hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/main' into mathiasvp/replace-ast-with-ir-use-usedataflow

Browse Source
This commit is contained in:
Jeroen Ketema
2022-12-20 11:34:41 +01:00
parent 949b61c635 149cae9603
commit 0addae81cd
317 changed files with 23012 additions and 7519 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.4.6
No user-facing changes.
## 0.4.5
No user-facing changes.

4
cpp/ql/lib/change-notes/2022-12-19-argv-as-parameter-flowsource.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.

3
cpp/ql/lib/change-notes/released/0.4.6.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.6
No user-facing changes.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.5
lastReleaseVersion: 0.4.6

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.4.6-dev
version: 0.5.0-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

2
cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
View File

@@ -53,7 +53,7 @@ private class ArgvSource extends LocalFlowSource {
exists(Function main, Parameter argv |
main.hasGlobalName("main") and
main.getParameter(1) = argv and
argv.getAnAccess() in [this.asExpr(), this.asIndirectExpr()]
this.asParameter(_) = argv
)
}

89
cpp/ql/src/AlertSuppression.ql
View File

@@ -5,78 +5,35 @@
* @id cpp/alert-suppression
*/
import cpp
private import codeql.suppression.AlertSuppression as AS
private import semmle.code.cpp.Element
/**
* An alert suppression comment.
*/
class SuppressionComment extends Comment {
string annotation;
string text;
class SingleLineComment extends Comment {
private string text;
SuppressionComment() {
(
this instanceof CppStyleComment and
// strip the beginning slashes
text = this.getContents().suffix(2)
or
this instanceof CStyleComment and
// strip both the beginning /* and the end */ the comment
exists(string text0 |
text0 = this.getContents().suffix(2) and
text = text0.prefix(text0.length() - 2)
) and
// The /* */ comment must be a single-line comment
not text.matches("%\n%")
SingleLineComment() {
this instanceof CppStyleComment and
// strip the beginning slashes
text = this.getContents().suffix(2)
or
this instanceof CStyleComment and
// strip both the beginning /* and the end */ the comment
exists(string text0 |
text0 = this.getContents().suffix(2) and
text = text0.prefix(text0.length() - 2)
) and
(
// match `lgtm[...]` anywhere in the comment
annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
or
// match `lgtm` at the start of the comment and after semicolon
annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _).trim()
)
// The /* */ comment must be a single-line comment
not text.matches("%\n%")
}
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
}
/** Gets the text in this comment, excluding the leading //. */
string getText() { result = text }
/** Gets the suppression annotation in this comment. */
string getAnnotation() { result = annotation }
/**
* Holds if this comment applies to the range from column `startcolumn` of line `startline`
* to column `endcolumn` of line `endline` in file `filepath`.
*/
predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
this.getLocation().hasLocationInfo(filepath, startline, _, endline, endcolumn) and
startcolumn = 1
}
/** Gets the scope of this suppression. */
SuppressionScope getScope() { result = this }
}
/**
* The scope of an alert suppression comment.
*/
class SuppressionScope extends ElementBase instanceof SuppressionComment {
/**
* Holds if this element is at the specified location.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
super.covers(filepath, startline, startcolumn, endline, endcolumn)
}
}
from SuppressionComment c
select c, // suppression comment
c.getText(), // text of suppression comment (excluding delimiters)
c.getAnnotation(), // text of suppression annotation
c.getScope() // scope of suppression
import AS::Make<SingleLineComment>

4
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.4.6
No user-facing changes.
## 0.4.5
No user-facing changes.

2
cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -81,8 +81,6 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
)
}
override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) }
override predicate isSanitizer(DataFlow::Node node) {
node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType
or

3
cpp/ql/src/change-notes/released/0.4.6.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.6
No user-facing changes.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.5
lastReleaseVersion: 0.4.6

3
cpp/ql/src/qlpack.yml
View File

@@ -1,11 +1,12 @@
name: codeql/cpp-queries
version: 0.4.6-dev
version: 0.5.0-dev
groups:
- cpp
- queries
dependencies:
codeql/cpp-all: ${workspace}
codeql/suite-helpers: ${workspace}
codeql/util: ${workspace}
suites: codeql-suites
extractor: cpp
defaultSuiteFile: codeql-suites/cpp-code-scanning.qls

30
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected
View File

@@ -1,21 +1,21 @@
edges
| test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | filePath |
| test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | filePath |
| test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath |
| test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath |
| test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath |
| test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath |
| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath |
| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath |
| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath |
| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath |
| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath |
| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath |
nodes
| test.cpp:23:20:23:23 | argv | semmle.label | argv |
| test.cpp:23:20:23:23 | argv indirection | semmle.label | argv indirection |
| test.cpp:23:20:23:23 | argv indirection | semmle.label | argv indirection |
| test.cpp:22:27:22:30 | argv | semmle.label | argv |
| test.cpp:22:27:22:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:22:27:22:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
| test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
subpaths
#select
| test.cpp:29:13:29:20 | filePath | test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:23:20:23:23 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |

116
cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.expected
View File

@@ -1,58 +1,58 @@
| tst.c:1:12:1:18 | // lgtm | lgtm | lgtm | tst.c:1:1:1:18 | // lgtm |
| tst.c:2:1:2:30 | // lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.c:2:1:2:30 | // lgtm[js/debugger-statement] |
| tst.c:3:1:3:61 | // lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tst.c:3:1:3:61 | // lgtm[js/debugger-statement, js/invocation-of-non-function] |
| tst.c:4:1:4:22 | // lgtm[@tag:nullness] | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.c:4:1:4:22 | // lgtm[@tag:nullness] |
| tst.c:5:1:5:44 | // lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tst.c:5:1:5:44 | // lgtm[@tag:nullness,js/debugger-statement] |
| tst.c:6:1:6:28 | // lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tst.c:6:1:6:28 | // lgtm[@expires:2017-06-11] |
| tst.c:7:1:7:70 | // lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tst.c:7:1:7:70 | // lgtm[js/invocation-of-non-function] because I know better than lgtm |
| tst.c:8:1:8:18 | // lgtm: blah blah | lgtm: blah blah | lgtm | tst.c:8:1:8:18 | // lgtm: blah blah |
| tst.c:9:1:9:32 | // lgtm blah blah #falsepositive | lgtm blah blah #falsepositive | lgtm | tst.c:9:1:9:32 | // lgtm blah blah #falsepositive |
| tst.c:10:1:10:39 | //lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | tst.c:10:1:10:39 | //lgtm [js/invocation-of-non-function] |
| tst.c:11:1:11:10 | /* lgtm */ | lgtm | lgtm | tst.c:11:1:11:10 | /* lgtm */ |
| tst.c:12:1:12:9 | // lgtm[] | lgtm[] | lgtm[] | tst.c:12:1:12:9 | // lgtm[] |
| tst.c:14:1:14:6 | //lgtm | lgtm | lgtm | tst.c:14:1:14:6 | //lgtm |
| tst.c:15:1:15:7 | //\tlgtm | \tlgtm | lgtm | tst.c:15:1:15:7 | //\tlgtm |
| tst.c:16:1:16:31 | // lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tst.c:16:1:16:31 | // lgtm\t[js/debugger-statement] |
| tst.c:19:1:19:12 | // foo; lgtm | foo; lgtm | lgtm | tst.c:19:1:19:12 | // foo; lgtm |
| tst.c:20:1:20:35 | // foo; lgtm[js/debugger-statement] | foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.c:20:1:20:35 | // foo; lgtm[js/debugger-statement] |
| tst.c:22:1:22:34 | // foo lgtm[js/debugger-statement] | foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.c:22:1:22:34 | // foo lgtm[js/debugger-statement] |
| tst.c:24:1:24:38 | // foo lgtm[js/debugger-statement] bar | foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tst.c:24:1:24:38 | // foo lgtm[js/debugger-statement] bar |
| tst.c:25:1:25:8 | // LGTM! | LGTM! | LGTM | tst.c:25:1:25:8 | // LGTM! |
| tst.c:26:1:26:30 | // LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tst.c:26:1:26:30 | // LGTM[js/debugger-statement] |
| tst.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tst.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] |
| tst.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] |
| tst.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm | tst.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm |
| tst.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tst.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm |
| tst.c:29:1:29:12 | /* lgtm[] */ | lgtm[] | lgtm[] | tst.c:29:1:29:12 | /* lgtm[] */ |
| tst.c:30:1:30:41 | /* lgtm[js/invocation-of-non-function] */ | lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.c:30:1:30:41 | /* lgtm[js/invocation-of-non-function] */ |
| tst.c:36:1:36:55 | /* lgtm[@tag:nullness,js/invocation-of-non-function] */ | lgtm[@tag:nullness,js/invocation-of-non-function] | lgtm[@tag:nullness,js/invocation-of-non-function] | tst.c:36:1:36:55 | /* lgtm[@tag:nullness,js/invocation-of-non-function] */ |
| tst.c:37:1:37:25 | /* lgtm[@tag:nullness] */ | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.c:37:1:37:25 | /* lgtm[@tag:nullness] */ |
| tstWindows.c:1:12:1:18 | // lgtm | lgtm | lgtm | tstWindows.c:1:1:1:18 | // lgtm |
| tstWindows.c:2:1:2:30 | // lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.c:2:1:2:30 | // lgtm[js/debugger-statement] |
| tstWindows.c:3:1:3:61 | // lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tstWindows.c:3:1:3:61 | // lgtm[js/debugger-statement, js/invocation-of-non-function] |
| tstWindows.c:4:1:4:22 | // lgtm[@tag:nullness] | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.c:4:1:4:22 | // lgtm[@tag:nullness] |
| tstWindows.c:5:1:5:44 | // lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tstWindows.c:5:1:5:44 | // lgtm[@tag:nullness,js/debugger-statement] |
| tstWindows.c:6:1:6:28 | // lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tstWindows.c:6:1:6:28 | // lgtm[@expires:2017-06-11] |
| tstWindows.c:7:1:7:70 | // lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tstWindows.c:7:1:7:70 | // lgtm[js/invocation-of-non-function] because I know better than lgtm |
| tstWindows.c:8:1:8:18 | // lgtm: blah blah | lgtm: blah blah | lgtm | tstWindows.c:8:1:8:18 | // lgtm: blah blah |
| tstWindows.c:9:1:9:32 | // lgtm blah blah #falsepositive | lgtm blah blah #falsepositive | lgtm | tstWindows.c:9:1:9:32 | // lgtm blah blah #falsepositive |
| tstWindows.c:10:1:10:39 | //lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | tstWindows.c:10:1:10:39 | //lgtm [js/invocation-of-non-function] |
| tstWindows.c:11:1:11:10 | /* lgtm */ | lgtm | lgtm | tstWindows.c:11:1:11:10 | /* lgtm */ |
| tstWindows.c:12:1:12:9 | // lgtm[] | lgtm[] | lgtm[] | tstWindows.c:12:1:12:9 | // lgtm[] |
| tstWindows.c:14:1:14:6 | //lgtm | lgtm | lgtm | tstWindows.c:14:1:14:6 | //lgtm |
| tstWindows.c:15:1:15:7 | //\tlgtm | \tlgtm | lgtm | tstWindows.c:15:1:15:7 | //\tlgtm |
| tstWindows.c:16:1:16:31 | // lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tstWindows.c:16:1:16:31 | // lgtm\t[js/debugger-statement] |
| tstWindows.c:19:1:19:12 | // foo; lgtm | foo; lgtm | lgtm | tstWindows.c:19:1:19:12 | // foo; lgtm |
| tstWindows.c:20:1:20:35 | // foo; lgtm[js/debugger-statement] | foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.c:20:1:20:35 | // foo; lgtm[js/debugger-statement] |
| tstWindows.c:22:1:22:34 | // foo lgtm[js/debugger-statement] | foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.c:22:1:22:34 | // foo lgtm[js/debugger-statement] |
| tstWindows.c:24:1:24:38 | // foo lgtm[js/debugger-statement] bar | foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tstWindows.c:24:1:24:38 | // foo lgtm[js/debugger-statement] bar |
| tstWindows.c:25:1:25:8 | // LGTM! | LGTM! | LGTM | tstWindows.c:25:1:25:8 | // LGTM! |
| tstWindows.c:26:1:26:30 | // LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tstWindows.c:26:1:26:30 | // LGTM[js/debugger-statement] |
| tstWindows.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tstWindows.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] |
| tstWindows.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] |
| tstWindows.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm | tstWindows.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm |
| tstWindows.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tstWindows.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm |
| tstWindows.c:29:1:29:12 | /* lgtm[] */ | lgtm[] | lgtm[] | tstWindows.c:29:1:29:12 | /* lgtm[] */ |
| tstWindows.c:30:1:30:41 | /* lgtm[js/invocation-of-non-function] */ | lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.c:30:1:30:41 | /* lgtm[js/invocation-of-non-function] */ |
| tstWindows.c:36:1:36:55 | /* lgtm[@tag:nullness,js/invocation-of-non-function] */ | lgtm[@tag:nullness,js/invocation-of-non-function] | lgtm[@tag:nullness,js/invocation-of-non-function] | tstWindows.c:36:1:36:55 | /* lgtm[@tag:nullness,js/invocation-of-non-function] */ |
| tstWindows.c:37:1:37:25 | /* lgtm[@tag:nullness] */ | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.c:37:1:37:25 | /* lgtm[@tag:nullness] */ |
| tst.c:1:12:1:18 | // lgtm | lgtm | lgtm | tst.c:1:1:1:18 | suppression range |
| tst.c:2:1:2:30 | // lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.c:2:1:2:30 | suppression range |
| tst.c:3:1:3:61 | // lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tst.c:3:1:3:61 | suppression range |
| tst.c:4:1:4:22 | // lgtm[@tag:nullness] | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.c:4:1:4:22 | suppression range |
| tst.c:5:1:5:44 | // lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tst.c:5:1:5:44 | suppression range |
| tst.c:6:1:6:28 | // lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tst.c:6:1:6:28 | suppression range |
| tst.c:7:1:7:70 | // lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tst.c:7:1:7:70 | suppression range |
| tst.c:8:1:8:18 | // lgtm: blah blah | lgtm: blah blah | lgtm | tst.c:8:1:8:18 | suppression range |
| tst.c:9:1:9:32 | // lgtm blah blah #falsepositive | lgtm blah blah #falsepositive | lgtm | tst.c:9:1:9:32 | suppression range |
| tst.c:10:1:10:39 | //lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | tst.c:10:1:10:39 | suppression range |
| tst.c:11:1:11:10 | /* lgtm */ | lgtm | lgtm | tst.c:11:1:11:10 | suppression range |
| tst.c:12:1:12:9 | // lgtm[] | lgtm[] | lgtm[] | tst.c:12:1:12:9 | suppression range |
| tst.c:14:1:14:6 | //lgtm | lgtm | lgtm | tst.c:14:1:14:6 | suppression range |
| tst.c:15:1:15:7 | //\tlgtm | \tlgtm | lgtm | tst.c:15:1:15:7 | suppression range |
| tst.c:16:1:16:31 | // lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tst.c:16:1:16:31 | suppression range |
| tst.c:19:1:19:12 | // foo; lgtm | foo; lgtm | lgtm | tst.c:19:1:19:12 | suppression range |
| tst.c:20:1:20:35 | // foo; lgtm[js/debugger-statement] | foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.c:20:1:20:35 | suppression range |
| tst.c:22:1:22:34 | // foo lgtm[js/debugger-statement] | foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.c:22:1:22:34 | suppression range |
| tst.c:24:1:24:38 | // foo lgtm[js/debugger-statement] bar | foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tst.c:24:1:24:38 | suppression range |
| tst.c:25:1:25:8 | // LGTM! | LGTM! | LGTM | tst.c:25:1:25:8 | suppression range |
| tst.c:26:1:26:30 | // LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tst.c:26:1:26:30 | suppression range |
| tst.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tst.c:27:1:27:70 | suppression range |
| tst.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.c:27:1:27:70 | suppression range |
| tst.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm | tst.c:28:1:28:36 | suppression range |
| tst.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tst.c:28:1:28:36 | suppression range |
| tst.c:29:1:29:12 | /* lgtm[] */ | lgtm[] | lgtm[] | tst.c:29:1:29:12 | suppression range |
| tst.c:30:1:30:41 | /* lgtm[js/invocation-of-non-function] */ | lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.c:30:1:30:41 | suppression range |
| tst.c:36:1:36:55 | /* lgtm[@tag:nullness,js/invocation-of-non-function] */ | lgtm[@tag:nullness,js/invocation-of-non-function] | lgtm[@tag:nullness,js/invocation-of-non-function] | tst.c:36:1:36:55 | suppression range |
| tst.c:37:1:37:25 | /* lgtm[@tag:nullness] */ | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.c:37:1:37:25 | suppression range |
| tstWindows.c:1:12:1:18 | // lgtm | lgtm | lgtm | tstWindows.c:1:1:1:18 | suppression range |
| tstWindows.c:2:1:2:30 | // lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.c:2:1:2:30 | suppression range |
| tstWindows.c:3:1:3:61 | // lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tstWindows.c:3:1:3:61 | suppression range |
| tstWindows.c:4:1:4:22 | // lgtm[@tag:nullness] | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.c:4:1:4:22 | suppression range |
| tstWindows.c:5:1:5:44 | // lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tstWindows.c:5:1:5:44 | suppression range |
| tstWindows.c:6:1:6:28 | // lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tstWindows.c:6:1:6:28 | suppression range |
| tstWindows.c:7:1:7:70 | // lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tstWindows.c:7:1:7:70 | suppression range |
| tstWindows.c:8:1:8:18 | // lgtm: blah blah | lgtm: blah blah | lgtm | tstWindows.c:8:1:8:18 | suppression range |
| tstWindows.c:9:1:9:32 | // lgtm blah blah #falsepositive | lgtm blah blah #falsepositive | lgtm | tstWindows.c:9:1:9:32 | suppression range |
| tstWindows.c:10:1:10:39 | //lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | lgtm [js/invocation-of-non-function] | tstWindows.c:10:1:10:39 | suppression range |
| tstWindows.c:11:1:11:10 | /* lgtm */ | lgtm | lgtm | tstWindows.c:11:1:11:10 | suppression range |
| tstWindows.c:12:1:12:9 | // lgtm[] | lgtm[] | lgtm[] | tstWindows.c:12:1:12:9 | suppression range |
| tstWindows.c:14:1:14:6 | //lgtm | lgtm | lgtm | tstWindows.c:14:1:14:6 | suppression range |
| tstWindows.c:15:1:15:7 | //\tlgtm | \tlgtm | lgtm | tstWindows.c:15:1:15:7 | suppression range |
| tstWindows.c:16:1:16:31 | // lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tstWindows.c:16:1:16:31 | suppression range |
| tstWindows.c:19:1:19:12 | // foo; lgtm | foo; lgtm | lgtm | tstWindows.c:19:1:19:12 | suppression range |
| tstWindows.c:20:1:20:35 | // foo; lgtm[js/debugger-statement] | foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.c:20:1:20:35 | suppression range |
| tstWindows.c:22:1:22:34 | // foo lgtm[js/debugger-statement] | foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.c:22:1:22:34 | suppression range |
| tstWindows.c:24:1:24:38 | // foo lgtm[js/debugger-statement] bar | foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tstWindows.c:24:1:24:38 | suppression range |
| tstWindows.c:25:1:25:8 | // LGTM! | LGTM! | LGTM | tstWindows.c:25:1:25:8 | suppression range |
| tstWindows.c:26:1:26:30 | // LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tstWindows.c:26:1:26:30 | suppression range |
| tstWindows.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tstWindows.c:27:1:27:70 | suppression range |
| tstWindows.c:27:1:27:70 | // lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.c:27:1:27:70 | suppression range |
| tstWindows.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm | tstWindows.c:28:1:28:36 | suppression range |
| tstWindows.c:28:1:28:36 | // lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tstWindows.c:28:1:28:36 | suppression range |
| tstWindows.c:29:1:29:12 | /* lgtm[] */ | lgtm[] | lgtm[] | tstWindows.c:29:1:29:12 | suppression range |
| tstWindows.c:30:1:30:41 | /* lgtm[js/invocation-of-non-function] */ | lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.c:30:1:30:41 | suppression range |
| tstWindows.c:36:1:36:55 | /* lgtm[@tag:nullness,js/invocation-of-non-function] */ | lgtm[@tag:nullness,js/invocation-of-non-function] | lgtm[@tag:nullness,js/invocation-of-non-function] | tstWindows.c:36:1:36:55 | suppression range |
| tstWindows.c:37:1:37:25 | /* lgtm[@tag:nullness] */ | lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.c:37:1:37:25 | suppression range |

38
cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected
View File

@@ -1,36 +1,32 @@
edges
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | Convert indirection |
| test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection |
| test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection |
| test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection |
| test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection |
| test.c:8:27:8:30 | argv | test.c:17:11:17:18 | Convert indirection |
| test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | Convert indirection |
| test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | Convert indirection |
| test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | Convert indirection |
| test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | Convert indirection |
| test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection |
| test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection |
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | Convert indirection |
| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | Convert indirection |
| test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection |
| test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection |
nodes
| test.c:9:23:9:26 | argv | semmle.label | argv |
| test.c:9:23:9:26 | argv indirection | semmle.label | argv indirection |
| test.c:9:23:9:26 | argv indirection | semmle.label | argv indirection |
| test.c:8:27:8:30 | argv | semmle.label | argv |
| test.c:8:27:8:30 | argv indirection | semmle.label | argv indirection |
| test.c:8:27:8:30 | argv indirection | semmle.label | argv indirection |
| test.c:17:11:17:18 | Convert indirection | semmle.label | Convert indirection |
| test.c:31:22:31:25 | argv indirection | semmle.label | argv indirection |
| test.c:31:22:31:25 | argv indirection | semmle.label | argv indirection |
| test.c:32:11:32:18 | Convert indirection | semmle.label | Convert indirection |
| test.c:37:17:37:24 | scanf output argument | semmle.label | scanf output argument |
| test.c:38:11:38:18 | Convert indirection | semmle.label | Convert indirection |
| test.c:43:17:43:24 | scanf output argument | semmle.label | scanf output argument |
| test.c:44:11:44:18 | Convert indirection | semmle.label | Convert indirection |
| test.c:57:10:57:13 | argv indirection | semmle.label | argv indirection |
| test.c:57:10:57:13 | argv indirection | semmle.label | argv indirection |
| test.c:57:10:57:16 | access to array indirection | semmle.label | access to array indirection |
subpaths
#select
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (a command-line argument) |
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv indirection | user input (a command-line argument) |
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv indirection | user input (a command-line argument) |
| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv indirection | user input (a command-line argument) |
| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv indirection | user input (a command-line argument) |
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv | user input (a command-line argument) |
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
| test.c:32:11:32:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
| test.c:32:11:32:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | scanf output argument | user input (value read by scanf) |
| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | scanf output argument | user input (value read by scanf) |
| test.c:57:10:57:16 | access to array | test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:57:10:57:13 | argv indirection | user input (a command-line argument) |
| test.c:57:10:57:16 | access to array | test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:57:10:57:13 | argv indirection | user input (a command-line argument) |
| test.c:57:10:57:16 | access to array | test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
| test.c:57:10:57:16 | access to array | test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |

12
cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
View File

@@ -1,6 +1,6 @@
edges
| test.cpp:16:20:16:23 | argv indirection | test.cpp:22:45:22:52 | Load indirection |
| test.cpp:16:20:16:23 | argv indirection | test.cpp:22:45:22:52 | Load indirection |
| test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | Load indirection |
| test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | Load indirection |
| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | Convert indirection |
| test.cpp:22:45:22:52 | Load indirection | test.cpp:22:13:22:20 | sprintf output argument |
| test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:50:35:50:43 | Load indirection |
@@ -101,8 +101,8 @@ edges
| test.cpp:220:19:220:26 | Convert indirection | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:19:220:26 | Convert indirection | test.cpp:220:10:220:16 | strncat output argument |
nodes
| test.cpp:16:20:16:23 | argv indirection | semmle.label | argv indirection |
| test.cpp:16:20:16:23 | argv indirection | semmle.label | argv indirection |
| test.cpp:15:27:15:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:15:27:15:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
| test.cpp:22:45:22:52 | Load indirection | semmle.label | Load indirection |
| test.cpp:23:12:23:19 | Convert indirection | semmle.label | Convert indirection |
@@ -211,8 +211,8 @@ subpaths
| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename | test.cpp:187:11:187:15 | strncat output argument | test.cpp:196:19:196:23 | concat output argument |
| test.cpp:196:26:196:33 | filename | test.cpp:186:47:186:54 | filename | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
#select
| test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv indirection | test.cpp:23:12:23:19 | Convert indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:16:20:16:23 | argv indirection | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
| test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv indirection | test.cpp:23:12:23:19 | Convert indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:16:20:16:23 | argv indirection | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | argv indirection | test.cpp:23:12:23:19 | Convert indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | argv indirection | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | argv indirection | test.cpp:23:12:23:19 | Convert indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | argv indirection | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:51:10:51:16 | Convert indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | call to getenv indirection | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | Convert indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | Convert indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
View File

@@ -50,7 +50,6 @@
| tests.cpp:546:6:546:10 | call to fread | This 'fread' operation may access 400 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
| tests.cpp:569:6:569:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
| tests.cpp:586:6:586:12 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
| tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
| unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
| unions.cpp:27:2:27:7 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 10 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |

33
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
View File

@@ -1,7 +1,16 @@
edges
| overflowdestination.cpp:27:9:27:12 | argv | overflowdestination.cpp:30:17:30:20 | arg1 |
| overflowdestination.cpp:27:9:27:12 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 |
| overflowdestination.cpp:27:9:27:12 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 |
| main.cpp:6:27:6:30 | argv | main.cpp:7:33:7:36 | argv |
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | Load indirection |
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | Load indirection |
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | Load indirection |
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv |
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv |
| main.cpp:7:33:7:36 | Load indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
| main.cpp:7:33:7:36 | Load indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
| main.cpp:7:33:7:36 | argv | overflowdestination.cpp:23:45:23:48 | argv |
| overflowdestination.cpp:23:45:23:48 | argv | overflowdestination.cpp:30:17:30:20 | arg1 |
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 |
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src |
| overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:52:9:52:12 | memcpy output argument |
| overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:53:9:53:12 | memcpy output argument |
@@ -61,9 +70,15 @@ edges
| overflowdestination.cpp:76:30:76:32 | src | overflowdestination.cpp:76:24:76:27 | overflowdest_test3 output argument |
| overflowdestination.cpp:76:30:76:32 | src | overflowdestination.cpp:76:30:76:32 | overflowdest_test3 output argument |
nodes
| overflowdestination.cpp:27:9:27:12 | argv | semmle.label | argv |
| overflowdestination.cpp:27:9:27:12 | argv indirection | semmle.label | argv indirection |
| overflowdestination.cpp:27:9:27:12 | argv indirection | semmle.label | argv indirection |
| main.cpp:6:27:6:30 | argv | semmle.label | argv |
| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
| main.cpp:7:33:7:36 | Load indirection | semmle.label | Load indirection |
| main.cpp:7:33:7:36 | Load indirection | semmle.label | Load indirection |
| main.cpp:7:33:7:36 | argv | semmle.label | argv |
| overflowdestination.cpp:23:45:23:48 | argv | semmle.label | argv |
| overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
| overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
| overflowdestination.cpp:30:17:30:20 | arg1 | semmle.label | arg1 |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
| overflowdestination.cpp:46:15:46:17 | src | semmle.label | src |
@@ -121,9 +136,9 @@ subpaths
| overflowdestination.cpp:76:30:76:32 | src | overflowdestination.cpp:57:52:57:54 | src | overflowdestination.cpp:65:9:65:13 | memcpy output argument | overflowdestination.cpp:76:24:76:27 | overflowdest_test3 output argument |
| overflowdestination.cpp:76:30:76:32 | src | overflowdestination.cpp:57:52:57:54 | src | overflowdestination.cpp:65:9:65:13 | memcpy output argument | overflowdestination.cpp:76:30:76:32 | overflowdest_test3 output argument |
#select
| overflowdestination.cpp:30:2:30:8 | call to strncpy | overflowdestination.cpp:27:9:27:12 | argv | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:30:2:30:8 | call to strncpy | overflowdestination.cpp:27:9:27:12 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:30:2:30:8 | call to strncpy | overflowdestination.cpp:27:9:27:12 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |

12
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp Normal file
View File

@@ -0,0 +1,12 @@
int overflowdesination_main(int argc, char **argv);
int test_buffer_overrun_main(int argc, char **argv);
int tests_restrict_main(int argc, char **argv);
int tests_main(int argc, char **argv);
int main(int argc, char **argv) {
overflowdesination_main(argc, argv);
test_buffer_overrun_main(argc, argv);
tests_restrict_main(argc, argv);
tests_main(argc, argv);
return 0;
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp
View File

@@ -20,7 +20,7 @@ inline size_t min(size_t a, size_t b) {
}
}
int main(int argc, char* argv[]) {
int overflowdesination_main(int argc, char* argv[]) {
char param[20];
char *arg1;

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp
View File

@@ -29,7 +29,7 @@ void test_buffer_overrun_in_while_loop_using_array_indexing()
}
}
int main(int argc, char *argv[])
int test_buffer_overrun_main(int argc, char *argv[])
{
test_buffer_overrun_in_for_loop();
test_buffer_overrun_in_while_loop_using_pointer_arithmetic();

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
View File

@@ -603,7 +603,7 @@ void test22(bool b, const char* source) {
memcpy(dest, source, n); // GOOD
}
int main(int argc, char *argv[])
int tests_main(int argc, char *argv[])
{
long long arr17[19];

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c
View File

@@ -12,7 +12,7 @@ void test1()
memcpy(largebuf, smallbuf, 2); // BAD: source over-read
}
int main(int argc, char *argv[])
int tests_restrict_main(int argc, char *argv[])
{
test1();

54
cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
View File

@@ -1,16 +1,16 @@
edges
| test1.c:8:16:8:19 | argv | test1.c:9:9:9:9 | i |
| test1.c:8:16:8:19 | argv | test1.c:11:9:11:9 | i |
| test1.c:8:16:8:19 | argv | test1.c:12:9:12:9 | i |
| test1.c:8:16:8:19 | argv | test1.c:13:9:13:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:9:9:9:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:9:9:9:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:11:9:11:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:11:9:11:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:12:9:12:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:12:9:12:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:13:9:13:9 | i |
| test1.c:8:16:8:19 | argv indirection | test1.c:13:9:13:9 | i |
| test1.c:7:26:7:29 | argv | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | argv | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | argv | test1.c:12:9:12:9 | i |
| test1.c:7:26:7:29 | argv | test1.c:13:9:13:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:12:9:12:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:12:9:12:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:13:9:13:9 | i |
| test1.c:7:26:7:29 | argv indirection | test1.c:13:9:13:9 | i |
| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i |
| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i |
| test1.c:12:9:12:9 | i | test1.c:40:16:40:16 | i |
@@ -20,9 +20,9 @@ edges
| test1.c:40:16:40:16 | i | test1.c:41:11:41:11 | i |
| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j |
nodes
| test1.c:8:16:8:19 | argv | semmle.label | argv |
| test1.c:8:16:8:19 | argv indirection | semmle.label | argv indirection |
| test1.c:8:16:8:19 | argv indirection | semmle.label | argv indirection |
| test1.c:7:26:7:29 | argv | semmle.label | argv |
| test1.c:7:26:7:29 | argv indirection | semmle.label | argv indirection |
| test1.c:7:26:7:29 | argv indirection | semmle.label | argv indirection |
| test1.c:9:9:9:9 | i | semmle.label | i |
| test1.c:11:9:11:9 | i | semmle.label | i |
| test1.c:12:9:12:9 | i | semmle.label | i |
@@ -37,15 +37,15 @@ nodes
| test1.c:53:15:53:15 | j | semmle.label | j |
subpaths
#select
| test1.c:18:16:18:16 | i | test1.c:8:16:8:19 | argv | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv | a command-line argument |
| test1.c:18:16:18:16 | i | test1.c:8:16:8:19 | argv indirection | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:18:16:18:16 | i | test1.c:8:16:8:19 | argv indirection | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:8:16:8:19 | argv | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:8:16:8:19 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:8:16:8:19 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:8:16:8:19 | argv | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:8:16:8:19 | argv indirection | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:8:16:8:19 | argv indirection | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:8:16:8:19 | argv | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:8:16:8:19 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:8:16:8:19 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:8:16:8:19 | argv indirection | a command-line argument |
| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv indirection | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv indirection | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:7:26:7:29 | argv | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:41:11:41:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:41:11:41:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |

78
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
View File

@@ -1,22 +1,22 @@
edges
| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:43:38:43:44 | tainted |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:43:38:43:44 | tainted |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:49:32:49:35 | size |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:49:32:49:35 | size |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:50:26:50:29 | size |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:50:26:50:29 | size |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:40:21:40:24 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:39:27:39:30 | argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:39:27:39:30 | argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:39:27:39:30 | argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:39:27:39:30 | argv | test.cpp:49:32:49:35 | size |
| test.cpp:39:27:39:30 | argv | test.cpp:50:26:50:29 | size |
| test.cpp:39:27:39:30 | argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
@@ -47,9 +47,9 @@ edges
| test.cpp:338:19:338:24 | call to getenv | test.cpp:342:25:342:43 | ... * ... |
| test.cpp:338:19:338:32 | call to getenv indirection | test.cpp:342:25:342:43 | ... * ... |
nodes
| test.cpp:40:21:40:24 | argv | semmle.label | argv |
| test.cpp:40:21:40:24 | argv indirection | semmle.label | argv indirection |
| test.cpp:40:21:40:24 | argv indirection | semmle.label | argv indirection |
| test.cpp:39:27:39:30 | argv | semmle.label | argv |
| test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
@@ -93,24 +93,24 @@ nodes
| test.cpp:342:25:342:43 | ... * ... | semmle.label | ... * ... |
subpaths
#select
| test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv indirection | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv indirection | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:40:21:40:24 | argv indirection | user input (a command-line argument) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) |
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv indirection | user input (an environment variable) |
| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:133:19:133:24 | call to getenv | user input (an environment variable) |

18
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
View File

@@ -1,19 +1,19 @@
edges
| test2.cpp:110:8:110:15 | gets output argument | test2.cpp:110:3:110:6 | call to gets |
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
| test.cpp:54:17:54:20 | argv indirection | test.cpp:58:25:58:29 | input |
| test.cpp:54:17:54:20 | argv indirection | test.cpp:58:25:58:29 | input |
| test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input |
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input |
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input |
nodes
| test2.cpp:110:3:110:6 | call to gets | semmle.label | call to gets |
| test2.cpp:110:8:110:15 | gets output argument | semmle.label | gets output argument |
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
| test.cpp:54:17:54:20 | argv indirection | semmle.label | argv indirection |
| test.cpp:54:17:54:20 | argv indirection | semmle.label | argv indirection |
| test.cpp:53:27:53:30 | argv | semmle.label | argv |
| test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:58:25:58:29 | input | semmle.label | input |
subpaths
#select
| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets | user input (string read by gets) |
| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:8:110:15 | gets output argument | test2.cpp:110:3:110:6 | call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:8:110:15 | gets output argument | user input (string read by gets) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:54:17:54:20 | argv | user input (a command-line argument) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv indirection | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:54:17:54:20 | argv indirection | user input (a command-line argument) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv indirection | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:54:17:54:20 | argv indirection | user input (a command-line argument) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv | user input (a command-line argument) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |