github
diff --git a/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 9 additions & 0 deletions b/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎change-notes/1.23/analysis-csharp.md‎
Lines changed: 2 additions & 0 deletions b/‎change-notes/1.23/analysis-csharp.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 5 additions & 2 deletions b/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎change-notes/1.23/analysis-python.md‎
Lines changed: 5 additions & 0 deletions b/‎change-notes/1.23/analysis-python.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.qhelp‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.qhelp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.qhelp‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.qhelp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableBad.c‎
Lines changed: 3 additions & 3 deletions b/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableBad.c‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableGood.c‎
Lines changed: 3 additions & 3 deletions b/‎cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableGood.c‎
Lines changed: 3 additions & 3 deletions
@@ -39,6 +39,10 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
   definition of `x` when `x` is a variable of pointer type. It no longer
   considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
   changes are in line with the user expectations we've observed.
+* The data-flow library now makes it easier to specify barriers/sanitizers
+  arising from guards by overriding the predicate
+  `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
+  configurations respectively.
 * There is now a `DataFlow::localExprFlow` predicate and a
   `TaintTracking::localExprTaint` predicate to make it easy to use the most
   common case of local data flow and taint: from one `Expr` to another.
@@ -50,3 +54,8 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
   lead to regressions (or improvements) in how queries are optimized because
   optimization in QL relies on static size estimates, and the control-flow edge
   relations will now have different size estimates than before.
+* Support has been added for non-type template arguments.  This means that the
+  return type of `Declaration::getTemplateArgument()` and
+  `Declaration::getATemplateArgument` have changed to `Locatable`.  See the
+  documentation for `Declaration::getTemplateArgument()` and
+  `Declaration::getTemplateArgumentKind()` for details.
@@ -8,6 +8,7 @@ The following changes in version 1.23 affect C# analysis in all applications.
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
+| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
 | Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
 | Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
 
@@ -43,5 +44,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
 * There is now a `DataFlow::localExprFlow` predicate and a
   `TaintTracking::localExprTaint` predicate to make it easy to use the most
   common case of local data flow and taint: from one `Expr` to another.
+* Data is now tracked through null-coalescing expressions (`??`).
 
 ## Changes to autobuilder
@@ -2,7 +2,7 @@
 
 ## General improvements
 
-* Suppor for `globalThis` has been added.
+* Support for `globalThis` has been added.
 
 * Support for the following frameworks and libraries has been improved:
   - [firebase](https://www.npmjs.com/package/firebase)
@@ -12,8 +12,9 @@
 
 * The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
 
-* TypeScript 3.6 features are supported.
+* TypeScript 3.6 and 3.7 features are now supported.
 
+* Automatic classification of generated files has been improved, in particular files generated by Doxygen are now recognized.
 
 ## New queries
 
@@ -26,11 +27,13 @@
 | Use of returnless function (`js/use-of-returnless-function`)              | maintainability, correctness                                      | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
 | Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
 | Unreachable method overloads (`js/unreachable-method-overloads`)          | correctness, typescript                                           | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
+| Ignoring result from pure array method (`js/ignore-array-result`)         | maintainability, correctness                                      | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. |
 
 ## Changes to existing queries
 
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Double escaping or unescaping (`js/double-escaping`) | More results | This rule now detects additional escaping and unescaping functions. |
 | Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
 | Client-side cross-site scripting (`js/xss`) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
 
@@ -20,3 +20,8 @@
 |----------------------------|------------------------|------------|
 | Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
 | `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. |
+
+
+## Changes to QL libraries
+
+* Django library now recognizes positional arguments from a `django.conf.urls.url` regex (Django version 1.x)
@@ -21,6 +21,7 @@ from Variable v
 where
   v.isStatic() and
   v.hasDefinition() and
+  not v.isConstexpr() and
   not exists(VariableAccess a | a.getTarget() = v) and
   not v instanceof MemberVariable and
   not declarationHasSideEffects(v) and
 
@@ -14,7 +14,7 @@ byte order function, such as <code>ntohl</code>.
 The use of a network-to-host byte order function is therefore a good indicator that the returned
 value is unvalidated data retrieved from the network, and should not be used without further
 validation. In particular, the returned value should not be used as an array index or array length
-value without validation, which may result in a buffer overflow vulnerability.
+value without validation, as this could result in a buffer overflow vulnerability.
 </p>
 </overview>
 
 
@@ -37,7 +37,7 @@ which is then subsequently accessed to fetch properties of the device. However,
 check the return value from the function call to <code>initDeviceConfig</code>. If the
 device number passed to the <code>notify</code> function was invalid, the
 <code>initDeviceConfig</code> function will leave the <code>config</code> variable uninitialized,
-which would result in the <code>notify</code> function accessing uninitialized memory.</p>
+which will result in the <code>notify</code> function accessing uninitialized memory.</p>
 
 <sample src="ConditionallyUninitializedVariableBad.c" />
 
 
@@ -2,7 +2,7 @@
  * @name Conditionally uninitialized variable
  * @description When an initialization function is used to initialize a local variable, but the
  *              returned status code is not checked, the variable may be left in an uninitialized
- *              state, and reading the variable may result in undefined behaviour.
+ *              state, and reading the variable may result in undefined behavior.
  * @kind problem
  * @problem.severity warning
  * @opaque-id SM02313
 
@@ -19,7 +19,7 @@ int notify(int deviceNumber) {
   DeviceConfig config;
   initDeviceConfig(&config, deviceNumber);
   // BAD: Using config without checking the status code that is returned
-  if (config->isEnabled) {
-    notifyChannel(config->channel);
+  if (config.isEnabled) {
+    notifyChannel(config.channel);
   }
-}
+}
@@ -20,8 +20,8 @@ void notify(int deviceNumber) {
   int statusCode = initDeviceConfig(&config, deviceNumber);
   if (statusCode == 0) {
     // GOOD: Status code returned by initialization function is checked, so this is safe
-    if (config->isEnabled) {
-      notifyChannel(config->channel);
+    if (config.isEnabled) {
+      notifyChannel(config.channel);
     }
   }
-}
+}
Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,8 @@ void notify(int deviceNumber) {`
`20`	`20`	`int statusCode = initDeviceConfig(&config, deviceNumber);`
`21`	`21`	`if (statusCode == 0) {`
`22`	`22`	`// GOOD: Status code returned by initialization function is checked, so this is safe`
`23`		`- if (config->isEnabled) {`
`24`		`- notifyChannel(config->channel);`
	`23`	`+ if (config.isEnabled) {`
	`24`	`+ notifyChannel(config.channel);`
`25`	`25`	`}`
`26`	`26`	`}`
`27`		`-}`
	`27`	`+}`