets a textual representation of this element. */
+  cached
+  string toString() { none() }
+
+  /** DEPRECATED: use `getAPrimaryQlClass` instead. */
+  deprecated string getCanonicalQLClass() { result = this.getAPrimaryQlClass() }
+
+  /**
+   * Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
+   */
+  final string getPrimaryQlClasses() { result = concat(this.getAPrimaryQlClass(), ",") }
+
+  /**
+   * Gets the name of a primary CodeQL class to which this element belongs.
+   *
+   * For most elements, this is simply the most precise syntactic category to
+   * which they belong; for example, `AddExpr` is a primary class, but
+   * `BinaryOperation` is not.
+   *
+   * This predicate can have multiple results if multiple primary classes match.
+   * For some elements, this predicate may not have a result.
+   */
+  string getAPrimaryQlClass() { none() }
+}
+
+/**
+ * A C/C++ element. This class is the base class for all C/C++
+ * elements, such as functions, classes, expressions, and so on.
+ */
+class Element extends ElementBase {
+  /** Gets the primary file where this element occurs. */
+  File getFile() { result = this.getLocation().getFile() }
+
+  /**
+   * Holds if this element may be from source. This predicate holds for all
+   * elements, except for those in the dummy file, whose name is the empty string.
+   * The dummy file contains declarations that are built directly into the compiler.
+   */
+  predicate fromSource() { this.getFile().fromSource() }
+
+  /**
+   * Holds if this element may be from a library.
+   *
+   * DEPRECATED: always true.
+   */
+  deprecated predicate fromLibrary() { this.getFile().fromLibrary() }
+
+  /** Gets the primary location of this element. */
+  Location getLocation() { none() }
+
+  /**
+   * Gets the source of this element: either itself or a macro that expanded
+   * to this element.
+   *
+   * If the element is not in a macro expansion, then the "root" is just
+   * the element itself. Otherwise, it is the definition of the innermost
+   * macro whose expansion the element is in.
+   *
+   * This method is useful for filtering macro results in checks: simply
+   * blame `e.findRootCause` rather than `e`. This will report only bugs
+   * that are not in macros, and in addition report macros that (somewhere)
+   * expand to a bug.
+   */
+  Element findRootCause() {
+    if exists(MacroInvocation mi | this = mi.getAGeneratedElement())
+    then
+      exists(MacroInvocation mi |
+        this = mi.getAGeneratedElement() and
+        not exists(MacroInvocation closer |
+          this = closer.getAGeneratedElement() and
+          mi = closer.getParentInvocation+()
+        ) and
+        result = mi.getMacro()
+      )
+    else result = this
+  }
+
+  /**
+   * Gets the parent scope of this `Element`, if any.
+   * A scope is a `Type` (`Class` / `Enum`), a `Namespace`, a `BlockStmt`, a `Function`,
+   * or certain kinds of `Statement`.
+   */
+  Element getParentScope() {
+    // result instanceof class
+    exists(Declaration m |
+      m = this and
+      result = m.getDeclaringType() and
+      not this instanceof EnumConstant
+    )
+    or
+    exists(TemplateClass tc | this = tc.getATemplateArgument() and result = tc)
+    or
+    // result instanceof namespace
+    exists(Namespace n | result = n and n.getADeclaration() = this)
+    or
+    exists(FriendDecl d, Namespace n | this = d and n.getADeclaration() = d and result = n)
+    or
+    exists(Namespace n | this = n and result = n.getParentNamespace())
+    or
+    // result instanceof stmt
+    exists(LocalVariable v |
+      this = v and
+      exists(DeclStmt ds | ds.getADeclaration() = v and result = ds.getParent())
+    )
+    or
+    exists(Parameter p | this = p and result = p.getFunction())
+    or
+    exists(GlobalVariable g, Namespace n | this = g and n.getADeclaration() = g and result = n)
+    or
+    exists(EnumConstant e | this = e and result = e.getDeclaringEnum())
+    or
+    // result instanceof block|function
+    exists(BlockStmt b | this = b and blockscope(unresolveElement(b), unresolveElement(result)))
+    or
+    exists(TemplateFunction tf | this = tf.getATemplateArgument() and result = tf)
+    or
+    // result instanceof stmt
+    exists(ControlStructure s | this = s and result = s.getParent())
+    or
+    using_container(unresolveElement(result), underlyingElement(this))
+  }
+
+  /**
+   * Holds if this element comes from a macro expansion. Only elements that
+   * are entirely generated by a macro are included - for elements that
+   * partially come from a macro, see `isAffectedByMacro`.
+   */
+  predicate isInMacroExpansion() { inMacroExpansion(this) }
+
+  /**
+   * Holds if this element is affected in any way by a macro. All elements
+   * that are totally or partially generated by a macro are included, so
+   * this is a super-set of `isInMacroExpansion`.
+   */
+  predicate isAffectedByMacro() { affectedByMacro(this) }
+
+  private Element getEnclosingElementPref() {
+    enclosingfunction(underlyingElement(this), unresolveElement(result)) or
+    result.(Function) = stmtEnclosingElement(this) or
+    this.(LocalScopeVariable).getFunction() = result or
+    enumconstants(underlyingElement(this), unresolveElement(result), _, _, _, _) or
+    derivations(underlyingElement(this), unresolveElement(result), _, _, _) or
+    stmtparents(underlyingElement(this), _, unresolveElement(result)) or
+    exprparents(underlyingElement(this), _, unresolveElement(result)) or
+    namequalifiers(underlyingElement(this), unresolveElement(result), _, _) or
+    initialisers(underlyingElement(this), unresolveElement(result), _, _) or
+    exprconv(unresolveElement(result), underlyingElement(this)) or
+    param_decl_bind(underlyingElement(this), _, unresolveElement(result)) or
+    using_container(unresolveElement(result), underlyingElement(this)) or
+    static_asserts(unresolveElement(this), _, _, _, underlyingElement(result))
+  }
+
+  /** Gets the closest `Element` enclosing this one. */
+  cached
+  Element getEnclosingElement() {
+    result = this.getEnclosingElementPref()
+    or
+    not exists(this.getEnclosingElementPref()) and
+    (
+      this = result.(Class).getAMember()
+      or
+      result = exprEnclosingElement(this)
+      or
+      var_decls(underlyingElement(this), unresolveElement(result), _, _, _)
+    )
+  }
+
+  /**
+   * Holds if this `Element` is a part of a template instantiation (but not
+   * the template itself).
+   */
+  predicate isFromTemplateInstantiation(Element instantiation) {
+    exists(Element e | isFromTemplateInstantiationRec(e, instantiation) |
+      this = e or
+      this.(DeclarationEntry).getDeclaration() = e
+    )
+  }
+
+  /**
+   * Holds if this `Element` is part of a template `template` (not if it is
+   * part of an instantiation of `template`). This means it is represented in
+   * the database purely as syntax and without guarantees on the presence or
+   * correctness of type-based operations such as implicit conversions.
+   *
+   * If an element is nested within several templates, this predicate holds with
+   * a value of `template` for each containing template.
+   */
+  predicate isFromUninstantiatedTemplate(Element template) {
+    exists(Element e | isFromUninstantiatedTemplateRec(e, template) |
+      this = e or
+      this.(DeclarationEntry).getDeclaration() = e
+    )
+  }
+}
+
+private predicate isFromTemplateInstantiationRec(Element e, Element instantiation) {
+  instantiation.(Function).isConstructedFrom(_) and
+  e = instantiation
+  or
+  instantiation.(Class).isConstructedFrom(_) and
+  e = instantiation
+  or
+  instantiation.(Variable).isConstructedFrom(_) and
+  e = instantiation
+  or
+  isFromTemplateInstantiationRec(e.getEnclosingElement(), instantiation)
+}
+
+private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
+  is_class_template(unresolveElement(template)) and
+  e = template
+  or
+  is_function_template(unresolveElement(template)) and
+  e = template
+  or
+  is_variable_template(unresolveElement(template)) and
+  e = template
+  or
+  isFromUninstantiatedTemplateRec(e.getEnclosingElement(), template)
+}
+
+/**
+ * A C++11 `static_assert` or C11 `_Static_assert` construct. For example each
+ * line in the following example contains a static assert:
+ * ```
+ * static_assert(sizeof(MyStruct) <= 4096);
+ * static_assert(sizeof(MyStruct) <= 4096, "MyStruct is too big!");
+ * ```
+ */
+class StaticAssert extends Locatable, @static_assert {
+  override string toString() { result = "static_assert(..., \"" + this.getMessage() + "\")" }
+
+  /**
+   * Gets the expression which this static assertion ensures is true.
+   */
+  Expr getCondition() { static_asserts(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  /**
+   * Gets the message which will be reported by the compiler if this static assertion fails.
+   */
+  string getMessage() { static_asserts(underlyingElement(this), _, result, _, _) }
+
+  override Location getLocation() { static_asserts(underlyingElement(this), _, _, result, _) }
+}

cpp/ql/lib/semmle/code/cpp/Enum.qll

@@ -85,7 +85,7 @@ class Enum extends UserType, IntegralOrEnumType {
  * ```
  */
 class LocalEnum extends Enum {
-  LocalEnum() { isLocal() }
+  LocalEnum() { this.isLocal() }
 
   override string getAPrimaryQlClass() { result = "LocalEnum" }
 }

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -0,0 +1,452 @@
+/**
+ * Provides classes representing files and folders.
+ */
+
+import semmle.code.cpp.Element
+import semmle.code.cpp.Declaration
+import semmle.code.cpp.metrics.MetricFile
+
+/** A file or folder. */
+class Container extends Locatable, @container {
+  /**
+   * Gets the absolute, canonical path of this container, using forward slashes
+   * as path separator.
+   *
+   * The path starts with a _root prefix_ followed by zero or more _path
+   * segments_ separated by forward slashes.
+   *
+   * The root prefix is of one of the following forms:
+   *
+   *   1. A single forward slash `/` (Unix-style)
+   *   2. An upper-case drive letter followed by a colon and a forward slash,
+   *      such as `C:/` (Windows-style)
+   *   3. Two forward slashes, a computer name, and then another forward slash,
+   *      such as `//FileServer/` (UNC-style)
+   *
+   * Path segments are never empty (that is, absolute paths never contain two
+   * contiguous slashes, except as part of a UNC-style root prefix). Also, path
+   * segments never contain forward slashes, and no path segment is of the
+   * form `.` (one dot) or `..` (two dots).
+   *
+   * Note that an absolute path never ends with a forward slash, except if it is
+   * a bare root prefix, that is, the path has no path segments. A container
+   * whose absolute path has no segments is always a `Folder`, not a `File`.
+   */
+  string getAbsolutePath() { none() } // overridden by subclasses
+
+  /**
+   * DEPRECATED: Use `getLocation` instead.
+   * Gets a URL representing the location of this container.
+   *
+   * For more information see [Providing URLs](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls).
+   */
+  deprecated string getURL() { none() } // overridden by subclasses
+
+  /**
+   * Gets the relative path of this file or folder from the root folder of the
+   * analyzed source location. The relative path of the root folder itself is
+   * the empty string.
+   *
+   * This has no result if the container is outside the source root, that is,
+   * if the root folder is not a reflexive, transitive parent of this container.
+   */
+  string getRelativePath() {
+    exists(string absPath, string pref |
+      absPath = this.getAbsolutePath() and sourceLocationPrefix(pref)
+    |
+      absPath = pref and result = ""
+      or
+      absPath = pref.regexpReplaceAll("/$", "") + "/" + result and
+      not result.matches("/%")
+    )
+  }
+
+  /**
+   * Gets the base name of this container including extension, that is, the last
+   * segment of its absolute path, or the empty string if it has no segments.
+   *
+   * Here are some examples of absolute paths and the corresponding base names
+   * (surrounded with quotes to avoid ambiguity):
+   *
+   * <table border="1">
+   * <tr><th>Absolute path</th><th>Base name</th></tr>
+   * <tr><td>"/tmp/tst.js"</td><td>"tst.js"</td></tr>
+   * <tr><td>"C:/Program Files (x86)"</td><td>"Program Files (x86)"</td></tr>
+   * <tr><td>"/"</td><td>""</td></tr>
+   * <tr><td>"C:/"</td><td>""</td></tr>
+   * <tr><td>"D:/"</td><td>""</td></tr>
+   * <tr><td>"//FileServer/"</td><td>""</td></tr>
+   * </table>
+   */
+  string getBaseName() {
+    result = this.getAbsolutePath().regexpCapture(".*/(([^/]*?)(?:\\.([^.]*))?)", 1)
+  }
+
+  /**
+   * Gets the extension of this container, that is, the suffix of its base name
+   * after the last dot character, if any.
+   *
+   * In particular,
+   *
+   *  - if the name does not include a dot, there is no extension, so this
+   *    predicate has no result;
+   *  - if the name ends in a dot, the extension is the empty string;
+   *  - if the name contains multiple dots, the extension follows the last dot.
+   *
+   * Here are some examples of absolute paths and the corresponding extensions
+   * (surrounded with quotes to avoid ambiguity):
+   *
+   * <table border="1">
+   * <tr><th>Absolute path</th><th>Extension</th></tr>
+   * <tr><td>"/tmp/tst.js"</td><td>"js"</td></tr>
+   * <tr><td>"/tmp/.classpath"</td><td>"classpath"</td></tr>
+   * <tr><td>"/bin/bash"</td><td>not defined</td></tr>
+   * <tr><td>"/tmp/tst2."</td><td>""</td></tr>
+   * <tr><td>"/tmp/x.tar.gz"</td><td>"gz"</td></tr>
+   * </table>
+   */
+  string getExtension() {
+    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(\\.([^.]*))?", 3)
+  }
+
+  /**
+   * Gets the stem of this container, that is, the prefix of its base name up to
+   * (but not including) the last dot character if there is one, or the entire
+   * base name if there is not.
+   *
+   * Here are some examples of absolute paths and the corresponding stems
+   * (surrounded with quotes to avoid ambiguity):
+   *
+   * <table border="1">
+   * <tr><th>Absolute path</th><th>Stem</th></tr>
+   * <tr><td>"/tmp/tst.js"</td><td>"tst"</td></tr>
+   * <tr><td>"/tmp/.classpath"</td><td>""</td></tr>
+   * <tr><td>"/bin/bash"</td><td>"bash"</td></tr>
+   * <tr><td>"/tmp/tst2."</td><td>"tst2"</td></tr>
+   * <tr><td>"/tmp/x.tar.gz"</td><td>"x.tar"</td></tr>
+   * </table>
+   */
+  string getStem() {
+    result = this.getAbsolutePath().regexpCapture(".*/([^/]*?)(?:\\.([^.]*))?", 1)
+  }
+
+  /** Gets the parent container of this file or folder, if any. */
+  Container getParentContainer() {
+    containerparent(unresolveElement(result), underlyingElement(this))
+  }
+
+  /** Gets a file or sub-folder in this container. */
+  Container getAChildContainer() { this = result.getParentContainer() }
+
+  /** Gets a file in this container. */
+  File getAFile() { result = this.getAChildContainer() }
+
+  /** Gets the file in this container that has the given `baseName`, if any. */
+  File getFile(string baseName) {
+    result = this.getAFile() and
+    result.getBaseName() = baseName
+  }
+
+  /** Gets a sub-folder in this container. */
+  Folder getAFolder() { result = this.getAChildContainer() }
+
+  /** Gets the sub-folder in this container that has the given `baseName`, if any. */
+  Folder getFolder(string baseName) {
+    result = this.getAFolder() and
+    result.getBaseName() = baseName
+  }
+
+  /**
+   * Gets a textual representation of the path of this container.
+   *
+   * This is the absolute path of the container.
+   */
+  override string toString() { result = this.getAbsolutePath() }
+}
+
+/**
+ * A folder that was observed on disk during the build process.
+ *
+ * For the example folder name of "/usr/home/me", the path decomposes to:
+ *
+ *  1. "/usr/home" - see `getParentContainer`.
+ *  2. "me" - see `getBaseName`.
+ *
+ * To get the full path, use `getAbsolutePath`.
+ */
+class Folder extends Container, @folder {
+  override string getAbsolutePath() { folders(underlyingElement(this), result) }
+
+  override Location getLocation() {
+    result.getContainer() = this and
+    result.hasLocationInfo(_, 0, 0, 0, 0)
+  }
+
+  override string getAPrimaryQlClass() { result = "Folder" }
+
+  /**
+   * DEPRECATED: Use `getLocation` instead.
+   * Gets the URL of this folder.
+   */
+  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
+
+  /**
+   * DEPRECATED: use `getAbsolutePath` instead.
+   * Gets the name of this folder.
+   */
+  deprecated string getName() { folders(underlyingElement(this), result) }
+
+  /**
+   * DEPRECATED: use `getAbsolutePath` instead.
+   * Holds if this element is named `name`.
+   */
+  deprecated predicate hasName(string name) { name = this.getName() }
+
+  /**
+   * DEPRECATED: use `getAbsolutePath` instead.
+   * Gets the full name of this folder.
+   */
+  deprecated string getFullName() { result = this.getName() }
+
+  /**
+   * DEPRECATED: use `getBaseName` instead.
+   * Gets the last part of the folder name.
+   */
+  deprecated string getShortName() { result = this.getBaseName() }
+
+  /**
+   * DEPRECATED: use `getParentContainer` instead.
+   * Gets the parent folder.
+   */
+  deprecated Folder getParent() {
+    containerparent(unresolveElement(result), underlyingElement(this))
+  }
+}
+
+/**
+ * A file that was observed on disk during the build process.
+ *
+ * For the example filename of "/usr/home/me/myprogram.c", the filename
+ * decomposes to:
+ *
+ *  1. "/usr/home/me" - see `getParentContainer`.
+ *  2. "myprogram.c" - see `getBaseName`.
+ *
+ * The base name further decomposes into the _stem_ and _extension_ -- see
+ * `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
+ */
+class File extends Container, @file {
+  override string getAbsolutePath() { files(underlyingElement(this), result) }
+
+  override string toString() { result = Container.super.toString() }
+
+  override string getAPrimaryQlClass() { result = "File" }
+
+  override Location getLocation() {
+    result.getContainer() = this and
+    result.hasLocationInfo(_, 0, 0, 0, 0)
+  }
+
+  /**
+   * DEPRECATED: Use `getLocation` instead.
+   * Gets the URL of this file.
+   */
+  deprecated override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
+
+  /** Holds if this file was compiled as C (at any point). */
+  predicate compiledAsC() { fileannotations(underlyingElement(this), 1, "compiled as c", "1") }
+
+  /** Holds if this file was compiled as C++ (at any point). */
+  predicate compiledAsCpp() { fileannotations(underlyingElement(this), 1, "compiled as c++", "1") }
+
+  /**
+   * Holds if this file was compiled by a Microsoft compiler (at any point).
+   *
+   * Note: currently unreliable - on some projects only some of the files that
+   * are compiled by a Microsoft compiler are detected by this predicate.
+   */
+  predicate compiledAsMicrosoft() {
+    exists(File f, Compilation c |
+      c.getAFileCompiled() = f and
+      (
+        c.getAnArgument() = "--microsoft" or
+        c.getAnArgument()
+            .toLowerCase()
+            .replaceAll("\\", "/")
+            .matches(["%/cl.exe", "%/clang-cl.exe"])
+      ) and
+      f.getAnIncludedFile*() = this
+    )
+  }
+
+  /** Gets a top-level element declared in this file. */
+  Declaration getATopLevelDeclaration() { result.getAFile() = this and result.isTopLevel() }
+
+  /** Gets a declaration in this file. */
+  Declaration getADeclaration() { result.getAFile() = this }
+
+  /** Holds if this file uses the given macro. */
+  predicate usesMacro(Macro m) {
+    exists(MacroInvocation mi |
+      mi.getFile() = this and
+      mi.getMacro() = m
+    )
+  }
+
+  /**
+   * Gets a file that is directly included from this file (using a
+   * pre-processor directive like `#include`).
+   */
+  File getAnIncludedFile() {
+    exists(Include i | i.getFile() = this and i.getIncludedFile() = result)
+  }
+
+  /**
+   * Holds if this file may be from source. This predicate holds for all files
+   * except the dummy file, whose name is the empty string, which contains
+   * declarations that are built into the compiler.
+   */
+  override predicate fromSource() { numlines(underlyingElement(this), _, _, _) }
+
+  /**
+   * Holds if this file may be from a library.
+   *
+   * DEPRECATED: For historical reasons this is true for any file.
+   */
+  deprecated override predicate fromLibrary() { any() }
+
+  /** Gets the metric file. */
+  MetricFile getMetrics() { result = this }
+
+  /**
+   * Gets the remainder of the base name after the first dot character. Note
+   * that the name of this predicate is in plural form, unlike `getExtension`,
+   * which gets the remainder of the base name after the _last_ dot character.
+   *
+   * Predicates `getStem` and `getExtension` should be preferred over
+   * `getShortName` and `getExtensions` since the former pair is compatible
+   * with the file libraries of other languages.
+   * Note the slight difference between this predicate and `getStem`:
+   * for example, for "file.tar.gz", this predicate will have the result
+   * "tar.gz", while `getExtension` will have the result "gz".
+   */
+  string getExtensions() {
+    exists(string name, int firstDotPos |
+      name = this.getBaseName() and
+      firstDotPos = min([name.indexOf("."), name.length() - 1]) and
+      result = name.suffix(firstDotPos + 1)
+    )
+  }
+
+  /**
+   * Gets the short name of this file, that is, the prefix of its base name up
+   * to (but not including) the first dot character if there is one, or the
+   * entire base name if there is not. For example, if the full name is
+   * "/path/to/filename.a.bcd" then the short name is "filename".
+   *
+   * Predicates `getStem` and `getExtension` should be preferred over
+   * `getShortName` and `getExtensions` since the former pair is compatible
+   * with the file libraries of other languages.
+   * Note the slight difference between this predicate and `getStem`:
+   * for example, for "file.tar.gz", this predicate will have the result
+   * "file", while `getStem` will have the result "file.tar".
+   */
+  string getShortName() {
+    exists(string name, int firstDotPos |
+      name = this.getBaseName() and
+      firstDotPos = min([name.indexOf("."), name.length()]) and
+      result = name.prefix(firstDotPos)
+    )
+    or
+    this.getAbsolutePath() = "" and
+    result = ""
+  }
+}
+
+/**
+ * Holds if any file was compiled by a Microsoft compiler.
+ */
+predicate anyFileCompiledAsMicrosoft() { any(File f).compiledAsMicrosoft() }
+
+/**
+ * A C/C++ header file, as determined (mainly) by file extension.
+ *
+ * For the related notion of whether a file is included anywhere (using a
+ * pre-processor directive like `#include`), use `Include.getIncludedFile`.
+ */
+class HeaderFile extends File {
+  HeaderFile() {
+    this.getExtension().toLowerCase() =
+      ["h", "r", "hpp", "hxx", "h++", "hh", "hp", "tcc", "tpp", "txx", "t++"]
+    or
+    not exists(this.getExtension()) and
+    exists(Include i | i.getIncludedFile() = this)
+  }
+
+  override string getAPrimaryQlClass() { result = "HeaderFile" }
+
+  /**
+   * Holds if this header file does not contain any declaration entries or top level
+   * declarations.  For example it might be:
+   *  - a file containing only preprocessor directives and/or comments
+   *  - an empty file
+   *  - a file that contains non-top level code or data that's included in an
+   *    unusual way
+   */
+  predicate noTopLevelCode() {
+    not exists(DeclarationEntry de | de.getFile() = this) and
+    not exists(Declaration d | d.getFile() = this and d.isTopLevel()) and
+    not exists(UsingEntry ue | ue.getFile() = this)
+  }
+}
+
+/**
+ * A C source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as C code, use
+ * `File.compiledAsC`.
+ */
+class CFile extends File {
+  CFile() { this.getExtension().toLowerCase() = ["c", "i"] }
+
+  override string getAPrimaryQlClass() { result = "CFile" }
+}
+
+/**
+ * A C++ source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as C++ code, use
+ * `File.compiledAsCpp`.
+ */
+class CppFile extends File {
+  CppFile() {
+    this.getExtension().toLowerCase() =
+      ["cpp", "cxx", "c++", "cc", "cp", "icc", "ipp", "ixx", "i++", "ii"]
+    // Note: .C files are indistinguishable from .c files on some
+    // file systems, so we just treat them as CFile's.
+  }
+
+  override string getAPrimaryQlClass() { result = "CppFile" }
+}
+
+/**
+ * DEPRECATED: Objective-C is no longer supported.
+ * An Objective C source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as Objective C
+ * code, use `File.compiledAsObjC`.
+ */
+deprecated class ObjCFile extends File {
+  ObjCFile() { none() }
+}
+
+/**
+ * DEPRECATED: Objective-C is no longer supported.
+ * An Objective C++ source file, as determined by file extension.
+ *
+ * For the related notion of whether a file is compiled as Objective C++
+ * code, use `File.compiledAsObjCpp`.
+ */
+deprecated class ObjCppFile extends File {
+  ObjCppFile() { none() }
+}

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -0,0 +1,877 @@
+/**
+ * Provides classes for working with functions, including template functions.
+ */
+
+import semmle.code.cpp.Location
+import semmle.code.cpp.Class
+import semmle.code.cpp.Parameter
+import semmle.code.cpp.exprs.Call
+import semmle.code.cpp.metrics.MetricFunction
+import semmle.code.cpp.Linkage
+private import semmle.code.cpp.internal.ResolveClass
+
+/**
+ * A C/C++ function [N4140 8.3.5]. Both member functions and non-member
+ * functions are included. For example the function `MyFunction` in:
+ * ```
+ * void MyFunction() {
+ *   DoSomething();
+ * }
+ * ```
+ *
+ * Function has a one-to-many relationship with FunctionDeclarationEntry,
+ * because the same function can be declared in multiple locations. This
+ * relationship between `Declaration` and `DeclarationEntry` is explained
+ * in more detail in `Declaration.qll`.
+ */
+class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
+  override string getName() { functions(underlyingElement(this), result, _) }
+
+  /**
+   * DEPRECATED: Use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
+   * Gets the full signature of this function, including return type, parameter
+   * types, and template arguments.
+   *
+   * For example, in the following code:
+   * ```
+   * template<typename T> T min(T x, T y);
+   * int z = min(5, 7);
+   * ```
+   * The full signature of the function called on the last line would be
+   * "min<int>(int, int) -> int", and the full signature of the uninstantiated
+   * template on the first line would be "min<T>(T, T) -> T".
+   */
+  string getFullSignature() {
+    exists(string name, string templateArgs, string args |
+      result = name + templateArgs + args + " -> " + this.getType().toString() and
+      name = this.getQualifiedName() and
+      (
+        if exists(this.getATemplateArgument())
+        then
+          templateArgs =
+            "<" +
+              concat(int i |
+                exists(this.getTemplateArgument(i))
+              |
+                this.getTemplateArgument(i).toString(), ", " order by i
+              ) + ">"
+        else templateArgs = ""
+      ) and
+      args =
+        "(" +
+          concat(int i |
+            exists(this.getParameter(i))
+          |
+            this.getParameter(i).getType().toString(), ", " order by i
+          ) + ")"
+    )
+  }
+
+  /** Gets a specifier of this function. */
+  override Specifier getASpecifier() {
+    funspecifiers(underlyingElement(this), unresolveElement(result)) or
+    result.hasName(this.getADeclarationEntry().getASpecifier())
+  }
+
+  /** Gets an attribute of this function. */
+  Attribute getAnAttribute() { funcattributes(underlyingElement(this), unresolveElement(result)) }
+
+  /** Holds if this function is generated by the compiler. */
+  predicate isCompilerGenerated() { compgenerated(underlyingElement(this)) }
+
+  /** Holds if this function is inline. */
+  predicate isInline() { this.hasSpecifier("inline") }
+
+  /**
+   * Holds if this function is virtual.
+   *
+   * Unlike `isDeclaredVirtual()`, `isVirtual()` holds even if the function
+   * is not explicitly declared with the `virtual` specifier.
+   */
+  predicate isVirtual() { this.hasSpecifier("virtual") }
+
+  /** Holds if this function is declared with the `virtual` specifier. */
+  predicate isDeclaredVirtual() { this.hasSpecifier("declared_virtual") }
+
+  /** Holds if this function is declared with the `override` specifier. */
+  predicate isOverride() { this.hasSpecifier("override") }
+
+  /** Holds if this function is declared with the `final` specifier. */
+  predicate isFinal() { this.hasSpecifier("final") }
+
+  /**
+   * Holds if this function is deleted.
+   * This may be because it was explicitly deleted with an `= delete`
+   * definition, or because the compiler was unable to auto-generate a
+   * definition for it.
+   *
+   * Most implicitly deleted functions are omitted from the database.
+   * `Class.implicitCopyConstructorDeleted` and
+   * `Class.implicitCopyAssignmentOperatorDeleted` can be used to find
+   * whether a class would have had those members implicitly deleted.
+   */
+  predicate isDeleted() { function_deleted(underlyingElement(this)) }
+
+  /**
+   * Holds if this function is explicitly defaulted with the `= default`
+   * specifier.
+   */
+  predicate isDefaulted() { function_defaulted(underlyingElement(this)) }
+
+  /**
+   * Holds if this function is declared to be `constexpr`.
+   *
+   * Note that this does not hold if the function has been declared
+   * `consteval`.
+   */
+  predicate isDeclaredConstexpr() { this.hasSpecifier("declared_constexpr") }
+
+  /**
+   * Holds if this function is `constexpr`. Normally, this holds if and
+   * only if `isDeclaredConstexpr()` holds, but in some circumstances
+   * they differ. For example, with
+   * ```
+   * int f(int i) { return 6; }
+   * template <typename T> constexpr int g(T x) { return f(x); }
+   * ```
+   * `g<int>` is declared constexpr, but is not constexpr.
+   *
+   * Will also hold if this function is `consteval`.
+   */
+  predicate isConstexpr() { this.hasSpecifier("is_constexpr") }
+
+  /**
+   * Holds if this function is declared to be `consteval`.
+   */
+  predicate isConsteval() { this.hasSpecifier("is_consteval") }
+
+  /**
+   * Holds if this function is declared with `__attribute__((naked))` or
+   * `__declspec(naked)`.
+   */
+  predicate isNaked() { this.getAnAttribute().hasName("naked") }
+
+  /**
+   * Holds if this function has a trailing return type.
+   *
+   * Note that this is true whether or not deduction took place. For example,
+   * this holds for both `e` and `f`, but not `g` or `h`:
+   * ```
+   * auto e() -> int { return 0; }
+   * auto f() -> auto { return 0; }
+   * auto g() { return 0; }
+   * int h() { return 0; }
+   * ```
+   */
+  predicate hasTrailingReturnType() { this.hasSpecifier("has_trailing_return_type") }
+
+  /** Gets the return type of this function. */
+  Type getType() { function_return_type(underlyingElement(this), unresolveElement(result)) }
+
+  /**
+   * Gets the return type of this function after specifiers have been deeply
+   * stripped and typedefs have been resolved.
+   */
+  Type getUnspecifiedType() { result = this.getType().getUnspecifiedType() }
+
+  /**
+   * Gets the nth parameter of this function. There is no result for the
+   * implicit `this` parameter, and there is no `...` varargs pseudo-parameter.
+   */
+  Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) }
+
+  /**
+   * Gets a parameter of this function. There is no result for the implicit
+   * `this` parameter, and there is no `...` varargs pseudo-parameter.
+   */
+  Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) }
+
+  /**
+   * Gets an access of this function.
+   *
+   * To get calls to this function, use `getACallToThisFunction` instead.
+   */
+  FunctionAccess getAnAccess() { result.getTarget() = this }
+
+  /**
+   * Gets the number of parameters of this function, _not_ including any
+   * implicit `this` parameter or any `...` varargs pseudo-parameter.
+   */
+  int getNumberOfParameters() { result = count(this.getAParameter()) }
+
+  /**
+   * Gets the number of parameters of this function, _including_ any implicit
+   * `this` parameter but _not_ including any `...` varargs pseudo-parameter.
+   */
+  int getEffectiveNumberOfParameters() {
+    // This method is overridden in `MemberFunction`, where the result is
+    // adjusted to account for the implicit `this` parameter.
+    result = this.getNumberOfParameters()
+  }
+
+  /**
+   * Gets a string representing the parameters of this function.
+   *
+   * For example: for a function `int Foo(int p1, int p2)` this would
+   * return `int p1, int p2`.
+   */
+  string getParameterString() {
+    result = concat(int i | | min(this.getParameter(i).getTypedName()), ", " order by i)
+  }
+
+  /** Gets a call to this function. */
+  FunctionCall getACallToThisFunction() { result.getTarget() = this }
+
+  /**
+   * Gets a declaration entry corresponding to this declaration. The
+   * relationship between `Declaration` and `DeclarationEntry` is explained
+   * in `Declaration.qll`.
+   */
+  override FunctionDeclarationEntry getADeclarationEntry() {
+    if fun_decls(_, underlyingElement(this), _, _, _)
+    then this.declEntry(result)
+    else
+      exists(Function f |
+        this.isConstructedFrom(f) and
+        fun_decls(unresolveElement(result), unresolveElement(f), _, _, _)
+      )
+  }
+
+  private predicate declEntry(FunctionDeclarationEntry fde) {
+    fun_decls(unresolveElement(fde), underlyingElement(this), _, _, _) and
+    // If one .cpp file specializes a function, and another calls the
+    // specialized function, then when extracting the second we only see an
+    // instantiation, not the specialization. We Therefore need to ignore
+    // any non-specialized declarations if there are any specialized ones.
+    (this.isSpecialization() implies fde.isSpecialization())
+  }
+
+  /**
+   * Gets the location of a `FunctionDeclarationEntry` corresponding to this
+   * declaration.
+   */
+  override Location getADeclarationLocation() { result = this.getADeclarationEntry().getLocation() }
+
+  /** Holds if this Function is a Template specialization. */
+  predicate isSpecialization() {
+    exists(FunctionDeclarationEntry fde |
+      fun_decls(unresolveElement(fde), underlyingElement(this), _, _, _) and
+      fde.isSpecialization()
+    )
+  }
+
+  /**
+   * Gets the declaration entry corresponding to this declaration that is a
+   * definition, if any.
+   */
+  override FunctionDeclarationEntry getDefinition() {
+    result = this.getADeclarationEntry() and
+    result.isDefinition()
+  }
+
+  /** Gets the location of the definition, if any. */
+  override Location getDefinitionLocation() {
+    if exists(this.getDefinition())
+    then result = this.getDefinition().getLocation()
+    else exists(Function f | this.isConstructedFrom(f) and result = f.getDefinition().getLocation())
+  }
+
+  /**
+   * Gets the preferred location of this declaration. (The location of the
+   * definition, if possible.)
+   */
+  override Location getLocation() {
+    if exists(this.getDefinition())
+    then result = this.getDefinitionLocation()
+    else result = this.getADeclarationLocation()
+  }
+
+  /** Gets a child declaration of this function. */
+  Declaration getADeclaration() { result = this.getAParameter() }
+
+  /**
+   * Gets the block that is the function body.
+   *
+   * For C++ functions whose body is a function try statement rather than a
+   * block, this gives the block guarded by the try statement. See
+   * `FunctionTryStmt` for further information.
+   */
+  BlockStmt getBlock() { result.getParentScope() = this }
+
+  /** Holds if this function has an entry point. */
+  predicate hasEntryPoint() { exists(this.getEntryPoint()) }
+
+  /**
+   * Gets the first node in this function's control flow graph.
+   *
+   * For most functions, this first node will be the `BlockStmt` returned by
+   * `getBlock`. However in C++, the first node can also be a
+   * `FunctionTryStmt`.
+   */
+  Stmt getEntryPoint() { function_entry_point(underlyingElement(this), unresolveElement(result)) }
+
+  /**
+   * Gets the metric class. `MetricFunction` has methods for computing
+   * various metrics, such as "number of lines of code" and "number of
+   * function calls".
+   */
+  MetricFunction getMetrics() { result = this }
+
+  /** Holds if this function calls the function `f`. */
+  predicate calls(Function f) { exists(Locatable l | this.calls(f, l)) }
+
+  /**
+   * Holds if this function calls the function `f` in the `FunctionCall`
+   * expression `l`.
+   */
+  predicate calls(Function f, Locatable l) {
+    exists(FunctionCall call |
+      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
+    )
+    or
+    exists(DestructorCall call |
+      call.getEnclosingFunction() = this and call.getTarget() = f and call = l
+    )
+  }
+
+  /** Holds if this function accesses a function or variable or enumerator `a`. */
+  predicate accesses(Declaration a) { exists(Locatable l | this.accesses(a, l)) }
+
+  /**
+   * Holds if this function accesses a function or variable or enumerator `a`
+   * in the `Access` expression `l`.
+   */
+  predicate accesses(Declaration a, Locatable l) {
+    exists(Access access |
+      access.getEnclosingFunction() = this and
+      a = access.getTarget() and
+      access = l
+    )
+  }
+
+  /** Gets a variable that is written-to in this function. */
+  Variable getAWrittenVariable() {
+    exists(ConstructorFieldInit cfi |
+      cfi.getEnclosingFunction() = this and result = cfi.getTarget()
+    )
+    or
+    exists(VariableAccess va |
+      va = result.getAnAccess() and
+      va.isUsedAsLValue() and
+      va.getEnclosingFunction() = this
+    )
+  }
+
+  /**
+   * Gets the class of which this function, called `memberName`, is a member.
+   *
+   * Prefer to use `getDeclaringType()` or `getName()` directly if you do not
+   * need to reason about both.
+   */
+  pragma[nomagic]
+  Class getClassAndName(string memberName) {
+    this.hasName(memberName) and
+    this.getDeclaringType() = result
+  }
+
+  /**
+   * Implements `ControlFlowNode.getControlFlowScope`. The `Function` is
+   * used to represent the exit node of the control flow graph, so it is
+   * its own scope.
+   */
+  override Function getControlFlowScope() { result = this }
+
+  /**
+   * Implements `ControlFlowNode.getEnclosingStmt`. The `Function` is
+   * used to represent the exit node of the control flow graph, so it
+   * has no enclosing statement.
+   */
+  override Stmt getEnclosingStmt() { none() }
+
+  /**
+   * Holds if this function has C linkage, as specified by one of its
+   * declaration entries. For example: `extern "C" void foo();`.
+   */
+  predicate hasCLinkage() { this.getADeclarationEntry().hasCLinkage() }
+
+  /**
+   * Holds if this function is constructed from `f` as a result
+   * of template instantiation. If so, it originates either from a template
+   * function or from a function nested in a template class.
+   */
+  predicate isConstructedFrom(Function f) {
+    function_instantiation(underlyingElement(this), unresolveElement(f))
+  }
+
+  /**
+   * Holds if this function is defined in several files. This is illegal in
+   * C (though possible in some C++ compilers), and likely indicates that
+   * several functions that are not linked together have been compiled. An
+   * example would be a project with many 'main' functions.
+   */
+  predicate isMultiplyDefined() { strictcount(this.getFile()) > 1 }
+
+  /** Holds if this function is a varargs function. */
+  predicate isVarargs() { this.hasSpecifier("varargs") }
+
+  /** Gets a type that is specified to be thrown by the function. */
+  Type getAThrownType() { result = this.getADeclarationEntry().getAThrownType() }
+
+  /**
+   * Gets the `i`th type specified to be thrown by the function.
+   */
+  Type getThrownType(int i) { result = this.getADeclarationEntry().getThrownType(i) }
+
+  /** Holds if the function has an exception specification. */
+  predicate hasExceptionSpecification() { this.getADeclarationEntry().hasExceptionSpecification() }
+
+  /** Holds if this function has a `throw()` exception specification. */
+  predicate isNoThrow() { this.getADeclarationEntry().isNoThrow() }
+
+  /** Holds if this function has a `noexcept` exception specification. */
+  predicate isNoExcept() { this.getADeclarationEntry().isNoExcept() }
+
+  /**
+   * Gets a function that overloads this one.
+   *
+   * Note: if _overrides_ are wanted rather than _overloads_ then
+   * `MemberFunction::getAnOverridingFunction` should be used instead.
+   */
+  Function getAnOverload() {
+    (
+      // If this function is declared in a class, only consider other
+      // functions from the same class.
+      exists(string name, Class declaringType |
+        candGetAnOverloadMember(name, declaringType, this) and
+        candGetAnOverloadMember(name, declaringType, result)
+      )
+      or
+      // Conversely, if this function is not
+      // declared in a class, only consider other functions not declared in a
+      // class.
+      exists(string name, Namespace namespace |
+        candGetAnOverloadNonMember(name, namespace, this) and
+        candGetAnOverloadNonMember(name, namespace, result)
+      )
+    ) and
+    result != this and
+    // Instantiations and specializations don't participate in overload
+    // resolution.
+    not (
+      this instanceof FunctionTemplateInstantiation or
+      result instanceof FunctionTemplateInstantiation
+    ) and
+    not (
+      this instanceof FunctionTemplateSpecialization or
+      result instanceof FunctionTemplateSpecialization
+    )
+  }
+
+  /** Gets a link target which compiled or referenced this function. */
+  LinkTarget getALinkTarget() { this = result.getAFunction() }
+
+  /**
+   * Holds if this function is side-effect free (conservative
+   * approximation).
+   */
+  predicate isSideEffectFree() { not this.mayHaveSideEffects() }
+
+  /**
+   * Holds if this function may have side-effects; if in doubt, we assume it
+   * may.
+   */
+  predicate mayHaveSideEffects() {
+    // If we cannot see the definition then we assume that it may have
+    // side-effects.
+    if exists(this.getEntryPoint())
+    then
+      // If it might be globally impure (we don't care about it modifying
+      // temporaries) then it may have side-effects.
+      this.getEntryPoint().mayBeGloballyImpure()
+      or
+      // Constructor initializers are separate from the entry point ...
+      this.(Constructor).getAnInitializer().mayBeGloballyImpure()
+      or
+      // ... and likewise for destructors.
+      this.(Destructor).getADestruction().mayBeGloballyImpure()
+    else
+      // Unless it's a function that we know is side-effect free, it may
+      // have side-effects.
+      not this.hasGlobalOrStdName([
+          "strcmp", "wcscmp", "_mbscmp", "strlen", "wcslen", "_mbslen", "_mbslen_l", "_mbstrlen",
+          "_mbstrlen_l", "strnlen", "strnlen_s", "wcsnlen", "wcsnlen_s", "_mbsnlen", "_mbsnlen_l",
+          "_mbstrnlen", "_mbstrnlen_l", "strncmp", "wcsncmp", "_mbsncmp", "_mbsncmp_l", "strchr",
+          "memchr", "wmemchr", "memcmp", "wmemcmp", "_memicmp", "_memicmp_l", "feof", "isdigit",
+          "isxdigit", "abs", "fabs", "labs", "floor", "ceil", "atoi", "atol", "atoll", "atof"
+        ])
+  }
+
+  /**
+   * Gets the nearest enclosing AccessHolder.
+   */
+  override AccessHolder getEnclosingAccessHolder() { result = this.getDeclaringType() }
+}
+
+pragma[noinline]
+private predicate candGetAnOverloadMember(string name, Class declaringType, Function f) {
+  f.getName() = name and
+  f.getDeclaringType() = declaringType
+}
+
+pragma[noinline]
+private predicate candGetAnOverloadNonMember(string name, Namespace namespace, Function f) {
+  f.getName() = name and
+  f.getNamespace() = namespace and
+  not exists(f.getDeclaringType())
+}
+
+/**
+ * A particular declaration or definition of a C/C++ function. For example the
+ * declaration and definition of `MyFunction` in the following code are each a
+ * `FunctionDeclarationEntry`:
+ * ```
+ * void MyFunction();
+ *
+ * void MyFunction() {
+ *   DoSomething();
+ * }
+ * ```
+ */
+class FunctionDeclarationEntry extends DeclarationEntry, @fun_decl {
+  /** Gets the function which is being declared or defined. */
+  override Function getDeclaration() { result = this.getFunction() }
+
+  override string getAPrimaryQlClass() { result = "FunctionDeclarationEntry" }
+
+  /** Gets the function which is being declared or defined. */
+  Function getFunction() { fun_decls(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  /** Gets the name of the function. */
+  override string getName() { fun_decls(underlyingElement(this), _, _, result, _) }
+
+  /**
+   * Gets the return type of the function which is being declared or
+   * defined.
+   */
+  override Type getType() { fun_decls(underlyingElement(this), _, unresolveElement(result), _, _) }
+
+  /** Gets the location of this declaration entry. */
+  override Location getLocation() { fun_decls(underlyingElement(this), _, _, _, result) }
+
+  /** Gets a specifier associated with this declaration entry. */
+  override string getASpecifier() { fun_decl_specifiers(underlyingElement(this), result) }
+
+  /**
+   * Implements `Element.getEnclosingElement`. A function declaration does
+   * not have an enclosing element.
+   */
+  override Element getEnclosingElement() { none() }
+
+  /**
+   * Gets the typedef type (if any) used for this function declaration. As
+   * an example, the typedef type in the declaration of function foo in the
+   * following is Foo:
+   *
+   * typedef int Foo();
+   * static Foo foo;
+   */
+  TypedefType getTypedefType() {
+    fun_decl_typedef_type(underlyingElement(this), unresolveElement(result))
+  }
+
+  /**
+   * Gets the cyclomatic complexity of this function:
+   *
+   *   The number of branching statements (if, while, do, for, switch,
+   *   case, catch) plus the number of branching expressions (`?`, `&&`,
+   *   `||`) plus one.
+   */
+  int getCyclomaticComplexity() { result = 1 + cyclomaticComplexityBranches(this.getBlock()) }
+
+  /**
+   * If this is a function definition, get the block containing the
+   * function body.
+   */
+  BlockStmt getBlock() {
+    this.isDefinition() and
+    result = this.getFunction().getBlock() and
+    result.getFile() = this.getFile()
+  }
+
+  /**
+   * If this is a function definition, get the number of lines of code
+   * associated with it.
+   */
+  pragma[noopt]
+  int getNumberOfLines() {
+    exists(BlockStmt b, Location l, int start, int end, int diff | b = this.getBlock() |
+      l = b.getLocation() and
+      start = l.getStartLine() and
+      end = l.getEndLine() and
+      diff = end - start and
+      result = diff + 1
+    )
+  }
+
+  /**
+   * Gets the declaration entry for a parameter of this function
+   * declaration.
+   */
+  ParameterDeclarationEntry getAParameterDeclarationEntry() {
+    result = this.getParameterDeclarationEntry(_)
+  }
+
+  /**
+   * Gets the declaration entry for the nth parameter of this function
+   * declaration.
+   */
+  ParameterDeclarationEntry getParameterDeclarationEntry(int n) {
+    param_decl_bind(unresolveElement(result), n, underlyingElement(this))
+  }
+
+  /** Gets the number of parameters of this function declaration. */
+  int getNumberOfParameters() { result = count(this.getAParameterDeclarationEntry()) }
+
+  /**
+   * Gets a string representing the parameters of this function declaration.
+   *
+   * For example: for a function 'int Foo(int p1, int p2)' this would
+   * return 'int p1, int p2'.
+   */
+  string getParameterString() {
+    result =
+      concat(int i | | min(this.getParameterDeclarationEntry(i).getTypedName()), ", " order by i)
+  }
+
+  /**
+   * Holds if this declaration entry specifies C linkage:
+   *
+   *    `extern "C" void foo();`
+   */
+  predicate hasCLinkage() { this.getASpecifier() = "c_linkage" }
+
+  /** Holds if this declaration entry has a void parameter list. */
+  predicate hasVoidParamList() { this.getASpecifier() = "void_param_list" }
+
+  /** Holds if this declaration is also a definition of its function. */
+  override predicate isDefinition() { fun_def(underlyingElement(this)) }
+
+  /** Holds if this declaration is a Template specialization. */
+  predicate isSpecialization() { fun_specialized(underlyingElement(this)) }
+
+  /**
+   * Holds if this declaration is an implicit function declaration, that is,
+   * where a function is used before it is declared (under older C standards).
+   */
+  predicate isImplicit() { fun_implicit(underlyingElement(this)) }
+
+  /** Gets a type that is specified to be thrown by the declared function. */
+  Type getAThrownType() { result = this.getThrownType(_) }
+
+  /**
+   * Gets the `i`th type specified to be thrown by the declared function
+   * (where `i` is indexed from 0). For example, if a function is declared
+   * to `throw(int,float)`, then the thrown type with index 0 would be
+   * `int`, and that with index 1 would be `float`.
+   */
+  Type getThrownType(int i) {
+    fun_decl_throws(underlyingElement(this), i, unresolveElement(result))
+  }
+
+  /**
+   * If this declaration has a noexcept-specification [N4140 15.4], then
+   * this predicate returns the argument to `noexcept` if one was given.
+   */
+  Expr getNoExceptExpr() { fun_decl_noexcept(underlyingElement(this), unresolveElement(result)) }
+
+  /**
+   * Holds if the declared function has an exception specification [N4140
+   * 15.4].
+   */
+  predicate hasExceptionSpecification() {
+    fun_decl_throws(underlyingElement(this), _, _) or
+    fun_decl_noexcept(underlyingElement(this), _) or
+    this.isNoThrow() or
+    this.isNoExcept()
+  }
+
+  /**
+   * Holds if the declared function has a `throw()` exception specification.
+   */
+  predicate isNoThrow() { fun_decl_empty_throws(underlyingElement(this)) }
+
+  /**
+   * Holds if the declared function has an empty `noexcept` exception
+   * specification.
+   */
+  predicate isNoExcept() { fun_decl_empty_noexcept(underlyingElement(this)) }
+}
+
+/**
+ * A C/C++ non-member function (a function that is not a member of any
+ * class). For example, in the following code, `MyFunction` is a
+ * `TopLevelFunction` but `MyMemberFunction` is not:
+ * ```
+ * void MyFunction() {
+ *   DoSomething();
+ * }
+ *
+ * class MyClass {
+ * public:
+ *   void MyMemberFunction() {
+ *     DoSomething();
+ *   }
+ * };
+ * ```
+ */
+class TopLevelFunction extends Function {
+  TopLevelFunction() { not this.isMember() }
+
+  override string getAPrimaryQlClass() { result = "TopLevelFunction" }
+}
+
+/**
+ * A C++ user-defined operator [N4140 13.5].
+ */
+class Operator extends Function {
+  Operator() { functions(underlyingElement(this), _, 5) }
+
+  override string getAPrimaryQlClass() {
+    not this instanceof MemberFunction and result = "Operator"
+  }
+}
+
+/**
+ * A C++ function which has a non-empty template argument list. For example
+ * the function `myTemplateFunction` in the following code:
+ * ```
+ * template<class T>
+ * void myTemplateFunction(T t) {
+ *   ...
+ * }
+ * ```
+ *
+ * This comprises function declarations which are immediately preceded by
+ * `template <...>`, where the "..." part is not empty, and therefore it does
+ * not include:
+ *
+ *   1. Full specializations of template functions, as they have an empty
+ *      template argument list.
+ *   2. Instantiations of template functions, as they don't have an
+ *      explicit template argument list.
+ *   3. Member functions of template classes - unless they have their own
+ *      (non-empty) template argument list.
+ */
+class TemplateFunction extends Function {
+  TemplateFunction() {
+    is_function_template(underlyingElement(this)) and exists(this.getATemplateArgument())
+  }
+
+  override string getAPrimaryQlClass() { result = "TemplateFunction" }
+
+  /**
+   * Gets a compiler-generated instantiation of this function template.
+   */
+  Function getAnInstantiation() {
+    result.isConstructedFrom(this) and
+    not result.isSpecialization()
+  }
+
+  /**
+   * Gets a full specialization of this function template.
+   *
+   * Note that unlike classes, functions overload rather than specialize
+   * partially. Therefore this does not include things which "look like"
+   * partial specializations, nor does it include full specializations of
+   * such things -- see FunctionTemplateSpecialization for further details.
+   */
+  FunctionTemplateSpecialization getASpecialization() { result.getPrimaryTemplate() = this }
+}
+
+/**
+ * A function that is an instantiation of a template. For example
+ * the instantiation `myTemplateFunction<int>` in the following code:
+ * ```
+ * template<class T>
+ * void myTemplateFunction(T t) {
+ *   ...
+ * }
+ *
+ * void caller(int i) {
+ *   myTemplateFunction<int>(i);
+ * }
+ * ```
+ */
+class FunctionTemplateInstantiation extends Function {
+  TemplateFunction tf;
+
+  FunctionTemplateInstantiation() { tf.getAnInstantiation() = this }
+
+  override string getAPrimaryQlClass() { result = "FunctionTemplateInstantiation" }
+
+  /**
+   * Gets the function template from which this instantiation was instantiated.
+   *
+   * Example: For `int const& std::min<int>(int const&, int const&)`, returns `T const& min<T>(T const&, T const&)`.
+   */
+  TemplateFunction getTemplate() { result = tf }
+}
+
+/**
+ * An explicit specialization of a C++ function template. For example the
+ * function `myTemplateFunction<int>` in the following code:
+ * ```
+ * template<class T>
+ * void myTemplateFunction(T t) {
+ *   ...
+ * }
+ *
+ * template<>
+ * void myTemplateFunction<int>(int i) {
+ *   ...
+ * }
+ * ```
+ *
+ * Note that unlike classes, functions overload rather than specialize
+ * partially. Therefore this only includes the last two of the following
+ * four definitions, and in particular does not include the second one:
+ *
+ * ```
+ * template <typename T> void f(T) {...}
+ * template <typename T> void f(T*) {...}
+ * template <> void f<int>(int *) {...}
+ * template <> void f<int*>(int *) {...}
+ * ```
+ *
+ * Furthermore, this does not include compiler-generated instantiations of
+ * function templates.
+ *
+ * For further reference on function template specializations, see:
+ *   http://www.gotw.ca/publications/mill17.htm
+ */
+class FunctionTemplateSpecialization extends Function {
+  FunctionTemplateSpecialization() { this.isSpecialization() }
+
+  override string getAPrimaryQlClass() { result = "FunctionTemplateSpecialization" }
+
+  /**
+   * Gets the primary template for the specialization (the function template
+   * this specializes).
+   */
+  TemplateFunction getPrimaryTemplate() { this.isConstructedFrom(result) }
+}
+
+/**
+ * A GCC built-in function. For example: `__builtin___memcpy_chk`.
+ */
+class BuiltInFunction extends Function {
+  BuiltInFunction() { functions(underlyingElement(this), _, 6) }
+
+  /** Gets a dummy location for the built-in function. */
+  override Location getLocation() {
+    suppressUnusedThis(this) and
+    result instanceof UnknownDefaultLocation
+  }
+}
+
+private predicate suppressUnusedThis(Function f) { any() }

cpp/ql/lib/semmle/code/cpp/Include.qll

@@ -23,7 +23,7 @@ class Include extends PreprocessorDirective, @ppd_include {
    * Gets the token which occurs after `#include`, for example `"filename"`
    * or `<filename>`.
    */
-  string getIncludeText() { result = getHead() }
+  string getIncludeText() { result = this.getHead() }
 
   /** Gets the file directly included by this `#include`. */
   File getIncludedFile() { includes(underlyingElement(this), unresolveElement(result)) }
@@ -53,7 +53,7 @@ class Include extends PreprocessorDirective, @ppd_include {
  * ```
  */
 class IncludeNext extends Include, @ppd_include_next {
-  override string toString() { result = "#include_next " + getIncludeText() }
+  override string toString() { result = "#include_next " + this.getIncludeText() }
 }
 
 /**
@@ -65,5 +65,5 @@ class IncludeNext extends Include, @ppd_include_next {
  * ```
  */
 class Import extends Include, @ppd_objc_import {
-  override string toString() { result = "#import " + getIncludeText() }
+  override string toString() { result = "#import " + this.getIncludeText() }
 }

cpp/ql/lib/semmle/code/cpp/Initializer.qll

@@ -18,6 +18,12 @@ import semmle.code.cpp.controlflow.ControlFlowGraph
  *   ...
  * }
  * ```
+ * But _not_ `4` in the following code:
+ * ```
+ * int myUninitializedVariable;
+ * myUninitializedVariable = 4;
+ * ```
+ * Instead, this is an `Assignment`.
  */
 class Initializer extends ControlFlowNode, @initialiser {
   override Location getLocation() { initialisers(underlyingElement(this), _, _, result) }
@@ -28,8 +34,8 @@ class Initializer extends ControlFlowNode, @initialiser {
   override predicate fromSource() { not this.getLocation() instanceof UnknownLocation }
 
   override string toString() {
-    if exists(getDeclaration())
-    then result = "initializer for " + max(getDeclaration().getName())
+    if exists(this.getDeclaration())
+    then result = "initializer for " + max(this.getDeclaration().getName())
     else result = "initializer"
   }