Adds the mog action

The mog action will add a `merge-on-green` label to a PR if a user adds a comment that contains the word "MOG" in it.

.codeqlmanifest.json

@@ -1,6 +1,5 @@
 { "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
-               "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",
                "misc/suite-helpers/qlpack.yml" ] }

.devcontainer/devcontainer.json

@@ -4,6 +4,6 @@
     "slevesque.vscode-zipexplorer"
   ],
   "settings": {
-    "codeQL.runningQueries.memory": 2048
+    "codeQL.experimentalBqrsParsing": true
   }
 }

.github/codeql/codeql-config.yml

@@ -7,5 +7,3 @@ paths-ignore:
   - '/cpp/'
   - '/java/'
   - '/python/'
-  - '/javascript/ql/test'
-  - '/javascript/extractor/tests'

.github/workflows/add-mog-label.yml

@@ -0,0 +1,22 @@
+name: "Add Merge on Green Label"
+
+on:
+  issue_comment:
+    types: [created, edited]
+
+jobs:
+  addMogLabel:
+    runs-on: ubuntu-latest
+    if:
+      ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'mog') }}
+    steps:
+      - name: Add label using Request Action
+        uses: octokit/request-action@v2.x
+        with:
+          route: POST /repos/:repository/issues/:issue_number/labels
+          repository: ${{ github.repository }}
+          issue_number: ${{ github.event.issue.number }}
+          labels: |
+            - "merge-on-green"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/labeler.yml

@@ -1,11 +0,0 @@
-name: "Pull Request Labeler"
-on:
-- pull_request_target
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/labeler@v2
-      with:
-        repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/query-list.yml

@@ -1,49 +0,0 @@
-name: Build code scanning query list
-
-on:
-  push:
-    branches:
-     - main
-     - 'rc/**'
-  pull_request:
-    paths:
-      - '.github/workflows/query-list.yml'
-      - 'misc/scripts/generate-code-scanning-query-list.py'
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Clone self (github/codeql)
-      uses: actions/checkout@v2
-      with:
-        path: codeql 
-    - name: Clone github/codeql-go
-      uses: actions/checkout@v2
-      with:
-        repository: 'github/codeql-go'
-        path: codeql-go
-    - name: Set up Python 3.8
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.8
-    - name: Download CodeQL CLI
-      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
-      with:
-        repo: "github/codeql-cli-binaries"
-        version: "latest"
-        file: "codeql-linux64.zip"
-        token: ${{ secrets.GITHUB_TOKEN }}
-    - name: Unzip CodeQL CLI
-      run: unzip -d codeql-cli codeql-linux64.zip
-    - name: Build code scanning query list
-      run: |
-        PATH="$PATH:codeql-cli/codeql" python codeql/misc/scripts/generate-code-scanning-query-list.py > code-scanning-query-list.csv
-    - name: Upload code scanning query list
-      uses: actions/upload-artifact@v2
-      with:
-        name: code-scanning-query-list
-        path: code-scanning-query-list.csv
-    

.vscode/extensions.json

@@ -3,8 +3,8 @@
     // Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
     // List of extensions which should be recommended for users of this workspace.
     "recommendations": [
-        "GitHub.vscode-codeql"
+        "github.vscode-codeql"
     ],
     // List of extensions recommended by VS Code that should not be recommended for users of this workspace.
     "unwantedRecommendations": []
-}
+}

.vscode/settings.json

@@ -1,3 +0,0 @@
-{
-    "omnisharp.autoStart": false
-}

README.md

@@ -9,7 +9,7 @@ You can use the [interactive query console](https://lgtm.com/help/lgtm/using-que
 
 ## Contributing
 
-We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
+We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/master/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
 
 ## License
 

change-notes/1.25/analysis-csharp.md

@@ -28,51 +28,27 @@ The following changes in version 1.25 affect C# analysis in all applications.
   such as `A<int>.B`, no longer are considered unbound generics. (Such nested types do,
   however, still have relevant `.getSourceDeclaration()`s, for example `A<>.B`.)
 * The data-flow library has been improved, which affects most security queries by potentially
-  adding more results:
-  - Flow through methods now takes nested field reads/writes into account.
-    For example, the library is able to track flow from `"taint"` to `Sink()` via the method
-    `GetF2F1()` in
-    ```csharp
-    class C1
-    {
-        string F1;
-    }
+  adding more results. Flow through methods now takes nested field reads/writes into account.
+  For example, the library is able to track flow from `"taint"` to `Sink()` via the method
+  `GetF2F1()` in
+  ```csharp
+  class C1
+  {
+      string F1;
+  }
 
-    class C2
-    {
-        C1 F2;
+  class C2
+  {
+      C1 F2;
+  
+      string GetF2F1() => F2.F1; // Nested field read
 
-        string GetF2F1() => F2.F1; // Nested field read
-
-        void M()
-        {
-            F2 = new C1() { F1 = "taint" };
-            Sink(GetF2F1()); // NEW: "taint" reaches here
-        }
-    }
-    ```
-  - Flow through collections is now modeled precisely. For example, instead of modeling an array
-    store `a[i] = x` as a taint-step from `x` to `a`, we now model it as a data-flow step that
-    stores `x` into `a`. To get the value back out, a matching read step must be taken.
-
-    For source-code based data-flow analysis, the following constructs are modeled as stores into
-    collections:
-    - Direct array assignments, `a[i] = x`.
-    - Array initializers, `new [] { x }`.
-    - C# 6-style array initializers, `new C() { Array = { [i] = x } }`.
-    - Call arguments that match a `params` parameter, where the C# compiler creates an array under-the-hood.
-    - `yield return` statements.
-
-    The following source-code constructs read from a collection:
-    - Direct array reads, `a[i]`.
-    - `foreach` statements.
-
-    For calls out to library code, existing flow summaries have been refined to precisely
-    capture how they interact with collection contents. For example, a call to
-    `System.Collections.Generic.List<T>.Add(T)` stores the value of the argument into the
-    qualifier, and a call to `System.Collections.Generic.List<T>.get_Item(int)` (that is, an
-    indexer call) reads contents out of the qualifier. Moreover, the effect of
-    collection-clearing methods such as `System.Collections.Generic.List<T>.Clear()` is now
-    also modeled.
+      void M()
+      {
+          F2 = new C1() { F1 = "taint" };
+          Sink(GetF2F1()); // NEW: "taint" reaches here
+      }
+  }
+  ```
 
 ## Changes to autobuilder

change-notes/1.25/analysis-java.md

@@ -4,26 +4,20 @@ The following changes in version 1.25 affect Java analysis in all applications.
 
 ## General improvements
 
-The Java autobuilder has been improved to detect more Gradle Java versions.
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
 
 ## Changes to existing queries
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-| Hard-coded credential in API call (`java/hardcoded-credential-api-call`) | More results | The query now recognizes the `BasicAWSCredentials` class of the Amazon client SDK library with hardcoded access key/secret key. |
-| Deserialization of user-controlled data (`java/unsafe-deserialization`) | Fewer false positive results | The query no longer reports results using `org.apache.commons.io.serialization.ValidatingObjectInputStream`. |
-| Use of a broken or risky cryptographic algorithm (`java/weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
-| Use of a potentially broken or risky cryptographic algorithm (`java/potentially-weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
-| Reading from a world writable file (`java/world-writable-file-read`) | More results | The query now recognizes more JDK file operations. |
+
 
 ## Changes to libraries
 
-* The data-flow library has been improved with more taint flow modeling for the
-  Collections framework and other classes of the JDK. This affects all security
-  queries using data flow and can yield additional results.
-* The data-flow library has been improved with more taint flow modeling for the
-  Spring framework. This affects all security queries using data flow and can
-  yield additional results on project that rely on the Spring framework.
 * The data-flow library has been improved, which affects most security queries by potentially
   adding more results. Flow through methods now takes nested field reads/writes into account.
   For example, the library is able to track flow from `"taint"` to `sink()` via the method
@@ -45,5 +39,3 @@ The Java autobuilder has been improved to detect more Gradle Java versions.
     }
   }
   ```
-* The library has been extended with more support for Java 14 features
-  (`switch` expressions and pattern-matching for `instanceof`).

change-notes/1.25/analysis-javascript.md

@@ -6,10 +6,8 @@
   - [Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise)
   - [bluebird](http://bluebirdjs.com/)
   - [express](https://www.npmjs.com/package/express)
-  - [execa](https://www.npmjs.com/package/execa)
   - [fancy-log](https://www.npmjs.com/package/fancy-log)
   - [fastify](https://www.npmjs.com/package/fastify)
-  - [foreground-child](https://www.npmjs.com/package/foreground-child)
   - [fstream](https://www.npmjs.com/package/fstream)
   - [jGrowl](https://github.com/stanlemon/jGrowl)
   - [jQuery](https://jquery.com/)
@@ -19,7 +17,6 @@
   - [mssql](https://www.npmjs.com/package/mssql)
   - [mysql](https://www.npmjs.com/package/mysql)
   - [npmlog](https://www.npmjs.com/package/npmlog)
-  - [opener](https://www.npmjs.com/package/opener)
   - [pg](https://www.npmjs.com/package/pg)
   - [sequelize](https://www.npmjs.com/package/sequelize)
   - [spanner](https://www.npmjs.com/package/spanner)
@@ -30,7 +27,7 @@
   - [yargs](https://www.npmjs.com/package/yargs)
   - [webpack-dev-server](https://www.npmjs.com/package/webpack-dev-server)
 
-* TypeScript 4.0 is now supported.
+* TypeScript 3.9 is now supported.
 
 * TypeScript code embedded in HTML and Vue files is now extracted and analyzed.
 

change-notes/1.25/analysis-python.md

@@ -1,9 +1,22 @@
 # Improvements to Python analysis
 
+The following changes in version 1.25 affect Python analysis in all applications.
+
+## General improvements
+
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+
+
+## Changes to libraries
+
 * Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).
-* Added model of taint sources for HTTP servers using `http.server`.
-* Added taint modeling of routed parameters in Flask.
-* Improved modeling of built-in methods on strings for taint tracking.
-* Improved classification of test files.
-* New class `BoundMethodValue` represents a bound method during runtime.
-* The query `py/command-line-injection` now recognizes command execution with the `fabric` and `invoke` Python libraries.

change-notes/1.26/analysis-cpp.md

@@ -1,31 +0,0 @@
-# Improvements to C/C++ analysis
-
-The following changes in version 1.26 affect C/C++ analysis in all applications.
-
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-| Declaration hides parameter (`cpp/declaration-hides-parameter`) | Fewer false positive results | False positives involving template functions have been fixed. |
-| Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
-| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
-| Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
-
-## Changes to libraries
-
-* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
-* The models library now models many taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
-* The models library now models many more taint flows through `std::string`.
-* The models library now models many taint flows through `std::istream` and `std::ostream`.
-* The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
-* The models library now models many taint flows through `std::pair`, `std::map`, `std::unordered_map`, `std::set` and `std::unordered_set`.
-* The models library now models `bcopy`.
-* The `SimpleRangeAnalysis` library now supports multiplications of the form
-  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

change-notes/1.26/analysis-java.md

@@ -1,20 +0,0 @@
-# Improvements to Java analysis
-
-The following changes in version 1.26 affect Java analysis in all applications.
-
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                    | **Expected impact**    | **Change**                        |
-|------------------------------|------------------------|-----------------------------------|
-
-
-## Changes to libraries
-

change-notes/1.26/analysis-javascript.md

@@ -1,73 +0,0 @@
-# Improvements to JavaScript analysis
-
-## General improvements
-
-* Angular-specific taint sources and sinks are now recognized by the security queries.
-
-* Support for React has improved, with better handling of react hooks, react-router path parameters, lazy-loaded components, and components transformed using `react-redux` and/or `styled-components`.
-
-* Dynamic imports are now analyzed more precisely.
-
-* Support for the following frameworks and libraries has been improved:
-  - [@angular/*](https://www.npmjs.com/package/@angular/core)
-  - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
-  - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
-  - [debounce](https://www.npmjs.com/package/debounce)
-  - [bluebird](https://www.npmjs.com/package/bluebird)
-  - [call-limit](https://www.npmjs.com/package/call-limit)
-  - [classnames](https://www.npmjs.com/package/classnames)
-  - [clsx](https://www.npmjs.com/package/clsx)
-  - [express](https://www.npmjs.com/package/express)
-  - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
-  - [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
-  - [http](https://nodejs.org/api/http.html)
-  - [javascript-stringify](https://www.npmjs.com/package/javascript-stringify)
-  - [js-stringify](https://www.npmjs.com/package/js-stringify)
-  - [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
-  - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
-  - [json3](https://www.npmjs.com/package/json3)
-  - [jQuery throttle / debounce](https://github.com/cowboy/jquery-throttle-debounce)
-  - [lodash](https://www.npmjs.com/package/lodash)
-  - [lodash.debounce](https://www.npmjs.com/package/lodash.debounce)
-  - [lodash.throttle](https://www.npmjs.com/package/lodash.throttle)
-  - [needle](https://www.npmjs.com/package/needle)
-  - [object-inspect](https://www.npmjs.com/package/object-inspect)
-  - [pretty-format](https://www.npmjs.com/package/pretty-format)
-  - [react](https://www.npmjs.com/package/react)
-  - [react-router-dom](https://www.npmjs.com/package/react-router-dom)
-  - [react-redux](https://www.npmjs.com/package/react-redux)
-  - [redis](https://www.npmjs.com/package/redis)
-  - [redux](https://www.npmjs.com/package/redux)
-  - [stringify-object](https://www.npmjs.com/package/stringify-object)
-  - [styled-components](https://www.npmjs.com/package/styled-components)
-  - [throttle-debounce](https://www.npmjs.com/package/throttle-debounce)
-  - [underscore](https://www.npmjs.com/package/underscore)
-
-* Analyzing files with the ".cjs" extension is now supported.
-* ES2021 features are now supported.
-
-## New queries
-
-| **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
-|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                      | **Expected impact**          | **Change**                                                                |
-|--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Potentially unsafe external link (`js/unsafe-external-link`) | Fewer results | This query no longer flags URLs constructed using a template system where only the hash or query part of the URL is dynamic. |
-| Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
-| Ambiguous HTML id attribute (`js/duplicate-html-id`) | Results no longer shown | Precision tag reduced to "low". The query is no longer run by default. |
-| Unused loop iteration variable (`js/unused-loop-variable`) | Fewer results | This query no longer flags variables in a destructuring array assignment that are not the last variable in the destructed array. |
-| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
-| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
-| Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
-| Missing CSRF middleware (`js/missing-token-validation`) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
-| Missing CSRF middleware (`js/missing-token-validation`) | Fewer results | This query now recognizes more ways of protecting against CSRF attacks. |
-| Client-side cross-site scripting (`js/xss`) | More results | This query now tracks data flow from `location.hash` more precisely. |
-
-
-## Changes to libraries
-* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
-* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, subclasses should instead be based on `HtmlInjectionConfiguration`. To use both configurations in a query, see [Xss.ql](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql) for an example.

change-notes/1.26/analysis-python.md

@@ -1,22 +0,0 @@
-# Improvements to Python analysis
-
-The following changes in version 1.26 affect Python analysis in all applications.
-
-## General improvements
-
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
-
-## Changes to existing queries
-
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
-
-
-## Changes to libraries
-
-* Added taint tracking support for string formatting through f-strings.

config/identical-files.json

@@ -19,17 +19,15 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll"
+    "python/ql/src/experimental/dataflow/internal/DataFlowImpl.qll",
+    "python/ql/src/experimental/dataflow/internal/DataFlowImpl2.qll"
   ],
   "DataFlow Java/C++/C#/Python Common": [
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll"
+    "python/ql/src/experimental/dataflow/internal/DataFlowImplCommon.qll"
   ],
   "TaintTracking::Configuration Java/C++/C#/Python": [
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
@@ -43,37 +41,14 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll"
+    "python/ql/src/experimental/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
   ],
   "DataFlow Java/C++/C#/Python Consistency checks": [
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
-    "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
-  ],
-  "SsaReadPosition Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
-  ],
-  "Sign Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll"
-  ],
-  "SignAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
-  ],
-  "Bound Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
-  ],
-  "ModulusAnalysis Java/C#": [
-    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+    "python/ql/src/experimental/dataflow/internal/DataFlowImplConsistency.qll"
   ],
   "C++ SubBasicBlocks": [
     "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
@@ -112,7 +87,7 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
     "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
+    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll" 
   ],
   "IR IRType": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
@@ -134,11 +109,11 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
   ],
-  "IR TInstruction": [
+  "IR TInstruction":[
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
   ],
-  "IR TIRVariable": [
+  "IR TIRVariable":[
     "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
     "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
   ],
@@ -350,64 +325,11 @@
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
-  "C# ControlFlowReachability": [
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
-  ],
-  "Inline Test Expectations": [
-    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
-    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
-  ],
   "XML": [
     "cpp/ql/src/semmle/code/cpp/XML.qll",
     "csharp/ql/src/semmle/code/csharp/XML.qll",
     "java/ql/src/semmle/code/xml/XML.qll",
     "javascript/ql/src/semmle/javascript/XML.qll",
     "python/ql/src/semmle/python/xml/XML.qll"
-  ],
-  "DuplicationProblems.qhelp": [
-    "cpp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
-    "csharp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
-    "javascript/ql/src/Metrics/DuplicationProblems.qhelp",
-    "python/ql/src/Metrics/DuplicationProblems.qhelp"
-  ],
-  "CommentedOutCodeQuery.qhelp": [
-    "cpp/ql/src/Documentation/CommentedOutCodeQuery.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeQuery.qhelp",
-    "csharp/ql/src/Bad Practices/Comments/CommentedOutCodeQuery.qhelp",
-    "java/ql/src/Violations of Best Practice/Comments/CommentedOutCodeQuery.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeQuery.qhelp"
-  ],
-  "FLinesOfCodeReferences.qhelp": [
-    "java/ql/src/Metrics/Files/FLinesOfCodeReferences.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfCodeReferences.qhelp"
-  ],
-  "FCommentRatioCommon.qhelp": [
-    "java/ql/src/Metrics/Files/FCommentRatioCommon.qhelp",
-    "javascript/ql/src/Metrics/FCommentRatioCommon.qhelp"
-  ],
-  "FLinesOfCodeOverview.qhelp": [
-    "java/ql/src/Metrics/Files/FLinesOfCodeOverview.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfCodeOverview.qhelp"
-  ],
-  "CommentedOutCodeMetricOverview.qhelp": [
-    "cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
-    "csharp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
-    "java/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeMetricOverview.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeMetricOverview.qhelp"
-  ],
-  "FLinesOfDuplicatedCodeCommon.qhelp": [
-    "cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
-    "java/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
-    "javascript/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp",
-    "python/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp"
-  ],
-  "CommentedOutCodeReferences.qhelp": [
-    "cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
-    "csharp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
-    "java/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
-    "javascript/ql/src/Comments/CommentedOutCodeReferences.qhelp",
-    "python/ql/src/Lexical/CommentedOutCodeReferences.qhelp"
   ]
 }

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj

@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>netcoreapp3.0</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
     <Nullable>enable</Nullable>

cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>netcoreapp3.0</TargetFramework>
     <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
     <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
     <ApplicationIcon />

cpp/change-notes/2020-09-29-range-analysis-rollup.md

@@ -1,14 +0,0 @@
-lgtm,codescanning
-* The `SimpleRangeAnalysis` library has gained support for several language
-  constructs it did not support previously. These improvements primarily affect
-  the queries `cpp/constant-comparison`, `cpp/comparison-with-wider-type`, and
-  `cpp/integer-multiplication-cast-to-long`. The newly supported language
-  features are:
-    * Multiplication of unsigned numbers.
-    * Multiplication by a constant.
-    * Reference-typed function parameters.
-    * Comparing a variable not equal to an endpoint of its range, thus narrowing the range by one.
-    * Using `if (x)` or `if (!x)` or similar to test for equality to zero.
-* The `SimpleRangeAnalysis` library can now be extended with custom rules. See
-  examples in
-  `cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/extensions/`.

cpp/change-notes/2020-10-21-erroneous-types.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The `cpp/wrong-type-format-argument` and `cpp/non-portable-printf` queries have been hardened so that they do not produce nonsensical results on databases that contain errors (specifically the `ErroneousType`).

cpp/change-notes/2020-10-21-size-check-queries.md

@@ -1,2 +0,0 @@
-lgtm,codescanning
-* The 'Not enough memory allocated for pointer type' (cpp/allocation-too-small) and 'Not enough memory allocated for array of pointer type' (cpp/suspicious-allocation-size) queries have been improved. Previously some allocations would be reported by both queries, this no longer occurs. In addition more allocation functions are now understood by both queries.

cpp/ql/examples/qlpack.yml

@@ -1,3 +0,0 @@
-name: codeql-cpp-examples
-version: 0.0.0
-libraryPathDependencies: codeql-cpp

cpp/ql/examples/snippets/emptyblock.ql

@@ -9,6 +9,6 @@
 
 import cpp
 
-from BlockStmt blk
+from Block blk
 where blk.getNumStmt() = 0
 select blk

cpp/ql/examples/snippets/emptythen.ql

@@ -13,5 +13,5 @@
 import cpp
 
 from IfStmt i
-where i.getThen().(BlockStmt).getNumStmt() = 0
+where i.getThen().(Block).getNumStmt() = 0
 select i

cpp/ql/examples/snippets/singletonblock.ql

@@ -8,6 +8,6 @@
 
 import cpp
 
-from BlockStmt b
+from Block b
 where b.getNumStmt() = 1
 select b

cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql

@@ -14,7 +14,7 @@ import cpp
 
 class ComplexStmt extends Stmt {
   ComplexStmt() {
-    exists(BlockStmt body |
+    exists(Block body |
       body = this.(Loop).getStmt() or
       body = this.(SwitchStmt).getStmt()
     |
@@ -24,7 +24,7 @@ class ComplexStmt extends Stmt {
   }
 }
 
-from BlockStmt b, int n, ComplexStmt complexStmt
+from Block b, int n, ComplexStmt complexStmt
 where
   n = strictcount(ComplexStmt s | s = b.getAStmt()) and
   n > 3 and

cpp/ql/src/Best Practices/Exceptions/LeakyCatch.qhelp

@@ -39,7 +39,7 @@ void good() {
 </example>
 <references>
 
-  <li>MSDN Library for MFC: <a href="https://docs.microsoft.com/en-us/cpp/mfc/exceptions-catching-and-deleting-exceptions">Exceptions: Catching and Deleting Exceptions</a>.</li>
+  <li>MSDN Library for MFC: <a href="http://msdn.microsoft.com/en-us/library/0e5twxsh(v=vs.110).aspx">Exceptions: Catching and Deleting Exceptions</a>.</li>
 
 
 </references>

cpp/ql/src/Best Practices/Hiding/DeclarationHidesParameter.ql

@@ -11,17 +11,6 @@
 
 import cpp
 
-/**
- * Gets the template that a function `f` is constructed from, or just `f` if it
- * is not from a template instantiation.
- */
-Function getConstructedFrom(Function f) {
-  f.isConstructedFrom(result)
-  or
-  not f.isConstructedFrom(_) and
-  result = f
-}
-
 /**
  * Gets the parameter of `f` with name `name`, which has to come from the
  * _definition_ of `f` and not a prototype declaration.
@@ -29,17 +18,13 @@ Function getConstructedFrom(Function f) {
  * This should not happen in a single application but since we
  * have a system wide view it is likely to happen for instance for
  * the main function.
- *
- * Note: we use `getConstructedFrom` to ensure that we look at template
- * functions rather than their instantiations. We get better results this way
- * as the instantiation is artificial and may have inherited parameter names
- * from the declaration rather than the definition.
  */
 ParameterDeclarationEntry functionParameterNames(Function f, string name) {
   exists(FunctionDeclarationEntry fe |
     result.getFunctionDeclarationEntry() = fe and
-    getConstructedFrom(f).getDefinition() = fe and
+    fe.getFunction() = f and
     fe.getLocation() = f.getDefinitionLocation() and
+    result.getFile() = fe.getFile() and // Work around CPP-331
     strictcount(f.getDefinitionLocation()) = 1 and
     result.getName() = name
   )

cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql

@@ -17,7 +17,7 @@ where
   shadowing(lv1, lv2) and
   not lv1.isCompilerGenerated() and
   not lv2.isCompilerGenerated() and
-  not lv1.getParentScope().(BlockStmt).isInMacroExpansion() and
-  not lv2.getParentScope().(BlockStmt).isInMacroExpansion()
+  not lv1.getParentScope().(Block).isInMacroExpansion() and
+  not lv2.getParentScope().(Block).isInMacroExpansion()
 select lv1, "Variable " + lv1.getName() + " hides another variable of the same name (on $@).", lv2,
   "line " + lv2.getLocation().getStartLine().toString()

cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql

@@ -14,7 +14,7 @@
 
 import cpp
 
-predicate emptyBlock(ControlStructure s, BlockStmt b) {
+predicate emptyBlock(ControlStructure s, Block b) {
   b = s.getAChild() and
   not exists(b.getAChild()) and
   not b.isInMacroExpansion() and
@@ -23,7 +23,7 @@ predicate emptyBlock(ControlStructure s, BlockStmt b) {
 
 class AffectedFile extends File {
   AffectedFile() {
-    exists(BlockStmt b |
+    exists(Block b |
       emptyBlock(_, b) and
       this = b.getFile()
     )
@@ -37,7 +37,7 @@ class AffectedFile extends File {
 class BlockOrNonChild extends Element {
   BlockOrNonChild() {
     (
-      this instanceof BlockStmt
+      this instanceof Block
       or
       this instanceof Comment
       or
@@ -78,7 +78,7 @@ class BlockOrNonChild extends Element {
 /**
  * A block that contains a non-child element.
  */
-predicate emptyBlockContainsNonchild(BlockStmt b) {
+predicate emptyBlockContainsNonchild(Block b) {
   emptyBlock(_, b) and
   exists(BlockOrNonChild c, AffectedFile file |
     c.(BlockOrNonChild).getStartRankIn(file) = 1 + b.(BlockOrNonChild).getStartRankIn(file) and
@@ -91,7 +91,7 @@ predicate emptyBlockContainsNonchild(BlockStmt b) {
  * A block that is entirely on one line, which also contains a comment.  Chances
  * are the comment is intended to refer to the block.
  */
-predicate lineComment(BlockStmt b) {
+predicate lineComment(Block b) {
   emptyBlock(_, b) and
   exists(Location bLocation, File f, int line |
     bLocation = b.getLocation() and
@@ -106,7 +106,7 @@ predicate lineComment(BlockStmt b) {
   )
 }
 
-from ControlStructure s, BlockStmt eb
+from ControlStructure s, Block eb
 where
   emptyBlock(s, eb) and
   not emptyBlockContainsNonchild(eb) and

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.qhelp

@@ -27,7 +27,7 @@ then removing it will make code more readable. If the static variable is needed
   <a href="https://www.securecoding.cert.org/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">Detect and remove code that has no effect</a>
 </li>
 <li>
-  <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL19-C.+Minimize+the+scope+of+variables+and+functions">Minimize the scope of variables and functions</a>
+  <a href="https://www.securecoding.cert.org/confluence/display/cplusplus/DCL07-CPP.+Minimize+the+scope+of+variables+and+methods">Minimize the scope of variables and methods</a>
 </li>
 
 

cpp/ql/src/Best Practices/UseOfGoto.qhelp

@@ -41,7 +41,7 @@ this rule.
   E. W. Dijkstra Archive: <a href="http://www.cs.utexas.edu/users/EWD/transcriptions/EWD02xx/EWD215.html">A Case against the GO TO Statement (EWD-215)</a>.
 </li>
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/goto-statement-cpp">goto Statement (C++)</a>.
+  MSDN Library: <a href="http://msdn.microsoft.com/en-gb/library/b34dt9cd%28v=vs.80%29.aspx">The goto Statement</a>.
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.

cpp/ql/src/Critical/DeadCodeGoto.ql

@@ -12,7 +12,7 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions
 
-Stmt getNextRealStmt(BlockStmt b, int i) {
+Stmt getNextRealStmt(Block b, int i) {
   result = b.getStmt(i + 1) and
   not result instanceof EmptyStmt
   or
@@ -20,7 +20,7 @@ Stmt getNextRealStmt(BlockStmt b, int i) {
   result = getNextRealStmt(b, i + 1)
 }
 
-from JumpStmt js, BlockStmt b, int i, Stmt s
+from JumpStmt js, Block b, int i, Stmt s
 where
   b.getStmt(i) = js and
   s = getNextRealStmt(b, i) and

cpp/ql/src/Critical/MissingNullTest.qhelp

@@ -27,6 +27,6 @@ this cannot happen.
 </example>
 
 <references>
-<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointers">EXP34-C. Do not dereference null pointers</a>.</li>
+<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointerss">EXP34-C. Do not dereference null pointers</a>.</li>
 </references>
 </qhelp>

cpp/ql/src/Critical/OverflowDestination.ql

@@ -23,7 +23,10 @@ import semmle.code.cpp.security.TaintTracking
  * ```
  */
 predicate sourceSized(FunctionCall fc, Expr src) {
-  fc.getTarget().hasGlobalOrStdName(["strncpy", "strncat", "memcpy", "memmove"]) and
+  exists(string name |
+    (name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
+    fc.getTarget().hasGlobalOrStdName(name)
+  ) and
   exists(Expr dest, Expr size, Variable v |
     fc.getArgument(0) = dest and
     fc.getArgument(1) = src and

cpp/ql/src/Critical/SizeCheck.ql

@@ -13,9 +13,30 @@
  */
 
 import cpp
-import semmle.code.cpp.models.Models
 
-predicate baseType(AllocationExpr alloc, Type base) {
+class Allocation extends FunctionCall {
+  Allocation() {
+    exists(string name |
+      this.getTarget().hasGlobalOrStdName(name) and
+      (name = "malloc" or name = "calloc" or name = "realloc")
+    )
+  }
+
+  private string getName() { this.getTarget().hasGlobalOrStdName(result) }
+
+  int getSize() {
+    this.getName() = "malloc" and
+    this.getArgument(0).getValue().toInt() = result
+    or
+    this.getName() = "realloc" and
+    this.getArgument(1).getValue().toInt() = result
+    or
+    this.getName() = "calloc" and
+    result = this.getArgument(0).getValue().toInt() * this.getArgument(1).getValue().toInt()
+  }
+}
+
+predicate baseType(Allocation alloc, Type base) {
   exists(PointerType pointer |
     pointer.getBaseType() = base and
     (
@@ -33,12 +54,11 @@ predicate decideOnSize(Type t, int size) {
   size = min(t.getSize())
 }
 
-from AllocationExpr alloc, Type base, int basesize, int allocated
+from Allocation alloc, Type base, int basesize, int allocated
 where
   baseType(alloc, base) and
-  allocated = alloc.getSizeBytes() and
+  allocated = alloc.getSize() and
   decideOnSize(base, basesize) and
-  alloc.(FunctionCall).getTarget() instanceof AllocationFunction and // exclude `new` and similar
   basesize > allocated
 select alloc,
   "Type '" + base.getName() + "' is " + basesize.toString() + " bytes, but only " +

cpp/ql/src/Critical/SizeCheck2.ql

@@ -13,9 +13,30 @@
  */
 
 import cpp
-import semmle.code.cpp.models.Models
 
-predicate baseType(AllocationExpr alloc, Type base) {
+class Allocation extends FunctionCall {
+  Allocation() {
+    exists(string name |
+      this.getTarget().hasGlobalOrStdName(name) and
+      (name = "malloc" or name = "calloc" or name = "realloc")
+    )
+  }
+
+  private string getName() { this.getTarget().hasGlobalOrStdName(result) }
+
+  int getSize() {
+    this.getName() = "malloc" and
+    this.getArgument(0).getValue().toInt() = result
+    or
+    this.getName() = "realloc" and
+    this.getArgument(1).getValue().toInt() = result
+    or
+    this.getName() = "calloc" and
+    result = this.getArgument(0).getValue().toInt() * this.getArgument(1).getValue().toInt()
+  }
+}
+
+predicate baseType(Allocation alloc, Type base) {
   exists(PointerType pointer |
     pointer.getBaseType() = base and
     (
@@ -28,23 +49,16 @@ predicate baseType(AllocationExpr alloc, Type base) {
   )
 }
 
-predicate decideOnSize(Type t, int size) {
-  // If the codebase has more than one type with the same name, it can have more than one size.
-  size = min(t.getSize())
-}
-
-from AllocationExpr alloc, Type base, int basesize, int allocated
+from Allocation alloc, Type base, int basesize, int allocated
 where
   baseType(alloc, base) and
-  allocated = alloc.getSizeBytes() and
-  decideOnSize(base, basesize) and
-  alloc.(FunctionCall).getTarget() instanceof AllocationFunction and // exclude `new` and similar
+  allocated = alloc.getSize() and
   // If the codebase has more than one type with the same name, check if any matches
   not exists(int size | base.getSize() = size |
     size = 0 or
     (allocated / size) * size = allocated
   ) and
-  not basesize > allocated // covered by SizeCheck.ql
+  basesize = min(base.getSize())
 select alloc,
   "Allocated memory (" + allocated.toString() + " bytes) is not a multiple of the size of '" +
     base.getName() + "' (" + basesize.toString() + " bytes)."

cpp/ql/src/Critical/aliasAnalysisWarning.qhelp

@@ -1,11 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<fragment>
-<warning>
-This check is an approximation, so some results may not be actual defects in the program. 
-It is not possible in general to compute the exact value of the variable without running the program with all possible input data.
-</warning>
-</fragment>
-</qhelp>

cpp/ql/src/Critical/callGraphWarning.qhelp

@@ -1,12 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<fragment>
-<warning>
-This check is an approximation, so some results may not be actual defects in the program. 
-It is not possible in general to compute which function is actually called in a virtual call,
-or a call through a pointer, without running the program with all possible input data.
-</warning>
-</fragment>
-</qhelp>

cpp/ql/src/Critical/dataFlowWarning.qhelp

@@ -1,13 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<fragment>
-<warning>
-This check is an approximation, so some results may not be actual defects in the program. 
-It is not possible in general to compute the actual branch taken in conditional statements such
-as "if" without running the program with all possible input data. This means that it is not possible
-to determine if a particular statement is going to be executed.
-</warning>
-</fragment>
-</qhelp>

cpp/ql/src/Critical/pointsToWarning.qhelp

@@ -1,11 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<fragment>
-<warning>
-This check is an approximation, so some results may not be actual defects in the program. It is not possible 
-in general to compute the values of pointers without running the program with all input data.
-</warning>
-</fragment>
-</qhelp>

cpp/ql/src/Documentation/CommentedOutCode.qhelp

@@ -3,5 +3,5 @@
   "qhelp.dtd">
 <qhelp>
   <include src="CommentedOutCodeQuery.qhelp" />
-  <include src="../Metrics/Files/CommentedOutCodeReferences.qhelp" />
+  <include src="CommentedOutCodeReferences.qhelp" />
 </qhelp>

cpp/ql/src/Documentation/CommentedOutCodeQuery.qhelp

@@ -1,25 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Commented-out code is distracting and confusing for developers who read the surrounding code,
-and its significance is often unclear. It will not get compiled or tested when the code around
-it changes, so it's likely to break over time. For these reasons, commented-out code should be
-avoided.
-</p>
-
-</overview>
-
-<recommendation>
-
-<p>
-Remove or reinstate the commented-out code. If you want to include a snippet of example code
-in a comment, consider enclosing it in quotes or marking it up as appropriate for the source
-language.
-</p>
-
-</recommendation>
-</qhelp>

cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql

@@ -13,7 +13,14 @@
 import cpp
 
 class ForbiddenFunction extends Function {
-  ForbiddenFunction() { this.getName() = ["setjmp", "longjmp", "sigsetjmp", "siglongjmp"] }
+  ForbiddenFunction() {
+    exists(string name | name = this.getName() |
+      name = "setjmp" or
+      name = "longjmp" or
+      name = "sigsetjmp" or
+      name = "siglongjmp"
+    )
+  }
 }
 
 from FunctionCall call

cpp/ql/src/JPL_C/LOC-4/Rule 21/MacroInBlock.ql

@@ -12,7 +12,7 @@
 import cpp
 
 int lineInBlock(File f) {
-  exists(BlockStmt block, Location blockLocation |
+  exists(Block block, Location blockLocation |
     block.getFile() = f and blockLocation = block.getLocation()
   |
     result in [blockLocation.getStartLine() .. blockLocation.getEndLine()]

cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.qhelp

@@ -23,7 +23,7 @@ As a result, this check incorrectly considers all negative numbers as even.
 <references>
 
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/multiplicative-operators-and-the-modulus-operator">Multiplicative Operators and the Modulus Operator</a>.
+  MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/ty2ax9z9%28v=vs.71%29.aspx">Multiplicative Operators: *, /, and %</a>.
 </li>
 <li>
   Wikipedia: <a href="http://en.wikipedia.org/wiki/Modulo_operation#Common_pitfalls">Modulo Operation - Common pitfalls</a>.

cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.qhelp

@@ -24,7 +24,7 @@
   Code Project: <a href="http://www.codeproject.com/Articles/2247/An-introduction-to-bitwise-operators">An introduction to bitwise operators</a>
 </li>
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/c-language/signed-bitwise-operations">Signed Bitwise Operations</a>
+  MSDN Library: <a href="https://msdn.microsoft.com/en-us/library/dxda59dh.aspx">Signed Bitwise Operations</a>
 </li>
 
 

cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.qhelp

@@ -21,7 +21,7 @@ It is best to fully parenthesize complex comparison expressions to explicitly de
 <references>
 
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/cpp-built-in-operators-precedence-and-associativity">C++ built-in operators, precedence, and associativity</a>
+  <a href="http://msdn.microsoft.com/en-us/library/126fe14k%28v=VS.80%29.aspx">Operator Precedence and Associativity</a>
 </li>
 <li>
   <a href="http://www.cplusplus.com/doc/tutorial/operators/">Operators</a>

cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.qhelp

@@ -24,7 +24,7 @@ as rounding errors will be more prominent when using such values.
 
 <li>
   D. Goldberg, <em>What Every Computer Scientist Should Know About Floating-Point Arithmetic</em>,
-ACM Computing Surveys, Volume 23, Issue 1, March 1991 (<a href="https://docs.oracle.com/cd/E19957-01/806-3568/ncg_goldberg.html">available online</a>).
+ACM Computing Surveys, Volume 23, Issue 1, March 1991 (<a href="http://docs.sun.com/source/806-3568/ncg_goldberg.html">available online</a>).
 </li>
 
 

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.cpp

@@ -4,5 +4,3 @@ long j = i * i; //Wrong: due to overflow on the multiplication between ints,
 
 long k = (long) i * i; //Correct: the multiplication is done on longs instead of ints, 
                        //and will not overflow
-
-long l = static_cast<long>(i) * i; //Correct: modern C++

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.qhelp

@@ -23,7 +23,7 @@ the expression would produce a result that would be too large to fit in the smal
 <references>
 
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/multiplicative-operators-and-the-modulus-operator">Multiplicative Operators and the Modulus Operator</a>.
+  MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/ty2ax9z9%28v=vs.71%29.aspx">Multiplicative Operators: *, /, and %</a>.
 </li>
 <li>
   Cplusplus.com: <a href="http://www.cplusplus.com/articles/DE18T05o/">Integer overflow</a>.

cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.qhelp

@@ -23,7 +23,7 @@ the latter occupies eight bytes on a 64-bit machine.</p>
 <references>
 
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/type-conversions-and-type-safety-modern-cpp">Type Conversions and Type Safety</a>.
+  MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/hh279667.aspx">Type Conversions and Type Safety (Modern C++)</a>.
 </li>
 <li>
   Cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/typecasting/">Type conversions</a>.

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.qhelp

@@ -23,7 +23,7 @@ the function.
 <li>CERT C Coding
 Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings">FIO30-C. Exclude user input from format strings</a>.</li>
 <li>cplusplus.com: <a href="http://www.tutorialspoint.com/cplusplus/cpp_functions.htm">C++ Functions</a>.</li>
-<li>CRT Alphabetical Function Reference: <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/printf-printf-l-wprintf-wprintf-l">printf, _printf_l, wprintf, _wprintf_l</a>.</li>
+<li>MSDN Alphabetical Function Reference: <a href="http://msdn.microsoft.com/en-us/library/wc7014hz%28VS.71%29.aspx">printf, wprintf</a>.</li>
 
 
 

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -155,8 +155,7 @@ where
     not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
   ) and
   not arg.isAffectedByMacro() and
-  not arg.isFromUninstantiatedTemplate(_) and
-  not actual.getUnspecifiedType() instanceof ErroneousType
+  not arg.isFromUninstantiatedTemplate(_)
 select arg,
   "This argument should be of type '" + expected.getName() + "' but is of type '" +
     actual.getUnspecifiedType().getName() + "'"

cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.qhelp

@@ -15,7 +15,7 @@ of days.  Alternatively, use an established library routine that already contain
 </recommendation>
 
 <references>
-  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
   <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
   <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
 </references>

cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.qhelp

@@ -22,7 +22,7 @@
 </example>
 
 <references>
-  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
   <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
   <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
 </references>

cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.qhelp

@@ -34,7 +34,7 @@
 </example>
 
 <references>
-  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
   <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
   <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
 </references>

cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql

@@ -40,7 +40,9 @@ class DateStructModifiedFieldAccess extends LeapYearFieldAccess {
  */
 class SafeTimeGatheringFunction extends Function {
   SafeTimeGatheringFunction() {
-    this.getQualifiedName() = ["GetFileTime", "GetSystemTime", "NtQuerySystemTime"]
+    this.getQualifiedName() = "GetFileTime" or
+    this.getQualifiedName() = "GetSystemTime" or
+    this.getQualifiedName() = "NtQuerySystemTime"
   }
 }
 
@@ -49,11 +51,15 @@ class SafeTimeGatheringFunction extends Function {
  */
 class TimeConversionFunction extends Function {
   TimeConversionFunction() {
-    this.getQualifiedName() =
-      ["FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime",
-          "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime",
-          "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime",
-          "RtlTimeToSecondsSince1970", "_mkgmtime"]
+    this.getQualifiedName() = "FileTimeToSystemTime" or
+    this.getQualifiedName() = "SystemTimeToFileTime" or
+    this.getQualifiedName() = "SystemTimeToTzSpecificLocalTime" or
+    this.getQualifiedName() = "SystemTimeToTzSpecificLocalTimeEx" or
+    this.getQualifiedName() = "TzSpecificLocalTimeToSystemTime" or
+    this.getQualifiedName() = "TzSpecificLocalTimeToSystemTimeEx" or
+    this.getQualifiedName() = "RtlLocalTimeToSystemTime" or
+    this.getQualifiedName() = "RtlTimeToSecondsSince1970" or
+    this.getQualifiedName() = "_mkgmtime"
   }
 }
 

cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.qhelp

@@ -23,7 +23,7 @@
 </example>
 
 <references>
-  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
   <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
   <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
 </references>

cpp/ql/src/Likely Bugs/Likely Typos/FutileConditional.ql

@@ -27,11 +27,11 @@ predicate macroUseLocation(File f, int start, int end) {
 }
 
 pragma[noopt]
-predicate emptyIf(IfStmt s, BlockStmt b, File f, int start, int end) {
+predicate emptyIf(IfStmt s, Block b, File f, int start, int end) {
   s instanceof IfStmt and
   not exists(s.getElse()) and
   b = s.getThen() and
-  b instanceof BlockStmt and
+  b instanceof Block and
   not exists(b.getAChild()) and
   f = b.getFile() and
   exists(Location l |
@@ -42,7 +42,7 @@ predicate emptyIf(IfStmt s, BlockStmt b, File f, int start, int end) {
 }
 
 pragma[noopt]
-predicate query(IfStmt s, BlockStmt b) {
+predicate query(IfStmt s, Block b) {
   exists(File f, int blockStart, int blockEnd |
     emptyIf(s, b, f, blockStart, blockEnd) and
     not exists(int macroStart, int macroEnd |
@@ -53,7 +53,7 @@ predicate query(IfStmt s, BlockStmt b) {
   )
 }
 
-from IfStmt s, BlockStmt b
+from IfStmt s, Block b
 where
   query(s, b) and
   not b.isInMacroExpansion()

cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp

@@ -23,7 +23,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
   Tutorialspoint - The C++ Programming Language: <a href="http://www.tutorialspoint.com/cplusplus/cpp_switch_statement.htm">C++ switch statement</a>
 </li>
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
+  MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/k0t5wee3%28v=VS.80%29.aspx">The switch Statement</a>
 </li>
 <li>
   M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).

cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql

@@ -50,12 +50,7 @@ predicate illDefinedDecrForStmt(
     DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and
     // `initialCondition` < `terminalCondition`
     (
-      upperBound(initialCondition) < lowerBound(terminalCondition) and
-      (
-        // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
-        v.getUnspecifiedType().(IntegralType).isSigned() or
-        initialCondition.getValue().toInt() = 0
-      )
+      upperBound(initialCondition) < lowerBound(terminalCondition)
       or
       (forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
     )

cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql

@@ -88,8 +88,7 @@ where
   not arg.isAffectedByMacro() and
   size32 = ilp32.paddedSize(actual) and
   size64 = lp64.paddedSize(actual) and
-  size64 != size32 and
-  not actual instanceof ErroneousType
+  size64 != size32
 select arg,
   "This argument should be of type '" + expected.getName() + "' but is of type '" + actual.getName()
     + "' (which changes size from " + size32 + " to " + size64 + " on 64-bit systems)."

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.qhelp

@@ -30,7 +30,7 @@ For an array, the size is the number of elements of the array multiplied by the
   Cplusplus.comn: <a href="http://www.cplusplus.com/reference/clibrary/cstring/memset/">memset</a>
 </li>
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/memset-wmemset">memset, wmemset</a>, <a href="https://docs.microsoft.com/en-us/cpp/cpp/sizeof-operator">sizeof Operator</a>
+  MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/aa246471%28v=VS.60%29.aspx">memset</a>, <a href="http://msdn.microsoft.com/en-us/library/4s7x1k91%28v=VS.71%29.aspx">sizeof Operator</a>
 </li>
 
 

cpp/ql/src/Likely Bugs/NestedLoopSameVar.qhelp

@@ -25,6 +25,9 @@ outer loop. </p>
 <li>
   Tutorialspoint - The C++ Programming Language: <a href="http://www.tutorialspoint.com/cplusplus/cpp_nested_loops.htm">C++ nested loops</a>
 </li>
+<li>
+  MSDN Library: <a href="http://msdn.microsoft.com/en-us/library/8y82wx12%28v=VS.80%29.aspx">Nested Control Structures</a>
+</li>
 
 
 

cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.qhelp

@@ -20,7 +20,7 @@ object instance).</p>
 
 </example>
 <references>
-<li>R. Chen, <a href="https://devblogs.microsoft.com/oldnewthing/20040507-00/?p=39443">When should your destructor be virtual?</a>.</li>
+<li>R. Chen, <a href="http://blogs.msdn.com/oldnewthing/archive/2004/05/07/127826.aspx">When should your destructor be virtual?</a>.</li>
 <li>S. Meyers. <em>Effective C++ 3d ed.</em> pp 40-44. Addison-Wesley Professional, 2005.</li>
 </references>
 </qhelp>

cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql

@@ -1,5 +1,4 @@
 /**
- * @deprecated
  * @name External dependencies
  * @description Count the number of dependencies a C/C++ source file has on external libraries.
  * @kind treemap

cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql

@@ -1,5 +1,4 @@
 /**
- * @deprecated
  * @name External dependency source links
  * @kind source-link
  * @metricType externalDependency

cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp

@@ -1,12 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>
-This metric counts the number of lines of commented-out code in each file. Large amounts of
-commented-out code often indicate poorly maintained code.
-</p>
-
-</overview>
-</qhelp>

cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp

@@ -1,12 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<references>
-
-<li>Mark Needham: <a href="http://www.markhneedham.com/blog/2009/01/17/the-danger-of-commenting-out-code/">The danger of commenting out code</a>.</li>
-<li>Los Techies: <a href="http://lostechies.com/rodpaddock/2010/12/29/commented-code-technical-debt">Commented Code == Technical Debt</a>.</li>
-<li>High Integrity C++ Coding Standard: <a href="http://www.codingstandard.com/rule/2-3-2-do-not-comment-out-code/">2.3.2 Do not comment out code</a>.</li>
-
-</references>
-</qhelp>

cpp/ql/src/Metrics/Files/DuplicationProblems.qhelp

@@ -1,16 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>
-Duplicated code increases overall code size, making the code base
-harder to maintain and harder to understand. It also becomes harder to fix bugs,
-since a programmer applying a fix to one copy has to always remember to update
-other copies accordingly. Finally, code duplication is generally an indication of
-a poorly designed or hastily written code base, which typically suffers from other
-problems as well.
-</p>
-
-</overview>
-</qhelp>

cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql

@@ -1,5 +1,4 @@
 /**
- * @deprecated
  * @name Duplicated lines in files
  * @description The number of lines in a file, including code, comment
  *              and whitespace lines, which are duplicated in at least

cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp

@@ -1,35 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-
-<p>
-This metric measures the number of lines in a file that are contained within a block that is duplicated elsewhere. These lines may include code, comments and whitespace, and the duplicate block may be in this file or in another file.
-</p>
-
-<p>
-A file that contains many lines that are duplicated within the code base is problematic
-for a number of reasons.
-</p>
-
-</overview>
-<include src="DuplicationProblems.qhelp" />
-
-<recommendation>
-
-<p>
-Refactor files with lots of duplicated code to extract the common code into
-a shared library or module.
-</p>
-
-</recommendation>
-<references> 
-
-
-<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Duplicate_code">Duplicate code</a>.</li>
-<li>M. Fowler, <em>Refactoring</em>. Addison-Wesley, 1999.</li>
-
-
-</references>
-</qhelp>

cpp/ql/src/Metrics/Files/FMacroRatio.qhelp

@@ -27,7 +27,7 @@ and IDE support than macros.</p>
 <references>
 
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/preprocessor/macros-c-cpp">Macros (C/C++)</a>
+  <a href="http://msdn.microsoft.com/en-us/library/503x3e3s%28v=vs.80%29.aspx">Macros</a>
 </li>
 <li>
   <a href="http://www.stroustrup.com/icsm-2012-demacro.pdf">Rejuvenating C++ Programs through

cpp/ql/src/Metrics/Files/FNumberOfTests.ql

@@ -18,9 +18,6 @@ Expr getTest() {
   or
   // boost tests; http://www.boost.org/
   result.(FunctionCall).getTarget().hasQualifiedName("boost::unit_test", "make_test_case")
-  or
-  // googletest tests; https://github.com/google/googletest/
-  result.(FunctionCall).getTarget().hasQualifiedName("testing::internal", "MakeAndRegisterTestInfo")
 }
 
 from File f, int n

cpp/ql/src/Metrics/Files/FTimeInFrontend.qhelp

@@ -15,7 +15,7 @@
 <references>
 
 <li>
-  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/preprocessor/hash-include-directive-c-cpp">#include directive (C/C++)</a>
+  <a href="http://msdn.microsoft.com/en-us/library/36k2cdd4%28v=VS.80%29.aspx">The #include Directive</a>
 </li>
 <li>
   <a href="http://gcc.gnu.org/onlinedocs/cpp/Include-Operation.html#Include-Operation">Include operation</a>

cpp/ql/src/Microsoft/SAL.qll

@@ -1,17 +1,14 @@
-/**
- * Provides classes for identifying and reasoning about Microsoft source code
- * annotation language (SAL) macros.
- */
-
 import cpp
 
-/**
- * A SAL macro defined in `sal.h` or a similar header file.
- */
 class SALMacro extends Macro {
   SALMacro() {
-    this.getFile().getBaseName() =
-      ["sal.h", "specstrings_strict.h", "specstrings.h", "w32p.h", "minwindef.h"] and
+    exists(string filename | filename = this.getFile().getBaseName() |
+      filename = "sal.h" or
+      filename = "specstrings_strict.h" or
+      filename = "specstrings.h" or
+      filename = "w32p.h" or
+      filename = "minwindef.h"
+    ) and
     (
       // Dialect for Windows 8 and above
       this.getName().matches("\\_%\\_")
@@ -23,44 +20,36 @@ class SALMacro extends Macro {
 }
 
 pragma[noinline]
-private predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
+predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
 
-/**
- * An invocation of a SAL macro (excluding invocations inside other macros).
- */
 class SALAnnotation extends MacroInvocation {
   SALAnnotation() {
     this.getMacro() instanceof SALMacro and
     isTopLevelMacroAccess(this)
   }
 
-  /** Gets the `Declaration` annotated by `this`. */
+  /** Returns the `Declaration` annotated by `this`. */
   Declaration getDeclaration() {
     annotatesAt(this, result.getADeclarationEntry(), _, _) and
     not result instanceof Type // exclude typedefs
   }
 
-  /** Gets the `DeclarationEntry` annotated by `this`. */
+  /** Returns the `DeclarationEntry` annotated by `this`. */
   DeclarationEntry getDeclarationEntry() {
     annotatesAt(this, result, _, _) and
     not result instanceof TypeDeclarationEntry // exclude typedefs
   }
 }
 
-/**
- * A SAL macro indicating that the return value of a function should always be
- * checked.
- */
 class SALCheckReturn extends SALAnnotation {
   SALCheckReturn() {
-    this.getMacro().(SALMacro).getName() = ["_Check_return_", "_Must_inspect_result_"]
+    exists(SALMacro m | m = this.getMacro() |
+      m.getName() = "_Check_return_" or
+      m.getName() = "_Must_inspect_result_"
+    )
   }
 }
 
-/**
- * A SAL macro indicating that a pointer variable or return value should not be
- * `NULL`.
- */
 class SALNotNull extends SALAnnotation {
   SALNotNull() {
     exists(SALMacro m | m = this.getMacro() |
@@ -80,9 +69,6 @@ class SALNotNull extends SALAnnotation {
   }
 }
 
-/**
- * A SAL macro indicating that a value may be `NULL`.
- */
 class SALMaybeNull extends SALAnnotation {
   SALMaybeNull() {
     exists(SALMacro m | m = this.getMacro() |
@@ -93,29 +79,13 @@ class SALMaybeNull extends SALAnnotation {
   }
 }
 
-/**
- * A parameter annotated by one or more SAL annotations.
- */
-class SALParameter extends Parameter {
-  /** One of this parameter's annotations. */
-  SALAnnotation a;
-
-  SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
-
-  predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
-
-  predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
-
-  predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
-}
-
 ///////////////////////////////////////////////////////////////////////////////
 // Implementation details
 /**
  * Holds if `a` annotates the declaration entry `d` and
  * its start position is the `idx`th position in `file` that holds a SAL element.
  */
-private predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
+predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
   annotatesAtPosition(a.(SALElement).getStartPosition(), d, file, idx)
 }
 
@@ -139,6 +109,22 @@ private predicate annotatesAtPosition(SALPosition pos, DeclarationEntry d, File
   )
 }
 
+/**
+ * A parameter annotated by one or more SAL annotations.
+ */
+class SALParameter extends Parameter {
+  /** One of this parameter's annotations. */
+  SALAnnotation a;
+
+  SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
+
+  predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
+
+  predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
+
+  predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
+}
+
 /**
  * A SAL element, that is, a SAL annotation or a declaration entry
  * that may have SAL annotations.

cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql

@@ -27,7 +27,7 @@ int logicalLength(FunctionDeclarationEntry f) {
     count(Stmt s |
         s.getEnclosingFunction() = f.getFunction() and
         s.getFile() = f.getFile() and
-        not s instanceof BlockStmt and
+        not s instanceof Block and
         not s instanceof EmptyStmt and
         not exists(ForStmt for | s = for.getInitialization()) and
         not s.isAffectedByMacro()

cpp/ql/src/Power of 10/Rule 4/OneStmtPerLine.ql

@@ -14,7 +14,7 @@ import cpp
 class OneLineStmt extends Stmt {
   OneLineStmt() {
     this.getLocation().getStartLine() = this.getLocation().getEndLine() and
-    not this instanceof BlockStmt and
+    not this instanceof Block and
     not exists(ForStmt for | this = for.getInitialization()) and
     (
       // Either this statement is not touched by a macro at all...

cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql

@@ -27,7 +27,7 @@ int logicalLength(FunctionDeclarationEntry f) {
     count(Stmt s |
         s.getEnclosingFunction() = f.getFunction() and
         s.getFile() = f.getFile() and
-        not s instanceof BlockStmt and
+        not s instanceof Block and
         not s instanceof EmptyStmt and
         not exists(ForStmt for | s = for.getInitialization()) and
         not s.isAffectedByMacro()

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.qhelp

@@ -39,7 +39,7 @@ access all the system's passwords.</p>
 
 <li>
 OWASP:
-<a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.
+<a href="https://www.owasp.org/index.php/Path_traversal">Path Traversal</a>.
 </li>
 
 </references>

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.qhelp

@@ -21,7 +21,7 @@ string before converting it to SQL.</p>
 </example>
 <references>
 
-<li>MSDN Library: <a href="https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-injection">SQL Injection</a>.</li>
+<li>Microsoft Developer Network: <a href="http://msdn.microsoft.com/en-us/library/ms161953.aspx">SQL Injection</a>.</li>
 
 
 <!--  LocalWords:  SQL CWE

cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql

@@ -56,7 +56,7 @@ class VarargsFunction extends Function {
   }
 
   string normalTerminator(int cnt) {
-    result = ["0", "-1"] and
+    (result = "0" or result = "-1") and
     cnt = trailingArgValueCount(result) and
     2 * cnt > totalCount() and
     not exists(FunctionCall fc, int index |

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -4,7 +4,7 @@
  *              user can result in integer overflow.
  * @kind path-problem
  * @problem.severity error
- * @precision medium
+ * @precision high
  * @id cpp/uncontrolled-allocation-size
  * @tags reliability
  *       security

cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql

@@ -66,7 +66,10 @@ class IFStream extends Type {
  */
 class CinVariable extends NamespaceVariable {
   CinVariable() {
-    getName() = ["cin", "wcin"] and
+    (
+      getName() = "cin" or
+      getName() = "wcin"
+    ) and
     getNamespace().getName() = "std"
   }
 }

cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql

@@ -14,7 +14,12 @@ import cpp
 
 predicate potentiallyDangerousFunction(Function f, string message) {
   exists(string name | f.hasGlobalName(name) |
-    name = ["gmtime", "localtime", "ctime", "asctime"] and
+    (
+      name = "gmtime" or
+      name = "localtime" or
+      name = "ctime" or
+      name = "asctime"
+    ) and
     message = "Call to " + name + " is potentially dangerous"
   )
 }

cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql

@@ -19,7 +19,12 @@ predicate worldWritableCreation(FileCreationExpr fc, int mode) {
 }
 
 predicate setWorldWritable(FunctionCall fc, int mode) {
-  fc.getTarget().getName() = ["chmod", "fchmod", "_chmod", "_wchmod"] and
+  exists(string name | fc.getTarget().getName() = name |
+    name = "chmod" or
+    name = "fchmod" or
+    name = "_chmod" or
+    name = "_wchmod"
+  ) and
   mode = fc.getArgument(1).getValue().toInt() and
   sets(mode, s_iwoth())
 }

cpp/ql/src/Security/CWE/CWE-732/FilePermissions.qll

@@ -31,7 +31,11 @@ predicate sets(int mask, int fields) { mask.bitAnd(fields) != 0 }
  * one of the `umask` family of functions.
  */
 private int umask(FunctionCall fc) {
-  fc.getTarget().getName() = ["umask", "_umask", "_umask_s"] and
+  exists(string name | name = fc.getTarget().getName() |
+    name = "umask" or
+    name = "_umask" or
+    name = "_umask_s"
+  ) and
   result = fc.getArgument(0).getValue().toInt()
 }
 
@@ -85,7 +89,11 @@ abstract class FileCreationExpr extends FunctionCall {
 
 class OpenCreationExpr extends FileCreationExpr {
   OpenCreationExpr() {
-    this.getTarget().getName() = ["open", "_open", "_wopen"] and
+    exists(string name | name = this.getTarget().getName() |
+      name = "open" or
+      name = "_open" or
+      name = "_wopen"
+    ) and
     sets(this.getArgument(1).getValue().toInt(), o_creat())
   }
 
@@ -126,9 +134,14 @@ private int fopenMode() {
 
 class FopenCreationExpr extends FileCreationExpr {
   FopenCreationExpr() {
-    this.getTarget().getName() = ["fopen", "_wfopen", "fsopen", "_wfsopen"] and
+    exists(string name | name = this.getTarget().getName() |
+      name = "fopen" or
+      name = "_wfopen" or
+      name = "fsopen" or
+      name = "_wfsopen"
+    ) and
     exists(string mode |
-      mode = ["w", "a"] and
+      (mode = "w" or mode = "a") and
       this.getArgument(1).getValue().matches(mode + "%")
     )
   }

cpp/ql/src/codeql-suites/cpp-lgtm-full.qls

@@ -9,7 +9,3 @@
     tags contain:
       - ide-contextual-queries/local-definitions
       - ide-contextual-queries/local-references
-- query: Metrics/Files/FLinesOfCode.ql
-- query: Metrics/Files/FLinesOfCommentedOutCode.ql
-- query: Metrics/Files/FLinesOfComments.ql
-- query: Metrics/Files/FNumberOfTests.ql

cpp/ql/src/definitions.ql

@@ -1,7 +1,7 @@
 /**
  * @name Jump-to-definition links
  * @description Generates use-definition pairs that provide the data
- *              for jump-to-definition in the code viewer of LGTM.
+ *              for jump-to-definition in the code viewer.
  * @kind definitions
  * @id cpp/jump-to-definition
  */
@@ -9,10 +9,5 @@
 import definitions
 
 from Top e, Top def, string kind
-where
-  def = definitionOf(e, kind) and
-  // We need to exclude definitions for elements inside template instantiations,
-  // as these often lead to multiple links to definitions from the same source location.
-  // LGTM does not support this bevaviour.
-  not e.isFromTemplateInstantiation(_)
+where def = definitionOf(e, kind)
 select e, def, kind

cpp/ql/src/definitions.qll

@@ -124,7 +124,6 @@ private predicate constructorCallTypeMention(ConstructorCall cc, TypeMention tm)
 
 /**
  * Gets an element, of kind `kind`, that element `e` uses, if any.
- * Attention: This predicate yields multiple definitions for a single location.
  *
  * The `kind` is a string representing what kind of use it is:
  *  - `"M"` for function and method calls
@@ -197,7 +196,15 @@ Top definitionOf(Top e, string kind) {
     not e.(Element).isInMacroExpansion() and
     // exclude nested macro invocations, as they will overlap with
     // the top macro invocation.
-    not exists(e.(MacroAccess).getParentInvocation())
+    not exists(e.(MacroAccess).getParentInvocation()) and
+    // exclude results from template instantiations, as:
+    // (1) these dependencies will often be caused by a choice of
+    // template parameter, which is non-local to this part of code; and
+    // (2) overlapping results pointing to different locations will
+    // be very common.
+    // It's possible we could allow a subset of these dependencies
+    // in future, if we're careful to ensure the above don't apply.
+    not e.isFromTemplateInstantiation(_)
   ) and
   // Some entities have many locations. This can arise for an external
   // function that is frequently declared but not defined, or perhaps

cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.cpp

@@ -1,11 +0,0 @@
-void test(char *arg1, int *arg2) {
-    if (arg1[0] == 'A') {
-        if (arg2 != NULL) { //maybe redundant
-            *arg2 = 42;
-        }
-    }
-    if (arg1[1] == 'B')
-    {
-        *arg2 = 54; //dereferenced without checking first
-    }
-}

cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.qhelp

@@ -1,29 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>This rule finds comparisons of a function parameter to null that occur when in another path the parameter is dereferenced without a guard check.  It's
-likely either the check is not required and can be removed, or it should be added before the dereference
-so that a null pointer dereference does not occur.</p>
-</overview>
-
-<recommendation>
-<p>A check should be added to before the dereference, in a way that prevents a null pointer value from
-being dereferenced.  If it's clear that the pointer cannot be null, consider removing the check instead.</p>
-</recommendation>
-
-<example>
-<sample src="RedundantNullCheckParam.cpp" />
-</example>
-
-<references>
-<li>
-  <a href="https://www.owasp.org/index.php/Null_Dereference">
-    Null Dereference
-  </a> 
-</li>
-</references>
-
-</qhelp>

cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql

@@ -1,56 +0,0 @@
-/**
- * @name Redundant null check or missing null check of parameter
- * @description Checking a parameter for nullness in one path,
- *              and not in another is likely to be a sign that either
- *              the check can be removed, or added in the other case.
- * @kind problem
- * @id cpp/redundant-null-check-param
- * @problem.severity recommendation
- * @tags reliability
- *       security
- *       external/cwe/cwe-476
- */
-
-import cpp
-
-predicate blockDominates(BlockStmt check, BlockStmt access) {
-  check.getLocation().getStartLine() <= access.getLocation().getStartLine() and
-  check.getLocation().getEndLine() >= access.getLocation().getEndLine()
-}
-
-predicate isCheckedInstruction(VariableAccess unchecked, VariableAccess checked) {
-  checked = any(VariableAccess va | va.getTarget() = unchecked.getTarget()) and
-  //Simple test if the first access in this code path is dereferenced
-  not dereferenced(checked) and
-  blockDominates(checked.getEnclosingBlock(), unchecked.getEnclosingBlock())
-}
-
-predicate candidateResultUnchecked(VariableAccess unchecked) {
-  not isCheckedInstruction(unchecked, _)
-}
-
-predicate candidateResultChecked(VariableAccess check, EqualityOperation eqop) {
-  //not dereferenced to check against pointer, not its pointed value
-  not dereferenced(check) and
-  //assert macros are not taken into account
-  not check.isInMacroExpansion() and
-  // is part of a comparison against some constant NULL
-  eqop.getAnOperand() = check and
-  eqop.getAnOperand() instanceof NullValue
-}
-
-from VariableAccess unchecked, VariableAccess check, EqualityOperation eqop, Parameter param
-where
-  // a dereference
-  dereferenced(unchecked) and
-  // for a function parameter
-  unchecked.getTarget() = param and
-  // this function parameter is not overwritten
-  count(param.getAnAssignment()) = 0 and
-  check.getTarget() = param and
-  // which is once checked
-  candidateResultChecked(check, eqop) and
-  // and which has not been checked before in this code path
-  candidateResultUnchecked(unchecked)
-select check, "This null check is redundant or there is a missing null check before $@ ", unchecked,
-  "where dereferencing happens"

cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.cpp

@@ -1,25 +0,0 @@
-///// Library routines /////
-
-int scanf(const char *format, ...);
-int sscanf(const char *str, const char *format, ...);
-int fscanf(const char *str, const char *format, ...);
-
-///// EXAMPLES /////
-
-int main(int argc, char **argv)
-{
-
-    // BAD, do not use scanf without specifying a length first
-    char buf1[10];
-    scanf("%s", buf1);
-
-    // GOOD, length is specified. The length should be one less than the size of the buffer, since the last character is the NULL terminator.
-    char buf2[10];
-    sscanf(buf2, "%9s");
-
-    // BAD, do not use scanf without specifying a length first
-    char file[10];
-    fscanf(file, "%s", buf2);
-
-    return 0;
-}

cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp

@@ -1,25 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>It is bad practice to use any of the <code>scanf</code> functions without including a specified length within the format parameter, as it will be vulnerable to buffer overflows.</p>
-
-</overview>
-
-<recommendation>
-
-<p>Specify a length within the format string parameter, and make this length one less than the size of the buffer, since the last character should be reserved for the NULL terminator.</p>
-
-</recommendation>
-
-<example>
-<p>The following example demonstrates safe and unsafe uses of <code>scanf</code> type functions.</p>
-<sample src="MemoryUnsafeFunctionScan.cpp" />
-
-</example>
-
-<references>
-</references>
-
-</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql

@@ -1,19 +0,0 @@
-/**
- * @name Scanf function without a specified length
- * @description Use of one of the scanf functions without a specified length.
- * @kind problem
- * @problem.severity warning
- * @id cpp/memory-unsafe-function-scan
- * @tags reliability
- *       security
- *       external/cwe/cwe-120
- */
-
-import cpp
-import semmle.code.cpp.commons.Scanf
-
-from FunctionCall call, ScanfFunction sff
-where
-  call.getTarget() = sff and
-  call.getArgument(sff.getFormatParameterIndex()).getValue().regexpMatch(".*%l?s.*")
-select call, "Dangerous use of one of the scanf functions"

cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.qhelp

@@ -1,32 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>Private data that is stored in a file or buffer unencrypted is accessible to an attacker who gains access to the
-storage.</p>
-
-</overview>
-<recommendation>
-
-<p>Ensure that private data is always encrypted before being stored.
-It may be wise to encrypt information before it is put into a buffer that may be readable in memory.</p>
-
-<p>In general, decrypt private data only at the point where it is necessary for it to be used in
-cleartext.</p>
-
-</recommendation>
-
-<references>
-
-<li><a href="https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Sensitive_Data_Exposure</a></li>
-<li>M. Dowd, J. McDonald and J. Schuhm, <i>The Art of Software Security Assessment</i>, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.</li> 
-<li>M. Howard and D. LeBlanc, <i>Writing Secure Code</i>, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.</li>
-
-
-
-<!--  LocalWords:  CWE
- -->
-
-</references>
-</qhelp>