hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into atorralba/promote-groovy-injection

Browse Source
This commit is contained in:
Tony Torralba
2021-08-03 09:53:46 +02:00
committed by GitHub
parent 36565802dc a27cb4b1ae
commit 084cda6daa
211 changed files with 5560 additions and 2147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CODEOWNERS
View File

@@ -17,3 +17,9 @@
/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go /java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
# CodeQL tools and associated docs
/docs/codeql-cli/ @github/codeql-cli-reviewers
/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
/docs/ql-language-reference/ @github/codeql-frontend-reviewers
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers

4
cpp/change-notes/2021-06-15-path-sensitive-stack-reachability.md
View File

@@ -1,4 +0,0 @@
lgtm,codescanning
* The `StackVariableReachability` library now ignores some paths that contain an infeasible combination
of conditionals. These improvements primarily affect the queries `cpp/uninitialized-local` and
`cpp/use-after-free`.

3
cpp/change-notes/2021-07-13-cleartext-storage-file.md Normal file
View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* The "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file) query now uses dataflow to produce additional results.
* Heuristics in the SensitiveExprs.qll library have been improved, making the "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file), "Cleartext storage of sensitive information in buffer" (cpp/cleartext-storage-buffer) and "Cleartext storage of sensitive information in an SQLite" (cpp/cleartext-storage-database) queries more accurate.

2
cpp/change-notes/2021-07-20-toctou-race-condition.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Improvements have been made to the `cpp/toctou-race-condition` query, both to find more correct results and fewer false positive results.

2
cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Virtual function specifiers are now accessible via the new predicates on `Function` (`.isDeclaredVirtual`, `.isOverride`, and `.isFinal`).

2
cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
View File

@@ -41,7 +41,7 @@ DeclStmt declWithNoInit(LocalVariable v) {
result.getADeclaration() = v and result.getADeclaration() = v and
not exists(v.getInitializer()) and not exists(v.getInitializer()) and
/* The type of the variable is not stack-allocated. */ /* The type of the variable is not stack-allocated. */
not allocatedType(v.getType()) exists(Type t | t = v.getType() | not allocatedType(t))
} }
class UninitialisedLocalReachability extends StackVariableReachability { class UninitialisedLocalReachability extends StackVariableReachability {

38
cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 7.5 * @security-severity 7.5
* @precision medium * @precision high
* @id cpp/cleartext-storage-file * @id cpp/cleartext-storage-file
* @tags security * @tags security
* external/cwe/cwe-313 * external/cwe/cwe-313
@@ -14,10 +14,40 @@
import cpp import cpp
import semmle.code.cpp.security.SensitiveExprs import semmle.code.cpp.security.SensitiveExprs
import semmle.code.cpp.security.FileWrite import semmle.code.cpp.security.FileWrite
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
from FileWrite w, SensitiveExpr source, Expr dest /**
* An operation on a filename.
*/
predicate filenameOperation(FunctionCall op, Expr path) {
exists(string name | name = op.getTarget().getName() |
name =
[
"remove", "unlink", "rmdir", "rename", "fopen", "open", "freopen", "_open", "_wopen",
"_wfopen", "_fsopen", "_wfsopen", "chmod", "chown", "stat", "lstat", "fstat", "access",
"_access", "_waccess", "_access_s", "_waccess_s"
] and
path = op.getArgument(0)
or
name = ["fopen_s", "wfopen_s", "rename"] and
path = op.getArgument(1)
)
}
predicate isFileName(GVN gvn) {
exists(FunctionCall op, Expr path |
filenameOperation(op, path) and
gvn = globalValueNumber(path)
)
}
from FileWrite w, SensitiveExpr source, Expr mid, Expr dest
where where
source = w.getASource() and DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(mid)) and
dest = w.getDest() mid = w.getASource() and
dest = w.getDest() and
not isFileName(globalValueNumber(source)) and // file names are not passwords
not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@", select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
source, "this source." source, "this source."

126
cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 7.7 * @security-severity 7.7
* @precision medium * @precision high
* @id cpp/toctou-race-condition * @id cpp/toctou-race-condition
* @tags security * @tags security
* external/cwe/cwe-367 * external/cwe/cwe-367
@@ -16,59 +16,60 @@ import cpp
import semmle.code.cpp.controlflow.Guards import semmle.code.cpp.controlflow.Guards
/** /**
* An operation on a filename. * An operation on a filename that is likely to modify the corresponding file
* and may return an indication of success.
* *
* Note: we're not interested in operations on file descriptors, as they * Note: we're not interested in operations where the file is specified by a
* are better behaved. * descriptor, rather than a filename, as they are better behaved. We are
* interested in functions that take a filename and return a file descriptor,
* however.
*/ */
FunctionCall filenameOperation(Expr path) { FunctionCall filenameOperation(Expr path) {
exists(string name | name = result.getTarget().getName() | exists(string name | name = result.getTarget().getName() |
( name =
name = "remove" or [
name = "unlink" or "remove", "unlink", "rmdir", "rename", "fopen", "open", "freopen", "_open", "_wopen",
name = "rmdir" or "_wfopen", "_fsopen", "_wfsopen"
name = "rename" or ] and
name = "chmod" or
name = "chown" or
name = "fopen" or
name = "open" or
name = "freopen" or
name = "_open" or
name = "_wopen" or
name = "_wfopen"
) and
result.getArgument(0) = path result.getArgument(0) = path
or or
( name = ["fopen_s", "wfopen_s", "rename"] and
name = "fopen_s" or
name = "wfopen_s"
) and
result.getArgument(1) = path result.getArgument(1) = path
) )
or
result = sensitiveFilenameOperation(path)
}
/**
* An operation on a filename that is likely to modify the security properties
* of the corresponding file and may return an indication of success.
*/
FunctionCall sensitiveFilenameOperation(Expr path) {
exists(string name | name = result.getTarget().getName() |
name = ["chmod", "chown"] and
result.getArgument(0) = path
)
} }
/** /**
* A use of `access` (or similar) on a filename. * An operation on a filename that returns information in the return value but
* does not modify the corresponding file. For example, `access`.
*/ */
FunctionCall accessCheck(Expr path) { FunctionCall accessCheck(Expr path) {
exists(string name | name = result.getTarget().getName() | exists(string name | name = result.getTarget().getName() |
name = "access" or name = ["access", "_access", "_waccess", "_access_s", "_waccess_s"]
name = "_access" or
name = "_waccess" or
name = "_access_s" or
name = "_waccess_s"
) and ) and
path = result.getArgument(0) path = result.getArgument(0)
} }
/** /**
* A use of `stat` (or similar) on a filename. * An operation on a filename that returns information via a pointer argument
* and any return value, but does not modify the corresponding file. For
* example, `stat`.
*/ */
FunctionCall stat(Expr path, Expr buf) { FunctionCall stat(Expr path, Expr buf) {
exists(string name | name = result.getTarget().getName() | exists(string name | name = result.getTarget().getName() |
name = "stat" or name = ["stat", "lstat", "fstat"] or
name = "lstat" or
name = "fstat" or
name.matches("\\_stat%") or name.matches("\\_stat%") or
name.matches("\\_wstat%") name.matches("\\_wstat%")
) and ) and
@@ -77,7 +78,7 @@ FunctionCall stat(Expr path, Expr buf) {
} }
/** /**
* Holds if `use` points to `source`, either by being the same or by * Holds if `use` refers to `source`, either by being the same or by
* one step of variable indirection. * one step of variable indirection.
*/ */
predicate referenceTo(Expr source, Expr use) { predicate referenceTo(Expr source, Expr use) {
@@ -88,36 +89,45 @@ predicate referenceTo(Expr source, Expr use) {
) )
} }
from FunctionCall fc, Expr check, Expr checkUse, Expr opUse from Expr check, Expr checkPath, FunctionCall use, Expr usePath
where where
// checkUse looks like a check on a filename // `check` looks like a check on a filename
( (
// either: (
// an access check // either:
check = accessCheck(checkUse) // an access check
or check = accessCheck(checkPath)
// a stat or
check = stat(checkUse, _) // a stat
check = stat(checkPath, _)
or
// access to a member variable on the stat buf
// (morally, this should be a use-use pair, but it seems unlikely
// that this variable will get reused in practice)
exists(Expr call, Expr e, Variable v |
call = stat(checkPath, e) and
e.getAChild*().(VariableAccess).getTarget() = v and
check.(VariableAccess).getTarget() = v and
not e.getAChild*() = check // the call that writes to the pointer is not where the pointer is checked.
)
) and
// `op` looks like an operation on a filename
use = filenameOperation(usePath)
or or
// another filename operation (null pointers can indicate errors) // another filename operation (null pointers can indicate errors)
check = filenameOperation(checkUse) check = filenameOperation(checkPath) and
or // `op` looks like a sensitive operation on a filename
// access to a member variable on the stat buf use = sensitiveFilenameOperation(usePath)
// (morally, this should be a use-use pair, but it seems unlikely
// that this variable will get reused in practice)
exists(Variable buf | exists(stat(checkUse, buf.getAnAccess())) |
check.(VariableAccess).getQualifier() = buf.getAnAccess()
)
) and ) and
// checkUse and opUse refer to the same SSA variable // `checkPath` and `usePath` refer to the same SSA variable
exists(SsaDefinition def, StackVariable v | def.getAUse(v) = checkUse and def.getAUse(v) = opUse) and exists(SsaDefinition def, StackVariable v |
// opUse looks like an operation on a filename def.getAUse(v) = checkPath and def.getAUse(v) = usePath
fc = filenameOperation(opUse) and ) and
// the return value of check is used (possibly with one step of // the return value of `check` is used (possibly with one step of
// variable indirection) in a guard which controls fc // variable indirection) in a guard which controls `use`
exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) | exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
guard.controls(fc.(ControlFlowNode).getBasicBlock(), _) guard.controls(use.(ControlFlowNode).getBasicBlock(), _)
) )
select fc, select use,
"The $@ being operated upon was previously $@, but the underlying file may have been changed since then.", "The $@ being operated upon was previously $@, but the underlying file may have been changed since then.",
opUse, "filename", check, "checked" usePath, "filename", check, "checked"

16
cpp/ql/src/semmle/code/cpp/Function.qll
View File

@@ -82,9 +82,23 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
/** Holds if this function is inline. */ /** Holds if this function is inline. */
predicate isInline() { this.hasSpecifier("inline") } predicate isInline() { this.hasSpecifier("inline") }
/** Holds if this function is virtual. */ /**
* Holds if this function is virtual.
*
* Unlike `isDeclaredVirtual()`, `isVirtual()` holds even if the function
* is not explicitly declared with the `virtual` specifier.
*/
predicate isVirtual() { this.hasSpecifier("virtual") } predicate isVirtual() { this.hasSpecifier("virtual") }
/** Holds if this function is declared with the `virtual` specifier. */
predicate isDeclaredVirtual() { this.hasSpecifier("declared_virtual") }
/** Holds if this function is declared with the `override` specifier. */
predicate isOverride() { this.hasSpecifier("override") }
/** Holds if this function is declared with the `final` specifier. */
predicate isFinal() { this.hasSpecifier("final") }
/** /**
* Holds if this function is deleted. * Holds if this function is deleted.
* This may be because it was explicitly deleted with an `= delete` * This may be because it was explicitly deleted with an `= delete`

2
cpp/ql/src/semmle/code/cpp/controlflow/DefinitionsAndUses.qll
View File

@@ -208,7 +208,7 @@ private predicate bbSuccessorEntryReachesDefOrUse(
boolean skipsFirstLoopAlwaysTrueUponEntry boolean skipsFirstLoopAlwaysTrueUponEntry
) { ) {
exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry | exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry |
bbSuccessorEntryReachesLoopInvariant0(bb, succ, skipsFirstLoopAlwaysTrueUponEntry, bbSuccessorEntryReachesLoopInvariant(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
succSkipsFirstLoopAlwaysTrueUponEntry) succSkipsFirstLoopAlwaysTrueUponEntry)
| |
bbEntryReachesDefOrUseLocally(succ, v, defOrUse) and bbEntryReachesDefOrUseLocally(succ, v, defOrUse) and

476
cpp/ql/src/semmle/code/cpp/controlflow/StackVariableReachability.qll
View File

@@ -3,250 +3,7 @@
* reachability involving stack variables. * reachability involving stack variables.
*/ */
private import semmle.code.cpp.controlflow.Guards import cpp
private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/** A `GuardCondition` which appear in a control-flow path to a sink. */
abstract private class LogicalGuardCondition extends GuardCondition {
LogicalGuardCondition() {
// Either the `GuardCondition` is part of the path from a source to a sink
revBbSuccessorEntryReaches0(_, this.getBasicBlock(), _, _, _)
or
// or it controls the basic block that contains the source node.
this.controls(any(BasicBlock bb | fwdBbEntryReachesLocally(bb, _, _, _)), _)
}
/**
* Holds if the truth of this logical expression having value `wholeIsTrue`
* implies that the truth of the child expression `part` has truth value `partIsTrue`.
*/
abstract predicate impliesCondition(
LogicalGuardCondition e, boolean testIsTrue, boolean condIsTrue
);
}
private class BinaryLogicalGuardCondition extends LogicalGuardCondition, BinaryLogicalOperation {
override predicate impliesCondition(
LogicalGuardCondition e, boolean testIsTrue, boolean condIsTrue
) {
this.impliesValue(e, testIsTrue, condIsTrue)
}
}
private class VariableGuardCondition extends LogicalGuardCondition, VariableAccess {
override predicate impliesCondition(
LogicalGuardCondition e, boolean testIsTrue, boolean condIsTrue
) {
this = e and
(
testIsTrue = true and condIsTrue = true
or
testIsTrue = false and condIsTrue = false
)
}
}
private class NotGuardCondition extends LogicalGuardCondition, NotExpr {
override predicate impliesCondition(
LogicalGuardCondition e, boolean testIsTrue, boolean condIsTrue
) {
e = this.getOperand() and
(
testIsTrue = true and
condIsTrue = false
or
testIsTrue = false and
condIsTrue = true
)
}
}
private newtype TCondition =
MkCondition(LogicalGuardCondition guard, boolean testIsTrue) { testIsTrue = [false, true] }
private class Condition extends MkCondition {
boolean testIsTrue;
LogicalGuardCondition guard;
Condition() { this = MkCondition(guard, testIsTrue) }
/**
* Holds if this condition having the value `this.getTruthValue()` implies that `cond` has truth
* value `cond.getTruthValue()`.
*/
string toString() { result = guard.toString() + " == " + testIsTrue.toString() }
/** Gets the value of this `Condition`. */
boolean getTruthValue() { result = testIsTrue }
LogicalGuardCondition getCondition() { result = guard }
pragma[nomagic]
predicate impliesCondition(Condition cond) {
exists(LogicalGuardCondition other |
other = cond.getCondition() and
this.getCondition()
.impliesCondition(globalValueNumber(other).getAnExpr(),
pragma[only_bind_into](pragma[only_bind_out](testIsTrue)),
pragma[only_bind_into](pragma[only_bind_out](cond.getTruthValue())))
)
}
/** Gets the negated expression represented by this `Condition`, if any. */
private Condition negate() {
result.getCondition() = guard and
result.getTruthValue() = testIsTrue.booleanNot()
}
/**
* Holds if this condition having the value `this.getTruthValue()` implies that `cond` cannot have
* the truth value `cond.getTruthValue()`.
*/
final predicate refutesCondition(Condition cond) { this.impliesCondition(cond.negate()) }
/** Gets the `Location` of the expression that generated this `Condition`. */
Location getLocation() { result = guard.getLocation() }
}
/**
* Gets a `Condition` that controls `b`. That is, to enter `b` the condition must hold.
*/
private Condition getADirectCondition(BasicBlock b) {
result.getCondition().controls(b, result.getTruthValue())
}
/**
* Like the shared dataflow library, the reachability analysis is split into two stages:
* In the first stage, we compute an overapproximation of the possible control-flow paths where we don't
* reason about path conditions. This stage is split into phases: A forward phase (computed by the
* predicates prefixes with `fwd`), and a reverse phase (computed by the predicates prefixed with `rev`).
*
* The forward phease computes the set of control-flow nodes reachable from a given `source` and `v` such
* that `config.isSource(source, v)` holds.
*
* See the QLDoc on `revBbSuccessorEntryReaches0` for a description of what the reverse phase computes.
*/
private predicate fwdBbSuccessorEntryReaches0(
ControlFlowNode source, BasicBlock bb, SemanticStackVariable v,
boolean skipsFirstLoopAlwaysTrueUponEntry, StackVariableReachability config
) {
fwdBbEntryReachesLocally(bb, v, source, config) and
skipsFirstLoopAlwaysTrueUponEntry = false
or
exists(BasicBlock pred, boolean predSkipsFirstLoopAlwaysTrueUponEntry |
bbSuccessorEntryReachesLoopInvariant0(pred, bb, predSkipsFirstLoopAlwaysTrueUponEntry,
skipsFirstLoopAlwaysTrueUponEntry)
|
// Note we cannot filter out barriers at this point.
// See the comment in `revBbSuccessorEntryReaches0` for an explanation why,
fwdBbSuccessorEntryReaches0(source, pred, v, predSkipsFirstLoopAlwaysTrueUponEntry, config)
)
}
/**
* The second phase of the first stages computes, for each `source` and `v` pair such
* that `config.isSource(source, v)`, which sinks are reachable from that `(source, v)` pair.
*/
private predicate revBbSuccessorEntryReaches0(
ControlFlowNode source, BasicBlock bb, SemanticStackVariable v,
boolean skipsFirstLoopAlwaysTrueUponEntry, StackVariableReachability config
) {
exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry |
fwdBbSuccessorEntryReaches0(source, bb, v, skipsFirstLoopAlwaysTrueUponEntry, config) and
bbSuccessorEntryReachesLoopInvariant0(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
succSkipsFirstLoopAlwaysTrueUponEntry)
|
revBbEntryReachesLocally(succ, v, _, config) and
succSkipsFirstLoopAlwaysTrueUponEntry = false
or
// Note: We cannot rule out a successor block that contain a barrier here (like we do later in
// `bbSuccessorEntryReaches`) as we might later discover that the only way to get through a piece of
// code is through that barrier, and we want to discover this in
// `bbSuccessorEntryReachesLoopInvariant`. As an example, consider this piece of code:
// ```
// if(b) { (1) source(); }
// (2) if(b) { (3) barrier(); }
// (4) sink();
// ```
// here, we want the successor relation to contain:
// 1 -> {2}, 2 -> {3, 4}
// since the second stage will deduce that the edge (2) -> (3) is unconditional (as b is always true
// if we start at `source()`), and so there is actually no path from (1) to (4) without going through
// a barrier.
revBbSuccessorEntryReaches0(source, succ, v, succSkipsFirstLoopAlwaysTrueUponEntry, config)
)
}
private predicate successorExitsLoop(BasicBlock pred, BasicBlock succ, Loop loop) {
pred.getASuccessor() = succ and
bbDominates(loop.getStmt(), pred) and
not bbDominates(loop.getStmt(), succ)
}
private predicate successorExitsFirstDisjunct(BasicBlock pred, BasicBlock succ) {
exists(LogicalOrExpr orExpr | orExpr instanceof GuardCondition |
pred.getAFalseSuccessor() = succ and
pred.contains(orExpr.getLeftOperand())
)
}
/**
* When we exit a loop, we filter out the conditions that arise from the loop's guard.
* To see why this is necessary, consider this example:
* ```
* (1) source();
* while (b) { (2) ... }
* (3) sink();
* ```
* If we keep all the conditions when we transition from (2) to (3) we learn that `b` is true at
* (3), but since we exited the loop we also learn that `b` is false at 3.
* Thus, when we transition from (2) to (3) we discard all those conditions that are true at (2),
* but NOT true at (3).
*/
private predicate isLoopCondition(LogicalGuardCondition cond, BasicBlock pred, BasicBlock bb) {
exists(Loop loop, boolean testIsTrue | successorExitsLoop(pred, bb, loop) |
// the resulting `Condition` holds inside the loop
cond.controls(pred, testIsTrue) and
// but not prior to the loop.
not cond.controls(loop.getBasicBlock(), testIsTrue)
)
}
/**
* When we leave the first disjunct we throw away the condition that says the the first disjunct is
* false. To see why this is necessary, consider this example:
* ```
* if((1) b1 || (2) b2) { (3) ... }
* ```
* it holds that `b1 == false` controls (2), and since (2) steps to (3) we learn that `b1 == false `
* holds at (3). So we filter out the conditions that we learn from leaving taking the false
* branch in a disjunction.
*/
private predicate isDisjunctionCondition(LogicalGuardCondition cond, BasicBlock pred, BasicBlock bb) {
exists(boolean testIsTrue | successorExitsFirstDisjunct(pred, bb) |
// the resulting `Condition` holds after evaluating the left-hand side
cond.controls(bb, testIsTrue) and
// but not before evaluating the left-hand side.
not cond.controls(pred, testIsTrue)
)
}
private predicate isLoopVariantCondition(LogicalGuardCondition cond, BasicBlock pred, BasicBlock bb) {
exists(Loop loop |
bb.getEnd() = loop.getCondition() and
pred.getASuccessor() = bb and
bbDominates(bb, pred) and
loopVariant(cond.getAChild*(), loop)
)
}
private predicate loopVariant(VariableAccess e, Loop loop) {
exists(SsaDefinition d | d.getAUse(e.getTarget()) = e |
d.getAnUltimateDefiningValue(e.getTarget()) = loop.getCondition().getAChild*() or
d.getAnUltimateDefiningValue(e.getTarget()).getEnclosingStmt().getParent*() = loop.getStmt() or
d.getAnUltimateDefiningValue(e.getTarget()) = loop.(ForStmt).getUpdate().getAChild*()
)
}
/** /**
* A reachability analysis for control-flow nodes involving stack variables. * A reachability analysis for control-flow nodes involving stack variables.
@@ -303,8 +60,7 @@ abstract class StackVariableReachability extends string {
* ``` * ```
* *
* In addition to using a better performing implementation, this analysis * In addition to using a better performing implementation, this analysis
* accounts for loops where the condition is provably true upon entry, and discards paths that require * accounts for loops where the condition is provably true upon entry.
* an infeasible combination of guard conditions (for example, `if(b) { ... }` and `if(!b) { ... }`).
*/ */
predicate reaches(ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink) { predicate reaches(ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink) {
/* /*
@@ -324,184 +80,46 @@ abstract class StackVariableReachability extends string {
j > i and j > i and
sink = bb.getNode(j) and sink = bb.getNode(j) and
isSink(sink, v) and isSink(sink, v) and
not isBarrier(bb.getNode(pragma[only_bind_into]([i + 1 .. j - 1])), v) not exists(int k | isBarrier(bb.getNode(k), v) | k in [i + 1 .. j - 1])
) )
or or
not exists(int k | isBarrier(bb.getNode(k), v) | k > i) and not exists(int k | isBarrier(bb.getNode(k), v) | k > i) and
bbSuccessorEntryReaches(source, bb, v, sink, _) bbSuccessorEntryReaches(bb, v, sink, _)
)
}
private Condition getASinkCondition(SemanticStackVariable v) {
exists(BasicBlock bb |
revBbEntryReachesLocally(bb, v, _, this) and
result.getCondition().controls(bb, result.getTruthValue())
)
}
private Condition getABarrierCondition(SemanticStackVariable v) {
exists(BasicBlock bb |
isBarrier(bb.getANode(), v) and
result.getCondition().controls(bb, result.getTruthValue())
)
}
/**
* Gets a condition with a known truth value in `bb` when the control-flow starts at the source
* node `source` and we're tracking reachability using variable `v` (that is,
* `this.isSource(source, v)` holds).
*
* This predicate is `pragma[noopt]` as it seems difficult to get the correct join order for the
* recursive case otherwise:
* revBbSuccessorEntryReaches0(bb) -> getASuccessor -> prev_delta ->
* revBbSuccessorEntryReaches0(pred) -> {isLoopCondition, isDisjunctionCondition, isLoopVariantCondition}
*/
pragma[noopt]
private Condition getACondition(ControlFlowNode source, SemanticStackVariable v, BasicBlock bb) {
revBbSuccessorEntryReaches0(source, bb, v, _, this) and
(
result = getADirectCondition(bb) and
(
exists(Condition c |
c = getASinkCondition(v) and
result.refutesCondition(c)
)
or
exists(Condition c |
c = getABarrierCondition(v) and
result.impliesCondition(c)
)
)
or
exists(BasicBlock pred |
pred.getASuccessor() = bb and
result = getACondition(source, v, pred) and
revBbSuccessorEntryReaches0(source, pred, v, _, this) and
exists(LogicalGuardCondition c | c = result.getCondition() |
not isLoopCondition(c, pred, bb) and
not isDisjunctionCondition(c, pred, bb) and
not isLoopVariantCondition(c, pred, bb)
)
)
)
}
pragma[nomagic]
private predicate bbSuccessorEntryReachesLoopInvariantSucc(
ControlFlowNode source, BasicBlock pred, SemanticStackVariable v, BasicBlock succ,
boolean predSkipsFirstLoopAlwaysTrueUponEntry
) {
revBbSuccessorEntryReaches0(source, pragma[only_bind_into](pred), v,
predSkipsFirstLoopAlwaysTrueUponEntry, this) and
pred.getASuccessor() = succ
}
pragma[nomagic]
private predicate bbSuccessorEntryReachesLoopInvariantCand(
ControlFlowNode source, BasicBlock pred, SemanticStackVariable v, BasicBlock succ,
boolean predSkipsFirstLoopAlwaysTrueUponEntry, boolean succSkipsFirstLoopAlwaysTrueUponEntry
) {
bbSuccessorEntryReachesLoopInvariantSucc(source, pragma[only_bind_into](pred), v, succ,
predSkipsFirstLoopAlwaysTrueUponEntry) and
bbSuccessorEntryReachesLoopInvariant0(pred, succ, predSkipsFirstLoopAlwaysTrueUponEntry,
succSkipsFirstLoopAlwaysTrueUponEntry)
}
/**
* Holds if `pred`, `succ`, `predSkipsFirstLoopAlwaysTrueUponEntry` and
* `succSkipsFirstLoopAlwaysTrueUponEntry` satisfy the loop invariants specified in the QLDoc
* for `bbSuccessorEntryReachesLoopInvariant0`.
*
* In addition, this predicate:
* 1. Rules out successor blocks that are unreachable due to contradictory path conditions.
* 2. Refines the successor relation when the edge `pred -> succ` is a conditional edge whose truth
* value is known.
*/
pragma[nomagic]
private predicate bbSuccessorEntryReachesLoopInvariant(
ControlFlowNode source, BasicBlock pred, SemanticStackVariable v, BasicBlock succ,
boolean predSkipsFirstLoopAlwaysTrueUponEntry, boolean succSkipsFirstLoopAlwaysTrueUponEntry
) {
bbSuccessorEntryReachesLoopInvariantCand(source, pred, v, succ,
predSkipsFirstLoopAlwaysTrueUponEntry, succSkipsFirstLoopAlwaysTrueUponEntry) and
not exists(Condition cond, Condition direct |
cond = getACondition(source, v, pred) and
direct = pragma[only_bind_out](getADirectCondition(succ)) and
cond.refutesCondition(direct)
) and
(
// If we picked the successor edge corresponding to a condition being true, there must not be
// another path condition that refutes that the condition is true.
not exists(Condition cond | cond = getACondition(source, v, pred) |
succ = pred.getATrueSuccessor() and
cond.refutesCondition(pragma[only_bind_out](MkCondition(pred.getEnd(), true)))
) and
// If we picked the successor edge corresponding to a condition being false, there must not be
// another path condition that refutes that the condition is false.
not exists(Condition cond | cond = getACondition(source, v, pred) |
succ = pred.getAFalseSuccessor() and
cond.refutesCondition(pragma[only_bind_out](MkCondition(pred.getEnd(), false)))
)
) )
} }
private predicate bbSuccessorEntryReaches( private predicate bbSuccessorEntryReaches(
ControlFlowNode source, BasicBlock bb, SemanticStackVariable v, ControlFlowNode node, BasicBlock bb, SemanticStackVariable v, ControlFlowNode node,
boolean skipsFirstLoopAlwaysTrueUponEntry boolean skipsFirstLoopAlwaysTrueUponEntry
) { ) {
exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry | exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry |
bbSuccessorEntryReachesLoopInvariant(source, bb, v, succ, skipsFirstLoopAlwaysTrueUponEntry, bbSuccessorEntryReachesLoopInvariant(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
succSkipsFirstLoopAlwaysTrueUponEntry) succSkipsFirstLoopAlwaysTrueUponEntry)
| |
revBbEntryReachesLocally(succ, v, node, this) and bbEntryReachesLocally(succ, v, node) and
succSkipsFirstLoopAlwaysTrueUponEntry = false succSkipsFirstLoopAlwaysTrueUponEntry = false
or or
bbSuccessorEntryReachesLoopInvariant(source, bb, v, succ, skipsFirstLoopAlwaysTrueUponEntry, not isBarrier(succ.getNode(_), v) and
succSkipsFirstLoopAlwaysTrueUponEntry) and bbSuccessorEntryReaches(succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
not isBarrier(pragma[only_bind_out](succ.getANode()), v) and
pragma[only_bind_into](this)
.bbSuccessorEntryReaches(source, succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
) )
} }
}
private predicate fwdBbEntryReachesLocally( private predicate bbEntryReachesLocally(
BasicBlock bb, SemanticStackVariable v, ControlFlowNode node, StackVariableReachability config BasicBlock bb, SemanticStackVariable v, ControlFlowNode node
) { ) {
exists(int n | exists(int n |
node = bb.getNode(n) and node = bb.getNode(n) and
config.isSource(node, v) and isSink(node, v)
( |
not exists(lastBarrierIndexIn(bb, v, config)) not exists(this.firstBarrierIndexIn(bb, v))
or or
lastBarrierIndexIn(bb, v, config) <= n n <= this.firstBarrierIndexIn(bb, v)
) )
) }
}
private predicate revBbEntryReachesLocally( private int firstBarrierIndexIn(BasicBlock bb, SemanticStackVariable v) {
BasicBlock bb, SemanticStackVariable v, ControlFlowNode node, StackVariableReachability config result = min(int m | isBarrier(bb.getNode(m), v))
) { }
exists(int n |
node = bb.getNode(n) and
config.isSink(node, v)
|
not exists(firstBarrierIndexIn(bb, v, config))
or
n <= firstBarrierIndexIn(bb, v, config)
)
}
private int firstBarrierIndexIn(
BasicBlock bb, SemanticStackVariable v, StackVariableReachability config
) {
result = min(int m | config.isBarrier(bb.getNode(m), v))
}
private int lastBarrierIndexIn(
BasicBlock bb, SemanticStackVariable v, StackVariableReachability config
) {
result = max(int m | config.isBarrier(bb.getNode(m), v))
} }
/** /**
@@ -564,7 +182,7 @@ private predicate bbLoopConditionAlwaysTrueUponEntrySuccessor(
* is provably true upon entry, then `succ` is not allowed to skip * is provably true upon entry, then `succ` is not allowed to skip
* that loop (`succSkipsFirstLoopAlwaysTrueUponEntry = false`). * that loop (`succSkipsFirstLoopAlwaysTrueUponEntry = false`).
*/ */
predicate bbSuccessorEntryReachesLoopInvariant0( predicate bbSuccessorEntryReachesLoopInvariant(
BasicBlock pred, BasicBlock succ, boolean predSkipsFirstLoopAlwaysTrueUponEntry, BasicBlock pred, BasicBlock succ, boolean predSkipsFirstLoopAlwaysTrueUponEntry,
boolean succSkipsFirstLoopAlwaysTrueUponEntry boolean succSkipsFirstLoopAlwaysTrueUponEntry
) { ) {
@@ -678,52 +296,10 @@ abstract class StackVariableReachabilityWithReassignment extends StackVariableRe
) )
} }
private predicate bbSuccessorEntryReaches(
BasicBlock bb, SemanticStackVariable v, ControlFlowNode node,
boolean skipsFirstLoopAlwaysTrueUponEntry
) {
exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry |
bbSuccessorEntryReachesLoopInvariant0(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
succSkipsFirstLoopAlwaysTrueUponEntry)
|
revBbEntryReachesLocally(succ, v, node, this) and
succSkipsFirstLoopAlwaysTrueUponEntry = false
or
not isBarrier(succ.getNode(_), v) and
bbSuccessorEntryReaches(succ, v, node, succSkipsFirstLoopAlwaysTrueUponEntry)
)
}
private predicate reaches0(ControlFlowNode source, SemanticStackVariable v, ControlFlowNode sink) {
/*
* Implementation detail: the predicates in this class are a generalization of
* those in DefinitionsAndUses.qll, and should be kept in sync.
*
* Unfortunately, caching of abstract predicates does not work well, so the
* predicates in DefinitionsAndUses.qll cannot use this library.
*/
exists(BasicBlock bb, int i |
isSource(source, v) and
bb.getNode(i) = source and
not bb.isUnreachable()
|
exists(int j |
j > i and
sink = bb.getNode(j) and
isSink(sink, v) and
not isBarrier(bb.getNode(pragma[only_bind_into]([i + 1 .. j - 1])), v)
)
or
not exists(int k | isBarrier(bb.getNode(k), v) | k > i) and
bbSuccessorEntryReaches(bb, v, sink, _)
)
}
private predicate reassignment( private predicate reassignment(
ControlFlowNode source, SemanticStackVariable v, ControlFlowNode def, SemanticStackVariable v0 ControlFlowNode source, SemanticStackVariable v, ControlFlowNode def, SemanticStackVariable v0
) { ) {
reaches0(source, v, def) and StackVariableReachability.super.reaches(source, v, def) and
exprDefinition(v0, def, v.getAnAccess()) exprDefinition(v0, def, v.getAnAccess())
} }
@@ -789,11 +365,11 @@ abstract class StackVariableReachabilityExt extends string {
boolean skipsFirstLoopAlwaysTrueUponEntry boolean skipsFirstLoopAlwaysTrueUponEntry
) { ) {
exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry | exists(BasicBlock succ, boolean succSkipsFirstLoopAlwaysTrueUponEntry |
bbSuccessorEntryReachesLoopInvariant0(bb, succ, skipsFirstLoopAlwaysTrueUponEntry, bbSuccessorEntryReachesLoopInvariant(bb, succ, skipsFirstLoopAlwaysTrueUponEntry,
succSkipsFirstLoopAlwaysTrueUponEntry) and succSkipsFirstLoopAlwaysTrueUponEntry) and
not isBarrier(source, bb.getEnd(), succ.getStart(), v) not isBarrier(source, bb.getEnd(), succ.getStart(), v)
| |
this.bbEntryReachesLocally(source, succ, v, node) and bbEntryReachesLocally(source, succ, v, node) and
succSkipsFirstLoopAlwaysTrueUponEntry = false succSkipsFirstLoopAlwaysTrueUponEntry = false
or or
not exists(int k | isBarrier(source, succ.getNode(k), succ.getNode(k + 1), v)) and not exists(int k | isBarrier(source, succ.getNode(k), succ.getNode(k + 1), v)) and

7
cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
View File

@@ -735,7 +735,12 @@ private module FieldFlow {
private class FieldConfiguration extends Configuration { private class FieldConfiguration extends Configuration {
FieldConfiguration() { this = "FieldConfiguration" } FieldConfiguration() { this = "FieldConfiguration" }
override predicate isSource(Node source) { storeStep(source, _, _) } override predicate isSource(Node source) {
storeStep(source, _, _)
or
// Also mark `foo(a.b);` as a source when `a.b` may be overwritten by `foo`.
readStep(_, _, any(Node node | node.asExpr() = source.asDefiningArgument()))
}
override predicate isSink(Node sink) { readStep(_, _, sink) } override predicate isSink(Node sink) { readStep(_, _, sink) }

26
cpp/ql/src/semmle/code/cpp/security/FileWrite.qll
View File

@@ -19,6 +19,15 @@ class FileWrite extends Expr {
* Gets the expression for the object being written to. * Gets the expression for the object being written to.
*/ */
Expr getDest() { fileWrite(this, _, result) } Expr getDest() { fileWrite(this, _, result) }
/**
* Gets the conversion character for this write, if it exists and is known. For example in the following code the write of `value1` has conversion character `"s"`, whereas the write of `value2` has no conversion specifier.
* ```
* fprintf(file, "%s", value1);
* stream << value2;
* ```
*/
string getSourceConvChar(Expr source) { fileWriteWithConvChar(this, source, result) }
} }
/** /**
@@ -150,3 +159,20 @@ private predicate fileWrite(Call write, Expr source, Expr dest) {
// file stream using '<<', 'put' or 'write' // file stream using '<<', 'put' or 'write'
fileStreamChain(write, source, dest) fileStreamChain(write, source, dest)
} }
/**
* Whether the function call is a write to a file from 'source' with
* conversion character 'conv'. Does not hold if there isn't a conversion
* character, or if it is unknown (for example the format string is not a
* constant).
*/
private predicate fileWriteWithConvChar(FormattingFunctionCall ffc, Expr source, string conv) {
// fprintf
exists(FormattingFunction f, int n |
f = ffc.getTarget() and
source = ffc.getFormatArgument(n)
|
exists(f.getOutputParameterIndex(true)) and
conv = ffc.(FormattingFunctionCall).getFormat().(FormatLiteral).getConversionChar(n)
)
}

2
cpp/ql/src/semmle/code/cpp/security/Overflow.qll
View File

@@ -5,6 +5,8 @@
import cpp import cpp
import semmle.code.cpp.controlflow.Dominance import semmle.code.cpp.controlflow.Dominance
// `GlobalValueNumbering` is only imported to prevent IR re-evaluation.
private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils

19
cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll
View File

@@ -14,14 +14,13 @@ private predicate suspicious(string s) {
( (
s.matches("%password%") or s.matches("%password%") or
s.matches("%passwd%") or s.matches("%passwd%") or
s.matches("%account%") or
s.matches("%accnt%") or
s.matches("%trusted%") s.matches("%trusted%")
) and ) and
not ( not (
s.matches("%hashed%") or s.matches("%hash%") or
s.matches("%encrypted%") or s.matches("%crypt%") or
s.matches("%crypt%") s.matches("%file%") or
s.matches("%path%")
) )
} }
@@ -29,14 +28,20 @@ private predicate suspicious(string s) {
* A variable that might contain a password or other sensitive information. * A variable that might contain a password or other sensitive information.
*/ */
class SensitiveVariable extends Variable { class SensitiveVariable extends Variable {
SensitiveVariable() { suspicious(getName().toLowerCase()) } SensitiveVariable() {
suspicious(getName().toLowerCase()) and
not this.getUnspecifiedType() instanceof IntegralType
}
} }
/** /**
* A function that might return a password or other sensitive information. * A function that might return a password or other sensitive information.
*/ */
class SensitiveFunction extends Function { class SensitiveFunction extends Function {
SensitiveFunction() { suspicious(getName().toLowerCase()) } SensitiveFunction() {
suspicious(getName().toLowerCase()) and
not this.getUnspecifiedType() instanceof IntegralType
}
} }
/** /**

2
cpp/ql/test/library-tests/clang_ms/element.expected
View File

@@ -79,6 +79,7 @@
| file://:0:0:0:0 | declaration of 1st parameter | | file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declared_constexpr | | file://:0:0:0:0 | declared_constexpr |
| file://:0:0:0:0 | declared_constinit | | file://:0:0:0:0 | declared_constinit |
| file://:0:0:0:0 | declared_virtual |
| file://:0:0:0:0 | decltype(nullptr) | | file://:0:0:0:0 | decltype(nullptr) |
| file://:0:0:0:0 | definition of fp_offset | | file://:0:0:0:0 | definition of fp_offset |
| file://:0:0:0:0 | definition of gp_offset | | file://:0:0:0:0 | definition of gp_offset |
@@ -91,6 +92,7 @@
| file://:0:0:0:0 | explicit | | file://:0:0:0:0 | explicit |
| file://:0:0:0:0 | extern | | file://:0:0:0:0 | extern |
| file://:0:0:0:0 | far | | file://:0:0:0:0 | far |
| file://:0:0:0:0 | final |
| file://:0:0:0:0 | float | | file://:0:0:0:0 | float |
| file://:0:0:0:0 | forceinline | | file://:0:0:0:0 | forceinline |
| file://:0:0:0:0 | fp_offset | | file://:0:0:0:0 | fp_offset |

2
cpp/ql/test/library-tests/conditions/elements.expected
View File

@@ -49,6 +49,7 @@
| file://:0:0:0:0 | const __va_list_tag & | | file://:0:0:0:0 | const __va_list_tag & |
| file://:0:0:0:0 | declared_constexpr | | file://:0:0:0:0 | declared_constexpr |
| file://:0:0:0:0 | declared_constinit | | file://:0:0:0:0 | declared_constinit |
| file://:0:0:0:0 | declared_virtual |
| file://:0:0:0:0 | decltype(nullptr) | | file://:0:0:0:0 | decltype(nullptr) |
| file://:0:0:0:0 | definition of <error> | | file://:0:0:0:0 | definition of <error> |
| file://:0:0:0:0 | definition of fp_offset | | file://:0:0:0:0 | definition of fp_offset |
@@ -62,6 +63,7 @@
| file://:0:0:0:0 | explicit | | file://:0:0:0:0 | explicit |
| file://:0:0:0:0 | extern | | file://:0:0:0:0 | extern |
| file://:0:0:0:0 | far | | file://:0:0:0:0 | far |
| file://:0:0:0:0 | final |
| file://:0:0:0:0 | float | | file://:0:0:0:0 | float |
| file://:0:0:0:0 | forceinline | | file://:0:0:0:0 | forceinline |
| file://:0:0:0:0 | fp_offset | | file://:0:0:0:0 | fp_offset |

5
cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow.expected
View File

@@ -70,3 +70,8 @@
| test.cpp:391:11:391:13 | tmp | test.cpp:391:10:391:13 | & ... | | test.cpp:391:11:391:13 | tmp | test.cpp:391:10:391:13 | & ... |
| test.cpp:391:17:391:23 | source1 | test.cpp:391:10:391:13 | ref arg & ... | | test.cpp:391:17:391:23 | source1 | test.cpp:391:10:391:13 | ref arg & ... |
| test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... | | test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... |
| test.cpp:480:67:480:67 | s | test.cpp:481:21:481:21 | s |
| test.cpp:480:67:480:67 | s | test.cpp:482:20:482:20 | s |
| test.cpp:481:21:481:21 | s [post update] | test.cpp:482:20:482:20 | s |
| test.cpp:481:24:481:30 | ref arg content | test.cpp:482:23:482:29 | content |
| test.cpp:482:23:482:29 | content | test.cpp:483:9:483:17 | p_content |

12
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -470,3 +470,15 @@ void viaOutparam() {
intOutparamSource(&x); intOutparamSource(&x);
sink(x); // $ ast,ir sink(x); // $ ast,ir
} }
void writes_to_content(void*);
struct MyStruct {
int* content;
};
void local_field_flow_def_by_ref_steps_with_local_flow(MyStruct * s) {
writes_to_content(s->content);
int* p_content = s->content;
sink(*p_content);
}

13
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -496,9 +496,13 @@
| map.cpp:49:7:49:7 | f [post update] | map.cpp:51:7:51:7 | f | | | map.cpp:49:7:49:7 | f [post update] | map.cpp:51:7:51:7 | f | |
| map.cpp:49:7:49:7 | f [post update] | map.cpp:53:30:53:30 | f | | | map.cpp:49:7:49:7 | f [post update] | map.cpp:53:30:53:30 | f | |
| map.cpp:49:7:49:7 | f [post update] | map.cpp:59:6:59:6 | f | | | map.cpp:49:7:49:7 | f [post update] | map.cpp:59:6:59:6 | f | |
| map.cpp:49:9:49:13 | ref arg first | map.cpp:54:9:54:13 | first | |
| map.cpp:49:9:49:13 | ref arg first | map.cpp:60:9:60:13 | first | |
| map.cpp:50:7:50:7 | f [post update] | map.cpp:51:7:51:7 | f | | | map.cpp:50:7:50:7 | f [post update] | map.cpp:51:7:51:7 | f | |
| map.cpp:50:7:50:7 | f [post update] | map.cpp:53:30:53:30 | f | | | map.cpp:50:7:50:7 | f [post update] | map.cpp:53:30:53:30 | f | |
| map.cpp:50:7:50:7 | f [post update] | map.cpp:59:6:59:6 | f | | | map.cpp:50:7:50:7 | f [post update] | map.cpp:59:6:59:6 | f | |
| map.cpp:50:9:50:14 | ref arg second | map.cpp:55:9:55:14 | second | |
| map.cpp:50:9:50:14 | ref arg second | map.cpp:61:9:61:14 | second | |
| map.cpp:53:30:53:30 | f | map.cpp:54:7:54:7 | g | | | map.cpp:53:30:53:30 | f | map.cpp:54:7:54:7 | g | |
| map.cpp:53:30:53:30 | f | map.cpp:55:7:55:7 | g | | | map.cpp:53:30:53:30 | f | map.cpp:55:7:55:7 | g | |
| map.cpp:53:30:53:30 | f | map.cpp:56:7:56:7 | g | | | map.cpp:53:30:53:30 | f | map.cpp:56:7:56:7 | g | |
@@ -3395,6 +3399,7 @@
| smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 | TAINT | | smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 | TAINT |
| smart_pointer.cpp:125:22:125:22 | q | smart_pointer.cpp:125:18:125:22 | call to shared_ptr | | | smart_pointer.cpp:125:22:125:22 | q | smart_pointer.cpp:125:18:125:22 | call to shared_ptr | |
| smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:125:22:125:22 | q [inner post update] | | | smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:125:22:125:22 | q [inner post update] | |
| smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:126:12:126:12 | q | |
| smart_pointer.cpp:126:8:126:9 | p1 | smart_pointer.cpp:126:10:126:10 | call to operator-> | | | smart_pointer.cpp:126:8:126:9 | p1 | smart_pointer.cpp:126:10:126:10 | call to operator-> | |
| smart_pointer.cpp:126:8:126:9 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 | | | smart_pointer.cpp:126:8:126:9 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 | |
| smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 | TAINT | | smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 | TAINT |
@@ -3432,6 +3437,7 @@
| smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 | | | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 | |
| smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:134:8:134:9 | p1 | | | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:134:8:134:9 | p1 | |
| smart_pointer.cpp:133:25:133:25 | call to operator-> [post update] | smart_pointer.cpp:133:23:133:24 | ref arg p1 | TAINT | | smart_pointer.cpp:133:25:133:25 | call to operator-> [post update] | smart_pointer.cpp:133:23:133:24 | ref arg p1 | TAINT |
| smart_pointer.cpp:133:27:133:27 | ref arg q | smart_pointer.cpp:134:12:134:12 | q | |
| smart_pointer.cpp:134:8:134:9 | p1 | smart_pointer.cpp:134:10:134:10 | call to operator-> | | | smart_pointer.cpp:134:8:134:9 | p1 | smart_pointer.cpp:134:10:134:10 | call to operator-> | |
| smart_pointer.cpp:134:8:134:9 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 | | | smart_pointer.cpp:134:8:134:9 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 | |
| smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 | TAINT | | smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 | TAINT |
@@ -6435,6 +6441,7 @@
| taint.cpp:669:18:669:18 | s [post update] | taint.cpp:671:7:671:7 | s | | | taint.cpp:669:18:669:18 | s [post update] | taint.cpp:671:7:671:7 | s | |
| taint.cpp:669:18:669:18 | s [post update] | taint.cpp:672:7:672:7 | s | | | taint.cpp:669:18:669:18 | s [post update] | taint.cpp:672:7:672:7 | s | |
| taint.cpp:669:18:669:18 | s [post update] | taint.cpp:673:7:673:7 | s | | | taint.cpp:669:18:669:18 | s [post update] | taint.cpp:673:7:673:7 | s | |
| taint.cpp:669:20:669:20 | ref arg x | taint.cpp:672:9:672:9 | x | |
| taint.cpp:672:7:672:7 | s [post update] | taint.cpp:673:7:673:7 | s | | | taint.cpp:672:7:672:7 | s [post update] | taint.cpp:673:7:673:7 | s | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 | | | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 | | | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 | |
@@ -7076,14 +7083,20 @@
| vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:200:3:200:4 | ee | | | vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:200:3:200:4 | ee | |
| vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:201:8:201:9 | ee | | | vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:201:8:201:9 | ee | |
| vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:202:2:202:2 | ee | | | vector.cpp:198:3:198:4 | ee [post update] | vector.cpp:202:2:202:2 | ee | |
| vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:199:11:199:12 | vs | |
| vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:200:6:200:7 | vs | |
| vector.cpp:198:6:198:7 | ref arg vs | vector.cpp:201:11:201:12 | vs | |
| vector.cpp:198:19:198:19 | 0 | vector.cpp:198:6:198:7 | ref arg vs | TAINT | | vector.cpp:198:19:198:19 | 0 | vector.cpp:198:6:198:7 | ref arg vs | TAINT |
| vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:200:3:200:4 | ee | | | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:200:3:200:4 | ee | |
| vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:201:8:201:9 | ee | | | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:201:8:201:9 | ee | |
| vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:202:2:202:2 | ee | | | vector.cpp:199:8:199:9 | ee [post update] | vector.cpp:202:2:202:2 | ee | |
| vector.cpp:199:11:199:12 | ref arg vs | vector.cpp:200:6:200:7 | vs | |
| vector.cpp:199:11:199:12 | ref arg vs | vector.cpp:201:11:201:12 | vs | |
| vector.cpp:199:11:199:12 | vs | vector.cpp:199:13:199:13 | call to operator[] | TAINT | | vector.cpp:199:11:199:12 | vs | vector.cpp:199:13:199:13 | call to operator[] | TAINT |
| vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:201:8:201:9 | ee | | | vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:201:8:201:9 | ee | |
| vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:202:2:202:2 | ee | | | vector.cpp:200:3:200:4 | ee [post update] | vector.cpp:202:2:202:2 | ee | |
| vector.cpp:200:3:200:21 | ... = ... | vector.cpp:200:8:200:8 | call to operator[] [post update] | | | vector.cpp:200:3:200:21 | ... = ... | vector.cpp:200:8:200:8 | call to operator[] [post update] | |
| vector.cpp:200:6:200:7 | ref arg vs | vector.cpp:201:11:201:12 | vs | |
| vector.cpp:200:6:200:7 | vs | vector.cpp:200:8:200:8 | call to operator[] | TAINT | | vector.cpp:200:6:200:7 | vs | vector.cpp:200:8:200:8 | call to operator[] | TAINT |
| vector.cpp:200:8:200:8 | call to operator[] [post update] | vector.cpp:200:6:200:7 | ref arg vs | TAINT | | vector.cpp:200:8:200:8 | call to operator[] [post update] | vector.cpp:200:6:200:7 | ref arg vs | TAINT |
| vector.cpp:200:14:200:19 | call to source | vector.cpp:200:3:200:21 | ... = ... | | | vector.cpp:200:14:200:19 | call to source | vector.cpp:200:3:200:21 | ... = ... | |

12
cpp/ql/test/library-tests/fields/fields/Fields.expected
View File

@@ -1,21 +1,13 @@
| fields.cpp:3:8:3:12 | Entry | fields.cpp:4:9:4:12 | name | public | CharPointerType | char | | fields.cpp:3:8:3:12 | Entry | fields.cpp:4:9:4:12 | name | public | CharPointerType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:4:9:4:12 | name | public | PointerDumpType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:5:8:5:8 | t | public | Enum | | | fields.cpp:3:8:3:12 | Entry | fields.cpp:5:8:5:8 | t | public | Enum | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:5:8:5:8 | t | public | UserDumpType | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:6:9:6:9 | s | public | CharPointerType | char | | fields.cpp:3:8:3:12 | Entry | fields.cpp:6:9:6:9 | s | public | CharPointerType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:6:9:6:9 | s | public | PointerDumpType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:7:7:7:7 | i | public | IntType | | | fields.cpp:3:8:3:12 | Entry | fields.cpp:7:7:7:7 | i | public | IntType | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:7:7:7:7 | i | public | IntegralDumpType | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:7:7:7:7 | i | public | MicrosoftInt32Type | | | fields.cpp:3:8:3:12 | Entry | fields.cpp:7:7:7:7 | i | public | MicrosoftInt32Type | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:9:7:9:14 | internal | private | IntType | | | fields.cpp:3:8:3:12 | Entry | fields.cpp:9:7:9:14 | internal | private | IntType | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:9:7:9:14 | internal | private | IntegralDumpType | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:9:7:9:14 | internal | private | MicrosoftInt32Type | | | fields.cpp:3:8:3:12 | Entry | fields.cpp:9:7:9:14 | internal | private | MicrosoftInt32Type | |
| fields.cpp:12:7:12:10 | Name | fields.cpp:13:15:13:15 | s | private | PointerDumpType | const char | | fields.cpp:12:7:12:10 | Name | fields.cpp:13:15:13:15 | s | private | PointerType | const char |
| fields.cpp:16:7:16:11 | Table | fields.cpp:17:9:17:9 | p | private | PointerDumpType | Name | | fields.cpp:16:7:16:11 | Table | fields.cpp:17:9:17:9 | p | private | PointerType | Name |
| fields.cpp:16:7:16:11 | Table | fields.cpp:18:7:18:8 | sz | private | IntType | | | fields.cpp:16:7:16:11 | Table | fields.cpp:18:7:18:8 | sz | private | IntType | |
| fields.cpp:16:7:16:11 | Table | fields.cpp:18:7:18:8 | sz | private | IntegralDumpType | |
| fields.cpp:16:7:16:11 | Table | fields.cpp:18:7:18:8 | sz | private | MicrosoftInt32Type | | | fields.cpp:16:7:16:11 | Table | fields.cpp:18:7:18:8 | sz | private | MicrosoftInt32Type | |
| fields.cpp:26:7:26:10 | Date | fields.cpp:28:16:28:26 | cache_valid | private | BoolType | | | fields.cpp:26:7:26:10 | Date | fields.cpp:28:16:28:26 | cache_valid | private | BoolType | |
| fields.cpp:26:7:26:10 | Date | fields.cpp:28:16:28:26 | cache_valid | private | IntegralDumpType | |
| fields.cpp:26:7:26:10 | Date | fields.cpp:30:17:30:21 | cache | public | CharPointerType | char | | fields.cpp:26:7:26:10 | Date | fields.cpp:30:17:30:21 | cache | public | CharPointerType | char |
| fields.cpp:26:7:26:10 | Date | fields.cpp:30:17:30:21 | cache | public | PointerDumpType | char |

2
cpp/ql/test/library-tests/functions/routinetype/types.expected
View File

@@ -1 +1 @@
| routinetype.cpp:2:7:2:19 | myRoutineType | file://:0:0:0:0 | ..()(..) | PrintableElement, RoutineDumpType | | routinetype.cpp:2:7:2:19 | myRoutineType | file://:0:0:0:0 | ..()(..) | RoutineType |

3
cpp/ql/test/library-tests/specifiers2/specifiers2.expected
View File

@@ -43,10 +43,12 @@
| Function | specifiers2pp.cpp:10:18:10:24 | MyClass | MyClass | public | | Function | specifiers2pp.cpp:10:18:10:24 | MyClass | MyClass | public |
| Function | specifiers2pp.cpp:12:14:12:22 | publicFun | publicFun | inline | | Function | specifiers2pp.cpp:12:14:12:22 | publicFun | publicFun | inline |
| Function | specifiers2pp.cpp:12:14:12:22 | publicFun | publicFun | public | | Function | specifiers2pp.cpp:12:14:12:22 | publicFun | publicFun | public |
| Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | declared_virtual |
| Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | extern | | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | extern |
| Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | public | | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | public |
| Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | pure | | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | pure |
| Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | virtual | | Function | specifiers2pp.cpp:13:21:13:26 | getInt | getInt | virtual |
| Function | specifiers2pp.cpp:14:21:14:21 | f | f | declared_virtual |
| Function | specifiers2pp.cpp:14:21:14:21 | f | f | extern | | Function | specifiers2pp.cpp:14:21:14:21 | f | f | extern |
| Function | specifiers2pp.cpp:14:21:14:21 | f | f | public | | Function | specifiers2pp.cpp:14:21:14:21 | f | f | public |
| Function | specifiers2pp.cpp:14:21:14:21 | f | f | virtual | | Function | specifiers2pp.cpp:14:21:14:21 | f | f | virtual |
@@ -71,6 +73,7 @@
| Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | inline | | Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | inline |
| Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | public | | Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | public |
| Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | public | | Function | specifiers2pp.cpp:24:7:24:7 | operator= | operator= | public |
| Function | specifiers2pp.cpp:26:21:26:21 | f | f | declared_virtual |
| Function | specifiers2pp.cpp:26:21:26:21 | f | f | extern | | Function | specifiers2pp.cpp:26:21:26:21 | f | f | extern |
| Function | specifiers2pp.cpp:26:21:26:21 | f | f | override | | Function | specifiers2pp.cpp:26:21:26:21 | f | f | override |
| Function | specifiers2pp.cpp:26:21:26:21 | f | f | public | | Function | specifiers2pp.cpp:26:21:26:21 | f | f | public |

2
cpp/ql/test/library-tests/templates/instantiations_functions/elements.expected
View File

@@ -109,6 +109,7 @@
| file://:0:0:0:0 | declaration of 1st parameter | | file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declared_constexpr | | file://:0:0:0:0 | declared_constexpr |
| file://:0:0:0:0 | declared_constinit | | file://:0:0:0:0 | declared_constinit |
| file://:0:0:0:0 | declared_virtual |
| file://:0:0:0:0 | decltype(nullptr) | | file://:0:0:0:0 | decltype(nullptr) |
| file://:0:0:0:0 | definition of fp_offset | | file://:0:0:0:0 | definition of fp_offset |
| file://:0:0:0:0 | definition of gp_offset | | file://:0:0:0:0 | definition of gp_offset |
@@ -121,6 +122,7 @@
| file://:0:0:0:0 | explicit | | file://:0:0:0:0 | explicit |
| file://:0:0:0:0 | extern | | file://:0:0:0:0 | extern |
| file://:0:0:0:0 | far | | file://:0:0:0:0 | far |
| file://:0:0:0:0 | final |
| file://:0:0:0:0 | float | | file://:0:0:0:0 | float |
| file://:0:0:0:0 | forceinline | | file://:0:0:0:0 | forceinline |
| file://:0:0:0:0 | fp_offset | | file://:0:0:0:0 | fp_offset |

4
cpp/ql/test/library-tests/typedefs/Typedefs2.expected
View File

@@ -1,2 +1,2 @@
| typedefs.cpp:6:6:6:7 | f1 | typedefs.cpp:8:15:8:18 | TYPE | CTypedefType, LocalTypedefType, PrintableElement, UserDumpType | | typedefs.cpp:6:6:6:7 | f1 | typedefs.cpp:8:15:8:18 | TYPE | CTypedefType, LocalTypedefType |
| typedefs.cpp:6:6:6:7 | f1 | typedefs.cpp:9:9:9:9 | D | DirectAccessHolder, LocalClass, MetricClass, PrintableElement, StructLikeClass, UserDumpType | | typedefs.cpp:6:6:6:7 | f1 | typedefs.cpp:9:9:9:9 | D | DirectAccessHolder, LocalClass, MetricClass, StructLikeClass |

6
cpp/ql/test/library-tests/types/__wchar_t/wchar_t.expected
View File

@@ -1,3 +1,3 @@
| file://:0:0:0:0 | __wchar_t * | PointerDumpType, PrintableElement | IntegralDumpType, PrintableElement, Wchar_t, WideCharType | | file://:0:0:0:0 | __wchar_t * | PointerType | Wchar_t, WideCharType |
| file://:0:0:0:0 | const __wchar_t | PrintableElement, SpecifiedDumpType | IntegralDumpType, PrintableElement, Wchar_t, WideCharType | | file://:0:0:0:0 | const __wchar_t | SpecifiedType | Wchar_t, WideCharType |
| file://:0:0:0:0 | wchar_t | IntegralDumpType, PrintableElement, Wchar_t, WideCharType | | | file://:0:0:0:0 | wchar_t | Wchar_t, WideCharType | |

16
cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.expected
View File

@@ -1,8 +1,8 @@
| cstd_types.cpp:47:13:47:15 | if8 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast8_t, PrintableElement, UserDumpType | | cstd_types.cpp:47:13:47:15 | if8 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast8_t |
| cstd_types.cpp:48:14:48:17 | if16 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast16_t, PrintableElement, UserDumpType | | cstd_types.cpp:48:14:48:17 | if16 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast16_t |
| cstd_types.cpp:49:14:49:17 | if32 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast32_t, PrintableElement, UserDumpType | | cstd_types.cpp:49:14:49:17 | if32 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast32_t |
| cstd_types.cpp:50:14:50:17 | if64 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast64_t, PrintableElement, UserDumpType | | cstd_types.cpp:50:14:50:17 | if64 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast64_t |
| cstd_types.cpp:51:14:51:16 | uf8 | CTypedefType, FastestMinimumWidthIntegralType, PrintableElement, UInt_fast8_t, UserDumpType | | cstd_types.cpp:51:14:51:16 | uf8 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast8_t |
| cstd_types.cpp:52:15:52:18 | uf16 | CTypedefType, FastestMinimumWidthIntegralType, PrintableElement, UInt_fast16_t, UserDumpType | | cstd_types.cpp:52:15:52:18 | uf16 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast16_t |
| cstd_types.cpp:53:15:53:18 | uf32 | CTypedefType, FastestMinimumWidthIntegralType, PrintableElement, UInt_fast32_t, UserDumpType | | cstd_types.cpp:53:15:53:18 | uf32 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast32_t |
| cstd_types.cpp:54:15:54:18 | uf64 | CTypedefType, FastestMinimumWidthIntegralType, PrintableElement, UInt_fast64_t, UserDumpType | | cstd_types.cpp:54:15:54:18 | uf64 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast64_t |

16
cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected
View File

@@ -1,8 +1,8 @@
| cstd_types.cpp:31:8:31:9 | i8 | CTypedefType, FixedWidthIntegralType, Int8_t, PrintableElement, UserDumpType | | cstd_types.cpp:31:8:31:9 | i8 | CTypedefType, FixedWidthIntegralType, Int8_t |
| cstd_types.cpp:32:9:32:11 | i16 | CTypedefType, FixedWidthIntegralType, Int16_t, PrintableElement, UserDumpType | | cstd_types.cpp:32:9:32:11 | i16 | CTypedefType, FixedWidthIntegralType, Int16_t |
| cstd_types.cpp:33:9:33:11 | i32 | CTypedefType, FixedWidthIntegralType, Int32_t, PrintableElement, UserDumpType | | cstd_types.cpp:33:9:33:11 | i32 | CTypedefType, FixedWidthIntegralType, Int32_t |
| cstd_types.cpp:34:9:34:11 | i64 | CTypedefType, FixedWidthIntegralType, Int64_t, PrintableElement, UserDumpType | | cstd_types.cpp:34:9:34:11 | i64 | CTypedefType, FixedWidthIntegralType, Int64_t |
| cstd_types.cpp:35:9:35:11 | ui8 | CTypedefType, FixedWidthIntegralType, PrintableElement, UInt8_t, UserDumpType | | cstd_types.cpp:35:9:35:11 | ui8 | CTypedefType, FixedWidthIntegralType, UInt8_t |
| cstd_types.cpp:36:10:36:13 | ui16 | CTypedefType, FixedWidthIntegralType, PrintableElement, UInt16_t, UserDumpType | | cstd_types.cpp:36:10:36:13 | ui16 | CTypedefType, FixedWidthIntegralType, UInt16_t |
| cstd_types.cpp:37:10:37:13 | ui32 | CTypedefType, FixedWidthIntegralType, PrintableElement, UInt32_t, UserDumpType | | cstd_types.cpp:37:10:37:13 | ui32 | CTypedefType, FixedWidthIntegralType, UInt32_t |
| cstd_types.cpp:38:10:38:13 | ui64 | CTypedefType, FixedWidthIntegralType, PrintableElement, UInt64_t, UserDumpType | | cstd_types.cpp:38:10:38:13 | ui64 | CTypedefType, FixedWidthIntegralType, UInt64_t |

4
cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.expected
View File

@@ -1,2 +1,2 @@
| cstd_types.cpp:74:4:74:6 | _e0 | Enum, FixedWidthEnumType, PrintableElement, UserDumpType | | cstd_types.cpp:74:4:74:6 | _e0 | Enum, FixedWidthEnumType |
| cstd_types.cpp:75:4:75:6 | _e1 | FixedWidthEnumType, PrintableElement, ScopedEnum, UserDumpType | | cstd_types.cpp:75:4:75:6 | _e1 | FixedWidthEnumType, ScopedEnum |

4
cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected
View File

@@ -1,2 +1,2 @@
| cstd_types.cpp:55:10:55:11 | im | CTypedefType, Intmax_t, MaximumWidthIntegralType, PrintableElement, UserDumpType | | cstd_types.cpp:55:10:55:11 | im | CTypedefType, Intmax_t, MaximumWidthIntegralType |
| cstd_types.cpp:56:11:56:13 | uim | CTypedefType, MaximumWidthIntegralType, PrintableElement, Uintmax_t, UserDumpType | | cstd_types.cpp:56:11:56:13 | uim | CTypedefType, MaximumWidthIntegralType, Uintmax_t |

16
cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected
View File

@@ -1,8 +1,8 @@
| cstd_types.cpp:39:15:39:16 | l8 | CTypedefType, Int_least8_t, MinimumWidthIntegralType, PrintableElement, UserDumpType | | cstd_types.cpp:39:15:39:16 | l8 | CTypedefType, Int_least8_t, MinimumWidthIntegralType |
| cstd_types.cpp:40:15:40:17 | l16 | CTypedefType, Int_least16_t, MinimumWidthIntegralType, PrintableElement, UserDumpType | | cstd_types.cpp:40:15:40:17 | l16 | CTypedefType, Int_least16_t, MinimumWidthIntegralType |
| cstd_types.cpp:41:15:41:17 | l32 | CTypedefType, Int_least32_t, MinimumWidthIntegralType, PrintableElement, UserDumpType | | cstd_types.cpp:41:15:41:17 | l32 | CTypedefType, Int_least32_t, MinimumWidthIntegralType |
| cstd_types.cpp:42:15:42:17 | l64 | CTypedefType, Int_least64_t, MinimumWidthIntegralType, PrintableElement, UserDumpType | | cstd_types.cpp:42:15:42:17 | l64 | CTypedefType, Int_least64_t, MinimumWidthIntegralType |
| cstd_types.cpp:43:15:43:17 | ul8 | CTypedefType, MinimumWidthIntegralType, PrintableElement, UInt_least8_t, UserDumpType | | cstd_types.cpp:43:15:43:17 | ul8 | CTypedefType, MinimumWidthIntegralType, UInt_least8_t |
| cstd_types.cpp:44:16:44:19 | ul16 | CTypedefType, MinimumWidthIntegralType, PrintableElement, UInt_least16_t, UserDumpType | | cstd_types.cpp:44:16:44:19 | ul16 | CTypedefType, MinimumWidthIntegralType, UInt_least16_t |
| cstd_types.cpp:45:16:45:19 | ul32 | CTypedefType, MinimumWidthIntegralType, PrintableElement, UInt_least32_t, UserDumpType | | cstd_types.cpp:45:16:45:19 | ul32 | CTypedefType, MinimumWidthIntegralType, UInt_least32_t |
| cstd_types.cpp:46:16:46:19 | ul64 | CTypedefType, MinimumWidthIntegralType, PrintableElement, UInt_least64_t, UserDumpType | | cstd_types.cpp:46:16:46:19 | ul64 | CTypedefType, MinimumWidthIntegralType, UInt_least64_t |

8
cpp/ql/test/library-tests/types/integral_types_ms/vars.expected
View File

@@ -1,4 +1,4 @@
| integral_types.cpp:2:8:2:9 | i8 | file://:0:0:0:0 | char | IntegralDumpType, MicrosoftInt8Type, PlainCharType, PrintableElement | | integral_types.cpp:2:8:2:9 | i8 | file://:0:0:0:0 | char | MicrosoftInt8Type, PlainCharType |
| integral_types.cpp:3:9:3:11 | i16 | file://:0:0:0:0 | short | IntegralDumpType, MicrosoftInt16Type, PrintableElement, ShortType | | integral_types.cpp:3:9:3:11 | i16 | file://:0:0:0:0 | short | MicrosoftInt16Type, ShortType |
| integral_types.cpp:4:9:4:11 | i32 | file://:0:0:0:0 | int | IntType, IntegralDumpType, MicrosoftInt32Type, PrintableElement | | integral_types.cpp:4:9:4:11 | i32 | file://:0:0:0:0 | int | IntType, MicrosoftInt32Type |
| integral_types.cpp:5:9:5:11 | i64 | file://:0:0:0:0 | long long | IntegralDumpType, LongLongType, MicrosoftInt64Type, PrintableElement | | integral_types.cpp:5:9:5:11 | i64 | file://:0:0:0:0 | long long | LongLongType, MicrosoftInt64Type |

6
cpp/ql/test/library-tests/types/wchar_t_typedef/wchar_t.expected
View File

@@ -1,3 +1,3 @@
| file://:0:0:0:0 | wchar_t | IntegralDumpType, PrintableElement, Wchar_t, WideCharType | | | file://:0:0:0:0 | wchar_t | Wchar_t, WideCharType | |
| file://:0:0:0:0 | wchar_t * | PointerDumpType, PrintableElement | CTypedefType, PrintableElement, UserDumpType, Wchar_t | | file://:0:0:0:0 | wchar_t * | PointerType | CTypedefType, Wchar_t |
| ms.c:2:24:2:30 | wchar_t | CTypedefType, PrintableElement, UserDumpType, Wchar_t | | | ms.c:2:24:2:30 | wchar_t | CTypedefType, Wchar_t | |

2
cpp/ql/test/library-tests/unnamed/elements.expected
View File

@@ -41,6 +41,7 @@
| file://:0:0:0:0 | const | Other | | file://:0:0:0:0 | const | Other |
| file://:0:0:0:0 | declared_constexpr | Other | | file://:0:0:0:0 | declared_constexpr | Other |
| file://:0:0:0:0 | declared_constinit | Other | | file://:0:0:0:0 | declared_constinit | Other |
| file://:0:0:0:0 | declared_virtual | Other |
| file://:0:0:0:0 | decltype(nullptr) | Other | | file://:0:0:0:0 | decltype(nullptr) | Other |
| file://:0:0:0:0 | definition of fp_offset | Other | | file://:0:0:0:0 | definition of fp_offset | Other |
| file://:0:0:0:0 | definition of gp_offset | Other | | file://:0:0:0:0 | definition of gp_offset | Other |
@@ -53,6 +54,7 @@
| file://:0:0:0:0 | explicit | Other | | file://:0:0:0:0 | explicit | Other |
| file://:0:0:0:0 | extern | Other | | file://:0:0:0:0 | extern | Other |
| file://:0:0:0:0 | far | Other | | file://:0:0:0:0 | far | Other |
| file://:0:0:0:0 | final | Other |
| file://:0:0:0:0 | float | Other | | file://:0:0:0:0 | float | Other |
| file://:0:0:0:0 | forceinline | Other | | file://:0:0:0:0 | forceinline | Other |
| file://:0:0:0:0 | fp_offset | Other | | file://:0:0:0:0 | fp_offset | Other |

188
cpp/ql/test/library-tests/variables/variables/types.expected
View File

@@ -1,94 +1,94 @@
| ..()(..) | PrintableElement, RoutineDumpType | | | | | | ..()(..) | RoutineType | | | | |
| ..(*)(..) | FunctionPointerDumpType, PrintableElement | | ..()(..) | | | | ..(*)(..) | FunctionPointerType | | ..()(..) | | |
| _Complex __float128 | BinaryFloatingPointType, BuiltInDumpType, ComplexNumberType, PrintableElement | | | | | | _Complex __float128 | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex double | BinaryFloatingPointType, BuiltInDumpType, ComplexNumberType, PrintableElement | | | | | | _Complex double | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex float | BinaryFloatingPointType, BuiltInDumpType, ComplexNumberType, PrintableElement | | | | | | _Complex float | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex long double | BinaryFloatingPointType, BuiltInDumpType, ComplexNumberType, PrintableElement | | | | | | _Complex long double | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Decimal32 | BuiltInDumpType, Decimal32Type, PrintableElement | | | | | | _Decimal32 | Decimal32Type | | | | |
| _Decimal64 | BuiltInDumpType, Decimal64Type, PrintableElement | | | | | | _Decimal64 | Decimal64Type | | | | |
| _Decimal128 | BuiltInDumpType, Decimal128Type, PrintableElement | | | | | | _Decimal128 | Decimal128Type | | | | |
| _Float32 | BinaryFloatingPointType, BuiltInDumpType, PrintableElement, RealNumberType | | | | | | _Float32 | BinaryFloatingPointType, RealNumberType | | | | |
| _Float32x | BinaryFloatingPointType, BuiltInDumpType, PrintableElement, RealNumberType | | | | | | _Float32x | BinaryFloatingPointType, RealNumberType | | | | |
| _Float64 | BinaryFloatingPointType, BuiltInDumpType, PrintableElement, RealNumberType | | | | | | _Float64 | BinaryFloatingPointType, RealNumberType | | | | |
| _Float64x | BinaryFloatingPointType, BuiltInDumpType, PrintableElement, RealNumberType | | | | | | _Float64x | BinaryFloatingPointType, RealNumberType | | | | |
| _Float128 | BinaryFloatingPointType, BuiltInDumpType, PrintableElement, RealNumberType | | | | | | _Float128 | BinaryFloatingPointType, RealNumberType | | | | |
| _Float128x | BinaryFloatingPointType, BuiltInDumpType, PrintableElement, RealNumberType | | | | | | _Float128x | BinaryFloatingPointType, RealNumberType | | | | |
| _Imaginary double | BinaryFloatingPointType, BuiltInDumpType, ImaginaryNumberType, PrintableElement | | | | | | _Imaginary double | BinaryFloatingPointType, ImaginaryNumberType | | | | |
| _Imaginary float | BinaryFloatingPointType, BuiltInDumpType, ImaginaryNumberType, PrintableElement | | | | | | _Imaginary float | BinaryFloatingPointType, ImaginaryNumberType | | | | |
| _Imaginary long double | BinaryFloatingPointType, BuiltInDumpType, ImaginaryNumberType, PrintableElement | | | | | | _Imaginary long double | BinaryFloatingPointType, ImaginaryNumberType | | | | |
| __float128 | BuiltInDumpType, Float128Type, PrintableElement | | | | | | __float128 | Float128Type | | | | |
| __int128 | Int128Type, IntegralDumpType, PrintableElement | | | | | | __int128 | Int128Type | | | | |
| __va_list_tag | DirectAccessHolder, MetricClass, PrintableElement, Struct, StructLikeClass, UserDumpType | | | | | | __va_list_tag | DirectAccessHolder, MetricClass, Struct, StructLikeClass | | | | |
| __va_list_tag & | LValueReferenceDumpType, PrintableElement | | __va_list_tag | | | | __va_list_tag & | LValueReferenceType | | __va_list_tag | | |
| __va_list_tag && | PrintableElement, RValueReferenceDumpType | | __va_list_tag | | | | __va_list_tag && | RValueReferenceType | | __va_list_tag | | |
| address | DirectAccessHolder, MetricClass, PrintableElement, Struct, StructLikeClass, UserDumpType | | | | | | address | DirectAccessHolder, MetricClass, Struct, StructLikeClass | | | | |
| address & | LValueReferenceDumpType, PrintableElement | | address | | | | address & | LValueReferenceType | | address | | |
| address && | PrintableElement, RValueReferenceDumpType | | address | | | | address && | RValueReferenceType | | address | | |
| auto | AutoType, PrintableElement, UserDumpType | | | | | | auto | AutoType | | | | |
| bool | BoolType, IntegralDumpType, PrintableElement | | | | | | bool | BoolType | | | | |
| char | IntegralDumpType, MicrosoftInt8Type, PlainCharType, PrintableElement | | | | | | char | MicrosoftInt8Type, PlainCharType | | | | |
| char8_t | Char8Type, IntegralDumpType, PrintableElement | | | | | | char8_t | Char8Type | | | | |
| char16_t | Char16Type, IntegralDumpType, PrintableElement | | | | | | char16_t | Char16Type | | | | |
| char32_t | Char32Type, IntegralDumpType, PrintableElement | | | | | | char32_t | Char32Type | | | | |
| char * | CharPointerType, PointerDumpType, PrintableElement | | char | | | | char * | CharPointerType | | char | | |
| char *[3] | ArrayDumpType, PrintableElement | char * | char * | | | | char *[3] | ArrayType | char * | char * | | |
| char *[32] | ArrayDumpType, PrintableElement | char * | char * | | | | char *[32] | ArrayType | char * | char * | | |
| char *[] | ArrayDumpType, PrintableElement | char * | char * | | | | char *[] | ArrayType | char * | char * | | |
| char[2] | ArrayDumpType, PrintableElement | char | char | | | | char[2] | ArrayType | char | char | | |
| char[3] | ArrayDumpType, PrintableElement | char | char | | | | char[3] | ArrayType | char | char | | |
| char[5] | ArrayDumpType, PrintableElement | char | char | | | | char[5] | ArrayType | char | char | | |
| char[6] | ArrayDumpType, PrintableElement | char | char | | | | char[6] | ArrayType | char | char | | |
| char[8] | ArrayDumpType, PrintableElement | char | char | | | | char[8] | ArrayType | char | char | | |
| char[9] | ArrayDumpType, PrintableElement | char | char | | | | char[9] | ArrayType | char | char | | |
| char[10] | ArrayDumpType, PrintableElement | char | char | | | | char[10] | ArrayType | char | char | | |
| char[53] | ArrayDumpType, PrintableElement | char | char | | | | char[53] | ArrayType | char | char | | |
| char[] | ArrayDumpType, PrintableElement | char | char | | | | char[] | ArrayType | char | char | | |
| const __va_list_tag | PrintableElement, SpecifiedDumpType | | __va_list_tag | | | | const __va_list_tag | SpecifiedType | | __va_list_tag | | |
| const __va_list_tag & | LValueReferenceDumpType, PrintableElement | | const __va_list_tag | | | | const __va_list_tag & | LValueReferenceType | | const __va_list_tag | | |
| const address | PrintableElement, SpecifiedDumpType | | address | | | | const address | SpecifiedType | | address | | |
| const address & | LValueReferenceDumpType, PrintableElement | | const address | | | | const address & | LValueReferenceType | | const address | | |
| const char | PrintableElement, SpecifiedDumpType | | char | | | | const char | SpecifiedType | | char | | |
| const char * | PointerDumpType, PrintableElement | | const char | | | | const char * | PointerType | | const char | | |
| const char *[3] | ArrayDumpType, PrintableElement | const char * | const char * | | | | const char *[3] | ArrayType | const char * | const char * | | |
| const char *[] | ArrayDumpType, PrintableElement | const char * | const char * | | | | const char *[] | ArrayType | const char * | const char * | | |
| const char[5] | ArrayDumpType, PrintableElement | const char | const char | | | | const char[5] | ArrayType | const char | const char | | |
| const char[6] | ArrayDumpType, PrintableElement | const char | const char | | | | const char[6] | ArrayType | const char | const char | | |
| const char[8] | ArrayDumpType, PrintableElement | const char | const char | | | | const char[8] | ArrayType | const char | const char | | |
| const char[9] | ArrayDumpType, PrintableElement | const char | const char | | | | const char[9] | ArrayType | const char | const char | | |
| const char[10] | ArrayDumpType, PrintableElement | const char | const char | | | | const char[10] | ArrayType | const char | const char | | |
| const char[53] | ArrayDumpType, PrintableElement | const char | const char | | | | const char[53] | ArrayType | const char | const char | | |
| const double | PrintableElement, SpecifiedDumpType | | double | | | | const double | SpecifiedType | | double | | |
| const int | PrintableElement, SpecifiedDumpType | | int | | | | const int | SpecifiedType | | int | | |
| decltype(nullptr) | BuiltInDumpType, NullPointerType, PrintableElement | | | | | | decltype(nullptr) | NullPointerType | | | | |
| double | BuiltInDumpType, DoubleType, PrintableElement | | | | | | double | DoubleType | | | | |
| error | BuiltInDumpType, ErroneousType, PrintableElement | | | | | | error | ErroneousType | | | | |
| float | BuiltInDumpType, FloatType, PrintableElement | | | | | | float | FloatType | | | | |
| float[3] | ArrayDumpType, PrintableElement | float | float | | | | float[3] | ArrayType | float | float | | |
| int | IntType, IntegralDumpType, MicrosoftInt32Type, PrintableElement | | | | | | int | IntType, MicrosoftInt32Type | | | | |
| int * | IntPointerType, PointerDumpType, PrintableElement | | int | | | | int * | IntPointerType | | int | | |
| int[4] | ArrayDumpType, PrintableElement | int | int | | | | int[4] | ArrayType | int | int | | |
| int[8] | ArrayDumpType, PrintableElement | int | int | | | | int[8] | ArrayType | int | int | | |
| int[10] | ArrayDumpType, PrintableElement | int | int | | | | int[10] | ArrayType | int | int | | |
| int[10][20] | ArrayDumpType, PrintableElement | int[20] | int[20] | | | | int[10][20] | ArrayType | int[20] | int[20] | | |
| int[20] | ArrayDumpType, PrintableElement | int | int | | | | int[20] | ArrayType | int | int | | |
| int[] | ArrayDumpType, PrintableElement | int | int | | | | int[] | ArrayType | int | int | | |
| long | IntegralDumpType, LongType, PrintableElement | | | | | | long | LongType | | | | |
| long double | BuiltInDumpType, LongDoubleType, PrintableElement | | | | | | long double | LongDoubleType | | | | |
| long long | IntegralDumpType, LongLongType, MicrosoftInt64Type, PrintableElement | | | | | | long long | LongLongType, MicrosoftInt64Type | | | | |
| short | IntegralDumpType, MicrosoftInt16Type, PrintableElement, ShortType | | | | | | short | MicrosoftInt16Type, ShortType | | | | |
| signed __int128 | Int128Type, IntegralDumpType, PrintableElement | | | | | | signed __int128 | Int128Type | | | | |
| signed char | IntegralDumpType, PrintableElement, SignedCharType | | | | | | signed char | SignedCharType | | | | |
| signed int | IntType, IntegralDumpType, PrintableElement | | | | | | signed int | IntType | | | | |
| signed long | IntegralDumpType, LongType, PrintableElement | | | | | | signed long | LongType | | | | |
| signed long long | IntegralDumpType, LongLongType, PrintableElement | | | | | | signed long long | LongLongType | | | | |
| signed short | IntegralDumpType, PrintableElement, ShortType | | | | | | signed short | ShortType | | | | |
| unknown | BuiltInDumpType, PrintableElement, UnknownType | | | | | | unknown | UnknownType | | | | |
| unsigned __int128 | Int128Type, IntegralDumpType, PrintableElement | | | | unsigned integral | | unsigned __int128 | Int128Type | | | | unsigned integral |
| unsigned char | IntegralDumpType, PrintableElement, UnsignedCharType | | | | unsigned integral | | unsigned char | UnsignedCharType | | | | unsigned integral |
| unsigned int | IntType, IntegralDumpType, PrintableElement | | | unsigned int | unsigned integral | | unsigned int | IntType | | | unsigned int | unsigned integral |
| unsigned long | IntegralDumpType, LongType, PrintableElement | | | | unsigned integral | | unsigned long | LongType | | | | unsigned integral |
| unsigned long long | IntegralDumpType, LongLongType, PrintableElement | | | | unsigned integral | | unsigned long long | LongLongType | | | | unsigned integral |
| unsigned short | IntegralDumpType, PrintableElement, ShortType | | | | unsigned integral | | unsigned short | ShortType | | | | unsigned integral |
| void | BuiltInDumpType, PrintableElement, VoidType | | | | | | void | VoidType | | | | |
| void * | PointerDumpType, PrintableElement, VoidPointerType | | void | | | | void * | VoidPointerType | | void | | |
| wchar_t | IntegralDumpType, PrintableElement, Wchar_t, WideCharType | | | | | | wchar_t | Wchar_t, WideCharType | | | | |

41
cpp/ql/test/library-tests/variables/variables/variable.expected
View File

@@ -1,111 +1,70 @@
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | __va_list_tag && | DumpVariable | | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | __va_list_tag && | SemanticStackVariable | | | | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | __va_list_tag && | SemanticStackVariable | | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | address && | DumpVariable | | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | address && | SemanticStackVariable | | | | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | address && | SemanticStackVariable | | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const __va_list_tag & | DumpVariable | | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const __va_list_tag & | SemanticStackVariable | | | | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const __va_list_tag & | SemanticStackVariable | | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const address & | DumpVariable | | |
| file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const address & | SemanticStackVariable | | | | file://:0:0:0:0 | (unnamed parameter 0) | file://:0:0:0:0 | const address & | SemanticStackVariable | | |
| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int | DumpVariable | | |
| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int | Field | | | | file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int | Field | | |
| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int | DumpVariable | | |
| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int | Field | | | | file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int | Field | | |
| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * | DumpVariable | | |
| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * | Field | | | | file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * | Field | | |
| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * | DumpVariable | | |
| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * | Field | | | | file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * | Field | | |
| variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | DumpVariable | | |
| variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | GlobalVariable | | | | variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | | | variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | DumpVariable | | |
| variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | GlobalVariable | | | | variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | | | variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | DumpVariable | | |
| variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | GlobalVariable | | | | variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | | | variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | DumpVariable | const | static |
| variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | GlobalVariable | const | static | | variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | GlobalVariable | const | static |
| variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | StaticStorageDurationVariable | const | static | | variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | StaticStorageDurationVariable | const | static |
| variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | DumpVariable | const | static |
| variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | GlobalVariable | const | static | | variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | GlobalVariable | const | static |
| variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | StaticStorageDurationVariable | const | static | | variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | StaticStorageDurationVariable | const | static |
| variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | DumpVariable | | |
| variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | GlobalVariable | | | | variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | GlobalVariable | | |
| variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | StaticStorageDurationVariable | | | | variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | StaticStorageDurationVariable | | |
| variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | DumpVariable | | |
| variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | GlobalVariable | | | | variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | GlobalVariable | | |
| variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | StaticStorageDurationVariable | | | | variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | StaticStorageDurationVariable | | |
| variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | DumpVariable | | |
| variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | GlobalVariable | | | | variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | GlobalVariable | | |
| variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | StaticStorageDurationVariable | | | | variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | StaticStorageDurationVariable | | |
| variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | DumpVariable | | |
| variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | GlobalVariable | | | | variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | | | variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | DumpVariable | | |
| variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | GlobalVariable | | | | variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | StaticStorageDurationVariable | | | | variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | DumpVariable | | static |
| variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | GlobalVariable | | static | | variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | GlobalVariable | | static |
| variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | StaticStorageDurationVariable | | static | | variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | StaticStorageDurationVariable | | static |
| variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | DumpVariable | | static |
| variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | GlobalVariable | | static | | variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | GlobalVariable | | static |
| variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | static | | variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | static |
| variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | DumpVariable | | |
| variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | FunctionPointerVariable | | | | variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | FunctionPointerVariable | | |
| variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | GlobalVariable | | | | variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | GlobalVariable | | |
| variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | StaticStorageDurationVariable | | | | variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | StaticStorageDurationVariable | | |
| variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | DumpVariable | | |
| variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | GlobalVariable | | | | variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | GlobalVariable | | |
| variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | StaticStorageDurationVariable | | | | variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | StaticStorageDurationVariable | | |
| variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | DumpVariable | | |
| variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | GlobalVariable | | | | variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | GlobalVariable | | |
| variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | StaticStorageDurationVariable | | | | variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | StaticStorageDurationVariable | | |
| variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | DumpVariable | | |
| variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | GlobalVariable | | | | variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | GlobalVariable | | |
| variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | StaticStorageDurationVariable | | | | variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | StaticStorageDurationVariable | | |
| variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | DumpVariable | | |
| variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | GlobalVariable | | | | variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | GlobalVariable | | |
| variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | StaticStorageDurationVariable | | | | variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | StaticStorageDurationVariable | | |
| variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | DumpVariable | | |
| variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | GlobalVariable | | | | variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | GlobalVariable | | |
| variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | StaticStorageDurationVariable | | | | variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | StaticStorageDurationVariable | | |
| variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | DumpVariable | | |
| variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | GlobalVariable | | | | variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | GlobalVariable | | |
| variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | StaticStorageDurationVariable | | | | variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | StaticStorageDurationVariable | | |
| variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | DumpVariable | | |
| variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | GlobalVariable | | | | variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | GlobalVariable | | |
| variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | StaticStorageDurationVariable | | | | variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | StaticStorageDurationVariable | | |
| variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | DumpVariable | | |
| variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | GlobalVariable | | | | variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | GlobalVariable | | |
| variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | StaticStorageDurationVariable | | | | variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | StaticStorageDurationVariable | | |
| variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | DumpVariable | | |
| variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | GlobalVariable | | | | variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | GlobalVariable | | |
| variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | StaticStorageDurationVariable | | | | variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | StaticStorageDurationVariable | | |
| variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | DumpVariable | | |
| variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | GlobalVariable | | | | variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | | | variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | DumpVariable | | |
| variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | GlobalVariable | | | | variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | | | variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | DumpVariable | | |
| variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | GlobalVariable | | | | variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | | | variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | DumpVariable | | |
| variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | LocalVariable | | | | variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | LocalVariable | | |
| variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | SemanticStackVariable | | | | variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | SemanticStackVariable | | |
| variables.cpp:43:14:43:18 | local | file://:0:0:0:0 | int | DumpVariable | | static |
| variables.cpp:43:14:43:18 | local | file://:0:0:0:0 | int | StaticLocalVariable | | static | | variables.cpp:43:14:43:18 | local | file://:0:0:0:0 | int | StaticLocalVariable | | static |
| variables.cpp:48:9:48:12 | name | file://:0:0:0:0 | char * | DumpVariable | | |
| variables.cpp:48:9:48:12 | name | file://:0:0:0:0 | char * | Field | | | | variables.cpp:48:9:48:12 | name | file://:0:0:0:0 | char * | Field | | |
| variables.cpp:49:12:49:17 | number | file://:0:0:0:0 | long | DumpVariable | | |
| variables.cpp:49:12:49:17 | number | file://:0:0:0:0 | long | Field | | | | variables.cpp:49:12:49:17 | number | file://:0:0:0:0 | long | Field | | |
| variables.cpp:50:9:50:14 | street | file://:0:0:0:0 | char * | DumpVariable | | |
| variables.cpp:50:9:50:14 | street | file://:0:0:0:0 | char * | Field | | | | variables.cpp:50:9:50:14 | street | file://:0:0:0:0 | char * | Field | | |
| variables.cpp:51:9:51:12 | town | file://:0:0:0:0 | char * | DumpVariable | | |
| variables.cpp:51:9:51:12 | town | file://:0:0:0:0 | char * | Field | | | | variables.cpp:51:9:51:12 | town | file://:0:0:0:0 | char * | Field | | |
| variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | DumpVariable | | static |
| variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | MemberVariable | | static | | variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | MemberVariable | | static |
| variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | StaticStorageDurationVariable | | static | | variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | StaticStorageDurationVariable | | static |
| variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | DumpVariable | | |
| variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | GlobalVariable | | | | variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | StaticStorageDurationVariable | | | | variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |

7
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
View File

@@ -1,3 +1,10 @@
| test2.cpp:43:2:43:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:43:36:43:43 | password | this source. |
| test2.cpp:44:2:44:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:44:37:44:45 | thepasswd | this source. |
| test2.cpp:50:2:50:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:50:41:50:53 | passwd_config | this source. |
| test2.cpp:54:2:54:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:54:41:54:52 | widepassword | this source. |
| test2.cpp:55:2:55:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:55:40:55:51 | widepassword | this source. |
| test2.cpp:57:2:57:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:57:39:57:49 | call to getPassword | this source. |
| test2.cpp:65:3:65:9 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:62:18:62:25 | password | this source. |
| test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. | | test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
| test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. | | test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
| test.cpp:73:37:73:41 | call to write | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. | | test.cpp:73:37:73:41 | call to write | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. |

94
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp Normal file
View File

@@ -0,0 +1,94 @@
#define FILE int
typedef unsigned long size_t;
FILE *fopen(const char *filename, const char *mode);
int snprintf(char *s, size_t n, const char *format, ...);
int fprintf(FILE *stream, const char *format, ...);
char *strcpy(char *s1, const char *s2);
char *crypt(char *input);
struct myStruct
{
// sensitive
char *password;
char *thepasswd;
char *accountkey;
wchar_t *widepassword;
// encrypted
char password_hash[64];
char *encrypted_passwd;
// not sensitive
char *password_file;
char *password_path;
int num_passwords;
int *password_tries;
bool have_passwd;
// dubious
char *passwd_config;
char *passwd_config2;
};
char *getPassword();
char *getPasswordHash();
int getPasswordMaxChars();
void tests(FILE *log, myStruct &s)
{
fprintf(log, "password = %s\n", s.password); // BAD
fprintf(log, "thepasswd = %s\n", s.thepasswd); // BAD
fprintf(log, "accountkey = %s\n", s.accountkey); // DUBIOUS [NOT REPORTED]
fprintf(log, "password_hash = %s\n", s.password_hash); // GOOD
fprintf(log, "encrypted_passwd = %s\n", s.encrypted_passwd); // GOOD
fprintf(log, "password_file = %s\n", s.password_file); // GOOD
fprintf(log, "password_path = %s\n", s.password_path); // GOOD
fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED]
fprintf(log, "num_passwords = %i\n", s.num_passwords); // GOOD
fprintf(log, "password_tries = %i\n", *(s.password_tries)); // GOOD
fprintf(log, "have_passwd = %i\n", s.have_passwd); // GOOD
fprintf(log, "widepassword = %ls\n", s.widepassword); // BAD
fprintf(log, "widepassword = %S\n", s.widepassword); // BAD
fprintf(log, "getPassword() = %s\n", getPassword()); // BAD
fprintf(log, "getPasswordHash() = %s\n", getPasswordHash()); // GOOD
fprintf(log, "getPasswordMaxChars() = %i\n", getPasswordMaxChars()); // GOOD
{
char *cpy1 = s.password;
char *cpy2 = crypt(s.password);
fprintf(log, "cpy1 = %s\n", cpy1); // BAD
fprintf(log, "cpy2 = %s\n", cpy2); // GOOD
}
{
char buf[1024];
strcpy(buf, s.password);
fprintf(log, "buf = %s\n", buf); // BAD [NOT DETECTED]
strcpy(buf, s.password_hash);
fprintf(log, "buf = %s\n", buf); // GOOD
}
fprintf(log, "password = %p\n", s.password); // GOOD
{
if (fopen(s.passwd_config2, "rt") == 0)
{
fprintf(log, "could not open file '%s'.\n", s.passwd_config2); // GOOD
}
}
{
char buffer[1024];
snprintf(buffer, 1024, "password = %s", s.password);
fprintf(log, "log: %s", buffer); // BAD [NOT DETECTED]
}
}

16
cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected
View File

@@ -1,3 +1,13 @@
| test.cpp:21:3:21:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:21:10:21:14 | file1 | filename | test.cpp:19:7:19:12 | call to rename | checked | | test2.cpp:69:7:69:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:69:13:69:16 | path | filename | test2.cpp:67:6:67:9 | call to stat | checked |
| test.cpp:35:3:35:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:35:10:35:14 | file1 | filename | test.cpp:32:7:32:12 | call to rename | checked | | test2.cpp:83:7:83:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:83:13:83:16 | path | filename | test2.cpp:81:6:81:8 | buf | checked |
| test.cpp:49:3:49:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:49:10:49:14 | file1 | filename | test.cpp:47:7:47:12 | call to rename | checked | | test2.cpp:98:7:98:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:98:13:98:16 | path | filename | test2.cpp:96:6:96:12 | buf_ptr | checked |
| test2.cpp:115:7:115:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:115:13:115:16 | path | filename | test2.cpp:113:22:113:24 | buf | checked |
| test2.cpp:130:7:130:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:130:13:130:16 | path | filename | test2.cpp:128:21:128:27 | buf_ptr | checked |
| test2.cpp:157:7:157:10 | call to open | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:157:12:157:15 | path | filename | test2.cpp:155:6:155:9 | call to stat | checked |
| test2.cpp:170:7:170:10 | call to open | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:170:12:170:15 | path | filename | test2.cpp:168:6:168:10 | call to lstat | checked |
| test2.cpp:245:3:245:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:245:9:245:12 | path | filename | test2.cpp:238:6:238:10 | call to fopen | checked |
| test2.cpp:277:7:277:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:277:13:277:16 | path | filename | test2.cpp:275:6:275:11 | call to access | checked |
| test2.cpp:303:7:303:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:303:13:303:16 | path | filename | test2.cpp:301:7:301:12 | call to access | checked |
| test2.cpp:317:7:317:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:317:13:317:16 | path | filename | test2.cpp:313:6:313:11 | call to access | checked |
| test2.cpp:348:3:348:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:348:9:348:12 | path | filename | test2.cpp:341:6:341:10 | call to fopen | checked |
| test2.cpp:356:3:356:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:356:9:356:13 | path2 | filename | test2.cpp:354:7:354:12 | call to rename | checked |

6
cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test.cpp
View File

@@ -18,7 +18,7 @@ void test1()
create(file1); create(file1);
if (!rename(file1, file2)) if (!rename(file1, file2))
{ {
remove(file1); // BAD remove(file1); // DUBIOUS (bad but perhaps not exploitable)
} }
} }
@@ -32,7 +32,7 @@ void test2()
if (!rename(file1, file2)) if (!rename(file1, file2))
{ {
file1.set("d.txt"); file1.set("d.txt");
remove(file1); // GOOD [FALSE POSITIVE] remove(file1); // GOOD
} }
} }
@@ -46,6 +46,6 @@ void test3()
create(file1); create(file1);
if (!rename(file1, file2)) if (!rename(file1, file2))
{ {
remove(file1); // BAD remove(file1); // DUBIOUS (bad but perhaps not exploitable)
} }
} }

358
cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp Normal file
View File

@@ -0,0 +1,358 @@
// More test cases. Some of these are inspired by real-world cases, others are synthetic or variations.
#define NULL 0
typedef struct {} FILE;
typedef struct {
int foo;
} stat_data;
FILE *fopen(const char *filename, const char *mode);
int fclose(FILE *stream);
int open(const char *filename, int arg);
int creat(const char *filename, int arg);
int openat(int dir, const char *filename, int arg);
int close(int file);
bool stat(const char *path, stat_data *buf);
bool fstat(int file, stat_data *buf);
bool lstat(const char *path, stat_data *buf);
bool fstatat(int dir, const char *path, stat_data *buf);
void chmod(const char *path, int setting);
int rename(const char *from, const char *to);
bool remove(const char *path);
bool access(const char *path);
// --- open -> open ---
void test1_1(const char *path)
{
FILE *f = NULL;
f = fopen(path, "r");
if (f == NULL)
{
// retry
f = fopen(path, "r"); // GOOD (this is just trying again)
}
// ...
}
void test1_2(const char *path)
{
FILE *f = NULL;
// try until we succeed
while (f == NULL)
{
f = fopen(path, "r"); // GOOD (this is just trying again)
// ...
}
// ...
}
// --- stat -> open ---
void test2_1(const char *path)
{
FILE *f = NULL;
stat_data buf;
if (stat(path, &buf))
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_2(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat(path, &buf);
if (buf.foo > 0)
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_3(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat_data *buf_ptr = &buf;
stat(path, buf_ptr);
if (buf_ptr->foo > 0)
{
f = fopen(path, "r"); // BAD
}
// ...
}
bool stat_condition(const stat_data *buf);
bool other_condition();
void test2_4(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat(path, &buf);
if (stat_condition(&buf))
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_5(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat_data *buf_ptr = &buf;
stat(path, buf_ptr);
if (stat_condition(buf_ptr))
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_6(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat(path, &buf);
if (other_condition())
{
f = fopen(path, "r"); // GOOD (does not depend on the result of stat)
}
// ...
}
void test2_7(const char *path, int arg)
{
stat_data buf;
int f;
if (stat(path, &buf))
{
f = open(path, arg); // BAD
}
// ...
}
void test2_8(const char *path, int arg)
{
stat_data buf;
int f;
if (lstat(path, &buf))
{
f = open(path, arg); // BAD
}
// ...
}
void test2_9(const char *path, int arg)
{
stat_data buf;
int f;
if (stat(path, &buf))
{
f = creat(path, arg); // BAD [NOT DETECTED]
}
// ...
}
void test2_10(int dir, const char *path, int arg)
{
stat_data buf;
int f;
if (fstatat(dir, path, &buf))
{
f = openat(dir, path, arg); // BAD [NOT DETECTED]
}
// ...
}
// --- open -> stat ---
void test3_1(const char *path, int arg)
{
stat_data buf;
int f;
f = open(path, arg);
if (stat(path, &buf)) // BAD [NOT DETECTED]
{
// ...
}
// ...
}
void test3_2(const char *path, int arg)
{
stat_data buf;
int f;
f = open(path, arg);
if (fstat(f, &buf)) // GOOD (uses file descriptor, not path)
{
// ...
}
// ...
}
// --- open -> chmod ---
void test4_1(const char *path)
{
FILE *f = NULL;
f = fopen(path, "w");
if (f)
{
// ...
fclose(f);
chmod(path, 0); // BAD
}
}
// --- rename -> remove / open ---
void test5_1(const char *path1, const char *path2)
{
if (rename(path1, path2))
{
remove(path1); // DUBIOUS (bad but perhaps not exploitable)
}
}
void test5_2(const char *path1, const char *path2)
{
FILE *f = NULL;
if (!rename(path1, path2))
{
f = fopen(path2, "r"); // BAD [NOT DETECTED]
}
}
// --- access -> open ---
void test6_1(const char *path)
{
FILE *f = NULL;
if (access(path))
{
f = fopen(path, "r"); // BAD
// ...
}
}
void test6_2(const char *path)
{
FILE *f = NULL;
if (access(path))
{
// ...
}
f = fopen(path, "r"); // GOOD (appears not to be intended to depend on the access check)
// ...
}
void test6_3(const char *path)
{
FILE *f = NULL;
if (!access(path))
{
f = fopen(path, "r"); // BAD
// ...
}
}
void test6_4(const char *path)
{
FILE *f = NULL;
if (access(path))
{
// ...
} else {
f = fopen(path, "r"); // BAD
// ...
}
}
void test6_5(const char *path1, const char *path2)
{
FILE *f = NULL;
if (access(path1))
{
f = fopen(path2, "r"); // GOOD (different file)
// ...
}
}
// --- open / rename -> chmod ---
void test7_1(const char *path)
{
FILE *f;
f = fopen(path, "wt");
if (f != 0)
{
// ...
fclose(f);
chmod(path, 1234); // BAD
}
}
void test7_1(const char *path1, const char *path2)
{
if (!rename(path1, path2))
{
chmod(path2, 1234); // BAD
}
}

1
cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree.expected
View File

@@ -7,4 +7,3 @@
| test.cpp:170:6:170:9 | data | Memory pointed to by 'data' may have been previously freed $@ | test.cpp:165:2:165:5 | call to free | here | | test.cpp:170:6:170:9 | data | Memory pointed to by 'data' may have been previously freed $@ | test.cpp:165:2:165:5 | call to free | here |
| test.cpp:193:6:193:9 | data | Memory pointed to by 'data' may have been previously freed $@ | test.cpp:191:3:191:6 | call to free | here | | test.cpp:193:6:193:9 | data | Memory pointed to by 'data' may have been previously freed $@ | test.cpp:191:3:191:6 | call to free | here |
| test.cpp:201:6:201:6 | x | Memory pointed to by 'x' may have been previously freed $@ | test.cpp:200:2:200:9 | delete | here | | test.cpp:201:6:201:6 | x | Memory pointed to by 'x' may have been previously freed $@ | test.cpp:200:2:200:9 | delete | here |
| test.cpp:242:14:242:17 | data | Memory pointed to by 'data' may have been previously freed $@ | test.cpp:243:11:243:14 | call to free | here |

39
cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/test.cpp
View File

@@ -213,42 +213,3 @@ void regression_test_for_static_var_handling()
data = (char *)malloc(100*sizeof(char)); data = (char *)malloc(100*sizeof(char));
use(data); // GOOD use(data); // GOOD
} }
void test16(int n, bool b) {
char* data = NULL;
for(int i = 0; i < n; ++i) {
if(b) data = (char*)malloc(10 * sizeof(char));
if(!b || data == NULL) return;
use(data); // GOOD
free(data); // GOOD
}
}
void test17(int n, bool b) {
char* data = (char*)malloc(10);
if(b) {
free(data);
}
if(!b) {
use(data); // GOOD
}
}
void test18(int* array) {
char* data = (char*)malloc(10 * sizeof(char));
for (int i = 0; i < 4; ++i) {
int b = array[i];
if(b) use(data); // BAD
if(!b) free(data);
}
}
void test19(int* array) {
char* data = (char*)malloc(10 * sizeof(char));
int b = array[0];
for (int i = 0; i < 4; ++i) {
if(b) use(data); // GOOD
if(!b) free(data);
}
}

1
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected
View File

@@ -8,6 +8,7 @@
| test.cpp:132:9:132:9 | j | The variable $@ may not be initialized here. | test.cpp:126:6:126:6 | j | j | | test.cpp:132:9:132:9 | j | The variable $@ may not be initialized here. | test.cpp:126:6:126:6 | j | j |
| test.cpp:219:3:219:3 | x | The variable $@ may not be initialized here. | test.cpp:218:7:218:7 | x | x | | test.cpp:219:3:219:3 | x | The variable $@ may not be initialized here. | test.cpp:218:7:218:7 | x | x |
| test.cpp:243:13:243:13 | i | The variable $@ may not be initialized here. | test.cpp:241:6:241:6 | i | i | | test.cpp:243:13:243:13 | i | The variable $@ may not be initialized here. | test.cpp:241:6:241:6 | i | i |
| test.cpp:329:9:329:11 | val | The variable $@ may not be initialized here. | test.cpp:321:6:321:8 | val | val |
| test.cpp:336:10:336:10 | a | The variable $@ may not be initialized here. | test.cpp:333:7:333:7 | a | a | | test.cpp:336:10:336:10 | a | The variable $@ may not be initialized here. | test.cpp:333:7:333:7 | a | a |
| test.cpp:369:10:369:10 | a | The variable $@ may not be initialized here. | test.cpp:358:7:358:7 | a | a | | test.cpp:369:10:369:10 | a | The variable $@ may not be initialized here. | test.cpp:358:7:358:7 | a | a |
| test.cpp:378:9:378:11 | val | The variable $@ may not be initialized here. | test.cpp:359:6:359:8 | val | val | | test.cpp:378:9:378:11 | val | The variable $@ may not be initialized here. | test.cpp:359:6:359:8 | val | val |

2
cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
View File

@@ -326,7 +326,7 @@ int test28() {
a = false; a = false;
c = false; c = false;
} }
return val; // GOOD return val; // GOOD [FALSE POSITIVE]
} }
int test29() { int test29() {

2
csharp/ql/src/Bad Practices/UseOfSystemOutputStream.qhelp
View File

@@ -6,7 +6,7 @@
<p>Writing directly to system output streams is often used as an unstructured form of logging. A <p>Writing directly to system output streams is often used as an unstructured form of logging. A
proper logging mechanism is a better way to direct messages to the desired location and also proper logging mechanism is a better way to direct messages to the desired location and also
ensures that no critical information is leaked to the standard outputs. The rule points out any ensures that no critical information is leaked to the standard outputs. The rule points out any
call to the <code> Console.Write*(...)</code> methods and any access to <code>Console.Out</code> or call to the <code>Console.Write*(...)</code> methods and any access to <code>Console.Out</code> or
<code>Console.Error</code>.</p> <code>Console.Error</code>.</p>
</overview> </overview>

2
csharp/ql/src/Input Validation/ValueShadowingServerVariable.qhelp
View File

@@ -6,7 +6,7 @@
<p>Relying on <code>HttpRequest</code> to provide access to a particular server variable is not <p>Relying on <code>HttpRequest</code> to provide access to a particular server variable is not
safe as it can be overridden by the client. The <code>HttpRequest</code> class implements an safe as it can be overridden by the client. The <code>HttpRequest</code> class implements an
indexer to provide a simplified, combined access to its <code>QueryString</code>, <code>Form</code> indexer to provide a simplified, combined access to its <code>QueryString</code>, <code>Form</code>
, <code>Cookies</code>, or <code> ServerVariables</code> collections, in that particular order. , <code>Cookies</code>, or <code>ServerVariables</code> collections, in that particular order.
When searching for a variable, the first match is returned: <code>QueryString</code> parameters When searching for a variable, the first match is returned: <code>QueryString</code> parameters
hence supersede values from forms, cookies and server variables, and so on. This is a serious hence supersede values from forms, cookies and server variables, and so on. This is a serious
attack vector since an attacker could inject a value in the query string that you do not expect, attack vector since an attacker could inject a value in the query string that you do not expect,

4
csharp/ql/src/Linq/MissedCastOpportunity.qhelp
View File

@@ -6,8 +6,8 @@
<p>Casts are often used when you iterate over a collection of elements of a type that is known to <p>Casts are often used when you iterate over a collection of elements of a type that is known to
contain only elements of a different type (possibly more specific). For example, <code>List&lt;Animal contain only elements of a different type (possibly more specific). For example, <code>List&lt;Animal
&gt; </code> might refer to a collection of instances of <code>Dog</code>, a class derived from &gt; </code> might refer to a collection of instances of <code>Dog</code>, a class derived from
<code> Animal</code>. Programmers often write a loop to iterate over the collection and cast each <code>Animal</code>. Programmers often write a loop to iterate over the collection and cast each
<code> Animal</code> in turn to <code>Dog</code> before using it</p> <code>Animal</code> in turn to <code>Dog</code> before using it</p>
</overview> </overview>
<recommendation> <recommendation>

104
docs/codeql/codeql-cli/about-codeql-packs.rst Normal file
View File

@@ -0,0 +1,104 @@
.. _about-codeql-packs:
About CodeQL packs
==================
.. include:: ../reusables/beta-note-package-management.rst
CodeQL packs are used to create, share, depend on, and run CodeQL queries and libraries. You can publish your own CodeQL packs and download packs created by others. CodeQL packs contain queries, library files, query suites, and metadata.
There are two types of CodeQL packs: query packs and library packs.
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and a compilation cache. This ensures consistent and efficient execution of the queries in the pack.
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled and there is no compilation cache included when the pack is published.
You can use the package management commands in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. For more information, see ":ref:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`." You can also publish and download CodeQL packs using the CodeQL CLI. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
CodeQL pack structure
---------------------
A CodeQL pack must contain a file called ``qlpack.yml`` in its root directory. In the ``qlpack.yml`` file, the ``name:`` field must have a value that follows the format of ``<scope>/<pack>``, where ``<scope>`` is the GitHub organization or user account that the pack will be published to and ``<pack>`` is the name of the pack. The other
files and directories within the pack should be logically organized. For example, typically:
- Queries are organized into directories for specific categories.
- Queries for specific products, libraries, and frameworks are organized into
their own top-level directories.
About ``qlpack.yml`` files
--------------------------
When executing query-related commands, CodeQL first looks in siblings of the installation directory (and their subdirectories) for ``qlpack.yml`` files.
Then it checks the package cache for CodeQL packs which have been downloaded. This means that when you are developing queries locally, the local packages
in the installation directory override packages of the same name in the package cache, so that you can test your local changes.
The metadata in each `qlpack.yml`` file tells
CodeQL how to compile any queries in the pack, what libraries the pack depends on, and where to
find query suite definitions.
The contents of the CodeQL pack (queries or libraries used in CodeQL analysis) is
included in the same directory as ``qlpack.yml``, or its subdirectories.
The location of ``qlpack.yml`` defines the library path for the content
of the CodeQL pack. That is, for all ``.ql`` and ``.qll`` files in the pack,
CodeQL will resolve all import statements relative to the ``qlpack.yml`` at the
pack's root.
.. _codeqlpack-yml-properties:
``qlpack.yml`` properties
~~~~~~~~~~~~~~~~~~~~~~~~~
The following properties are supported in ``qlpack.yml`` files.
.. list-table::
:header-rows: 1
:widths: auto
* - Property
- Example
- Required
- Purpose
* - ``name``
- ``octo-org/security-queries``
- All packs
- The scope, where the CodeQL pack is published, and the name of the pack defined using alphanumeric characters and hyphens. It must be unique as CodeQL cannot differentiate between CodeQL packs with identical names. Name components cannot start or end with a hyphen. Additionally, a period is not allowed in pack names at all. Use the pack name to specify queries to run using ``database analyze`` and to define dependencies between QL packs (see examples below).
* - ``version``
- ``0.0.0``
- All packs
- A version range for this CodeQL pack. This must be a valid semantic version that meets the `SemVer v2.0.0 specification <https://semver.org/spec/v2.0.0.html>`__.
* - ``dependencies``
- ``codeql/javascript-all: ^1.2.3``
- Optional
- The names and version ranges of any CodeQL packs that this pack depends on, as a mapping. This gives the pack access to any libraries, database schema, and query suites defined in the dependency. For more information, see `SemVer ranges <https://docs.npmjs.com/cli/v6/using-npm/semver#ranges>`__ in the NPM documentation.
* - ``suites``
- ``octo-org-query-suites``
- Optional
- The path to a directory in the pack that contains the query suites you want to make known to the CLI, defined relative to the pack directory. QL pack users can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. This is not supported for CodeQL packs downloaded from a package registry. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
* - ``extractor``
- ``javascript``
- All test packs
- The CodeQL language extractor to use when the CLI creates a database in the pack. For more information about testing queries, see ":doc:`Testing custom queries <testing-custom-queries>`."
* - ``tests``
- ``.``
- Optional for test packs
- The path to a directory within the pack that contains tests, defined relative to the pack directory. Use ``.`` to specify the whole pack. Any queries in this directory are run as tests when ``test run`` is run with the ``--strict-test-discovery`` option. These queries are ignored by query suite definitions that use ``queries`` or ``qlpack`` instructions to ask for all queries in a particular pack.
* - ``dbscheme``
- ``semmlecode.python.dbscheme``
- Core language packs only
- The path to the :ref:`database schema <codeql-database-schema>` for all libraries and queries written for this CodeQL language (see example below).
* - ``upgrades``
- ``.``
- Core language packs only
- The path to a directory within the pack that contains upgrade scripts, defined relative to the pack directory. The ``database upgrade`` action uses these scripts to update databases that were created by an older version of an extractor so they're compatible with the current extractor (see `Upgrade scripts for a language <#upgrade-scripts-for-a-language>`__ below.)
* - ``authors``
- ``example@github.com``
- All packs
- Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to.
* - ``licenses``
- ``(LGPL-2.1 AND MIT)``
- All packs
- Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to. For a list of allowed licenses, see `SPDX License List <https://spdx.org/licenses/>`__ in the SPDX Specification.
* - ``description``
- ``Human-readable description of the contents of the CodeQL pack.``
- All packs
- Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to.

2
docs/codeql/codeql-cli/about-ql-packs.rst
View File

@@ -87,7 +87,7 @@ The following properties are supported in ``qlpack.yml`` files.
* - ``suites`` * - ``suites``
- ``suites`` - ``suites``
- Optional - Optional
- The path to a directory that contains the "well-known" query suites in the pack, defined relative to the pack directory. You can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. To use query suites stored in other directories in the pack, you must provide their full path. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`." - The path to a directory in the pack that contains the query suites you want to make known to the CLI, defined relative to the pack directory. QL pack users can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
* - ``extractor`` * - ``extractor``
- ``javascript`` - ``javascript``
- All test packs - All test packs

77
docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
View File

@@ -16,9 +16,9 @@ For information about writing queries to run with ``database analyze``, see
Before starting an analysis you must: Before starting an analysis you must:
- :doc:`Set up the CodeQL CLI <getting-started-with-the-codeql-cli>` so that it can find the queries - :doc:`Set up the CodeQL CLI <getting-started-with-the-codeql-cli>` so that it can find the queries
and libraries included in the CodeQL repository. and libraries included in the CodeQL repository.
- :doc:`Create a CodeQL database <creating-codeql-databases>` for the source - :doc:`Create a CodeQL database <creating-codeql-databases>` for the source
code you want to analyze. code you want to analyze.
Running ``codeql database analyze`` Running ``codeql database analyze``
@@ -65,7 +65,7 @@ You can also specify:
- .. include:: ../reusables/threads-query-execution.rst - .. include:: ../reusables/threads-query-execution.rst
.. pull-quote:: .. pull-quote::
Upgrading databases Upgrading databases
@@ -94,7 +94,7 @@ Running a single query
To run a single query over a CodeQL database for a JavaScript codebase, To run a single query over a CodeQL database for a JavaScript codebase,
you could use the following command from the directory containing your database:: you could use the following command from the directory containing your database::
codeql database analyze <javascript-database> ../ql/javascript/ql/src/Declarations/UnusedVariable.ql --format=csv --output=js-analysis/js-results.csv codeql database analyze <javascript-database> ../ql/javascript/ql/src/Declarations/UnusedVariable.ql --format=csv --output=js-analysis/js-results.csv
This command runs a simple query that finds potential bugs related to unused This command runs a simple query that finds potential bugs related to unused
variables, imports, functions, or classes---it is one of the JavaScript variables, imports, functions, or classes---it is one of the JavaScript
@@ -102,28 +102,44 @@ queries included in the CodeQL repository. You could run more than one query by
specifying a space-separated list of similar paths. specifying a space-separated list of similar paths.
The analysis generates a CSV file (``js-results.csv``) in a new directory The analysis generates a CSV file (``js-results.csv``) in a new directory
(``js-analysis``). (``js-analysis``).
You can also run your own custom queries with the ``database analyze`` command. You can also run your own custom queries with the ``database analyze`` command.
For more information about preparing your queries to use with the CodeQL CLI, For more information about preparing your queries to use with the CodeQL CLI,
see ":doc:`Using custom queries with the CodeQL CLI <using-custom-queries-with-the-codeql-cli>`." see ":doc:`Using custom queries with the CodeQL CLI <using-custom-queries-with-the-codeql-cli>`."
Running GitHub code scanning suites Running a CodeQL pack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
To run the GitHub code scanning suite of queries over a CodeQL database for a C/C++ codebase, .. include:: ../reusables/beta-note-package-management.rst
To run an existing CodeQL query pack from the GitHub Container registry, you need to download it first::
codeql pack download microsoft/coding-standards@1.0.0
Afterwards, you can run the pack on a specific database::
codeql database analyze <database> microsoft/coding-standards@1.0.0 <scope>/<other-pack> --format=sarifv2.1.0 --output=query-results.sarif
The ``analyze`` command above runs the default suite from ``microsoft/coding-standards v1.0.0`` and the latest version of ``scope/other-pack`` on the specified database.
For further information about default suites, see ":ref:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`".
Running query suites
~~~~~~~~~~~~~~~~~~~~
To run a query suite over a CodeQL database for a C/C++ codebase,
you could use the following command from the directory containing your database:: you could use the following command from the directory containing your database::
codeql database analyze <cpp-database> cpp-code-scanning.qls --format=sarifv2.1.0 --output=cpp-results.sarif codeql database analyze <cpp-database> cpp-code-scanning.qls --format=sarifv2.1.0 --output=cpp-results.sarif
The analysis generates a file in the v2.1.0 SARIF format that is supported by all versions of GitHub. The analysis generates a file in the v2.1.0 SARIF format that is supported by all versions of GitHub.
This file can be uploaded to GitHub using ``github upload-results`` or the code scanning API. This file can be uploaded to GitHub by executing ``codeql github upload-results`` or the code scanning API.
For more information, see `Analyzing a CodeQL database <https://docs.github.com/en/code-security/secure-coding/configuring-codeql-cli-in-your-ci-system#analyzing-a-codeql-database>`__ For more information, see `Analyzing a CodeQL database <https://docs.github.com/en/code-security/secure-coding/configuring-codeql-cli-in-your-ci-system#analyzing-a-codeql-database>`__
or `Code scanning API <https://docs.github.com/en/rest/reference/code-scanning>`__ in the GitHub documentation. or `Code scanning API <https://docs.github.com/en/rest/reference/code-scanning>`__ in the GitHub documentation.
CodeQL query suites are ``.qls`` files that use directives to select queries to run CodeQL query suites are ``.qls`` files that use directives to select queries to run
based on certain metadata properties. The standard QL packs have metadata that specify based on certain metadata properties. The standard QL packs have metadata that specify
the location of the code scanning suites, so the CodeQL CLI knows where to find these the location of the query suites used by code scanning, so the CodeQL CLI knows where to find these
suite files automatically, and you don't have to specify the full path on the command line. suite files automatically, and you don't have to specify the full path on the command line.
For more information, see ":ref:`About QL packs <standard-ql-packs>`." For more information, see ":ref:`About QL packs <standard-ql-packs>`."
@@ -137,7 +153,7 @@ and at the following path in the CodeQL for Go repository::
ql/src/codeql-suites/go-code-scanning.qls ql/src/codeql-suites/go-code-scanning.qls
The repository also includes the query suites used by `LGTM.com <https://lgtm.com>`__. The repository also includes the query suites used by `LGTM.com <https://lgtm.com>`__.
These are stored alongside the code scanning suites with names of the form: ``<language>-lgtm.qls``. These are stored alongside the query suites for code scanning with names of the form: ``<language>-lgtm.qls``.
For information about creating custom query suites, see ":doc:`Creating For information about creating custom query suites, see ":doc:`Creating
CodeQL query suites <creating-codeql-query-suites>`." CodeQL query suites <creating-codeql-query-suites>`."
@@ -149,12 +165,21 @@ When you create a CodeQL database, the extractor stores diagnostic data in the d
If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic and summary queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze. If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic and summary queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
Integrating a CodeQL pack into a code scanning workflow in GitHub
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: ../reusables/beta-note-package-management.rst
You can use CodeQL query packs in your Code Scanning setup. This allows you to select query packs published by various sources and use them to analyze your code.
For more information, see "`Using CodeQL query packs in the CodeQL action <https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-codeql-query-packs/>`_" or "`Downloading and using CodeQL query packs in your CI system <https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#downloading-and-using-codeql-query-packs>`_."
Running all queries in a directory Running all queries in a directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can run all the queries located in a directory by providing the directory You can run all the queries located in a directory by providing the directory
path, rather than listing all the individual query files. Paths are searched path, rather than listing all the individual query files. Paths are searched
recursively, so any queries contained in subfolders will also be executed. recursively, so any queries contained in subfolders will also be executed.
.. pull-quote:: .. pull-quote::
@@ -164,12 +189,12 @@ recursively, so any queries contained in subfolders will also be executed.
<about-ql-packs>` when executing ``database analyze`` <about-ql-packs>` when executing ``database analyze``
as it contains some special queries that aren't designed to be used with as it contains some special queries that aren't designed to be used with
the command. Rather, to run a wide range of useful queries, run one of the the command. Rather, to run a wide range of useful queries, run one of the
LGTM.com query suites. LGTM.com query suites.
For example, to execute all Python queries contained in the ``Functions`` For example, to execute all Python queries contained in the ``Functions``
directory you would run:: directory you would run::
codeql database analyze <python-database> ../ql/python/ql/src/Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif codeql database analyze <python-database> ../ql/python/ql/src/Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif
A SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures A SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures
that the results are formatted according to the most recent SARIF specification that the results are formatted according to the most recent SARIF specification
@@ -196,19 +221,19 @@ corresponds to an alert. Each line is a comma-separated list with the following
- Description - Description
- Example - Example
* - Name * - Name
- Name of the query that identified the result. - Name of the query that identified the result.
- ``Inefficient regular expression`` - ``Inefficient regular expression``
* - Description * - Description
- Description of the query. - Description of the query.
- ``A regular expression that requires exponential time to match certain - ``A regular expression that requires exponential time to match certain
inputs can be a performance bottleneck, and may be vulnerable to inputs can be a performance bottleneck, and may be vulnerable to
denial-of-service attacks.`` denial-of-service attacks.``
* - Severity * - Severity
- Severity of the query. - Severity of the query.
- ``error`` - ``error``
* - Message * - Message
- Alert message. - Alert message.
- ``This part of the regular expression may cause exponential backtracking - ``This part of the regular expression may cause exponential backtracking
on strings containing many repetitions of '\\\\'.`` on strings containing many repetitions of '\\\\'.``
* - Path * - Path
- Path of the file containing the alert. - Path of the file containing the alert.
@@ -225,14 +250,14 @@ corresponds to an alert. Each line is a comma-separated list with the following
included when the same value as the start line. included when the same value as the start line.
- ``64`` - ``64``
* - End column * - End column
- Where available, the column of the end line that marks the end of the - Where available, the column of the end line that marks the end of the
alert code. Otherwise the end line is repeated. alert code. Otherwise the end line is repeated.
- ``617`` - ``617``
Results files can be integrated into your own code-review or debugging Results files can be integrated into your own code-review or debugging
infrastructure. For example, SARIF file output can be used to highlight alerts infrastructure. For example, SARIF file output can be used to highlight alerts
in the correct location in your source code using a SARIF viewer plugin for your in the correct location in your source code using a SARIF viewer plugin for your
IDE. IDE.
Further reading Further reading
--------------- ---------------

2
docs/codeql/codeql-cli/codeql-cli-reference.rst
View File

@@ -9,12 +9,14 @@ Learn more about the files you can use when running CodeQL processes and the res
:titlesonly: :titlesonly:
:hidden: :hidden:
about-codeql-packs
about-ql-packs about-ql-packs
query-reference-files query-reference-files
sarif-output sarif-output
exit-codes exit-codes
- :doc:`About CodeQL packs <about-codeql-packs>`: CodeQL packs are created with the CodeQL CLI and are used to create, depend on, publish, and run CodeQL queries and libraries.
- :doc:`About QL packs <about-ql-packs>`: QL packs are used to organize the files used in CodeQL analysis. They - :doc:`About QL packs <about-ql-packs>`: QL packs are used to organize the files used in CodeQL analysis. They
contain queries, library files, query suites, and important metadata. contain queries, library files, query suites, and important metadata.
- :doc:`Query reference files <query-reference-files>`: A query reference file is text file that defines the location of one query to test. - :doc:`Query reference files <query-reference-files>`: A query reference file is text file that defines the location of one query to test.

70
docs/codeql/codeql-cli/creating-and-working-with-codeql-packs.rst Normal file
View File

@@ -0,0 +1,70 @@
.. _creating-and-working-with-codeql-packs:
Creating and working with CodeQL packs
======================================
You can use CodeQL packs to create, share, depend on, and run CodeQL queries and libraries.
.. include:: ../reusables/beta-note-package-management.rst
About CodeQL packs and the CodeQL CLI
-------------------------------------
With CodeQL packs and the package management commands in the CodeQL CLI, you can publish your custom queries and integrate them into your codebase analysis.
There are two types of CodeQL packs: query packs and library packs.
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and a compilation cache. This ensures consistent and efficient execution of the queries in the pack.
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled and there is no compilation cache included when the pack is published.
You can use the ``pack`` command in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. You can also publish and download CodeQL packs using the ``pack`` command. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
Creating a CodeQL pack
----------------------
You can create a CodeQL pack by running the following command from the checkout root of your project:
::
codeql pack init <scope>/<pack>
You must specify:
- ``<scope>``: the name of the GitHub organization or user account that you will publish to.
- ``<pack>``: the name for the pack that you are creating.
The ``codeql pack init`` command creates the directory structure and configuration files for a CodeQL pack. By default, the command creates a query pack. If you want to create a library pack, you must edit the ``qlpack.yml`` file to explicitly declare the file as a library pack by including the ``library:true`` property.
Modifying an existing QL pack to create a CodeQL pack
-----------------------------------------------------
If you already have a ``qlpack.yml`` file, you can edit it manually to convert it into a CodeQL pack.
#. Edit the ``name`` property so that it matches the format ``<scope>/<name>``, where ``<scope>`` is the name of the GitHub organization or user account that you will publish to.
#. In the ``qlpack.yml`` file, include a ``version`` property with a semver identifier, as well as an optional ``dependencies`` block.
For more information about the properties, see ":ref:`About CodeQL packs <about-codeql-packs>`."
Adding and installing dependencies to a CodeQL pack
---------------------------------------------------
You can add dependencies on CodeQL packs using the command ``codeql pack add``. You must specify the scope, name, and version range.
::
codeql pack add <scope>/<name>@x.x.x <scope>/<other-name>
The version range is optional. If you leave off the version range, the latest version will be added. Otherwise, the latest version that satisfies the requested range will be added.
This command updates the ``qlpack.yml`` file with the requested dependencies and downloads them into the package cache. Please note that this command will reformat the file and remove all comments.
You can also manually edit the ``qlpack.yml`` file to include dependencies and install the dependencies with the command:
::
codeql pack install
This command downloads all dependencies to the shared cache on the local disk.
.. pull-quote::
Note
Running the ``codeql pack add`` and ``codeql pack install`` commands will generate or update the ``qlpack.lock.yml`` file. This file should be checked-in to version control. The ``qlpack.lock.yml`` file contains the precise version numbers used by the pack.

26
docs/codeql/codeql-cli/getting-started-with-the-codeql-cli.rst
View File

@@ -18,9 +18,9 @@ structures. To get started quickly, we recommend adopting a relatively simple
setup, as outlined in the steps below. setup, as outlined in the steps below.
If you use Linux, Windows, or macOS version 10.14 ("Mojave") or earlier, simply If you use Linux, Windows, or macOS version 10.14 ("Mojave") or earlier, simply
follow the steps below. For macOS version 10.15 ("Catalina"), steps 1 and 4 are follow the steps below. For macOS version 10.15 ("Catalina") or newer, steps 1
slightly different---for further details, see the sections labeled **Information and 4 are slightly different---for further details, see the sections labeled
for macOS "Catalina" users**. **Information for macOS "Catalina" (or newer) users**.
For information about installing the CodeQL CLI in a CI system to create results For information about installing the CodeQL CLI in a CI system to create results
to display in GitHub as code scanning alerts, see to display in GitHub as code scanning alerts, see
@@ -66,13 +66,14 @@ Alternatively, you can download ``codeql.zip``, which contains the CLI for all s
.. container:: name .. container:: name
**Information for macOS "Catalina" users** **Information for macOS "Catalina" (or newer) users**
.. pull-quote:: macOS "Catalina" .. pull-quote:: macOS "Catalina" (or newer)
If you use macOS version 10.15 ("Catalina"), you need to ensure that your web If you use macOS version 10.15 ("Catalina"), version 11 ("Big Sur"), or the upcoming
browser does not automatically extract zip files. If you use Safari, version 12 ("Monterey"), you need to ensure that your web browser does not automatically
complete the following steps before downloading the CodeQL CLI zip archive: extract zip files. If you use Safari, complete the following steps before downloading
the CodeQL CLI zip archive:
i. Open Safari. i. Open Safari.
ii. From the Safari menu, select **Preferences...**. ii. From the Safari menu, select **Preferences...**.
@@ -164,16 +165,17 @@ For example, if the path to your copy of the CodeQL repository is
.. container:: name .. container:: name
**Information for macOS "Catalina" users** **Information for macOS "Catalina" (or newer) users**
.. pull-quote:: macOS "Catalina" .. pull-quote:: macOS "Catalina"
macOS "Catalina" users should run the following commands in the Terminal, macOS "Catalina", "Big Sur", or "Monterey" users should run the following
where ``${install_loc}`` is the path to the directory you created in step 2: commands in the Terminal, where ``${install_loc}`` is the path to the
directory you created in step 2:
i. ``mv ~/Downloads/codeql*.zip ${install_loc}`` i. ``mv ~/Downloads/codeql*.zip ${install_loc}``
ii. ``cd ${install_loc}`` ii. ``cd ${install_loc}``
iii. ``xattr -c codeql*.zip`` iii. ``/usr/bin/xattr -c codeql*.zip``
iv. ``unzip codeql*.zip`` iv. ``unzip codeql*.zip``
5. Launch ``codeql`` 5. Launch ``codeql``

74
docs/codeql/codeql-cli/publishing-and-using-codeql-packs.rst Normal file
View File

@@ -0,0 +1,74 @@
.. _publishing-and-using-codeql-packs:
Publishing and using CodeQL packs
=================================
You can publish your own CodeQL packs and use packs published by other people.
.. include:: ../reusables/beta-note-package-management.rst
Configuring the ``qlpack.yml`` file before publishing
-----------------------------------------------------
You can check and modify the configuration details of your CodeQL pack prior to publishing. Open the ``qlpack.yml`` file in your preferred text editor.
.. code-block:: none
library: # set to true if the pack is a library. Set to false or omit for a query pack
name: <scope>/<pack>
version: <x.x.x>
description: <Description to publish with the package>
default-suite: # optional, one or more queries in the pack to run by default
- query: <relative-path>/query-file>.ql
default-suite-file: default-queries.qls # optional, a pointer to a query-suite in this pack
license: # optional, the license under which the pack is published
dependencies: # map from CodeQL pack name to version range
- ``name:`` must follow the <scope>/<pack> format, where <scope> is the GitHub organization that you will publish to and <pack> is the name for the pack.
- A maximum of one of ``default-suite`` or ``default-suite-file`` is allowed. These are two different ways to define a default query suite to be run, the first by specifying queries directly in the `qlpack.yml` file and the second by specifying a query suite in the pack.
Running ``codeql pack publish``
-------------------------------
When you are ready to publish a pack to the GitHub Container registry, you can run the following command in the root of the pack directory:
::
codeql pack publish
The published package will be displayed in the packages section of GitHub organization specified by the scope in the ``qlpack.yml`` file.
Running ``codeql pack download <scope>/<pack>``
-----------------------------------------------
To run a pack that someone else has created, you must first download it by running the following command:
::
codeql pack download <scope>/<pack>@x.x.x
- ``<scope>``: the name of the GitHub organization that you will download from.
- ``<pack>``: the name for the pack that you want to download.
- ``@x.x.x``: an optional version number. If omitted, the latest version will be downloaded.
This command accepts arguments for multiple packs.
Using a CodeQL pack to analyze a CodeQL database
------------------------------------------------
To analyze a CodeQL database with a CodeQL pack, run the following command:
::
codeql database analyze <database> <scope>/<pack>@x.x.x
- ``<database>``: the CodeQL database to be analyzed.
- ``<scope>``: the name of the GitHub organization that the pack is published to.
- ``<pack>``: the name for the pack that you are using.
- ``@x.x.x``: an optional version number. If omitted, the latest version will be used.
The ``analyze`` command will run the default suite of any specified CodeQL packs. You can specify multiple CodeQL packs to be used for analyzing a CodeQL database. For example:
::
codeql <database> analyze <scope>/<pack> <scope>/<other-pack>

40
docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
View File

@@ -8,7 +8,7 @@ specific vulnerabilities or errors.
This topic is specifically about writing This topic is specifically about writing
queries to use with the `database analyze <../manual/database-analyze>`__ queries to use with the `database analyze <../manual/database-analyze>`__
command to produce :ref:`interpreted results <interpret-query-results>`. command to produce :ref:`interpreted results <interpret-query-results>`.
.. include:: ../reusables/advanced-query-execution.rst .. include:: ../reusables/advanced-query-execution.rst
@@ -26,16 +26,16 @@ Including query metadata
------------------------ ------------------------
Query metadata is included at the top of each query file. It provides users with information about Query metadata is included at the top of each query file. It provides users with information about
the query, and tells the CodeQL CLI how to process the query results. the query, and tells the CodeQL CLI how to process the query results.
When running queries with the ``database analyze`` command, you must include the When running queries with the ``database analyze`` command, you must include the
following two properties to ensure that the results are interpreted correctly: following two properties to ensure that the results are interpreted correctly:
- Query identifier (``@id``): a sequence of words composed of lowercase letters or - Query identifier (``@id``): a sequence of words composed of lowercase letters or
digits, delimited by ``/`` or ``-``, identifying and classifying the query. digits, delimited by ``/`` or ``-``, identifying and classifying the query.
- Query type (``@kind``): identifies the query as a simple alert (``@kind problem``), - Query type (``@kind``): identifies the query as a simple alert (``@kind problem``),
an alert documented by a sequence of code locations (``@kind path-problem``), an alert documented by a sequence of code locations (``@kind path-problem``),
for extractor troubleshooting (``@kind diagnostic``), or a summary metric for extractor troubleshooting (``@kind diagnostic``), or a summary metric
(``@kind metric`` and ``@tags summary``). (``@kind metric`` and ``@tags summary``).
For more information about these metadata properties, see ":ref:`Metadata for CodeQL queries For more information about these metadata properties, see ":ref:`Metadata for CodeQL queries
@@ -47,22 +47,30 @@ For more information about these metadata properties, see ":ref:`Metadata for Co
Metadata requirements may differ if you want to use your query with other Metadata requirements may differ if you want to use your query with other
applications. For more information, see ":ref:`Metadata for CodeQL queries applications. For more information, see ":ref:`Metadata for CodeQL queries
<metadata-for-codeql-queries>` <metadata-for-codeql-queries>`
." ."
Packaging custom QL queries
---------------------------
Creating a custom QL pack .. include:: ../reusables/beta-note-package-management.rst
-------------------------
When writing your own queries, you should save them in a custom QL pack When you write your own queries, you should save them in a custom QL pack
directory. QL packs provide a way of organizing directory. When you are ready to share your queries with other users, you can publish the pack as a CodeQL pack to GitHub Packages - the GitHub Container registry.
the files used in CodeQL analysis. This directory must contain a file
named ``qlpack.yml`` at the root. Your custom queries should be saved in the QL QL packs organize the files used in CodeQL analysis and can store queries,
pack root, or its subdirectories. library files, query suites, and important metadata. Their root directory must
contain a file named ``qlpack.yml``. Your custom queries should be saved in the
QL pack root, or its subdirectories.
For each QL pack, the ``qlpack.yml`` file includes information that tells CodeQL For each QL pack, the ``qlpack.yml`` file includes information that tells CodeQL
how to compile the queries, what libraries the pack depends on, and where to find how to compile the queries, which other CodeQL packs and libraries the pack
query suite definitions. For more information about what to include in this depends on, and where to find query suite definitions. For more information
file, see ":ref:`About QL packs <custom-ql-packs>`." about what to include in this file, see ":ref:`About QL packs <about-ql-packs>`."
CodeQL packages are used to create, share, depend on, and run CodeQL queries and
libraries. You can publish your own CodeQL packages and download ones created by
others via the the Container registry. For further information see
":ref:`About CodeQL packs <about-codeql-packs>`."
Contributing to the CodeQL repository Contributing to the CodeQL repository
------------------------------------- -------------------------------------

8
docs/codeql/codeql-cli/using-the-codeql-cli.rst
View File

@@ -41,6 +41,12 @@ See the following links to learn how to get set up and run CodeQL commands:
Test query help files by rendering them as markdown to ensure they are valid Test query help files by rendering them as markdown to ensure they are valid
before adding them to the CodeQL repository or using them in code scanning. before adding them to the CodeQL repository or using them in code scanning.
- :doc:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`:
Create, share, depend on, and run CodeQL queries and libraries.
- :doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`:
Publish your own or use others CodeQL packs for code scanning.
- :doc:`Specifying command options in a CodeQL configuration file <specifying-command-options-in-a-codeql-configuration-file>`: - :doc:`Specifying command options in a CodeQL configuration file <specifying-command-options-in-a-codeql-configuration-file>`:
You can save default or frequently used options for your commands in a per-user configuration file. You can save default or frequently used options for your commands in a per-user configuration file.
@@ -57,4 +63,6 @@ See the following links to learn how to get set up and run CodeQL commands:
creating-codeql-query-suites creating-codeql-query-suites
testing-custom-queries testing-custom-queries
testing-query-help-files testing-query-help-files
creating-and-working-with-codeql-packs
publishing-and-using-codeql-packs
Specifying command options <specifying-command-options-in-a-codeql-configuration-file> Specifying command options <specifying-command-options-in-a-codeql-configuration-file>

2
docs/codeql/ql-language-reference/ql-language-specification.rst
View File

@@ -497,6 +497,7 @@ The following sequences of characters are keyword tokens:
max max
min min
module module
newtype
none none
not not
or or
@@ -514,6 +515,7 @@ The following sequences of characters are keyword tokens:
then then
this this
true true
unique
where where
Operators Operators

2
docs/codeql/ql-language-reference/variables.rst
View File

@@ -57,7 +57,7 @@ As an aside, note that the following query leads to a compile-time error:
select i select i
In theory, it would have infinitely many results, as the variable ``i`` is not constrained to a In theory, it would have infinitely many results, as the variable ``i`` is not constrained to a
finite number of possible values. For more informaion, see ":ref:`binding`." finite number of possible values. For more information, see ":ref:`binding`."
.. index:: variable; free, variable; bound .. index:: variable; free, variable; bound
.. _free-variables: .. _free-variables:

25
docs/codeql/query-help/codeql-cwe-coverage.md → docs/codeql/query-help/codeql-cwe-coverage.rst
View File

@@ -1,8 +1,10 @@
# CodeQL CWE coverage CodeQL CWE coverage
===================
An overview of the coverage of MITRE's Common Weakness Enumeration (CWE) for the latest release of CodeQL. You can view the full coverage of MITRE's Common Weakness Enumeration (CWE) or coverage by language for the latest release of CodeQL.
## About CWEs About CWEs
##########
The CWE categorization contains several types of entity, collectively known as CWEs. The CWEs that we consider in this report are only those of the types: The CWE categorization contains several types of entity, collectively known as CWEs. The CWEs that we consider in this report are only those of the types:
@@ -11,15 +13,22 @@ The CWE categorization contains several types of entity, collectively known as C
- Weakness Variant - Weakness Variant
- Compound Element - Compound Element
Other types of CWE do not correspond directly to weaknesses, so are omitted. Other types of CWE that do not correspond directly to weaknesses are omitted.
The CWE categorization includes relationships between entities, in particular a parent-child relationship. The CWE categorization includes relationships between entities, in particular a parent-child relationship.
These relationships are associated with Views (another kind of CWE entity). For the purposes of coverage claims, we use the "[Research View](https://cwe.mitre.org/data/definitions/1000.html)." These relationships are associated with Views (another kind of CWE entity). For the purposes of coverage claims, we use the "`Research View <https://cwe.mitre.org/data/definitions/1000.html>`_."
Every security query is associated with one or more CWEs, which are the most precise CWEs that are covered by that query. Every security query is associated with one or more CWEs, which are the most precise CWEs that are covered by that query.
Overall coverage is claimed for the most-precise CWEs, as well as for any of their ancestors in the View. Overall coverage is claimed for the most-precise CWEs, as well as for any of their ancestors in the View.
## Overview .. toctree::
:hidden:
<!-- autogenerated CWE coverage table will be added below --> :titlesonly:
full-cwe
cpp-cwe
csharp-cwe
go-cwe
java-cwe
javascript-cwe
python-cwe

8
docs/codeql/query-help/cpp-cwe.md Normal file
View File

@@ -0,0 +1,8 @@
# CWE coverage for C and C++
An overview of CWE coverage for C and C++ in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/codeql/query-help/csharp-cwe.md Normal file
View File

@@ -0,0 +1,8 @@
# CWE coverage for C#
An overview of CWE coverage for C# in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/codeql/query-help/full-cwe.md Normal file
View File

@@ -0,0 +1,8 @@
# CodeQL full CWE coverage
An overview of the full coverage of MITRE's Common Weakness Enumeration (CWE) for the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/codeql/query-help/go-cwe.md Normal file
View File

@@ -0,0 +1,8 @@
# CWE coverage for Go
An overview of CWE coverage for Go in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/codeql/query-help/java-cwe.md Normal file
View File

@@ -0,0 +1,8 @@
# CWE coverage for Java
An overview of CWE coverage for Java in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/codeql/query-help/javascript-cwe.md Normal file
View File

@@ -0,0 +1,8 @@
# CWE coverage for JavaScript
An overview of CWE coverage for JavaScript in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/codeql/query-help/python-cwe.md Normal file
View File

@@ -0,0 +1,8 @@
# CWE coverage for Python
An overview of CWE coverage for Python in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

6
docs/codeql/query-help/readme.md
View File

@@ -2,7 +2,9 @@ CodeQL query help Sphinx documentation
-------------------------------------- --------------------------------------
This project supplies the configuration and some boiler plate This project supplies the configuration and some boiler plate
index files for the CodeQL query help documentation. index files for the CodeQL query help and CWE coverage documentation.
The query help itself is automatically generated by the The query help itself is automatically generated by the
"Generate CodeQL query help documentation using Sphinx" workflow. "Generate CodeQL query help documentation using Sphinx" workflow.
The CWE coverage tables are generated and appended to pages by the "Docs generate query help" workflow in the `semmle-code` repository.

5
docs/codeql/reusables/beta-note-package-management.rst Normal file
View File

@@ -0,0 +1,5 @@
.. pull-quote::
Note
The CodeQL package management functionality, including CodeQL packs, is currently available as a beta release and is subject to change. During the beta release, CodeQL packs are available only using GitHub Packages - the GitHub Container registry. To use this beta functionality, install the beta release of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.6.0-beta.1.

1
docs/codeql/support/reusables/frameworks.rst
View File

@@ -95,6 +95,7 @@ Java built-in support
Guava, Utility and collections library Guava, Utility and collections library
Hibernate, Database Hibernate, Database
iBatis / MyBatis, Database iBatis / MyBatis, Database
Jackson, Serialization
Java Persistence API (JPA), Database Java Persistence API (JPA), Database
JDBC, Database JDBC, Database
Protobuf, Serialization Protobuf, Serialization

4
docs/codeql/writing-codeql-queries/metadata-for-codeql-queries.rst
View File

@@ -45,10 +45,12 @@ The following properties are supported by all query files:
| | | ``high`` | | | | | ``high`` | |
| | | ``very-high`` | | | | | ``very-high`` | |
+-----------------------+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ``@problem.severity`` | | ``error`` | Defines the level of severity of any alerts generated by the query. This, along with the ``@precision`` property, determines whether the results are displayed by default on LGTM. | | ``@problem.severity`` | | ``error`` | Defines the level of severity of any alerts generated by a non-security query. This, along with the ``@precision`` property, determines whether the results are displayed by default on LGTM. |
| | | ``warning`` | | | | | ``warning`` | |
| | | ``recommendation`` | | | | | ``recommendation`` | |
+-----------------------+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ``@security-severity``| ``<score>`` | Defines the level of severity, between 0.0 and 10.0, for queries with `@tags security`. For more information about calculating `@security-severity`, see the [GitHub changelog](https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/). |
+-----------------------+---------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Additional properties for filter queries Additional properties for filter queries
---------------------------------------- ----------------------------------------

15
docs/query-help-style-guide.md
View File

@@ -110,6 +110,21 @@ For example:
If your query checks code for a CWE weakness, you should use the `@tags` element in the query file to reference the associated CWEs, as explained [here](query-metadata-style-guide.md). When you use these tags, a link to the appropriate entry from the [MITRE.org](https://cwe.mitre.org/scoring/index.html) site will automatically appear as a reference in the output HTML file. If your query checks code for a CWE weakness, you should use the `@tags` element in the query file to reference the associated CWEs, as explained [here](query-metadata-style-guide.md). When you use these tags, a link to the appropriate entry from the [MITRE.org](https://cwe.mitre.org/scoring/index.html) site will automatically appear as a reference in the output HTML file.
## Validating qhelp files
Before making a pull request, please ensure the `.qhelp` files are well-formed and can be generated without errors. This can be done locally with the CodeQL CLI, as shown in the following example:
```bash
# codeql generate query-help <path_to_your_qhelp_file> --format=<format>
# For example:
codeql generate query-help ./myCustomQuery.qhelp --format=markdown
```
Please include the `.qhelp` files (and any associated code snippets) in your pull request, but do not commit the generated Markdown.
More information on how to test your `.qhelp` files can be found [within the documentation](https://codeql.github.com/docs/codeql-cli/testing-query-help-files/)
## Query help example ## Query help example
The following example is a query help file for a query from the standard query suite for Java: The following example is a query help file for a query from the standard query suite for Java:

5
docs/query-metadata-style-guide.md
View File

@@ -115,10 +115,11 @@ Alert queries (`@kind problem` or `path-problem`) support two further properties
* `medium` * `medium`
* `high` * `high`
* `very-high` * `very-high`
* `@problem.severity`defines the level of severity of the alert: * `@problem.severity`defines the level of severity of non-security alerts:
* `error`an issue that is likely to cause incorrect program behavior, for example a crash or vulnerability. * `error`an issue that is likely to cause incorrect program behavior, for example a crash or vulnerability.
* `warning`an issue that indicates a potential problem in the code, or makes the code fragile if another (unrelated) part of code is changed. * `warning`an issue that indicates a potential problem in the code, or makes the code fragile if another (unrelated) part of code is changed.
* `recommendation`an issue where the code behaves correctly, but it could be improved. * `recommendation`an issue where the code behaves correctly, but it could be improved.
* `@security-severity`-defines the level of severity, between 0.0 and 10.0, for queries with `@tags security`. For more information about calculating `@security-severity`, see the [GitHub changelog](https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/).
The values of `@precision` and `@problem.severity` assigned to a query that is part of the standard set determine how the results are displayed by LGTM. See [About alerts](https://help.semmle.com/lgtm-enterprise/user/help/about-alerts.html) and [Alert interest](https://lgtm.com/help/lgtm/alert-interest) for further information. For information about using custom queries in LGTM on a 'per-project' basis, see [Writing custom queries to include in LGTM analysis](https://lgtm.com/help/lgtm/writing-custom-queries) and [About adding custom queries](https://help.semmle.com/lgtm-enterprise/admin/help/about-adding-custom-queries.html). The values of `@precision` and `@problem.severity` assigned to a query that is part of the standard set determine how the results are displayed by LGTM. See [About alerts](https://help.semmle.com/lgtm-enterprise/user/help/about-alerts.html) and [Alert interest](https://lgtm.com/help/lgtm/alert-interest) for further information. For information about using custom queries in LGTM on a 'per-project' basis, see [Writing custom queries to include in LGTM analysis](https://lgtm.com/help/lgtm/writing-custom-queries) and [About adding custom queries](https://help.semmle.com/lgtm-enterprise/admin/help/about-adding-custom-queries.html).
@@ -165,6 +166,8 @@ When you tag a query like this, the associated CWE pages from [MITRE.org](https:
Code Scanning may use tags to identify queries with specific meanings across languages. Currently, there is only one such tag: `lines-of-code`. The sum of the results for queries with this tag that return a single number column ([example for JavaScript](https://github.com/github/codeql/blob/c47d680d65f09a851e41d4edad58ffa7486b5431/java/ql/src/Metrics/Summaries/LinesOfCode.ql)) is interpreted by Code Scanning as the lines of code under the source root present in the database. Each language should have exactly one query of this form. Code Scanning may use tags to identify queries with specific meanings across languages. Currently, there is only one such tag: `lines-of-code`. The sum of the results for queries with this tag that return a single number column ([example for JavaScript](https://github.com/github/codeql/blob/c47d680d65f09a851e41d4edad58ffa7486b5431/java/ql/src/Metrics/Summaries/LinesOfCode.ql)) is interpreted by Code Scanning as the lines of code under the source root present in the database. Each language should have exactly one query of this form.
Maintainers are expected to add a `@security-severity` tag to security relevant queries that will be run on Code Scanning. There is a documented internal process for generating these `@security-severity` values.
## QL area ## QL area
### Alert messages ### Alert messages

3
java/change-notes/2021-05-17-jackson-deserialization-sink.md Normal file
View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
now recognizes `Jackson` deserialization.

2
java/change-notes/2021-06-02-mvel-injection-query.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Expression language injection (MVEL) (`java/mvel-expression-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @artem-smotrakov](https://github.com/github/codeql/pull/3329)

2
java/change-notes/2021-07-22-model-collection-constructors.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Added additional taint steps modeling constructors for collections in `java.util`.

6
java/documentation/library-coverage/coverage.csv
View File

@@ -9,6 +9,7 @@ com.fasterxml.jackson.databind,,,3,,,,,,,,,,,,,,,3,
com.google.common.base,,,85,,,,,,,,,,,,,,,62,23 com.google.common.base,,,85,,,,,,,,,,,,,,,62,23
com.google.common.io,6,,73,,,,,,,,,,6,,,,,72,1 com.google.common.io,6,,73,,,,,,,,,,6,,,,,72,1
com.unboundid.ldap.sdk,17,,,,,,,,17,,,,,,,,,, com.unboundid.ldap.sdk,17,,,,,,,,17,,,,,,,,,,
jakarta.json,,,123,,,,,,,,,,,,,,,100,23
jakarta.ws.rs.client,1,,,,,,,,,1,,,,,,,,, jakarta.ws.rs.client,1,,,,,,,,,1,,,,,,,,,
jakarta.ws.rs.core,2,,143,,,,,,,,,,,2,,,,88,55 jakarta.ws.rs.core,2,,143,,,,,,,,,,,2,,,,88,55
java.beans,,,1,,,,,,,,,,,,,,,1, java.beans,,,1,,,,,,,,,,,,,,,1,
@@ -17,7 +18,8 @@ java.lang,,,3,,,,,,,,,,,,,,,1,2
java.net,10,3,6,,,,,,,10,,,,,,,3,6, java.net,10,3,6,,,,,,,10,,,,,,,3,6,
java.nio,10,,2,,10,,,,,,,,,,,,,2, java.nio,10,,2,,10,,,,,,,,,,,,,2,
java.sql,7,,,,,,,,,,,7,,,,,,, java.sql,7,,,,,,,,,,,7,,,,,,,
java.util,,,295,,,,,,,,,,,,,,,15,280 java.util,,,332,,,,,,,,,,,,,,,15,317
javax.json,,,123,,,,,,,,,,,,,,,100,23
javax.naming.directory,1,,,,,,,,1,,,,,,,,,, javax.naming.directory,1,,,,,,,,1,,,,,,,,,,
javax.net.ssl,2,,,,,,,,,,2,,,,,,,, javax.net.ssl,2,,,,,,,,,,2,,,,,,,,
javax.servlet,4,21,2,,,3,1,,,,,,,,,,21,2, javax.servlet,4,21,2,,,3,1,,,,,,,,,,21,2,
@@ -47,7 +49,7 @@ org.hibernate,7,,,,,,,,,,,7,,,,,,,
org.jooq,1,,,,,,,,,,,1,,,,,,, org.jooq,1,,,,,,,,,,,1,,,,,,,
org.springframework.beans,,,26,,,,,,,,,,,,,,,,26 org.springframework.beans,,,26,,,,,,,,,,,,,,,,26
org.springframework.cache,,,13,,,,,,,,,,,,,,,,13 org.springframework.cache,,,13,,,,,,,,,,,,,,,,13
org.springframework.http,14,,,,,,,,,14,,,,,,,,, org.springframework.http,14,,70,,,,,,,14,,,,,,,,60,10
org.springframework.jdbc.core,10,,,,,,,,,,,10,,,,,,, org.springframework.jdbc.core,10,,,,,,,,,,,10,,,,,,,
org.springframework.jdbc.object,9,,,,,,,,,,,9,,,,,,, org.springframework.jdbc.object,9,,,,,,,,,,,9,,,,,,,
org.springframework.ldap.core,14,,,,,,,,14,,,,,,,,,, org.springframework.ldap.core,14,,,,,,,,14,,,,,,,,,,
1 package sink source summary sink:bean-validation sink:create-file sink:header-splitting sink:information-leak sink:jexl sink:ldap sink:open-url sink:set-hostname-verifier sink:sql sink:url-open-stream sink:url-redirect sink:xpath sink:xss source:remote summary:taint summary:value
9 com.google.common.base 85 62 23
10 com.google.common.io 6 73 6 72 1
11 com.unboundid.ldap.sdk 17 17
12 jakarta.json 123 100 23
13 jakarta.ws.rs.client 1 1
14 jakarta.ws.rs.core 2 143 2 88 55
15 java.beans 1 1
18 java.net 10 3 6 10 3 6
19 java.nio 10 2 10 2
20 java.sql 7 7
21 java.util 295 332 15 280 317
22 javax.json 123 100 23
23 javax.naming.directory 1 1
24 javax.net.ssl 2 2
25 javax.servlet 4 21 2 3 1 21 2
49 org.jooq 1 1
50 org.springframework.beans 26 26
51 org.springframework.cache 13 13
52 org.springframework.http 14 70 14 60 10
53 org.springframework.jdbc.core 10 10
54 org.springframework.jdbc.object 9 9
55 org.springframework.ldap.core 14 14

8
java/documentation/library-coverage/coverage.rst
View File

@@ -14,9 +14,9 @@ Java framework & library support
`Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,, `Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,,
`Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25 `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
`Google Guava <https://guava.dev/>`_,``com.google.common.*``,,158,6,,6,,,,, `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,158,6,,6,,,,,
Java Standard Library,``java.*``,3,327,30,13,,,7,,,10 Java Standard Library,``java.*``,3,364,30,13,,,7,,,10
Java extensions,"``javax.*``, ``jakarta.*``",22,294,18,,,,,1,1,2 Java extensions,"``javax.*``, ``jakarta.*``",22,540,18,,,,,1,1,2
`Spring <https://spring.io/>`_,``org.springframework.*``,29,236,62,,,,19,14,,29 `Spring <https://spring.io/>`_,``org.springframework.*``,29,306,62,,,,19,14,,29
Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,12,82,,,,14,18,, Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,12,82,,,,14,18,,
Totals,,84,2112,296,13,6,6,107,33,1,66 Totals,,84,2465,296,13,6,6,107,33,1,66

2
java/ql/src/Language Abuse/DubiousTypeTestOfThis.ql
View File

@@ -17,7 +17,7 @@ from InstanceOfExpr ioe, RefType t, RefType ct
where where
ioe.getExpr() instanceof ThisAccess and ioe.getExpr() instanceof ThisAccess and
t = ioe.getExpr().getType() and t = ioe.getExpr().getType() and
ct = ioe.getTypeName().getType() and ct = ioe.getCheckedType() and
ct.getASupertype*() = t ct.getASupertype*() = t
select ioe, select ioe,
"Testing whether 'this' is an instance of $@ in $@ introduces a dependency cycle between the two types.", "Testing whether 'this' is an instance of $@ in $@ introduces a dependency cycle between the two types.",

2
java/ql/src/Language Abuse/UselessTypeTest.ql
View File

@@ -15,7 +15,7 @@ import java
from InstanceOfExpr ioe, RefType t, RefType ct from InstanceOfExpr ioe, RefType t, RefType ct
where where
t = ioe.getExpr().getType() and t = ioe.getExpr().getType() and
ct = ioe.getTypeName().getType() and ct = ioe.getCheckedType() and
ct = t.getASupertype+() ct = t.getASupertype+()
select ioe, select ioe,
"There is no need to test whether an instance of $@ is also an instance of $@ - it always is.", t, "There is no need to test whether an instance of $@ is also an instance of $@ - it always is.", t,

4
java/ql/src/Likely Bugs/Comparison/EqualsUsesInstanceOf.ql
View File

@@ -17,8 +17,8 @@ predicate instanceofInEquals(EqualsMethod m, InstanceOfExpr e) {
m.fromSource() and m.fromSource() and
e.getEnclosingCallable() = m and e.getEnclosingCallable() = m and
e.getExpr().(VarAccess).getVariable() = m.getParameter() and e.getExpr().(VarAccess).getVariable() = m.getParameter() and
exists(Class instanceofType | exists(RefType instanceofType |
instanceofType = e.getTypeName().getType() and instanceofType = e.getCheckedType() and
not instanceofType.isFinal() not instanceofType.isFinal()
) )
} }

2
java/ql/src/Likely Bugs/Concurrency/LazyInitStaticField.ql
View File

@@ -51,7 +51,7 @@ class LockObjectField extends Field {
class ValidSynchStmt extends Stmt { class ValidSynchStmt extends Stmt {
ValidSynchStmt() { ValidSynchStmt() {
// It's OK to lock the enclosing class. // It's OK to lock the enclosing class.
this.(SynchronizedStmt).getExpr().(TypeLiteral).getTypeName().getType() = this.(SynchronizedStmt).getExpr().(TypeLiteral).getReferencedType() =
this.getEnclosingCallable().getDeclaringType() this.getEnclosingCallable().getDeclaringType()
or or
// It's OK to lock on a "lock object field". // It's OK to lock on a "lock object field".

2
java/ql/src/Likely Bugs/Concurrency/SynchSetUnsynchGet.ql
View File

@@ -24,7 +24,7 @@ import java
predicate isSynchronizedByBlock(Method m) { predicate isSynchronizedByBlock(Method m) {
exists(SynchronizedStmt sync, Expr on | sync = m.getBody().getAChild*() and on = sync.getExpr() | exists(SynchronizedStmt sync, Expr on | sync = m.getBody().getAChild*() and on = sync.getExpr() |
if m.isStatic() if m.isStatic()
then on.(TypeLiteral).getTypeName().getType() = m.getDeclaringType() then on.(TypeLiteral).getReferencedType() = m.getDeclaringType()
else on.(ThisAccess).getType().(RefType).getSourceDeclaration() = m.getDeclaringType() else on.(ThisAccess).getType().(RefType).getSourceDeclaration() = m.getDeclaringType()
) )
} }

2
java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql
View File

@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.SSA
/** `ioe` is of the form `va instanceof t`. */ /** `ioe` is of the form `va instanceof t`. */
predicate instanceOfCheck(InstanceOfExpr ioe, VarAccess va, RefType t) { predicate instanceOfCheck(InstanceOfExpr ioe, VarAccess va, RefType t) {
ioe.getExpr() = va and ioe.getExpr() = va and
ioe.getTypeName().getType().(RefType).getSourceDeclaration() = t ioe.getCheckedType().getSourceDeclaration() = t
} }
/** Expression `e` assumes that `va` could be of type `t`. */ /** Expression `e` assumes that `va` could be of type `t`. */

4
java/ql/src/Performance/InnerClassCouldBeStatic.ql
View File

@@ -127,7 +127,9 @@ predicate potentiallyStatic(InnerClass c) {
forall(InnerClass superOfNested | superOfNested = nested.getASourceSupertype+() | forall(InnerClass superOfNested | superOfNested = nested.getASourceSupertype+() |
potentiallyStatic(superOfNested) potentiallyStatic(superOfNested)
) )
) ) and
// JUnit Nested test classes are required to be non-static.
not c.hasAnnotation("org.junit.jupiter.api", "Nested")
} }
/** /**

25
java/ql/src/Security/CWE/CWE-094/MvelExpressionEvaluation.java Normal file
View File

@@ -0,0 +1,25 @@
public void evaluate(Socket socket) throws IOException {
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(socket.getInputStream()))) {
String expression = reader.readLine();
// BAD: the user-provided expression is directly evaluated
MVEL.eval(expression);
}
}
public void safeEvaluate(Socket socket) throws IOException {
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(socket.getInputStream()))) {
String expression = reader.readLine();
// GOOD: the user-provided expression is validated before evaluation
validateExpression(expression);
MVEL.eval(expression);
}
}
private void validateExpression(String expression) {
// Validate that the expression does not contain unexpected code.
// For instance, this can be done with allow-lists or deny-lists of code patterns.
}

16
java/ql/src/experimental/Security/CWE/CWE-094/MvelInjection.qhelp → java/ql/src/Security/CWE/CWE-094/MvelInjection.qhelp
View File

@@ -3,11 +3,11 @@
<overview> <overview>
<p> <p>
MVEL is an expression language based on Java-syntax. MVEL is an expression language based on Java-syntax,
The language offers many features which offers many features
including invocation of methods available in the JVM. including invocation of methods available in the JVM.
If a MVEL expression is built using attacker-controlled data, If a MVEL expression is built using attacker-controlled data,
and then evaluated, then it may allow the attacker to run arbitrary code. and then evaluated, then it may allow attackers to run arbitrary code.
</p> </p>
</overview> </overview>
@@ -19,10 +19,12 @@ Including user input in a MVEL expression should be avoided.
<example> <example>
<p> <p>
The following example uses untrusted data to build a MVEL expression In the following sample, the first example uses untrusted data to build a MVEL expression
and then runs it in the default powerfull context. and then runs it in the default context. In the second example, the untrusted data is
validated with a custom method that checks that the expression does not contain unexpected code
before evaluating it.
</p> </p>
<sample src="UnsafeMvelExpressionEvaluation.java" /> <sample src="MvelExpressionEvaluation.java" />
</example> </example>
<references> <references>
@@ -35,4 +37,4 @@ and then runs it in the default powerfull context.
<a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>. <a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
</li> </li>
</references> </references>
</qhelp> </qhelp>

4
java/ql/src/experimental/Security/CWE/CWE-094/MvelInjection.ql → java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
View File

@@ -11,9 +11,9 @@
*/ */
import java import java
import MvelInjectionLib import semmle.code.java.security.MvelInjectionQuery
import DataFlow::PathGraph import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, MvelInjectionConfig conf from DataFlow::PathNode source, DataFlow::PathNode sink, MvelInjectionFlowConfig conf
where conf.hasFlowPath(source, sink) where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "MVEL injection from $@.", source.getNode(), "this user input" select sink.getNode(), source, sink, "MVEL injection from $@.", source.getNode(), "this user input"

13
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
View File

@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
</p> </p>
<p> <p>
There are many different serialization frameworks. This query currently There are many different serialization frameworks. This query currently
supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>. Jackson and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
</p> </p>
</overview> </overview>
@@ -91,6 +91,15 @@ Remote code execution in JYaml library:
JsonIO deserialization vulnerabilities: JsonIO deserialization vulnerabilities:
<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>. <a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
</li> </li>
<li>
Research by Moritz Bechler:
<a href="https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true">Java Unmarshaller Security - Turning your data into code execution</a>
</li>
<li>
Blog posts by the developer of Jackson libraries:
<a href="https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">On Jackson CVEs: Dont Panic — Here is what you need to know</a>
<a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">Jackson 2.10: Safe Default Typing</a>
</li>
</references> </references>
</qhelp> </qhelp>

44
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
View File

@@ -12,51 +12,9 @@
*/ */
import java import java
import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.UnsafeDeserializationQuery
import semmle.code.java.security.UnsafeDeserialization
import DataFlow::PathGraph import DataFlow::PathGraph
class UnsafeDeserializationConfig extends TaintTracking::Configuration {
UnsafeDeserializationConfig() { this = "UnsafeDeserializationConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(ClassInstanceExpr cie |
cie.getArgument(0) = pred.asExpr() and
cie = succ.asExpr() and
(
cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
cie.getConstructor().getDeclaringType() instanceof BurlapInput
)
)
or
exists(MethodAccess ma |
ma.getMethod() instanceof BurlapInputInitMethod and
ma.getArgument(0) = pred.asExpr() and
ma.getQualifier() = succ.asExpr()
)
}
override predicate isSanitizer(DataFlow::Node node) {
exists(ClassInstanceExpr cie |
cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
cie = node.asExpr() and
exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
)
or
exists(MethodAccess ma |
ma.getMethod() instanceof JsonIoJsonToJavaMethod and
ma.getArgument(0) = node.asExpr() and
exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
)
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf
where conf.hasFlowPath(source, sink) where conf.hasFlowPath(source, sink)
select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink, select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink,

4
java/ql/src/Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
View File

@@ -16,9 +16,9 @@ import java
import semmle.code.java.Collections import semmle.code.java.Collections
predicate guardedByInstanceOf(VarAccess e, RefType t) { predicate guardedByInstanceOf(VarAccess e, RefType t) {
exists(IfStmt s, InstanceOfExpr instanceCheck, Type checkType | exists(IfStmt s, InstanceOfExpr instanceCheck, RefType checkType |
s.getCondition() = instanceCheck and s.getCondition() = instanceCheck and
instanceCheck.getTypeName().getType() = checkType and instanceCheck.getCheckedType() = checkType and
// The same variable appears as the subject of the `instanceof`. // The same variable appears as the subject of the `instanceof`.
instanceCheck.getExpr() = e.getVariable().getAnAccess() and instanceCheck.getExpr() = e.getVariable().getAnAccess() and
// The checked type is either the type itself, or a raw version. For example, it is usually // The checked type is either the type itself, or a raw version. For example, it is usually

367
java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
View File

@@ -1,367 +0,0 @@
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
/**
* A taint-tracking configuration for unsafe user input
* that is used to construct and evaluate a MVEL expression.
*/
class MvelInjectionConfig extends TaintTracking::Configuration {
MvelInjectionConfig() { this = "MvelInjectionConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink }
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
expressionCompilationStep(node1, node2) or
createExpressionCompilerStep(node1, node2) or
expressionCompilerCompileStep(node1, node2) or
createCompiledAccExpressionStep(node1, node2) or
scriptCompileStep(node1, node2) or
createMvelCompiledScriptStep(node1, node2) or
templateCompileStep(node1, node2) or
createTemplateCompilerStep(node1, node2)
}
}
/**
* A sink for EL injection vulnerabilities via MVEL,
* i.e. methods that run evaluation of a MVEL expression.
*/
class MvelEvaluationSink extends DataFlow::ExprNode {
MvelEvaluationSink() {
exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
(
m instanceof MvelEvalMethod or
m instanceof TemplateRuntimeEvaluationMethod
) and
ma.getArgument(0) = asExpr()
)
or
exists(MethodAccess ma, Method m | m = ma.getMethod() |
m instanceof MvelScriptEngineEvaluationMethod and
ma.getArgument(0) = asExpr()
)
or
exists(MethodAccess ma, Method m | m = ma.getMethod() |
(
m instanceof ExecutableStatementEvaluationMethod or
m instanceof CompiledExpressionEvaluationMethod or
m instanceof CompiledAccExpressionEvaluationMethod or
m instanceof AccessorEvaluationMethod or
m instanceof CompiledScriptEvaluationMethod or
m instanceof MvelCompiledScriptEvaluationMethod
) and
ma.getQualifier() = asExpr()
)
or
exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
m instanceof MvelRuntimeEvaluationMethod and
ma.getArgument(1) = asExpr()
)
}
}
/**
* Holds if `node1` to `node2` is a dataflow step that compiles a MVEL expression
* by callilng `MVEL.compileExpression(tainted)`.
*/
predicate expressionCompilationStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(StaticMethodAccess ma, Method m | ma.getMethod() = m |
m.getDeclaringType() instanceof MVEL and
m.hasName("compileExpression") and
ma.getAnArgument() = node1.asExpr() and
node2.asExpr() = ma
)
}
/**
* Holds if `node1` to `node2` is a dataflow step creates `ExpressionCompiler`,
* i.e. `new ExpressionCompiler(tainted)`.
*/
predicate createExpressionCompilerStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(ConstructorCall cc |
cc.getConstructedType() instanceof ExpressionCompiler and
cc = node2.asExpr() and
cc.getArgument(0) = node1.asExpr()
)
}
/**
* Holds if `node1` to `node2` is a dataflow step creates `CompiledAccExpression`,
* i.e. `new CompiledAccExpression(tainted, ...)`.
*/
predicate createCompiledAccExpressionStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(ConstructorCall cc |
cc.getConstructedType() instanceof CompiledAccExpression and
cc = node2.asExpr() and
cc.getArgument(0) = node1.asExpr()
)
}
/**
* Holds if `node1` to `node2` is a dataflow step that compiles a MVEL expression
* by calling `ExpressionCompiler.compile()`.
*/
predicate expressionCompilerCompileStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(MethodAccess ma, Method m | ma.getMethod() = m |
m.getDeclaringType() instanceof ExpressionCompiler and
m.hasName("compile") and
ma = node2.asExpr() and
ma.getQualifier() = node1.asExpr()
)
}
/**
* Holds if `node1` to `node2` is a dataflow step that compiles a script via `MvelScriptEngine`,
* i.e. `engine.compile(tainted)` or `engine.compiledScript(tainted)`.
*/
predicate scriptCompileStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(MethodAccess ma, Method m | ma.getMethod() = m |
m instanceof MvelScriptEngineCompilationMethod and
ma = node2.asExpr() and
ma.getArgument(0) = node1.asExpr()
)
}
/**
* Holds if `node1` to `node2` is a dataflow step creates `MvelCompiledScript`,
* i.e. `new MvelCompiledScript(engine, tainted)`.
*/
predicate createMvelCompiledScriptStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(ConstructorCall cc |
cc.getConstructedType() instanceof MvelCompiledScript and
cc = node2.asExpr() and
cc.getArgument(1) = node1.asExpr()
)
}
/**
* Holds if `node1` to `node2` is a dataflow step creates `TemplateCompiler`,
* i.e. `new TemplateCompiler(tainted)`.
*/
predicate createTemplateCompilerStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(ConstructorCall cc |
cc.getConstructedType() instanceof TemplateCompiler and
cc = node2.asExpr() and
cc.getArgument(0) = node1.asExpr()
)
}
/**
* Holds if `node1` to `node2` is a dataflow step that compiles a script via `TemplateCompiler`,
* i.e. `compiler.compile()` or `TemplateCompiler.compileTemplate(tainted)`.
*/
predicate templateCompileStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(MethodAccess ma, Method m | ma.getMethod() = m |
m instanceof TemplateCompilerCompileMethod and
ma.getQualifier() = node1.asExpr() and
ma = node2.asExpr()
)
or
exists(StaticMethodAccess ma, Method m | ma.getMethod() = m |
m instanceof TemplateCompilerCompileTemplateMethod and
ma = node2.asExpr() and
ma.getArgument(0) = node1.asExpr()
)
}
/**
* Methods in the MVEL class that evaluate a MVEL expression.
*/
class MvelEvalMethod extends Method {
MvelEvalMethod() {
getDeclaringType() instanceof MVEL and
(
hasName("eval") or
hasName("executeExpression") or
hasName("evalToBoolean") or
hasName("evalToString") or
hasName("executeAllExpression") or
hasName("executeSetExpression")
)
}
}
/**
* Methods in `MVEL` class that compile a MVEL expression.
*/
class MvelCompileExpressionMethod extends Method {
MvelCompileExpressionMethod() {
getDeclaringType() instanceof MVEL and
(
hasName("compileExpression") or
hasName("compileGetExpression") or
hasName("compileSetExpression")
)
}
}
/**
* Methods in `ExecutableStatement` that evaluate a MVEL expression.
*/
class ExecutableStatementEvaluationMethod extends Method {
ExecutableStatementEvaluationMethod() {
getDeclaringType() instanceof ExecutableStatement and
hasName("getValue")
}
}
/**
* Methods in `CompiledExpression` that evaluate a MVEL expression.
*/
class CompiledExpressionEvaluationMethod extends Method {
CompiledExpressionEvaluationMethod() {
getDeclaringType() instanceof CompiledExpression and
hasName("getDirectValue")
}
}
/**
* Methods in `CompiledAccExpression` that evaluate a MVEL expression.
*/
class CompiledAccExpressionEvaluationMethod extends Method {
CompiledAccExpressionEvaluationMethod() {
getDeclaringType() instanceof CompiledAccExpression and
hasName("getValue")
}
}
/**
* Methods in `Accessor` that evaluate a MVEL expression.
*/
class AccessorEvaluationMethod extends Method {
AccessorEvaluationMethod() {
getDeclaringType() instanceof Accessor and
hasName("getValue")
}
}
/**
* Methods in `MvelScriptEngine` that evaluate a MVEL expression.
*/
class MvelScriptEngineEvaluationMethod extends Method {
MvelScriptEngineEvaluationMethod() {
getDeclaringType() instanceof MvelScriptEngine and
(hasName("eval") or hasName("evaluate"))
}
}
/**
* Methods in `MvelScriptEngine` that compile a MVEL expression.
*/
class MvelScriptEngineCompilationMethod extends Method {
MvelScriptEngineCompilationMethod() {
getDeclaringType() instanceof MvelScriptEngine and
(hasName("compile") or hasName("compiledScript"))
}
}
/**
* Methods in `CompiledScript` that evaluate a MVEL expression.
*/
class CompiledScriptEvaluationMethod extends Method {
CompiledScriptEvaluationMethod() {
getDeclaringType() instanceof CompiledScript and
hasName("eval")
}
}
/**
* Methods in `TemplateRuntime` that evaluate a MVEL template.
*/
class TemplateRuntimeEvaluationMethod extends Method {
TemplateRuntimeEvaluationMethod() {
getDeclaringType() instanceof TemplateRuntime and
(hasName("eval") or hasName("execute"))
}
}
/**
* `TemplateCompiler.compile()` method compiles a MVEL template.
*/
class TemplateCompilerCompileMethod extends Method {
TemplateCompilerCompileMethod() {
getDeclaringType() instanceof TemplateCompiler and
hasName("compile")
}
}
/**
* `TemplateCompiler.compileTemplate(tainted)` static method compiles a MVEL template.
*/
class TemplateCompilerCompileTemplateMethod extends Method {
TemplateCompilerCompileTemplateMethod() {
getDeclaringType() instanceof TemplateCompiler and
hasName("compileTemplate")
}
}
/**
* Methods in `MvelCompiledScript` that evaluate a MVEL expression.
*/
class MvelCompiledScriptEvaluationMethod extends Method {
MvelCompiledScriptEvaluationMethod() {
getDeclaringType() instanceof MvelCompiledScript and
hasName("eval")
}
}
/**
* Methods in `MVELRuntime` that evaluate a MVEL expression.
*/
class MvelRuntimeEvaluationMethod extends Method {
MvelRuntimeEvaluationMethod() {
getDeclaringType() instanceof MVELRuntime and
hasName("execute")
}
}
class MVEL extends RefType {
MVEL() { hasQualifiedName("org.mvel2", "MVEL") }
}
class ExpressionCompiler extends RefType {
ExpressionCompiler() { hasQualifiedName("org.mvel2.compiler", "ExpressionCompiler") }
}
class ExecutableStatement extends RefType {
ExecutableStatement() { hasQualifiedName("org.mvel2.compiler", "ExecutableStatement") }
}
class CompiledExpression extends RefType {
CompiledExpression() { hasQualifiedName("org.mvel2.compiler", "CompiledExpression") }
}
class CompiledAccExpression extends RefType {
CompiledAccExpression() { hasQualifiedName("org.mvel2.compiler", "CompiledAccExpression") }
}
class Accessor extends RefType {
Accessor() { hasQualifiedName("org.mvel2.compiler", "Accessor") }
}
class CompiledScript extends RefType {
CompiledScript() { hasQualifiedName("javax.script", "CompiledScript") }
}
class MvelScriptEngine extends RefType {
MvelScriptEngine() { hasQualifiedName("org.mvel2.jsr223", "MvelScriptEngine") }
}
class MvelCompiledScript extends RefType {
MvelCompiledScript() { hasQualifiedName("org.mvel2.jsr223", "MvelCompiledScript") }
}
class TemplateRuntime extends RefType {
TemplateRuntime() { hasQualifiedName("org.mvel2.templates", "TemplateRuntime") }
}
class TemplateCompiler extends RefType {
TemplateCompiler() { hasQualifiedName("org.mvel2.templates", "TemplateCompiler") }
}
class MVELRuntime extends RefType {
MVELRuntime() { hasQualifiedName("org.mvel2", "MVELRuntime") }
}

8
java/ql/src/experimental/Security/CWE/CWE-094/UnsafeMvelExpressionEvaluation.java
View File

@@ -1,8 +0,0 @@
public void evaluate(Socket socket) throws IOException {
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(socket.getInputStream()))) {
String expression = reader.readLine();
MVEL.eval(expression);
}
}

2
java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
View File

@@ -26,7 +26,7 @@ all certificate errors are ignored. In the 'GOOD' case, certificate errors are r
<references> <references>
<li>Teamdev: <li>Teamdev:
<a href="https://jxbrowser.support.teamdev.com/support/discussions/topics/9000051708"> <a href="https://jxbrowser-support.teamdev.com/release-notes/2019/v6-24.html">
Changelog of JxBrowser 6.24</a>.</li> Changelog of JxBrowser 6.24</a>.</li>
</references> </references>
</qhelp> </qhelp>

103
java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.java Normal file
View File

@@ -0,0 +1,103 @@
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.multipart.MultipartFile;
@Controller
public class UnsafeReflection {
@RequestMapping(value = {"/service/{beanIdOrClassName}/{methodName}"}, method = {RequestMethod.POST}, consumes = {"application/json"}, produces = {"application/json"})
public Object bad1(@PathVariable("beanIdOrClassName") String beanIdOrClassName, @PathVariable("methodName") String methodName, @RequestBody Map<String, Object> body) throws Exception {
List<Object> rawData = null;
try {
rawData = (List<Object>)body.get("methodInput");
} catch (Exception e) {
return e;
}
return invokeService(beanIdOrClassName, methodName, null, rawData);
}
@GetMapping(value = "uf1")
public void good1(HttpServletRequest request) throws Exception {
HashSet<String> hashSet = new HashSet<>();
hashSet.add("com.example.test1");
hashSet.add("com.example.test2");
String className = request.getParameter("className");
String parameterValue = request.getParameter("parameterValue");
if (!hashSet.contains(className)){
throw new Exception("Class not valid: " + className);
}
try {
Class clazz = Class.forName(className);
Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); //good
} catch (Exception e) {
e.printStackTrace();
}
}
@GetMapping(value = "uf2")
public void good2(HttpServletRequest request) throws Exception {
String className = request.getParameter("className");
String parameterValue = request.getParameter("parameterValue");
if (!"com.example.test1".equals(className)){
throw new Exception("Class not valid: " + className);
}
try {
Class clazz = Class.forName(className);
Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); //good
} catch (Exception e) {
e.printStackTrace();
}
}
private Object invokeService(String beanIdOrClassName, String methodName, MultipartFile[] files, List<Object> data) throws Exception {
BeanFactory beanFactory = new BeanFactory();
try {
Object bean = null;
Class<?> beanClass = Class.forName(beanIdOrClassName);
bean = beanFactory.getBean(beanClass);
byte b;
int i;
Method[] arrayOfMethod;
for (i = (arrayOfMethod = bean.getClass().getMethods()).length, b = 0; b < i; ) {
Method method = arrayOfMethod[b];
if (!method.getName().equals(methodName)) {
b++;
continue;
}
Object result = method.invoke(bean, data);
Map<String, Object> map = new HashMap<>();
return map;
}
} catch (Exception e) {
return e;
}
return null;
}
}
class BeanFactory {
private static HashMap<String, Object> classNameMap = new HashMap<>();
private static HashMap<Class<?>, Object> classMap = new HashMap<>();
static {
classNameMap.put("xxxx", Runtime.getRuntime());
classMap.put(Runtime.class, Runtime.getRuntime());
}
public Object getBean(Class<?> clzz) {
return classMap.get(clzz);
}
}

38
java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.qhelp Normal file
View File

@@ -0,0 +1,38 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
Allowing users to freely choose the name of a class to instantiate could provide means to attack a vulnerable appplication.
</p>
</overview>
<recommendation>
<p>
Create a list of classes that are allowed to load reflectively and strictly verify the input to ensure that
users can only instantiate classes or execute methods that ought to be allowed.
</p>
</recommendation>
<example>
<p>
The <code>bad</code> method shown below illustrate class loading with <code>Class.forName</code> without any check on the particular class being instantiated.
The <code>good</code> methods illustrate some different ways to restrict which classes can be instantiated.
</p>
<sample src="UnsafeReflection.java" />
</example>
<references>
<li>
Unsafe use of Reflection | OWASP:
<a href="https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection">Unsafe use of Reflection</a>.
</li>
<li>
Java owasp: Classes should not be loaded dynamically:
<a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-2658">Classes should not be loaded dynamically</a>.
</li>
</references>
</qhelp>

99
java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql Normal file
View File

@@ -0,0 +1,99 @@
/**
* @name Use of externally-controlled input to select classes or code ('unsafe reflection')
* @description Use external input with reflection function to select the class or code to
* be used, which brings serious security risks.
* @kind path-problem
* @problem.severity error
* @precision high
* @id java/unsafe-reflection
* @tags security
* external/cwe/cwe-470
*/
import java
import DataFlow
import UnsafeReflectionLib
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
private class ContainsSanitizer extends DataFlow::BarrierGuard {
ContainsSanitizer() { this.(MethodAccess).getMethod().hasName("contains") }
override predicate checks(Expr e, boolean branch) {
e = this.(MethodAccess).getArgument(0) and branch = true
}
}
private class EqualsSanitizer extends DataFlow::BarrierGuard {
EqualsSanitizer() { this.(MethodAccess).getMethod().hasName("equals") }
override predicate checks(Expr e, boolean branch) {
e = [this.(MethodAccess).getArgument(0), this.(MethodAccess).getQualifier()] and
branch = true
}
}
class UnsafeReflectionConfig extends TaintTracking::Configuration {
UnsafeReflectionConfig() { this = "UnsafeReflectionConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
// Argument -> return of Class.forName, ClassLoader.loadClass
exists(ReflectiveClassIdentifierMethodAccess rcimac |
rcimac.getArgument(0) = pred.asExpr() and rcimac = succ.asExpr()
)
or
// Qualifier -> return of Class.getDeclaredConstructors/Methods and similar
exists(MethodAccess ma |
(
ma instanceof ReflectiveConstructorsAccess or
ma instanceof ReflectiveMethodsAccess
) and
ma.getQualifier() = pred.asExpr() and
ma = succ.asExpr()
)
or
// Qualifier -> return of Object.getClass
exists(MethodAccess ma |
ma.getMethod().hasName("getClass") and
ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Object") and
ma.getQualifier() = pred.asExpr() and
ma = succ.asExpr()
)
or
// Argument -> return of methods that look like Class.forName
looksLikeResolveClassStep(pred, succ)
or
// Argument -> return of methods that look like `Object getInstance(Class c)`
looksLikeInstantiateClassStep(pred, succ)
or
// Qualifier -> return of Constructor.newInstance, Class.newInstance
exists(NewInstance ni |
ni.getQualifier() = pred.asExpr() and
ni = succ.asExpr()
)
}
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof ContainsSanitizer or guard instanceof EqualsSanitizer
}
}
private Expr getAMethodArgument(MethodAccess reflectiveCall) {
result = reflectiveCall.(NewInstance).getAnArgument()
or
result = reflectiveCall.(MethodInvokeCall).getAnArgument()
}
from
DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeReflectionConfig conf,
MethodAccess reflectiveCall
where
conf.hasFlowPath(source, sink) and
sink.getNode().asExpr() = reflectiveCall.getQualifier() and
conf.hasFlowToExpr(getAMethodArgument(reflectiveCall))
select sink.getNode(), source, sink, "Unsafe reflection of $@.", source.getNode(), "user input"

60
java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll Normal file
View File

@@ -0,0 +1,60 @@
import java
import DataFlow
import semmle.code.java.Reflection
import semmle.code.java.dataflow.FlowSources
/**
* A call to `java.lang.reflect.Method.invoke`.
*/
class MethodInvokeCall extends MethodAccess {
MethodInvokeCall() { this.getMethod().hasQualifiedName("java.lang.reflect", "Method", "invoke") }
}
/**
* Unsafe reflection sink (the qualifier or method arguments to `Constructor.newInstance(...)` or `Method.invoke(...)`)
*/
class UnsafeReflectionSink extends DataFlow::ExprNode {
UnsafeReflectionSink() {
exists(MethodAccess ma |
(
ma.getMethod().hasQualifiedName("java.lang.reflect", "Constructor<>", "newInstance") or
ma instanceof MethodInvokeCall
) and
this.asExpr() = [ma.getQualifier(), ma.getAnArgument()]
)
}
}
/**
* Holds if `fromNode` to `toNode` is a dataflow step that looks like resolving a class.
* A method probably resolves a class if it takes a string, returns a Class
* and its name contains "resolve", "load", etc.
*/
predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
exists(MethodAccess ma, Method m, int i, Expr arg |
m = ma.getMethod() and arg = ma.getArgument(i)
|
m.getReturnType() instanceof TypeClass and
m.getName().toLowerCase().regexpMatch("resolve|load|class|type") and
arg.getType() instanceof TypeString and
arg = fromNode.asExpr() and
ma = toNode.asExpr()
)
}
/**
* Holds if `fromNode` to `toNode` is a dataflow step that looks like instantiating a class.
* A method probably instantiates a class if it is external, takes a Class, returns an Object
* and its name contains "instantiate" or similar terms.
*/
predicate looksLikeInstantiateClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
exists(MethodAccess ma, Method m, int i, Expr arg |
m = ma.getMethod() and arg = ma.getArgument(i)
|
m.getReturnType() instanceof TypeObject and
m.getName().toLowerCase().regexpMatch("instantiate|instance|create|make|getbean") and
arg.getType() instanceof TypeClass and
arg = fromNode.asExpr() and
ma = toNode.asExpr()
)
}

23
java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.java
View File

@@ -34,6 +34,29 @@ public class SpringUrlRedirect {
} }
@GetMapping("url5") @GetMapping("url5")
public ResponseEntity<Void> bad5(String redirectUrl) {
return ResponseEntity.status(HttpStatus.FOUND)
.location(URI.create(redirectUrl))
.build();
}
@GetMapping("url6")
public ResponseEntity<Void> bad6(String redirectUrl) {
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.setLocation(URI.create(redirectUrl));
return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER);
}
@GetMapping("url7")
public ResponseEntity<Void> bad7(String redirectUrl) {
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.add("Location", redirectUrl);
return ResponseEntity.status(HttpStatus.SEE_OTHER).headers(httpHeaders).build();
}
@GetMapping("url8")
public RedirectView good1(String redirectUrl) { public RedirectView good1(String redirectUrl) {
RedirectView rv = new RedirectView(); RedirectView rv = new RedirectView();
if (redirectUrl.startsWith(VALID_REDIRECT)){ if (redirectUrl.startsWith(VALID_REDIRECT)){

9
java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qhelp
View File

@@ -21,10 +21,10 @@ redirects on the server; then choose from that list based on the user input prov
<example> <example>
<p>The following examples show the bad case and the good case respectively. <p>The following examples show the bad case and the good case respectively.
In <code>bad1</code> method and <code>bad2</code> method and <code>bad3</code> method and The <code>bad</code> methods show an HTTP request parameter being used directly
<code>bad4</code> method, shows an HTTP request parameter being used directly in a URL redirect in a URL redirect without validating the input, which facilitates phishing attacks.
without validating the input, which facilitates phishing attacks. In <code>good1</code> method, In the <code>good1</code> method, it is shown how to solve this problem by verifying whether
shows how to solve this problem by verifying whether the user input is a known fixed string beginning. the user input is a known fixed string beginning.
</p> </p>
<sample src="SpringUrlRedirect.java" /> <sample src="SpringUrlRedirect.java" />
@@ -33,5 +33,6 @@ shows how to solve this problem by verifying whether the user input is a known f
<references> <references>
<li>A Guide To Spring Redirects: <a href="https://www.baeldung.com/spring-redirect-and-forward">Spring Redirects</a>.</li> <li>A Guide To Spring Redirects: <a href="https://www.baeldung.com/spring-redirect-and-forward">Spring Redirects</a>.</li>
<li>Url redirection - attack and defense: <a href="https://www.virtuesecurity.com/kb/url-redirection-attack-and-defense/">Url Redirection</a>.</li> <li>Url redirection - attack and defense: <a href="https://www.virtuesecurity.com/kb/url-redirection-attack-and-defense/">Url Redirection</a>.</li>
<li>How to redirect to an external URL from Spring Boot REST Controller (Post/Redirect/Get pattern)?: <a href="https://fullstackdeveloper.guru/2021/03/12/how-to-redirect-to-an-external-url-from-spring-boot-rest-controller/">ResponseEntity Redirection</a>.</li>
</references> </references>
</qhelp> </qhelp>

Some files were not shown because too many files have changed in this diff Show More