github
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎change-notes/1.21/analysis-cpp.md‎
Lines changed: 5 additions & 1 deletion b/‎change-notes/1.21/analysis-cpp.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎change-notes/1.21/analysis-csharp.md‎
Lines changed: 18 additions & 1 deletion b/‎change-notes/1.21/analysis-csharp.md‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎change-notes/1.21/analysis-java.md‎
Lines changed: 5 additions & 0 deletions b/‎change-notes/1.21/analysis-java.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎change-notes/1.21/analysis-javascript.md‎
Lines changed: 12 additions & 2 deletions b/‎change-notes/1.21/analysis-javascript.md‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎change-notes/1.21/analysis-python.md‎
Lines changed: 1 addition & 1 deletion b/‎change-notes/1.21/analysis-python.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎change-notes/1.21/extractor-javascript.md‎
Lines changed: 6 additions & 0 deletions b/‎change-notes/1.21/extractor-javascript.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎change-notes/support/versions-compilers.csv‎
Lines changed: 1 addition & 1 deletion b/‎change-notes/support/versions-compilers.csv‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/config/suites/security/cwe-676‎
Lines changed: 2 additions & 0 deletions b/‎cpp/config/suites/security/cwe-676‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql‎
Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ You can use the [interactive query console](https://lgtm.com/help/lgtm/using-que
 
 ## Contributing
 
-We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md) and [QL style guide](docs/ql-style-guide.md).
+We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/Semmle/ql/tree/master/docs) to learn how to format your QL for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.
 
 ## License
 
 
@@ -9,6 +9,7 @@
 | `()`-declared function called with too few arguments (`cpp/too-few-arguments`) | Correctness | Find all cases where the number of arguments is less than the number of parameters of the function, provided the function is also properly declared/defined elsewhere. |
 | `()`-declared function called with mismatched arguments (`cpp/mismatched-function-arguments`) | Correctness | Find all cases where the types of arguments do not match the types of parameters of the function, provided the function is also properly declared/defined elsewhere. |
 | Call to alloca in a loop (`cpp/alloca-in-loop`) | reliability, correctness, external/cwe/cwe-770 | Finds calls to `alloca` in loops, which can lead to stack overflow if the number of iterations is large.  Newly displayed on LGTM. |
+| Use of dangerous function (`dangerous-function-overflow`) | reliability, security, external/cwe/cwe-242 | Finds calls to `gets`, which does not guard against buffer overflow.  These results were previously detected by the `cpp/potentially-dangerous-function` query. |
 
 ## Changes to existing queries
 
@@ -28,11 +29,14 @@
 | Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now more accurately identifies wide and non-wide string/character format arguments on different platforms.  Platform detection has also been made more accurate for the purposes of this query. |
 | Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | Fewer false positive results | Non-standard uses of %L are now understood. |
 | `()`-declared function called with too many arguments (`cpp/futile-params`) | Improved coverage | Query has been generalized to find all cases where the number of arguments exceedes the number of parameters of the function, provided the function is also properly declared/defined elsewhere. |
+| Use of potentially dangerous function (`cpp/potentially-dangerous-function`) | Fewer results | Results relating to the standard library `gets` function have been moved into a new query (`dangerous-function-overflow`). |
+| Constructor with default arguments will be used as a copy constructor (`cpp/constructor-used-as-copy-constructor`) | Lowered severity and precision | The severity and precision of this query have been reduced to "warning" and "low", respectively, due to this coding pattern being used intentionally and safely in a number of real-world projects. |
 
 ## Changes to QL libraries
 - The predicate `Declaration.hasGlobalName` now only holds for declarations that are not nested in a class. For example, it no longer holds for a member function `MyClass::myFunction` or a constructor `MyClass::MyClass`, whereas previously it would classify those two declarations as global names.
-- In class `Declaration`, predicates `getQualifiedName/0` and `hasQualifiedName/1` are no longer recommended for finding functions by name. Instead, use `hasGlobalName/1` and the new `hasQualifiedName/2` and `hasQualifiedName/3` predicates. This improves performance and makes it more reliable to identify names involving templates.
+- In class `Declaration`, predicates `getQualifiedName/0` and `hasQualifiedName/1` are no longer recommended for finding functions by name. Instead, use `hasGlobalName/1` and the new `hasQualifiedName/2` and `hasQualifiedName/3` predicates. This improves performance and makes it more reliable to identify names involving templates and inline namespaces.
 - Additional support for definition by reference has been added to the `semmle.code.cpp.dataflow.TaintTracking` library.
     - The taint tracking library now includes taint-specific edges for functions modeled in `semmle.code.cpp.models.interfaces.DataFlow`.
     - The taint tracking library adds flow through library functions that are modeled in `semmle.code.cpp.models.interfaces.Taint`. Queries can add subclasses of `TaintFunction` to specify additional flow.
 - There is a new `FoldExpr` class, representing C++17 fold expressions.
+- The member predicates `DeclarationEntry.getUnspecifiedType`, `Expr.getUnspecifiedType`, and `Variable.getUnspecifiedType` have been added. These should be preferred over the existing `getUnderlyingType` predicates.
@@ -6,13 +6,30 @@
 |------------------------------|------------------------|-----------------------------------|
 | Class defines a field that uses an ICryptoTransform class in a way that would be unsafe for concurrent threads (`cs/thread-unsafe-icryptotransform-field-in-class`) | Fewer false positive results | The criteria for a result has changed to include nested properties, nested fields and collections. The format of the alert message has changed to highlight the static field. |
 | Constant condition (`cs/constant-condition`) | Fewer false positive results | Results have been removed where the `null` value is in a conditional expression on the left hand side of a null-coalescing expression. For example, in `(a ? b : null) ?? c`, `null` is not considered to be a constant condition. |
+| Useless upcast (`cs/useless-upcast`) | Fewer false positive results | Results have been removed where the upcast is used to disambiguate the target of a constructor call. |
 
 ## Changes to code extraction
 
-* Named attribute arguments are now extracted.
+* The following C# 8 features are now extracted:
+    - Range expressions
+    - Recursive patterns
+* The `unmanaged` type parameter constraint is now extracted.
 
 ## Changes to QL libraries
 
 * The class `Attribute` has two new predicates: `getConstructorArgument()` and `getNamedArgument()`. The first predicate returns arguments to the underlying constructor call and the latter returns named arguments for initializing fields and properties.
+* The class `TypeParameterConstraints` has a new predicate `hasUnmanagedTypeConstraint()`, indicating that the type parameter has the `unmanaged` constraint.
+* The following QL classes have been added to model C# 8 features:
+    - Class `IndexExpr` models from-end index expressions, for example `^1`
+    - Class `PatternExpr` is an `Expr` that appears in a pattern. It has the new subclasses `DiscardPatternExpr`, `LabeledPatternExpr`, `RecursivePatternExpr`, `TypeAccessPatternExpr`, `TypePatternExpr`, and `VariablePatternExpr`.
+    - Class `PatternMatch` models a pattern being matched. It has the subclasses `Case` and `IsExpr`.
+    - Class `PositionalPatternExpr` models position patterns, for example `(int x, int y)`
+    - Class `PropertyPatternExpr` models property patterns, for example `Length: int len`
+    - Class `RangeExpr` models range expressions, for example `1..^1`
+    - Class `SwitchCaseExpr` models the arm of a switch expression, for example `(false, false) => true`
+    - Class `SwitchExpr` models `switch` expressions, for example `(a, b) switch { ... }`
+    - Classes `IsConstantExpr`, `IsTypeExpr` and `IsPatternExpr` are deprecated in favour of `IsExpr`
+    - Class `Switch` models both `SwitchExpr` and `SwitchStmt`
+    - Class `Case` models both `CaseStmt` and `SwitchCaseExpr`
 
 ## Changes to autobuilder
@@ -22,6 +22,11 @@
   methods. This means that more guards are recognized yielding precision
   improvements in a number of queries including `java/index-out-of-bounds`,
   `java/dereferenced-value-may-be-null`, and `java/useless-null-check`.
+* The default sanitizer in taint tracking has been made more precise. The
+  sanitizer works by looking for guards that inspect tainted strings, and it
+  used to work at the level of individual variables. This has been changed to
+  use the `Guards` library, such that only guarded variable accesses are
+  sanitized. This may give additional results in the security queries.
 * Spring framework support is enhanced by taking into account additional
   annotations that indicate remote user input. This affects all security
   queries, which may yield additional results.
@@ -17,13 +17,18 @@
 
 * The security queries now treat comparisons with symbolic constants as sanitizers, resulting in fewer false positives.
 
-* TypeScript 3.4 features are now supported.
+* TypeScript 3.5 is now supported.
+
+* On LGTM, TypeScript projects now have static type information extracted by default, resulting in more security results.
+  Users of the command-line tools must still pass `--typescript-full` to the extractor to enable this.
 
 
 ## New queries
 
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
 |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Missing regular expression anchor (`js/regex/missing-regexp-anchor`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression patterns that may be missing an anchor, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are not shown on LGTM by default. |
+| Prototype pollution (`js/prototype-pollution`)    | security, external/cwe-250, external/cwe-400 | Highlights code that allows an attacker to modify a built-in prototype object through an unsanitized recursive merge function. The results are shown on LGTM by default. |
 
 ## Changes to existing queries
 
@@ -42,10 +47,15 @@
 | Useless assignment to property | Fewer false-positive results | This rule now ignore reads of additional getters. |
 | Unreachable statement | Unreachable throws no longer give an alert | This ignores unreachable throws, as they could be intentional (for example, to placate the TS compiler). |
 | Incorrect suffix check | Fewer false-positive results | This rule now recognizes valid checks in more cases. |
+| Tainted path | More results and fewer false-positive results | This rule now analyses path manipulation code more precisely. |
 
 ## Changes to QL libraries
 
 * `RegExpLiteral` is now a `DataFlow::SourceNode`.
 * `JSDocTypeExpr` now has source locations and is a subclass of `Locatable` and `TypeAnnotation`.
+* The two-parameter versions of predicate `isBarrier` in `DataFlow::Configuration` and of predicate `isSanitizer` in `TaintTracking::Configuration` have been renamed to `isBarrierEdge` and `isSanitizerEdge`, respectively. The old names are maintained for backwards-compatibility in this version, but will be deprecated in the next version and subsequently removed.
 * Various predicates named `getTypeAnnotation()` now return `TypeAnnotation` instead of `TypeExpr`.
-  In rare cases, this may cause compilation errors. Cast the result to `TypeExpr` if this happens.
+  In rare cases, this may cause compilation errors in existing code. Cast the result to `TypeExpr` if this happens.
+* The `getALabel` predicate in `LabeledBarrierGuardNode` and `LabeledSanitizerGuardNode`
+  has been deprecated and overriding it no longer has any effect.
+  Instead use the 3-parameter version of `blocks` or `sanitizes`.
@@ -10,7 +10,7 @@
   | **Query** | **Tags** | **Purpose** |
   |-----------|----------|-------------|
   | Accepting unknown SSH host keys when using Paramiko (`py/paramiko-missing-host-key-validation`) | security, external/cwe/cwe-295 | Finds instances where Paramiko is configured to accept unknown host keys. Results are shown on LGTM by default. |
-
+  | Use of 'return' or 'yield' outside a function (`py/return-or-yield-outside-function`) | reliability, correctness | Finds instances where `return`, `yield`, and `yield from` are used outside a function. Results are not shown on LGTM by default. |
 
 ## Changes to existing queries
 
 
@@ -4,6 +4,12 @@
 
 ## Changes to code extraction
 
+* Custom file types can now be specified using the `filetypes` property in the `extraction/javascript/index` section of `lgtm.yml`. The property should be a map from file extensions (including the dot) to file types. Valid file types are `html`, `js`, `json`, `typescript`, `xml` and `yaml`.
+
 * ECMAScript 2019 support is now enabled by default.
 
+* On LGTM, JavaScript extraction for projects that do not contain any JavaScript or TypeScript code will now fail, even if the project contains other file types (such as HTML or YAML) recognized by the JavaScript extractor.
+
+* XML files can now be extracted on LGTM. To enable XML extraction, set the `xml_mode` property in the `extraction/javascript/index` section of your `lgtm.yml` file to `all`. The default value of this property is `disabled`, meaning that XML files will not be extracted. (Note, however, that files with an extension that is associated with file type `xml` in the `filetypes` property are still extracted.)
+
 * YAML files are now extracted by default on LGTM. You can specify exclusion filters in your `lgtm.yml` file to override this behavior.
@@ -13,4 +13,4 @@ Java,"Java 6 to 11 [2]_.","javac (OpenJDK and Oracle JDK)
 Eclipse compiler for Java (ECJ) batch compiler",``.java``
 JavaScript,ECMAScript 2019 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhm``, ``.xhtml``, ``.vue``, ``.json``, ``.yaml``, ``.yml``, ``.raml`` [3]_."
 Python,"2.7, 3.5, 3.6, 3.7",Not applicable,``.py``
-TypeScript [4]_.,"2.6-3.4",Standard TypeScript compiler,"``.ts``, ``.tsx``"
+TypeScript [4]_.,"2.6-3.5",Standard TypeScript compiler,"``.ts``, ``.tsx``"
@@ -3,3 +3,5 @@
     @name Dangerous use of 'cin' (CWE-676)
 + semmlecode-cpp-queries/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql: /CWE/CWE-676
     @name Use of potentially dangerous function (CWE-676)
++ semmlecode-cpp-queries/Security/CWE/CWE-676/DangerousFunctionOverflow.ql: /CWE/CWE-676
+    @name Use of dangerous function (CWE-676)
@@ -13,6 +13,6 @@
 import cpp
 
 from CatchBlock cb, Class caughtType
-where caughtType = cb.getParameter().getType().getUnderlyingType().getUnspecifiedType()
+where caughtType = cb.getParameter().getUnspecifiedType()
 select cb,
   "This should catch a " + caughtType.getName() + " by (const) reference rather than by value."