github
diff --git a/‎change-notes/1.22/analysis-cpp.md‎
Lines changed: 27 additions & 17 deletions b/‎change-notes/1.22/analysis-cpp.md‎
Lines changed: 27 additions & 17 deletions
diff --git a/‎change-notes/1.22/analysis-csharp.md‎
Lines changed: 40 additions & 27 deletions b/‎change-notes/1.22/analysis-csharp.md‎
Lines changed: 40 additions & 27 deletions
diff --git a/‎change-notes/1.22/analysis-java.md‎
Lines changed: 18 additions & 2 deletions b/‎change-notes/1.22/analysis-java.md‎
Lines changed: 18 additions & 2 deletions
diff --git a/‎change-notes/1.22/analysis-javascript.md‎
Lines changed: 14 additions & 5 deletions b/‎change-notes/1.22/analysis-javascript.md‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎change-notes/1.22/analysis-python.md‎
Lines changed: 21 additions & 1 deletion b/‎change-notes/1.22/analysis-python.md‎
Lines changed: 21 additions & 1 deletion
@@ -1,32 +1,42 @@
 # Improvements to C/C++ analysis
 
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
+The following changes in version 1.22 affect C/C++ analysis in all applications.
 
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
-| Call to alloca in a loop (`cpp/alloca-in-loop`) | Fewer false positive results | Fixed false positives where the stack allocation could not be reached multiple times in the loop, typically due to a `break` or `return` statement. |
+| Call to alloca in a loop (`cpp/alloca-in-loop`) | Fewer false positive results | The query no longer highlights code where the stack allocation could not be reached multiple times in the loop, typically due to a `break` or `return` statement. |
 | Continue statement that does not continue (`cpp/continue-in-false-loop`) | Fewer false positive results | Analysis is now restricted to `do`-`while` loops. This query is now run and displayed by default on LGTM. |
-| Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side effect free, because they could be overridden with a different implementation at link time. |
-| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positives involving strings that are not null-terminated have been excluded. |
-| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results and more true positive results | The query now understands the direction of each comparison, making it more accurate. |
+| Expression has no effect (`cpp/useless-expression`) | Fewer false positive results | Calls to functions with the `weak` attribute are no longer considered to be side-effect free, because they could be overridden with a different implementation at link time. |
+| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | False positive results for strings that are not null-terminated have been excluded. |
+| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | The query was rewritten using the taint-tracking library. |
+| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive and more true positive results | The query now understands the direction of each comparison, making it more accurate. |
 | Suspicious pointer scaling (`cpp/suspicious-pointer-scaling`) | Lower precision | The precision of this query has been reduced to "medium". This coding pattern is used intentionally and safely in a number of real-world projects. Results are no longer displayed on LGTM unless you choose to display them. |
-| Non-constant format string (`cpp/non-constant-format`) | Fewer false positive results | Rewritten using the taint-tracking library. |
-| Variable used in its own initializer (`cpp/use-in-own-initializer`) | Fewer false positive results | False positives for constant variables with the same name in different namespaces have been removed. |
+| Variable used in its own initializer (`cpp/use-in-own-initializer`) | Fewer false positive results | False positive results for constant variables with the same name in different namespaces have been removed. |
 
 ## Changes to QL libraries
 
+- The data flow library (`semmle.code.cpp.dataflow.DataFlow`) has had the
+  following improvements, all of which benefit the taint tracking library
+  (`semmle.code.cpp.dataflow.TaintTracking`) as well.
+  - This release includes preliminary support for interprocedural flow through
+    fields (non-static data members). In some cases, data stored in a field in
+    one function can now flow to a read of the same field in a different
+    function.
+  - The possibility of specifying barrier edges using
+    `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
+    configurations has been replaced with the option of specifying in- and
+    out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
+    `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
+    as it does not require knowledge about the actual edges used internally by
+    the library.
+  - The library now models data flow through `std::swap`.
+  - Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16 in March 2018. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries.
+- In the `semmle.code.cpp.dataflow.TaintTracking` library, the second copy of `Configuration` has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
+- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
 - The predicate `Variable.getAnAssignedValue()` now reports assignments to fields resulting from aggregate initialization (` = {...}`).
 - The predicate `TypeMention.toString()` has been simplified to always return the string "`type mention`".  This may improve performance when using `Element.toString()` or its descendants.
-- The `semmle.code.cpp.security.TaintTracking` library now considers a pointer difference calculation as blocking taint flow.
-- The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.cpp.dataflow.TaintTracking2` to access the new name.
-- Fixed the `LocalScopeVariableReachability.qll` library's handling of loops with an entry condition is both always true upon first entry, and where there is more than one control flow path through the loop condition.  This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries which depend on it.
-- The `semmle.code.cpp.models` library now models data flow through `std::swap`.
+- Fixed the `LocalScopeVariableReachability.qll` library's handling of loops where the entry condition is always true on first entry, and where there is more than one control flow path through the loop condition. This change increases the accuracy of the `LocalScopeVariableReachability.qll` library and queries that depend on it.
 - There is a new `Variable.isThreadLocal()` predicate. It can be used to tell whether a variable is `thread_local`.
-- Recursion through the `DataFlow` library is now always a compile error. Such recursion has been deprecated since release 1.16. If one `DataFlow::Configuration` needs to depend on the results of another, switch one of them to use one of the `DataFlow2` through `DataFlow4` libraries.
+- C/C++ code examples have been added to QLDoc comments on many more classes in the QL libraries.
@@ -1,31 +1,38 @@
 # Improvements to C# analysis
 
+The following changes in version 1.22 affect C# analysis in all applications.
+
 ## Changes to existing queries
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-| Added lines (`cs/vcs/added-lines-per-file`) | No results | Query has been removed. |
-| Churned lines (`cs/vcs/churn-per-file`) | No results | Query has been removed. |
 | Constant condition (`cs/constant-condition`) | Fewer false positive results | Results have been removed for default cases (`_`) in switch expressions. |
-| Defect filter | No results | Query has been removed. |
-| Defect from SVN | No results | Query has been removed. |
-| Deleted lines (`cs/vcs/deleted-lines-per-file`) | No results | Query has been removed. |
 | Dispose may not be called if an exception is thrown during execution (`cs/dispose-not-called-on-throw`) | Fewer false positive results | Results have been removed where an object is disposed both by a `using` statement and a `Dispose` call. |
-| Files edited in pairs | No results | Query has been removed. |
-| Filter: only files recently edited | No results | Query has been removed. |
-| Large files currently edited | No results | Query has been removed. |
-| Metric from SVN | No results | Query has been removed. |
-| Number of authors (version control) (`cs/vcs/authors-per-file`) | No results | Query has been removed. |
-| Number of file-level changes (`cs/vcs/commits-per-file`) | No results | Query has been removed. |
-| Number of co-committed files (`cs/vcs/co-commits-per-file`) | No results | Query has been removed. |
-| Number of file re-commits (`cs/vcs/recommits-per-file`) | No results | Query has been removed. |
-| Number of recent file changes (`cs/vcs/recent-commits-per-file`) | No results | Query has been removed. |
-| Number of authors | No results | Query has been removed. |
-| Number of commits | No results | Query has been removed. |
-| Poorly documented files with many authors | No results | Query has been removed. |
-| Recent activity | No results | Query has been removed. |
 | Unchecked return value (`cs/unchecked-return-value`) | Fewer false positive results | Method calls that are expression bodies of `void` callables (for example, the call to `Foo` in `void Bar() => Foo()`) are no longer considered to use the return value. |
 
+## Removal of old queries
+
+The following historic queries are no longer available in the distribution:
+
+* Added lines (`cs/vcs/added-lines-per-file`)
+* Churned lines (`cs/vcs/churn-per-file`)
+* Defect filter
+* Defect from SVN
+* Deleted lines (`cs/vcs/deleted-lines-per-file`)
+* Files edited in pairs
+* Filter: only files recently edited
+* Large files currently edited
+* Metric from SVN
+* Number of authors (version control) (`cs/vcs/authors-per-file`)
+* Number of file-level changes (`cs/vcs/commits-per-file`)
+* Number of co-committed files (`cs/vcs/co-commits-per-file`)
+* Number of file re-commits (`cs/vcs/recommits-per-file`)
+* Number of recent file changes (`cs/vcs/recent-commits-per-file`)
+* Number of authors
+* Number of commits
+* Poorly documented files with many authors
+* Recent activity
+
 ## Changes to code extraction
 
 * The following C# 8 features are now extracted:
@@ -34,12 +41,18 @@
 
 ## Changes to QL libraries
 
-* The new class `AnnotatedType` models types with type annotations, including nullability information, return kinds (`ref` and `readonly ref`), and parameter kinds (`in`, `out`, and `ref`)
-  - The new predicate `Assignable.getAnnotatedType()` gets the annotated type of an assignable (such as a variable or a property)
-  - The new predicates `Callable.getAnnotatedReturnType()` and `DelegateType.getAnnotatedReturnType()` get the annotated type of the return value
-  - The new predicate `ArrayType.getAnnotatedElementType()` gets the annotated type of the array element
-  - The new predicate `ConstructedGeneric.getAnnotatedTypeArgument()` gets the annotated type of a type argument
-  - The new predicate `TypeParameterConstraints.getAnAnnotatedTypeConstraint()` gets a type constraint with type annotations
-* The new class `SuppressNullableWarningExpr` models suppress-nullable-warning expressions such as `x!`
-
-## Changes to autobuilder
+* The new class `AnnotatedType` models types with type annotations, including nullability information, return kinds (`ref` and `readonly ref`), and parameter kinds (`in`, `out`, and `ref`).
+  - The new predicate `Assignable.getAnnotatedType()` gets the annotated type of an assignable (such as a variable or a property).
+  - The new predicates `Callable.getAnnotatedReturnType()` and `DelegateType.getAnnotatedReturnType()` gets the annotated type of the return value.
+  - The new predicate `ArrayType.getAnnotatedElementType()` gets the annotated type of the array element.
+  - The new predicate `ConstructedGeneric.getAnnotatedTypeArgument()` gets the annotated type of a type argument.
+  - The new predicate `TypeParameterConstraints.getAnAnnotatedTypeConstraint()` gets a type constraint with type annotations.
+* The new class `SuppressNullableWarningExpr` models suppress-nullable-warning expressions such as `x!`.
+* The data-flow and taint-tracking libraries now support flow through fields. All existing configurations will have field-flow enabled by default, but it can be disabled by adding `override int fieldFlowBranchLimit() { result = 0 }` to the configuration class. Field assignments, `this.Foo = x`, object initializers, `new C() { Foo = x }`, and field initializers `int Foo = 0` are supported.
+* The possibility of specifying barrier edges using
+  `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
+  configurations has been replaced with the option of specifying in- and
+  out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
+  `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
+  as it does not require knowledge about the actual edges used internally by
+  the library.
@@ -1,5 +1,7 @@
 # Improvements to Java analysis
 
+The following changes in version 1.22 affect Java analysis in all applications.
+
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
@@ -13,7 +15,21 @@
 
 * The virtual dispatch library has been updated to give more precise dispatch
   targets for `Object.toString()` calls. This affects all security queries and
-  removes false positives that arose from paths through impossible `toString()`
+  removes false positive results that arose from paths through impossible `toString()`
   calls.
 * The library `VCS.qll` and all queries that imported it have been removed.
-* The second copy of the interprocedural `TaintTracking` library has been renamed from `TaintTracking::Configuration2` to `TaintTracking2::Configuration`, and the old name is now deprecated. Import `semmle.code.java.dataflow.TaintTracking2` to access the new name.
+* The second copy of the interprocedural `TaintTracking` library has been
+  renamed from `TaintTracking::Configuration2` to
+  `TaintTracking2::Configuration`, and the old name is now deprecated. Import
+  `semmle.code.java.dataflow.TaintTracking2` to access the new name.
+* The data-flow library now makes it easier to specify barriers/sanitizers
+  arising from guards by overriding the predicate
+  `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
+  configurations respectively.
+* The possibility of specifying barrier edges using
+  `isBarrierEdge`/`isSanitizerEdge` in data-flow and taint-tracking
+  configurations has been replaced with the option of specifying in- and
+  out-barriers on nodes by overriding `isBarrierIn`/`isSanitizerIn` and
+  `isBarrierOut`/`isSanitizerOut`. This should be simpler to use effectively,
+  as it does not require knowledge about the actual edges used internally by
+  the library.
@@ -16,7 +16,11 @@
 * Support for tracking data flow and taint through getter functions (that is, functions that return a property of one of their arguments) and through the receiver object of method calls has been improved. This may produce more security alerts.
 
 * Taint tracking through object property names has been made more precise, resulting in fewer false positive results.
-  
+
+* Method calls are now resolved in more cases, due to improved class hierarchy analysis. This may produce more security alerts.
+
+* Jump-to-definition now resolves calls to their definition in more cases, and supports jumping from a JSDoc type annotation to its definition.
+
 ## New queries
 
 | **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
@@ -28,14 +32,19 @@
 
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
-| Shift out of range | Fewer false positive results | This rule now correctly handles BigInt shift operands. |
-| Conflicting HTML element attributes | Fewer results | Results are no longer shown on LGTM by default. |
-| Superfluous trailing arguments | Fewer false-positive results. | This rule no longer flags calls to placeholder functions that trivially throw an exception. |
+| Conflicting HTML element attributes (`js/conflicting-html-attribute`) | No changes to results | Results are no longer shown on LGTM by default. |
+| Shift out of range (`js/shift-out-of-range`| Fewer false positive results | This rule now correctly handles BigInt shift operands. |
+| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer false-positive results. | This rule no longer flags calls to placeholder functions that trivially throw an exception. |
+| Undocumented parameter (`js/jsdoc/missing-parameter`) | No changes to results | This rule is now run on LGTM, although its results are still not shown by default. |
 
 ## Changes to QL libraries
 
-- The `getName()` predicate on functions and classes now gets a name
+- The `getName()` predicate on functions and classes now gets a name that is
   inferred from the context if the function or class was not declared with a name.
 - The two-argument and three-argument variants of `DataFlow::Configuration::isBarrier` and
   `TaintTracking::Configuration::isSanitizer` have been deprecated. Overriding them no
   longer has any effect. Use `isBarrierEdge` and `isSanitizerEdge` instead.
+- The QLDoc for most AST classes have been expanded with concrete syntax examples.
+- Tutorials on how to use [flow labels](https://help.semmle.com/QL/learn-ql/javascript/flow-labels.html)
+  and [type tracking](https://help.semmle.com/QL/learn-ql/javascript/type-tracking.html) have been published,
+  as well as a [data flow cheat sheet](https://help.semmle.com/QL/learn-ql/javascript/dataflow-cheat-sheet.html) for quick reference.
@@ -6,9 +6,29 @@
 ### Points-to
 Tracking of "unknown" values from modules that are absent from the database has been improved. Particularly when an "unknown" value is used as a decorator, the decorated function is tracked.
 
+### Loop unrolling
+The extractor now unrolls a single iteration of loops that are known to run at least once. This improves analysis in cases like the following
 
-### Impact on existing queries.
+```python
+if seq:
+    for x in seq:
+        y = x
+    y  # y is defined here
+```
 
+### Better API for function parameter annotations
+Instances of the `Parameter` and `ParameterDefinition` class now have a `getAnnotation` method that returns the corresponding parameter annotation, if one exists.
+
+### Improvements to the Value API
+- The Value API has been extended with classes representing functions, classes, tuples, and other types.
+
+- `Value::forInt(int x)` and `Value::forString(string s)` have been added to make it easier to refer to the `Value` entities for common constants.
+
+### Other improvements
+
+- Short flags for regexes (for example, `re.M` for multiline regexes) are now handled correctly.
+- Modules with multiple import roots no longer get multiple names.
+- A new `NegativeIntegerLiteral` class has been added as a subtype of `ImmutableLiteral`, so that `-1` is treated as an `ImmutableLiteral`. This means that queries looking for the use of constant integers will automatically handle negative numbers.
 
 ## New queries