github
diff --git a/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 5 additions & 1 deletion b/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎change-notes/1.19/analysis-java.md‎
Lines changed: 16 additions & 0 deletions b/‎change-notes/1.19/analysis-java.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 7 additions & 1 deletion b/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎cpp/config/suites/c/correctness‎
Lines changed: 1 addition & 0 deletions b/‎cpp/config/suites/c/correctness‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/config/suites/cpp/correctness‎
Lines changed: 1 addition & 0 deletions b/‎cpp/config/suites/cpp/correctness‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/config/suites/security/cwe-253‎
Lines changed: 3 additions & 0 deletions b/‎cpp/config/suites/security/cwe-253‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cpp/config/suites/security/cwe-732‎
Lines changed: 2 additions & 0 deletions b/‎cpp/config/suites/security/cwe-732‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/config/suites/security/default‎
Lines changed: 1 addition & 0 deletions b/‎cpp/config/suites/security/default‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.qhelp‎
Lines changed: 4 additions & 4 deletions b/‎cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.qhelp‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql‎
Lines changed: 3 additions & 5 deletions b/‎cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql‎
Lines changed: 3 additions & 5 deletions
@@ -6,14 +6,18 @@
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| *@name of query (Query ID)* | *Tags*    |*Aim of the new query and whether it is enabled by default or not*  |
+| Cast between HRESULT and a Boolean type (`cpp/hresult-boolean-conversion`) | external/cwe/cwe-253 | Finds logic errors caused by mistakenly treating the Windows `HRESULT` type as a Boolean instead of testing it with the appropriate macros. Enabled by default. |
+| Setting a DACL to `NULL` in a `SECURITY_DESCRIPTOR` (`cpp/unsafe-dacl-security-descriptor`) | external/cwe/cwe-732 | This query finds code that creates world-writable objects on Windows by setting their DACL to `NULL`. Enabled by default. |
+| Cast from char* to wchar_t* | security, external/cwe/cwe-704 | Detects potentially dangerous casts from char* to wchar_t*.  Enabled by default on LGTM. |
 
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
 | Resource not released in destructor | Fewer false positive results | Placement new is now excluded from the query. |
 | Missing return statement (`cpp/missing-return`) | Visible by default | The precision of this query has been increased from 'medium' to 'high', which makes it visible by default in LGTM. It was 'medium' in release 1.17 and 1.18 because it had false positives due to an extractor bug that was fixed in 1.18. |
+| Call to memory access function may overflow buffer | More correct results | Array indexing with a negative index is now detected by this query. |
+| Suspicious add with sizeof | Fewer false positive results | Arithmetic with void pointers (where allowed) is now excluded from this query. |
 | Wrong type of arguments to formatting function | Fewer false positive results | False positive results involving typedefs have been removed.  Expected argument types are determined more accurately, especially for wide string and pointer types.  Custom (non-standard) formatting functions are also identified more accurately. |
 
 ## Changes to QL libraries
 
@@ -0,0 +1,16 @@
+# Improvements to Java analysis
+
+## General improvements
+
+## New queries
+
+| **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
+|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**        | **Change**                                   |
+| Unreachable catch clause (`java/unreachable-catch-clause`) | Fewer false-positive results | This rule now accounts for calls to generic methods that throw generic exceptions. |
+
+## Changes to QL libraries
+
@@ -16,10 +16,12 @@
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
 |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094  | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. |
+| File data in outbound network request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Results are not shown on LGTM by default. |
 | Host header poisoning in email generation |  security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default.  |
 | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. |
 | Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |
 | Unclear precedence of nested operators (`js/unclear-operator-precedence`) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. |
+| User-controlled data in file | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. Results are not shown on LGTM by default. |
 
 ## Changes to existing queries
 
@@ -35,4 +37,8 @@
 
 ## Changes to QL libraries
 
-* The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class `FlowLabel` (which can also be referred to by its alias `TaintKind`).
+* The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class `FlowLabel` (which can also be referred to by its alias `TaintKind`).
+
+* The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an indivdual `this` expression. This means `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode` - it is recomended to use `getALocalSource` before casting or instead of casting.
+
+* `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned above.
@@ -6,6 +6,7 @@
 + semmlecode-cpp-queries/Likely Bugs/Arithmetic/IntMultToLong.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql: /Correctness/Dangerous Conversions
++ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
   # Consistent Use 
 + semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
 
@@ -7,6 +7,7 @@
 + semmlecode-cpp-queries/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql: /Correctness/Dangerous Conversions
 + semmlecode-cpp-queries/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql: /Correctness/Dangerous Conversions
++ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
   # Consistent Use 
 + semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
 + semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
 
@@ -0,0 +1,3 @@
+# CWE-253: Incorrect Check of Function Return Value
++ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /CWE/CWE-253
+    @name Cast between HRESULT and a Boolean type (CWE-253)
@@ -1,3 +1,5 @@
 # CWE-732: Incorrect Permission Assignment for Critical Resource
 + semmlecode-cpp-queries/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql: /CWE/CWE-732
     @name File created without restricting permissions (CWE-732)
++ semmlecode-cpp-queries/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql: /CWE/CWE-732
+    @name Setting a DACL to NULL in a SECURITY_DESCRIPTOR (CWE-732)
@@ -13,6 +13,7 @@
 @import "cwe-170"
 @import "cwe-190"
 @import "cwe-242"
+@import "cwe-253"
 @import "cwe-290"
 @import "cwe-311"
 @import "cwe-327"
 
@@ -4,13 +4,13 @@
 <qhelp>
 
 <overview>
-  <p>This query indicates that an <code>HRESULT</code> is being cast to a boolean type or vice versa.</p>
-  <p>The typical success value (<code>S_OK</code>) of an <code>HRESULT</code> equals 0. However, 0 indicates failure for a boolean type.</p>
-  <p>Casting an <code>HRESULT</code> to a boolean type and then using it in a test expression will yield an incorrect result.</p>
+  <p>This query indicates that an <code>HRESULT</code> is being cast to a Boolean type or vice versa.</p>
+  <p>The typical success value (<code>S_OK</code>) of an <code>HRESULT</code> equals 0. However, 0 indicates failure for a Boolean type.</p>
+  <p>Casting an <code>HRESULT</code> to a Boolean type and then using it in a test expression will yield an incorrect result.</p>
 </overview>
 
 <recommendation>
-<p>To check if a call that returns an HRESULT succeeded use the <code>FAILED</code> macro.</p>
+<p>To check if a call that returns an <code>HRESULT</code> succeeded use the <code>FAILED</code> macro.</p>
 </recommendation>
 
 <example>
 
@@ -1,8 +1,6 @@
 /**
- * @name Cast between semantically different integer types: HRESULT to/from a Boolean type
- * @description Cast between semantically different integer types: HRESULT to/from a Boolean type.
- *              Boolean types indicate success by a non-zero value, whereas success (S_OK) in HRESULT is indicated by a value of 0. 
- *              Casting an HRESULT to/from a Boolean type and then using it in a test expression will yield an incorrect result.
+ * @name Cast between HRESULT and a Boolean type
+ * @description Casting an HRESULT to/from a Boolean type and then using it in a test expression will yield an incorrect result because success (S_OK) in HRESULT is indicated by a value of 0.
  * @kind problem
  * @id cpp/hresult-boolean-conversion
  * @problem.severity error
@@ -68,4 +66,4 @@ where exists
     )
     and not isHresultBooleanConverted(e1)
   )
-select e1, msg
+select e1, msg
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# CWE-253: Incorrect Check of Function Return Value`
	`2`	`++ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /CWE/CWE-253`
	`3`	`+ @name Cast between HRESULT and a Boolean type (CWE-253)`