github
diff --git a/‎change-notes/1.20/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.20/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.20/analysis-javascript.md‎
Lines changed: 7 additions & 1 deletion b/‎change-notes/1.20/analysis-javascript.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎cpp/ql/src/Metrics/queries.xml‎
Lines changed: 0 additions & 1 deletion b/‎cpp/ql/src/Metrics/queries.xml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/commons/Environment.qll‎
Lines changed: 1 addition & 7 deletions b/‎cpp/ql/src/semmle/code/cpp/commons/Environment.qll‎
Lines changed: 1 addition & 7 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/security/CommandExecution.qll‎
Lines changed: 0 additions & 24 deletions b/‎cpp/ql/src/semmle/code/cpp/security/CommandExecution.qll‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll‎
Lines changed: 0 additions & 22 deletions b/‎cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll‎
Lines changed: 0 additions & 22 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/security/TaintTracking.qll‎
Lines changed: 0 additions & 63 deletions b/‎cpp/ql/src/semmle/code/cpp/security/TaintTracking.qll‎
Lines changed: 0 additions & 63 deletions
diff --git a/‎cpp/ql/test/library-tests/sideEffects/functions/error.cpp‎
Lines changed: 19 additions & 0 deletions b/‎cpp/ql/test/library-tests/sideEffects/functions/error.cpp‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/sideEffects/functions/sideEffects.expected‎
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/test/library-tests/sideEffects/functions/sideEffects.expected‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.expected‎
Lines changed: 3 additions & 0 deletions b/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.expected‎
Lines changed: 3 additions & 0 deletions
@@ -18,6 +18,7 @@
 ## Changes to code extraction
 
 * Fix extraction of `for` statements where the condition declares new variables using `is`.
+* Initializers of `stackalloc` arrays are now extracted.
 
 ## Changes to QL libraries
 
 
@@ -4,7 +4,11 @@
 
 * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
   - client-side code, for example [React](https://reactjs.org/)
+  - cookies and webstorage, for example [js-cookie](https://github.com/js-cookie/js-cookie)
   - server-side code, for example [hapi](https://hapijs.com/)
+* File classification has been improved to recognize additional generated files, for example files from [HTML Tidy](html-tidy.org).
+
+* The taint tracking library now recognizes flow through persistent storage, this may give more results for the security queries. 
 
 ## New queries
 
@@ -20,6 +24,8 @@
 | **Query**                                  | **Expected impact**          | **Change**                                                                   |
 |--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
 | Client-side cross-site scripting           | More results                 | This rule now recognizes WinJS functions that are vulnerable to HTML injection. |
-| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements. |
+| Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
+| Unused parameter                           | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
+| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, and no longer flags variables with leading underscore. |
 
 ## Changes to QL libraries
@@ -34,11 +34,5 @@ private predicate readsEnvironment(Expr read, string sourceDescription) {
     read = call and
     call.getTarget().hasGlobalName(name) and
     (name = "getenv" or name = "secure_getenv" or name = "_wgetenv") and
-    sourceDescription = name) or
-  exists(MessageExpr getObjectKey, MessageExpr getEnviron |
-    read = getObjectKey and
-    getObjectKey.getTarget().getQualifiedName().matches("NSDictionary%::-objectForKey:") and
-    getObjectKey.getQualifier() = getEnviron and
-    getEnviron.getTarget().getQualifiedName().matches("NSProcessInfo%:-environment") and
-    sourceDescription = "NSProcessInfo")
+    sourceDescription = name)
 }
@@ -159,17 +159,6 @@ predicate shellCommandPreface(string cmd, string flag) {
   )
 }
 
-/**
- * An array element. This supports multiple kinds of array syntax.
- */
-private predicate arrayElement(Expr arrayLit, int idx, Expr element) {
-  exists (ArrayLiteral lit | lit = arrayLit |
-    lit.getElement(idx) = element)
-  or exists (MessageExpr arrayWithObjects | arrayWithObjects = arrayLit |
-    arrayWithObjects.getStaticTarget().getQualifiedName().matches("NSArray%::+arrayWithObjects:") and
-    arrayWithObjects.getArgument(idx) = element)
-}
-
 /**
  * A command that is used as a command, or component of a command,
  * that will be executed by a general-purpose command interpreter
@@ -203,18 +192,5 @@ predicate shellCommand(Expr command, string callChain) {
     and arrayInitializer.getChild(idx) = command
     and shellCommandPreface(commandInterpreter.getValue(), flag.getValue())
     and idx > 1)
-      
-  // Creation of NSTask
-  or exists(
-    MessageExpr launchedTaskCall, TextLiteral commandInterpreter,
-    Expr arrayLiteral, TextLiteral flag
-  |
-    launchedTaskCall.getStaticTarget().getQualifiedName().matches("NSTask%::+launchedTaskWithLaunchPath:arguments:")
-    and commandInterpreter = launchedTaskCall.getArgument(0)
-    and arrayLiteral = launchedTaskCall.getArgument(1)
-    and arrayElement(arrayLiteral, 0, flag)
-    and arrayElement(arrayLiteral, 1, command)
-    and shellCommandPreface(commandInterpreter.getValue(), flag.getValue())
-    and callChain = "NSTask")
 }
 
@@ -35,25 +35,3 @@ class SensitiveCall extends SensitiveExpr {
     )
   } 
 }
-
-class SensitivePropAccess extends SensitiveExpr {
-  SensitivePropAccess() {
-    exists (PropertyAccess acc, string name |
-      acc = this and
-      name = acc.getProperty().getName().toLowerCase() and
-      name.matches(suspicious()) and
-      not name.matches(nonSuspicious()))
-  }
-}
-
-/**
- * A read from the value of a text widget.
- */
-class SensitiveTextRead extends SensitiveExpr {
-  SensitiveTextRead() {
-    exists (PropertyAccess facc |
-      facc = this and
-      facc.getReceiver() instanceof SensitiveExpr and
-      facc.getProperty().getName() = "text")
-  }
-}
@@ -238,21 +238,12 @@ predicate insideFunctionValueMoveTo(Element src, Element dest)
       returnArgument(c.getTarget(), sourceArg)
       and src = c.getArgument(sourceArg)
       and dest = c)
-    or exists (MessageExpr send |
-      methodReturningAnyArgument(send.getStaticTarget())
-      and not send instanceof FormattingFunctionCall
-      and src = send.getAnArgument()
-      and dest = send)
     or exists(FormattingFunctionCall formattingSend, int arg, FormatLiteral format, string argFormat |
       dest = formattingSend
       and formattingSend.getArgument(arg) = src
       and format = formattingSend.getFormat()
       and format.getConversionChar(arg - formattingSend.getTarget().getNumberOfParameters()) = argFormat
       and (argFormat = "s" or argFormat = "S" or argFormat = "@"))
-    or exists (ExprMessageExpr send |
-      methodReturningReceiver(send.getStaticTarget())
-      and src = send.getReceiver()
-      and dest = send)
     // Expressions computed from tainted data are also tainted
     or (exists (FunctionCall call | dest = call and isPureFunction(call.getTarget().getName()) |
       call.getAnArgument() = src
@@ -457,60 +448,6 @@ private predicate returnArgument(Function f, int sourceArg)
   or (f.hasGlobalName("gethostbyaddr") and sourceArg = 0)
 }
 
-/** A method where if any argument is tainted, the return value should be, too */
-private predicate methodReturningAnyArgument(MemberFunction method) {
-  method.getQualifiedName().matches("NS%Array%::+array%") or
-  method.getQualifiedName().matches("NS%Array%::-arrayBy%") or
-  method.getQualifiedName().matches("NS%Array%::-componentsJoinedByString:") or
-  method.getQualifiedName().matches("NS%Array%::-init%") or
-  method.getQualifiedName().matches("NS%Data%::+dataWith%") or
-  method.getQualifiedName().matches("NS%Data%::-initWith%") or
-  method.getQualifiedName().matches("NS%String%::+pathWithComponents:") or
-  method.getQualifiedName().matches("NS%String%::+stringWith%") or
-  method.getQualifiedName().matches("NS%String%::-initWithCString:") or
-  method.getQualifiedName().matches("NS%String%::-initWithCString:length:") or
-  method.getQualifiedName().matches("NS%String%::-initWithCStringNoCopy:length:") or
-  method.getQualifiedName().matches("NS%String%::-initWithCharacters:length:") or
-  method.getQualifiedName().matches("NS%String%::-initWithCharactersNoCopy:length:freeWhenDone:") or
-  method.getQualifiedName().matches("NS%String%::-initWithFormat:") or
-  method.getQualifiedName().matches("NS%String%::-initWithFormat:arguments:") or
-  method.getQualifiedName().matches("NS%String%::-initWithString:") or
-  method.getQualifiedName().matches("NS%String%::-initWithUTF8String:") or
-  method.getQualifiedName().matches("NS%String%::-stringByAppendingFormat:") or
-  method.getQualifiedName().matches("NS%String%::-stringByAppendingString:") or
-  method.getQualifiedName().matches("NS%String%::-stringByPaddingToLength:withString:startingAtIndex:") or
-  method.getQualifiedName().matches("NS%String%::-stringByReplacing%") or
-  method.getQualifiedName().matches("NS%String%::-stringsByAppendingPaths:")
-}
-
-/** A method where if the receiver is tainted, the return value should be, too */
-private predicate methodReturningReceiver(MemberFunction method) {
-  method.getQualifiedName().matches("NS%Array%::-arrayBy%") or
-  method.getQualifiedName().matches("NS%Array%::-componentsJoinedByString:") or
-  method.getQualifiedName().matches("NS%Array%::-firstObject") or
-  method.getQualifiedName().matches("NS%Array%::-lastObject") or
-  method.getQualifiedName().matches("NS%Array%::-objectAt%") or
-  method.getQualifiedName().matches("NS%Array%::-pathsMatchingExtensions:") or
-  method.getQualifiedName().matches("NS%Array%::-sortedArray%") or
-  method.getQualifiedName().matches("NS%Array%::-subarrayWithRange:") or
-  method.getQualifiedName().matches("NS%Data%::-bytes") or
-  method.getQualifiedName().matches("NS%Data%::-subdataWithRange:") or
-  method.getQualifiedName().matches("NS%String%::-capitalizedString%") or
-  method.getQualifiedName().matches("NS%String%::-componentsSeparatedByCharactersInSet:") or
-  method.getQualifiedName().matches("NS%String%::-componentsSeparatedByString:") or
-  method.getQualifiedName().matches("NS%String%::-cStringUsingEncoding:") or
-  method.getQualifiedName().matches("NS%String%::-dataUsingEncoding:%") or
-  method.getQualifiedName().matches("NS%String%::-lowercaseString%") or
-  method.getQualifiedName().matches("NS%String%::-pathComponents") or
-  method.getQualifiedName().matches("NS%String%::-stringBy%") or
-  method.getQualifiedName().matches("NS%String%::-stringsByAppendingPaths:") or
-  method.getQualifiedName().matches("NS%String%::-substringFromIndex:") or
-  method.getQualifiedName().matches("NS%String%::-substringToIndex:") or
-  method.getQualifiedName().matches("NS%String%::-substringWithRange:") or
-  method.getQualifiedName().matches("NS%String%::-uppercaseString%") or
-  method.getQualifiedName().matches("NS%String%::-UTF8String")
-}
-
 /**
  * Resolve potential target function(s) for `call`.
  *
 
@@ -0,0 +1,19 @@
+// semmle-extractor-options: --expect_errors
+
+void functionBeforeError()
+{
+}
+
+void functionWithError1()
+{
+	aaaaaaaaaa(); // error
+}
+
+void functionWithError2()
+{
+	int i = aaaaaaaaaa(); // error
+}
+
+void functionAfterError()
+{
+}
@@ -43,6 +43,10 @@
 | cpp.cpp:87:5:87:26 | functionAccessesStatic | int | false |
 | cpp.cpp:93:6:93:14 | increment | int & -> void | false |
 | cpp.cpp:97:6:97:16 | doIncrement | void | false |
+| error.cpp:3:6:3:24 | functionBeforeError | void | true |
+| error.cpp:7:6:7:23 | functionWithError1 | void | false |
+| error.cpp:12:6:12:23 | functionWithError2 | void | false |
+| error.cpp:17:6:17:23 | functionAfterError | void | true |
 | file://:0:0:0:0 | operator= | __va_list_tag & | false |
 | file://:0:0:0:0 | operator= | __va_list_tag & | false |
 | sideEffects.c:4:5:4:6 | f1 | int | true |
 
@@ -1,5 +1,8 @@
 | calls.cpp:8:5:8:5 | 1 | This expression has no effect. | calls.cpp:8:5:8:5 | 1 |  |
 | calls.cpp:12:5:12:16 | call to thingy | This expression has no effect (because $@ has no external side effects). | calls.cpp:7:15:7:20 | thingy | thingy |
+| expr.cpp:8:2:8:2 | 0 | This expression has no effect. | expr.cpp:8:2:8:2 | 0 |  |
+| expr.cpp:9:7:9:7 | 0 | This expression has no effect. | expr.cpp:9:7:9:7 | 0 |  |
+| expr.cpp:10:2:10:5 | ... , ... | This expression has no effect. | expr.cpp:10:2:10:5 | ... , ... |  |
 | preproc.c:89:2:89:4 | call to fn4 | This expression has no effect (because $@ has no external side effects). | preproc.c:33:5:33:7 | fn4 | fn4 |
 | preproc.c:94:2:94:4 | call to fn9 | This expression has no effect (because $@ has no external side effects). | preproc.c:78:5:78:7 | fn9 | fn9 |
 | template.cpp:19:3:19:3 | call to operator++ | This expression has no effect (because $@ has no external side effects). | template.cpp:9:10:9:19 | operator++ | operator++ |