Merge remote-tracking branch 'upstream/master' into mergeback-2020-05-19

Conflicts:
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected

Author: jbj

change-notes/1.25/analysis-javascript.md

@@ -43,6 +43,29 @@
 | Zip Slip (`js/zipslip`) | More results | This query now recognizes additional vulnerabilities. |
 | Unused property (`js/unused-property`) | Less results | This query no longer flags properties of objects that are operands of `yield` expressions. |
 
+The following low-precision queries are no longer run by default on LGTM (their results already were not displayed):
+
+  - `js/angular/dead-event-listener`
+  - `js/angular/unused-dependency`
+  - `js/conflicting-html-attribute`
+  - `js/useless-assignment-to-global`
+  - `js/too-many-parameters`
+  - `js/unused-property`
+  - `js/bitwise-sign-check`
+  - `js/comparison-of-identical-expressions`
+  - `js/misspelled-identifier`
+  - `js/jsdoc/malformed-param-tag`
+  - `js/jsdoc/unknown-parameter`
+  - `js/jsdoc/missing-parameter`
+  - `js/omitted-array-element`
+  - `js/ignored-setter-parameter`
+  - `js/json-in-javascript-file`
+  - `js/node/cyclic-import`
+  - `js/node/unused-npm-dependency`
+  - `js/single-run-loop`
+  - `js/nested-loops-with-same-variable`
+  - `js/return-outside-function`
+
 ## Changes to libraries
 
 * A library `semmle.javascript.explore.CallGraph` has been added to help write queries for exploring the call graph.

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp

@@ -99,21 +99,21 @@ void test_outparams() {
 }
 
 
-void *memcpy(void *dst, void *src, int size);
 
-struct ContainsArray {
-  int arr[16];
+
+struct XY {
   int x;
+  int y;
 };
 
-void taint_array(ContainsArray *ca, int offset) {
+void taint_y(XY *xyp) {
   int tainted = getenv("VAR")[0];
-  memcpy(ca->arr + offset, &tainted, sizeof(int));
+  xyp->y = tainted;
 }
 
-void test_conflated_fields3(int arbitrary) {
-  ContainsArray ca;
-  ca.x = 0;
-  taint_array(&ca, arbitrary);
-  sink(ca.x); // not tainted [FALSE POSITIVE]
+void test_conflated_fields3() {
+  XY xy;
+  xy.x = 0;
+  taint_y(&xy);
+  sink(xy.x); // not tainted [FALSE POSITIVE]
 }

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected

@@ -98,14 +98,11 @@
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | (const char *)... |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | p2 |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | shared.h:5:23:5:31 | sinkparam |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:102:31:102:33 | src |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:110:7:110:13 | tainted |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:110:17:110:22 | call to getenv |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:110:17:110:32 | (int)... |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:110:17:110:32 | access to array |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:3:111:8 | call to memcpy |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:28:111:35 | & ... |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:28:111:35 | (void *)... |
+| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:12:111:18 | tainted |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:118:11:118:11 | x |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | shared.h:6:15:6:23 | sinkparam |
 | dispatch.cpp:28:29:28:34 | call to getenv | dispatch.cpp:28:24:28:27 | call to atoi |

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected

@@ -20,9 +20,7 @@
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | (const char *)... | IR only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | defaulttainttracking.cpp:98:10:98:11 | p2 | IR only |
 | defaulttainttracking.cpp:97:27:97:32 | call to getenv | shared.h:5:23:5:31 | sinkparam | IR only |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:102:20:102:22 | dst | AST only |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:10:111:25 | ... + ... | AST only |
-| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:29:111:35 | tainted | AST only |
+| defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:111:8:111:8 | y | AST only |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | defaulttainttracking.cpp:118:11:118:11 | x | IR only |
 | defaulttainttracking.cpp:110:17:110:22 | call to getenv | shared.h:6:15:6:23 | sinkparam | IR only |
 | globals.cpp:13:15:13:20 | call to getenv | globals.cpp:13:5:13:11 | global1 | AST only |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -1,7 +1,7 @@
 edges
-| field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:13:10:13:25 | Chi |
-| field_conflation.c:12:22:12:34 | (const char *)... | field_conflation.c:13:10:13:25 | Chi |
-| field_conflation.c:13:10:13:25 | Chi | field_conflation.c:19:15:19:17 | taint_array output argument |
+| field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:13:3:13:18 | Chi |
+| field_conflation.c:12:22:12:34 | (const char *)... | field_conflation.c:13:3:13:18 | Chi |
+| field_conflation.c:13:3:13:18 | Chi | field_conflation.c:19:15:19:17 | taint_array output argument |
 | field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:10:20:13 | (unsigned long)... |
 | field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
 | field_conflation.c:19:15:19:17 | taint_array output argument | field_conflation.c:20:13:20:13 | x |
@@ -71,7 +71,7 @@ edges
 nodes
 | field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
 | field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
-| field_conflation.c:13:10:13:25 | Chi | semmle.label | Chi |
+| field_conflation.c:13:3:13:18 | Chi | semmle.label | Chi |
 | field_conflation.c:19:15:19:17 | taint_array output argument | semmle.label | taint_array output argument |
 | field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |
 | field_conflation.c:20:10:20:13 | (unsigned long)... | semmle.label | (unsigned long)... |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/field_conflation.c

@@ -1,21 +1,21 @@
 int atoi(const char *nptr);
 void *malloc(unsigned long size);
 char *getenv(const char *name);
-void *memcpy(void *dst, void *src, unsigned long size);
 
-struct ContainsArray {
-  int arr[16];
+
+struct XY {
   int x;
+  int y;
 };
 
-void taint_array(struct ContainsArray *ca, int offset) {
+void taint_array(struct XY *xyp) {
   int tainted = atoi(getenv("VAR"));
-  memcpy(ca->arr + offset, &tainted, sizeof(int));
+  xyp->y = tainted;
 }
 
-void test_conflated_fields3(int arbitrary) {
-  struct ContainsArray ca;
-  ca.x = 4;
-  taint_array(&ca, arbitrary);
-  malloc(ca.x); // not tainted [FALSE POSITIVE]
+void test_conflated_fields3(void) {
+  struct XY xy;
+  xy.x = 4;
+  taint_array(&xy);
+  malloc(xy.x); // not tainted [FALSE POSITIVE]
 }

java/ql/src/semmle/code/FileSystem.qll

@@ -151,33 +151,6 @@ class Container extends @container, Top {
    * This is the absolute path of the container.
    */
   override string toString() { result = getAbsolutePath() }
-
-  /**
-   * DEPRECATED: use `getAbsolutePath()`, `getBaseName()` or `getStem()` instead.
-   *
-   * Gets the name of this container.
-   */
-  deprecated string getName() { result = getAbsolutePath() }
-
-  /**
-   * DEPRECATED: use `getBaseName()` or `getStem()` instead.
-   *
-   * The short name of this container, excluding its path and (for files) extension.
-   *
-   * For folders, the short name includes the extension (if any), so the short name
-   * of the folder with absolute path `/home/user/.m2` is `.m2`.
-   */
-  deprecated string getShortName() {
-    folders(this, _, result) or
-    files(this, _, result, _, _)
-  }
-
-  /**
-   * DEPRECATED: use `getAbsolutePath()` instead.
-   *
-   * Gets the full name of this container, including its path and extension (if any).
-   */
-  deprecated string getFullName() { result = getAbsolutePath() }
 }
 
 /** A folder. */
@@ -198,13 +171,6 @@ class File extends Container, @file {
 
   /** Gets the URL of this file. */
   override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
-
-  /**
-   * DEPRECATED: use `getAbsolutePath()`, `getBaseName()` or `getStem()` instead.
-   *
-   * Holds if this file has the specified `name`.
-   */
-  deprecated predicate hasName(string name) { name = this.getAbsolutePath() }
 }
 
 /**

java/ql/src/semmle/code/java/Statement.qll

@@ -117,7 +117,7 @@ class IfStmt extends ConditionalStmt, @ifstmt {
    * Gets the statement that is executed whenever the condition
    * of this branch statement evaluates to `true`.
    */
-  override Stmt getTrueSuccessor() { result = getThen() }
+  deprecated override Stmt getTrueSuccessor() { result = getThen() }
 
   /** Gets the `else` branch of this `if` statement. */
   Stmt getElse() { result.isNthChildOf(this, 2) }
@@ -168,7 +168,7 @@ class ForStmt extends ConditionalStmt, @forstmt {
    * Gets the statement that is executed whenever the condition
    * of this branch statement evaluates to true.
    */
-  override Stmt getTrueSuccessor() { result = getStmt() }
+  deprecated override Stmt getTrueSuccessor() { result = getStmt() }
 
   /**
    * Gets a variable that is used as an iteration variable: it is defined,
@@ -228,7 +228,7 @@ class WhileStmt extends ConditionalStmt, @whilestmt {
    * Gets the statement that is executed whenever the condition
    * of this branch statement evaluates to true.
    */
-  override Stmt getTrueSuccessor() { result = getStmt() }
+  deprecated override Stmt getTrueSuccessor() { result = getStmt() }
 
   /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "while (...) " + this.getStmt().pp() }
@@ -249,7 +249,7 @@ class DoStmt extends ConditionalStmt, @dostmt {
    * Gets the statement that is executed whenever the condition
    * of this branch statement evaluates to `true`.
    */
-  override Stmt getTrueSuccessor() { result = getStmt() }
+  deprecated override Stmt getTrueSuccessor() { result = getStmt() }
 
   /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "do " + this.getStmt().pp() + " while (...)" }

javascript/ql/src/AngularJS/DeadAngularJSEventListener.ql

@@ -3,7 +3,7 @@
  * @description An AngularJS event listener that listens for a non-existent event has no effect.
  * @kind problem
  * @problem.severity warning
- * @precision medium
+ * @precision low
  * @id js/angular/dead-event-listener
  * @tags correctness
  *       frameworks/angularjs

javascript/ql/src/AngularJS/UnusedAngularDependency.ql

@@ -3,7 +3,7 @@
  * @description Unused dependencies are confusing, and should be removed.
  * @kind problem
  * @problem.severity recommendation
- * @precision high
+ * @precision low
  * @id js/angular/unused-dependency
  * @tags maintainability
  *       frameworks/angularjs