Merge pull request #7782 from geoffw0/clrtxt7

C++: Fix FPs for cpp/cleartext-storage-file
2026-05-03 12:45:27 +02:00 · 2022-01-28 17:24:05 +00:00
parent 864b61a804 a695f02af4
commit 0f239e315c
2 changed files with 5 additions and 0 deletions
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -65,6 +65,7 @@ where
  midNode.getNode().asExpr() = mid and
  mid = w.getASource() and
  dest = w.getDest() and
+  not dest.(VariableAccess).getTarget().getName() = ["stdin", "stdout", "stderr"] and // exclude calls with standard streams
  not isFileName(globalValueNumber(source)) and // file names are not passwords
  not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
 select w, sourceNode, midNode,
--- a/cpp/ql/src/change-notes/2022-01-28-cleartext-storage-file.md
+++ b/cpp/ql/src/change-notes/2022-01-28-cleartext-storage-file.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/cleartext-storage-file` query has been improved, removing false positives where data is written to a standard output stream.