C++: Exclude array initializers.

2025-12-20 10:46:30 +01:00 · 2021-05-12 19:39:30 +01:00
parent 52a88af6c1
commit 0450caa73d
3 changed files with 4 additions and 3 deletions
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -48,7 +48,9 @@ class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
    exists(this.getAGeneratedElement().(ControlFlowNode)) and
    // exclude expressions controlling ifs/switches (as they may not be used).
    not any(IfStmt c).getCondition().getAChild*() = this.getAGeneratedElement() and
-    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement()
+    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement() and
+    // exclude expressions in array initializers (as they may not be used).
+    not any(AggregateLiteral i).getAChild*() = this.getAGeneratedElement() 
  }

  override string description() { result = "macro invocation" }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,4 +1,3 @@
-| test2.cpp:25:2:25:9 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -22,7 +22,7 @@ typedef void (*implementation_fn_ptr)(char *data, size_t amount, keytype key);
 #define ALGO_AES (2)

 int all_algos[] = {
-	ALGO_DES, // [FALSE POSITIVE]
+	ALGO_DES,
 	ALGO_AES
 };