github
diff --git a/‎.lgtm.yml‎
Lines changed: 3 additions & 0 deletions b/‎.lgtm.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.19/analysis-csharp.md‎
Lines changed: 3 additions & 1 deletion b/‎change-notes/1.19/analysis-csharp.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 6 additions & 3 deletions b/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎change-notes/1.19/extractor-javascript.md‎
Lines changed: 26 additions & 0 deletions b/‎change-notes/1.19/extractor-javascript.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.cpp‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.cpp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.c‎
Lines changed: 2 additions & 2 deletions b/‎cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.c‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.cpp‎
Lines changed: 7 additions & 7 deletions b/‎cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.cpp‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.cpp‎
Lines changed: 5 additions & 5 deletions b/‎cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.cpp‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎cpp/ql/src/Critical/LargeParameter.cpp‎
Lines changed: 4 additions & 4 deletions b/‎cpp/ql/src/Critical/LargeParameter.cpp‎
Lines changed: 4 additions & 4 deletions
@@ -1,10 +1,13 @@
 path_classifiers:
   library:
   - javascript/externs
+  - javascript/extractor/lib
 
   test:
   - csharp/ql/src
   - csharp/ql/test
+  - javascript/extractor/parser-tests
+  - javascript/extractor/tests
   - javascript/ql/src
   - javascript/ql/test
 
 
@@ -28,3 +28,4 @@
 
 * Added a hash consing library for structural comparison of expressions.
 * `getBufferSize` now detects variable size structs more reliably.
+* Buffer.qll now treats arrays of zero size as a special case.
@@ -3,7 +3,7 @@
 ## General improvements
 
 * Control flow graph improvements:
-* The control flow graph construction now takes simple Boolean conditions on local scope variables into account. For example, in `if (b) x = 0; if (b) x = 1;`, the control flow graph will reflect that taking the `true` (resp. `false`) branch in the first condition implies taking the same branch in the second condition. In effect, the first assignment to `x` will now be identified as being dead.
+  * The control flow graph construction now takes simple Boolean conditions on local scope variables into account. For example, in `if (b) x = 0; if (b) x = 1;`, the control flow graph will reflect that taking the `true` (resp. `false`) branch in the first condition implies taking the same branch in the second condition. In effect, the first assignment to `x` will now be identified as being dead.
   * Code that is only reachable from a constant failing assertion, such as `Debug.Assert(false)`, is considered to be unreachable.
 
 ## New queries
@@ -21,3 +21,5 @@
 
 
 ## Changes to QL libraries
+
+* `getArgument()` on `AccessorCall` has been improved so it now takes tuple assignments into account. For example, the argument for the implicit `value` parameter in the setter of property `P` is `0` in `(P, x) = (0, 1)`. Additionally, the argument for the `value` parameter in compound assignments is now only the expanded value, for example, in `P += 7` the argument is `P + 7` and not `7`.
@@ -9,9 +9,9 @@
 * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
   - file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby)
   - outbound network access, for example through the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API)
-  - the [Google Cloud Spanner](https://cloud.google.com/spanner), [lodash](https://lodash.com) and [underscore](https://underscorejs.org/) libraries
+  - the [lodash](https://lodash.com), [underscore](https://underscorejs.org/), [async](https://www.npmjs.com/package/async) and [async-es](https://www.npmjs.com/package/async-es) libraries
 
-* The type inference now handles nested imports (that is, imports not appearing at the toplevel). This may yield fewer false-positive results on projects that use this non-standard language feature.
+* Type inference for function calls has been improved. This may give additional results for queries that rely on type inference.
 
 ## New queries
 
@@ -37,9 +37,10 @@
 | Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. |
 | Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that may be used by `eval` calls. |
 | Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. |
-| User-controlled bypass of security check | Fewer results | This rule no longer flags conditions that guard early returns. The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. | 
 | Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |
 | Unused import | Fewer false-positive results | This rule no longer flags imports used by the `transform-react-jsx` Babel plugin. |
+| Self assignment | Fewer false-positive results | This rule now ignores self-assignments preceded by a JSDoc comment with a `@type` tag. |
+| Client side cross-site scripting | More results | This rule now also flags HTML injection in the body of an email. |
 
 ## Changes to QL libraries
 
@@ -48,3 +49,5 @@
 * The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an indivdual `this` expression. This means `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode` - it is recomended to use `getALocalSource` before casting or instead of casting.
 
 * `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned above.
+
+* A `DataFlow::ParameterNode` instance now exists for all function parameters. Previously, unused parameters did not have a corresponding dataflow node.
@@ -0,0 +1,26 @@
+[[ condition: enterprise-only ]]
+
+# Improvements to JavaScript analysis
+
+> NOTES
+>
+> Please describe your changes in terms that are suitable for
+> customers to read. These notes will have only minor tidying up
+> before they are published as part of the release notes.
+>
+> This file is written for lgtm users and should contain *only*
+> notes about changes that affect lgtm enterprise users. Add
+> any other customer-facing changes to the `studio-java.md`
+> file.
+>
+
+## General improvements
+
+> Changes that affect alerts in many files or from many queries
+> For example, changes to file classification
+
+## Changes to code extraction
+
+* The TypeScript compiler is now bundled with the distribution, and no longer needs to be installed manually.
+  Should the compiler version need to be overridden, set the `SEMMLE_TYPESCRIPT_HOME` environment variable to
+  point to an installation of the `typescript` NPM package.
@@ -4,5 +4,5 @@ void fillRect(int x, int y, int w, int h,
               int r2, int g2, int b2, int a2,
               gradient_type grad, unsigned int flags, bool border)
 {
-	// ...
+    // ...
 }
@@ -1,7 +1,7 @@
 int find(int start, char *str, char goal)
 {
     int len = strlen(str);
-	//Potential buffer overflow
+    //Potential buffer overflow
     for (int i = start; str[i] != 0 && i < len; i++) { 
         if (str[i] == goal)
             return i; 
@@ -12,7 +12,7 @@ int find(int start, char *str, char goal)
 int findRangeCheck(int start, char *str, char goal)
 {
     int len = strlen(str);
-	//Range check protects against buffer overflow
+    //Range check protects against buffer overflow
     for (int i = start; i < len && str[i] != 0 ; i++) {
         if (str[i] == goal)
             return i; 
 
@@ -1,16 +1,16 @@
 void sanitize(Fields[] record) {
     //The number of fields here can be put in a const
-	for (fieldCtr = 0; field < 7; field++) {
-		sanitize(fields[fieldCtr]);
-	}
+    for (fieldCtr = 0; field < 7; field++) {
+        sanitize(fields[fieldCtr]);
+    }
 }
 
 #define NUM_FIELDS 7
 
 void process(Fields[] record) {
-	//This avoids using a magic constant by using the macro instead
-	for (fieldCtr = 0; field < NUM_FIELDS; field++) {
-		process(fields[fieldCtr]);
-	}
+    //This avoids using a magic constant by using the macro instead
+    for (fieldCtr = 0; field < NUM_FIELDS; field++) {
+        process(fields[fieldCtr]);
+    }
 }
 
@@ -1,14 +1,14 @@
 //start of file
 static void f() { //static function f() is unused in the file
-	//...
+    //...
 }
 static void g() {
-	//...
+    //...
 }
 void public_func() { //non-static function public_func is not called in file, 
                      //but could be visible in other files
-	//...
-	g(); //call to g()
-	//...
+    //...
+    g(); //call to g()
+    //...
 }
 //end of file
@@ -1,13 +1,13 @@
 typedef struct Names {
-	char first[100];
-	char last[100];
+    char first[100];
+    char last[100];
 } Names;
 
 int doFoo(Names n) { //wrong: n is passed by value (meaning the entire structure
                      //is copied onto the stack, instead of just a pointer)
-	...
+    ...
 }
 
 int doBar(Names &n) { //better, only a reference is passed
-	...
+    ...
 }
Original file line number	Diff line number	Diff line change
`@@ -28,3 +28,4 @@`
`28`	`28`
`29`	`29`	`* Added a hash consing library for structural comparison of expressions.`
`30`	`30`	* `getBufferSize` now detects variable size structs more reliably.
	`31`	`+* Buffer.qll now treats arrays of zero size as a special case.`
Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,5 @@ void fillRect(int x, int y, int w, int h,`
`4`	`4`	`int r2, int g2, int b2, int a2,`
`5`	`5`	`gradient_type grad, unsigned int flags, bool border)`
`6`	`6`	`{`
`7`		`- // ...`
	`7`	`+ // ...`
`8`	`8`	`}`