github
diff --git a/‎.github/codeql/codeql-config.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/codeql/codeql-config.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.vscode/extensions.json‎
Lines changed: 2 additions & 2 deletions b/‎.vscode/extensions.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 4 additions & 0 deletions b/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎config/identical-files.json‎
Lines changed: 8 additions & 0 deletions b/‎config/identical-files.json‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj‎
Lines changed: 1 addition & 1 deletion b/‎cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/Semmle.Autobuild.Cpp.Tests.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj‎
Lines changed: 1 addition & 1 deletion b/‎cpp/autobuilder/Semmle.Autobuild.Cpp/Semmle.Autobuild.Cpp.csproj‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/change-notes/2020-09-29-range-analysis-rollup.md‎
Lines changed: 14 additions & 0 deletions b/‎cpp/change-notes/2020-09-29-range-analysis-rollup.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎cpp/ql/src/Critical/OverflowDestination.ql‎
Lines changed: 1 addition & 4 deletions b/‎cpp/ql/src/Critical/OverflowDestination.ql‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎cpp/ql/src/Critical/SizeCheck2.ql‎
Lines changed: 1 addition & 6 deletions b/‎cpp/ql/src/Critical/SizeCheck2.ql‎
Lines changed: 1 addition & 6 deletions
@@ -7,3 +7,5 @@ paths-ignore:
   - '/cpp/'
   - '/java/'
   - '/python/'
+  - '/javascript/ql/test'
+  - '/javascript/extractor/tests'
@@ -3,8 +3,8 @@
     // Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
     // List of extensions which should be recommended for users of this workspace.
     "recommendations": [
-        "github.vscode-codeql"
+        "GitHub.vscode-codeql"
     ],
     // List of extensions recommended by VS Code that should not be recommended for users of this workspace.
     "unwantedRecommendations": []
-}
+}
@@ -25,6 +25,7 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 * The models library now models many more taint flows through `std::string`.
 * The models library now models many taint flows through `std::istream` and `std::ostream`.
 * The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
+* The models library now models many taint flows through `std::pair`, `std::map`, `std::unordered_map`, `std::set` and `std::unordered_set`.
 * The models library now models `bcopy`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
@@ -3,6 +3,8 @@
 ## General improvements
 
 * Support for the following frameworks and libraries has been improved:
+  - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
+  - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
   - [bluebird](https://www.npmjs.com/package/bluebird)
   - [express](https://www.npmjs.com/package/express)
   - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
@@ -14,6 +16,7 @@
   - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
   - [json3](https://www.npmjs.com/package/json3)
   - [lodash](https://www.npmjs.com/package/lodash)
+  - [needle](https://www.npmjs.com/package/needle)
   - [object-inspect](https://www.npmjs.com/package/object-inspect)
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
@@ -39,6 +42,7 @@
 | Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
 | Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
+| Missing CSRF middleware (`js/missing-token-validation`) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
 
 
 ## Changes to libraries
 
@@ -62,6 +62,14 @@
     "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
+  "Bound Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
+  ],
+  "ModulusAnalysis Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+  ],
   "C++ SubBasicBlocks": [
     "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
 
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp3.0</TargetFramework>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
     <Nullable>enable</Nullable>
 
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.0</TargetFramework>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
     <AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
     <RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
     <ApplicationIcon />
 
@@ -0,0 +1,14 @@
+lgtm,codescanning
+* The `SimpleRangeAnalysis` library has gained support for several language
+  constructs it did not support previously. These improvements primarily affect
+  the queries `cpp/constant-comparison`, `cpp/comparison-with-wider-type`, and
+  `cpp/integer-multiplication-cast-to-long`. The newly supported language
+  features are:
+    * Multiplication of unsigned numbers.
+    * Multiplication by a constant.
+    * Reference-typed function parameters.
+    * Comparing a variable not equal to an endpoint of its range, thus narrowing the range by one.
+    * Using `if (x)` or `if (!x)` or similar to test for equality to zero.
+* The `SimpleRangeAnalysis` library can now be extended with custom rules. See
+  examples in
+  `cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/extensions/`.
@@ -23,10 +23,7 @@ import semmle.code.cpp.security.TaintTracking
  * ```
  */
 predicate sourceSized(FunctionCall fc, Expr src) {
-  exists(string name |
-    (name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
-    fc.getTarget().hasGlobalOrStdName(name)
-  ) and
+  fc.getTarget().hasGlobalOrStdName(["strncpy", "strncat", "memcpy", "memmove"]) and
   exists(Expr dest, Expr size, Variable v |
     fc.getArgument(0) = dest and
     fc.getArgument(1) = src and
 
@@ -15,12 +15,7 @@
 import cpp
 
 class Allocation extends FunctionCall {
-  Allocation() {
-    exists(string name |
-      this.getTarget().hasGlobalOrStdName(name) and
-      (name = "malloc" or name = "calloc" or name = "realloc")
-    )
-  }
+  Allocation() { this.getTarget().hasGlobalOrStdName(["malloc", "calloc", "realloc"]) }
 
   private string getName() { this.getTarget().hasGlobalOrStdName(result) }