github
diff --git a/‎change-notes/1.24/analysis-java.md‎
Lines changed: 3 additions & 1 deletion b/‎change-notes/1.24/analysis-java.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected‎
Lines changed: 100 additions & 0 deletions b/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.cpp‎
Lines changed: 129 additions & 0 deletions b/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.cpp‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected‎
Lines changed: 22 additions & 0 deletions b/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.ql‎
Lines changed: 19 additions & 0 deletions b/‎cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.ql‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎java/ql/src/Complexity/ComplexCondition.ql‎
Lines changed: 4 additions & 1 deletion b/‎java/ql/src/Complexity/ComplexCondition.ql‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎java/ql/src/Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.qhelp‎
Lines changed: 1 addition & 5 deletions b/‎java/ql/src/Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.qhelp‎
Lines changed: 1 addition & 5 deletions
@@ -10,15 +10,17 @@ The following changes in version 1.24 affect Java analysis in all applications.
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
+| Disabled Spring CSRF protection (`java/spring-disabled-csrf-protection`) | security, external/cwe/cwe-352 | Finds disabled Cross-Site Request Forgery (CSRF) protection in Spring. |
 | Failure to use HTTPS or SFTP URL in Maven artifact upload/download (`java/maven/non-https-url`) | security, external/cwe/cwe-300, external/cwe/cwe-319, external/cwe/cwe-494, external/cwe/cwe-829 | Finds use of insecure protocols during Maven dependency resolution. Results are shown on LGTM by default. |
+| Left shift by more than the type width (`java/lshift-larger-than-type-width`) | correctness | Finds left shifts of ints by 32 bits or more and left shifts of longs by 64 bits or more. Results are shown on LGTM by default. |
 | Suspicious date format (`java/suspicious-date-format`) | correctness | Finds date format patterns that use placeholders that are likely to be incorrect. |
 
 ## Changes to existing queries
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
 | Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positives | Final fields with a non-null initializer are no longer reported. |
-| Expression always evaluates to the same value (`java/evaluation-to-constant`) | Fewer false positives | Expressions of the form `0 * x` are usually intended and no longer reported. |
+| Expression always evaluates to the same value (`java/evaluation-to-constant`) | Fewer false positives | Expressions of the form `0 * x` are usually intended and no longer reported. Also left shift of ints by 32 bits and longs by 64 bits are no longer reported as they are not constant, these results are instead reported by the new query `java/lshift-larger-than-type-width`. |
 | Useless null check (`java/useless-null-check`) | More true positives | Useless checks on final fields with a non-null initializer are now reported. |
 
 ## Changes to libraries
 
@@ -4,12 +4,14 @@
 | defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:16:8:16:29 | (const char *)... |
 | defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:16:16:16:21 | call to getenv |
 | defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:16:16:16:28 | (const char *)... |
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | test_diff.cpp:1:11:1:20 | p#0 |
 | defaulttainttracking.cpp:17:15:17:20 | call to getenv | defaulttainttracking.cpp:5:14:5:23 | p#0 |
 | defaulttainttracking.cpp:17:15:17:20 | call to getenv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
 | defaulttainttracking.cpp:17:15:17:20 | call to getenv | defaulttainttracking.cpp:17:8:17:13 | call to strdup |
 | defaulttainttracking.cpp:17:15:17:20 | call to getenv | defaulttainttracking.cpp:17:8:17:28 | (const char *)... |
 | defaulttainttracking.cpp:17:15:17:20 | call to getenv | defaulttainttracking.cpp:17:15:17:20 | call to getenv |
 | defaulttainttracking.cpp:17:15:17:20 | call to getenv | defaulttainttracking.cpp:17:15:17:27 | (const char *)... |
+| defaulttainttracking.cpp:17:15:17:20 | call to getenv | test_diff.cpp:1:11:1:20 | p#0 |
 | defaulttainttracking.cpp:18:27:18:32 | call to getenv | defaulttainttracking.cpp:7:26:7:35 | p#0 |
 | defaulttainttracking.cpp:18:27:18:32 | call to getenv | defaulttainttracking.cpp:18:27:18:32 | call to getenv |
 | defaulttainttracking.cpp:18:27:18:32 | call to getenv | defaulttainttracking.cpp:18:27:18:39 | (const char *)... |
@@ -19,6 +21,7 @@
 | defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:8:22:33 | (const char *)... |
 | defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:20:22:25 | call to getenv |
 | defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:20:22:32 | (const char *)... |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | test_diff.cpp:1:11:1:20 | p#0 |
 | defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:32:11:32:26 | p#0 |
 | defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:38:11:38:21 | env_pointer |
 | defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:38:25:38:30 | call to getenv |
@@ -27,3 +30,100 @@
 | defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:39:26:39:34 | call to inet_addr |
 | defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:39:50:39:61 | & ... |
 | defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:40:10:40:10 | a |
+| test_diff.cpp:92:10:92:13 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:92:10:92:13 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:92:10:92:13 | argv | test_diff.cpp:92:10:92:13 | argv |
+| test_diff.cpp:92:10:92:13 | argv | test_diff.cpp:92:10:92:16 | (const char *)... |
+| test_diff.cpp:92:10:92:13 | argv | test_diff.cpp:92:10:92:16 | access to array |
+| test_diff.cpp:94:32:94:35 | argv | defaulttainttracking.cpp:10:11:10:13 | p#0 |
+| test_diff.cpp:94:32:94:35 | argv | test_diff.cpp:2:11:2:13 | p#0 |
+| test_diff.cpp:94:32:94:35 | argv | test_diff.cpp:94:10:94:36 | reinterpret_cast<int>... |
+| test_diff.cpp:94:32:94:35 | argv | test_diff.cpp:94:32:94:35 | argv |
+| test_diff.cpp:96:26:96:29 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:96:26:96:29 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:96:26:96:29 | argv | test_diff.cpp:16:39:16:39 | a |
+| test_diff.cpp:96:26:96:29 | argv | test_diff.cpp:17:10:17:10 | a |
+| test_diff.cpp:96:26:96:29 | argv | test_diff.cpp:96:26:96:29 | argv |
+| test_diff.cpp:96:26:96:29 | argv | test_diff.cpp:96:26:96:32 | (const char *)... |
+| test_diff.cpp:96:26:96:29 | argv | test_diff.cpp:96:26:96:32 | access to array |
+| test_diff.cpp:98:18:98:21 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:16:39:16:39 | a |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:17:10:17:10 | a |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:98:13:98:13 | p |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:98:17:98:21 | & ... |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:98:18:98:21 | argv |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:100:10:100:14 | (const char *)... |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:100:10:100:14 | * ... |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:100:11:100:11 | p |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:100:11:100:14 | access to array |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:102:26:102:30 | (const char *)... |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:102:26:102:30 | * ... |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:102:27:102:27 | p |
+| test_diff.cpp:98:18:98:21 | argv | test_diff.cpp:102:27:102:30 | access to array |
+| test_diff.cpp:104:12:104:15 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:10:104:20 | (const char *)... |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:10:104:20 | * ... |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:11:104:20 | (...) |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:12:104:15 | argv |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:12:104:19 | ... + ... |
+| test_diff.cpp:108:10:108:13 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:24:20:24:29 | p#0 |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:29:24:29:24 | p |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:30:14:30:14 | p |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:108:10:108:13 | argv |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:108:10:108:16 | (const char *)... |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:108:10:108:16 | access to array |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:24:20:24:29 | p#0 |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:36:24:36:24 | p |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:111:10:111:13 | argv |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:111:10:111:16 | (const char *)... |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:111:10:111:16 | access to array |
+| test_diff.cpp:115:11:115:14 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:24:20:24:29 | p#0 |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:41:24:41:24 | p |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:42:14:42:14 | p |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:52:24:52:24 | p |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:53:37:53:37 | p |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:115:11:115:14 | argv |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:115:11:115:17 | (const char *)... |
+| test_diff.cpp:115:11:115:14 | argv | test_diff.cpp:115:11:115:17 | access to array |
+| test_diff.cpp:118:26:118:29 | argv | test_diff.cpp:60:24:60:24 | p |
+| test_diff.cpp:118:26:118:29 | argv | test_diff.cpp:61:34:61:34 | p |
+| test_diff.cpp:118:26:118:29 | argv | test_diff.cpp:88:24:88:24 | p |
+| test_diff.cpp:118:26:118:29 | argv | test_diff.cpp:118:26:118:29 | argv |
+| test_diff.cpp:118:26:118:29 | argv | test_diff.cpp:118:26:118:32 | (const char *)... |
+| test_diff.cpp:118:26:118:29 | argv | test_diff.cpp:118:26:118:32 | access to array |
+| test_diff.cpp:121:23:121:26 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:60:24:60:24 | p |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:61:34:61:34 | p |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:67:24:67:24 | p |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:68:14:68:14 | p |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:121:23:121:26 | argv |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:121:23:121:29 | (const char *)... |
+| test_diff.cpp:121:23:121:26 | argv | test_diff.cpp:121:23:121:29 | access to array |
+| test_diff.cpp:124:19:124:22 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:24:20:24:29 | p#0 |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:76:24:76:24 | p |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:81:24:81:24 | p |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:82:14:82:14 | p |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:124:19:124:22 | argv |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:124:19:124:25 | (const char *)... |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:124:19:124:25 | access to array |
+| test_diff.cpp:126:43:126:46 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 |
+| test_diff.cpp:126:43:126:46 | argv | test_diff.cpp:1:11:1:20 | p#0 |
+| test_diff.cpp:126:43:126:46 | argv | test_diff.cpp:76:24:76:24 | p |
+| test_diff.cpp:126:43:126:46 | argv | test_diff.cpp:81:24:81:24 | p |
+| test_diff.cpp:126:43:126:46 | argv | test_diff.cpp:82:14:82:14 | p |
+| test_diff.cpp:126:43:126:46 | argv | test_diff.cpp:126:43:126:46 | argv |
+| test_diff.cpp:126:43:126:46 | argv | test_diff.cpp:126:43:126:49 | (const char *)... |
+| test_diff.cpp:126:43:126:46 | argv | test_diff.cpp:126:43:126:49 | access to array |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:76:24:76:24 | p |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:128:44:128:47 | argv |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:128:44:128:50 | (const char *)... |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:128:44:128:50 | access to array |
@@ -0,0 +1,129 @@
+void sink(const char *);
+void sink(int);
+
+struct S {
+    void(*f)(const char*);
+
+    void apply(char* p) {
+        f(p);
+    }
+
+    void (*get())(const char*) {
+        return f;
+    }
+};
+
+void calls_sink_with_argv(const char* a) {
+    sink(a);
+}
+
+extern int i;
+
+class BaseWithPureVirtual {
+public:
+    virtual void f(const char*) = 0;
+};
+
+class DerivedCallsSink : public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {
+        sink(p);
+    }
+};
+
+class DerivedDoesNotCallSink : public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {}
+};
+
+class DerivedCallsSinkDiamond1 : virtual public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {
+        sink(p);
+    }
+};
+
+class DerivedDoesNotCallSinkDiamond2 : virtual public BaseWithPureVirtual {
+public:
+    void f(const char* p) override {}
+};
+
+class DerivesMultiple : public DerivedCallsSinkDiamond1, public DerivedDoesNotCallSinkDiamond2 {
+    void f(const char* p) override {
+        DerivedCallsSinkDiamond1::f(p);
+    }
+};
+
+template<typename T>
+class CRTP {
+public:
+    void f(const char* p) {
+        static_cast<T*>(this)->g(p);
+    }
+};
+
+class CRTPCallsSink : public CRTP<CRTPCallsSink> {
+    public:
+    void g(const char* p) {
+        sink(p);
+    }
+};
+
+class Derived1 : public BaseWithPureVirtual {};
+
+class Derived2 : public Derived1 {
+    public:
+    void f(const char* p) override {}
+};
+
+class Derived3 : public Derived2 {
+    public:
+    void f(const char* p) override {
+        sink(p);
+    }
+};
+
+class CRTPDoesNotCallSink : public CRTP<CRTPDoesNotCallSink> {
+    public:
+    void g(const char* p) {}
+};
+
+int main(int argc, char *argv[]) {
+    sink(argv[0]);
+
+    sink(reinterpret_cast<int>(argv));
+
+    calls_sink_with_argv(argv[1]);
+
+    char*** p = &argv;
+
+    sink(*p[0]);
+
+    calls_sink_with_argv(*p[i]);
+
+    sink(*(argv + 1));
+
+    BaseWithPureVirtual* b = new DerivedCallsSink;
+
+    b->f(argv[1]);
+
+    b = new DerivedDoesNotCallSink;
+    b->f(argv[0]); // no flow [FALSE POSITIVE by AST]
+
+    BaseWithPureVirtual* b2 = new DerivesMultiple;
+
+    b2->f(argv[i]);
+
+    CRTP<CRTPDoesNotCallSink> crtp_not_call_sink;
+    crtp_not_call_sink.f(argv[0]);
+
+    CRTP<CRTPCallsSink> crtp_calls_sink;
+    crtp_calls_sink.f(argv[0]);
+
+    Derived1* calls_sink = new Derived3;
+    calls_sink->f(argv[1]);
+
+    static_cast<Derived2*>(calls_sink)->f(argv[1]);
+
+    dynamic_cast<Derived2*>(calls_sink)->f(argv[1]); // flow [NOT DETECTED by IR]
+}
@@ -0,0 +1,22 @@
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:9:11:9:20 | p#0 | IR only |
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:16:8:16:14 | call to _strdup | IR only |
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | defaulttainttracking.cpp:16:8:16:29 | (const char *)... | IR only |
+| defaulttainttracking.cpp:16:16:16:21 | call to getenv | test_diff.cpp:1:11:1:20 | p#0 | IR only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:3:21:3:22 | s1 | AST only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:21:8:21:10 | buf | AST only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:15:22:17 | buf | AST only |
+| defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:24:8:24:10 | buf | AST only |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:31:40:31:53 | dotted_address | AST only |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:39:36:39:61 | (const char *)... | AST only |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:39:51:39:61 | env_pointer | AST only |
+| test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:11:104:20 | (...) | IR only |
+| test_diff.cpp:108:10:108:13 | argv | test_diff.cpp:36:24:36:24 | p | AST only |
+| test_diff.cpp:111:10:111:13 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 | AST only |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:1:11:1:20 | p#0 | AST only |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:29:24:29:24 | p | AST only |
+| test_diff.cpp:111:10:111:13 | argv | test_diff.cpp:30:14:30:14 | p | AST only |
+| test_diff.cpp:124:19:124:22 | argv | test_diff.cpp:76:24:76:24 | p | IR only |
+| test_diff.cpp:128:44:128:47 | argv | defaulttainttracking.cpp:9:11:9:20 | p#0 | AST only |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:1:11:1:20 | p#0 | AST only |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:81:24:81:24 | p | AST only |
+| test_diff.cpp:128:44:128:47 | argv | test_diff.cpp:82:14:82:14 | p | AST only |
@@ -0,0 +1,19 @@
+import cpp
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.security.TaintTracking as ASTTaintTracking
+import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
+
+predicate astFlow(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
+
+predicate irFlow(Expr source, Element sink) { IRDefaultTaintTracking::tainted(source, sink) }
+
+from Expr source, Element sink, string note
+where
+  astFlow(source, sink) and
+  not irFlow(source, sink) and
+  note = "AST only"
+  or
+  irFlow(source, sink) and
+  not astFlow(source, sink) and
+  note = "IR only"
+select source, sink, note
@@ -13,7 +13,10 @@ import java
 
 predicate nontrivialLogicalOperator(BinaryExpr e) {
   e instanceof LogicExpr and
-  not e.getParent().(Expr).getKind() = e.getKind()
+  (
+    not e.getParent().(Expr).getKind() = e.getKind() or
+    e.isParenthesized()
+  )
 }
 
 Expr getSimpleParent(Expr e) {
 
@@ -14,10 +14,6 @@ Some expressions always evaluate to the same result, no matter what their subexp
 </li>
 <li><code>x % 1</code> always evaluates to <code>0</code>.
 </li>
-<li><code>x &lt;&lt; 64</code> (when <code>x</code> is of type <code>long</code>) always evaluates to <code>0</code>.
-</li>
-<li><code>x &lt;&lt; 32</code> (when <code>x</code> is not of type <code>long</code>) always evaluates to <code>0</code>.
-</li>
 <li><code>x &amp; 0</code> always evaluates to <code>0</code>.
 </li>
 <li><code>x || true</code> always evaluates to <code>true</code>.
@@ -58,7 +54,7 @@ an integer. The correct check is <code>x % 2 == 0</code>.
 
 <li>
   The Java Language Specification:
-  <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.17.1">Multiplication operator *</a>, <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.17.3">Remainder operator %</a>, <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.19">Left shift operator &lt;&lt;</a>, <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.22.1">Bitwise AND operator &amp;</a>, <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.23">Conditional-and operator &amp;&amp;</a> and <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.24">Conditional-or operator ||</a>.
+  <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.17.1">Multiplication operator *</a>, <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.17.3">Remainder operator %</a>, <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.22.1">Bitwise AND operator &amp;</a>, <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.23">Conditional-and operator &amp;&amp;</a> and <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.24">Conditional-or operator ||</a>.
 </li>