codeql/change-notes/1.25/analysis-cpp.md

# Improvements to C/C++ analysis

The following changes in version 1.25 affect C/C++ analysis in all applications.

## General improvements

## New queries

| **Query**                   | **Tags**  | **Purpose**                                                        |
|-----------------------------|-----------|--------------------------------------------------------------------|

## Changes to existing queries

| **Query**                  | **Expected impact**    | **Change**                                                       |
|----------------------------|------------------------|------------------------------------------------------------------|
| Uncontrolled format string (`cpp/tainted-format-string`) |  | This query is now displayed by default on LGTM. |
| Uncontrolled format string (through global variable) (`cpp/tainted-format-string-through-global`) |  | This query is now displayed by default on LGTM. |

## Changes to libraries

* The library `VCS.qll` and all queries that imported it have been removed.
* The data-flow library has been improved, which affects most security queries by potentially
  adding more results. Flow through functions now takes nested field reads/writes into account.
  For example, the library is able to track flow from `taint()` to `sink()` via the method
  `getf2f1()` in
  ```c
  struct C {
      int f1;
  };

  struct C2
  {
      C f2;

      int getf2f1() {
          return f2.f1; // Nested field read
      }

      void m() {
          f2.f1 = taint();
          sink(getf2f1()); // NEW: taint() reaches here
      }
  };
  ```
* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint.  This results in fewer false positive results from queries that use this library.
* The length of a tainted string (such as the return value of a call to `strlen` or `strftime` with tainted parameters) is no longer itself considered tainted by the `models` library.  This leads to fewer false positive results in queries that use any of our taint libraries.