github
diff --git a/‎CODEOWNERS‎
Lines changed: 2 additions & 1 deletion b/‎CODEOWNERS‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 2 additions & 1 deletion b/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 15 additions & 4 deletions b/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎change-notes/1.24/analysis-javascript.md‎
Lines changed: 19 additions & 0 deletions b/‎change-notes/1.24/analysis-javascript.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql‎
Lines changed: 2 additions & 7 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql‎
Lines changed: 2 additions & 7 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql‎
Lines changed: 2 additions & 2 deletions b/‎cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql‎
Lines changed: 6 additions & 3 deletions b/‎cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow-bad.cpp‎
Lines changed: 3 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow-bad.cpp‎
Lines changed: 3 additions & 0 deletions
@@ -1,7 +1,8 @@
+/cpp/ @Semmle/cpp-analysis
 /csharp/ @Semmle/cs
 /java/ @Semmle/java
 /javascript/ @Semmle/js
-/cpp/ @Semmle/cpp-analysis
+/python/ @Semmle/python
 /cpp/**/*.qhelp @hubwriter
 /csharp/**/*.qhelp @jf205
 /java/**/*.qhelp @felicitymay
 
@@ -5,7 +5,7 @@ This open source repository contains the standard CodeQL libraries and queries t
 ## How do I learn CodeQL and run queries?
 
 There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin to try out your queries on any open source project that's currently being analyzed.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 
 
@@ -9,7 +9,8 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail.  This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). |
-| Signed overflow check (`cpp/signed-overflow-check`) | correctness, reliability | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. |
+| Signed overflow check (`cpp/signed-overflow-check`) | correctness, security | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. |
+| Pointer overflow check (`cpp/pointer-overflow-check`) | correctness, security | Finds overflow checks that rely on pointer addition to overflow, which has undefined behavior. Example: `ptr + a < ptr`. |
 
 ## Changes to existing queries
 
 
@@ -8,9 +8,14 @@
 
 * Support for the following frameworks and libraries has been improved:
   - [firebase](https://www.npmjs.com/package/firebase)
+  - [get-them-args](https://www.npmjs.com/package/get-them-args)
+  - [minimist](https://www.npmjs.com/package/minimist)
   - [mongodb](https://www.npmjs.com/package/mongodb)
   - [mongoose](https://www.npmjs.com/package/mongoose)
+  - [optimist](https://www.npmjs.com/package/optimist)
+  - [parse-torrent](https://www.npmjs.com/package/parse-torrent)
   - [rate-limiter-flexible](https://www.npmjs.com/package/rate-limiter-flexible)
+  - [yargs](https://www.npmjs.com/package/yargs) 
 
 * The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
 
@@ -20,14 +25,15 @@
 
 | **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 |---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
+| Ignoring result from pure array method (`js/ignore-array-result`)         | maintainability, correctness                                      | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. |
+| Incomplete URL scheme check (`js/incomplete-url-scheme-check`)            | security, correctness, external/cwe/cwe-020                       | Highlights checks for `javascript:` URLs that do not take `data:` or `vbscript:` URLs into account. Results are shown on LGTM by default. |
 | Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are shown on LGTM by default. |
-| Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
 | Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
+| Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
+| Unreachable method overloads (`js/unreachable-method-overloads`)          | correctness, typescript                                           | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
+| Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
 | Use of returnless function (`js/use-of-returnless-function`)              | maintainability, correctness                                      | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
 | Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
-| Unreachable method overloads (`js/unreachable-method-overloads`)          | correctness, typescript                                           | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
-| Ignoring result from pure array method (`js/ignore-array-result`)         | maintainability, correctness                                      | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. |
 
 ## Changes to existing queries
 
@@ -51,6 +57,11 @@
 ## Changes to libraries
 
 * `Expr.getDocumentation()` now handles chain assignments.
+* String literals are now parsed as regular expressions.
+  Consequently, a `RegExpTerm` may occur as part of a string literal or
+  as a regular expression literal. Queries that search for regular expressions may need to
+  use `RegExpTerm.isPartOfRegExpLiteral` or `RegExpTerm.isUsedAsRegExp` to restrict the search.
+  A regular expression AST can be obtained from a string literal using `StringLiteral.asRegExp`.
 
 ## Removal of deprecated queries
 
 
@@ -0,0 +1,19 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+
+## New queries
+
+| **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
+|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Clear-text logging of sensitive information (`js/clear-text-logging`) | More results | More results involving `process.env` and indirect calls to logging methods are recognized. |
+
+## Changes to libraries
+
@@ -13,18 +13,13 @@
 
 import cpp
 import PointlessSelfComparison
+import semmle.code.cpp.commons.Exclusions
 
 from ComparisonOperation cmp
 where
   pointlessSelfComparison(cmp) and
   not nanTest(cmp) and
   not overflowTest(cmp) and
   not cmp.isFromTemplateInstantiation(_) and
-  not exists(MacroInvocation mi |
-    // cmp is in mi
-    mi.getAnExpandedElement() = cmp and
-    // and cmp was apparently not passed in as a macro parameter
-    cmp.getLocation().getStartLine() = mi.getLocation().getStartLine() and
-    cmp.getLocation().getStartColumn() = mi.getLocation().getStartColumn()
-  )
+  not isFromMacroDefinition(cmp)
 select cmp, "Self comparison."
@@ -1,13 +1,13 @@
 /**
- * @name Undefined result of signed test for overflow
+ * @name Signed overflow check
  * @description Testing for overflow by adding a value to a variable
  *              to see if it "wraps around" works only for
  *              unsigned integer values.
  * @kind problem
  * @problem.severity warning
  * @precision high
  * @id cpp/signed-overflow-check
- * @tags reliability
+ * @tags correctness
  *       security
  */
 
 
@@ -15,7 +15,10 @@ import cpp
 
 from ExprInVoidContext op
 where
-  op instanceof EQExpr
-  or
-  op.(FunctionCall).getTarget().hasName("operator==")
+  not op.isUnevaluated() and
+  (
+    op instanceof EQExpr
+    or
+    op.(FunctionCall).getTarget().hasName("operator==")
+  )
 select op, "This '==' operator has no effect. The assignment ('=') operator was probably intended."
@@ -86,6 +86,7 @@ where
   not peivc.isFromTemplateInstantiation(_) and
   parent = peivc.getParent() and
   not parent.isInMacroExpansion() and
+  not peivc.isUnevaluated() and
   not parent instanceof PureExprInVoidContext and
   not peivc.getEnclosingFunction().isCompilerGenerated() and
   not peivc.getType() instanceof UnknownType and
 
@@ -0,0 +1,3 @@
+bool not_in_range(T *ptr, T *ptr_end, size_t i) {
+    return ptr + i >= ptr_end || ptr + i < ptr; // BAD
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+bool not_in_range(T ptr, T ptr_end, size_t i) {`
	`2`	`+ return ptr + i >= ptr_end \|\| ptr + i < ptr; // BAD`
	`3`	`+}`