Merge pull request github#12148 from jketema/opt-in

C++: Revert `semmle.code.cpp.dataflow` to its old state

Author: jketema

config/identical-files.json

@@ -8,11 +8,11 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl2.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl3.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImpl4.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImplLocal.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
@@ -43,7 +43,7 @@
   ],
   "DataFlow Java/C++/C#/Go/Python/Ruby/Swift Common": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImplCommon.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll",
@@ -52,9 +52,9 @@
     "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll",
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll"
   ],
-"TaintTracking::Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/tainttracking1/TaintTrackingImpl.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/tainttracking2/TaintTrackingImpl.qll",
+  "TaintTracking::Configuration Java/C++/C#/Go/Python/Ruby/Swift": [
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -80,7 +80,7 @@
   ],
   "DataFlow Java/C++/C#/Python/Ruby/Swift Consistency checks": [
     "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/DataFlowImplConsistency.qll",
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
@@ -122,7 +122,7 @@
   ],
   "C++ SubBasicBlocks": [
     "cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
-    "cpp/ql/lib/semmle/code/cpp/dataflow/old/internal/SubBasicBlocks.qll"
+    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
   ],
   "IR Instruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",

cpp/ql/lib/change-notes/2023-02-10-buffer-and-nill-termination-dataflow.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The `semmle.code.cpp.commons.Buffer` and `semmle.code.cpp.commons.NullTermination` libraries no longer expose `semmle.code.cpp.dataflow.DataFlow`. Please import `semmle.code.cpp.dataflow.DataFlow` directly.

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -3,7 +3,7 @@
  */
 
 import cpp
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.PrivateData
 import semmle.code.cpp.security.FileWrite
 import semmle.code.cpp.security.BufferWrite

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -1,5 +1,5 @@
 import cpp
-import semmle.code.cpp.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.DataFlow
 
 /**
  * Holds if `v` is a member variable of `c` that looks like it might be variable sized

cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll

@@ -1,7 +1,7 @@
 import cpp
 private import semmle.code.cpp.models.interfaces.ArrayFunction
 private import semmle.code.cpp.models.implementations.Strcat
-import semmle.code.cpp.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.DataFlow
 
 /**
  * Holds if the expression `e` assigns something including `va` to a

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll

@@ -4,7 +4,10 @@
  * _sink_.
  *
  * Unless configured otherwise, _flow_ means that the exact value of
- * the source may reach the sink.
+ * the source may reach the sink. We do not track flow across pointer
+ * dereferences or array indexing. To track these types of flow, where the
+ * exact value may not be preserved, import
+ * `semmle.code.cpp.dataflow.TaintTracking`.
  *
  * To use global (interprocedural) data flow, extend the class
  * `DataFlow::Configuration` as documented on that class. To use local
@@ -14,4 +17,12 @@
  * `DataFlow::Node`.
  */
 
-import semmle.code.cpp.ir.dataflow.DataFlow
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow {
+  import semmle.code.cpp.dataflow.internal.DataFlowImpl
+}

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow2.qll

@@ -9,4 +9,12 @@
  * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
  */
 
-import semmle.code.cpp.ir.dataflow.DataFlow2
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow2 {
+  import semmle.code.cpp.dataflow.internal.DataFlowImpl2
+}

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow3.qll

@@ -9,4 +9,12 @@
  * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
  */
 
-import semmle.code.cpp.ir.dataflow.DataFlow3
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow3 {
+  import semmle.code.cpp.dataflow.internal.DataFlowImpl3
+}

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow4.qll

@@ -9,4 +9,12 @@
  * See `semmle.code.cpp.dataflow.DataFlow` for the full documentation.
  */
 
-import semmle.code.cpp.ir.dataflow.DataFlow4
+import cpp
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow4 {
+  import semmle.code.cpp.dataflow.internal.DataFlowImpl4
+}

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll

@@ -15,4 +15,13 @@
  * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
  */
 
-import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.DataFlow2
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ */
+module TaintTracking {
+  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
+}