github
diff --git a/‎.lgtm.yml‎
Lines changed: 17 additions & 0 deletions b/‎.lgtm.yml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 5 additions & 3 deletions b/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎change-notes/1.19/analysis-csharp.md‎
Lines changed: 2 additions & 2 deletions b/‎change-notes/1.19/analysis-csharp.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎change-notes/1.19/analysis-java.md‎
Lines changed: 9 additions & 4 deletions b/‎change-notes/1.19/analysis-java.md‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/config/suites/security/cwe-428‎
Lines changed: 3 additions & 0 deletions b/‎cpp/config/suites/security/cwe-428‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cpp/config/suites/security/default‎
Lines changed: 1 addition & 0 deletions b/‎cpp/config/suites/security/default‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/Critical/DeadCodeGoto.cpp‎
Lines changed: 7 additions & 0 deletions b/‎cpp/ql/src/Critical/DeadCodeGoto.cpp‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎cpp/ql/src/Critical/DeadCodeGoto.qhelp‎
Lines changed: 28 additions & 0 deletions b/‎cpp/ql/src/Critical/DeadCodeGoto.qhelp‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎cpp/ql/src/Critical/DeadCodeGoto.ql‎
Lines changed: 33 additions & 0 deletions b/‎cpp/ql/src/Critical/DeadCodeGoto.ql‎
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,17 @@
+path_classifiers:
+  library:
+  - javascript/externs
+
+  test:
+  - csharp/ql/src
+  - csharp/ql/test
+  - javascript/ql/src
+  - javascript/ql/test
+
+queries:
+  - include: "*"
+
+extraction:
+  python:
+    python_setup:
+      version: 3
@@ -6,16 +6,18 @@
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| Cast between HRESULT and a Boolean type (`cpp/hresult-boolean-conversion`) | external/cwe/cwe-253 | Finds logic errors caused by mistakenly treating the Windows `HRESULT` type as a Boolean instead of testing it with the appropriate macros. Enabled by default. |
+| Cast between `HRESULT` and a Boolean type (`cpp/hresult-boolean-conversion`) | external/cwe/cwe-253 | Finds logic errors caused by mistakenly treating the Windows `HRESULT` type as a Boolean instead of testing it with the appropriate macros. Enabled by default. |
 | Setting a DACL to `NULL` in a `SECURITY_DESCRIPTOR` (`cpp/unsafe-dacl-security-descriptor`) | external/cwe/cwe-732 | This query finds code that creates world-writable objects on Windows by setting their DACL to `NULL`. Enabled by default. |
-| Cast from char* to wchar_t* | security, external/cwe/cwe-704 | Detects potentially dangerous casts from char* to wchar_t*.  Enabled by default on LGTM. |
+| Cast from `char*` to `wchar_t*` | security, external/cwe/cwe-704 | Detects potentially dangerous casts from `char*` to `wchar_t*`.  Enabled by default on LGTM. |
+| Dead code due to `goto` or `break` statement (`cpp/dead-code-goto`) | maintainability, external/cwe/cwe-561 | Detects dead code following a goto or break statement. Enabled by default on LGTM. |
 
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
-| Resource not released in destructor | Fewer false positive results | Placement new is now excluded from the query. |
+| Resource not released in destructor | Fewer false positive results | Placement new is now excluded from the query. Also fixed an issue where false positives could occur if the destructor body was not in the snapshot. |
 | Missing return statement (`cpp/missing-return`) | Visible by default | The precision of this query has been increased from 'medium' to 'high', which makes it visible by default in LGTM. It was 'medium' in release 1.17 and 1.18 because it had false positives due to an extractor bug that was fixed in 1.18. |
+| Missing return statement | Fewer false positive results | The query is now produces correct results when a function returns a template-dependent type. |
 | Call to memory access function may overflow buffer | More correct results | Array indexing with a negative index is now detected by this query. |
 | Suspicious add with sizeof | Fewer false positive results | Arithmetic with void pointers (where allowed) is now excluded from this query. |
 | Wrong type of arguments to formatting function | Fewer false positive results | False positive results involving typedefs have been removed.  Expected argument types are determined more accurately, especially for wide string and pointer types.  Custom (non-standard) formatting functions are also identified more accurately. |
 
@@ -12,8 +12,8 @@
 
 ## Changes to existing queries
 
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
+| Inconsistent lock sequence (`cs/inconsistent-lock-sequence`) | More results | This query now finds inconsistent lock sequences globally across calls. |
+
 | *@name of query (Query ID)*| *Impact on results*    | *How/why the query has changed*                                  |
 
 
 
@@ -4,13 +4,18 @@
 
 ## New queries
 
-| **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
-|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
 
 ## Changes to existing queries
 
-| **Query**                      | **Expected impact**        | **Change**                                   |
-| Unreachable catch clause (`java/unreachable-catch-clause`) | Fewer false-positive results | This rule now accounts for calls to generic methods that throw generic exceptions. |
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Array index out of bounds (`java/index-out-of-bounds`) | Fewer false positive results | False positives involving arrays with a length evenly divisible by 3 or some greater number and an index being increased with a similar stride length are no longer reported. |
+| Unreachable catch clause (`java/unreachable-catch-clause`) | Fewer false positive results | This rule now accounts for calls to generic methods that throw generic exceptions. |
+| Useless comparison test (`java/constant-comparison`) | Fewer false positive results | Constant comparisons guarding `java.util.ConcurrentModificationException` are no longer reported, as they are intended to always be false in the absence of API misuse. |
 
 ## Changes to QL libraries
 
+* The `ParityAnalysis` library is replaced with the more general `ModulusAnalysis` library, which improves the range analysis.
+
@@ -35,6 +35,7 @@
 | Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
 | Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. |
 | Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. |
+| Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. |
 | User-controlled bypass of security check | Fewer results | This rule no longer flags conditions that guard early returns. The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. | 
 | Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |
 
 
@@ -0,0 +1,3 @@
+# CWE-428: Unquoted Search Path or Element
++ semmlecode-cpp-queries/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql: /CWE/CWE-428
+    @name NULL application name with an unquoted path in call to CreateProcess (CWE-428)
@@ -19,6 +19,7 @@
 @import "cwe-327"
 @import "cwe-367"
 @import "cwe-416"
+@import "cwe-428"
 @import "cwe-457"
 @import "cwe-468"
 @import "cwe-676"
 
@@ -0,0 +1,7 @@
+goto err1;
+free(pointer); // BAD: this line is unreachable
+err1: return -1;
+
+free(pointer); // GOOD: this line is reachable
+goto err2;
+err2: return -1;
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>
+Code immediately following a <code>goto</code> or <code>break</code> statement will not be executed,
+unless there is a label or switch case. When the code is necessary, this leads to logical errors or
+resource leaks. If the code is unnecessary, it may confuse readers.
+</p>
+</overview>
+<recommendation>
+<p>
+If the unreachable code is necessary, move the <code>goto</code> or <code>break</code> statement to
+after the code. Otherwise, delete the unreachable code.
+</p>
+
+</recommendation>
+<example><sample src="DeadCodeGoto.cpp" />
+</example>
+<references>
+<li>
+  The CERT C Secure Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">MSC12-C. Detect and remove code that has no effect or is never executed</a>.
+</li>
+</references>
+</qhelp>
@@ -0,0 +1,33 @@
+/**
+ * @name Dead code due to goto or break statement
+ * @description A goto or break statement is followed by unreachable code. 
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id cpp/dead-code-goto
+ * @tags maintainability
+ *       external/cwe/cwe-561
+ */
+
+import cpp
+
+Stmt getNextRealStmt(Block b, int i) {
+  result = b.getStmt(i + 1) and
+  not result instanceof EmptyStmt
+  or
+  b.getStmt(i + 1) instanceof EmptyStmt and
+  result = getNextRealStmt(b, i + 1)
+}
+
+from JumpStmt js, Block b, int i, Stmt s
+where b.getStmt(i) = js
+  and s = getNextRealStmt(b, i)
+  // the next statement isn't jumped to
+  and not s instanceof LabelStmt
+  and not s instanceof SwitchCase
+  // the next statement isn't breaking out of a switch
+  and not s.(BreakStmt).getBreakable() instanceof SwitchStmt
+  // the next statement isn't a loop that can be jumped into
+  and not exists (LabelStmt ls | s.(Loop).getStmt().getAChild*() = ls)
+  and not exists (SwitchCase sc | s.(Loop).getStmt().getAChild*() = sc)
+select js, "This statement makes $@ unreachable.", s, s.toString()
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# CWE-428: Unquoted Search Path or Element`
	`2`	`++ semmlecode-cpp-queries/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql: /CWE/CWE-428`
	`3`	`+ @name NULL application name with an unquoted path in call to CreateProcess (CWE-428)`