Merge branch 'master' into js/improve-createServer

Author: Esben Sparre Andreasen

change-notes/1.21/analysis-cpp.md

@@ -11,6 +11,7 @@
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| Dead code due to goto or break statement (`cpp/dead-code-goto`) | Fewer false positive results | Functions containing preprocessor logic are now excluded from this analysis. |
 | Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed an issue where functions were being identified as allocation functions inappropriately.  Also affects `cpp/new-array-delete-mismatch` and `cpp/new-delete-array-mismatch`. |
 | Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | More correct results | This query has been reworked so that it can find a wider variety of results. |
 | Memory may not be freed (`cpp/memory-may-not-be-freed`) | More correct results | Support added for more Microsoft-specific allocation functions, including `LocalAlloc`, `GlobalAlloc`, `HeapAlloc` and `CoTaskMemAlloc`. |

change-notes/1.21/analysis-javascript.md

@@ -3,8 +3,10 @@
 ## General improvements
 
 * Support for the following frameworks and libraries has been improved:
+  - [koa](https://github.com/koajs/koa)
   - [socket.io](http://socket.io)
   - [Node.js](http://nodejs.org)
+  - [Firebase](https://firebase.google.com/)
 
 * The security queries now track data flow through Base64 decoders such as the Node.js `Buffer` class, the DOM function `atob`, and a number of npm packages intcluding [`abab`](https://www.npmjs.com/package/abab), [`atob`](https://www.npmjs.com/package/atob), [`btoa`](https://www.npmjs.com/package/btoa), [`base-64`](https://www.npmjs.com/package/base-64), [`js-base64`](https://www.npmjs.com/package/js-base64), [`Base64.js`](https://www.npmjs.com/package/Base64) and [`base64-js`](https://www.npmjs.com/package/base64-js).
 

cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql

@@ -2,7 +2,7 @@
  * @name Hub classes
  * @description Shows coupling between classes. Large, red, boxes are hub types that depend on many other classes
  *              and are depended on by many other classes.
- * @kind treemap
+ * @kind table
  * @id cpp/architecture/hub-classes
  * @treemap.warnOn highValues
  * @tags maintainability

cpp/ql/src/Critical/DeadCodeGoto.ql

@@ -10,6 +10,7 @@
  */
 
 import cpp
+import semmle.code.cpp.commons.Exclusions
 
 Stmt getNextRealStmt(Block b, int i) {
   result = b.getStmt(i + 1) and
@@ -30,4 +31,6 @@ where b.getStmt(i) = js
   // the next statement isn't a loop that can be jumped into
   and not exists (LabelStmt ls | s.(Loop).getStmt().getAChild*() = ls)
   and not exists (SwitchCase sc | s.(Loop).getStmt().getAChild*() = sc)
+  // no preprocessor logic applies
+  and not functionContainsPreprocCode(js.getEnclosingFunction())
 select js, "This statement makes $@ unreachable.", s, s.toString()

cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 3.ql

@@ -12,5 +12,4 @@ import cpp
 from Function f, int c
 where c = f.getMetrics().getCyclomaticComplexity() and
       c > 20
-select f, c as CyclomaticComplexity,
-       "AV Rule 3: All functions shall have a cyclomatic complexity number of 20 or less."
+select f, "AV Rule 3: All functions shall have a cyclomatic complexity number of 20 or less."

cpp/ql/src/jsf/4.10 Classes/AV Rule 81.ql

@@ -3,6 +3,7 @@
  * @description The assignment operator shall handle self-assignment correctly.
  * @kind problem
  * @id cpp/jsf/av-rule-81
+ * @precision low
  * @problem.severity error
  * @tags correctness
  *       external/jsf
@@ -77,4 +78,4 @@ where hasResource(op.getDeclaringType())
       and not exists(op.getASelfEqualityTest())
       and not exists(op.getASwapCall())
       and exists(op.getADeleteExpr())
-select op
+select op, "AV Rule 81: The assignment operator shall handle self-assignment correctly."

cpp/ql/src/semmle/code/cpp/ASTSanity.ql

@@ -1,7 +1,7 @@
 /**
  * @name AST Sanity Check
  * @description Performs sanity checks on the Abstract Syntax Tree. This query should have no results. 
- * @kind problem
+ * @kind table
  * @id cpp/ast-sanity-check
  */
 

cpp/ql/src/semmle/code/cpp/AutogeneratedFile.qll

@@ -23,11 +23,15 @@ private bindingset[comment] predicate autogeneratedComment(string comment) {
 
       // changes made in this file will be lost
       "(changes made in this file will be lost)|" +
-  
-      // do not edit/modify
+
+      // do not edit/modify (not mid-sentence)
       "(^ do(n't|nt| not) (hand-?)?(edit|modify))|" +
-      "(! do(n't|nt| not) (hand-?)?(edit|modify))" and
-  
+      "(! do(n't|nt| not) (hand-?)?(edit|modify))|" +
+
+      // do not edit/modify + generated
+      "(do(n't|nt| not) (hand-?)?(edit|modify).*generated)|" +
+      "(generated.*do(n't|nt| not) (hand-?)?(edit|modify))" and
+
     comment.regexpMatch("(?si).*(" +
       // replace `generated` with a regexp that also catches things like
       // `auto-generated`.

cpp/ql/src/semmle/code/cpp/commons/Exclusions.qll

@@ -58,3 +58,16 @@ predicate functionContainsDisabledCode(Function f) {
     )
   )
 }
+
+/**
+ * Holds if the function `f` contains code that could be excluded by the preprocessor.
+ */
+predicate functionContainsPreprocCode(Function f) {
+  // `f` contains a preprocessor branch
+  exists(PreprocessorBranchDirective pbd, string file, int pbdStartLine, int fBlockStartLine, int fBlockEndLine |
+    functionLocation(f, file, fBlockStartLine, fBlockEndLine) and
+    pbdLocation(pbd, file, pbdStartLine) and
+    pbdStartLine <= fBlockEndLine and
+    pbdStartLine >= fBlockStartLine
+  )
+}

cpp/ql/src/semmle/code/cpp/ir/IRSanity.ql

@@ -1,7 +1,7 @@
 /**
  * @name IR Sanity Check
  * @description Performs sanity checks on the Intermediate Representation. This query should have no results. 
- * @kind problem
+ * @kind table
  * @id cpp/ir-sanity-check
  */