Fix some violations of ql/could-be-cast.

Author: michaelnebel

actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -37,8 +37,6 @@ where
     )
     or
     // upload artifact is not used in the same workflow
-    not exists(UsesStep upload |
-      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
-    )
+    not download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() instanceof UsesStep
   )
 select download, "Potential artifact poisoning"

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql

@@ -266,7 +266,7 @@ class LifetimePointerType extends LifetimeIndirectionType {
 class FullExpr extends Expr {
   FullExpr() {
     // A full-expression is not a subexpression
-    not exists(Expr p | this.getParent() = p)
+    not this.getParent() instanceof Expr
     or
     // A sub-expression that is an unevaluated operand
     this.isUnevaluated()

cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql

@@ -28,7 +28,7 @@ where
   exists(FunctionCall c, int i, Function f |
     c.getArgument(i) = e and
     c.getTarget() = f and
-    exists(Parameter p | f.getParameter(i) = p) and // varargs
+    exists(f.getParameter(i)) and // varargs
     baseElement(e.getType(), cl) and // only interested in arrays with classes
     not compatible(f.getParameter(i).getUnspecifiedType(), e.getUnspecifiedType())
   )

csharp/ql/src/Telemetry/DatabaseQuality.qll

@@ -12,7 +12,7 @@ module CallTargetStats implements StatsSig {
   private predicate isNoSetterPropertyCallInConstructor(PropertyCall c) {
     exists(Property p, Constructor ctor |
       p = c.getProperty() and
-      not exists(Setter a | a = p.getAnAccessor()) and
+      not p.getAnAccessor() instanceof Setter and
       c.getEnclosingCallable() = ctor and
       (
         c.hasThisQualifier()
@@ -25,7 +25,7 @@ module CallTargetStats implements StatsSig {
   private predicate isNoSetterPropertyInitialization(PropertyCall c) {
     exists(Property p, AssignExpr assign |
       p = c.getProperty() and
-      not exists(Setter a | a = p.getAnAccessor()) and
+      not p.getAnAccessor() instanceof Setter and
       assign = c.getParent() and
       assign.getLValue() = c and
       assign.getParent() instanceof Property

java/ql/src/experimental/quantum/Analysis/ArtifactReuse.qll

@@ -10,15 +10,13 @@ import experimental.quantum.Language
  */
 private module WrapperConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    exists(Call c |
-      c = source.asExpr()
-      // not handling references yet, I think we want to flat say references are only ok
-      // if I know the source, otherwise, it has to be through an additional flow step, which
-      // we filter as a source, i.e., references are only allowed as sources only,
-      // no inferrece? Not sure if that would work
-      //or
-      //   source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = c.getAnArgument()
-    ) and
+    source.asExpr() instanceof Call and
+    // not handling references yet, I think we want to flat say references are only ok
+    // if I know the source, otherwise, it has to be through an additional flow step, which
+    // we filter as a source, i.e., references are only allowed as sources only,
+    // no inferrece? Not sure if that would work
+    //or
+    //   source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = c.getAnArgument()
     // Filter out sources that are known additional flow steps, as these are likely not the
     // kind of wrapper source we are looking for.
     not exists(AdditionalFlowInputStep s | s.getOutput() = source)

python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql

@@ -63,7 +63,7 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
       // For a call to `file.extractall` without `members` argument, `file` is considered a sink.
       exists(MethodCallNode call, AllTarfileOpens atfo |
         call = atfo.getReturn().getMember("extractall").getACall() and
-        not exists(Node arg | arg = call.getArgByName("members")) and
+        not exists(call.getArgByName("members")) and
         sink = call.getObject()
       )
       or