C#: Improved CIL instruction types to pass type consistency checks

C#: Make qltests pass on all platforms

.codeqlmanifest.json

@@ -0,0 +1,5 @@
+{ "provide": [ "*/ql/src/qlpack.yml",
+               "*/upgrades/qlpack.yml",
+               "misc/legacy-support/*/qlpack.yml",
+               "misc/suite-helpers/qlpack.yml",
+               "codeql/.codeqlmanifest.json" ] }

.gitattributes

@@ -46,3 +46,5 @@
 *.jpg -text
 *.jpeg -text
 *.gif -text
+*.dll -text
+*.pdb -text

.github/ISSUE_TEMPLATE/lgtm-com---false-positive.md

@@ -0,0 +1,24 @@
+---
+name: LGTM.com - false positive
+about: Tell us about an alert that shouldn't be reported
+title: LGTM.com - false positive
+labels: false-positive
+assignees: ''
+
+---
+
+**Description of the false positive**
+
+<!-- Please explain briefly why you think it shouldn't be included. -->
+
+**URL to the alert on the project page on LGTM.com**
+
+<!--
+1. Open the project on LGTM.com.
+For example, https://lgtm.com/projects/g/pallets/click/.
+2. Switch to the `Alerts` tab. For example, https://lgtm.com/projects/g/pallets/click/alerts/.
+3. Scroll to the alert that you would like to report.
+4. Click on the right most icon `View this alert within the complete file`.
+5. A new browser tab opens. Copy and paste the page URL here.
+For example, https://lgtm.com/projects/g/pallets/click/snapshot/719fb7d8322b0767cdd1e5903ba3eb3233ba8dd5/files/click/_winconsole.py#xa08d213ab3289f87:1.
+-->

.github/ISSUE_TEMPLATE/ql---general.md

@@ -0,0 +1,14 @@
+---
+name: General issue
+about: Tell us if you think something is wrong or if you have a question
+title: General issue
+labels: question
+assignees: ''
+
+---
+
+**Description of the issue**
+
+<!-- Please explain briefly what is the problem.
+If it is about an LGTM project, please include its URL.-->
+

.gitignore

@@ -12,3 +12,6 @@
 # Visual studio temporaries, except a file used by QL4VS
 .vs/*
 !.vs/VSWorkspaceSettings.json
+
+# It's useful (though not required) to be able to unpack codeql in the ql checkout itself
+/codeql/

.lgtm.yml

@@ -20,3 +20,8 @@ extraction:
   python:
     python_setup:
       version: 3
+  javascript:
+    index:
+      exclude:
+        - javascript/ql/test
+        - javascript/extractor/tests

CODEOWNERS

@@ -2,3 +2,9 @@
 /java/ @Semmle/java
 /javascript/ @Semmle/js
 /cpp/ @Semmle/cpp-analysis
+/cpp/**/*.qhelp @hubwriter
+/csharp/**/*.qhelp @jf205
+/java/**/*.qhelp @felicitymay
+/javascript/**/*.qhelp @mchammer01
+/python/**/*.qhelp @felicitymay
+/docs/language/ @shati-patel @jf205

CODE_OF_CONDUCT.md

@@ -14,7 +14,7 @@ Our community strives to:
   * Posting, or threatening to post, people’s personally identifying information (“doxing”).
   * Insults, especially those using discriminatory terms or slurs.
   * Behavior that could be perceived as sexual attention.
-* Advocating for or encouraging any of the above behaviors.
+  * Advocating for or encouraging any of the above behaviors.
 * Understand disagreements: Disagreements, both social and technical, are useful learning opportunities. Seek to understand others’ viewpoints and resolve differences constructively.
 
 This code is not exhaustive or complete. It serves to capture our common understanding of a productive, collaborative environment. We expect the code to be followed in spirit as much as in the letter.

CONTRIBUTING.md

@@ -1,10 +1,50 @@
-# Contributing to QL
+# Contributing to CodeQL
 
-We welcome contributions to our standard library and standard checks, got an idea for a new check, or how to improve an existing query? Then please go ahead an open a Pull Request!
+We welcome contributions to our standard library and standard checks. Got an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request!
 
-Before we accept your pull request, we will require that you have agreed to our Contributor License Agreement, this is not something that you need to do before you submit your pull request, but until you've done so, we will be unable to accept your contribution.
+Before we accept your pull request, we require that you have agreed to our Contributor License Agreement, this is not something that you need to do before you submit your pull request, but until you've done so, we will be unable to accept your contribution.
 
-Please read our [QL Style Guide](docs/ql-style-guide.md) for information on how to format QL code in this repository.
+## Adding a new query
+
+If you have an idea for a query that you would like to share with other Semmle users, please open a pull request to add it to this repository. 
+Follow the steps below to help other users understand what your query does, and to ensure that your query is consistent with the other Semmle queries.
+
+1. **Consult the documentation for query writers**
+
+   There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [Writing CodeQL queries](https://help.semmle.com/QL/learn-ql/writing-queries/writing-queries.html) on [help.semmle.com](https://help.semmle.com).
+
+2. **Format your code correctly**
+
+   All of Semmle's standard queries and libraries are uniformly formatted for clarity and consistency, so we strongly recommend that all contributions follow the same formatting guidelines. If you use QL for Eclipse, you can auto-format your query in the [QL editor](https://help.semmle.com/ql-for-eclipse/Content/WebHelp/ql-editor.html). For more information, see the [CodeQL style guide](https://github.com/Semmle/ql/blob/master/docs/ql-style-guide.md).
+
+3. **Make sure your query has the correct metadata**
+
+   Query metadata is used by Semmle's analysis to identify your query and make sure the query results are displayed properly. 
+   The most important metadata to include are the `@name`, `@description`, and the `@kind`.
+   Other metadata properties (`@precision`, `@severity`, and `@tags`) are usually added after the query has been reviewed by Semmle staff.
+   For more information on writing query metadata, see the [Query metadata style guide](https://github.com/Semmle/ql/blob/master/docs/query-metadata-style-guide.md).
+
+4. **Make sure the `select` statement is compatible with the query type**
+
+   The `select` statement of your query must be compatible with the query type (determined by the `@kind` metadata property) for alert or path results to be displayed correctly in LGTM and QL for Eclipse.
+   For more information on `select` statement format, see [Introduction to query files](https://help.semmle.com/QL/learn-ql/writing-queries/introduction-to-queries.html#select-clause) on help.semmle.com.
+
+5. **Save your query in a `.ql` file in the correct language directory in this repository**
+
+   There are five language-specific directories in this repository:
+   
+     * C/C++: `ql/cpp/ql/src`
+     * C#: `ql/csharp/ql/src`
+     * Java: `ql/java/ql/src`
+     * JavaScript: `ql/javascript/ql/src`
+     * Python: `ql/python/ql/src`
+
+   Each language-specific directory contains further subdirectories that group queries based on their `@tags` properties or purpose. Select the appropriate subdirectory for your new query, or create a new one if necessary. 
+
+6. **Write a query help file**
+
+   Query help files explain the purpose of your query to other users. Write your query help in a `.qhelp` file and save it in the same directory as your new query. 
+   For more information on writing query help, see the [Query help style guide](https://github.com/Semmle/ql/blob/master/docs/query-help-style-guide.md).
 
 ## Using your personal data
 
@@ -14,7 +54,7 @@ repositories, which might be made public. We might also use this information
 to contact you in relation to your contributions, as well as in the
 normal course of software development. We also store records of your
 CLA agreements. Under GDPR legislation, we do this
-on the basis of our legitimate interest in creating the QL product.
+on the basis of our legitimate interest in creating the CodeQL product.
 
 Please do get in touch (privacy@semmle.com) if you have any questions about
 this or our data protection policies.

README.md

@@ -1,16 +1,16 @@
-# Semmle QL
+# CodeQL
 
-This open source repository contains the standard QL libraries and queries that power [LGTM](https://lgtm.com), and the other products that [Semmle](https://semmle.com) makes available to its customers worldwide.
+This open source repository contains the standard CodeQL libraries and queries that power [LGTM](https://lgtm.com), and the other products that [Semmle](https://semmle.com) makes available to its customers worldwide.
 
-## How do I learn QL and run queries?
+## How do I learn CodeQL and run queries?
 
-LGTM has [extensive documentation](https://lgtm.com/help/ql/introduction-to-ql) on getting started with writing QL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin to try out your queries on any open-source project that's currently being analyzed.
+There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 
-We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md) and [QL style guide](docs/ql-style-guide.md).
+We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/Semmle/ql/tree/master/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
 
 ## License
 
-The LGTM queries are licensed under [Apache License 2.0](LICENSE) by [Semmle](https://semmle.com).
+The code in this repository is licensed under [Apache License 2.0](LICENSE) by [Semmle](https://semmle.com).

change-notes/1.19/analysis-csharp.md

@@ -36,6 +36,7 @@ In all three cases, when multiple files of the same type are found, the project/
 
 * Arguments passed using `in` are now extracted.
 * Fixed a bug where the `dynamic` type name was not extracted correctly in certain circumstances.
+* Fixed a bug where method type signatures were extracted incorrectly in some circumstances.
 
 ## Changes to QL libraries
 

change-notes/1.19/support/framework-support.rst

@@ -0,0 +1,61 @@
+Frameworks and libraries
+########################
+
+The QL libraries and queries in this version have been explicitly checked against the libraries and frameworks listed below.
+
+.. pull-quote::
+
+    Tip
+    
+    If you're interested in other libraries or frameworks, you can extend the analysis to cover them. 
+    For example, by extending the data flow libraries to include data sources and sinks for additional libraries or frameworks.
+
+.. There is currently no built-in support for libraries or frameworks for C/C++.
+
+C# built-in support
+================================
+
+* ASP.Net MVC framework
+* ASP.NET Web API
+* ASP.NET Web Forms
+* ASP.NET Core
+* ASP.NET Core MVC
+* ASP.Net Core Razor
+* Razor templates
+
+
+COBOL built-in support
+===================================
+
+* Embedded SQL
+* Embedded CICS
+
+
+Java built-in support
+==================================
+
+.. csv-table:: 
+     :file: java-frameworks.csv
+     :header-rows: 1
+     :class: fullWidthTable
+     :widths: auto
+
+
+JavaScript and TypeScript built-in support
+=======================================================
+
+.. csv-table:: 
+     :file: javascript-typescript-frameworks.csv
+     :header-rows: 1
+     :class: fullWidthTable
+     :widths: auto
+
+
+Python built-in support
+====================================
+
+.. csv-table:: 
+     :file: python-frameworks.csv
+     :header-rows: 1
+     :class: fullWidthTable
+     :widths: auto

change-notes/1.19/support/java-frameworks.csv

@@ -0,0 +1,10 @@
+Name, Category
+Hibernate, Database
+iBatis / MyBatis, Database
+Java Persistence API (JPA), Database
+JDBC, Database
+Kryo deserialization, Serialization
+SnakeYaml, Serialization
+Spring JDBC, Database
+Spring MVC, Web application framework
+XStream, Serialization

change-notes/1.19/support/javascript-typescript-frameworks.csv

@@ -0,0 +1,22 @@
+Name, Category
+angularjs, HTML framework
+axios, Network communicator
+browser, Runtime environment
+electron, Runtime environment
+express, Server
+hapi, Server
+jquery, Utility library
+koa, Server
+lodash, Utility library
+mongodb, Database
+mssql, Database
+mysql, Database
+node, Runtime environment
+postgres, Database
+ramda, Utility library
+react, HTML framework
+request, Network communicator
+sequelize, Database
+sqlite3, Database
+superagent, Network communicator
+underscore, Utility library

change-notes/1.19/support/language-support.rst

@@ -0,0 +1,19 @@
+Languages and compilers
+#######################
+
+QL and LGTM version |version| support analysis of the following languages compiled by the following compilers.
+
+Note that where there are several versions or dialects of a language, the supported variants are listed.
+
+.. csv-table::
+     :file: versions-compilers.csv
+     :header-rows: 1
+     :widths: auto
+     :stub-columns: 1
+
+.. container:: footnote-group
+
+    .. [1] The best results are achieved with COBOL code that stays close to the ANSI 85 standard.  
+    .. [2] Java 11 refers to the language features used. Builds that execute on Java 6 or higher can be analyzed.
+    .. [3] JSX and Flow code, YAML, JSON, and HTML files may also be analyzed with JavaScript files. 
+    .. [4] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default for LGTM.   

change-notes/1.19/support/python-frameworks.csv

@@ -0,0 +1,7 @@
+Name, Category
+Django, Web application framework
+Flask, Microframework
+Pyramid, Web application framework
+Tornado, Web application framework and asynchronous networking library
+Twisted, Networking engine
+WebOb, WSGI request library

change-notes/1.19/support/versions-compilers.csv

@@ -0,0 +1,16 @@
+Language,Variants,Compilers,Extensions
+C/C++,"C89, C99, C11, C++98, C++03, C++11, C++14, C++17","Clang extensions (up to Clang 6.0)
+
+GNU extensions (up to GCC 7.3), 
+
+Microsoft extensions (up to VS 2017)","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
+C#,C# up to 7.2 together with .NET versions up to 4.7.1,"Microsoft Visual Studio up to 2017, 
+
+.NET Core up to 2.1","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
+COBOL,ANSI 85 or newer [1]_.,Not applicable,"``.cbl``, ``.CBL``, ``.cpy``, ``.CPY``, ``.copy``, ``.COPY``"
+Java,"Java 11 [2]_. or lower","javac (OpenJDK and Oracle JDK)
+
+Eclipse compiler for Java (ECJ) batch compiler",``.java``
+JavaScript,ECMAScript 2018 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhm``, ``.xhtml``, ``.vue``, ``.json`` [3]_."
+Python,"2.7, 3.5, 3.6, 3.7",Not applicable,``.py``
+TypeScript [4]_.,"2.6, 2.7, 2.8, 2.9, 3.0, 3.1",Standard TypeScript compiler,"``.ts``, ``.tsx``"

change-notes/1.20/analysis-cpp.md

@@ -0,0 +1,48 @@
+# Improvements to C/C++ analysis
+
+## General improvements
+
+* The logic for identifying auto-generated files via comments and `#line` directives has been improved.
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Array argument size mismatch (`cpp/array-arg-size-mismatch`) | reliability | Finds function calls where the size of an array being passed is smaller than the array size of the declared parameter.  Newly displayed on LGTM. |
+| Lossy function result cast (`cpp/lossy-function-result-cast`) | correctness | Finds function calls whose result type is a floating point type, which are implicitly cast to an integral type.  Newly available on LGTM but results not displayed by default. |
+| Returning stack-allocated memory (`cpp/return-stack-allocated-memory`) | reliability, external/cwe/cwe-825 | Finds functions that may return a pointer or reference to stack-allocated memory. This query existed already but has been rewritten from scratch to make the error rate low enough for use on LGTM. Results displayed by default. |
+| Use of string copy function in a condition (`cpp/string-copy-return-value-as-boolean`) | correctness | This query identifies calls to string copy functions used in conditions, where it's likely that a different function was intended to be called. Results are displayed by default on LGTM. |
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Array argument size mismatch (`cpp/array-arg-size-mismatch`) | Fewer false positive results | An exception has been added to this query for variable sized arrays. |
+| Call to memory access function may overflow buffer (`cpp/overflow-buffer`) | More correct results | This query now recognizes calls to `RtlCopyMemoryNonTemporal` and `RtlSecureZeroMemory`. |
+| Call to memory access function may overflow buffer (`cpp/overflow-buffer`) | More correct results | Calls to `fread` are now examined by this query. |
+| Lossy function result cast (`cpp/lossy-function-result-cast`) | Fewer false positive results | The whitelist of rounding functions built into this query has been expanded. |
+| Memory is never freed (`cpp/memory-never-freed`) | More correct results | Support for more Microsoft-specific memory allocation/de-allocation functions has been added. |
+| Memory may not be freed (`cpp/memory-may-not-be-freed`) | More correct results | Support for more Microsoft-specific memory allocation/de-allocation functions has been added. |
+| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | More correct results | Data flow through global variables for this query has been improved. |
+| 'new[]' array freed with 'delete' (`cpp/new-array-delete-mismatch`) | More correct results | Data flow through global variables for this query has been improved. |
+| 'new' object freed with 'delete[]' (`cpp/new-delete-array-mismatch`) | More correct results | Data flow through global variables for this query has been improved. |
+| Potential buffer overflow (`cpp/potential-buffer-overflow`) | Deprecated | This query has been deprecated. Use Potentially overrunning write (`cpp/overrunning-write`) and Potentially overrunning write with float to string conversion (`cpp/overrunning-write-with-float`) instead. |
+| Resource not released in destructor (`cpp/resource-not-released-in-destructor`) | Fewer false positive results | The query no longer highlights code that releases a resource via a virtual method call, function pointer, or lambda. |
+| Returning stack-allocated memory (`cpp/return-stack-allocated-memory`) | More correct results | Many more stack allocated expressions are now recognized. |
+| Suspicious add with sizeof (`cpp/suspicious-add-sizeof`) | Fewer false positive results | Pointer arithmetic on `char * const` expressions (and other variations of `char *`) are now correctly excluded from the results. |
+| Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Fewer false positive results | False positive results involving types that are not uniquely named in the snapshot have been fixed. |
+| Unused static variable (`cpp/unused-static-variable`) | Fewer false positive results | Variables with the attribute `unused` are now excluded from the query. |
+| Use of inherently dangerous function (`cpp/potential-buffer-overflow`) | Cleaned up | This query no longer catches uses of `gets`, and has been renamed 'Potential buffer overflow'. |
+| Use of potentially dangerous function (`cpp/potentially-dangerous-function`) | More correct results | This query now catches uses of `gets`. |
+
+
+## Changes to QL libraries
+
+* The `semmle.code.cpp.dataflow.DataFlow` library now supports _definition by reference_ via output parameters of known functions.
+    * Data flows through `memcpy` and `memmove` by default.
+    * Custom flow into or out of arguments assigned by reference can be modeled with the new class `DataFlow::DefinitionByReferenceNode`.
+    * The data flow library adds flow through library functions that are modeled in `semmle.code.cpp.models.interfaces.DataFlow`. Queries can add subclasses of `DataFlowFunction` to specify additional flow.
+* There is a new `Namespace.isInline()` predicate, which holds if the namespace was declared as `inline namespace`.
+* The `Expr.isConstant()` predicate now also holds for _address constant expressions_, which are addresses that will be constant after the program has been linked. These address constants do not have a result for `Expr.getValue()`.
+* There are new `Function.isDeclaredConstexpr()` and `Function.isConstexpr()` predicates. They can be used to tell whether a function was declared as `constexpr`, and whether it actually is `constexpr`.
+* There is a new `Variable.isConstexpr()` predicate. It can be used to tell whether a variable is `constexpr`.

change-notes/1.20/analysis-csharp.md

@@ -0,0 +1,38 @@
+# Improvements to C# analysis
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+| Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. |
+| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. |
+| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positive and more true positive results | No longer highlights code where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. |
+| Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Improper control of generation of code (`cs/code-injection`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positive results | No longer reports results when there are additional guards on the index. |
+| SQL query built from user-controlled sources (`cs/sql-injection`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Uncontrolled format string (`cs/uncontrolled-format-string`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Unused format argument (`cs/format-argument-unused`) | Fewer false positive results | No longer reports results where the format string is empty. This is often used as a default value and is not an interesting result. |
+| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positive results | No longer reports results for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. |
+| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | No longer reports results when the object is an interface or an abstract class. |
+| Using a package with a known vulnerability (`cs/use-of-vulnerable-package`) | More results | This query detects packages vulnerable to CVE-2019-0657. |
+
+## Changes to code extraction
+
+* Fix extraction of `for` statements where the condition declares new variables using `is`.
+* Initializers of `stackalloc` arrays are now extracted.
+
+## Changes to QL libraries
+
+* The class `TrivialProperty` now includes library properties determined to be trivial using CIL analysis. This may increase the number of results for all queries that use data flow.
+* Taint-tracking steps have been added for the `Json.NET` package. This will improve results for queries that use taint tracking.
+* Support has been added for EntityFrameworkCore, including
+  - Stored data flow sources
+  - Sinks for SQL expressions
+  - Data flow through fields that are mapped to the database
+* Support has been added for NHibernate-Core, including
+  - Stored data flow sources
+  - Sinks for SQL expressions
+  - Data flow through fields that are mapped to the database 
+

change-notes/1.20/analysis-java.md

@@ -0,0 +1,32 @@
+# Improvements to Java analysis
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Double-checked locking is not thread-safe (`java/unsafe-double-checked-locking`) | reliability, correctness, concurrency, external/cwe/cwe-609 | Identifies wrong implementations of double-checked locking that does not use the `volatile` keyword. |
+| Race condition in double-checked locking object initialization (`java/unsafe-double-checked-locking-init-order`) | reliability, correctness, concurrency, external/cwe/cwe-609 | Identifies wrong implementations of double-checked locking that performs additional initialization after exposing the constructed object. |
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Arbitrary file write during archive extraction ("Zip Slip") (`java/zipslip`) | Fewer false positive results | Results involving a sanitization step that converts a destination `Path` to a `File` are no longer reported. |
+| Result of multiplication cast to wider type (`java/integer-multiplication-cast-to-long`) | Fewer results | Results involving conversions to `float` or `double` are no longer reported, as they were almost exclusively false positives. |
+
+## Changes to QL libraries
+
+* The deprecated library `semmle.code.java.security.DataFlow` has been removed.
+  Improved data flow libraries have been available in
+  `semmle.code.java.dataflow.DataFlow`,
+  `semmle.code.java.dataflow.TaintTracking`, and
+  `semmle.code.java.dataflow.FlowSources` since 1.16.
+* Taint tracking now includes additional default data-flow steps through
+  collections, maps, and iterators. This affects all security queries, which
+  can report more results based on such paths.
+* The `FlowSources` and `TaintTracking` libraries are extended to cover additional remote user
+  input and taint steps from the following frameworks: Guice, Protobuf, Thrift and Struts.
+  This affects all security queries, which may yield additional results on projects
+  that use these frameworks.
+
+

change-notes/1.20/analysis-javascript.md

@@ -0,0 +1,67 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Support for many frameworks and libraries has been improved, in particular for:
+  - [a-sync-waterfall](https://www.npmjs.com/package/a-sync-waterfall)
+  - [Electron](https://electronjs.org)
+  - [Express](https://npmjs.org/express)
+  - [hapi](https://hapijs.com/)
+  - [js-cookie](https://github.com/js-cookie/js-cookie)
+  - [React](https://reactjs.org/)
+  - [socket.io](http://socket.io)
+  - [Vue](https://vuejs.org/)
+
+* File classification now recognizes additional generated files, for example, files from [HTML Tidy](html-tidy.org).
+
+* The taint tracking library now recognizes flow through persistent storage, class fields, and callbacks in certain cases. Handling of regular expressions has also been improved. This may give more results for the security queries.
+
+* Type inference for function calls has been improved. This may give additional results for queries that rely on type inference.
+
+* The [Closure-Library](https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.provide) module system is now supported.
+
+## New queries
+
+| **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
+|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Arbitrary file write during archive extraction ("Zip Slip") (`js/zipslip`) | security, external/cwe/cwe-022 | Identifies extraction routines that allow arbitrary file overwrite vulnerabilities, indicating a possible violation of [CWE-022](https://cwe.mitre.org/data/definitions/22.html). Results are shown on LGTM by default. |
+| Arrow method on Vue instance (`js/vue/arrow-method-on-vue-instance`) | reliability, frameworks/vue | Highlights arrow functions that are used as methods on Vue instances. Results are shown on LGTM by default.|
+| Cross-window communication with unrestricted target origin (`js/cross-window-information-leak`) | security, external/cwe/201, external/cwe/359 | Highlights code that sends potentially sensitive information to another window without restricting the receiver window's origin, indicating a possible violation of [CWE-201](https://cwe.mitre.org/data/definitions/201.html). Results are shown on LGTM by default. |
+| Double escaping or unescaping (`js/double-escaping`) | correctness, security, external/cwe/cwe-116 | Highlights potential double escaping or unescaping of special characters, indicating a possible violation of [CWE-116](https://cwe.mitre.org/data/definitions/116.html). Results are shown on LGTM by default. |
+| Incomplete regular expression for hostnames (`js/incomplete-hostname-regexp`) | correctness, security, external/cwe/cwe-020 |  Highlights hostname sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default.|
+| Incomplete URL substring sanitization | correctness, security, external/cwe/cwe-020 | Highlights URL sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results shown on LGTM by default. |
+| Incorrect suffix check (`js/incorrect-suffix-check`) | correctness, security, external/cwe/cwe-020 | Highlights error-prone suffix checks based on `indexOf`, indicating a potential violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
+| Loop iteration skipped due to shifting (`js/loop-iteration-skipped-due-to-shifting`) | correctness | Highlights code that removes an element from an array while iterating over it, causing the loop to skip over some elements. Results are shown on LGTM by default. |
+| Unused property (`js/unused-property`) | maintainability | Highlights properties that are unused. Results are shown on LGTM by default. |
+| Useless comparison test (`js/useless-comparison-test`) | correctness | Highlights code that is unreachable due to a numeric comparison that is always true or always false. Results are shown on LGTM by default. |
+
+## Changes to existing queries
+
+| **Query**                                  | **Expected impact**          | **Change**                                                                   |
+|--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
+| Ambiguous HTML id attribute                | Fewer false positive results | This query now treats templates more conservatively. Its precision has been revised to 'high'. |
+| Assignment to exports variable             | Fewer results                | This query no longer flags code that is also flagged by the query "Useless assignment to local variable". |
+| Client-side cross-site scripting           | More true positive and fewer false positive results. | This query now recognizes WinJS functions that are vulnerable to HTML injection. It no longer flags certain safe uses of jQuery, and recognizes custom sanitizers. |
+| Hard-coded credentials                     | Fewer false positive results | This query no longer flags the empty string as a hardcoded username. |
+| Insecure randomness | More results | This query now flags insecure uses of `crypto.pseudoRandomBytes`. |
+| Reflected cross-site scripting             | Fewer false positive results. | This query now recognizes custom sanitizers. |
+| Stored cross-site scripting                | Fewer false positive results. | This query now recognizes custom sanitizers. |
+| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | Additional ways that class methods can be bound are now recognized. |
+| Uncontrolled data used in network request  | More results                 | This query now recognizes host values that are vulnerable to injection. |
+| Uncontrolled data used in path expression | Fewer false positive results | This query now recognizes the Express `root` option, which prevents path traversal. |
+| Unneeded defensive code | More true positive and fewer false positive results | This query now recognizes additional defensive code patterns. |
+| Unsafe dynamic method access              | Fewer false positive results | This query no longer flags concatenated strings as unsafe method names. |
+| Unused parameter                           | Fewer false positive results | This query no longer flags parameters with leading underscore. |
+| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implictly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
+| Unvalidated dynamic method call           | More true positive results | This query now flags concatenated strings as unvalidated method names in more cases. |
+| Useless assignment to property. | Fewer false positive results | This query now treats assignments with complex right-hand sides correctly. |
+| Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |
+| Useless conditional | More true positive results | This query now flags additional uses of function call values. |
+
+## Changes to QL libraries
+
+* `DataFlow::SourceNode` is no longer an abstract class; to add new source nodes, extend `DataFlow::SourceNode::Range` instead.
+* Subclasses of `DataFlow::PropRead` are no longer automatically made source nodes; you now need to additionally define a corresponding subclass of `DataFlow::SourceNode::Range` to achieve this.
+* The deprecated libraries `semmle.javascript.DataFlow` and `semmle.javascript.dataflow.CallGraph` have been removed; they are both superseded by `semmle.javascript.dataflow.DataFlow`.
+* Overriding `DataFlow::InvokeNode.getACallee()` no longer affects the call graph seen by the interprocedural data flow libraries. To do this, the 1-argument version `getACallee(int imprecision)` can be overridden instead.
+* The predicate `DataFlow::returnedPropWrite` was intended for internal use only and is no longer available.

change-notes/1.20/analysis-python.md

@@ -0,0 +1,51 @@
+# Improvements to Python analysis
+
+## General improvements
+
+### Extractor changes
+
+The extractor now parses all Python code from a single unified grammar. This means that almost all Python code will be successfully parsed, even if mutually incompatible Python code is present in the same project. This also means that Python code for any version can be correctly parsed on a worker running any other supported version of Python. For example, Python 3.7 code is parsed correctly, even if the installed version of Python is only 3.5. This will reduce the number of syntax errors found in many projects.
+
+### Regular expression analysis improvements
+
+The Python `re` (regular expressions) module library has a couple of constants called `MULTILINE` and `VERBOSE` which determine the parsing of regular expressions. Python 3.6 changed the implementation of these constants, which resulted in false positive results for some queries. The relevant QL libraries have been updated to support both implementations which will remove false positive results from projects that use Python 3.6 and later versions.
+
+### API improvements
+
+The API has been improved to declutter the global namespace and improve discoverability and readability.
+ * New predicates `ModuleObject::named(name)` and `ModuleObject.attr(name)` have been added, allowing more readable access to common objects. For example, `(any ModuleObject m | m.getName() = "sys").getAttribute("exit")` can be replaced with `ModuleObject::named("sys").attr("exit")`
+ * The API for accessing builtin functions has been improved. Predicates of the form `theXXXFunction()`, such as `theLenFunction()`, have been deprecated in favor of `Object::builtin(name)`.
+ * A configuration based API has been added for writing data flow and taint tracking queries. This is provided as a convenience for query authors who have written data flow or taint tracking queries for other languages, so they can use a similar format of query across multiple languages.
+
+## New queries
+
+ | **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Default version of SSL/TLS may be insecure (`py/insecure-default-protocol`) | security, external/cwe/cwe-327 | Finds instances where an insecure default protocol may be used. Results are shown on LGTM by default. |
+| Incomplete regular expression for hostnames (`py/incomplete-hostname-regexp`) | security, external/cwe/cwe-020 | Finds instances where a hostname is incompletely sanitized because a regular expression contains an unescaped character. Results are shown on LGTM by default. |
+| Incomplete URL substring sanitization (`py/incomplete-url-substring-sanitization`) | security, external/cwe/cwe-020 | Finds instances where a URL is incompletely sanitized due to insufficient checks. Results are shown on LGTM by default. |
+| Insecure temporary file (`py/insecure-temporary-file`) | security, external/cwe/cwe-377 | Finds uses of the insecure and deprecated `tempfile.mktemp`, `os.tempnam`, and `os.tmpnam` functions. Results are shown on LGTM by default. |
+| Overly permissive file permissions (`py/overly-permissive-file`) | security, external/cwe/cwe-732 | Finds instances where a file is created with overly permissive permissions. Results are not shown on LGTM by default. |
+| Use of insecure SSL/TLS version (`py/insecure-protocol`) | security, external/cwe/cwe-327 | Finds instances where a known insecure protocol has been specified. Results are shown on LGTM by default. |
+
+## Changes to existing queries
+
+ | **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Comparison using is when operands support \_\_eq\_\_ (`py/comparison-using-is`) | Fewer false positive results | Results where one of the objects being compared is an enum member are no longer reported. |
+| Modification of parameter with default (`py/modification-of-default-value`) | More true positive results | Instances where the mutable default value is mutated inside other functions are now also reported. |
+| Mutation of descriptor in \_\_get\_\_ or \_\_set\_\_ method (`py/mutable-descriptor`) | Fewer false positive results | Results where the mutation does not occur when calling one of the  `__get__`, `__set__` or `__delete__` methods are no longer reported. |
+| Redundant comparison (`py/redundant-comparison`) | Fewer false positive results | Results in chained comparisons are no longer reported. |
+| Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a `doctest` string are no longer reported. |
+| Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a type-hint comment are no longer reported. |
+
+
+## Changes to QL libraries
+
+ * Added support for the `dill` pickle library.
+ * Added support for the `bottle` web framework.
+ * Added support for the `CherryPy` web framework.
+ * Added support for the `falcon` web API framework.
+ * Added support for the `turbogears` web framework.
+
+ 

change-notes/1.20/extractor-javascript.md

@@ -0,0 +1,12 @@
+[[ condition: enterprise-only ]]
+
+# Improvements to JavaScript analysis
+
+## Changes to code extraction
+
+* Parallel extraction of JavaScript files (but not TypeScript files) on LGTM is now supported. If LGTM is configured to evaluate queries using multiple threads, then JavaScript files are also extracted using multiple threads.
+* Experimental support for [E4X](https://developer.mozilla.org/en-US/docs/Archive/Web/E4X), a legacy language extension developed by Mozilla, is available.
+* Additional [Flow](https://flow.org/) syntax is now supported.
+* [Nullish Coalescing](https://github.com/tc39/proposal-nullish-coalescing) expressions are now supported.
+* [TypeScript 3.2](https://www.typescriptlang.org/docs/handbook/release-notes/typescript-3-2.html) is now supported.
+* The TypeScript extractor now handles the control flow of logical operators and destructuring assignments more accurately.

change-notes/1.21/analysis-cpp.md

@@ -0,0 +1,41 @@
+# Improvements to C/C++ analysis
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Call to alloca in a loop (`cpp/alloca-in-loop`) | reliability, correctness, external/cwe/cwe-770 | Finds calls to `alloca` in loops, which can lead to stack overflow if the number of iterations is large.  Newly displayed [on LGTM](https://lgtm.com/rules/1508831665988/). |
+| Call to function with fewer arguments than declared parameters (`cpp/too-few-arguments`) | correctness, maintainability, security | Finds all cases where the number of arguments is fewer than the number of parameters of the function, provided the function is also properly declared/defined elsewhere. Results are displayed by default [on LGTM](https://lgtm.com/rules/1508860726279/). |
+| Call to a function with one or more incompatible arguments (`cpp/mistyped-function-arguments`) | correctness, maintainability | Finds all cases where the types of arguments do not match the types of parameters of the function, provided the function is also properly declared/defined elsewhere. Results are not displayed by default [on LGTM](https://lgtm.com/rules/1508849286093/). |
+| Use of dangerous function (`cpp/dangerous-function-overflow`) | reliability, security, external/cwe/cwe-242 | Finds calls to `gets`, which does not guard against buffer overflow. These results were previously detected by the `cpp/potentially-dangerous-function` query. Results for both queries are displayed by default on LGTM. |
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Buffer not sufficient for string (`cpp/overflow-calculated`) | Fewer results | This query no longer reports results that would be found by the 'No space for zero terminator' (`cpp/no-space-for-terminator`) query. |
+| Call to function with extraneous arguments (`cpp/futile-params`) | Improved coverage | Query has been generalized to find all cases where the number of arguments exceeds the number of parameters of the function, provided the function is also properly declared/defined elsewhere. |
+| Commented-out code (`cpp/commented-out-code`) | More correct results | Commented-out preprocessor code is now detected by this query. |
+| Comparison result is always the same | Fewer false positive results | The range analysis library is now more conservative about floating point values being possibly `NaN`. |
+| Constructor with default arguments will be used as a copy constructor (`cpp/constructor-used-as-copy-constructor`) | Lowered severity and precision | The severity and precision of this query have been reduced to "warning" and "low", respectively. This coding pattern is used intentionally and safely in a number of real-world projects. Results are no longer displayed on LGTM unless you choose to display them. |
+| Dead code due to goto or break statement (`cpp/dead-code-goto`) | Fewer false positive results | Functions containing preprocessor logic are now excluded from this analysis. |
+| Memory is never freed (`cpp/memory-never-freed`) | More correct results | Support added for more Microsoft-specific allocation functions, including `LocalAlloc`, `GlobalAlloc`, `HeapAlloc` and `CoTaskMemAlloc`. |
+| Memory may not be freed (`cpp/memory-may-not-be-freed`) | More correct results | Support added for more Microsoft-specific allocation functions, including `LocalAlloc`, `GlobalAlloc`, `HeapAlloc` and `CoTaskMemAlloc`. |
+| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed an issue where functions were being identified as allocation functions inappropriately.  This correction also affects `cpp/new-array-delete-mismatch` and `cpp/new-delete-array-mismatch`. |
+| No space for zero terminator (`cpp/no-space-for-terminator`) | More correct results | This query now detects calls to `std::malloc`. |
+| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | More correct results | This query has been reworked so that it can find a wider variety of results. |
+| Resource not released in destructor (`cpp/resource-not-released-in-destructor`) | Fewer false positive results | Resource allocation and deallocation functions are now determined more accurately. |
+| Use of potentially dangerous function | More correct results | Calls to `localtime`, `ctime` and `asctime` are now detected by this query. |
+| Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now understands non-standard uses of `%L`. In addition, it more accurately identifies wide and non-wide string/character format arguments on different platforms. |
+| Use of potentially dangerous function (`cpp/potentially-dangerous-function`) | Fewer results | Results relating to the standard library `gets` function have been moved into a new query (`cpp/dangerous-function-overflow`). |
+
+## Changes to QL libraries
+- The predicate `Declaration.hasGlobalName` now only holds for declarations that are not nested in a class. For example, it no longer holds for a member function `MyClass::myFunction` or a constructor `MyClass::MyClass`, whereas previously it would classify those two declarations as global names.
+- In class `Declaration`, predicates `getQualifiedName/0` and `hasQualifiedName/1` are no longer recommended for finding functions by name. Instead, use `hasGlobalName/1` and the new `hasQualifiedName/2` and `hasQualifiedName/3` predicates. This improves performance and identifies names involving templates and inline namespaces more reliably.
+- Additional support for definition by reference has been added to the `semmle.code.cpp.dataflow.TaintTracking` library, including:
+    - Taint-specific edges for functions modeled in `semmle.code.cpp.models.interfaces.DataFlow`.
+    - Flow through library functions that are modeled in `semmle.code.cpp.models.interfaces.Taint`. Queries can add subclasses of `TaintFunction` to specify additional flow.
+- There is a new `FoldExpr` class, representing C++17 fold expressions.
+- The member predicates `DeclarationEntry.getUnspecifiedType`, `Expr.getUnspecifiedType`, and `Variable.getUnspecifiedType` have been added. These should be preferred over the existing `getUnderlyingType` predicates.

change-notes/1.21/analysis-csharp.md

@@ -0,0 +1,49 @@
+# Improvements to C# analysis
+
+## General improvements
+
+C# analysis now supports the extraction and analysis of many C# 8 features. For details see [Changes to code extraction](#changes-to-code-extraction) and [Changes to QL libraries](#changes-to-ql-libraries) below.
+
+## New queries
+
+| **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
+|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Thread-unsafe capturing of an ICryptoTransform object (`cs/thread-unsafe-icryptotransform-captured-in-lambda`) | concurrency, security, external/cwe/cwe-362 | Highlights instances of classes where a field of type `System.Security.Cryptography.ICryptoTransform` is captured by a lambda, and appears to be used in a thread initialization method. Results are not shown on [LGTM](https://lgtm.com/rules/1508141845995/) by default. |
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+| Constant condition (`cs/constant-condition`) | Fewer false positive results | The query now ignores code where the `null` value is in a conditional expression on the left hand side of a null-coalescing expression. For example, in `(a ? b : null) ?? c`, `null` is not considered to be a constant condition. |
+| Thread-unsafe use of a static ICryptoTransform field (`cs/thread-unsafe-icryptotransform-field-in-class`) | Fewer false positive results | The criteria for a result has changed to include nested properties, nested fields, and collections. The format of the alert message has changed to highlight the static field. The query name has been updated. |
+| Useless upcast (`cs/useless-upcast`) | Fewer false positive results | The query now ignores code where the upcast is used to disambiguate the target of a constructor call. |
+
+## Changes to code extraction
+
+* The following C# 8 features are now extracted:
+    - Range expressions
+    - Recursive patterns
+    - Using declaration statements
+    - `static` modifiers on local functions
+    - Null-coalescing assignment expressions
+
+* The `unmanaged` type parameter constraint is also now extracted.
+
+## Changes to QL libraries
+
+* The class `Attribute` has two new predicates: `getConstructorArgument()` and `getNamedArgument()`. The first predicate returns arguments to the underlying constructor call and the second returns named arguments for initializing fields and properties.
+* The class `TypeParameterConstraints` has a new predicate `hasUnmanagedTypeConstraint()`. This shows whether the type parameter has the `unmanaged` constraint.
+* The following QL classes have been added to model C# 8 features:
+    - Class `AssignCoalesceExpr` models null-coalescing assignment, for example `x ??= y`
+    - Class `IndexExpr` models from-end index expressions, for example `^1`
+    - Class `PatternExpr` is an `Expr` that appears in a pattern. It has the new subclasses `DiscardPatternExpr`, `LabeledPatternExpr`, `RecursivePatternExpr`, `TypeAccessPatternExpr`, `TypePatternExpr`, and `VariablePatternExpr`.
+    - Class `PatternMatch` models a pattern being matched. It has the subclasses `Case` and `IsExpr`.
+    - Class `PositionalPatternExpr` models position patterns, for example `(int x, int y)`
+    - Class `PropertyPatternExpr` models property patterns, for example `Length: int len`
+    - Class `RangeExpr` models range expressions, for example `1..^1`
+    - Class `SwitchCaseExpr` models the arm of a switch expression, for example `(false, false) => true`
+    - Class `SwitchExpr` models `switch` expressions, for example `(a, b) switch { ... }`
+    - Classes `IsConstantExpr`, `IsTypeExpr` and `IsPatternExpr` are deprecated in favour of `IsExpr`
+    - Class `Switch` models both `SwitchExpr` and `SwitchStmt`
+    - Class `Case` models both `CaseStmt` and `SwitchCaseExpr`
+    - Class `UsingStmt` models both `UsingBlockStmt` and `UsingDeclStmt`

change-notes/1.21/analysis-java.md

@@ -0,0 +1,26 @@
+# Improvements to Java analysis
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Implicit conversion from array to string (`java/print-array`) | Fewer false positive results | Results in slf4j logging calls are no longer reported as slf4j supports array printing. |
+| Result of multiplication cast to wider type (`java/integer-multiplication-cast-to-long`) | Fewer false positive results | Range analysis is now used to exclude results involving multiplication of small values that cannot overflow. |
+
+## Changes to QL libraries
+
+* The `Guards` library has been extended to account for method calls that check
+  conditions by conditionally throwing an exception. This includes the
+  `checkArgument` and `checkState` methods in
+  `com.google.common.base.Preconditions`, the `isTrue` and `validState` methods
+  in `org.apache.commons.lang3.Validate`, as well as any similar custom
+  methods. This means that more guards are recognized which improves the precision of a number of queries including `java/index-out-of-bounds`,
+  `java/dereferenced-value-may-be-null`, and `java/useless-null-check`.
+* The default sanitizer in taint tracking has been made more precise. The
+  sanitizer works by looking for guards that inspect tainted strings. It
+  previously worked at the level of individual variables. Now it
+  uses the `Guards` library, such that only guarded variable accesses are
+  sanitized. This may give additional results for security queries.
+* Spring framework support now takes into account additional
+  annotations that indicate remote user input. This affects all security
+  queries, which may give additional results.

change-notes/1.21/analysis-javascript.md

@@ -0,0 +1,62 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Support for the following frameworks and libraries has been improved:
+  - [koa](https://github.com/koajs/koa)
+  - [socket.io](http://socket.io)
+  - [Node.js](http://nodejs.org)
+  - [Firebase](https://firebase.google.com/)
+  - [Express](https://expressjs.com/)
+  - [shelljs](https://www.npmjs.com/package/shelljs)
+  - [cheerio](https://www.npmjs.com/package/cheerio)
+
+* The security queries now track data flow through Base64 decoders such as the Node.js `Buffer` class, the DOM function `atob`, and a number of npm packages including [`abab`](https://www.npmjs.com/package/abab), [`atob`](https://www.npmjs.com/package/atob), [`btoa`](https://www.npmjs.com/package/btoa), [`base-64`](https://www.npmjs.com/package/base-64), [`js-base64`](https://www.npmjs.com/package/js-base64), [`Base64.js`](https://www.npmjs.com/package/Base64) and [`base64-js`](https://www.npmjs.com/package/base64-js).
+
+* The security queries now track data flow through exceptions.
+
+* The security queries now treat comparisons with symbolic constants as sanitizers, resulting in fewer false positive results.
+
+* TypeScript 3.5 is now supported.
+
+* On LGTM, TypeScript projects now have static type information extracted by default, resulting in more security results.
+  Users of the command-line tools must still pass `--typescript-full` to the extractor to enable this.
+
+
+## New queries
+
+| **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
+|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Missing regular expression anchor (`js/regex/missing-regexp-anchor`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression patterns that may be missing an anchor, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are not shown on LGTM by default. |
+| Prototype pollution (`js/prototype-pollution`)    | security, external/cwe-250, external/cwe-400 | Highlights code that allows an attacker to modify a built-in prototype object through an unsanitized recursive merge function. Results are not shown on [LGTM](https://lgtm.com/rules/1508857356317/) by default. |
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Arbitrary file write during zip extraction ("Zip Slip") | More results | This rule now considers more libraries, including tar as well as zip. |
+| Client-side URL redirect       | More results and fewer false-positive results | This rule now recognizes additional uses of the document URL. It also treats URLs as safe in more cases where the hostname cannot be tampered with. |
+| Double escaping or unescaping | More results | This rule now considers the flow of regular expressions literals. |
+| Expression has no effect       | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
+| Incomplete regular expression for hostnames | More results | This rule now tracks regular expressions for host names further. |
+| Incomplete string escaping or encoding | More results | This rule now considers the flow of regular expressions literals, and it no longer flags the removal of trailing newlines. |
+| Incorrect suffix check | Fewer false-positive results | This rule now recognizes valid checks in more cases. |
+| Password in configuration file | Fewer false positive results | This query now excludes passwords that are inserted into the configuration file using a templating mechanism or read from environment variables. Results are no longer shown on LGTM by default. |
+| Replacement of a substring with itself | More results | This rule now considers the flow of regular expressions literals. |
+| Server-side URL redirect       | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
+| Tainted path | More results and fewer false-positive results | This rule now analyzes path manipulation code more precisely. |
+| Type confusion through parameter tampering | Fewer false-positive results | This rule now recognizes additional emptiness checks. |
+| Useless assignment to property | Fewer false-positive results | This rule now ignores reads of additional getters. |
+| Unreachable statement | Unreachable throws no longer give an alert | This ignores unreachable throws, as they could be intentional (for example, to placate the TS compiler). |
+
+
+## Changes to QL libraries
+
+* `RegExpLiteral` is now a `DataFlow::SourceNode`.
+* `JSDocTypeExpr` now has source locations and is a subclass of `Locatable` and `TypeAnnotation`.
+* The two-parameter versions of predicate `isBarrier` in `DataFlow::Configuration` and of predicate `isSanitizer` in `TaintTracking::Configuration` have been renamed to `isBarrierEdge` and `isSanitizerEdge`, respectively. The old names are maintained for backwards-compatibility in this version, but will be deprecated in the next version and subsequently removed.
+* Various predicates named `getTypeAnnotation()` now return `TypeAnnotation` instead of `TypeExpr`.
+  In rare cases, this may cause compilation errors in existing code. Cast the result to `TypeExpr` if this happens.
+* The `getALabel` predicate in `LabeledBarrierGuardNode` and `LabeledSanitizerGuardNode`
+  has been deprecated and overriding it no longer has any effect.
+  Instead use the 3-parameter version of `blocks` or `sanitizes`.

change-notes/1.21/analysis-python.md

@@ -0,0 +1,49 @@
+# Improvements to Python analysis
+
+
+## General improvements
+
+Points-to analysis has been re-implemented to support more language features and provide better reachability analysis.
+The new implementation adds the following new features:
+
+* Non-local tracking of bound methods and instances of `super()`
+* Superior analysis of conditionals and thus improved reachability analysis.
+* Superior modelling of descriptors, for example, classmethods and staticmethods.
+* Superior tracking of values through parameters, especially `*` arguments.
+
+A new object API has been provided to complement the new points-to implementation.
+A new class `Value` replaces the old `Object` class. The `Value` class has a simpler and more consistent API compared to `Object`.
+Some of the functionality of `FunctionObject` and `ClassObject` has been added to `Value` to reduce the number of casts to more specific classes.
+For example, the QL to find calls to `os.path.open` has changed from
+`ModuleObject::named("os").attr("path").(ModuleObject).attr("join").(FunctionObject).getACall()`
+to
+`Value::called("os.path.join").getACall()`
+
+The old API is now deprecated, but will be continued to be supported for at least another year.
+
+### Impact on existing queries.
+
+As points-to analysis underpins many queries, and provides the call-graph and reachability analysis required for taint-tracking, the results of many queries may change.
+
+The improved reachability analysis and non-local tracking of bound methods may identify new results.
+The increased precision in tracking of values through `*` arguments may remove false positive results.
+
+Overall the number of true positive results should increase and the number false negative results should decline.
+We welcome feedback on the new implementation, particularly any surprising changes in results.
+
+## New queries
+
+| **Query** | **Tags** | **Purpose** |
+|-----------|----------|-------------|
+| Accepting unknown SSH host keys when using Paramiko (`py/paramiko-missing-host-key-validation`) | security, external/cwe/cwe-295 | Finds instances where Paramiko is configured to accept unknown host keys. Results are shown [on LGTM](https://lgtm.com/rules/1508297729270/) by default. |
+| Pythagorean calculation with sub-optimal numerics (`py/pythagorean`) | accuracy | Finds instances of hypotenuse calculation using `math.sqrt` instead of `math.hypot`. Results are not shown on LGTM by default. |
+| Use of 'return' or 'yield' outside a function (`py/return-or-yield-outside-function`) | reliability, correctness | Finds instances where `return`, `yield`, and `yield from` are used outside a function. Results are not shown on LGTM by default. |
+
+## Changes to code extraction
+
+* String literals as expressions within literal string interpolation (f-strings) are now handled correctly.
+
+* The Python extractor now handles invalid input more robustly. In particular, it exits gracefully when:
+
+    * A non-existent file or directory is specified using the `--path` option, or as a file name.
+    * An invalid number is specified for the `--max-procs` option.

change-notes/1.21/extractor-javascript.md

@@ -0,0 +1,17 @@
+[[ condition: enterprise-only ]]
+
+# Improvements to JavaScript analysis
+
+## Changes to code extraction
+
+* Custom file types can now be specified using the `filetypes` property in the `extraction/javascript/index` section of `lgtm.yml`. The property should be a map from file extensions (including the dot) to file types. Valid file types are `html`, `js`, `json`, `typescript`, `xml` and `yaml`.
+
+* ECMAScript 2019 support is now enabled by default.
+
+* On LGTM, JavaScript extraction for projects that do not contain any JavaScript or TypeScript code will now fail, even if the project contains other file types (such as HTML or YAML) recognized by the JavaScript extractor.
+
+* XML files can now be extracted on LGTM. To enable XML extraction, set the `xml_mode` property in the `extraction/javascript/index` section of your `lgtm.yml` file to `all`. The default value of this property is `disabled`, meaning that XML files will not be extracted. (Note, that the `xml_mode` property does not apply to files that you map to the `xml` file type using the `filetypes` property. LGTM will always extract these files.)
+
+* YAML files are now extracted by default on LGTM. If required, you can specify exclusion filters in your `lgtm.yml` file to override this behavior.
+
+For detailed information about customizing LGTM extraction, see [JavaScript extraction](https://help.semmle.com/lgtm-enterprise/user/help/javascript-extraction.html).

change-notes/1.22/analysis-cpp.md

@@ -0,0 +1,42 @@
+# Improvements to C/C++ analysis
+
+The following changes in version 1.22 affect C/C++ analysis in all applications.
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Call to alloca in a loop (`cpp/alloca-in-loop`) | Fewer false positive results | The query no longer highlights code where the stack allocation could not be reached multiple times in the loop, typically due to a `break` or `return` statement. |
+| Continue statement that does not continue (`cpp/continue-in-false-loop`) | Fewer false positive results | Analysis is now restricted to `do`-`while` loops. This query is now run and displayed by default on LGTM. |
+| Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side-effect free, because they could be overridden with a different implementation at link time. |
+| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positive results for strings that are not null-terminated have been excluded. |
+| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | The query was rewritten using the taint-tracking library. |
+| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive and more true positive results | The query now understands the direction of each comparison, making it more accurate. |
+| Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Lower precision | The precision of this query has been reduced to "medium". This coding pattern is used intentionally and safely in a number of real-world projects. Results are no longer displayed on LGTM unless you choose to display them. |
+| Variable used in its own initializer (`cpp/use-in-own-initializer`) | Fewer false positive results | False positive results for constant variables with the same name in different namespaces have been removed. |
+
+## Changes to QL libraries
+
+- The data flow library (`semmle.code.cpp.dataflow.DataFlow`) has had the
+  following improvements, all of which benefit the taint tracking library
+  (`semmle.code.cpp.dataflow.TaintTracking`) as well.
+  - This release includes preliminary support for interprocedural flow through
+    fields (non-static data members). In some cases, data stored in a field in
+    one function can now flow to a read of the same field in a different
+    function.
+  - The possibility of specifying barrier edges using
+    `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
+    configurations has been replaced with the option of specifying in- and
+    out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
+    `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
+    as it does not require knowledge about the actual edges used internally by
+    the library.
+  - The library now models data flow through `std::swap`.
+  - Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries.
+- In the `semmle.code.cpp.dataflow.TaintTracking` library, the second copy of `Configuration` has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
+- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
+- The predicate `Variable.getAnAssignedValue()` now reports assignments to fields resulting from aggregate initialization (` = {...}`).
+- The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`".  This may improve performance when using `Element.toString()` or its descendants.
+- Fixed the `LocalScopeVariableReachability.qll` library's handling of loops where the entry condition is always true on first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries that depend on it.
+- There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`.
+- C/C++ code examples have been added to QLDoc comments on many more classes in the QL libraries.

change-notes/1.22/analysis-csharp.md

@@ -0,0 +1,58 @@
+# Improvements to C# analysis
+
+The following changes in version 1.22 affect C# analysis in all applications.
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+| Constant condition (`cs/constant-condition`) | Fewer false positive results | Results have been removed for default cases (`_`) in switch expressions. |
+| Dispose may not be called if an exception is thrown during execution (`cs/dispose-not-called-on-throw`) | Fewer false positive results | Results have been removed where an object is disposed both by a `using` statement and a `Dispose` call. |
+| Unchecked return value (`cs/unchecked-return-value`) | Fewer false positive results | Method calls that are expression bodies of `void` callables (for example, the call to `Foo` in `void Bar() => Foo()`) are no longer considered to use the return value. |
+
+## Removal of old queries
+
+The following historic queries are no longer available in the distribution:
+
+* Added lines (`cs/vcs/added-lines-per-file`)
+* Churned lines (`cs/vcs/churn-per-file`)
+* Defect filter
+* Defect from SVN
+* Deleted lines (`cs/vcs/deleted-lines-per-file`)
+* Files edited in pairs
+* Filter: only files recently edited
+* Large files currently edited
+* Metric from SVN
+* Number of authors (version control) (`cs/vcs/authors-per-file`)
+* Number of file-level changes (`cs/vcs/commits-per-file`)
+* Number of co-committed files (`cs/vcs/co-commits-per-file`)
+* Number of file re-commits (`cs/vcs/recommits-per-file`)
+* Number of recent file changes (`cs/vcs/recent-commits-per-file`)
+* Number of authors
+* Number of commits
+* Poorly documented files with many authors
+* Recent activity
+
+## Changes to code extraction
+
+* The following C# 8 features are now extracted:
+  - Suppress-nullable-warning expressions, for example `x!`
+  - Nullable reference types, for example `string?`
+
+## Changes to QL libraries
+
+* The new class `AnnotatedType` models types with type annotations, including nullability information, return kinds (`ref` and `readonly ref`), and parameter kinds (`in`, `out`, and `ref`).
+  - The new predicate `Assignable.getAnnotatedType()` gets the annotated type of an assignable (such as a variable or a property).
+  - The new predicates `Callable.getAnnotatedReturnType()` and `DelegateType.getAnnotatedReturnType()` gets the annotated type of the return value.
+  - The new predicate `ArrayType.getAnnotatedElementType()` gets the annotated type of the array element.
+  - The new predicate `ConstructedGeneric.getAnnotatedTypeArgument()` gets the annotated type of a type argument.
+  - The new predicate `TypeParameterConstraints.getAnAnnotatedTypeConstraint()` gets a type constraint with type annotations.
+* The new class `SuppressNullableWarningExpr` models suppress-nullable-warning expressions such as `x!`.
+* The data-flow and taint-tracking libraries now support flow through fields. All existing configurations will have field-flow enabled by default, but it can be disabled by adding `override int fieldFlowBranchLimit() { result = 0 }` to the configuration class. Field assignments, `this.Foo = x`, object initializers, `new C() { Foo = x }`, and field initializers `int Foo = 0` are supported.
+* The possibility of specifying barrier edges using
+  `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
+  configurations has been replaced with the option of specifying in- and
+  out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
+  `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
+  as it does not require knowledge about the actual edges used internally by
+  the library.

change-notes/1.22/analysis-java.md

@@ -0,0 +1,35 @@
+# Improvements to Java analysis
+
+The following changes in version 1.22 affect Java analysis in all applications.
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Equals method does not inspect argument type (`java/unchecked-cast-in-equals`) | Fewer false positive and more true positive results | Precision has been improved by doing a bit of inter-procedural analysis and relying less on ad-hoc method names. |
+| Uncontrolled data in arithmetic expression (`java/uncontrolled-arithmetic`) | Fewer false positive results | Precision has been improved in several ways, in particular, by better detection of guards along the data-flow path. |
+| Uncontrolled data used in path expression (`java/path-injection`) | Fewer false positive results | The query no longer reports results guarded by `!var.contains("..")`. |
+| User-controlled data in arithmetic expression (`java/tainted-arithmetic`) | Fewer false positive results | Precision has been improved in several ways, in particular, by better detection of guards along the data-flow path. |
+
+## Changes to QL libraries
+
+* The virtual dispatch library has been updated to give more precise dispatch
+  targets for `Object.toString()` calls. This affects all security queries and
+  removes false positive results that arose from paths through impossible `toString()`
+  calls.
+* The library `VCS.qll` and all queries that imported it have been removed.
+* The second copy of the interprocedural `TaintTracking` library has been
+  renamed from `TaintTracking::Configuration2` to
+  `TaintTracking2::Configuration`, and the old name is now deprecated. Import
+  `semmle.code.java.dataflow.TaintTracking2` to access the new name.
+* The data-flow library now makes it easier to specify barriers/sanitizers
+  arising from guards by overriding the predicate
+  `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
+  configurations respectively.
+* The possibility of specifying barrier edges using
+  `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
+  configurations has been replaced with the option of specifying in- and
+  out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
+  `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
+  as it does not require knowledge about the actual edges used internally by
+  the library.

change-notes/1.22/analysis-javascript.md

@@ -0,0 +1,51 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Automatic classification of test files has been improved, in particular `__tests__` and `__mocks__` folders (as used by [Jest](https://jestjs.io)) are now recognized.
+
+* Support for the following frameworks and libraries has been improved:
+  - [cross-spawn](https://www.npmjs.com/package/cross-spawn)
+  - [cross-spawn-async](https://www.npmjs.com/package/cross-spawn-async)
+  - [exec](https://www.npmjs.com/package/exec)
+  - [execa](https://www.npmjs.com/package/execa)
+  - [exec-async](https://www.npmjs.com/package/exec-async)
+  - [express](https://www.npmjs.com/package/express)
+  - [remote-exec](https://www.npmjs.com/package/remote-exec)
+
+* Support for tracking data flow and taint through getter functions (that is, functions that return a property of one of their arguments) and through the receiver object of method calls has been improved. This may produce more security alerts.
+
+* Taint tracking through object property names has been made more precise, resulting in fewer false positive results.
+
+* Method calls are now resolved in more cases, due to improved class hierarchy analysis. This may produce more security alerts.
+
+* Jump-to-definition now resolves calls to their definition in more cases, and supports jumping from a JSDoc type annotation to its definition.
+
+## New queries
+
+| **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
+|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Indirect uncontrolled command line (`js/indirect-command-line-injection`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights command-line invocations that may indirectly introduce a command-line injection vulnerability elsewhere, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are not shown on LGTM by default. |
+
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Conflicting HTML element attributes (`js/conflicting-html-attribute`) | No changes to results | Results are no longer shown on LGTM by default. |
+| Shift out of range (`js/shift-out-of-range`| Fewer false positive results | This rule now correctly handles BigInt shift operands. |
+| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer false-positive results. | This rule no longer flags calls to placeholder functions that trivially throw an exception. |
+| Undocumented parameter (`js/jsdoc/missing-parameter`) | No changes to results | This rule is now run on LGTM, although its results are still not shown by default. |
+| Missing space in string concatenation (`js/missing-space-in-concatenation`) | Fewer false positive results | The rule now requires a word-like part exists in the string concatenation. | 
+
+## Changes to QL libraries
+
+- The `getName()` predicate on functions and classes now gets a name that is
+  inferred from the context if the function or class was not declared with a name.
+- The two-argument and three-argument variants of `DataFlow::Configuration::isBarrier` and
+  `TaintTracking::Configuration::isSanitizer` have been deprecated. Overriding them no
+  longer has any effect. Use `isBarrierEdge` and `isSanitizerEdge` instead.
+- The QLDoc for most AST classes have been expanded with concrete syntax examples.
+- Tutorials on how to use [flow labels](https://help.semmle.com/QL/learn-ql/javascript/flow-labels.html)
+  and [type tracking](https://help.semmle.com/QL/learn-ql/javascript/type-tracking.html) have been published,
+  as well as a [data flow cheat sheet](https://help.semmle.com/QL/learn-ql/javascript/dataflow-cheat-sheet.html) for quick reference.

change-notes/1.22/analysis-python.md

@@ -0,0 +1,38 @@
+# Improvements to Python analysis
+
+
+## General improvements
+
+### Points-to
+Tracking of "unknown" values from modules that are absent from the database has been improved. Particularly when an "unknown" value is used as a decorator, the decorated function is tracked.
+
+### Loop unrolling
+The extractor now unrolls a single iteration of loops that are known to run at least once. This improves analysis in cases like the following
+
+```python
+if seq:
+    for x in seq:
+        y = x
+    y  # y is defined here
+```
+
+### Better API for function parameter annotations
+Instances of the `Parameter` and `ParameterDefinition` class now have a `getAnnotation` method that returns the corresponding parameter annotation, if one exists.
+
+### Improvements to the Value API
+- The Value API has been extended with classes representing functions, classes, tuples, and other types.
+
+- `Value::forInt(int x)` and `Value::forString(string s)` have been added to make it easier to refer to the `Value` entities for common constants.
+
+### Other improvements
+
+- Short flags for regexes (for example, `re.M` for multiline regexes) are now handled correctly.
+- Modules with multiple import roots no longer get multiple names.
+- A new `NegativeIntegerLiteral` class has been added as a subtype of `ImmutableLiteral`, so that `-1` is treated as an `ImmutableLiteral`. This means that queries looking for the use of constant integers will automatically handle negative numbers.
+
+## New queries
+
+| **Query** | **Tags** | **Purpose** |
+|-----------|----------|-------------|
+| Arbitrary file write during tarfile extraction (`py/tarslip`) | security, external/cwe/cwe-022 | Finds instances where extracting from a tar archive can result in arbitrary file writes. Results are not shown on LGTM by default. |
+

change-notes/1.23/analysis-cpp.md

@@ -0,0 +1,66 @@
+# Improvements to C/C++ analysis
+
+The following changes in version 1.23 affect C/C++ analysis in all applications.
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail.  This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). |
+| Signed overflow check (`cpp/signed-overflow-check`) | correctness, reliability | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. |
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Query name (`query id`) | Expected impact | Message. |
+| Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
+| Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated.  Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
+| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
+| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
+| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
+| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
+| Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positives involving template classes and functions have been fixed. |
+| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. |
+| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
+| Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now understands explicitly specified argument numbers in format strings, such as the `1$` in `%1$s`. |
+
+## Changes to libraries
+
+* The data-flow library has been extended with a new feature to aid debugging.
+  Instead of specifying `isSink(Node n) { any() }` on a configuration to
+  explore the possible flow from a source, it is recommended to use the new
+  `Configuration::hasPartialFlow` predicate, as this gives a more complete
+  picture of the partial flow paths from a given source. The feature is
+  disabled by default and can be enabled for individual configurations by
+  overriding `int explorationLimit()`.
+* The data-flow library now supports flow out of C++ reference parameters.
+* The data-flow library now allows flow through the address-of operator (`&`).
+* The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a
+  definition of `x` when `x` is a variable of pointer type. It no longer
+  considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
+  changes are in line with the user expectations we've observed.
+* The data-flow library now makes it easier to specify barriers/sanitizers
+  arising from guards by overriding the predicate
+  `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
+  configurations respectively.
+* There is now a `DataFlow::localExprFlow` predicate and a
+  `TaintTracking::localExprTaint` predicate to make it easy to use the most
+  common case of local data flow and taint: from one `Expr` to another.
+* The member predicates of the `FunctionInput` and `FunctionOutput` classes have been renamed for
+  clarity (e.g. `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates
+  have been deprecated, and will be removed in a future release. Code that uses the old member
+  predicates should be updated to use the corresponding new member predicate.
+* The predicates `Declaration.hasStdName()` and `Declaration.hasGlobalOrStdName`
+  have been added, simplifying handling of C++ standard library functions.
+* The control-flow graph is now computed in QL, not in the extractor. This can
+  lead to regressions (or improvements) in how queries are optimized because
+  optimization in QL relies on static size estimates, and the control-flow edge
+  relations will now have different size estimates than before.
+* Support has been added for non-type template arguments.  This means that the
+  return type of `Declaration::getTemplateArgument()` and
+  `Declaration::getATemplateArgument` have changed to `Locatable`.  See the
+  documentation for `Declaration::getTemplateArgument()` and
+  `Declaration::getTemplateArgumentKind()` for details.

change-notes/1.23/analysis-csharp.md

@@ -0,0 +1,52 @@
+# Improvements to C# analysis
+
+The following changes in version 1.23 affect C# analysis in all applications.
+
+## New queries
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
+| Deserialization of untrusted data (`cs/unsafe-deserialization-untrusted-input`) | security, external/cwe/cwe-502 | Finds flow of untrusted input to calls to unsafe deserializers. |
+| Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
+| Unsafe deserializer (`cs/unsafe-deserialization`) | security, external/cwe/cwe-502 | Finds calls to unsafe deserializers. |
+| Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Fewer false positive results | More `null` checks are now taken into account, including `null` checks for `dynamic` expressions and `null` checks such as `object alwaysNull = null; if (x != alwaysNull) ...`. |
+| Missing Dispose call on local IDisposable (`cs/local-not-disposed`) | Fewer false positive results | The query has been rewritten in order to identify more dispose patterns. For example, a local `IDisposable` that is disposed of by passing through a fluent API is no longer reported. |
+
+## Removal of old queries
+
+## Changes to code extraction
+
+* `nameof` expressions are now extracted correctly when the name is a namespace.
+
+## Changes to libraries
+
+* The new class `NamespaceAccess` models accesses to namespaces, for example in `nameof` expressions.
+* The data-flow library now makes it easier to specify barriers/sanitizers
+  arising from guards by overriding the predicate
+  `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
+  configurations respectively.
+* The data-flow library has been extended with a new feature to aid debugging.
+  Instead of specifying `isSink(Node n) { any() }` on a configuration to
+  explore the possible flow from a source, it is recommended to use the new
+  `Configuration::hasPartialFlow` predicate, as this gives a more complete
+  picture of the partial flow paths from a given source. The feature is
+  disabled by default and can be enabled for individual configurations by
+  overriding `int explorationLimit()`.
+* `foreach` statements where the body is guaranteed to be executed at least once, such as `foreach (var x in new string[]{ "a", "b", "c" }) { ... }`, are now recognized by all analyses based on the control flow graph (such as SSA, data flow and taint tracking).
+* Fixed the control flow graph for `switch` statements where the `default` case was not the last case. This had caused the remaining cases to be unreachable. `SwitchStmt.getCase(int i)` now puts the `default` case last.
+* There is now a `DataFlow::localExprFlow` predicate and a
+  `TaintTracking::localExprTaint` predicate to make it easy to use the most
+  common case of local data flow and taint: from one `Expr` to another.
+* Data is now tracked through null-coalescing expressions (`??`).
+* A new library `semmle.code.csharp.Unification` has been added. This library exposes two predicates `unifiable` and `subsumes` for calculating type unification and type subsumption, respectively.
+
+## Changes to autobuilder

change-notes/1.23/analysis-java.md

@@ -0,0 +1,30 @@
+# Improvements to Java analysis
+
+The following changes in version 1.23 affect Java analysis in all applications.
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Continue statement that does not continue (`java/continue-in-false-loop`) | correctness | Finds `continue` statements in `do { ... } while (false)` loops. |
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positives | Certain indirect null guards involving two auxiliary variables known to be equal can now be detected. |
+| Non-synchronized override of synchronized method (`java/non-sync-override`) | Fewer false positives | Results are now only reported if the immediately overridden method is synchronized. |
+| Query built from user-controlled sources (`java/sql-injection`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Query built from local-user-controlled sources (`java/sql-injection-local`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Useless comparison test (`java/constant-comparison`) | Fewer false positives | Additional overflow check patterns are now recognized and no longer reported. |
+
+## Changes to libraries
+
+* The data-flow library has been extended with a new feature to aid debugging.
+  Instead of specifying `isSink(Node n) { any() }` on a configuration to
+  explore the possible flow from a source, it is recommended to use the new
+  `Configuration::hasPartialFlow` predicate, as this gives a more complete
+  picture of the partial flow paths from a given source. The feature is
+  disabled by default and can be enabled for individual configurations by
+  overriding `int explorationLimit()`.

change-notes/1.23/analysis-javascript.md

@@ -0,0 +1,71 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Automatic classification of generated and minified files has been improved, in particular files generated by Doxygen are now recognized.
+
+* Support for `globalThis` has been added.
+
+* Support for the following frameworks and libraries has been improved:
+  - [firebase](https://www.npmjs.com/package/firebase)
+  - [mongodb](https://www.npmjs.com/package/mongodb)
+  - [mongoose](https://www.npmjs.com/package/mongoose)
+  - [rate-limiter-flexible](https://www.npmjs.com/package/rate-limiter-flexible)
+
+* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
+
+* TypeScript 3.6 and 3.7 features are now supported.
+
+## New queries
+
+| **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
+|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
+| Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are shown on LGTM by default. |
+| Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
+| Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
+| Use of returnless function (`js/use-of-returnless-function`)              | maintainability, correctness                                      | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
+| Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
+| Unreachable method overloads (`js/unreachable-method-overloads`)          | correctness, typescript                                           | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
+| Ignoring result from pure array method (`js/ignore-array-result`)         | maintainability, correctness                                      | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. |
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
+| Client-side cross-site scripting (`js/xss`) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
+| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
+| Hard-coded credentials (`js/hardcoded-credentials`) | Fewer false-positive results | This rule now flags fewer password examples. |
+| Illegal invocation (`js/illegal-invocation`) | Fewer false-positive results | This rule now correctly handles methods named `call` and `apply`. |
+| Incorrect suffix check (`js/incorrect-suffix-check`) | Fewer false-positive results | The query recognizes valid checks in more cases. |
+| Network data written to file (`js/http-to-file-access`) | Fewer false-positive results | This query has been renamed to better match its intended purpose, and now only considers network data untrusted. | 
+| Password in configuration file (`js/password-in-configuration-file`) | Fewer false-positive results | This rule now flags fewer password examples. |
+| Prototype pollution (`js/prototype-pollution`) | More results | The query now highlights vulnerable uses of jQuery and Angular, and the results are shown on LGTM by default. |
+| Reflected cross-site scripting (`js/reflected-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
+| Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
+| Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
+| Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
+| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |
+
+## Changes to libraries
+
+* `Expr.getDocumentation()` now handles chain assignments.
+
+## Removal of deprecated queries
+
+The following queries (deprecated since 1.17) are no longer available in the distribution:
+
+* Builtin redefined (js/builtin-redefinition)
+* Inefficient method definition (js/method-definition-in-constructor)
+* Bad parity check (js/incomplete-parity-check)
+* Potentially misspelled property or variable name (js/wrong-capitalization)
+* Unknown JSDoc tag (js/jsdoc/unknown-tag-type)
+* Invalid JSLint directive (js/jslint/invalid-directive)
+* Malformed JSLint directive (js/jslint/malformed-directive)
+* Use of HTML comments (js/html-comment)
+* Multi-line string literal (js/multi-line-string)
+* Octal literal (js/octal-literal)
+* Reserved word used as variable name (js/use-of-reserved-word)
+* Trailing comma in array or object expressions (js/trailing-comma-in-array-or-object)
+* Call to parseInt without radix (js/parseint-without-radix)

change-notes/1.23/analysis-python.md

@@ -0,0 +1,27 @@
+# Improvements to Python analysis
+
+
+## General improvements
+
+
+
+## New queries
+
+| **Query** | **Tags** | **Purpose** |
+|-----------|----------|-------------|
+| Clear-text logging of sensitive information (`py/clear-text-logging-sensitive-data`) | security, external/cwe/cwe-312 | Finds instances where sensitive information is logged without encryption or hashing. Results are shown on LGTM by default. |
+| Clear-text storage of sensitive information (`py/clear-text-storage-sensitive-data`) | security, external/cwe/cwe-312 | Finds instances where sensitive information is stored without encryption or hashing. Results are shown on LGTM by default. |
+| Binding a socket to all network interfaces (`py/bind-socket-all-network-interfaces`) | security | Finds instances where a socket is bound to all network interfaces. Results are shown on LGTM by default. |
+
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change** |
+|----------------------------|------------------------|------------|
+| Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
+| `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. |
+
+
+## Changes to QL libraries
+
+* Django library now recognizes positional arguments from a `django.conf.urls.url` regex (Django version 1.x)

change-notes/1.23/extractor-javascript.md

@@ -0,0 +1,23 @@
+[[ condition: enterprise-only ]]
+
+# Improvements to JavaScript analysis
+
+## Changes to code extraction
+
+* Asynchronous generator methods are now parsed correctly and no longer cause a spurious syntax error.
+* Files in `node_modules` and `bower_components` folders are no longer extracted by default. If you still want to extract files from these folders, you can add the following filters to your `lgtm.yml` file (or add them to existing filters):
+
+```yaml
+extraction:
+  javascript:
+    index:
+      filters:
+        - include: "**/node_modules"
+        - include: "**/bower_components"
+```
+
+* Recognition of CommonJS modules has improved. As a result, some files that were previously extracted as
+  global scripts are now extracted as modules.
+* Top-level `await` is now supported.
+* A bug was fixed in how the TypeScript extractor handles default-exported anonymous classes.
+* A bug was fixed in how the TypeScript extractor handles computed instance field names.

change-notes/support/README.md

@@ -0,0 +1,6 @@
+# Files moved to ``docs`` directory
+
+Now that all of the CodeQL documentation is in this repository,
+notes on the languages, compilers, and frameworks supported have moved.
+They're now stored as part of the Sphinx ``support`` project with the other documentation:
+``docs/language/support``.

config/identical-files.json

@@ -1,77 +1,211 @@
 {
-  "DataFlow Java/C++": [
+  "DataFlow Java/C++/C#": [
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
-    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplDepr.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll"
   ],
-  "DataFlow Java/C++ Common": [
+  "DataFlow Java/C++/C# Common": [
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll"
   ],
-  "C++ IR Instruction": [
+  "TaintTracking::Configuration Java/C++/C#": [
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
+  ],
+  "C++ SubBasicBlocks": [
+    "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
+    "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
+  ],
+  "IR Instruction": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll"
   ],
-  "C++ IR IRBlock": [
+  "IR IRBlock": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRBlock.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRBlock.qll"
   ],
-  "C++ IR IRVariable": [
+  "IR IRVariable": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll"
   ],
-  "C++ IR FunctionIR": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/FunctionIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/FunctionIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/FunctionIR.qll"
+  "IR IRFunction": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRFunction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRFunction.qll"
   ],
-  "C++ IR Operand": [
+  "IR Operand": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll" 
   ],
-  "C++ IR IRImpl": [
+  "IR IRType": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll"
+  ],
+  "IR Operand Tag": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/internal/OperandTag.qll"
+  ],
+  "IR TIRVariable":[
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll"
+  ],
+  "IR IR": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll"
   ],
-  "C++ IR IRSanityImpl": [
+  "IR IRSanity": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll"
   ],
-  "C++ IR PrintIRImpl": [
+  "IR PrintIR": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/PrintIR.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/PrintIR.qll"
+  ],
+  "IR IntegerConstant": [
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerConstant.qll"
+  ],
+  "IR IntegerInteval": [
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerInterval.qll"
+  ],
+  "IR IntegerPartial": [
+    "cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/internal/IntegerPartial.qll"
+  ],
+  "IR Overlap": [
+    "cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/internal/Overlap.qll"
+  ],
+  "IR EdgeKind": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/EdgeKind.qll"
+  ],
+  "IR MemoryAccessKind": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll"
+  ],
+  "IR TempVariableTag": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/TempVariableTag.qll"
+  ],
+  "IR Opcode": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll"
+  ],
+  "C++ IR InstructionImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll"
+  ],
+  "C++ IR IRImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll"
+  ],
+  "C++ IR IRBlockImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRBlockImports.qll"
+  ],
+  "C++ IR IRVariableImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll"
+  ],
+  "C++ IR OperandImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll"
+  ],
+  "C++ IR PrintIRImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
+  ],
+  "C++ SSA SSAConstructionImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
   ],
   "C++ SSA AliasAnalysis": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
   ],
-  "C++ SSA SSAConstruction": [
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
+  "C++ IR ValueNumberingImports": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
-  "C++ IR ValueNumber": [
+  "IR SSA SimpleSSA": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
+  ],
+  "IR SSA SSAConstruction": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
+  ],
+  "IR SSA PrintSSA": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
+  ],
+  "IR ValueNumber": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -94,5 +228,37 @@
   "C++ IR Dominance": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/Dominance.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/Dominance.qll"
+  ],
+  "C++ IR PrintDominance": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
+  ],
+  "C# IR InstructionImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
+  ],
+  "C# IR IRImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll"
+  ],
+  "C# IR IRBlockImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRBlockImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
+  ],
+  "C# IR IRVariableImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
+  ],
+  "C# IR OperandImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
+  ],
+  "C# IR PrintIRImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/PrintIRImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
+  ],
+  "C# IR ValueNumberingImports": [
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ]
 }

cpp/config/suites/c/correctness

@@ -6,8 +6,9 @@
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/IntMultToLong.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql: /Correctness/Dangerous Conversions
++ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
-  # Consistent Use 
+  # Consistent Use
 + semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCallOnResult.ql: /Correctness/Consistent Use
@@ -15,6 +16,8 @@
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
++ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooFewArguments.ql: /Correctness/Common Errors
++ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooManyArguments.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors

cpp/config/suites/c/experimental

@@ -0,0 +1 @@
++ semmlecode-cpp-queries/Likely Bugs/RedundantNullCheckSimple.ql: /Correctness/Common Errors

cpp/config/suites/cpp/correctness

@@ -7,8 +7,9 @@
 + semmlecode-cpp-queries/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql: /Correctness/Dangerous Conversions
++ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
-  # Consistent Use 
+  # Consistent Use
 + semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCallOnResult.ql: /Correctness/Consistent Use
@@ -16,6 +17,8 @@
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ExprHasNoEffect.ql: /Correctness/Common Errors
++ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooFewArguments.ql: /Correctness/Common Errors
++ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/TooManyArguments.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql: /Correctness/Common Errors
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/FloatComparison.ql: /Correctness/Common Errors

cpp/config/suites/cpp/experimental

@@ -0,0 +1 @@
++ semmlecode-cpp-queries/Likely Bugs/RedundantNullCheckSimple.ql: /Correctness/Common Errors

cpp/config/suites/lgtm/cpp-queries-lgtm

@@ -4,7 +4,5 @@
     @_namespace com.lgtm/cpp-queries
 + semmlecode-cpp-queries/filters/ClassifyFiles.ql
     @_namespace com.lgtm/cpp-queries
-+ semmlecode-cpp-queries/filters/ImportAdditionalLibraries.ql
-    @_namespace com.lgtm/cpp-queries
 
 @import "cpp-alerts-lgtm"

cpp/config/suites/security/cwe-119

@@ -3,8 +3,8 @@
     @name Call to memory access function may overflow buffer (CWE-119)
 + semmlecode-cpp-queries/Critical/OverflowStatic.ql: /CWE/CWE-119
     @name Static array access may cause overflow (CWE-119)
-# + semmlecode-cpp-queries/Critical/OverflowDestination.ql: /CWE/CWE-119
-#    ^ disabled due to timeout issue
++ semmlecode-cpp-queries/Critical/OverflowDestination.ql: /CWE/CWE-119
+    @name Copy function using source size (CWE-119)
 + semmlecode-cpp-queries/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql: /CWE/CWE-119
     @name Potentially unsafe call to strncat (CWE-119)
 + semmlecode-cpp-queries/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql: /CWE/CWE-119

cpp/config/suites/security/cwe-242

@@ -1,3 +0,0 @@
-# CWE-242: Use of Inherently Dangerous Function
-+ semmlecode-cpp-queries/Likely Bugs/Memory Management/PotentialBufferOverflow.ql: /CWE/CWE-242
-    @name Use of inherently dangerous function (CWE-242)

cpp/config/suites/security/cwe-676

@@ -3,3 +3,5 @@
     @name Dangerous use of 'cin' (CWE-676)
 + semmlecode-cpp-queries/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql: /CWE/CWE-676
     @name Use of potentially dangerous function (CWE-676)
++ semmlecode-cpp-queries/Security/CWE/CWE-676/DangerousFunctionOverflow.ql: /CWE/CWE-676
+    @name Use of dangerous function (CWE-676)

cpp/config/suites/security/default

@@ -12,7 +12,6 @@
 @import "cwe-134"
 @import "cwe-170"
 @import "cwe-190"
-@import "cwe-242"
 @import "cwe-253"
 @import "cwe-290"
 @import "cwe-311"

cpp/ql/examples/snippets/addressof.ql

@@ -0,0 +1,16 @@
+/**
+ * @id cpp/examples/addressof
+ * @name Address of reference variable
+ * @description Finds address-of expressions (`&`) that take the address
+ *              of a reference variable
+ * @tags addressof
+ *       reference
+ */
+
+import cpp
+
+from AddressOfExpr addr, VariableAccess access
+where
+  access = addr.getOperand() and
+  access.getTarget().getType() instanceof ReferenceType
+select addr

cpp/ql/examples/snippets/arrayaccess.ql

@@ -0,0 +1,17 @@
+/**
+ * @id cpp/examples/arrayaccess
+ * @name Array access
+ * @description Finds array access expressions with an index expression
+ *              consisting of a postfix increment (`++`) expression.
+ * @tags array
+ *       access
+ *       index
+ *       postfix
+ *       increment
+ */
+
+import cpp
+
+from ArrayExpr a
+where a.getArrayOffset() instanceof PostfixIncrExpr
+select a

cpp/ql/examples/snippets/castexpr.ql

@@ -0,0 +1,17 @@
+/**
+ * @id cpp/examples/castexpr
+ * @name Cast expressions
+ * @description Finds casts from a floating point type to an integer type
+ * @tags cast
+ *       integer
+ *       float
+ *       type
+ */
+
+import cpp
+
+from Cast c
+where
+  c.getExpr().getType() instanceof FloatingPointType and
+  c.getType() instanceof IntegralType
+select c

cpp/ql/examples/snippets/catch_exception.ql

@@ -0,0 +1,15 @@
+/**
+ * @id cpp/examples/catch-exception
+ * @name Catch exception
+ * @description Finds places where we catch exceptions of type `parse_error`
+ * @tags catch
+ *       try
+ *       exception
+ */
+
+import cpp
+
+from CatchBlock catch
+// `stripType` converts `const parse_error &` to `parse_error`.
+where catch.getParameter().getType().stripType().hasName("parse_error")
+select catch

cpp/ql/examples/snippets/constructor_call.ql

@@ -0,0 +1,16 @@
+/**
+ * @id cpp/examples/constructor-call
+ * @name Call to constructor
+ * @description Finds places where we call `new MyClass(...)`
+ * @tags call
+ *       constructor
+ *       new
+ */
+
+import cpp
+
+from NewExpr new, Constructor c
+where
+  c = new.getInitializer().(ConstructorCall).getTarget() and
+  c.getName() = "MyClass"
+select new

cpp/ql/examples/snippets/derives_from_class.ql

@@ -0,0 +1,20 @@
+/**
+ * @id cpp/examples/derives-from-class
+ * @name Class derives from
+ * @description Finds classes that derive from `std::exception`
+ * @tags base
+ *       class
+ *       derive
+ *       inherit
+ *       override
+ *       subtype
+ *       supertype
+ */
+
+import cpp
+
+from Class type
+where
+  type.getABaseClass+().hasName("exception") and
+  type.getNamespace().getName() = "std"
+select type

cpp/ql/examples/snippets/emptyblock.ql

@@ -0,0 +1,14 @@
+/**
+ * @id cpp/examples/emptyblock
+ * @name Empty blocks
+ * @description Finds empty block statements
+ * @tags empty
+ *       block
+ *       statement
+ */
+
+import cpp
+
+from Block blk
+where blk.getNumStmt() = 0
+select blk

cpp/ql/examples/snippets/emptythen.ql

@@ -0,0 +1,17 @@
+/**
+ * @id cpp/examples/emptythen
+ * @name If statements with empty then branch
+ * @description Finds `if` statements where the `then` branch is
+ *              an empty block statement
+ * @tags if
+ *       then
+ *       empty
+ *       conditional
+ *       branch
+ */
+
+import cpp
+
+from IfStmt i
+where i.getThen().(Block).getNumStmt() = 0
+select i

cpp/ql/examples/snippets/eq_true.ql

@@ -0,0 +1,18 @@
+/**
+ * @id cpp/examples/eq-true
+ * @name Equality test on boolean
+ * @description Finds tests like `==true`, `!=true`
+ * @tags equal
+ *       comparison
+ *       test
+ *       boolean
+ */
+
+import cpp
+
+from EqualityOperation eq, Expr trueExpr
+where
+  trueExpr = eq.getAnOperand() and
+  trueExpr.getType() instanceof BoolType and
+  trueExpr.getValue().toInt() = 1
+select eq

cpp/ql/examples/snippets/field_access.ql

@@ -0,0 +1,17 @@
+/**
+ * @id cpp/examples/field-access
+ * @name Access of field
+ * @description Finds reads of `aDate` (defined on class `Order`)
+ * @tags access
+ *       field
+ *       read
+ */
+
+import cpp
+
+from Field f, FieldAccess access
+where
+  f.hasName("aDate") and
+  f.getDeclaringType().hasName("Order") and
+  f = access.getTarget()
+select access

cpp/ql/examples/snippets/function_call.ql

@@ -0,0 +1,18 @@
+/**
+ * @id cpp/examples/function-call
+ * @name Call to function
+ * @description Finds calls to `std::map<...>::find()`
+ * @tags call
+ *       function
+ *       method
+ */
+
+import cpp
+
+from FunctionCall call, Function fcn
+where
+  call.getTarget() = fcn and
+  fcn.getDeclaringType().getSimpleName() = "map" and
+  fcn.getDeclaringType().getNamespace().getName() = "std" and
+  fcn.hasName("find")
+select call

cpp/ql/examples/snippets/integer_literal.ql

@@ -0,0 +1,15 @@
+/**
+ * @id cpp/examples/integer-literal
+ * @name Integer literal
+ * @description Finds places where we use the integer literal `2`
+ * @tags integer
+ *       literal
+ */
+
+import cpp
+
+from Literal literal
+where
+  literal.getType() instanceof IntType and
+  literal.getValue().toInt() = 2
+select literal

cpp/ql/examples/snippets/mutualrecursion.ql

@@ -0,0 +1,17 @@
+/**
+ * @id cpp/examples/mutualrecursion
+ * @name Mutual recursion
+ * @description Finds pairs of functions that call each other
+ * @tags function
+ *       method
+ *       recursion
+ */
+
+import cpp
+
+from Function m, Function n
+where
+  exists(FunctionCall c | c.getEnclosingFunction() = m and c.getTarget() = n) and
+  exists(FunctionCall c | c.getEnclosingFunction() = n and c.getTarget() = m) and
+  m != n
+select m, n

cpp/ql/examples/snippets/override_method.ql

@@ -0,0 +1,18 @@
+/**
+ * @id cpp/examples/override-method
+ * @name Override of method
+ * @description Finds methods that override `std::exception::what()`
+ * @tags function
+ *       method
+ *       override
+ */
+
+import cpp
+
+from MemberFunction override, MemberFunction base
+where
+  base.getName() = "what" and
+  base.getDeclaringType().getName() = "exception" and
+  base.getDeclaringType().getNamespace().getName() = "std" and
+  override.overrides+(base)
+select override

cpp/ql/examples/snippets/returnstatement.ql

@@ -0,0 +1,14 @@
+/**
+ * @id cpp/examples/returnstatement
+ * @name Return statements
+ * @description Finds return statements that return `0`
+ * @tags return
+ *       statement
+ *       literal
+ */
+
+import cpp
+
+from ReturnStmt r
+where r.getExpr().(Literal).getValue().toInt() = 0
+select r

cpp/ql/examples/snippets/singletonblock.ql

@@ -0,0 +1,13 @@
+/**
+ * @id cpp/examples/singletonblock
+ * @name Singleton blocks
+ * @description Finds block statements containing a single statement
+ * @tags block
+ *       statement
+ */
+
+import cpp
+
+from Block b
+where b.getNumStmt() = 1
+select b

cpp/ql/examples/snippets/switchcase.ql

@@ -0,0 +1,17 @@
+/**
+ * @id cpp/examples/switchcase
+ * @name Switch statement case missing
+ * @description Finds switch statements with a missing enum constant case
+ *              and no default case
+ * @tags switch
+ *       case
+ *       enum
+ */
+
+import cpp
+
+from EnumSwitch es, EnumConstant ec
+where
+  ec = es.getAMissingCase() and
+  not es.hasDefaultCase()
+select es, ec

cpp/ql/examples/snippets/ternaryconditional.ql

@@ -0,0 +1,15 @@
+/**
+ * @id cpp/examples/ternaryconditional
+ * @name Conditional expressions
+ * @description Finds conditional expressions of the form `... ? ... : ...`
+ *              where the types of the resulting expressions differ
+ * @tags conditional
+ *       ternary
+ *       type
+ */
+
+import cpp
+
+from ConditionalExpr e
+where e.getThen().getType() != e.getElse().getType()
+select e

cpp/ql/examples/snippets/throw_exception.ql

@@ -0,0 +1,15 @@
+/**
+ * @id cpp/examples/throw-exception
+ * @name Throw exception of type
+ * @description Finds places where we throw `parse_error` or one of its sub-types
+ * @tags base
+ *       class
+ *       throw
+ *       exception
+ */
+
+import cpp
+
+from ThrowExpr throw
+where throw.getType().(Class).getABaseClass*().getName() = "parse_error"
+select throw

cpp/ql/examples/snippets/todocomment.ql

@@ -0,0 +1,14 @@
+/**
+ * @id cpp/examples/todocomment
+ * @name TODO comments
+ * @description Finds comments containing the word "TODO"
+ * @tags comment
+ *       matches
+ *       TODO
+ */
+
+import cpp
+
+from Comment c
+where c.getContents().matches("%TODO%")
+select c

cpp/ql/examples/snippets/toomanyparams.ql

@@ -0,0 +1,15 @@
+/**
+ * @id cpp/examples/toomanyparams
+ * @name Functions with many parameters
+ * @description Finds functions or methods with more than 10 parameters
+ * @tags function
+ *       method
+ *       parameter
+ *       argument
+ */
+
+import cpp
+
+from Function fcn
+where fcn.getNumberOfParameters() > 10
+select fcn

cpp/ql/examples/snippets/unusedlocalvar.ql

@@ -0,0 +1,16 @@
+/**
+ * @id cpp/examples/unusedlocalvar
+ * @name Unused local variable
+ * @description Finds local variables that are not accessed
+ * @tags variable
+ *       local
+ *       access
+ */
+
+import cpp
+
+from LocalScopeVariable v
+where
+  not v instanceof Parameter and
+  not exists(v.getAnAccess())
+select v

cpp/ql/examples/snippets/unusedmethod.ql

@@ -0,0 +1,18 @@
+/**
+ * @id cpp/examples/unusedmethod
+ * @name Unused private method
+ * @description Finds private non-virtual methods that are not accessed
+ * @tags method
+ *       access
+ *       private
+ *       virtual
+ */
+
+import cpp
+
+from MemberFunction fcn
+where
+  fcn.isPrivate() and
+  not fcn.isVirtual() and
+  not exists(FunctionCall call | fcn = call.getTarget())
+select fcn.getDefinition()

cpp/ql/examples/snippets/unusedparam.ql

@@ -0,0 +1,13 @@
+/**
+ * @id cpp/examples/unusedparam
+ * @name Unused parameter
+ * @description Finds parameters that are not accessed
+ * @tags parameter
+ *       access
+ */
+
+import cpp
+
+from Parameter p
+where p.isNamed() and not exists(p.getAnAccess())
+select p

cpp/ql/examples/snippets/voidreturntype.ql

@@ -0,0 +1,21 @@
+/**
+ * @id cpp/examples/voidreturntype
+ * @name Const method without return type
+ * @description Finds const methods whose return type is `void`
+ * @tags const
+ *       function
+ *       method
+ *       modifier
+ *       specifier
+ *       return
+ *       type
+ *       void
+ */
+
+import cpp
+
+from MemberFunction m
+where
+  m.hasSpecifier("const") and
+  m.getType() instanceof VoidType
+select m

cpp/ql/examples/snippets/volatilevariable.ql

@@ -0,0 +1,13 @@
+/**
+ * @id cpp/examples/volatilevariable
+ * @name Variable declared volatile
+ * @description Finds variables with a `volatile` modifier
+ * @tags variable
+ *       volatile
+ */
+
+import cpp
+
+from Variable f
+where f.isVolatile()
+select f

cpp/ql/src/AlertSuppression.ql

@@ -16,64 +16,56 @@ class SuppressionComment extends CppStyleComment {
 
   SuppressionComment() {
     text = getContents().suffix(2) and
-    ( // match `lgtm[...]` anywhere in the comment
+    (
+      // match `lgtm[...]` anywhere in the comment
       annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
       or
       // match `lgtm` at the start of the comment and after semicolon
-      annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _)
-                       .trim()
+      annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _).trim()
     )
   }
 
-
   /** Gets the text in this comment, excluding the leading //. */
-  string getText() {
-    result = text
-  }
+  string getText() { result = text }
 
   /** Gets the suppression annotation in this comment. */
-  string getAnnotation() {
-    result = annotation
-  }
+  string getAnnotation() { result = annotation }
 
   /**
-  * Holds if this comment applies to the range from column `startcolumn` of line `startline`
-  * to column `endcolumn` of line `endline` in file `filepath`.
-  */
+   * Holds if this comment applies to the range from column `startcolumn` of line `startline`
+   * to column `endcolumn` of line `endline` in file `filepath`.
+   */
   predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
     this.getLocation().hasLocationInfo(filepath, startline, _, endline, endcolumn) and
     startcolumn = 1
   }
 
   /** Gets the scope of this suppression. */
-  SuppressionScope getScope() {
-    result = this
-  }
+  SuppressionScope getScope() { result = this }
 }
 
 /**
  * The scope of an alert suppression comment.
  */
 class SuppressionScope extends ElementBase {
-  SuppressionScope() {
-    this instanceof SuppressionComment
-  }
+  SuppressionScope() { this instanceof SuppressionComment }
 
   /**
-  * Holds if this element is at the specified location.
-  * The location spans column `startcolumn` of line `startline` to
-  * column `endcolumn` of line `endline` in file `filepath`.
-  * For more information, see
-  * [LGTM locations](https://lgtm.com/help/ql/locations).
-  */
-  predicate hasLocationInfo(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
     this.(SuppressionComment).covers(filepath, startline, startcolumn, endline, endcolumn)
   }
 }
 
 from SuppressionComment c
-select c,                 // suppression comment
-       c.getText(),       // text of suppression comment (excluding delimiters)
-       c.getAnnotation(), // text of suppression annotation
-       c.getScope()       // scope of suppression
-
+select c, // suppression comment
+  c.getText(), // text of suppression comment (excluding delimiters)
+  c.getAnnotation(), // text of suppression annotation
+  c.getScope() // scope of suppression

cpp/ql/src/Architecture/FeatureEnvy.ql

@@ -10,11 +10,12 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
 predicate functionUsesVariable(Function source, Variable v, File target) {
   v.getAnAccess().getEnclosingFunction() = source and
-  not (v.(LocalScopeVariable).getFunction() = source) and
+  not v.(LocalScopeVariable).getFunction() = source and
   v.getFile() = target
 }
 
@@ -25,15 +26,15 @@ predicate functionUsesFunction(Function source, Function f, File target) {
 
 predicate dependencyCount(Function source, File target, int res) {
   res = strictcount(Declaration d |
-    functionUsesVariable(source, d, target) or
-    functionUsesFunction(source, d, target)
-  )
+      functionUsesVariable(source, d, target) or
+      functionUsesFunction(source, d, target)
+    )
 }
 
 predicate selfDependencyCountOrZero(Function source, int res) {
-  exists(File target
-       | target = source.getFile() and onlyInFile(source, target)
-       | res = max(int i | dependencyCount(source, target, i) or i = 0))
+  exists(File target | target = source.getFile() and onlyInFile(source, target) |
+    res = max(int i | dependencyCount(source, target, i) or i = 0)
+  )
 }
 
 predicate dependsHighlyOn(Function source, File target, int res) {
@@ -41,7 +42,7 @@ predicate dependsHighlyOn(Function source, File target, int res) {
   target.fromSource() and
   exists(int selfCount |
     selfDependencyCountOrZero(source, selfCount) and
-    res > 2*selfCount and
+    res > 2 * selfCount and
     res > 4
   )
 }
@@ -52,14 +53,18 @@ predicate onlyInFile(Function f, File file) {
 }
 
 from Function f, File other, int selfCount, int depCount, string selfDeps
-where dependsHighlyOn(f, other, depCount) and
-      selfDependencyCountOrZero(f, selfCount) and
-      not exists(File yetAnother | dependsHighlyOn(f, yetAnother, _) and yetAnother != other) and
-      not other instanceof HeaderFile and
-      not f instanceof MemberFunction
-      and if      selfCount = 0 then selfDeps = "0 dependencies"
-          else if selfCount = 1 then selfDeps = "only 1 dependency"
-          else                       selfDeps = "only " + selfCount.toString() + " dependencies"
-select f, "Function " + f.getName() + " could be moved to file $@" +
-       " since it has " + depCount.toString() + " dependencies to that file, but " +
-       selfDeps + " to its own file.", other, other.getBaseName()
+where
+  dependsHighlyOn(f, other, depCount) and
+  selfDependencyCountOrZero(f, selfCount) and
+  not exists(File yetAnother | dependsHighlyOn(f, yetAnother, _) and yetAnother != other) and
+  not other instanceof HeaderFile and
+  not f instanceof MemberFunction and
+  if selfCount = 0
+  then selfDeps = "0 dependencies"
+  else
+    if selfCount = 1
+    then selfDeps = "only 1 dependency"
+    else selfDeps = "only " + selfCount.toString() + " dependencies"
+select f,
+  "Function " + f.getName() + " could be moved to file $@" + " since it has " + depCount.toString() +
+    " dependencies to that file, but " + selfDeps + " to its own file.", other, other.getBaseName()

cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql

@@ -7,7 +7,9 @@
  * @workingset jhotdraw
  * @result succeed 48
  * @result_ondemand succeed 48
+ * @tags maintainability
  */
+
 import cpp
 
 from Class s

cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql

@@ -2,15 +2,15 @@
  * @name Hub classes
  * @description Shows coupling between classes. Large, red, boxes are hub types that depend on many other classes
  *              and are depended on by many other classes.
- * @kind treemap
+ * @kind table
  * @id cpp/architecture/hub-classes
  * @treemap.warnOn highValues
+ * @tags maintainability
  */
+
 import cpp
 
 from Class c
 where c.fromSource()
-select c as Class,
-       c.getMetrics().getAfferentCoupling() as AfferentCoupling,
-       c.getMetrics().getEfferentSourceCoupling() as EfferentCoupling
-order by AfferentCoupling desc
+select c as Class, c.getMetrics().getAfferentCoupling() as AfferentCoupling,
+  c.getMetrics().getEfferentSourceCoupling() as EfferentCoupling order by AfferentCoupling desc

cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql

@@ -7,7 +7,9 @@
  * @workingset jhotdraw
  * @result succeed 48
  * @result_ondemand succeed 48
+ * @tags maintainability
  */
+
 import cpp
 
 /** does source class c have inheritance depth d? */
@@ -17,6 +19,5 @@ predicate hasInheritanceDepth(Class c, int d) {
 
 from int depth
 where hasInheritanceDepth(_, depth)
-select depth as InheritanceDepth,
-       count(Class c | hasInheritanceDepth(c, depth)) as NumberOfClasses
-order by InheritanceDepth
+select depth as InheritanceDepth, count(Class c | hasInheritanceDepth(c, depth)) as NumberOfClasses
+  order by InheritanceDepth

cpp/ql/src/Architecture/General Namespace-Level Information/CyclicNamespaces.ql

@@ -5,7 +5,9 @@
  * @id cpp/architecture/cyclic-namespaces
  * @graph.layout hierarchical
  * @tags maintainability
+ *       modularity
  */
+
 import cpp
 
 from MetricNamespace a, MetricNamespace b

cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql

@@ -3,11 +3,15 @@
  * @description Finds classes that belong to no namespace.
  * @kind table
  * @id cpp/architecture/global-namespace-classes
+ * @tags maintainability
+ *       modularity
  */
+
 import cpp
 
 from Class c
-where c.fromSource()
-  and c.isTopLevel()
-  and c.getParentScope() instanceof GlobalNamespace
+where
+  c.fromSource() and
+  c.isTopLevel() and
+  c.getParentScope() instanceof GlobalNamespace
 select c, "This class is not declared in any namespace"

cpp/ql/src/Architecture/General Namespace-Level Information/NamespaceDependencies.ql

@@ -4,7 +4,10 @@
  * @kind graph
  * @id cpp/architecture/namespace-dependencies
  * @graph.layout hierarchical
+ * @tags maintainability
+ *       modularity
  */
+
 import cpp
 
 from MetricNamespace a, MetricNamespace b

cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql

@@ -3,32 +3,50 @@
  * @description Shows general statistics about the application.
  * @kind table
  * @id cpp/architecture/general-statistics
+ * @tags maintainability
  */
+
 import cpp
 
 from string l, string n
-where (l = "Number of Namespaces" and
-         n = count(Namespace p | p.fromSource()).toString())
-   or (l = "Number of Files" and
-         n = count(File f | f.fromSource()).toString())
-   or (l = "Number of Header Files" and
-         n = count(HeaderFile f | f.fromSource()).toString())
-   or (l = "Number of C Files" and
-         n = count(CFile f | f.fromSource()).toString())
-   or (l = "Number of C++ Files" and
-         n = count(CppFile f | f.fromSource()).toString())
-   or (l = "Number of Classes" and
-         n = count(Class c | c.fromSource() and not c instanceof Struct).toString())
-   or (l = "Number of Structs" and
-         n = count(Struct s | s.fromSource()and not s instanceof Union).toString())
-   or (l = "Number of Unions" and
-         n = count(Union u | u.fromSource()).toString())
-   or (l = "Number of Functions" and
-         n = count(Function f | f.fromSource()).toString())
-   or (l = "Number of Lines Of Code" and
-         n = sum(File f, int toSum | (f.fromSource()) and (toSum = f.getMetrics().getNumberOfLinesOfCode()) | toSum).toString())
-   or (l = "Self-Containedness" and
-         n = (100 * sum(Class c, int toSum | (c.fromSource()) and (toSum = c.getMetrics().getEfferentSourceCoupling()) | toSum)
-                  / sum(Class c, int toSum | (c.fromSource()) and (toSum = c.getMetrics().getEfferentCoupling()) | toSum)).toString()
-           + "%")
+where
+  l = "Number of Namespaces" and
+  n = count(Namespace p | p.fromSource()).toString()
+  or
+  l = "Number of Files" and
+  n = count(File f | f.fromSource()).toString()
+  or
+  l = "Number of Header Files" and
+  n = count(HeaderFile f | f.fromSource()).toString()
+  or
+  l = "Number of C Files" and
+  n = count(CFile f | f.fromSource()).toString()
+  or
+  l = "Number of C++ Files" and
+  n = count(CppFile f | f.fromSource()).toString()
+  or
+  l = "Number of Classes" and
+  n = count(Class c | c.fromSource() and not c instanceof Struct).toString()
+  or
+  l = "Number of Structs" and
+  n = count(Struct s | s.fromSource() and not s instanceof Union).toString()
+  or
+  l = "Number of Unions" and
+  n = count(Union u | u.fromSource()).toString()
+  or
+  l = "Number of Functions" and
+  n = count(Function f | f.fromSource()).toString()
+  or
+  l = "Number of Lines Of Code" and
+  n = sum(File f, int toSum |
+      f.fromSource() and toSum = f.getMetrics().getNumberOfLinesOfCode()
+    |
+      toSum
+    ).toString()
+  or
+  l = "Self-Containedness" and
+  n = (
+        100 * sum(Class c | c.fromSource() | c.getMetrics().getEfferentSourceCoupling()) /
+          sum(Class c | c.fromSource() | c.getMetrics().getEfferentCoupling())
+      ).toString() + "%"
 select l as Title, n as Value

cpp/ql/src/Architecture/InappropriateIntimacy.ql

@@ -10,6 +10,7 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
 predicate remoteVarAccess(File source, File target, VariableAccess va) {
@@ -48,16 +49,19 @@ predicate highDependencyCount(File source, File target, int res) {
     variableDependencyCount(source, target, varCount) and
     functionDependencyCount(source, target, funCount) and
     res = varCount + funCount and
-    res > 20)
+    res > 20
+  )
 }
 
 from File a, File b, int ca, int cb
-where highDependencyCount(a, b, ca) and
-      highDependencyCount(b, a, cb) and
-      ca >= cb and
-      a != b and
-      not a instanceof HeaderFile and
-      not b instanceof HeaderFile and
-      b.getShortName().trim().length() > 0
-select a, "File is too closely tied to $@ (" + ca.toString() + " dependencies one way and " + cb.toString() + " the other).",
-       b, b.getBaseName()
+where
+  highDependencyCount(a, b, ca) and
+  highDependencyCount(b, a, cb) and
+  ca >= cb and
+  a != b and
+  not a instanceof HeaderFile and
+  not b instanceof HeaderFile and
+  b.getShortName().trim().length() > 0
+select a,
+  "File is too closely tied to $@ (" + ca.toString() + " dependencies one way and " + cb.toString() +
+    " the other).", b, b.getBaseName()

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql

@@ -11,10 +11,12 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
 from Class t, int n
-where t.fromSource() and
-      n = t.getMetrics().getEfferentSourceCoupling() and
-      n > 10
+where
+  t.fromSource() and
+  n = t.getMetrics().getEfferentSourceCoupling() and
+  n > 10
 select t as Class, "This class has too many dependencies (" + n.toString() + ")"

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.qhelp

@@ -6,7 +6,7 @@
 
 <overview>
 <p>This rule finds classes with more than 15 instance (i.e., non-<code>static</code>) fields. Library classes
-are not shown. Having too many fields in one class is a sign that the class lacks cohesion (i.e. lacks a single purpose).
+are not shown. Having too many fields in one class is a sign that the class may lack cohesion (i.e. lack a single purpose).
 These classes can be split into smaller, more cohesive classes. Alternatively, the related fields can be grouped 
 into <code>struct</code>s.</p>
 

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql

@@ -9,77 +9,143 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
-string kindstr(Class c)
-{
+/**
+ * Gets a string describing the kind of a `Class`.
+ */
+string kindstr(Class c) {
   exists(int kind | usertypes(unresolveElement(c), _, kind) |
-    (kind = 1 and result = "Struct") or
-    (kind = 2 and result = "Class") or
-    (kind = 6 and result = "Template class")
+    kind = 1 and result = "Struct"
+    or
+    kind = 2 and result = "Class"
+    or
+    kind = 6 and result = "Template class"
   )
 }
 
-predicate vdeInfo(VariableDeclarationEntry vde, Class c, File f, int line)
-{
+/**
+ * Holds if the arguments correspond to information about a `VariableDeclarationEntry`.
+ */
+predicate vdeInfo(VariableDeclarationEntry vde, Class c, File f, int line) {
   c = vde.getVariable().getDeclaringType() and
   f = vde.getLocation().getFile() and
   line = vde.getLocation().getStartLine()
 }
 
-predicate previousVde(VariableDeclarationEntry previous, VariableDeclarationEntry vde)
-{
-  exists(Class c, File f, int line | vdeInfo(vde, c, f, line) |
-    vdeInfo(previous, c, f, line - 3) or
-    vdeInfo(previous, c, f, line - 2) or
-    vdeInfo(previous, c, f, line - 1) or
-    (vdeInfo(previous, c, f, line) and exists(int prevCol, int vdeCol |
-      prevCol = previous.getLocation().getStartColumn() and vdeCol = vde.getLocation().getStartColumn() |
-      prevCol < vdeCol or (prevCol = vdeCol and previous.getName() < vde.getName())
-    ))
-  )
+newtype TVariableDeclarationInfo =
+  TVariableDeclarationLine(Class c, File f, int line) { vdeInfo(_, c, f, line) }
+
+/**
+ * A line that contains one or more `VariableDeclarationEntry`s (in the same class).
+ */
+class VariableDeclarationLine extends TVariableDeclarationInfo {
+  Class c;
+  File f;
+  int line;
+
+  VariableDeclarationLine() {
+    vdeInfo(_, c, f, line) and
+    this = TVariableDeclarationLine(c, f, line)
+  }
+
+  /**
+   * Gets the class associated with this `VariableDeclarationLine`.
+   */
+  Class getClass() { result = c }
+
+  /**
+   * Gets the line of this `VariableDeclarationLine`.
+   */
+  int getLine() { result = line }
+
+  /**
+   * Gets a `VariableDeclarationEntry` on this line.
+   */
+  VariableDeclarationEntry getAVDE() { vdeInfo(result, c, f, line) }
+
+  /**
+   * Gets the start column of the first `VariableDeclarationEntry` on this line.
+   */
+  int getStartColumn() { result = min(getAVDE().getLocation().getStartColumn()) }
+
+  /**
+   * Gets the end column of the last `VariableDeclarationEntry` on this line.
+   */
+  int getEndColumn() { result = max(getAVDE().getLocation().getEndColumn()) }
+
+  /**
+   * Gets the rank of this `VariableDeclarationLine` in its file and class
+   * (that is, the first is 0, the second is 1 and so on).
+   */
+  private int getRank() {
+    line = rank[result](VariableDeclarationLine vdl, int l |
+        vdl = TVariableDeclarationLine(c, f, l)
+      |
+        l
+      )
+  }
+
+  /**
+   * Gets the `VariableDeclarationLine` following this one, if any.
+   */
+  VariableDeclarationLine getNext() {
+    result = TVariableDeclarationLine(c, f, _) and
+    result.getRank() = getRank() + 1
+  }
+
+  /**
+   * Gets the `VariableDeclarationLine` following this one, if it is nearby.
+   */
+  VariableDeclarationLine getProximateNext() {
+    result = getNext() and
+    result.getLine() <= this.getLine() + 3
+  }
+
+  string toString() { result = "VariableDeclarationLine" }
 }
 
-predicate masterVde(VariableDeclarationEntry master, VariableDeclarationEntry vde)
-{
-  (not previousVde(_, vde) and master = vde) or
-  exists(VariableDeclarationEntry previous | previousVde(previous, vde) and masterVde(master, previous))
-}
+/**
+ * A group of `VariableDeclarationEntry`s in the same class that are approximately
+ * contiguous.
+ */
+class VariableDeclarationGroup extends VariableDeclarationLine {
+  VariableDeclarationLine end;
 
-class VariableDeclarationGroup extends ElementBase {
   VariableDeclarationGroup() {
-    this instanceof VariableDeclarationEntry and
-    not previousVde(_, this)
-  }
-  Class getClass() {
-    vdeInfo(this, result, _, _)
+    // there is no `VariableDeclarationLine` within three lines previously
+    not any(VariableDeclarationLine prev).getProximateNext() = this and
+    // `end` is the last transitively proximate line
+    end = getProximateNext*() and
+    not exists(end.getProximateNext())
   }
 
-  // pragma[noopt] since otherwise the two locationInfo relations get join-ordered
-  // after each other
-  pragma[noopt]
   predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
-    exists(VariableDeclarationEntry last, Location lstart, Location lend |
-      masterVde(this, last) and
-      this instanceof VariableDeclarationGroup and
-      not previousVde(last, _) and
-      exists(VariableDeclarationEntry vde | vde=this and vde instanceof VariableDeclarationEntry and vde.getLocation() = lstart) and
-      last.getLocation() = lend and
-      lstart.hasLocationInfo(path, startline, startcol, _, _) and
-      lend.hasLocationInfo(path, _, _, endline, endcol)
-    )
+    path = f.getAbsolutePath() and
+    startline = getLine() and
+    startcol = getStartColumn() and
+    endline = end.getLine() and
+    endcol = end.getEndColumn()
   }
 
-  string describeGroup() {
-    if previousVde(this, _) then
-      result = "group of "
-             + strictcount(string name
-                         | exists(VariableDeclarationEntry vde
-                                | masterVde(this, vde) and
-                                  name = vde.getName()))
-             + " fields here"
-    else
-      result = "declaration of " + this.(VariableDeclarationEntry).getVariable().getName()
+  /**
+   * Gets the number of uniquely named `VariableDeclarationEntry`s in this group.
+   */
+  int getCount() {
+    result = count(VariableDeclarationLine l |
+        l = getProximateNext*()
+      |
+        l.getAVDE().getVariable().getName()
+      )
+  }
+
+  override string toString() {
+    getCount() = 1 and
+    result = "declaration of " + getAVDE().getVariable().getName()
+    or
+    getCount() > 1 and
+    result = "group of " + getCount() + " fields here"
   }
 }
 
@@ -89,26 +155,32 @@ class ExtClass extends Class {
   }
 
   predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
-    if hasOneVariableGroup() then
-      exists(VariableDeclarationGroup vdg | vdg.getClass() = this | vdg.hasLocationInfo(path, startline, startcol, endline, endcol))
-    else
-      getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
+    if hasOneVariableGroup()
+    then
+      exists(VariableDeclarationGroup vdg | vdg.getClass() = this |
+        vdg.hasLocationInfo(path, startline, startcol, endline, endcol)
+      )
+    else getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
   }
 }
 
 from ExtClass c, int n, VariableDeclarationGroup vdg, string suffix
-where n = strictcount(string fieldName
-                    | exists(Field f
-                           | f.getDeclaringType() = c and
-                             fieldName = f.getName() and
-                             // IBOutlet's are a way of building GUIs
-                             // automatically out of ObjC properties.
-                             // We don't want to count those for the
-                             // purposes of this query.
-                             not (f.getType().getAnAttribute().hasName("iboutlet")))) and
-      n > 15 and
-      not c.isConstructedFrom(_) and
-      c = vdg.getClass() and
-      if c.hasOneVariableGroup() then suffix = "" else suffix = " - see $@"
-select c, kindstr(c) + " " + c.getName() + " has " + n + " fields, which is too many" + suffix + ".",
-       vdg, vdg.describeGroup()
+where
+  n = strictcount(string fieldName |
+      exists(Field f |
+        f.getDeclaringType() = c and
+        fieldName = f.getName() and
+        // IBOutlet's are a way of building GUIs
+        // automatically out of ObjC properties.
+        // We don't want to count those for the
+        // purposes of this query.
+        not f.getType().getAnAttribute().hasName("iboutlet")
+      )
+    ) and
+  n > 15 and
+  not c.isConstructedFrom(_) and
+  c = vdg.getClass() and
+  if c.hasOneVariableGroup() then suffix = "" else suffix = " - see $@"
+select c,
+  kindstr(c) + " " + c.getName() + " has " + n +
+    " fields; we suggest refactoring to 15 fields or fewer" + suffix + ".", vdg, vdg.toString()

cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql

@@ -8,11 +8,13 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
 from Function f, int n
-where f.fromSource() and
-      n = f.getMetrics().getNumberOfCalls() and
-      n > 99 and
-      not f.isMultiplyDefined()
+where
+  f.fromSource() and
+  n = f.getMetrics().getNumberOfCalls() and
+  n > 99 and
+  not f.isMultiplyDefined()
 select f as Function, "This function makes too many calls (" + n.toString() + ")"

cpp/ql/src/Architecture/Refactoring Opportunities/CyclomaticComplexity.ql

@@ -8,9 +8,11 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
 from Function f, int complexity
-where complexity = f.getMetrics().getCyclomaticComplexity()
-  and complexity > 250
+where
+  complexity = f.getMetrics().getCyclomaticComplexity() and
+  complexity > 250
 select f, "Function has high cyclomatic complexity: " + complexity.toString()

cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql

@@ -9,10 +9,13 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
 from Function f
-where f.fromSource() and
-      f.getMetrics().getNumberOfParameters() > 15
-select f, "This function has too many parameters ("
-          + f.getMetrics().getNumberOfParameters().toString() + ")"
+where
+  f.fromSource() and
+  f.getMetrics().getNumberOfParameters() > 15
+select f,
+  "This function has too many parameters (" + f.getMetrics().getNumberOfParameters().toString() +
+    ")"

cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql

@@ -9,19 +9,27 @@
  *       readability
  *       maintainability
  */
+
 import cpp
 
 class ComplexStmt extends Stmt {
   ComplexStmt() {
-    exists(Block body | body = this.(Loop      ).getStmt() or
-                        body = this.(SwitchStmt).getStmt()
-                      | strictcount(body.getAStmt+()) > 6)
-    and not exists (this.getGeneratingMacro())
+    exists(Block body |
+      body = this.(Loop).getStmt() or
+      body = this.(SwitchStmt).getStmt()
+    |
+      strictcount(body.getAStmt+()) > 6
+    ) and
+    not exists(this.getGeneratingMacro())
   }
 }
 
 from Block b, int n, ComplexStmt complexStmt
-where n = strictcount(ComplexStmt s | s = b.getAStmt()) and n > 3
-  and complexStmt = b.getAStmt()
-select b, "Block with too many statements (" + n.toString() + " complex statements in the block). Complex statements at: $@", complexStmt, complexStmt.toString()
-
+where
+  n = strictcount(ComplexStmt s | s = b.getAStmt()) and
+  n > 3 and
+  complexStmt = b.getAStmt()
+select b,
+  "Block with too many statements (" + n.toString() +
+    " complex statements in the block). Complex statements at: $@", complexStmt,
+  complexStmt.toString()

cpp/ql/src/Best Practices/ComplexCondition.ql

@@ -11,23 +11,23 @@
  *       statistical
  *       non-attributable
  */
+
 import cpp
 
-predicate logicalOp(string op) {
-  op = "&&" or op = "||"
-}
+predicate logicalOp(string op) { op = "&&" or op = "||" }
 
 predicate nontrivialLogicalOperator(Operation e) {
   exists(string op |
     op = e.getOperator() and
     logicalOp(op) and
-    not (op = e.getParent().(Operation).getOperator())
-  )
-  and not e.isInMacroExpansion()
+    not op = e.getParent().(Operation).getOperator()
+  ) and
+  not e.isInMacroExpansion()
 }
 
 from Expr e, int operators
-where not (e.getParent() instanceof Expr)
-      and operators = count(Operation op | op.getParent*() = e and nontrivialLogicalOperator(op))
-      and operators > 5
+where
+  not e.getParent() instanceof Expr and
+  operators = count(Operation op | op.getParent*() = e and nontrivialLogicalOperator(op)) and
+  operators > 5
 select e, "Complex condition: too many logical operations in this expression."

cpp/ql/src/Best Practices/Exceptions/AccidentalRethrow.ql

@@ -13,10 +13,11 @@
 import cpp
 
 predicate isInCatch(Expr e) {
-  e.getEnclosingStmt().getParent*() instanceof CatchBlock or // Lexically enclosing catch blocks will cause there to be a current exception,
+  e.getEnclosingStmt().getParent*() instanceof CatchBlock // Lexically enclosing catch blocks will cause there to be a current exception,
+  or
   exists(Function f | f = e.getEnclosingFunction() |
-    isInCatch(f.getACallToThisFunction()) or                 // as will dynamically enclosing catch blocks.
-    f.getName().toLowerCase().matches("%exception%")         // We assume that rethrows are intended when the function is called *exception*.
+    isInCatch(f.getACallToThisFunction()) or // as will dynamically enclosing catch blocks.
+    f.getName().toLowerCase().matches("%exception%") // We assume that rethrows are intended when the function is called *exception*.
   )
 }
 

cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql

@@ -13,5 +13,6 @@
 import cpp
 
 from CatchBlock cb, Class caughtType
-where caughtType = cb.getParameter().getType().getUnderlyingType().getUnspecifiedType()
-select cb, "This should catch a " + caughtType.getName() + " by (const) reference rather than by value."
+where caughtType = cb.getParameter().getUnspecifiedType()
+select cb,
+  "This should catch a " + caughtType.getName() + " by (const) reference rather than by value."

cpp/ql/src/Best Practices/Exceptions/LeakyCatch.ql

@@ -18,31 +18,33 @@ predicate doesRethrow(Function f) {
     not e.getEnclosingStmt().getParent*() instanceof CatchBlock
   )
   or
-  exists(FunctionCall fc | fc.getEnclosingFunction() = f |
-    doesRethrow(fc.getTarget())
-  )
+  exists(FunctionCall fc | fc.getEnclosingFunction() = f | doesRethrow(fc.getTarget()))
 }
 
 predicate deletesException(Expr expr, Parameter exception) {
-  expr.getEnclosingBlock().getParent*().(CatchBlock).getParameter() = exception and (
+  expr.getEnclosingBlock().getParent*().(CatchBlock).getParameter() = exception and
+  (
     exists(FunctionCall fc | fc = expr |
       // Calling a delete function on the exception will free it (MFC's CException has a Delete function).
-      (fc.getQualifier() = exception.getAnAccess() and fc.getTarget().getName().toLowerCase().matches("%delete%")) or
+      fc.getQualifier() = exception.getAnAccess() and
+      fc.getTarget().getName().toLowerCase().matches("%delete%")
+      or
       // Passing the exception to a function might free it.
-      (fc.getAnArgument() = exception.getAnAccess()) or
+      fc.getAnArgument() = exception.getAnAccess()
+      or
       // Calling a function which rethrows the current exception might cause the exception to be freed.
       doesRethrow(fc.getTarget())
-    ) or
-    // Calling operator delete on the exception will free it.
-    exists(DeleteExpr d | d = expr |
-      d.getExpr() = exception.getAnAccess()
     )
+    or
+    // Calling operator delete on the exception will free it.
+    exists(DeleteExpr d | d = expr | d.getExpr() = exception.getAnAccess())
   )
 }
 
 from CatchBlock cb
-where cb.getParameter().getType().getUnderlyingType() instanceof PointerType
-and not exists(Expr e | e.getEnclosingBlock().getParent*() = cb |
-  deletesException(e, cb.getParameter())
-)
+where
+  cb.getParameter().getType().getUnderlyingType() instanceof PointerType and
+  not exists(Expr e | e.getEnclosingBlock().getParent*() = cb |
+    deletesException(e, cb.getParameter())
+  )
 select cb, "This catch block does not free the caught exception, thereby leaking memory."

cpp/ql/src/Best Practices/Exceptions/ThrowingPointers.ql

@@ -13,8 +13,9 @@
 import cpp
 
 from ThrowExpr throw, NewExpr new, Type t
-where new.getParent() = throw
+where
+  new.getParent() = throw and
   // Microsoft MFC's CException hierarchy should be thrown (and caught) as pointers
-  and t = new.getAllocatedType()
-  and not t.getUnderlyingType().(Class).getABaseClass*().hasName("CException")
+  t = new.getAllocatedType() and
+  not t.getUnderlyingType().(Class).getABaseClass*().hasName("CException")
 select throw, "This should throw a " + t.toString() + " rather than a pointer to one."