C++: Insecure memset

2026-05-17 04:37:07 +02:00 · 2019-10-25 15:03:56 -07:00
11101 changed files with 251870 additions and 852876 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -1,6 +1,3 @@
 { "provide": [ "*/ql/src/qlpack.yml",
-               "*/ql/test/qlpack.yml",
-               "*/ql/examples/qlpack.yml",
-               "*/upgrades/qlpack.yml",
               "misc/legacy-support/*/qlpack.yml",
               "misc/suite-helpers/qlpack.yml" ] }
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,9 +0,0 @@
-{
-  "extensions": [
-    "github.vscode-codeql",
-    "slevesque.vscode-zipexplorer"
-  ],
-  "settings": {
-    "codeQL.runningQueries.memory": 2048
-  }
-}
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,11 +0,0 @@
-name: "CodeQL config"
-
-queries:
-  - uses: security-and-quality
-
-paths-ignore:
-  - '/cpp/'
-  - '/java/'
-  - '/python/'
-  - '/javascript/ql/test'
-  - '/javascript/extractor/tests'
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -1,24 +0,0 @@
-"C++":
-  - cpp/**/*
-  - change-notes/**/*cpp*
-
-"C#":
-  - csharp/**/*
-  - change-notes/**/*csharp*
-
-Java:
-  - java/**/*
-  - change-notes/**/*java.*
-
-JS:
-  - javascript/**/*
-  - change-notes/**/*javascript*
-
-Python:
-  - python/**/*
-  - change-notes/**/*python*
-
-documentation:
-  - "**/*.qhelp"
-  - "**/*.md"
-  - docs/**/*
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -1,23 +0,0 @@
-name: Check change note
-
-on:
-  pull_request_target:
-    types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
-    paths:
-      - "*/ql/src/**/*.ql"
-      - "*/ql/src/**/*.qll"
-      - "!**/experimental/**"
-
-jobs:
-  check-change-note:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
-        if: |
-          github.event.pull_request.draft == false &&
-          !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
-          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,51 +0,0 @@
-name: "Code scanning - action"
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - 'csharp/**'
-  schedule:
-    - cron: '0 9 * * 1'
-
-jobs:
-  CodeQL-Build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      # Override language selection by uncommenting this and choosing your languages
-      with:
-        languages: csharp
-        config-file: ./.github/codeql/codeql-config.yml
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,11 +0,0 @@
-name: "Pull Request Labeler"
-on:
- pull_request_target
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/labeler@v2
-      with:
-        repo-token: "${{ secrets.GITHUB_TOKEN }}"
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -1,49 +0,0 @@
-name: Build code scanning query list
-
-on:
-  push:
-    branches:
-     - main
-     - 'rc/**'
-  pull_request:
-    paths:
-      - '.github/workflows/query-list.yml'
-      - 'misc/scripts/generate-code-scanning-query-list.py'
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: codeql 
-    - name: Clone github/codeql-go
-      uses: actions/checkout@v2
-      with:
-        repository: 'github/codeql-go'
-        path: codeql-go
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
-      with:
-        repo: "github/codeql-cli-binaries"
-        version: "latest"
-        file: "codeql-linux64.zip"
-        token: ${{ secrets.GITHUB_TOKEN }}
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Build code scanning query list
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python codeql/misc/scripts/generate-code-scanning-query-list.py > code-scanning-query-list.csv
-    - name: Upload code scanning query list
-      uses: actions/upload-artifact@v2
-      with:
-        name: code-scanning-query-list
-        path: code-scanning-query-list.csv
-    
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,6 @@
 # editor and OS artifacts
 *~
 .DS_STORE
-*.swp

 # query compilation caches
 .cache
@@ -14,13 +13,5 @@
 .vs/*
 !.vs/VSWorkspaceSettings.json

-# Byte-compiled python files
-*.pyc
-
-# python virtual environment folder 
-.venv/
-
 # It's useful (though not required) to be able to unpack codeql in the ql checkout itself
 /codeql/
-
-csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
--- a/.vscode/.gitattributes
+++ b/.vscode/.gitattributes
@@ -1 +0,0 @@
-*.json  linguist-language=JSON-with-Comments
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,10 +0,0 @@
-{
-    // See https://go.microsoft.com/fwlink/?LinkId=827846 to learn about workspace recommendations.
-    // Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
-    // List of extensions which should be recommended for users of this workspace.
-    "recommendations": [
-        "GitHub.vscode-codeql"
-    ],
-    // List of extensions recommended by VS Code that should not be recommended for users of this workspace.
-    "unwantedRecommendations": []
-}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +0,0 @@
-{
-    "omnisharp.autoStart": false
-}
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -1,27 +0,0 @@
-{
-    // To run a task, select the `Terminal | Run Task...` menu option, and then select the task from
-    // the list in the dropdown, or invoke the `Tasks: Run Task` command from the command palette/
-    // To bind a keyboard shortcut to invoke a task, see https://code.visualstudio.com/docs/editor/tasks#_binding-keyboard-shortcuts-to-tasks.
-    // See https://go.microsoft.com/fwlink/?LinkId=733558
-    // for the documentation about the tasks.json format
-    "version": "2.0.0",
-    "tasks": [
-        {
-            "label": "Sync Identical Files",
-            "type": "process",
-            // Non-Windows OS will usually have Python 3 already installed at /usr/bin/python3.
-            "command": "python3",
-            "args": [
-                "config/sync-files.py",
-                "--latest"
-            ],
-            "group": "build",
-            "windows": {
-                // On Windows, use whatever Python interpreter is configured for this workspace. The default is
-                // just `python`, so if Python is already on the path, this will find it.
-                "command": "${config:python.pythonPath}",
-            },
-            "problemMatcher": []
-        }
-    ]
-}
--- a/29
+++ b/29
@@ -1,19 +1,10 @@
-/cpp/ @github/codeql-c-analysis
-/csharp/ @github/codeql-csharp
-/java/ @github/codeql-java
-/javascript/ @github/codeql-javascript
-/python/ @github/codeql-python
-
-# Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
-/cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
-/csharp/**/experimental/**/* @github/codeql-csharp @xcorail
-/java/**/experimental/**/* @github/codeql-java @xcorail
-/javascript/**/experimental/**/* @github/codeql-javascript @xcorail
-/python/**/experimental/**/* @github/codeql-python @xcorail
-
-# Notify members of codeql-go about PRs to the shared data-flow library files
-/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
-/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
+/csharp/ @Semmle/cs
+/java/ @Semmle/java
+/javascript/ @Semmle/js
+/cpp/ @Semmle/cpp-analysis
+/cpp/**/*.qhelp @hubwriter
+/csharp/**/*.qhelp @jf205
+/java/**/*.qhelp @felicitymay
+/javascript/**/*.qhelp @mchammer01
+/python/**/*.qhelp @felicitymay
+/docs/language/ @shati-patel @jf205
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,126 +1,39 @@
-## Our Pledge
+# Code of Conduct

-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, religion, or sexual identity
-and orientation.
+This code of conduct outlines expectations for participation in the Semmle open source community, including any open source repositories on GitHub.com, as well as steps for reporting unacceptable behavior. We are committed to providing a welcoming and inspiring community for all.

-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
+People violating this code of conduct may be banned from the community.

-## Our Standards
+Our community strives to:
+* Be friendly and patient: Remember you might not be communicating in someone else’s primary spoken or programming language, and others may not have your level of understanding.
+* Be welcoming: Our community welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, color, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.
+* Be respectful: We are a world-wide community of professionals, and we conduct ourselves professionally. Disagreement is no excuse for poor behavior and poor manners. Disrespectful and unacceptable behavior includes, but is not limited to:
+  * Violent threats or language.
+  * Discriminatory or derogatory jokes and language.
+  * Posting sexually explicit or violent material.
+  * Posting, or threatening to post, people’s personally identifying information (“doxing”).
+  * Insults, especially those using discriminatory terms or slurs.
+  * Behavior that could be perceived as sexual attention.
+  * Advocating for or encouraging any of the above behaviors.
+* Understand disagreements: Disagreements, both social and technical, are useful learning opportunities. Seek to understand others’ viewpoints and resolve differences constructively.

-Examples of behavior that contributes to a positive environment for our
-community include:
+This code is not exhaustive or complete. It serves to capture our common understanding of a productive, collaborative environment. We expect the code to be followed in spirit as much as in the letter.

-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
+# Scope

-Examples of unacceptable behavior include:
+This code of conduct applies to all repositories and communities for Semmle open source projects, regardless of whether or not the repository explicitly calls out its use of this code. The code also applies in public spaces when an individual is representing the Semmle open source community. Examples include using an official project email address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 

-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting

-## Enforcement Responsibilities
+# Reporting Code of Conduct Issues
+We encourage members of the community to resolve issues on their own whenever possible. This builds a broader and deeper understanding and ultimately a healthier interaction. In the event that an issue cannot be resolved locally, please feel free to report your concerns by contacting code-of-conduct@semmle.com. 
+In your report please include:
+* Your contact information.
+* Names (real, usernames or pseudonyms) of any individuals involved. If there are additional witnesses, please include them as well.
+* Your account of what occurred, and if you believe the incident is ongoing. If there is a publicly available record (e.g. a mailing list archive or a public chat log), please include a link or attachment.
+* Any additional information that may be helpful.

-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
+All reports will be reviewed by a multi-person team and will result in a response that is deemed necessary and appropriate to the circumstances. Where additional perspectives are needed, the team may seek insight from others with relevant expertise or experience. The confidentiality of the person reporting the incident will be kept at all times. Involved parties are never part of the review team.

-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
+Anyone asked to stop unacceptable behavior is expected to comply immediately. If an individual engages in unacceptable behavior, the review team may take any action they deem appropriate, including a permanent ban from the community.

-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-opensource@github.com.
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series
-of actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or
-permanent ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within
-the community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
-
-Community Impact Guidelines were inspired by [Mozilla's code of conduct
-enforcement ladder](https://github.com/mozilla/diversity).
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see the FAQ at
-https://www.contributor-covenant.org/faq. Translations are available at
-https://www.contributor-covenant.org/translations.
+*This text is licensed under the [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/) license. It is based on a template established by the [TODO Group](http://todogroup.org/) and variants thereof used by numerous other large communities (e.g., [Microsoft](https://microsoft.github.io/codeofconduct/), [Facebook](https://code.fb.com/codeofconduct/), [Yahoo](https://yahoo.github.io/codeofconduct), [Twitter](https://github.com/twitter/code-of-conduct), [GitHub](https://blog.github.com/2015-07-20-adopting-the-open-code-of-conduct/)) and the Scope section from the [Contributor Covenant version 1.4](http://contributor-covenant.org/version/1/4/).*
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,64 +1,88 @@
-# Contributing to CodeQL
+# Contributing to QL

-We welcome contributions to our CodeQL libraries and queries. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
+We welcome contributions to our standard library and standard checks. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request!

-There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
+Before we accept your pull request, we require that you have agreed to our Contributor License Agreement, this is not something that you need to do before you submit your pull request, but until you've done so, we will be unable to accept your contribution.

+## Adding a new query

-## Submitting a new experimental query
+If you have an idea for a query that you would like to share with other Semmle users, please open a pull request to add it to this repository. 
+Follow the steps below to help other users understand what your query does, and to ensure that your query is consistent with the other Semmle queries.

-If you have an idea for a query that you would like to share with other CodeQL users, please open a pull request to add it to this repository. New queries start out in a `<language>/ql/src/experimental` directory, to which they can be merged when they meet the following requirements.
+1. **Consult the QL documentation for query writers**

-1. **Directory structure**
+   There is lots of useful documentation to help you write QL, ranging from information about query file structure to language-specific tutorials. For more information on the documentation available, see [Writing QL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).

-    There are five language-specific query directories in this repository:
+2. **Format your QL correctly**

-      * C/C++: `cpp/ql/src`
-      * C#: `csharp/ql/src`
-      * Java: `java/ql/src`
-      * JavaScript: `javascript/ql/src`
-      * Python: `python/ql/src`
+   All of Semmle's standard QL queries and libraries are uniformly formatted for clarity and consistency, so we strongly recommend that all QL contributions follow the same formatting guidelines. If you use QL for Eclipse, you can auto-format your query in the [QL editor](https://help.semmle.com/ql-for-eclipse/Content/WebHelp/ql-editor.html). For more information, see the [QL style guide](https://github.com/Semmle/ql/blob/master/docs/ql-style-guide.md).

-    Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
-    - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
-    - The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
-    - Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.
+3. **Make sure your query has the correct metadata**

-2. **Query metadata**
+   Query metadata is used by Semmle's analysis to identify your query and make sure the query results are displayed properly. 
+   The most important metadata to include are the `@name`, `@description`, and the `@kind`.
+   Other metadata properties (`@precision`, `@severity`, and `@tags`) are usually added after the query has been reviewed by Semmle staff.
+   For more information on writing query metadata, see the [Query metadata style guide](https://github.com/Semmle/ql/blob/master/docs/query-metadata-style-guide.md).

-    - The query `@id` must conform to all the requirements in the [guide on query metadata](docs/query-metadata-style-guide.md#query-id-id). In particular, it must not clash with any other queries in the repository, and it must start with the appropriate language-specific prefix.
-    - The query must have a `@name` and `@description` to explain its purpose.
-    - The query must have a `@kind` and `@problem.severity` as required by CodeQL tools.
+4. **Make sure the `select` statement is compatible with the query type**

-    For details, see the [guide on query metadata](docs/query-metadata-style-guide.md).
+   The `select` statement of your query must be compatible with the query type (determined by the `@kind` metadata property) for alert or path results to be displayed correctly in LGTM and QL for Eclipse.
+   For more information on `select` statement format, see [Introduction to query files](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.

-    Make sure the `select` statement is compatible with the query `@kind`. See [About CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
+5. **Save your query in a `.ql` file in correct language directory in this repository**

-3. **Formatting**
+   There are five language-specific directories in this repository:
+   
+     * C/C++: `ql/cpp/ql/src`
+     * C#: `ql/csharp/ql/src`
+     * Java: `ql/java/ql/src`
+     * JavaScript: `ql/javascript/ql/src`
+     * Python: `ql/python/ql/src`

-    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html).
+   Each language-specific directory contains further subdirectories that group queries based on their `@tags` properties or purpose. Select the appropriate subdirectory for your new query, or create a new one if necessary. 

-    If you prefer, you can use this [pre-commit hook](misc/scripts/pre-commit) that automatically checks whether your files are correctly formatted. See the [pre-commit hook installation guide](docs/pre-commit-hook-setup.md) for instructions on how to install the hook.
+6. **Write a query help file**

-4. **Compilation**
-
-    - Compilation of the query and any associated libraries and tests must be resilient to future development of the [supported](docs/supported-queries.md) libraries. This means that the functionality cannot use internal libraries, cannot depend on the output of `getAQlClass`, and cannot make use of regexp matching on `toString`.
-    - The query and any associated libraries and tests must not cause any compiler warnings to be emitted (such as use of deprecated functionality or missing `override` annotations).
-
-5. **Results**
-
-    - The query must have at least one true positive result on some revision of a real project.
-
-6. **Query help files and unit tests**
-
-	- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories. For more information about contributing query help files and unit tests, see [Supported CodeQL queries and libraries](docs/supported-queries.md).
-
-Experimental queries and libraries may not be actively maintained as the supported libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
-
-After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
+   Query help files explain the purpose of your query to other users. Write your query help in a `.qhelp` file and save it in the same directory as your new query. 
+   For more information on writing query help, see the [Query help style guide](https://github.com/Semmle/ql/blob/master/docs/query-help-style-guide.md).

 ## Using your personal data

-If you contribute to this project, we will record your name and email address (as provided by you with your contributions) as part of the code repositories, which are public. We might also use this information to contact you in relation to your contributions, as well as in the normal course of software development. We also store records of CLA agreements signed in the past, but no longer require contributors to sign a CLA. Under GDPR legislation, we do this on the basis of our legitimate interest in creating the CodeQL product. 
+If you contribute to this project, we will record your name and email
+address (as provided by you with your contributions) as part of the code
+repositories, which might be made public. We might also use this information
+to contact you in relation to your contributions, as well as in the
+normal course of software development. We also store records of your
+CLA agreements. Under GDPR legislation, we do this
+on the basis of our legitimate interest in creating the QL product.

-Please do get in touch (privacy@github.com) if you have any questions about this or our data protection policies.
+Please do get in touch (privacy@semmle.com) if you have any questions about
+this or our data protection policies.
+
+## Contributor License Agreement
+
+This Contributor License Agreement (“Agreement”) is entered into between Semmle Limited (“Semmle,” “we” or “us” etc.), and You (as defined and further identified below).
+
+Accordingly, You hereby agree to the following terms for Your present and future Contributions submitted to Semmle:
+
+1. **Definitions**.
+
+   * "You" (or "Your") shall mean the Contribution copyright owner (whether an individual or organization) or legal entity authorized by the copyright owner that is making this Agreement with Semmle. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+
+   * "Contribution(s)" shall mean the code, documentation or other original works of authorship, including any modifications or additions to an existing work, submitted by You to Semmle for inclusion in, or documentation of, any of the products or projects owned or managed by Semmle (the "Work(s)").  For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Semmle or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Semmle for the purpose of discussing and/or improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+
+2. **Grant of Copyright License**. You hereby grant to Semmle and to recipients of software distributed by Semmle a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
+
+3. **Grant of Patent License**. You hereby grant to Semmle and to recipients of software distributed by Semmle a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that Your Contribution, or the Work to which You have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.  
+
+4. **Ownership**.  Except as set out above, You keep all right, title, and interest in Your Contribution. The rights that You grant to us under this Agreement are effective on the date You first submitted a Contribution to us, even if Your submission took place before the date You entered this Agreement.
+
+5. **Representations**.  You represent and warrant that: (i) the Contributions are an original work and that You can legally grant the rights set out in this Agreement; (ii) the Contributions and Semmle’s exercise of any license rights granted hereunder, does not and will not, infringe the rights of any third party; (iii) You are not aware of any pending or threatened claims, suits, actions, or charges pertaining to the Contributions, including without limitation any claims or allegations that any or all of the Contributions infringes, violates, or misappropriate the intellectual property rights of any third party (You further agree that You will notify Semmle immediately if You become aware of any such actual or potential claims, suits, actions, allegations or charges).
+
+6. **Employer**.  If Your employer(s) has rights to intellectual property that You create that includes Your Contributions, You represent and warrant that Your employer has waived such rights for Your Contributions to Semmle, or that You have received permission to make Contributions on behalf of that employer and that You are authorized to execute this Agreement on behalf of Your employer.
+
+7. **Inclusion of Code**. We determine the code that is in our Works. You understand that the decision to include the Contribution in any project or source repository is entirely that of Semmle, and this agreement does not guarantee that the Contributions will be included in any product.
+
+8. **Disclaimer**.  You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Except as set forth herein, and unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.
+
+9. **General**.  The failure of either party to enforce its rights under this Agreement for any period shall not be construed as a waiver of such rights.  No changes or modifications or waivers to this Agreement will be effective unless in writing and signed by both parties.  In the event that any provision of this Agreement shall be determined to be illegal or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.  This Agreement shall be governed by and construed in accordance with the laws of the State of California in the United States without regard to the conflicts of laws provisions thereof.  In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.  
--- a/13
+++ b/13
@@ -0,0 +1,13 @@
+Copyright (c) Semmle Inc and other contributors. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at http://www.apache.org/licenses/LICENSE-2.0
+
+THIS CODE IS PROVIDED ON AN *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED
+WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A PARTICULAR PURPOSE,
+MERCHANTABLITY OR NON-INFRINGEMENT.
+
+See the Apache Version 2.0 License for specific language governing permissions
+and limitations under the License.
--- a/189
+++ b/189
@@ -1,21 +1,176 @@
-MIT License
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/

-Copyright (c) 2006-2020 GitHub, Inc.
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+   1. Definitions.

-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.

-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
--- a/README.md
+++ b/README.md
@@ -1,28 +1,16 @@
-# CodeQL
+# Semmle QL

-This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com) and the other CodeQL products that [GitHub](https://github.com) makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the [CodeQL for Go repository](https://github.com/github/codeql-go).
+This open source repository contains the standard QL libraries and queries that power [LGTM](https://lgtm.com), and the other products that [Semmle](https://semmle.com) makes available to its customers worldwide.

-## How do I learn CodeQL and run queries?
+## How do I learn QL and run queries?

-There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
+There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing QL.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin to try out your queries on any open-source project that's currently being analyzed.

 ## Contributing

-We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
+We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/Semmle/ql/tree/master/docs) to learn how to format your QL for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.

 ## License

-The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
-
-## Visual Studio Code integration
-
-If you use Visual Studio Code to work in this repository, there are a few integration features to make development easier.
-
-### CodeQL for Visual Studio Code
-
-You can install the [CodeQL for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql) extension to get syntax highlighting, IntelliSense, and code navigation for the QL language, as well as unit test support for testing CodeQL libraries and queries.
-
-### Tasks
-
-The `.vscode/tasks.json` file defines custom tasks specific to working in this repository. To invoke one of these tasks, select the `Terminal | Run Task...` menu option, and then select the desired task from the dropdown. You can also invoke the `Tasks: Run Task` command from the command palette.
+The QL queries in this repository are licensed under [Apache License 2.0](LICENSE) by [Semmle](https://semmle.com).
--- a/change-notes/1.23/analysis-cpp.md
+++ b/change-notes/1.23/analysis-cpp.md
@@ -2,65 +2,50 @@

 The following changes in version 1.23 affect C/C++ analysis in all applications.

+## General improvements
+
 ## New queries

 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail.  This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). Results are not shown on LGTM by default. |
-| Pointer overflow check (`cpp/pointer-overflow-check`) | correctness, security | Finds overflow checks that rely on pointer addition to overflow, which has undefined behavior. Example: `ptr + a < ptr`. Results are shown on LGTM by default. |
-| Signed overflow check (`cpp/signed-overflow-check`) | correctness, security | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. Results are shown on LGTM by default. |
-
+| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail.  This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). |

 ## Changes to existing queries

 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
-| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. |
+| Query name (`query id`) | Expected impact | Message. |
 | Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
 | Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
 | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
-| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positive results triggrered by mismatching declarations of a formatting function. |
 | Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
-| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
-| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positive results triggered by mismatching declarations of a formatting function. |
-| Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positive results involving template classes and functions have been fixed. |
-| Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now understands explicitly-specified argument numbers in format strings, such as the `1$` in `%1$s`. |
+| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
+| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
+| Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positives involving template classes and functions have been fixed. |

-## Changes to libraries
+## Changes to QL libraries

-* The data-flow library in `semmle.code.cpp.dataflow.DataFlow` and
-  `semmle.code.cpp.dataflow.TaintTracking` have had extensive changes:
-  * Data flow through fields is now more complete and reliable.
-  * The data-flow library has been extended with a new feature to aid debugging. 
-    Previously, to explore the possible flow from all sources you could specify `isSink(Node n) { any() }` on a configuration. 
-    Now you can use the new `Configuration::hasPartialFlow` predicate, 
-    which gives a more complete picture of the partial flow paths from a given source, including flow that doesn't reach any sink.
-    The feature is disabled by default and can be enabled for individual configurations by overriding `int explorationLimit()`.
-  * There is now flow out of C++ reference parameters.
-  * There is now flow through the address-of operator (`&`).
-  * The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a
-    definition of `x` when `x` is a variable of pointer type. It no longer
-    considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
-    changes are in line with the user expectations we've observed.
-  * It's now easier to specify barriers/sanitizers
-    arising from guards by overriding the predicate
-    `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
-    configurations respectively.
-  * There is now a `DataFlow::localExprFlow` predicate and a
-    `TaintTracking::localExprTaint` predicate to make it easy to use the most
-    common case of local data flow and taint: from one `Expr` to another.
+* The data-flow library has been extended with a new feature to aid debugging.
+  Instead of specifying `isSink(Node n) { any() }` on a configuration to
+  explore the possible flow from a source, it is recommended to use the new
+  `Configuration::hasPartialFlow` predicate, as this gives a more complete
+  picture of the partial flow paths from a given source. The feature is
+  disabled by default and can be enabled for individual configurations by
+  overriding `int explorationLimit()`.
+* The data-flow library now supports flow out of C++ reference parameters.
+* The data-flow library now allows flow through the address-of operator (`&`).
+* The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a
+  definition of `x` when `x` is a variable of pointer type. It no longer
+  considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
+  changes are in line with the user expectations we've observed.
+* There is now a `DataFlow::localExprFlow` predicate and a
+  `TaintTracking::localExprTaint` predicate to make it easy to use the most
+  common case of local data flow and taint: from one `Expr` to another.
 * The member predicates of the `FunctionInput` and `FunctionOutput` classes have been renamed for
-  clarity (for example, `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates
+  clarity (e.g. `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates
  have been deprecated, and will be removed in a future release. Code that uses the old member
  predicates should be updated to use the corresponding new member predicate.
-* The predicate `Declaration.hasGlobalOrStdName` has been added, making it
-  easier to recognize C library functions called from C++.
 * The control-flow graph is now computed in QL, not in the extractor. This can
-  lead to changes in how queries are optimized because
+  lead to regressions (or improvements) in how queries are optimized because
  optimization in QL relies on static size estimates, and the control-flow edge
  relations will now have different size estimates than before.
-* Support has been added for non-type template arguments.  This means that the
-  return type of `Declaration::getTemplateArgument()` and
-  `Declaration::getATemplateArgument` have changed to `Locatable`.  For details, see the
-  CodeQL library documentation for `Declaration::getTemplateArgument()` and
-  `Declaration::getTemplateArgumentKind()`.
--- a/change-notes/1.23/analysis-csharp.md
+++ b/change-notes/1.23/analysis-csharp.md
@@ -4,42 +4,44 @@ The following changes in version 1.23 affect C# analysis in all applications.

 ## New queries

+## New queries
+
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. Results are shown on LGTM by default. |
-| Deserialization of untrusted data (`cs/unsafe-deserialization-untrusted-input`) | security, external/cwe/cwe-502 | Finds flow of untrusted input to calls to unsafe deserializers. Results are shown on LGTM by default. |
-| Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. Results are not shown on LGTM by default. |
-| Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. Results are not shown on LGTM by default. |
-| Unsafe deserializer (`cs/unsafe-deserialization`) | security, external/cwe/cwe-502 | Finds calls to unsafe deserializers. By default, the query is not run on LGTM. |
+| Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
+| Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |

 ## Changes to existing queries

 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
 | Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Fewer false positive results | More `null` checks are now taken into account, including `null` checks for `dynamic` expressions and `null` checks such as `object alwaysNull = null; if (x != alwaysNull) ...`. |
-| Missing Dispose call on local IDisposable (`cs/local-not-disposed`) | Fewer false positive results | The query has been rewritten in order to identify more dispose patterns. For example, a local `IDisposable` that is disposed of by passing through a fluent API is no longer reported as missing a dispose call. |
+| Missing Dispose call on local IDisposable (`cs/local-not-disposed`) | Fewer false positive results | The query has been rewritten in order to identify more dispose patterns. For example, a local `IDisposable` that is disposed of by passing through a fluent API is no longer reported. |
+
+## Removal of old queries

 ## Changes to code extraction

 * `nameof` expressions are now extracted correctly when the name is a namespace.

-## Changes to libraries
+## Changes to QL libraries

 * The new class `NamespaceAccess` models accesses to namespaces, for example in `nameof` expressions.
 * The data-flow library now makes it easier to specify barriers/sanitizers
-  arising from guards. You can override the predicate
+  arising from guards by overriding the predicate
  `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
  configurations respectively.
 * The data-flow library has been extended with a new feature to aid debugging.
-  Previously, to explore the possible flow from all sources you could specify `isSink(Node n) { any() }` on a configuration. 
-  Now you can use the new `Configuration::hasPartialFlow` predicate, 
-  which gives a more complete picture of the partial flow paths from a given source, including flow that doesn't reach any sink.
-  The feature is disabled by default and can be enabled for individual configurations by
+  Instead of specifying `isSink(Node n) { any() }` on a configuration to
+  explore the possible flow from a source, it is recommended to use the new
+  `Configuration::hasPartialFlow` predicate, as this gives a more complete
+  picture of the partial flow paths from a given source. The feature is
+  disabled by default and can be enabled for individual configurations by
  overriding `int explorationLimit()`.
-* `foreach` statements where the body is guaranteed to be executed at least once, such as `foreach (var x in new string[]{ "a", "b", "c" }) { ... }`, are now recognized by all analyses based on the control-flow graph (such as SSA, data flow and taint tracking).
-* Fixed the control-flow graph for `switch` statements where the `default` case was not the last case. This had caused the remaining cases to be unreachable. `SwitchStmt.getCase(int i)` now puts the `default` case last.
+* `foreach` statements where the body is guaranteed to be executed at least once, such as `foreach (var x in new string[]{ "a", "b", "c" }) { ... }`, are now recognized by all analyses based on the control flow graph (such as SSA, data flow and taint tracking).
+* Fixed the control flow graph for `switch` statements where the `default` case was not the last case. This had caused the remaining cases to be unreachable. `SwitchStmt.getCase(int i)` now puts the `default` case last.
 * There is now a `DataFlow::localExprFlow` predicate and a
  `TaintTracking::localExprTaint` predicate to make it easy to use the most
  common case of local data flow and taint: from one `Expr` to another.
-* Data is now tracked through null-coalescing expressions (`??`).
-* A new library `semmle.code.csharp.Unification` has been added. This library exposes two predicates `unifiable` and `subsumes` for calculating type unification and type subsumption, respectively.
+
+## Changes to autobuilder
--- a/change-notes/1.23/analysis-java.md
+++ b/change-notes/1.23/analysis-java.md
@@ -6,24 +6,25 @@ The following changes in version 1.23 affect Java analysis in all applications.

 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| Continue statement that does not continue (`java/continue-in-false-loop`) | correctness | Finds `continue` statements in `do { ... } while (false)` loops. Results are shown on LGTM by default. |
-| Disabled Netty HTTP header validation (`java/netty-http-response-splitting`) | security, external/cwe/cwe-113 | Finds response-splitting vulnerabilities due to Netty HTTP header validation being disabled. Results are shown on LGTM by default. |
+| Continue statement that does not continue (`java/continue-in-false-loop`) | correctness | Finds `continue` statements in `do { ... } while (false)` loops. |

 ## Changes to existing queries

 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positive results | Additional indirect null guards are detected, where two auxiliary variables are known to be equal. |
-| Non-synchronized override of synchronized method (`java/non-sync-override`) | Fewer false positive results | Results are now only reported if the immediately overridden method is synchronized. |
-| Query built from local-user-controlled sources (`java/sql-injection-local`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as sinks for SQL expressions. |
-| Query built from user-controlled sources (`java/sql-injection`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as sinks for SQL expressions. |
-| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as sinks for SQL expressions. |
-| Useless comparison test (`java/constant-comparison`) | Fewer false positive results | Additional overflow check patterns are now recognized and no longer reported. Also, a few bug fixes in the range analysis for floating-point variables gives a further reduction in false positive results. |
+| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positives | Certain indirect null guards involving two auxiliary variables known to be equal can now be detected. |
+| Non-synchronized override of synchronized method (`java/non-sync-override`) | Fewer false positives | Results are now only reported if the immediately overridden method is synchronized. |
+| Query built from user-controlled sources (`java/sql-injection`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Query built from local-user-controlled sources (`java/sql-injection-local`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Useless comparison test (`java/constant-comparison`) | Fewer false positives | Additional overflow check patterns are now recognized and no longer reported. |

-## Changes to libraries
+## Changes to QL libraries

-The data-flow library has been extended with a new feature to aid debugging. 
-Previously, to explore the possible flow from all sources you could specify `isSink(Node n) { any() }` on a configuration. 
-Now you can use the new `Configuration::hasPartialFlow` predicate, 
-which gives a more complete picture of the partial flow paths from a given source, including flow that doesn't reach any sink.
-The feature is disabled by default and can be enabled for individual configurations by overriding `int explorationLimit()`.
+* The data-flow library has been extended with a new feature to aid debugging.
+  Instead of specifying `isSink(Node n) { any() }` on a configuration to
+  explore the possible flow from a source, it is recommended to use the new
+  `Configuration::hasPartialFlow` predicate, as this gives a more complete
+  picture of the partial flow paths from a given source. The feature is
+  disabled by default and can be enabled for individual configurations by
+  overriding `int explorationLimit()`.
--- a/change-notes/1.23/analysis-javascript.md
+++ b/change-notes/1.23/analysis-javascript.md
@@ -2,81 +2,66 @@

 ## General improvements

-* Automatic classification of generated and minified files has been improved, in particular files generated by Doxygen are now recognized.
-
-* Support for `globalThis` has been added.
+* Suppor for `globalThis` has been added.

 * Support for the following frameworks and libraries has been improved:
  - [firebase](https://www.npmjs.com/package/firebase)
-  - [get-them-args](https://www.npmjs.com/package/get-them-args)
-  - [minimist](https://www.npmjs.com/package/minimist)
  - [mongodb](https://www.npmjs.com/package/mongodb)
  - [mongoose](https://www.npmjs.com/package/mongoose)
-  - [optimist](https://www.npmjs.com/package/optimist)
-  - [parse-torrent](https://www.npmjs.com/package/parse-torrent)
  - [rate-limiter-flexible](https://www.npmjs.com/package/rate-limiter-flexible)
-  - [yargs](https://www.npmjs.com/package/yargs) 

 * The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.

-* TypeScript 3.6 and 3.7 features are now supported.
+* TypeScript 3.6 features are supported.
+

 ## New queries

 | **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 |---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Ignoring result from pure array method (`js/ignore-array-result`)         | maintainability, correctness                                      | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. |
-| Incomplete URL scheme check (`js/incomplete-url-scheme-check`)            | security, correctness, external/cwe/cwe-020                       | Highlights checks for `javascript:` URLs that do not take `data:` or `vbscript:` URLs into account. Results are shown on LGTM by default. |
-| Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary `.length` value can trick the server into looping indefinitely. Results are shown on LGTM by default. |
-| Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
-| Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
-| Unreachable method overloads (`js/unreachable-method-overloads`)          | correctness, typescript                                           | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
 | Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
+| Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are shown on LGTM by default. |
+| Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
+| Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
 | Use of returnless function (`js/use-of-returnless-function`)              | maintainability, correctness                                      | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
 | Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
+| Unreachable method overloads (`js/unreachable-method-overloads`)          | correctness, typescript                                           | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |

 ## Changes to existing queries

 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Client-side cross-site scripting (`js/xss`) | More results, fewer false positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
+| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
+| Client-side cross-site scripting (`js/xss`) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
-| Hard-coded credentials (`js/hardcoded-credentials`) | Fewer false positive results | This rule now flags fewer password examples. |
-| Illegal invocation (`js/illegal-invocation`) | Fewer false positive results | This rule now correctly handles methods named `call` and `apply`. |
-| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This rule now recognizes additional ways delimiters can be stripped away. |
-| Incorrect suffix check (`js/incorrect-suffix-check`) | Fewer false positive results | The query recognizes valid checks in more cases. |
-| Network data written to file (`js/http-to-file-access`) | Fewer false positive results | This query has been renamed to better match its intended purpose, and now only considers network data untrusted. | 
-| Password in configuration file (`js/password-in-configuration-file`) | Fewer false positive results | This rule now flags fewer password examples. |
+| Hard-coded credentials (`js/hardcoded-credentials`) | Fewer false-positive results | This rule now flags fewer password examples. |
+| Illegal invocation (`js/illegal-invocation`) | Fewer false-positive results | This rule now correctly handles methods named `call` and `apply`. |
+| Incorrect suffix check (`js/incorrect-suffix-check`) | Fewer false-positive results | The query recognizes valid checks in more cases. |
+| Network data written to file (`js/http-to-file-access`) | Fewer false-positive results | This query has been renamed to better match its intended purpose, and now only considers network data untrusted. | 
+| Password in configuration file (`js/password-in-configuration-file`) | Fewer false-positive results | This rule now flags fewer password examples. |
 | Prototype pollution (`js/prototype-pollution`) | More results | The query now highlights vulnerable uses of jQuery and Angular, and the results are shown on LGTM by default. |
-| Reflected cross-site scripting (`js/reflected-xss`) | Fewer false positive results | The query now recognizes more sanitizers. |
-| Stored cross-site scripting (`js/stored-xss`) | Fewer false positive results | The query now recognizes more sanitizers. |
+| Reflected cross-site scripting (`js/reflected-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
+| Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
-| Uncontrolled data used in path expression (`js/path-injection`) | Fewer false positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
-| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |

-## Changes to libraries
+## Changes to QL libraries

 * `Expr.getDocumentation()` now handles chain assignments.
-* String literals are now parsed as regular expressions.
-  Consequently, a `RegExpTerm` may occur as part of a string literal or
-  as a regular expression literal. Queries that search for regular expressions may need to
-  use `RegExpTerm.isPartOfRegExpLiteral` or `RegExpTerm.isUsedAsRegExp` to restrict the search.
-  A regular expression AST can be obtained from a string literal using `StringLiteral.asRegExp`.

 ## Removal of deprecated queries

 The following queries (deprecated since 1.17) are no longer available in the distribution:

-* Bad parity check (js/incomplete-parity-check)
 * Builtin redefined (js/builtin-redefinition)
-* Call to parseInt without radix (js/parseint-without-radix)
 * Inefficient method definition (js/method-definition-in-constructor)
+* Bad parity check (js/incomplete-parity-check)
+* Potentially misspelled property or variable name (js/wrong-capitalization)
+* Unknown JSDoc tag (js/jsdoc/unknown-tag-type)
 * Invalid JSLint directive (js/jslint/invalid-directive)
 * Malformed JSLint directive (js/jslint/malformed-directive)
+* Use of HTML comments (js/html-comment)
 * Multi-line string literal (js/multi-line-string)
 * Octal literal (js/octal-literal)
-* Potentially misspelled property or variable name (js/wrong-capitalization)
 * Reserved word used as variable name (js/use-of-reserved-word)
 * Trailing comma in array or object expressions (js/trailing-comma-in-array-or-object)
-* Unknown JSDoc tag (js/jsdoc/unknown-tag-type)
-* Use of HTML comments (js/html-comment)
+* Call to parseInt without radix (js/parseint-without-radix)
--- a/change-notes/1.23/analysis-python.md
+++ b/change-notes/1.23/analysis-python.md
@@ -3,19 +3,7 @@

 ## General improvements

-### Python 3.8 support

-Python 3.8 syntax is now supported. In particular, the following constructs are parsed correctly:
-
- Assignment expressions using the "walrus" operator, such as `while chunk := file.read(1024): ...`.
- The positional argument separator `/`, such as in `def foo(a, /, b, *, c): ...`.
- Self-documenting expressions in f-strings, such as `f"{var=}"`.
-
-### General query improvements
-
-Following the replacement of the `Object` API (for example, `ClassObject`) in favor of the
-`Value` API (for example, `ClassValue`) in the 1.21 release, many of the standard queries have been updated
-to use the `Value` API. This should result in more precise results.

 ## New queries

@@ -30,23 +18,5 @@ to use the `Value` API. This should result in more precise results.

 | **Query**                  | **Expected impact**    | **Change** |
 |----------------------------|------------------------|------------|
-| Explicit export is undefined (`py/undefined-export`) | Fewer false positive results | Instances where an exported value may be defined in a module that lacks points-to information are no longer flagged. |
-| Module-level cyclic import (`py/unsafe-cyclic-import`) | Fewer false positive results | Instances where one of the links in an import cycle is never actually executed are no longer flagged. |
-| Non-iterable used in for loop (`py/non-iterable-in-for-loop`) | Fewer false positive results | `__aiter__` is now recognized as an iterator method. |
-| Unreachable code (`py/unreachable-statement`) | Fewer false positive results | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
-| Unreachable code (`py/unreachable-statement`) | Fewer false positive results | Unreachable `else` branches that do nothing but `assert` their non-reachability are no longer flagged. |
-| Unused import (`py/unused-import`) | Fewer false positive results | Instances where a module is used in a forward-referenced type annotation, or only during type checking are no longer flagged. |
-| `__iter__` method returns a non-iterator (`py/iter-returns-non-iterator`) | Better alert message | Alert now highlights which class is expected to be an iterator. |
-| `__init__` method returns a value (`py/explicit-return-in-init`) | Fewer false positive results | Instances where the `__init__` method returns the value of a call to a procedure are no longer flagged. |
-
-## Changes to QL libraries
-
-* Django library now recognizes positional arguments from a `django.conf.urls.url` regex (Django version 1.x)
-* Instances of the `Value` class now support the `isAbsent` method, indicating
-  whether that `Value` lacks points-to information, but inference
-  suggests that it exists. For instance, if a file contains `import
-  django`, but `django` was not extracted properly, there will be a
-  `ModuleValue` corresponding to this "unknown" module, and the `isAbsent`
-  method will hold for this `ModuleValue`.
-* The `Expr` class now has a nullary method `pointsTo` that returns the possible
-  instances of `Value` that this expression may have.
+| Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
+| `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. |
--- a/change-notes/1.23/extractor-javascript.md
+++ b/change-notes/1.23/extractor-javascript.md
@@ -5,19 +5,8 @@
 ## Changes to code extraction

 * Asynchronous generator methods are now parsed correctly and no longer cause a spurious syntax error.
-* Files in `node_modules` and `bower_components` folders are no longer extracted by default. If you still want to extract files from these folders, you can add the following filters to your `lgtm.yml` file (or add them to existing filters):
-
-  ```yaml
-  extraction:
-    javascript:
-      index:
-        filters:
-          - include: "**/node_modules"
-          - include: "**/bower_components"
-  ```
-
-* Additional [Flow](https://flow.org/) syntax is now supported.
 * Recognition of CommonJS modules has improved. As a result, some files that were previously extracted as
  global scripts are now extracted as modules.
 * Top-level `await` is now supported.
-* Bugs were fixed in how the TypeScript extractor handles default-exported anonymous classes and computed-instance field names.
+* A bug was fixed in how the TypeScript extractor handles default-exported anonymous classes.
+* A bug was fixed in how the TypeScript extractor handles computed instance field names.
--- a/change-notes/1.24/analysis-cpp.md
+++ b/change-notes/1.24/analysis-cpp.md
@@ -1,84 +0,0 @@
-# Improvements to C/C++ analysis
-
-The following changes in version 1.24 affect C/C++ analysis in all applications.
-
-## General improvements
-
-You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-| Implicit function declarations (`cpp/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql`) | correctness, maintainability | This query finds calls to undeclared functions that are compiled by a C compiler. Results are shown on LGTM by default. |
-
-## Changes to existing queries
-
-A new taint-tracking library is used by all the security queries that track tainted values
-(`cpp/path-injection`, `cpp/cgi-xss`, `cpp/sql-injection`, `cpp/uncontrolled-process-operation`,
-`cpp/unbounded-write`, `cpp/tainted-format-string`, `cpp/tainted-format-string-through-global`,
-`cpp/uncontrolled-arithmetic`, `cpp/uncontrolled-allocation-size`, `cpp/user-controlled-bypass`,
-`cpp/cleartext-storage-buffer`, `cpp/tainted-permissions-check`).
-These queries now have more precise results and also offer _path explanations_ so you can explore the results easily.
-There is a performance cost to this, and the LGTM query suite will overall run slower than before.
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-| Boost\_asio TLS Settings Misconfiguration (`cpp/boost/tls-settings-misconfiguration`) | Query id change | The identifier was updated to use dashes in place of underscores (previous identifier `cpp/boost/tls_settings_misconfiguration`). |
-| Buffer not sufficient for string (`cpp/overflow-calculated`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
-| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) |  | This query is no longer run on LGTM. |
-| Memory is never freed (`cpp/memory-never-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
-| Memory may not be freed (`cpp/memory-may-not-be-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
-| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Improved handling of template code gives greater precision. |
-| Missing return statement (`cpp/missing-return`) | Fewer false positive results and more accurate locations | Functions containing `asm` statements are no longer highlighted by this query. The locations reported by this query are now more accurate in some cases. |
-| No space for zero terminator (`cpp/no-space-for-terminator`) | More results with greater precision | The query gives more precise results for a wider variety of buffer allocations. String arguments to formatting functions are now (usually) expected to be null terminated strings. Use of the `semmle.code.cpp.models.interfaces.Allocation` library identifies problems with a wider variety of buffer allocations. This query is also more conservative when identifying which pointers point to null-terminated strings. |
-| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. Cases where the tainted allocation size is range checked are more reliably excluded. |
-| Overloaded assignment does not return 'this' (`cpp/assignment-does-not-return-this`) | Fewer false positive results | This query no longer reports incorrect results in template classes. |
-| Pointer overflow check (`cpp/pointer-overflow-check`),<br> Possibly wrong buffer size in string copy (`cpp/bad-strncpy-size`),<br> Signed overflow check (`cpp/signed-overflow-check`) | More correct results | A new library is used for determining which expressions have identical value, giving more precise results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
-| Unsafe array for days of the year (`cpp/leap-year/unsafe-array-for-days-of-the-year`) |  | This query is no longer run on LGTM. |
-| Unsigned comparison to zero (`cpp/unsigned-comparison-zero`) | More correct results | This query now also looks for comparisons of the form `0 <= x`. |
-
-## Changes to libraries
-
-* The built-in C++20 "spaceship operator" (`<=>`) is now supported via the QL
-  class `SpaceshipExpr`. Overloaded forms are modeled as calls to functions
-  named `operator<=>`.
-* The data-flow library (`semmle.code.cpp.dataflow.DataFlow` and
-  `semmle.code.cpp.dataflow.TaintTracking`) has been improved, which affects
-  and improves some security queries. The improvements are:
-    - Track flow through functions that combine taint tracking with flow through fields.
-    - Track flow through clone-like functions, that is, functions that read contents of a field from a
-      parameter and stores the value in the field of a returned object.
-* The security pack taint tracking library
-  (`semmle.code.cpp.security.TaintTracking`) uses a new intermediate
-  representation. This provides a more precise analysis of flow through
-  parameters and pointers. For new queries, however, we continue to recommend
-  using `semmle.code.cpp.dataflow.TaintTracking`.
-* The global value numbering library
-  (`semmle.code.cpp.valuenumbering.GlobalValueNumbering`) uses a new
-  intermediate representation to provide a more precise analysis of
-  heap-allocated memory and pointers to stack variables.
-* New libraries have been created to provide a more consistent and useful interface
-  for modeling allocation and deallocation. These replace the old
-  `semmle.code.cpp.commons.Alloc` library.
-    * The new `semmle.code.cpp.models.interfaces.Allocation` library models
-      allocations, such as `new` expressions and calls to `malloc`.
-    * The new `semmle.code.cpp.models.interfaces.Deallocation` library
-      models deallocations, such as `delete` expressions and calls to `free`.
-    * The predicate `freeCall` in `semmle.code.cpp.commons.Alloc` has been
-      deprecated. The `Allocation` and `Deallocation` models in
-      `semmle.code.cpp.models.interfaces` should be used instead.
-* The new class `StackVariable` should be used in place of `LocalScopeVariable`
-  in most cases. The difference is that `StackVariable` does not include
-  variables declared with `static` or `thread_local`.
-    * As a rule of thumb, custom queries about the _values_ of variables should
-      be changed from `LocalScopeVariable` to `StackVariable`, while queries
-      about the _name or scope_ of variables should remain unchanged.
-    * The `LocalScopeVariableReachability` library is deprecated in favor of
-      `StackVariableReachability`. The functionality is the same.
-* Taint tracking and data flow now features better modeling of commonly-used
-  library functions:
-    * `gets` and similar functions,
-    * the most common operations on `std::string`,
-    * `strdup` and similar functions, and
-    * formatting functions such as `sprintf`.
--- a/change-notes/1.24/analysis-csharp.md
+++ b/change-notes/1.24/analysis-csharp.md
@@ -1,48 +0,0 @@
-# Improvements to C# analysis
-
-The following changes in version 1.24 affect C# analysis in all applications.
-
-## General improvements
-
-You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-| Assembly path injection (`cs/assembly-path-injection`) | security, external/cwe/cwe-114 | Finds user-controlled data used to load an assembly. Results are shown on LGTM by default. |
-| Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. By default, the query is not run on LGTM. |
-| Insecure SQL connection (`cs/insecure-sql-connection`) | security, external/cwe/cwe-327 | Finds unencrypted SQL connection strings. Results are not shown on LGTM by default. |
-| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could make the application less secure. By default, the query is not run on LGTM. |
-| Serialization check bypass (`cs/serialization-check-bypass`) | security, external/cwe/cwe-20 | Finds where data is not validated in a deserialization method. Results are not shown on LGTM by default. |
-| XML injection (`cs/xml-injection`) | security, external/cwe/cwe-091 | Finds user-controlled data that is used to write directly to an XML document. Results are shown on LGTM by default. |
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
-| Information exposure through an exception (`cs/information-exposure-through-exception`) | More results | The query now recognizes writes to cookies, writes to ASP.NET (`Inner`)`Text` properties, and email contents as additional sinks. |
-| Information exposure through transmitted data (`cs/sensitive-data-transmission`) | More results | The query now recognizes writes to cookies and writes to ASP.NET (`Inner`)`Text` properties as additional sinks. |
-| Potentially dangerous use of non-short-circuit logic (`cs/non-short-circuit`) | Fewer false positive results | Results have been removed when the expression contains an `out` parameter. |
-| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. Results have also been removed when the variable is named `_` in a `foreach` statement. | 
-| XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to methods on `System.Xml.XPath.XPathNavigator` objects. |
-
-## Changes to code extraction
-
-* Tuple expressions, for example `(int,bool)` in `default((int,bool))` are now extracted correctly.
-* Expression nullability flow state is extracted.
-* Implicitly typed `stackalloc` expressions are now extracted correctly.
-* The difference between `stackalloc` array creations and normal array creations is extracted.
-
-## Changes to libraries
-
-* The data-flow library has been improved, which affects and improves most security queries. The improvements are:
-    - Track flow through methods that combine taint tracking with flow through fields.
-    - Track flow through clone-like methods, that is, methods that read the contents of a field from a
-      parameter and store the value in the field of a returned object.
-* The taint tracking library now tracks flow through (implicit or explicit) conversion operator calls.
-* [Code contracts](https://docs.microsoft.com/en-us/dotnet/framework/debug-trace-profile/code-contracts) are now recognized, and are treated like any other assertion methods.
-* Expression nullability flow state is given by the predicates `Expr.hasNotNullFlowState()` and `Expr.hasMaybeNullFlowState()`.
-* `stackalloc` array creations are now represented by the QL class `Stackalloc`. Previously they were represented by the class `ArrayCreation`.
-* A new class `RemoteFlowSink` has been added to model sinks where data might be exposed to external users. Examples include web page output, emails, and cookies.
--- a/change-notes/1.24/analysis-java.md
+++ b/change-notes/1.24/analysis-java.md
@@ -1,43 +0,0 @@
-# Improvements to Java analysis
-
-The following changes in version 1.24 affect Java analysis in all applications.
-
-## General improvements
-
-* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
-* A `Customizations.qll` file has been added to allow customizations of the standard library that apply to all queries.
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-| Disabled Spring CSRF protection (`java/spring-disabled-csrf-protection`) | security, external/cwe/cwe-352 | Finds disabled Cross-Site Request Forgery (CSRF) protection in Spring. Results are shown on LGTM by default. |
-| Failure to use HTTPS or SFTP URL in Maven artifact upload/download (`java/maven/non-https-url`) | security, external/cwe/cwe-300, external/cwe/cwe-319, external/cwe/cwe-494, external/cwe/cwe-829 | Finds use of insecure protocols during Maven dependency resolution. Results are shown on LGTM by default. |
-| LDAP query built from user-controlled sources (`java/ldap-injection`) | security, external/cwe/cwe-090 | Finds LDAP queries vulnerable to injection of unsanitized user-controlled input. Results are shown on LGTM by default. |
-| Left shift by more than the type width (`java/lshift-larger-than-type-width`) | correctness | Finds left shifts of ints by 32 bits or more and left shifts of longs by 64 bits or more. Results are shown on LGTM by default. |
-| Suspicious date format (`java/suspicious-date-format`) | correctness | Finds date format patterns that use placeholders that are likely to be incorrect. Results are shown on LGTM by default. |
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positive results | Final fields with a non-null initializer are no longer reported. |
-| Expression always evaluates to the same value (`java/evaluation-to-constant`) | Fewer false positive results | Expressions of the form `0 * x` are usually intended and no longer reported. Also left shift of ints by 32 bits and longs by 64 bits are no longer reported as they are not constant, these results are instead reported by the new query `java/lshift-larger-than-type-width`. |
-| Useless null check (`java/useless-null-check`) | More true positive results | Useless checks on final fields with a non-null initializer are now reported. |
-
-## Changes to libraries
-
-* The data-flow library has been improved, which affects and improves most security queries. The improvements are:
-    - Track flow through methods that combine taint tracking with flow through fields.
-    - Track flow through clone-like methods, that is, methods that read contents of a field from a
-      parameter and stores the value in the field of a returned object.
-* Identification of test classes has been improved. Previously, one of the
-  match conditions would classify any class with a name containing the string
-  "Test" as a test class, but now this matching has been replaced with one that
-  looks for the occurrence of actual unit-test annotations. This affects the
-  general file classification mechanism and thus suppression of alerts, and
-  also any security queries using taint tracking, as test classes act as
-  default barriers stopping taint flow.
-* Parentheses are now no longer modeled directly in the AST, that is, the
-  `ParExpr` class is empty. Instead, a parenthesized expression can be
-  identified with the `Expr.isParenthesized()` member predicate.
--- a/change-notes/1.24/analysis-javascript.md
+++ b/change-notes/1.24/analysis-javascript.md
@@ -1,100 +0,0 @@
-# Improvements to JavaScript analysis
-
-## General improvements
-
-* TypeScript 3.8 is now supported.
-
-* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
-
-* Resolution of imports has improved, leading to more results from the security queries:
-    - Imports with the `.js` extension can now be resolved to a TypeScript file,
-      when the import refers to a file generated by TypeScript.
-    - Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved.
-    - Export declarations of the form `export * as ns from "x"` are now analyzed more precisely.
-
-* The analysis of sanitizers has improved, leading to more accurate results from the security queries.
-  In particular:
-    - Sanitizer guards now act across function boundaries in more cases.
-    - Sanitizers can now better distinguish between a tainted value and an object _containing_ a tainted value.
-
-* Call graph construction has been improved, leading to more results from the security queries:
-    - Calls can now be resolved to indirectly-defined class members in more cases.
-    - Calls through partial invocations such as `.bind` can now be resolved in more cases.
-
-* Support for flow summaries has been more clearly marked as being experimental and moved to the new `experimental` folder.
-
-* Support for the following frameworks and libraries has been improved:
-    - [chrome-remote-interface](https://www.npmjs.com/package/chrome-remote-interface)
-    - [Electron](https://electronjs.org/)
-    - [for-in](https://www.npmjs.com/package/for-in)
-    - [for-own](https://www.npmjs.com/package/for-own)
-    - [fstream](https://www.npmjs.com/package/fstream)
-    - [Handlebars](https://www.npmjs.com/package/handlebars)
-    - [http2](https://nodejs.org/api/http2.html)
-    - [jQuery](https://jquery.com/)
-    - [jsonfile](https://www.npmjs.com/package/jsonfile)
-    - [Koa](https://www.npmjs.com/package/koa)
-    - [lazy-cache](https://www.npmjs.com/package/lazy-cache)
-    - [mongodb](https://www.npmjs.com/package/mongodb)
-    - [ncp](https://www.npmjs.com/package/ncp)
-    - [Node.js](https://nodejs.org/)
-    - [node-dir](https://www.npmjs.com/package/node-dir)
-    - [path-exists](https://www.npmjs.com/package/path-exists)
-    - [pg](https://www.npmjs.com/package/pg)
-    - [react](https://www.npmjs.com/package/react)
-    - [recursive-readdir](https://www.npmjs.com/package/recursive-readdir)
-    - [request](https://www.npmjs.com/package/request)
-    - [rimraf](https://www.npmjs.com/package/rimraf)
-    - [send](https://www.npmjs.com/package/send)
-    - [Socket.IO](https://socket.io/)
-    - [SockJS](https://www.npmjs.com/package/sockjs)
-    - [SockJS-client](https://www.npmjs.com/package/sockjs-client)
-    - [typeahead.js](https://www.npmjs.com/package/typeahead.js)
-    - [vinyl-fs](https://www.npmjs.com/package/vinyl-fs)
-    - [WebSocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API)
-    - [write-file-atomic](https://www.npmjs.com/package/write-file-atomic)
-    - [ws](https://github.com/websockets/ws)
-
-
-## New queries
-
-| **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
-|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Cross-site scripting through exception (`js/xss-through-exception`) | security, external/cwe/cwe-079, external/cwe/cwe-116              | Highlights potential XSS vulnerabilities where an exception is written to the DOM. Results are not shown on LGTM by default. |
-| Missing await (`js/missing-await`) | correctness | Highlights expressions that operate directly on a promise object in a nonsensical way, instead of awaiting its result. Results are shown on LGTM by default. |
-| Polynomial regular expression used on uncontrolled data (`js/polynomial-redos`) | security, external/cwe/cwe-730, external/cwe/cwe-400 | Highlights expensive regular expressions that may be used on malicious input. Results are shown on LGTM by default. | 
-| Prototype pollution in utility function (`js/prototype-pollution-utility`) | security, external/cwe/cwe-400, external/cwe/cwe-471 | Highlights recursive assignment operations that are susceptible to prototype pollution. Results are shown on LGTM by default. |
-| Regular expression always matches (`js/regex/always-matches`) | correctness, regular-expressions | Highlights regular expression checks that trivially succeed by matching an empty substring. Results are shown on LGTM by default. |
-| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | | Highlights potential XSS vulnerabilities in unsafely designed jQuery plugins. Results are shown on LGTM by default. |
-| Unnecessary use of `cat` process (`js/unnecessary-use-of-cat`) | correctness, security, maintainability | Highlights command executions of `cat` where the fs API should be used instead. Results are shown on LGTM by default. |
-
-
-## Changes to existing queries
-
-| **Query**                      | **Expected impact**          | **Change**                                                                |
-|--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Clear-text logging of sensitive information (`js/clear-text-logging`) | More results | More results involving `process.env` and indirect calls to logging methods are recognized. |
-| Duplicate parameter names (`js/duplicate-parameter-name`) | Fewer results | This query now ignores additional parameters that reasonably can have duplicated names. |
-| Expression has no effect (`js/useless-expression`) | Fewer false positive results | The query now recognizes block-level flow type annotations and ignores the first statement of a try block. |
-| Identical operands (`js/redundant-operation`) | Fewer results | This query now excludes cases where the operands change a value using ++/-- expressions. |
-| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes and excludes additional cases where a single replacement is likely to be intentional. |
-| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional variations of URL scheme checks. |
-| Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | The query reports fewer duplicates and only flags handlers that explicitly access cookie data. |
-| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now excludes cases where a function uses the `Function.arguments` value to process a variable number of parameters. |
-| Syntax error (`js/syntax-error`) | Lower severity | This results of this query are now displayed with lower severity. |
-| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. |
-| Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
-| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
-| Use of call stack introspection in strict mode (`js/strict-mode-call-stack-introspection`) | Fewer false positive results | The query no longer flags expression statements. |
-| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes and excludes additional cases that do not require secure hashing. |
-| Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes between escapes in strings and regular expression literals. |
-
-## Changes to libraries
-
-* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
-* An extensible model of the `EventEmitter` pattern has been implemented.
-* Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
-  that combine taint-tracking and flow labels.
-    - Sources added by the 1-argument `isSource` predicate are associated with the `taint` label now, instead of the `data` label.
-    - Sanitizers now only block the `taint` label. As a result, sanitizers no longer block the flow of tainted values wrapped inside a property of an object.
-      To retain the old behavior, instead use a barrier, or block the `data` flow label using a labeled sanitizer.
--- a/change-notes/1.24/analysis-python.md
+++ b/change-notes/1.24/analysis-python.md
@@ -1,55 +0,0 @@
-# Improvements to Python analysis
-
-The following changes in version 1.24 affect Python analysis in all applications.
-
-## General improvements
-
- Support for Django version 2.x and 3.x
-
- Taint tracking now correctly tracks taint in destructuring assignments. For example, if `tainted_list` is a list of tainted tainted elements, then
-    ```python
-    head, *tail = tainted_list
-    ```
-    will result in `tail` being tainted with the same taint as `tainted_list`, and `head` being tainted with the taint of the elements of `tainted_list`.
-
- A large number of libraries and queries have been moved to the new `Value` API, which should result in more precise results.
-
- The `Value` interface has been extended in various ways:
-   - A new `StringValue` class has been added, for tracking string literals.
-   - Values now have a `booleanValue` method which returns the boolean interpretation of the given value.
-   - Built-in methods for which the return type is not fixed are now modeled as returning an unknown value by default.
-
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-| Arbitrary file write during tarfile extraction (`py/tarslip`) | Fewer false negative results | Negations are now handled correctly in conditional expressions that may sanitize tainted values. |
-| First parameter of a method is not named 'self' (`py/not-named-self`) | Fewer false positive results | `__class_getitem__` is now recognized as a class method. |
-| Import of deprecated module (`py/import-deprecated-module`) | Fewer false positive results | Deprecated modules that are used to provide backwards compatibility are no longer reported.|
-| Module imports itself (`py/import-own-module`) | Fewer false positive results | Imports local to a given package are no longer classified as self-imports. |
-| Uncontrolled command line (`py/command-line-injection`) | More results | We now model the `fabric` and `invoke` packages for command execution. |
-
-### Web framework support
-
-The CodeQL library has improved support for the web frameworks: Bottle, CherryPy, Falcon, Pyramid, TurboGears, Tornado, and Twisted. They now provide a proper `HttpRequestTaintSource`, instead of a `TaintSource`. This will enable results for the following queries:
-
- `py/path-injection`
- `py/command-line-injection`
- `py/reflective-xss`
- `py/sql-injection`
- `py/code-injection`
- `py/unsafe-deserialization`
- `py/url-redirection`
-
-The library also has improved support for the web framework Twisted. It now provides a proper
-`HttpResponseTaintSink`, instead of a `TaintSink`. This will enable results for the following
-queries:
-
- `py/reflective-xss`
- `py/stack-trace-exposure`
-
-## Changes to libraries
-### Taint tracking
- The `urlsplit` and `urlparse` functions now propagate taint appropriately.
- HTTP requests using the `requests` library are now modeled.
--- a/change-notes/1.24/extractor-javascript.md
+++ b/change-notes/1.24/extractor-javascript.md
@@ -1,7 +0,0 @@
-[[ condition: enterprise-only ]]
-
-# Improvements to JavaScript analysis
-
-## Changes to code extraction
-
-* `import.meta` expressions no longer result in a syntax error in JavaScript files.
--- a/change-notes/1.25/analysis-cpp.md
+++ b/change-notes/1.25/analysis-cpp.md
@@ -1,46 +0,0 @@
-# Improvements to C/C++ analysis
-
-The following changes in version 1.25 affect C/C++ analysis in all applications.
-
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-| Uncontrolled format string (`cpp/tainted-format-string`) |  | This query is now displayed by default on LGTM. |
-| Uncontrolled format string (through global variable) (`cpp/tainted-format-string-through-global`) |  | This query is now displayed by default on LGTM. |
-
-## Changes to libraries
-
-* The library `VCS.qll` and all queries that imported it have been removed.
-* The data-flow library has been improved, which affects most security queries by potentially
-  adding more results. Flow through functions now takes nested field reads/writes into account.
-  For example, the library is able to track flow from `taint()` to `sink()` via the method
-  `getf2f1()` in
-  ```c
-  struct C {
-      int f1;
-  };
-
-  struct C2
-  {
-      C f2;
-
-      int getf2f1() {
-          return f2.f1; // Nested field read
-      }
-
-      void m() {
-          f2.f1 = taint();
-          sink(getf2f1()); // NEW: taint() reaches here
-      }
-  };
-  ```
-* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint.  This results in fewer false positive results from queries that use this library.
-* The length of a tainted string (such as the return value of a call to `strlen` or `strftime` with tainted parameters) is no longer itself considered tainted by the `models` library.  This leads to fewer false positive results in queries that use any of our taint libraries.
--- a/change-notes/1.25/analysis-csharp.md
+++ b/change-notes/1.25/analysis-csharp.md
@@ -1,78 +0,0 @@
-# Improvements to C# analysis
-
-The following changes in version 1.25 affect C# analysis in all applications.
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-
-
-## Removal of old queries
-
-## Changes to code extraction
-
-* Index initializers, of the form `{ [1] = "one" }`, are extracted correctly. Previously, the kind of the
-  expression was incorrect, and the index was not extracted.
-
-## Changes to libraries
-
-* The class `UnboundGeneric` has been refined to only be those declarations that actually
-  have type parameters. This means that non-generic nested types inside constructed types,
-  such as `A<int>.B`, no longer are considered unbound generics. (Such nested types do,
-  however, still have relevant `.getSourceDeclaration()`s, for example `A<>.B`.)
-* The data-flow library has been improved, which affects most security queries by potentially
-  adding more results:
-  - Flow through methods now takes nested field reads/writes into account.
-    For example, the library is able to track flow from `"taint"` to `Sink()` via the method
-    `GetF2F1()` in
-    ```csharp
-    class C1
-    {
-        string F1;
-    }
-
-    class C2
-    {
-        C1 F2;
-
-        string GetF2F1() => F2.F1; // Nested field read
-
-        void M()
-        {
-            F2 = new C1() { F1 = "taint" };
-            Sink(GetF2F1()); // NEW: "taint" reaches here
-        }
-    }
-    ```
-  - Flow through collections is now modeled precisely. For example, instead of modeling an array
-    store `a[i] = x` as a taint-step from `x` to `a`, we now model it as a data-flow step that
-    stores `x` into `a`. To get the value back out, a matching read step must be taken.
-
-    For source-code based data-flow analysis, the following constructs are modeled as stores into
-    collections:
-    - Direct array assignments, `a[i] = x`.
-    - Array initializers, `new [] { x }`.
-    - C# 6-style array initializers, `new C() { Array = { [i] = x } }`.
-    - Call arguments that match a `params` parameter, where the C# compiler creates an array under-the-hood.
-    - `yield return` statements.
-
-    The following source-code constructs read from a collection:
-    - Direct array reads, `a[i]`.
-    - `foreach` statements.
-
-    For calls out to library code, existing flow summaries have been refined to precisely
-    capture how they interact with collection contents. For example, a call to
-    `System.Collections.Generic.List<T>.Add(T)` stores the value of the argument into the
-    qualifier, and a call to `System.Collections.Generic.List<T>.get_Item(int)` (that is, an
-    indexer call) reads contents out of the qualifier. Moreover, the effect of
-    collection-clearing methods such as `System.Collections.Generic.List<T>.Clear()` is now
-    also modeled.
-
-## Changes to autobuilder
--- a/change-notes/1.25/analysis-java.md
+++ b/change-notes/1.25/analysis-java.md
@@ -1,49 +0,0 @@
-# Improvements to Java analysis
-
-The following changes in version 1.25 affect Java analysis in all applications.
-
-## General improvements
-
-The Java autobuilder has been improved to detect more Gradle Java versions.
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-| Hard-coded credential in API call (`java/hardcoded-credential-api-call`) | More results | The query now recognizes the `BasicAWSCredentials` class of the Amazon client SDK library with hardcoded access key/secret key. |
-| Deserialization of user-controlled data (`java/unsafe-deserialization`) | Fewer false positive results | The query no longer reports results using `org.apache.commons.io.serialization.ValidatingObjectInputStream`. |
-| Use of a broken or risky cryptographic algorithm (`java/weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
-| Use of a potentially broken or risky cryptographic algorithm (`java/potentially-weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
-| Reading from a world writable file (`java/world-writable-file-read`) | More results | The query now recognizes more JDK file operations. |
-
-## Changes to libraries
-
-* The data-flow library has been improved with more taint flow modeling for the
-  Collections framework and other classes of the JDK. This affects all security
-  queries using data flow and can yield additional results.
-* The data-flow library has been improved with more taint flow modeling for the
-  Spring framework. This affects all security queries using data flow and can
-  yield additional results on project that rely on the Spring framework.
-* The data-flow library has been improved, which affects most security queries by potentially
-  adding more results. Flow through methods now takes nested field reads/writes into account.
-  For example, the library is able to track flow from `"taint"` to `sink()` via the method
-  `getF2F1()` in
-  ```java
-  class C1 {
-    String f1;
-    C1(String f1) { this.f1 = f1; }
-  }
-
-  class C2 {
-    C1 f2;
-    String getF2F1() {
-        return this.f2.f1; // Nested field read
-    }
-    void m() {
-        this.f2 = new C1("taint");
-        sink(this.getF2F1()); // NEW: "taint" reaches here
-    }
-  }
-  ```
-* The library has been extended with more support for Java 14 features
-  (`switch` expressions and pattern-matching for `instanceof`).
--- a/change-notes/1.25/analysis-javascript.md
+++ b/change-notes/1.25/analysis-javascript.md
@@ -1,111 +0,0 @@
-# Improvements to JavaScript analysis
-
-## General improvements
-
-* Support for the following frameworks and libraries has been improved:
-  - [Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise)
-  - [bluebird](http://bluebirdjs.com/)
-  - [express](https://www.npmjs.com/package/express)
-  - [execa](https://www.npmjs.com/package/execa)
-  - [fancy-log](https://www.npmjs.com/package/fancy-log)
-  - [fastify](https://www.npmjs.com/package/fastify)
-  - [foreground-child](https://www.npmjs.com/package/foreground-child)
-  - [fstream](https://www.npmjs.com/package/fstream)
-  - [jGrowl](https://github.com/stanlemon/jGrowl)
-  - [jQuery](https://jquery.com/)
-  - [marsdb](https://www.npmjs.com/package/marsdb)
-  - [micro](https://www.npmjs.com/package/micro/)
-  - [minimongo](https://www.npmjs.com/package/minimongo/)
-  - [mssql](https://www.npmjs.com/package/mssql)
-  - [mysql](https://www.npmjs.com/package/mysql)
-  - [npmlog](https://www.npmjs.com/package/npmlog)
-  - [opener](https://www.npmjs.com/package/opener)
-  - [pg](https://www.npmjs.com/package/pg)
-  - [sequelize](https://www.npmjs.com/package/sequelize)
-  - [spanner](https://www.npmjs.com/package/spanner)
-  - [sqlite](https://www.npmjs.com/package/sqlite)
-  - [ssh2-streams](https://www.npmjs.com/package/ssh2-streams)
-  - [ssh2](https://www.npmjs.com/package/ssh2)
-  - [vue](https://www.npmjs.com/package/vue)
-  - [yargs](https://www.npmjs.com/package/yargs)
-  - [webpack-dev-server](https://www.npmjs.com/package/webpack-dev-server)
-
-* TypeScript 4.0 is now supported.
-
-* TypeScript code embedded in HTML and Vue files is now extracted and analyzed.
-
-* The analysis of sanitizers has improved, leading to more accurate
-  results from the security queries.
-
-## New queries
-
-| **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
-|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| DOM text reinterpreted as HTML (`js/xss-through-dom`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are shown on LGTM by default. |
-| Incomplete HTML attribute sanitization (`js/incomplete-html-attribute-sanitization`) | security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default. |
-| Unsafe expansion of self-closing HTML tag (`js/unsafe-html-expansion`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags. |
-| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default. |
-| Download of sensitive file through insecure connection (`js/insecure-download`) | security, external/cwe/cwe-829 | Highlights downloads of sensitive files through an unencrypted protocol. Results are shown on LGTM by default. |
-| Exposure of private files (`js/exposure-of-private-files`) | security, external/cwe/cwe-200 | Highlights servers that serve private files. Results are shown on LGTM by default. |
-| Creating biased random numbers from a cryptographically secure source (`js/biased-cryptographic-random`) | security, external/cwe/cwe-327 | Highlights mathematical operations on cryptographically secure numbers that can create biased results. Results are shown on LGTM by default. |
-| Storage of sensitive information in build artifact (`js/build-artifact-leak`) | security, external/cwe/cwe-312 | Highlights storage of sensitive information in build artifacts. Results are shown on LGTM by default. |
-| Improper code sanitization (`js/bad-code-sanitization`) | security, external/cwe/cwe-094, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights string concatenation where code is constructed without proper sanitization. Results are shown on LGTM by default. |
-| Disabling certificate validation (`js/disabling-certificate-validation`) | security, external/cwe-295 | Highlights locations where SSL certificate validation is disabled. Results are shown on LGTM by default. | 
-| Incomplete multi-character sanitization (`js/incomplete-multi-character-sanitization`) | correctness, security, external/cwe/cwe-20, external/cwe/cwe-116 | Highlights sanitizers that fail to remove dangerous substrings completely. Results are shown on LGTM by default. |
-
-## Changes to existing queries
-
-| **Query**                      | **Expected impact**          | **Change**                                                                |
-|--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Client-side cross-site scripting (`js/xss`) | Fewer results | This query now recognizes additional safe patterns of constructing HTML. |
-| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Fewer results | This query now recognizes additional safe patterns of doing URL redirects. |
-| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
-| Exception text reinterpreted as HTML (`js/exception-xss`) | Rephrased and changed visibility | Rephrased name and alert message. Severity lowered from error to warning. Results are now shown on LGTM by default. |
-| Expression has no effect (`js/useless-expression`) | Fewer results | This query no longer flags an expression when that expression is the only content of the containing file. |
-| Hard-coded credentials (`js/hardcoded-credentials`) | More results | This query now recognizes hard-coded credentials sent via HTTP authorization headers. |
-| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional url scheme checks. |
-| Insecure randomness (`js/insecure-randomness`) | Fewer results | This query now recognizes when an insecure random value is used as a fallback when secure random values are unsupported. |
-| Misspelled variable name (`js/misspelled-variable-name`) | Message changed | The message for this query now correctly identifies the misspelled variable in additional cases. |
-| Non-linear pattern (`js/non-linear-pattern`) | Fewer duplicates and message changed | This query now generates fewer duplicate alerts and has a clearer explanation in case of type annotations used in a pattern. |
-| Prototype pollution in utility function (`js/prototype-pollution-utility`) | More results | This query now recognizes additional utility functions as vulnerable to prototype polution. |
-| Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
-| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
-| Uncontrolled data used in path expression (`js/path-injection`) | Fewer results | This query no longer flags paths that have been checked to be part of a collection. |
-| Unknown directive (`js/unknown-directive`) | Fewer results | This query no longer flags directives generated by the Babel compiler. |
-| Unneeded defensive code (`js/unneeded-defensive-code`) | Fewer false-positive results | This query now recognizes checks meant to handle the `document.all` object. |
-| Unused property (`js/unused-property`) | Fewer results | This query no longer flags properties of objects that are operands of `yield` expressions. |
-| Zip Slip (`js/zipslip`) | More results | This query now recognizes additional vulnerabilities. |
-
-The following low-precision queries are no longer run by default on LGTM (their results already were not displayed):
-
-  - `js/angular/dead-event-listener`
-  - `js/angular/unused-dependency`
-  - `js/bitwise-sign-check`
-  - `js/comparison-of-identical-expressions`
-  - `js/conflicting-html-attribute`
-  - `js/ignored-setter-parameter`
-  - `js/jsdoc/malformed-param-tag`
-  - `js/jsdoc/missing-parameter`
-  - `js/jsdoc/unknown-parameter`
-  - `js/json-in-javascript-file`
-  - `js/misspelled-identifier`
-  - `js/nested-loops-with-same-variable`
-  - `js/node/cyclic-import`
-  - `js/node/unused-npm-dependency`
-  - `js/omitted-array-element`
-  - `js/return-outside-function`
-  - `js/single-run-loop`
-  - `js/too-many-parameters`
-  - `js/unused-property`
-  - `js/useless-assignment-to-global`
-
-## Changes to libraries
-
-* A library `semmle.javascript.explore.CallGraph` has been added to help write queries for exploring the call graph.
-* Added data flow for `Map` and `Set`, and added matching type-tracking steps that can accessed using the `CollectionsTypeTracking` module.
-* The data-flow node representing a parameter or destructuring pattern is now always the `ValueNode` corresponding to that AST node. This has a few consequences:
-  - `Parameter.flow()` now gets the correct data flow node for a parameter. Previously this had a result, but the node was disconnected from the data flow graph.
-  - `ParameterNode.asExpr()` and `.getAstNode()` now gets the parameter's AST node, whereas previously it had no result.
-  - `Expr.flow()` now has a more meaningful result for destructuring patterns. Previously this node was disconnected from the data flow graph. Now it represents the values being destructured by the pattern.
-* The global data-flow and taint-tracking libraries now model indirect parameter accesses through the `arguments` object in some cases, which may lead to additional results from some of the security queries, particularly "Prototype pollution in utility function".
-* The predicates `Type.getProperty()` and variants of `Type.getMethod()` have been deprecated due to lack of use-cases. Looking up a named property of a static type is no longer supported, favoring faster extraction times instead.
--- a/change-notes/1.25/analysis-python.md
+++ b/change-notes/1.25/analysis-python.md
@@ -1,9 +0,0 @@
-# Improvements to Python analysis
-
-* Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).
-* Added model of taint sources for HTTP servers using `http.server`.
-* Added taint modeling of routed parameters in Flask.
-* Improved modeling of built-in methods on strings for taint tracking.
-* Improved classification of test files.
-* New class `BoundMethodValue` represents a bound method during runtime.
-* The query `py/command-line-injection` now recognizes command execution with the `fabric` and `invoke` Python libraries.
--- a/change-notes/1.26/analysis-cpp.md
+++ b/change-notes/1.26/analysis-cpp.md
@@ -1,31 +0,0 @@
-# Improvements to C/C++ analysis
-
-The following changes in version 1.26 affect C/C++ analysis in all applications.
-
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-| Declaration hides parameter (`cpp/declaration-hides-parameter`) | Fewer false positive results | False positives involving template functions have been fixed. |
-| Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
-| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
-| Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
-
-## Changes to libraries
-
-* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
-* The models library now models many taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
-* The models library now models many more taint flows through `std::string`.
-* The models library now models many taint flows through `std::istream` and `std::ostream`.
-* The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
-* The models library now models many taint flows through `std::pair`, `std::map`, `std::unordered_map`, `std::set` and `std::unordered_set`.
-* The models library now models `bcopy`.
-* The `SimpleRangeAnalysis` library now supports multiplications of the form
-  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
--- a/change-notes/1.26/analysis-java.md
+++ b/change-notes/1.26/analysis-java.md
@@ -1,20 +0,0 @@
-# Improvements to Java analysis
-
-The following changes in version 1.26 affect Java analysis in all applications.
-
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-
-
-## Changes to libraries
-
--- a/change-notes/1.26/analysis-javascript.md
+++ b/change-notes/1.26/analysis-javascript.md
@@ -1,73 +0,0 @@
-# Improvements to JavaScript analysis
-
-## General improvements
-
-* Angular-specific taint sources and sinks are now recognized by the security queries.
-
-* Support for React has improved, with better handling of react hooks, react-router path parameters, lazy-loaded components, and components transformed using `react-redux` and/or `styled-components`.
-
-* Dynamic imports are now analyzed more precisely.
-
-* Support for the following frameworks and libraries has been improved:
-  - [@angular/*](https://www.npmjs.com/package/@angular/core)
-  - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
-  - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
-  - [debounce](https://www.npmjs.com/package/debounce)
-  - [bluebird](https://www.npmjs.com/package/bluebird)
-  - [call-limit](https://www.npmjs.com/package/call-limit)
-  - [classnames](https://www.npmjs.com/package/classnames)
-  - [clsx](https://www.npmjs.com/package/clsx)
-  - [express](https://www.npmjs.com/package/express)
-  - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
-  - [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
-  - [http](https://nodejs.org/api/http.html)
-  - [javascript-stringify](https://www.npmjs.com/package/javascript-stringify)
-  - [js-stringify](https://www.npmjs.com/package/js-stringify)
-  - [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
-  - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
-  - [json3](https://www.npmjs.com/package/json3)
-  - [jQuery throttle / debounce](https://github.com/cowboy/jquery-throttle-debounce)
-  - [lodash](https://www.npmjs.com/package/lodash)
-  - [lodash.debounce](https://www.npmjs.com/package/lodash.debounce)
-  - [lodash.throttle](https://www.npmjs.com/package/lodash.throttle)
-  - [needle](https://www.npmjs.com/package/needle)
-  - [object-inspect](https://www.npmjs.com/package/object-inspect)
-  - [pretty-format](https://www.npmjs.com/package/pretty-format)
-  - [react](https://www.npmjs.com/package/react)
-  - [react-router-dom](https://www.npmjs.com/package/react-router-dom)
-  - [react-redux](https://www.npmjs.com/package/react-redux)
-  - [redis](https://www.npmjs.com/package/redis)
-  - [redux](https://www.npmjs.com/package/redux)
-  - [stringify-object](https://www.npmjs.com/package/stringify-object)
-  - [styled-components](https://www.npmjs.com/package/styled-components)
-  - [throttle-debounce](https://www.npmjs.com/package/throttle-debounce)
-  - [underscore](https://www.npmjs.com/package/underscore)
-
-* Analyzing files with the ".cjs" extension is now supported.
-* ES2021 features are now supported.
-
-## New queries
-
-| **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
-|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                      | **Expected impact**          | **Change**                                                                |
-|--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Potentially unsafe external link (`js/unsafe-external-link`) | Fewer results | This query no longer flags URLs constructed using a template system where only the hash or query part of the URL is dynamic. |
-| Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
-| Ambiguous HTML id attribute (`js/duplicate-html-id`) | Results no longer shown | Precision tag reduced to "low". The query is no longer run by default. |
-| Unused loop iteration variable (`js/unused-loop-variable`) | Fewer results | This query no longer flags variables in a destructuring array assignment that are not the last variable in the destructed array. |
-| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
-| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
-| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
-| Missing CSRF middleware (`js/missing-token-validation`) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
-| Missing CSRF middleware (`js/missing-token-validation`) | Fewer results | This query now recognizes more ways of protecting against CSRF attacks. |
-| Client-side cross-site scripting (`js/xss`) | More results | This query now tracks data flow from `location.hash` more precisely. |
-
-
-## Changes to libraries
-* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
-* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, subclasses should instead be based on `HtmlInjectionConfiguration`. To use both configurations in a query, see [Xss.ql](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql) for an example.
--- a/change-notes/1.26/analysis-python.md
+++ b/change-notes/1.26/analysis-python.md
@@ -1,37 +0,0 @@
-# Improvements to Python analysis
-
-The following changes in version 1.26 affect Python analysis in all applications.
-
-## General improvements
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-|`py/unsafe-deserialization` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/path-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/command-line-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/reflective-xss` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/sql-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
-|`py/code-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
-## Changes to libraries
-* Some of the security queries now use the shared data flow library for data flow and taint tracking. This has resulted in an overall more robust and accurate analysis. The libraries mentioned below have been modelled in this new framework. Other libraries (e.g. the web framework `CherryPy`) have not been modelled yet, and this may lead to a temporary loss of results for these frameworks.
-* Improved modelling of the following serialization libraries:
-  - `PyYAML`
-  - `dill`
-  - `pickle`
-  - `marshal`
-* Improved modelling of the following web frameworks:
-  - `Django` (Note that modelling of class-based response handlers is currently incomplete.)
-  - `Flask`
-* Support for Werkzeug `MultiDict`.
-* Support for the [Python Database API Specification v2.0 (PEP-249)](https://www.python.org/dev/peps/pep-0249/), including the following libraries:
-  - `MySQLdb`
-  - `mysql-connector-python`
-  - `django.db`
-* Improved modelling of the following command execution libraries:
-  - `Fabric`
-  - `Invoke`
-* Improved modelling of security-related standard library modules, such as `os`, `popen2`, `platform`, and `base64`.
-* The original versions of the updated queries have been preserved [here](https://github.com/github/codeql/tree/main/python/ql/src/experimental/Security-old-dataflow).
-* Added taint tracking support for string formatting through f-strings.
--- a/change-notes/support/README.md
+++ b/change-notes/support/README.md
@@ -1,6 +1,6 @@
 # Files moved to ``docs`` directory

-Now that all of the CodeQL documentation is in this repository,
+Now that all of the QL documentation is in this repository,
 notes on the languages, compilers, and frameworks supported have moved.
 They're now stored as part of the Sphinx ``support`` project with the other documentation:
 ``docs/language/support``.
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -1,5 +1,5 @@
 {
-  "DataFlow Java/C++/C#/Python": [
+  "DataFlow Java/C++/C#": [
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
@@ -18,63 +18,26 @@
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll"
  ],
-  "DataFlow Java/C++/C#/Python Common": [
+  "DataFlow Java/C++/C# Common": [
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll"
  ],
-  "TaintTracking::Configuration Java/C++/C#/Python": [
+  "TaintTracking::Configuration Java/C++/C#": [
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
-  ],
-  "DataFlow Java/C++/C#/Python Consistency checks": [
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
-  ],
-  "SsaReadPosition Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
-  ],
-  "Sign Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
-  ],
-  "SignAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
-  ],
-  "Bound Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
-  ],
-  "ModulusAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
  ],
  "C++ SubBasicBlocks": [
    "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
@@ -84,122 +47,101 @@
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll"
  ],
  "IR IRBlock": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRBlock.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRBlock.qll"
  ],
  "IR IRVariable": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll"
  ],
  "IR IRFunction": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRFunction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRFunction.qll"
  ],
  "IR Operand": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll" 
  ],
  "IR IRType": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
-    "csharp/ql/src/experimental/ir/implementation/IRType.qll"
-  ],
-  "IR IRConfiguration": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
-    "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
-  ],
-  "IR UseSoundEscapeAnalysis": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
-    "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
-  ],
-  "IR IRFunctionBase": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll"
  ],
  "IR Operand Tag": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/internal/OperandTag.qll"
  ],
-  "IR TInstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
-  ],
-  "IR TIRVariable": [
+  "IR TIRVariable":[
    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll"
  ],
  "IR IR": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll"
  ],
-  "IR IRConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
+  "IR IRSanity": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll"
  ],
  "IR PrintIR": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/PrintIR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/PrintIR.qll"
  ],
  "IR IntegerConstant": [
    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerConstant.qll"
  ],
  "IR IntegerInteval": [
    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerInterval.qll"
  ],
  "IR IntegerPartial": [
    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerPartial.qll"
  ],
  "IR Overlap": [
    "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
-    "csharp/ql/src/experimental/ir/internal/Overlap.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/internal/Overlap.qll"
  ],
  "IR EdgeKind": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
-    "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/EdgeKind.qll"
  ],
  "IR MemoryAccessKind": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
-    "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll"
  ],
  "IR TempVariableTag": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
-    "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/TempVariableTag.qll"
  ],
  "IR Opcode": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
-    "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
-  ],
-  "IR SSAConsistency": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll"
  ],
  "C++ IR InstructionImports": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
@@ -216,11 +158,6 @@
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
  ],
-  "C++ IR IRFunctionImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRFunctionImports.qll"
-  ],
  "C++ IR IRVariableImports": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
@@ -240,14 +177,9 @@
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
  ],
-  "SSA AliasAnalysis": [
+  "C++ SSA AliasAnalysis": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
-  ],
-  "C++ SSA AliasAnalysisImports": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
  ],
  "C++ IR ValueNumberingImports": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
@@ -256,42 +188,24 @@
  ],
  "IR SSA SimpleSSA": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
-  ],
-  "IR AliasConfiguration (unaliased_ssa)": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
  ],
  "IR SSA SSAConstruction": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
  ],
  "IR SSA PrintSSA": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
  ],
-  "IR ValueNumberInternal": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
-  ],
-  "C++ IR ValueNumber": [
+  "IR ValueNumber": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
-  ],
-  "C++ IR PrintValueNumbering": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
  ],
  "C++ IR ConstantAnalysis": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -320,120 +234,31 @@
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
  ],
  "C# IR InstructionImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
  ],
  "C# IR IRImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll"
  ],
  "C# IR IRBlockImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRBlockImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
-  ],
-  "C# IR IRFunctionImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
  ],
  "C# IR IRVariableImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRVariableImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
  ],
  "C# IR OperandImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/OperandImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
  ],
  "C# IR PrintIRImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/PrintIRImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
  ],
  "C# IR ValueNumberingImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
-  ],
-  "C# ControlFlowReachability": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
-  ],
-  "Inline Test Expectations": [
-    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
-  ],
-  "C++ ExternalAPIs": [
-    "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
-    "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
-  ],
-  "C++ SafeExternalAPIFunction": [
-    "cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll",
-    "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
-  ],
-  "XML": [
-    "cpp/ql/src/semmle/code/cpp/XML.qll",
-    "csharp/ql/src/semmle/code/csharp/XML.qll",
-    "java/ql/src/semmle/code/xml/XML.qll",
-    "javascript/ql/src/semmle/javascript/XML.qll",
-    "python/ql/src/semmle/python/xml/XML.qll"
-  ],
-  "DuplicationProblems.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
-    "javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
-    "python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
-  ],
-  "CommentedOutCodeQuery.inc.qhelp": [
-    "cpp/ql/src/Documentation/CommentedOutCodeQuery.inc.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeQuery.inc.qhelp",
-    "csharp/ql/src/Bad Practices/Comments/CommentedOutCodeQuery.inc.qhelp",
-    "java/ql/src/Violations of Best Practice/Comments/CommentedOutCodeQuery.inc.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeQuery.inc.qhelp"
-  ],
-  "FLinesOfCodeReferences.inc.qhelp": [
-    "java/ql/src/Metrics/Files/FLinesOfCodeReferences.inc.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfCodeReferences.inc.qhelp"
-  ],
-  "FCommentRatioCommon.inc.qhelp": [
-    "java/ql/src/Metrics/Files/FCommentRatioCommon.inc.qhelp",
-    "javascript/ql/src/Metrics/FCommentRatioCommon.inc.qhelp"
-  ],
-  "FLinesOfCodeOverview.inc.qhelp": [
-    "java/ql/src/Metrics/Files/FLinesOfCodeOverview.inc.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfCodeOverview.inc.qhelp"
-  ],
-  "CommentedOutCodeMetricOverview.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
-    "csharp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
-    "java/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeMetricOverview.inc.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeMetricOverview.inc.qhelp"
-  ],
-  "FLinesOfDuplicatedCodeCommon.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.inc.qhelp",
-    "java/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.inc.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.inc.qhelp",
-    "python/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.inc.qhelp"
-  ],
-  "CommentedOutCodeReferences.inc.qhelp": [
-    "cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
-    "csharp/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
-    "java/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeReferences.inc.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
-  ],
-  "IDE Contextual Queries": [
-    "cpp/ql/src/IDEContextual.qll",
-    "csharp/ql/src/IDEContextual.qll",
-    "java/ql/src/IDEContextual.qll",
-    "javascript/ql/src/IDEContextual.qll",
-    "python/ql/src/analysis/IDEContextual.qll"
-  ],
-  "SSA C#": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
-    "csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
-  ],
-  "CryptoAlgorithms Python/JS": [
-    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/crypto/Crypto.qll"
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
  ]
-}
+}
--- a/config/opcode-qldoc.py
+++ b/config/opcode-qldoc.py
@@ -1,102 +0,0 @@
-#!/usr/bin/env python3
-
-import os
-import re
-path = os.path
-
-needs_an_re = re.compile(r'^(?!Unary)[AEIOU]')  # Name requiring "an" instead of "a".
-start_qldoc_re = re.compile(r'^\s*/\*\*')  # Start of a QLDoc comment
-end_qldoc_re = re.compile(r'\*/\s*$')  # End of a QLDoc comment
-blank_qldoc_line_re = re.compile(r'^\s*\*\s*$')  # A line in a QLDoc comment with only the '*'
-instruction_class_re = re.compile(r'^class (?P<name>[A-aa-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
-opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-aa-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
-opcode_class_re = re.compile(r'^  class (?P<name>[A-aa-z0-9]+)\s')  # Declaration of an `Opcode` class
-
-script_dir = path.realpath(path.dirname(__file__))
-instruction_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll'))
-opcode_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll'))
-
-# Scan `Instruction.qll`, keeping track of the QLDoc comment attached to each declaration of a class
-# whose name ends with `Instruction`.
-instruction_comments = {}
-in_qldoc = False
-saw_blank_line_in_qldoc = False
-qldoc_lines = []
-with open(instruction_path, 'r', encoding='utf-8') as instr:
-    for line in instr:
-        if in_qldoc:
-            if end_qldoc_re.search(line):
-                qldoc_lines.append(line)
-                in_qldoc = False
-            elif blank_qldoc_line_re.search(line):
-                # We're going to skip any lines after the first blank line, to avoid duplicating all
-                # of the verbose description.
-                saw_blank_line_in_qldoc = True
-            elif not saw_blank_line_in_qldoc:
-                qldoc_lines.append(line)
-        else:
-            if start_qldoc_re.search(line):
-                # Starting a new QLDoc comment.
-                saw_blank_line_in_qldoc = False
-                qldoc_lines.append(line)
-                if not end_qldoc_re.search(line):
-                    in_qldoc = True
-            else:
-                instruction_match = instruction_class_re.search(line)
-                if instruction_match:
-                    # Found the declaration of an `Instruction` class. Record the QLDoc comments.
-                    instruction_comments[instruction_match.group('name')] = qldoc_lines
-                qldoc_lines = []
-
-# Scan `Opcode.qll`. Whenever we see the declaration of an `Opcode` class for which we have a
-# corresponding `Instruction` class, we'll attach a copy of the `Instruction`'s QLDoc comment.
-in_qldoc = False
-qldoc_lines = []
-output_lines = []
-with open(opcode_path, 'r', encoding='utf-8') as opcode:
-    for line in opcode:
-        if in_qldoc:
-            qldoc_lines.append(line)
-            if end_qldoc_re.search(line):
-                in_qldoc = False
-        else:
-            if start_qldoc_re.search(line):
-                qldoc_lines.append(line)
-                if not end_qldoc_re.search(line):
-                    in_qldoc = True
-            else:
-                name_without_suffix = None
-                name = None
-                indent = ''
-                opcode_base_match = opcode_base_class_re.search(line)
-                if opcode_base_match:
-                    name_without_suffix = opcode_base_match.group('name')
-                    name = name_without_suffix + 'Opcode'
-                else:
-                    opcode_match = opcode_class_re.search(line)
-                    if opcode_match:
-                        name_without_suffix = opcode_match.group('name')
-                        name = name_without_suffix
-                        # Indent by two additional spaces, since opcodes are declared in the
-                        # `Opcode` module.
-                        indent = '  '
-                
-                if name_without_suffix:
-                    # Found an `Opcode` that matches a known `Instruction`. Replace the QLDoc with
-                    # a copy of the one from the `Instruction`.
-                    if instruction_comments.get(name_without_suffix):
-                        article = 'an' if needs_an_re.search(name_without_suffix) else 'a'
-                        qldoc_lines = [
-                            indent + '/**\n',
-                            indent + ' * The `Opcode` for ' + article + ' `' + name_without_suffix + 'Instruction`.\n',
-                            indent + ' *\n',
-                            indent + ' * See the `' + name_without_suffix + 'Instruction` documentation for more details.\n',
-                            indent + ' */\n'
-                        ]
-                output_lines.extend(qldoc_lines)
-                qldoc_lines = []
-                output_lines.append(line)
-
-# Write out the updated `Opcode.qll`
-with open(opcode_path, 'w', encoding='utf-8') as opcode:
-    opcode.writelines(output_lines)
--- a/config/sync-files.py
+++ b/config/sync-files.py
@@ -1,152 +0,0 @@
-#!/usr/bin/env python3
-
-# Due to various technical limitations, we sometimes have files that need to be
-# kept identical in the repository. This script loads a database of such
-# files and can perform two functions: check whether they are still identical,
-# and overwrite the others with a master copy if needed.
-
-import hashlib
-import shutil
-import os
-import sys
-import json
-import re
-path = os.path
-
-file_groups = {}
-
-def add_prefix(prefix, relative):
-    result = path.join(prefix, relative)
-    if path.commonprefix((path.realpath(result), path.realpath(prefix))) != \
-            path.realpath(prefix):
-        raise Exception("Path {} is not below {}".format(
-            result, prefix))
-    return result
-
-def load_if_exists(prefix, json_file_relative):
-    json_file_name = path.join(prefix, json_file_relative)
-    if path.isfile(json_file_name):
-        print("Loading file groups from", json_file_name)
-        with open(json_file_name, 'r', encoding='utf-8') as fp:
-            raw_groups = json.load(fp)
-        prefixed_groups = {
-                name: [
-                    add_prefix(prefix, relative)
-                    for relative in relatives
-                ]
-                for name, relatives in raw_groups.items()
-            }
-        file_groups.update(prefixed_groups)
-
-# Generates a list of C# test files that should be in sync
-def csharp_test_files():
-    test_file_re = re.compile('.*(Bad|Good)[0-9]*\\.cs$')
-    csharp_doc_files = {
-        file:os.path.join(root, file)
-            for root, dirs, files in os.walk("csharp/ql/src")
-            for file in files
-            if test_file_re.match(file)
-    }
-    return {
-        "C# test '" + file + "'" : [os.path.join(root, file), csharp_doc_files[file]]
-            for root, dirs, files in os.walk("csharp/ql/test")
-            for file in files
-            if file in csharp_doc_files
-    }
-
-def file_checksum(filename):
-    with open(filename, 'rb') as file_handle:
-        return hashlib.sha1(file_handle.read()).hexdigest()
-
-def check_group(group_name, files, master_file_picker, emit_error):
-    extant_files = [f for f in files if path.isfile(f)]
-    if len(extant_files) == 0:
-        emit_error(__file__, 0, "No files found from group '" + group_name + "'.")
-        emit_error(__file__, 0,
-                "Create one of the following files, and then run this script with "
-                "the --latest switch to sync it to the other file locations.")
-        for filename in files:
-            emit_error(__file__, 0, "    " + filename)
-        return
-
-    checksums = {file_checksum(f) for f in extant_files}
-
-    if len(checksums) == 1 and len(extant_files) == len(files):
-        # All files are present and identical.
-        return
-
-    master_file = master_file_picker(extant_files)
-    if master_file is None:
-        emit_error(__file__, 0,
-                "Files from group '"+ group_name +"' not in sync.")
-        emit_error(__file__, 0,
-                "Run this script with a file-name argument among the "
-                "following to overwrite the remaining files with the contents "
-                "of that file, or run with the --latest switch to update each "
-                "group of files from the most recently modified file in the group.")
-        for filename in extant_files:
-            emit_error(__file__, 0, "    " + filename)
-    else:
-        print("  Syncing others from", master_file)
-        for filename in files:
-            if filename == master_file:
-                continue
-            print("    " + filename)
-            if path.isfile(filename):
-                os.replace(filename, filename + '~')
-            shutil.copy(master_file, filename)
-        print("  Backups written with '~' appended to file names")
-
-def chdir_repo_root():
-    root_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..')
-    os.chdir(root_path)
-
-def choose_master_file(master_file, files):
-    if master_file in files:
-        return master_file
-    else:
-        return None
-
-def choose_latest_file(files):
-    latest_time = None
-    latest_file = None
-    for filename in files:
-        file_time = os.path.getmtime(filename)
-        if (latest_time is None) or (latest_time < file_time):
-            latest_time = file_time
-            latest_file = filename
-    return latest_file
-
-local_error_count = 0
-def emit_local_error(path, line, error):
-    print('ERROR: ' + path + ':' + str(line) + " - " + error)
-    global local_error_count
-    local_error_count += 1
-
-# This function is invoked directly by a CI script, which passes a different error-handling
-# callback.
-def sync_identical_files(emit_error):
-    if len(sys.argv) == 1:
-        master_file_picker = lambda files: None
-    elif len(sys.argv) == 2:
-        if sys.argv[1] == "--latest":
-            master_file_picker = choose_latest_file
-        elif os.path.isfile(sys.argv[1]):
-            master_file_picker = lambda files: choose_master_file(sys.argv[1], files)
-        else:
-            raise Exception("File not found")
-    else:
-        raise Exception("Bad command line or file not found")
-    chdir_repo_root()
-    load_if_exists('.', 'config/identical-files.json')
-    file_groups.update(csharp_test_files())
-    for group_name, files in file_groups.items():
-        check_group(group_name, files, master_file_picker, emit_error)
-
-def main():
-    sync_identical_files(emit_local_error)
-    if local_error_count > 0:
-        exit(1)
-
-if __name__ == "__main__":
-    main()
--- a/cpp/autobuilder/.gitignore
+++ b/cpp/autobuilder/.gitignore
@@ -1,13 +0,0 @@
-obj/
-TestResults/
-*.manifest
-*.pdb
-*.suo
-*.mdb
-*.vsmdi
-csharp.log
-**/bin/Debug
-**/bin/Release
-*.tlog
-.vs
-*.user
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs
@@ -1,323 +0,0 @@
-using Xunit;
-using Semmle.Autobuild.Shared;
-using System.Collections.Generic;
-using System;
-using System.Linq;
-using Microsoft.Build.Construction;
-using System.Xml;
-using System.IO;
-
-namespace Semmle.Autobuild.Cpp.Tests
-{
-    /// <summary>
-    /// Test class to script Autobuilder scenarios.
-    /// For most methods, it uses two fields:
-    /// - an IList to capture the the arguments passed to it
-    /// - an IDictionary of possible return values.
-    /// </summary>
-    class TestActions : IBuildActions
-    {
-        /// <summary>
-        /// List of strings passed to FileDelete.
-        /// </summary>
-        public IList<string> FileDeleteIn = new List<string>();
-
-        void IBuildActions.FileDelete(string file)
-        {
-            FileDeleteIn.Add(file);
-        }
-
-        public IList<string> FileExistsIn = new List<string>();
-        public IDictionary<string, bool> FileExists = new Dictionary<string, bool>();
-
-        bool IBuildActions.FileExists(string file)
-        {
-            FileExistsIn.Add(file);
-            if (FileExists.TryGetValue(file, out var ret))
-                return ret;
-            if (FileExists.TryGetValue(System.IO.Path.GetFileName(file), out ret))
-                return ret;
-            throw new ArgumentException("Missing FileExists " + file);
-        }
-
-        public IList<string> RunProcessIn = new List<string>();
-        public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
-        public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
-        public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
-        public HashSet<string> CreateDirectories { get; } = new HashSet<string>();
-        public HashSet<(string, string)> DownloadFiles { get; } = new HashSet<(string, string)>();
-
-        int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
-        {
-            var pattern = cmd + " " + args;
-            RunProcessIn.Add(pattern);
-            if (RunProcessOut.TryGetValue(pattern, out var str))
-                stdOut = str.Split("\n");
-            else
-                throw new ArgumentException("Missing RunProcessOut " + pattern);
-            RunProcessWorkingDirectory.TryGetValue(pattern, out var wd);
-            if (wd != workingDirectory)
-                throw new ArgumentException("Missing RunProcessWorkingDirectory " + pattern);
-            if (RunProcess.TryGetValue(pattern, out var ret))
-                return ret;
-            throw new ArgumentException("Missing RunProcess " + pattern);
-        }
-
-        int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env)
-        {
-            var pattern = cmd + " " + args;
-            RunProcessIn.Add(pattern);
-            RunProcessWorkingDirectory.TryGetValue(pattern, out var wd);
-            if (wd != workingDirectory)
-                throw new ArgumentException("Missing RunProcessWorkingDirectory " + pattern);
-            if (RunProcess.TryGetValue(pattern, out var ret))
-                return ret;
-            throw new ArgumentException("Missing RunProcess " + pattern);
-        }
-
-        public IList<string> DirectoryDeleteIn = new List<string>();
-
-        void IBuildActions.DirectoryDelete(string dir, bool recursive)
-        {
-            DirectoryDeleteIn.Add(dir);
-        }
-
-        public IDictionary<string, bool> DirectoryExists = new Dictionary<string, bool>();
-        public IList<string> DirectoryExistsIn = new List<string>();
-
-        bool IBuildActions.DirectoryExists(string dir)
-        {
-            DirectoryExistsIn.Add(dir);
-            if (DirectoryExists.TryGetValue(dir, out var ret))
-                return ret;
-            throw new ArgumentException("Missing DirectoryExists " + dir);
-        }
-
-        public IDictionary<string, string?> GetEnvironmentVariable = new Dictionary<string, string?>();
-
-        string? IBuildActions.GetEnvironmentVariable(string name)
-        {
-            if (GetEnvironmentVariable.TryGetValue(name, out var ret))
-                return ret;
-            throw new ArgumentException("Missing GetEnvironmentVariable " + name);
-        }
-
-        public string GetCurrentDirectory = "";
-
-        string IBuildActions.GetCurrentDirectory()
-        {
-            return GetCurrentDirectory;
-        }
-
-        public IDictionary<string, string> EnumerateFiles = new Dictionary<string, string>();
-
-        IEnumerable<string> IBuildActions.EnumerateFiles(string dir)
-        {
-            if (EnumerateFiles.TryGetValue(dir, out var str))
-                return str.Split("\n");
-            throw new ArgumentException("Missing EnumerateFiles " + dir);
-        }
-
-        public IDictionary<string, string> EnumerateDirectories = new Dictionary<string, string>();
-
-        IEnumerable<string> IBuildActions.EnumerateDirectories(string dir)
-        {
-            if (EnumerateDirectories.TryGetValue(dir, out var str))
-                return string.IsNullOrEmpty(str) ? Enumerable.Empty<string>() : str.Split("\n");
-            throw new ArgumentException("Missing EnumerateDirectories " + dir);
-        }
-
-        public bool IsWindows;
-
-        bool IBuildActions.IsWindows() => IsWindows;
-
-        string IBuildActions.PathCombine(params string[] parts)
-        {
-            return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));
-        }
-
-        string IBuildActions.GetFullPath(string path) => path;
-
-        string? IBuildActions.GetFileName(string? path) => Path.GetFileName(path?.Replace('\\', '/'));
-
-        public string? GetDirectoryName(string? path)
-        {
-            var dir = Path.GetDirectoryName(path?.Replace('\\', '/'));
-            return dir is null ? path : path?.Substring(0, dir.Length);
-        }
-
-        void IBuildActions.WriteAllText(string filename, string contents)
-        {
-        }
-
-        public IDictionary<string, XmlDocument> LoadXml = new Dictionary<string, XmlDocument>();
-        XmlDocument IBuildActions.LoadXml(string filename)
-        {
-            if (LoadXml.TryGetValue(filename, out var xml))
-                return xml;
-            throw new ArgumentException("Missing LoadXml " + filename);
-        }
-
-        public string EnvironmentExpandEnvironmentVariables(string s)
-        {
-            foreach (var kvp in GetEnvironmentVariable)
-                s = s.Replace($"%{kvp.Key}%", kvp.Value);
-            return s;
-        }
-
-        public void CreateDirectory(string path)
-        {
-            if (!CreateDirectories.Contains(path))
-                throw new ArgumentException($"Missing CreateDirectory, {path}");
-        }
-
-        public void DownloadFile(string address, string fileName)
-        {
-            if (!DownloadFiles.Contains((address, fileName)))
-                throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
-        }
-    }
-
-    /// <summary>
-    /// A fake solution to build.
-    /// </summary>
-    class TestSolution : ISolution
-    {
-        public IEnumerable<SolutionConfigurationInSolution> Configurations => throw new NotImplementedException();
-
-        public string DefaultConfigurationName => "Release";
-
-        public string DefaultPlatformName => "x86";
-
-        public string FullPath { get; set; }
-
-        public Version ToolsVersion => new Version("14.0");
-
-        public IEnumerable<IProjectOrSolution> IncludedProjects => throw new NotImplementedException();
-
-        public TestSolution(string path)
-        {
-            FullPath = path;
-        }
-    }
-
-    public class BuildScriptTests
-    {
-        TestActions Actions = new TestActions();
-
-        // Records the arguments passed to StartCallback.
-        IList<string> StartCallbackIn = new List<string>();
-
-        void StartCallback(string s, bool silent)
-        {
-            StartCallbackIn.Add(s);
-        }
-
-        // Records the arguments passed to EndCallback
-        IList<string> EndCallbackIn = new List<string>();
-        IList<int> EndCallbackReturn = new List<int>();
-
-        void EndCallback(int ret, string s, bool silent)
-        {
-            EndCallbackReturn.Add(ret);
-            EndCallbackIn.Add(s);
-        }
-
-        CppAutobuilder CreateAutoBuilder(bool isWindows,
-            string? buildless = null, string? solution = null, string? buildCommand = null, string? ignoreErrors = null,
-            string? msBuildArguments = null, string? msBuildPlatform = null, string? msBuildConfiguration = null, string? msBuildTarget = null,
-            string? dotnetArguments = null, string? dotnetVersion = null, string? vsToolsVersion = null,
-            string? nugetRestore = null, string? allSolutions = null,
-            string cwd = @"C:\Project")
-        {
-            string codeqlUpperLanguage = Language.Cpp.UpperCaseName;
-            Actions.GetEnvironmentVariable[$"CODEQL_AUTOBUILDER_{codeqlUpperLanguage}_NO_INDEXING"] = "false";
-            Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_TRAP_DIR"] = "";
-            Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
-            Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
-            Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
-            Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
-            Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
-            Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
-            Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
-            Actions.GetEnvironmentVariable["LGTM_INDEX_VSTOOLS_VERSION"] = vsToolsVersion;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_ARGUMENTS"] = msBuildArguments;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_PLATFORM"] = msBuildPlatform;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_CONFIGURATION"] = msBuildConfiguration;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_TARGET"] = msBuildTarget;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_ARGUMENTS"] = dotnetArguments;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_VERSION"] = dotnetVersion;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILD_COMMAND"] = buildCommand;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_SOLUTION"] = solution;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_IGNORE_ERRORS"] = ignoreErrors;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILDLESS"] = buildless;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_ALL_SOLUTIONS"] = allSolutions;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_NUGET_RESTORE"] = nugetRestore;
-            Actions.GetEnvironmentVariable["ProgramFiles(x86)"] = isWindows ? @"C:\Program Files (x86)" : null;
-            Actions.GetCurrentDirectory = cwd;
-            Actions.IsWindows = isWindows;
-
-            var options = new AutobuildOptions(Actions, Language.Cpp);
-            return new CppAutobuilder(Actions, options);
-        }
-
-        void TestAutobuilderScript(Autobuilder autobuilder, int expectedOutput, int commandsRun)
-        {
-            Assert.Equal(expectedOutput, autobuilder.GetBuildScript().Run(Actions, StartCallback, EndCallback));
-
-            // Check expected commands actually ran
-            Assert.Equal(commandsRun, StartCallbackIn.Count);
-            Assert.Equal(commandsRun, EndCallbackIn.Count);
-            Assert.Equal(commandsRun, EndCallbackReturn.Count);
-
-            var action = Actions.RunProcess.GetEnumerator();
-            for (int cmd = 0; cmd < commandsRun; ++cmd)
-            {
-                Assert.True(action.MoveNext());
-
-                Assert.Equal(action.Current.Key, StartCallbackIn[cmd]);
-                Assert.Equal(action.Current.Value, EndCallbackReturn[cmd]);
-            }
-        }
-
-
-        [Fact]
-        public void TestDefaultCppAutobuilder()
-        {
-            Actions.EnumerateFiles[@"C:\Project"] = "";
-            Actions.EnumerateDirectories[@"C:\Project"] = "";
-
-            var autobuilder = CreateAutoBuilder(true);
-            var script = autobuilder.GetBuildScript();
-
-            // Fails due to no solutions present.
-            Assert.NotEqual(0, script.Run(Actions, StartCallback, EndCallback));
-        }
-
-        [Fact]
-        public void TestCppAutobuilderSuccess()
-        {
-            Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
-            Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
-            Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
-            Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
-            Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
-            Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = 0;
-            Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationVersion"] = "";
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true;
-            Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
-            Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
-            Actions.EnumerateDirectories[@"C:\Project"] = "";
-            Actions.CreateDirectories.Add(@"C:\Project\.nuget");
-            Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
-
-            var autobuilder = CreateAutoBuilder(true);
-            var solution = new TestSolution(@"C:\Project\test.sln");
-            autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
-            TestAutobuilderScript(autobuilder, 0, 3);
-        }
-    }
-}
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj
@@ -1,25 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <OutputType>Exe</OutputType>
-    <TargetFramework>net5.0</TargetFramework>
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
-    <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
-    <PackageReference Include="xunit" Version="2.4.1" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
-    </PackageReference>
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\Semmle.Autobuild.Cpp\Semmle.Autobuild.Cpp.csproj" />
-    <ProjectReference Include="..\..\..\csharp\autobuilder\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
-  </ItemGroup>
-</Project>
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/CppAutobuilder.cs
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/CppAutobuilder.cs
@@ -1,23 +0,0 @@
-using Semmle.Autobuild.Shared;
-
-namespace Semmle.Autobuild.Cpp
-{
-    public class CppAutobuilder : Autobuilder
-    {
-        public CppAutobuilder(IBuildActions actions, AutobuildOptions options) : base(actions, options) { }
-
-        public override BuildScript GetBuildScript()
-        {
-            if (Options.BuildCommand != null)
-                return new BuildCommandRule((_, f) => f(null)).Analyse(this, false);
-
-            return
-                // First try MSBuild
-                new MsBuildRule().Analyse(this, true) |
-                // Then look for a script that might be a build script
-                (() => new BuildCommandAutoRule((_, f) => f(null)).Analyse(this, true)) |
-                // All attempts failed: print message
-                AutobuildFailure();
-        }
-    }
-}
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Program.cs
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Program.cs
@@ -1,33 +0,0 @@
-using System;
-using Semmle.Autobuild.Shared;
-
-namespace Semmle.Autobuild.Cpp
-{
-    class Program
-    {
-        static int Main()
-        {
-
-            try
-            {
-                var actions = SystemBuildActions.Instance;
-                var options = new AutobuildOptions(actions, Language.Cpp);
-                try
-                {
-                    Console.WriteLine("CodeQL C++ autobuilder");
-                    var builder = new CppAutobuilder(actions, options);
-                    return builder.AttemptBuild();
-                }
-                catch(InvalidEnvironmentException ex)
-                {
-                    Console.WriteLine("The environment is invalid: {0}", ex.Message);
-                }
-            }
-            catch (ArgumentOutOfRangeException ex)
-            {
-                Console.WriteLine("The value \"{0}\" for parameter \"{1}\" is invalid", ex.ActualValue, ex.ParamName);
-            }
-            return 1;
-        }
-    }
-}
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Properties/AssemblyInfo.cs
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Properties/AssemblyInfo.cs
@@ -1,32 +0,0 @@
-using System.Reflection;
-using System.Runtime.InteropServices;
-
-// General Information about an assembly is controlled through the following
-// set of attributes. Change these attribute values to modify the information
-// associated with an assembly.
-[assembly: AssemblyTitle("Semmle.Autobuild.Cpp")]
-[assembly: AssemblyDescription("")]
-[assembly: AssemblyConfiguration("")]
-[assembly: AssemblyCompany("GitHub")]
-[assembly: AssemblyProduct("CodeQL autobuilder for C++")]
-[assembly: AssemblyCopyright("Copyright © GitHub 2020")]
-[assembly: AssemblyTrademark("")]
-[assembly: AssemblyCulture("")]
-
-// Setting ComVisible to false makes the types in this assembly not visible
-// to COM components.  If you need to access a type in this assembly from
-// COM, set the ComVisible attribute to true on that type.
-[assembly: ComVisible(false)]
-
-// Version information for an assembly consists of the following four values:
-//
-//      Major Version
-//      Minor Version
-//      Build Number
-//      Revision
-//
-// You can specify all the values or you can default the Build and Revision Numbers
-// by using the '*' as shown below:
-// [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
--- a/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
+++ b/cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj
@@ -1,28 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>net5.0</TargetFramework>
-    <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
-    <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
-    <ApplicationIcon />
-    <OutputType>Exe</OutputType>
-    <StartupObject />
-    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <Folder Include="Properties\" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Build" Version="16.9.0" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\..\..\csharp\extractor\Semmle.Util\Semmle.Util.csproj" />
-    <ProjectReference Include="..\..\..\csharp\autobuilder\Semmle.Autobuild.Shared\Semmle.Autobuild.Shared.csproj" />
-  </ItemGroup>
-
-</Project>
--- a/cpp/change-notes/2020-09-29-range-analysis-rollup.md
+++ b/cpp/change-notes/2020-09-29-range-analysis-rollup.md
@@ -1,14 +0,0 @@
-lgtm,codescanning
-* The `SimpleRangeAnalysis` library has gained support for several language
-  constructs it did not support previously. These improvements primarily affect
-  the queries `cpp/constant-comparison`, `cpp/comparison-with-wider-type`, and
-  `cpp/integer-multiplication-cast-to-long`. The newly supported language
-  features are:
-    * Multiplication of unsigned numbers.
-    * Multiplication by a constant.
-    * Reference-typed function parameters.
-    * Comparing a variable not equal to an endpoint of its range, thus narrowing the range by one.
-    * Using `if (x)` or `if (!x)` or similar to test for equality to zero.
-* The `SimpleRangeAnalysis` library can now be extended with custom rules. See
-  examples in
-  `cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/extensions/`.
--- a/cpp/change-notes/2020-10-21-erroneous-types.md
+++ b/cpp/change-notes/2020-10-21-erroneous-types.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The `cpp/wrong-type-format-argument` and `cpp/non-portable-printf` queries have been hardened so that they do not produce nonsensical results on databases that contain errors (specifically the `ErroneousType`).
--- a/cpp/change-notes/2020-10-21-size-check-queries.md
+++ b/cpp/change-notes/2020-10-21-size-check-queries.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Not enough memory allocated for pointer type' (cpp/allocation-too-small) and 'Not enough memory allocated for array of pointer type' (cpp/suspicious-allocation-size) queries have been improved. Previously some allocations would be reported by both queries, this no longer occurs. In addition more allocation functions are now understood by both queries.
--- a/cpp/change-notes/2020-11-02-unused-local-variable.md
+++ b/cpp/change-notes/2020-11-02-unused-local-variable.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* Two issues causing the 'Unused local variable' query (`cpp/unused-local-variable`) to produce false positive results have been fixed.
--- a/cpp/change-notes/2020-11-05-formatting-function.md
+++ b/cpp/change-notes/2020-11-05-formatting-function.md
@@ -1,4 +0,0 @@
-lgtm,codescanning
-* `FormattingFunction.getOutputParameterIndex` now has a parameter identifying whether the output at that index is a buffer or a stream.
-* `FormattingFunction` now has a predicate `isOutputGlobal` indicating when the output is to a global stream.
-* The `primitiveVariadicFormatter` and `variadicFormatter` predicates have more parameters exposing information about the function.
--- a/cpp/change-notes/2020-11-05-private-models.md
+++ b/cpp/change-notes/2020-11-05-private-models.md
@@ -1,3 +0,0 @@
-lgtm,codescanning
-* Various classes in `semmle.code.cpp.models.implementations` have been made private. Users should not depend on library implementation details.
-* The `OperatorNewAllocationFunction`, `OperatorDeleteDeallocationFunction`, `Iterator` and `Snprintf` classes now have interfaces in `semmle.code.cpp.models.interfaces`.
--- a/cpp/change-notes/2020-11-12-unsafe-use-of-this.md
+++ b/cpp/change-notes/2020-11-12-unsafe-use-of-this.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* A new query (`cpp/unsafe-use-of-this`) has been added. The query finds pure virtual function calls whose qualifier is an object under construction.
--- a/cpp/change-notes/2020-11-27-downgrade-to-recommendation.md
+++ b/cpp/change-notes/2020-11-27-downgrade-to-recommendation.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The queries `cpp/local-variable-hides-global-variable` and `cpp/missing-header-guard` now have severity `recommendation` instead of `warning`.
--- a/cpp/change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md
+++ b/cpp/change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md
@@ -1,2 +0,0 @@
-lgtm
-* A new query (`cpp/unsigned-difference-expression-compared-zero`) is run but not yet displayed on LGTM. The query finds unsigned subtractions used in relational comparisons with the value 0. This query was originally submitted as an experimental query by @ihsinme in https://github.com/github/codeql/pull/4745.
--- a/cpp/change-notes/2021-02-24-memset-may-be-deleted.md
+++ b/cpp/change-notes/2021-02-24-memset-may-be-deleted.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* A new query (`cpp/memset-may-be-deleted`) is added to the default query suite. The query finds calls to `memset` that may be removed by the compiler. This behavior can make information-leak vulnerabilities easier to exploit. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/4953).
--- a/cpp/change-notes/2021-03-01-fluent-interface-data-flow.md
+++ b/cpp/change-notes/2021-03-01-fluent-interface-data-flow.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The data-flow library now recognises more side-effects of method chaining (e.g. `someObject.setX(clean).setY(tainted).setZ...` having a side-effect on `someObject`), as well as other related circumstances where a function input is directly passed to its output. All queries that use data-flow analysis, including most security queries, may return more results accordingly.
--- a/cpp/change-notes/2021-03-11-failed-extractions.md
+++ b/cpp/change-notes/2021-03-11-failed-extractions.md
@@ -1,2 +0,0 @@
-codescanning
-* Added cpp/diagnostics/failed-extractions. This query gives information about which extractions did not run to completion.
--- a/cpp/change-notes/2021-03-17-av-rule-79.md
+++ b/cpp/change-notes/2021-03-17-av-rule-79.md
@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Resource not released in destructor' (cpp/resource-not-released-in-destructor) query has been improved to recognize more releases of resources.
--- a/cpp/config/suites/c/correctness
+++ b/cpp/config/suites/c/correctness
@@ -18,14 +18,11 @@
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooFewArguments.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooManyArguments.ql: /Correctness/Common Errors
-+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/BitwiseSignCheck.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql: /Correctness/Common Errors
-+ semmlecode-cpp-queries/Likely Bugs/Arithmetic/SignedOverflowCheck.ql: /Correctness/Common Errors
-+ semmlecode-cpp-queries/Likely Bugs/Memory Management/PointerOverflow.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/NestedLoopSameVar.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/UseInOwnInitializer.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Critical/NewArrayDeleteMismatch.ql: /Correctness/Common Errors
--- a/cpp/config/suites/cpp/correctness
+++ b/cpp/config/suites/cpp/correctness
@@ -9,8 +9,6 @@
 + semmlecode-cpp-queries/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
-+ semmlecode-cpp-queries/Likely Bugs/OO/UnsafeUseOfThis.ql: /Correctness/Dangerous Conversions
-+ semmlecode-cpp-queries/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql: /Correctness/Dangerous Conversions
  # Consistent Use
 + semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
@@ -21,14 +19,11 @@
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooFewArguments.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooManyArguments.ql: /Correctness/Common Errors
-+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/BitwiseSignCheck.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql: /Correctness/Common Errors
-+ semmlecode-cpp-queries/Likely Bugs/Arithmetic/SignedOverflowCheck.ql: /Correctness/Common Errors
-+ semmlecode-cpp-queries/Likely Bugs/Memory Management/PointerOverflow.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/NestedLoopSameVar.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/UseInOwnInitializer.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Critical/NewArrayDeleteMismatch.ql: /Correctness/Common Errors
--- a/cpp/ql/examples/qlpack.yml
+++ b/cpp/ql/examples/qlpack.yml
@@ -1,3 +0,0 @@
-name: codeql-cpp-examples
-version: 0.0.0
-libraryPathDependencies: codeql-cpp
--- a/cpp/ql/examples/snippets/emptyblock.ql
+++ b/cpp/ql/examples/snippets/emptyblock.ql
@@ -9,6 +9,6 @@

 import cpp

-from BlockStmt blk
+from Block blk
 where blk.getNumStmt() = 0
 select blk
--- a/cpp/ql/examples/snippets/emptythen.ql
+++ b/cpp/ql/examples/snippets/emptythen.ql
@@ -13,5 +13,5 @@
 import cpp

 from IfStmt i
-where i.getThen().(BlockStmt).getNumStmt() = 0
+where i.getThen().(Block).getNumStmt() = 0
 select i
--- a/cpp/ql/examples/snippets/singletonblock.ql
+++ b/cpp/ql/examples/snippets/singletonblock.ql
@@ -8,6 +8,6 @@

 import cpp

-from BlockStmt b
+from Block b
 where b.getNumStmt() = 1
 select b
--- a/cpp/ql/src/AlertSuppression.ql
+++ b/cpp/ql/src/AlertSuppression.ql
@@ -10,25 +10,12 @@ import cpp
 /**
 * An alert suppression comment.
 */
-class SuppressionComment extends Comment {
+class SuppressionComment extends CppStyleComment {
  string annotation;
  string text;

  SuppressionComment() {
-    (
-      this instanceof CppStyleComment and
-      // strip the beginning slashes
-      text = getContents().suffix(2)
-      or
-      this instanceof CStyleComment and
-      // strip both the beginning /* and the end */ the comment
-      exists(string text0 |
-        text0 = getContents().suffix(2) and
-        text = text0.prefix(text0.length() - 2)
-      ) and
-      // The /* */ comment must be a single-line comment
-      not text.matches("%\n%")
-    ) and
+    text = getContents().suffix(2) and
    (
      // match `lgtm[...]` anywhere in the comment
      annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
--- a/cpp/ql/src/Architecture/FeatureEnvy.ql
+++ b/cpp/ql/src/Architecture/FeatureEnvy.ql
@@ -3,7 +3,7 @@
 * @description A function that uses more functions and variables from another file than functions and variables from its own file. This function might be better placed in the other file, to avoid exposing internals of the file it depends on.
 * @kind problem
 * @problem.severity recommendation
- * @precision medium
+ * @precision high
 * @id cpp/feature-envy
 * @tags maintainability
 *       modularity
@@ -25,8 +25,7 @@ predicate functionUsesFunction(Function source, Function f, File target) {
 }

 predicate dependencyCount(Function source, File target, int res) {
-  res =
-    strictcount(Declaration d |
+  res = strictcount(Declaration d |
      functionUsesVariable(source, d, target) or
      functionUsesFunction(source, d, target)
    )
--- a/Information/ClassHierarchies.ql
+++ b/Information/ClassHierarchies.ql
@@ -4,6 +4,9 @@
 * @kind graph
 * @id cpp/architecture/class-hierarchies
 * @graph.layout organic
+ * @workingset jhotdraw
+ * @result succeed 48
+ * @result_ondemand succeed 48
 * @tags maintainability
 */

--- a/Information/InheritanceDepthDistribution.ql
+++ b/Information/InheritanceDepthDistribution.ql
@@ -4,6 +4,9 @@
 * @kind chart
 * @id cpp/architecture/inheritance-depth-distribution
 * @chart.type line
+ * @workingset jhotdraw
+ * @result succeed 48
+ * @result_ondemand succeed 48
 * @tags maintainability
 */

--- a/Information/GlobalNamespaceClasses.ql
+++ b/Information/GlobalNamespaceClasses.ql
@@ -1,8 +1,7 @@
 /**
 * @name Global namespace classes
 * @description Finds classes that belong to no namespace.
- * @kind problem
- * @problem.severity recommendation
+ * @kind table
 * @id cpp/architecture/global-namespace-classes
 * @tags maintainability
 *       modularity
--- a/Information/GeneralStatistics.ql
+++ b/Information/GeneralStatistics.ql
@@ -38,16 +38,14 @@ where
  n = count(Function f | f.fromSource()).toString()
  or
  l = "Number of Lines Of Code" and
-  n =
-    sum(File f, int toSum |
+  n = sum(File f, int toSum |
      f.fromSource() and toSum = f.getMetrics().getNumberOfLinesOfCode()
    |
      toSum
    ).toString()
  or
  l = "Self-Containedness" and
-  n =
-    (
+  n = (
        100 * sum(Class c | c.fromSource() | c.getMetrics().getEfferentSourceCoupling()) /
          sum(Class c | c.fromSource() | c.getMetrics().getEfferentCoupling())
      ).toString() + "%"
--- a/cpp/ql/src/Architecture/InappropriateIntimacy.ql
+++ b/cpp/ql/src/Architecture/InappropriateIntimacy.ql
@@ -3,7 +3,7 @@
 * @description Two files share too much information about each other (accessing many operations or variables in both directions). It would be better to invert some of the dependencies to reduce the coupling between the two files.
 * @kind problem
 * @problem.severity recommendation
- * @precision medium
+ * @precision high
 * @id cpp/file-intimacy
 * @tags maintainability
 *       modularity
--- a/Opportunities/ClassesWithManyDependencies.ql
+++ b/Opportunities/ClassesWithManyDependencies.ql
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/architecture/classes-with-many-dependencies
 * @problem.severity recommendation
+ * @workingset jhotdraw
+ * @result succeed 20
+ * @result_ondemand succeed 20
 * @tags maintainability
 *       statistical
 *       non-attributable
--- a/Opportunities/ClassesWithManyFields.ql
+++ b/Opportunities/ClassesWithManyFields.ql
@@ -3,7 +3,7 @@
 * @description Finds classes with many fields; they could probably be refactored by breaking them down into smaller classes, and using composition.
 * @kind problem
 * @problem.severity recommendation
- * @precision medium
+ * @precision high
 * @id cpp/class-many-fields
 * @tags maintainability
 *       statistical
@@ -80,8 +80,11 @@ class VariableDeclarationLine extends TVariableDeclarationInfo {
   * (that is, the first is 0, the second is 1 and so on).
   */
  private int getRank() {
-    line =
-      rank[result](VariableDeclarationLine vdl, int l | vdl = TVariableDeclarationLine(c, f, l) | l)
+    line = rank[result](VariableDeclarationLine vdl, int l |
+        vdl = TVariableDeclarationLine(c, f, l)
+      |
+        l
+      )
  }

  /**
@@ -130,8 +133,7 @@ class VariableDeclarationGroup extends VariableDeclarationLine {
   * Gets the number of uniquely named `VariableDeclarationEntry`s in this group.
   */
  int getCount() {
-    result =
-      count(VariableDeclarationLine l |
+    result = count(VariableDeclarationLine l |
        l = getProximateNext*()
      |
        l.getAVDE().getVariable().getName()
@@ -164,8 +166,7 @@ class ExtClass extends Class {

 from ExtClass c, int n, VariableDeclarationGroup vdg, string suffix
 where
-  n =
-    strictcount(string fieldName |
+  n = strictcount(string fieldName |
      exists(Field f |
        f.getDeclaringType() = c and
        fieldName = f.getName() and
--- a/Practices/BlockWithTooManyStatements.ql
+++ b/Practices/BlockWithTooManyStatements.ql
@@ -14,7 +14,7 @@ import cpp

 class ComplexStmt extends Stmt {
  ComplexStmt() {
-    exists(BlockStmt body |
+    exists(Block body |
      body = this.(Loop).getStmt() or
      body = this.(SwitchStmt).getStmt()
    |
@@ -24,7 +24,7 @@ class ComplexStmt extends Stmt {
  }
 }

-from BlockStmt b, int n, ComplexStmt complexStmt
+from Block b, int n, ComplexStmt complexStmt
 where
  n = strictcount(ComplexStmt s | s = b.getAStmt()) and
  n > 3 and
--- a/Practices/Exceptions/LeakyCatch.qhelp
+++ b/Practices/Exceptions/LeakyCatch.qhelp
@@ -39,7 +39,7 @@ void good() {
 </example>
 <references>

-  <li>MSDN Library for MFC: <a href="https://docs.microsoft.com/en-us/cpp/mfc/exceptions-catching-and-deleting-exceptions">Exceptions: Catching and Deleting Exceptions</a>.</li>
+  <li>MSDN Library for MFC: <a href="http://msdn.microsoft.com/en-us/library/0e5twxsh(v=vs.110).aspx">Exceptions: Catching and Deleting Exceptions</a>.</li>


 </references>
--- a/Practices/Hiding/DeclarationHidesParameter.ql
+++ b/Practices/Hiding/DeclarationHidesParameter.ql
@@ -11,17 +11,6 @@

 import cpp

-/**
- * Gets the template that a function `f` is constructed from, or just `f` if it
- * is not from a template instantiation.
- */
-Function getConstructedFrom(Function f) {
-  f.isConstructedFrom(result)
-  or
-  not f.isConstructedFrom(_) and
-  result = f
-}
-
 /**
 * Gets the parameter of `f` with name `name`, which has to come from the
 * _definition_ of `f` and not a prototype declaration.
@@ -29,17 +18,13 @@ Function getConstructedFrom(Function f) {
 * This should not happen in a single application but since we
 * have a system wide view it is likely to happen for instance for
 * the main function.
- *
- * Note: we use `getConstructedFrom` to ensure that we look at template
- * functions rather than their instantiations. We get better results this way
- * as the instantiation is artificial and may have inherited parameter names
- * from the declaration rather than the definition.
 */
 ParameterDeclarationEntry functionParameterNames(Function f, string name) {
  exists(FunctionDeclarationEntry fe |
    result.getFunctionDeclarationEntry() = fe and
-    getConstructedFrom(f).getDefinition() = fe and
+    fe.getFunction() = f and
    fe.getLocation() = f.getDefinitionLocation() and
+    result.getFile() = fe.getFile() and // Work around CPP-331
    strictcount(f.getDefinitionLocation()) = 1 and
    result.getName() = name
  )
--- a/Practices/Hiding/DeclarationHidesVariable.ql
+++ b/Practices/Hiding/DeclarationHidesVariable.ql
@@ -17,7 +17,7 @@ where
  shadowing(lv1, lv2) and
  not lv1.isCompilerGenerated() and
  not lv2.isCompilerGenerated() and
-  not lv1.getParentScope().(BlockStmt).isInMacroExpansion() and
-  not lv2.getParentScope().(BlockStmt).isInMacroExpansion()
+  not lv1.getParentScope().(Block).isInMacroExpansion() and
+  not lv2.getParentScope().(Block).isInMacroExpansion()
 select lv1, "Variable " + lv1.getName() + " hides another variable of the same name (on $@).", lv2,
  "line " + lv2.getLocation().getStartLine().toString()
--- a/Practices/Hiding/LocalVariableHidesGlobalVariable.ql
+++ b/Practices/Hiding/LocalVariableHidesGlobalVariable.ql
@@ -2,7 +2,7 @@
 * @name Local variable hides global variable
 * @description A local variable or parameter that hides a global variable of the same name. This may be confusing. Consider renaming one of the variables.
 * @kind problem
- * @problem.severity recommendation
+ * @problem.severity warning
 * @precision very-high
 * @id cpp/local-variable-hides-global-variable
 * @tags maintainability
--- a/Errors/EmptyBlock.ql
+++ b/Errors/EmptyBlock.ql
@@ -14,7 +14,7 @@

 import cpp

-predicate emptyBlock(ControlStructure s, BlockStmt b) {
+predicate emptyBlock(ControlStructure s, Block b) {
  b = s.getAChild() and
  not exists(b.getAChild()) and
  not b.isInMacroExpansion() and
@@ -23,7 +23,7 @@ predicate emptyBlock(ControlStructure s, BlockStmt b) {

 class AffectedFile extends File {
  AffectedFile() {
-    exists(BlockStmt b |
+    exists(Block b |
      emptyBlock(_, b) and
      this = b.getFile()
    )
@@ -37,7 +37,7 @@ class AffectedFile extends File {
 class BlockOrNonChild extends Element {
  BlockOrNonChild() {
    (
-      this instanceof BlockStmt
+      this instanceof Block
      or
      this instanceof Comment
      or
@@ -50,8 +50,7 @@ class BlockOrNonChild extends Element {

  private int getNonContiguousStartRankIn(AffectedFile file) {
    // When using `rank` with `order by`, the ranks may not be contiguous.
-    this =
-      rank[result](BlockOrNonChild boc, int startLine, int startCol |
+    this = rank[result](BlockOrNonChild boc, int startLine, int startCol |
        boc.getLocation().hasLocationInfo(file.getAbsolutePath(), startLine, startCol, _, _)
      |
        boc order by startLine, startCol
@@ -59,15 +58,13 @@ class BlockOrNonChild extends Element {
  }

  int getStartRankIn(AffectedFile file) {
-    this.getNonContiguousStartRankIn(file) =
-      rank[result](int rnk |
+    this.getNonContiguousStartRankIn(file) = rank[result](int rnk |
        exists(BlockOrNonChild boc | boc.getNonContiguousStartRankIn(file) = rnk)
      )
  }

  int getNonContiguousEndRankIn(AffectedFile file) {
-    this =
-      rank[result](BlockOrNonChild boc, int endLine, int endCol |
+    this = rank[result](BlockOrNonChild boc, int endLine, int endCol |
        boc.getLocation().hasLocationInfo(file.getAbsolutePath(), _, _, endLine, endCol)
      |
        boc order by endLine, endCol
@@ -78,12 +75,13 @@ class BlockOrNonChild extends Element {
 /**
 * A block that contains a non-child element.
 */
-predicate emptyBlockContainsNonchild(BlockStmt b) {
+predicate emptyBlockContainsNonchild(Block b) {
  emptyBlock(_, b) and
  exists(BlockOrNonChild c, AffectedFile file |
    c.(BlockOrNonChild).getStartRankIn(file) = 1 + b.(BlockOrNonChild).getStartRankIn(file) and
-    c.(BlockOrNonChild).getNonContiguousEndRankIn(file) <
-      b.(BlockOrNonChild).getNonContiguousEndRankIn(file)
+    c.(BlockOrNonChild).getNonContiguousEndRankIn(file) < b
+          .(BlockOrNonChild)
+          .getNonContiguousEndRankIn(file)
  )
 }

@@ -91,7 +89,7 @@ predicate emptyBlockContainsNonchild(BlockStmt b) {
 * A block that is entirely on one line, which also contains a comment.  Chances
 * are the comment is intended to refer to the block.
 */
-predicate lineComment(BlockStmt b) {
+predicate lineComment(Block b) {
  emptyBlock(_, b) and
  exists(Location bLocation, File f, int line |
    bLocation = b.getLocation() and
@@ -106,7 +104,7 @@ predicate lineComment(BlockStmt b) {
  )
 }

-from ControlStructure s, BlockStmt eb
+from ControlStructure s, Block eb
 where
  emptyBlock(s, eb) and
  not emptyBlockContainsNonchild(eb) and
--- a/Constants/JapaneseEraDate.ql
+++ b/Constants/JapaneseEraDate.ql
@@ -4,9 +4,8 @@
 * @kind problem
 * @problem.severity warning
 * @id cpp/japanese-era/exact-era-date
- * @precision low
- * @tags maintainability
- *       reliability
+ * @precision medium
+ * @tags reliability
 *       japanese-era
 */

--- a/Constants/MagicConstants.qll
+++ b/Constants/MagicConstants.qll
@@ -8,41 +8,168 @@ import semmle.code.cpp.AutogeneratedFile
 predicate trivialPositiveIntValue(string s) {
  // Small numbers
  s = [0 .. 20].toString() or
-  s =
-    [
-      // Popular powers of two (decimal)
-      "16", "24", "32", "64", "128", "256", "512", "1024", "2048", "4096", "16384", "32768",
-      "65536", "1048576", "2147483648", "4294967296",
-      // Popular powers of two, minus one (decimal)
-      "15", "31", "63", "127", "255", "511", "1023", "2047", "4095", "16383", "32767", "65535",
-      "1048577", "2147483647", "4294967295",
-      // Popular powers of two (32-bit hex)
-      "0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010", "0x00000020",
-      "0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400", "0x00000800",
-      "0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000", "0x00020000",
-      "0x00040000", "0x00080000", "0x00100000", "0x00200000", "0x00400000", "0x00800000",
-      "0x01000000", "0x02000000", "0x04000000", "0x08000000", "0x10000000", "0x20000000",
-      "0x40000000", "0x80000000",
-      // Popular powers of two, minus one (32-bit hex)
-      "0x00000001", "0x00000003", "0x00000007", "0x0000000f", "0x0000001f", "0x0000003f",
-      "0x0000007f", "0x000000ff", "0x000001ff", "0x000003ff", "0x000007ff", "0x00000fff",
-      "0x00001fff", "0x00003fff", "0x00007fff", "0x0000ffff", "0x0001ffff", "0x0003ffff",
-      "0x0007ffff", "0x000fffff", "0x001fffff", "0x003fffff", "0x007fffff", "0x00ffffff",
-      "0x01ffffff", "0x03ffffff", "0x07ffffff", "0x0fffffff", "0x1fffffff", "0x3fffffff",
-      "0x7fffffff", "0xffffffff",
-      // Popular powers of two (16-bit hex)
-      "0x0001", "0x0002", "0x0004", "0x0008", "0x0010", "0x0020", "0x0040", "0x0080", "0x0100",
-      "0x0200", "0x0400", "0x0800", "0x1000", "0x2000", "0x4000", "0x8000",
-      // Popular powers of two, minus one (16-bit hex)
-      "0x0001", "0x0003", "0x0007", "0x000f", "0x001f", "0x003f", "0x007f", "0x00ff", "0x01ff",
-      "0x03ff", "0x07ff", "0x0fff", "0x1fff", "0x3fff", "0x7fff", "0xffff",
-      // Popular powers of two (8-bit hex)
-      "0x01", "0x02", "0x04", "0x08", "0x10", "0x20", "0x40", "0x80",
-      // Popular powers of two, minus one (8-bit hex)
-      "0x01", "0x03", "0x07", "0x0f", "0x1f", "0x3f", "0x7f", "0xff", "0x00",
-      // Powers of ten
-      "10", "100", "1000", "10000", "100000", "1000000", "10000000", "100000000", "1000000000"
-    ]
+  // Popular powers of two (decimal)
+  s = "16" or
+  s = "24" or
+  s = "32" or
+  s = "64" or
+  s = "128" or
+  s = "256" or
+  s = "512" or
+  s = "1024" or
+  s = "2048" or
+  s = "4096" or
+  s = "16384" or
+  s = "32768" or
+  s = "65536" or
+  s = "1048576" or
+  s = "2147483648" or
+  s = "4294967296" or
+  // Popular powers of two, minus one (decimal)
+  s = "15" or
+  s = "31" or
+  s = "63" or
+  s = "127" or
+  s = "255" or
+  s = "511" or
+  s = "1023" or
+  s = "2047" or
+  s = "4095" or
+  s = "16383" or
+  s = "32767" or
+  s = "65535" or
+  s = "1048577" or
+  s = "2147483647" or
+  s = "4294967295" or
+  // Popular powers of two (32-bit hex)
+  s = "0x00000001" or
+  s = "0x00000002" or
+  s = "0x00000004" or
+  s = "0x00000008" or
+  s = "0x00000010" or
+  s = "0x00000020" or
+  s = "0x00000040" or
+  s = "0x00000080" or
+  s = "0x00000100" or
+  s = "0x00000200" or
+  s = "0x00000400" or
+  s = "0x00000800" or
+  s = "0x00001000" or
+  s = "0x00002000" or
+  s = "0x00004000" or
+  s = "0x00008000" or
+  s = "0x00010000" or
+  s = "0x00020000" or
+  s = "0x00040000" or
+  s = "0x00080000" or
+  s = "0x00100000" or
+  s = "0x00200000" or
+  s = "0x00400000" or
+  s = "0x00800000" or
+  s = "0x01000000" or
+  s = "0x02000000" or
+  s = "0x04000000" or
+  s = "0x08000000" or
+  s = "0x10000000" or
+  s = "0x20000000" or
+  s = "0x40000000" or
+  s = "0x80000000" or
+  // Popular powers of two, minus one (32-bit hex)
+  s = "0x00000001" or
+  s = "0x00000003" or
+  s = "0x00000007" or
+  s = "0x0000000f" or
+  s = "0x0000001f" or
+  s = "0x0000003f" or
+  s = "0x0000007f" or
+  s = "0x000000ff" or
+  s = "0x000001ff" or
+  s = "0x000003ff" or
+  s = "0x000007ff" or
+  s = "0x00000fff" or
+  s = "0x00001fff" or
+  s = "0x00003fff" or
+  s = "0x00007fff" or
+  s = "0x0000ffff" or
+  s = "0x0001ffff" or
+  s = "0x0003ffff" or
+  s = "0x0007ffff" or
+  s = "0x000fffff" or
+  s = "0x001fffff" or
+  s = "0x003fffff" or
+  s = "0x007fffff" or
+  s = "0x00ffffff" or
+  s = "0x01ffffff" or
+  s = "0x03ffffff" or
+  s = "0x07ffffff" or
+  s = "0x0fffffff" or
+  s = "0x1fffffff" or
+  s = "0x3fffffff" or
+  s = "0x7fffffff" or
+  s = "0xffffffff" or
+  // Popular powers of two (16-bit hex)
+  s = "0x0001" or
+  s = "0x0002" or
+  s = "0x0004" or
+  s = "0x0008" or
+  s = "0x0010" or
+  s = "0x0020" or
+  s = "0x0040" or
+  s = "0x0080" or
+  s = "0x0100" or
+  s = "0x0200" or
+  s = "0x0400" or
+  s = "0x0800" or
+  s = "0x1000" or
+  s = "0x2000" or
+  s = "0x4000" or
+  s = "0x8000" or
+  // Popular powers of two, minus one (16-bit hex)
+  s = "0x0001" or
+  s = "0x0003" or
+  s = "0x0007" or
+  s = "0x000f" or
+  s = "0x001f" or
+  s = "0x003f" or
+  s = "0x007f" or
+  s = "0x00ff" or
+  s = "0x01ff" or
+  s = "0x03ff" or
+  s = "0x07ff" or
+  s = "0x0fff" or
+  s = "0x1fff" or
+  s = "0x3fff" or
+  s = "0x7fff" or
+  s = "0xffff" or
+  // Popular powers of two (8-bit hex)
+  s = "0x01" or
+  s = "0x02" or
+  s = "0x04" or
+  s = "0x08" or
+  s = "0x10" or
+  s = "0x20" or
+  s = "0x40" or
+  s = "0x80" or
+  // Popular powers of two, minus one (8-bit hex)
+  s = "0x01" or
+  s = "0x03" or
+  s = "0x07" or
+  s = "0x0f" or
+  s = "0x1f" or
+  s = "0x3f" or
+  s = "0x7f" or
+  s = "0xff" or
+  s = "0x00" or
+  // Powers of ten
+  s = "10" or
+  s = "100" or
+  s = "1000" or
+  s = "10000" or
+  s = "100000" or
+  s = "1000000" or
+  s = "10000000" or
+  s = "100000000" or
+  s = "1000000000"
 }

 predicate trivialIntValue(string s) {
@@ -108,7 +235,10 @@ predicate joiningStringTrivial(Literal lit) {
  // understand (which is against the spirit of these queries).
  stringLiteral(lit) and
  exists(FunctionCall fc |
-    fc.getTarget().getName() = ["operator+", "operator<<"] and
+    (
+      fc.getTarget().getName() = "operator+" or
+      fc.getTarget().getName() = "operator<<"
+    ) and
    fc.getAnArgument().getAChild*() = lit
  ) and
  lit.getValue().length() < 16
@@ -161,7 +291,8 @@ predicate arrayInitializerChild(AggregateLiteral parent, Expr e) {

 // i.e. not a constant folded expression
 predicate literallyLiteral(Literal lit) {
-  lit.getValueText()
+  lit
+      .getValueText()
      .regexpMatch(".*\".*|\\s*+[-+]?+\\s*+(0[xob][0-9a-fA-F]|[0-9])[0-9a-fA-F,._]*+([eE][-+]?+[0-9,._]*+)?+\\s*+[a-zA-Z]*+\\s*+")
 }

@@ -176,8 +307,7 @@ predicate nonTrivialValue(string value, Literal literal) {
 }

 predicate valueOccurrenceCount(string value, int n) {
-  n =
-    strictcount(Location loc |
+  n = strictcount(Location loc |
      exists(Literal lit | lit.getLocation() = loc | nonTrivialValue(value, lit)) and
      // Exclude generated files (they do not have the same maintainability
      // concerns as ordinary source files)
@@ -208,8 +338,7 @@ predicate check(Literal lit, string value, int n, File f) {
 }

 predicate checkWithFileCount(string value, int overallCount, int fileCount, File f) {
-  fileCount =
-    strictcount(Location loc |
+  fileCount = strictcount(Location loc |
      exists(Literal lit | lit.getLocation() = loc | check(lit, value, overallCount, f))
    )
 }
@@ -235,8 +364,7 @@ predicate firstOccurrence(Literal lit, string value, int n) {
 predicate magicConstant(Literal e, string msg) {
  exists(string value, int n |
    firstOccurrence(e, value, n) and
-    msg =
-      "Magic constant: literal '" + value + "' is repeated " + n.toString() +
+    msg = "Magic constant: literal '" + value + "' is repeated " + n.toString() +
        " times and should be encapsulated in a constant."
  )
 }
--- a/Practices/RuleOfTwo.ql
+++ b/Practices/RuleOfTwo.ql
@@ -28,15 +28,13 @@ import cpp
 // design question and carries has no safety risk.
 predicate generatedCopyAssignment(CopyConstructor cc, string msg) {
  cc.getDeclaringType().hasImplicitCopyAssignmentOperator() and
-  msg =
-    "No matching copy assignment operator in class " + cc.getDeclaringType().getName() +
+  msg = "No matching copy assignment operator in class " + cc.getDeclaringType().getName() +
      ". It is good practice to match a copy constructor with a " + "copy assignment operator."
 }

 predicate generatedCopyConstructor(CopyAssignmentOperator ca, string msg) {
  ca.getDeclaringType().hasImplicitCopyConstructor() and
-  msg =
-    "No matching copy constructor in class " + ca.getDeclaringType().getName() +
+  msg = "No matching copy constructor in class " + ca.getDeclaringType().getName() +
      ". It is good practice to match a copy assignment operator with a " + "copy constructor."
 }

--- a/Entities/UnusedLocals.ql
+++ b/Entities/UnusedLocals.ql
@@ -57,12 +57,5 @@ where
  not declarationHasSideEffects(v) and
  not exists(AsmStmt s | f = s.getEnclosingFunction()) and
  not v.getAnAttribute().getName() = "unused" and
-  not any(ErrorExpr e).getEnclosingFunction() = f and // unextracted expr may use `v`
-  not exists(
-    Literal l // this case can be removed when the `myFunction2( [obj](){} );` test case doesn't depend on this exclusion
-  |
-    l.getEnclosingFunction() = f and
-    not exists(l.getValue())
-  ) and
-  not any(ConditionDeclExpr cde).getEnclosingFunction() = f // this case can be removed when the `if (a = b; a)` test case doesn't depend on this exclusion
+  not any(ErrorExpr e).getEnclosingFunction() = f // unextracted expr likely used `v`
 select v, "Variable " + v.getName() + " is not used"
--- a/Entities/UnusedStaticVariables.qhelp
+++ b/Entities/UnusedStaticVariables.qhelp
@@ -27,7 +27,7 @@ then removing it will make code more readable. If the static variable is needed
  <a href="https://www.securecoding.cert.org/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">Detect and remove code that has no effect</a>
 </li>
 <li>
-  <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL19-C.+Minimize+the+scope+of+variables+and+functions">Minimize the scope of variables and functions</a>
+  <a href="https://www.securecoding.cert.org/confluence/display/cplusplus/DCL07-CPP.+Minimize+the+scope+of+variables+and+methods">Minimize the scope of variables and methods</a>
 </li>


--- a/Entities/UnusedStaticVariables.ql
+++ b/Entities/UnusedStaticVariables.ql
@@ -21,7 +21,6 @@ from Variable v
 where
  v.isStatic() and
  v.hasDefinition() and
-  not v.isConstexpr() and
  not exists(VariableAccess a | a.getTarget() = v) and
  not v instanceof MemberVariable and
  not declarationHasSideEffects(v) and
--- a/Practices/UseOfGoto.qhelp
+++ b/Practices/UseOfGoto.qhelp
@@ -41,7 +41,7 @@ this rule.
  E. W. Dijkstra Archive: <a href="http://www.cs.utexas.edu/users/EWD/transcriptions/EWD02xx/EWD215.html">A Case against the GO TO Statement (EWD-215)</a>.
 </li>
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/goto-statement-cpp">goto Statement (C++)</a>.
+  MSDN Library: <a href="http://msdn.microsoft.com/en-gb/library/b34dt9cd%28v=vs.80%29.aspx">The goto Statement</a>.
 </li>
 <li>
  Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
--- a/cpp/ql/src/Critical/DeadCodeCondition.qhelp
+++ b/cpp/ql/src/Critical/DeadCodeCondition.qhelp
@@ -9,7 +9,7 @@
 It is likely that these conditions indicate an error in the branching condition. 
 Alternatively, the conditions may have been left behind after debugging.</p>

-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 </overview>

 <recommendation>
--- a/cpp/ql/src/Critical/DeadCodeCondition.ql
+++ b/cpp/ql/src/Critical/DeadCodeCondition.ql
@@ -22,7 +22,7 @@ predicate testAndBranch(Expr e, Stmt branch) {
  )
 }

-predicate choice(StackVariable v, Stmt branch, string value) {
+predicate choice(LocalScopeVariable v, Stmt branch, string value) {
  exists(AnalysedExpr e |
    testAndBranch(e, branch) and
    (
@@ -33,7 +33,7 @@ predicate choice(StackVariable v, Stmt branch, string value) {
  )
 }

-predicate guarded(StackVariable v, Stmt loopstart, AnalysedExpr child) {
+predicate guarded(LocalScopeVariable v, Stmt loopstart, AnalysedExpr child) {
  choice(v, loopstart, _) and
  loopstart.getChildStmt*() = child.getEnclosingStmt() and
  (definition(v, child) or exists(child.getNullSuccessor(v)))
@@ -47,7 +47,9 @@ predicate addressLeak(Variable v, Stmt leak) {
  )
 }

-from StackVariable v, Stmt branch, AnalysedExpr cond, string context, string test, string testresult
+from
+  LocalScopeVariable v, Stmt branch, AnalysedExpr cond, string context, string test,
+  string testresult
 where
  choice(v, branch, context) and
  forall(ControlFlowNode def | definition(v, def) and definitionReaches(def, cond) |
--- a/cpp/ql/src/Critical/DeadCodeFunction.qhelp
+++ b/cpp/ql/src/Critical/DeadCodeFunction.qhelp
@@ -13,7 +13,7 @@ If left in the code base they increase object code size, decrease code comprehen
 This type of function may be part of the program's API and could be used by external programs.
 </p>

-<include src="callGraphWarning.inc.qhelp" />
+<include src="callGraphWarning.qhelp" />
 </overview>

 <recommendation>
--- a/cpp/ql/src/Critical/DeadCodeGoto.ql
+++ b/cpp/ql/src/Critical/DeadCodeGoto.ql
@@ -12,7 +12,7 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions

-Stmt getNextRealStmt(BlockStmt b, int i) {
+Stmt getNextRealStmt(Block b, int i) {
  result = b.getStmt(i + 1) and
  not result instanceof EmptyStmt
  or
@@ -20,7 +20,7 @@ Stmt getNextRealStmt(BlockStmt b, int i) {
  result = getNextRealStmt(b, i + 1)
 }

-from JumpStmt js, BlockStmt b, int i, Stmt s
+from JumpStmt js, Block b, int i, Stmt s
 where
  b.getStmt(i) = js and
  s = getNextRealStmt(b, i) and
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.qhelp
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.qhelp
@@ -10,7 +10,7 @@ This query looks at functions that return file or socket descriptors, but may re
 This can occur when an operation performed on the open descriptor fails, and the function returns with an error before it closes the open resource. An improperly handled error could cause the function to leak resource descriptors. Failing to close resources in the function that opened them also makes it more difficult to detect leaks.
 </p> 

-<include src="dataFlowWarning.inc.qhelp" />
+<include src="dataFlowWarning.qhelp" />
 </overview>

 <recommendation>
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
 import Negativity

 predicate closeCall(FunctionCall fc, Variable v) {
-  fc.getTarget().hasGlobalOrStdName("close") and v.getAnAccess() = fc.getArgument(0)
+  fc.getTarget().hasGlobalName("close") and v.getAnAccess() = fc.getArgument(0)
  or
  exists(FunctionCall midcall, Function mid, int arg |
    fc.getArgument(arg) = v.getAnAccess() and
@@ -23,14 +23,14 @@ predicate closeCall(FunctionCall fc, Variable v) {
  )
 }

-predicate openDefinition(StackVariable v, ControlFlowNode def) {
+predicate openDefinition(LocalScopeVariable v, ControlFlowNode def) {
  exists(Expr expr | exprDefinition(v, def, expr) and allocateDescriptorCall(expr))
 }

 predicate openReaches(ControlFlowNode def, ControlFlowNode node) {
-  exists(StackVariable v | openDefinition(v, def) and node = def.getASuccessor())
+  exists(LocalScopeVariable v | openDefinition(v, def) and node = def.getASuccessor())
  or
-  exists(StackVariable v, ControlFlowNode mid |
+  exists(LocalScopeVariable v, ControlFlowNode mid |
    openDefinition(v, def) and
    openReaches(def, mid) and
    not errorSuccessor(v, mid) and
@@ -40,7 +40,7 @@ predicate openReaches(ControlFlowNode def, ControlFlowNode node) {
  )
 }

-predicate assignedToFieldOrGlobal(StackVariable v, Assignment assign) {
+predicate assignedToFieldOrGlobal(LocalScopeVariable v, Assignment assign) {
  exists(Variable external |
    assign.getRValue() = v.getAnAccess() and
    assign.getLValue().(VariableAccess).getTarget() = external and
@@ -48,7 +48,7 @@ predicate assignedToFieldOrGlobal(StackVariable v, Assignment assign) {
  )
 }

-from StackVariable v, ControlFlowNode def, ReturnStmt ret
+from LocalScopeVariable v, ControlFlowNode def, ReturnStmt ret
 where
  openDefinition(v, def) and
  openReaches(def, ret) and
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.qhelp
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.qhelp
@@ -6,15 +6,15 @@

 <overview>
 <p>
-This rule finds calls to <code>socket</code> where there is no corresponding <code>close</code> call in the program analyzed.
+This rule finds calls to <code>open</code> or <code>socket</code> where there is no corresponding <code>close</code> call in the program analyzed.
 Leaving descriptors open will cause a resource leak that will persist even after the program terminates.
 </p>

-<include src="aliasAnalysisWarning.inc.qhelp" />
+<include src="aliasAnalysisWarning.qhelp" />
 </overview>

 <recommendation>
-<p>Ensure that all socket descriptors allocated by the program are freed before it terminates.</p>
+<p>Ensure that all file or socket descriptors allocated by the program are freed before it terminates.</p>
 </recommendation>

 <example>
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -1,6 +1,6 @@
 /**
 * @name Open descriptor never closed
- * @description Functions that always return before closing the socket they opened leak resources.
+ * @description Functions that always return before closing the socket or file they opened leak resources.
 * @kind problem
 * @id cpp/descriptor-never-closed
 * @problem.severity warning
@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo

 predicate closed(Expr e) {
  exists(FunctionCall fc |
-    fc.getTarget().hasGlobalOrStdName("close") and
+    fc.getTarget().hasGlobalName("close") and
    fc.getArgument(0) = e
  )
 }
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`*.json linguist-language=JSON-with-Comments`