hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into cpp-non-constant-format-as-path-query

Browse Source
This commit is contained in:
Ben Rodes
2024-02-22 06:24:18 -08:00
committed by GitHub
parent 8d35db0fe6 2b4b512611
commit 47f94e2ebe
1128 changed files with 63172 additions and 45370 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,16 @@
## 0.12.6
### New Features
* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.
## 0.12.5
### New Features
* Added the `PreprocBlock.qll` library to this repository. This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.
## 0.12.4
### Minor Analysis Improvements

4
cpp/ql/lib/change-notes/2024-01-30-throwing-model.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.

4
cpp/ql/lib/change-notes/2024-02-06-flow-out-barrier-function.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added an abstract class `FlowOutBarrierFunction` that can be used to block flow out of a function.

8
cpp/ql/lib/change-notes/2024-01-30-preproc-block.md → cpp/ql/lib/change-notes/released/0.12.5.md
View File

@@ -1,4 +1,6 @@
---
category: feature
---
## 0.12.5
### New Features
* Added the `PreprocBlock.qll` library to this repository. This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.

5
cpp/ql/lib/change-notes/released/0.12.6.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.12.6
### New Features
* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.12.4
lastReleaseVersion: 0.12.6

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.12.5-dev
version: 0.12.7-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

12
cpp/ql/lib/semmle/code/cpp/PrintAST.qll
View File

@@ -735,7 +735,9 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
or
s.(ForStmt).getStmt() = e and pred = "getStmt()"
or
s.(RangeBasedForStmt).getChild(0) = e and pred = "getChild(0)"
s.(RangeBasedForStmt).getInitialization() = e and pred = "getInitialization()"
or
s.(RangeBasedForStmt).getChild(1) = e and pred = "getChild(1)"
or
s.(RangeBasedForStmt).getBeginEndDeclaration() = e and pred = "getBeginEndDeclaration()"
or
@@ -743,7 +745,7 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
or
s.(RangeBasedForStmt).getUpdate() = e and pred = "getUpdate()"
or
s.(RangeBasedForStmt).getChild(4) = e and pred = "getChild(4)"
s.(RangeBasedForStmt).getChild(5) = e and pred = "getChild(5)"
or
s.(RangeBasedForStmt).getStmt() = e and pred = "getStmt()"
or
@@ -835,7 +837,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
or
expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
or
expr.(OverloadedPointerDereferenceExpr).getExpr() = ele and pred = "getExpr()"
// OverloadedPointerDereferenceExpr::getExpr/0 also considers qualifiers, which are already handled above for all Call classes.
not expr.(OverloadedPointerDereferenceExpr).getQualifier() =
expr.(OverloadedPointerDereferenceExpr).getExpr() and
expr.(OverloadedPointerDereferenceExpr).getExpr() = ele and
pred = "getExpr()"
or
expr.(CommaExpr).getLeftOperand() = ele and pred = "getLeftOperand()"
or

11
cpp/ql/lib/semmle/code/cpp/Variable.qll
View File

@@ -234,7 +234,16 @@ class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
* int f(int y) { return y; }
* ```
*/
override string getName() { var_decls(underlyingElement(this), _, _, result, _) and result != "" }
override string getName() {
exists(string name |
var_decls(underlyingElement(this), _, _, name, _) and
(
name != "" and result = name
or
name = "" and result = this.getVariable().(LocalVariable).getName()
)
)
}
/**
* Gets the type of the variable which is being declared or defined.

50
cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
View File

@@ -203,30 +203,42 @@ private class GuardConditionFromIR extends GuardCondition {
* `&&` and `||`. See the detailed explanation on predicate `controls`.
*/
private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
exists(IRBlock irb, Instruction instr |
exists(IRBlock irb |
ir.controls(irb, testIsTrue) and
instr = irb.getAnInstruction() and
instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
not isUnreachedBlock(irb) and
not this.excludeAsControlledInstruction(instr)
nonExcludedIRAndBasicBlock(irb, controlled) and
not isUnreachedBlock(irb)
)
}
}
private predicate excludeAsControlledInstruction(Instruction instr) {
// Exclude the temporaries generated by a ternary expression.
exists(TranslatedConditionalExpr tce |
instr = tce.getInstruction(ConditionValueFalseStoreTag())
or
instr = tce.getInstruction(ConditionValueTrueStoreTag())
or
instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
or
instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
)
private predicate excludeAsControlledInstruction(Instruction instr) {
// Exclude the temporaries generated by a ternary expression.
exists(TranslatedConditionalExpr tce |
instr = tce.getInstruction(ConditionValueFalseStoreTag())
or
// Exclude unreached instructions, as their AST is the whole function and not a block.
instr instanceof UnreachedInstruction
}
instr = tce.getInstruction(ConditionValueTrueStoreTag())
or
instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
or
instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
)
or
// Exclude unreached instructions, as their AST is the whole function and not a block.
instr instanceof UnreachedInstruction
}
/**
* Holds if `irb` is the `IRBlock` corresponding to the AST basic block
* `controlled`, and `irb` does not contain any instruction(s) that should make
* the `irb` be ignored.
*/
pragma[nomagic]
private predicate nonExcludedIRAndBasicBlock(IRBlock irb, BasicBlock controlled) {
exists(Instruction instr |
instr = irb.getAnInstruction() and
instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
not excludeAsControlledInstruction(instr)
)
}
/**

18
cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll
View File

@@ -637,8 +637,10 @@ private predicate straightLineSparse(Node scope, int i, Node ni, Spec spec) {
any(RangeBasedForStmt for |
i = -1 and ni = for and spec.isAt()
or
i = 0 and ni = for.getInitialization() and spec.isAround()
or
exists(DeclStmt s | s.getADeclaration() = for.getRangeVariable() |
i = 0 and ni = s and spec.isAround()
i = 1 and ni = s and spec.isAround()
)
or
exists(DeclStmt s |
@@ -649,22 +651,22 @@ private predicate straightLineSparse(Node scope, int i, Node ni, Spec spec) {
// DeclStmt in that case.
exists(s.getADeclaration())
|
i = 1 and ni = s and spec.isAround()
i = 2 and ni = s and spec.isAround()
)
or
i = 2 and ni = for.getCondition() and spec.isBefore()
i = 3 and ni = for.getCondition() and spec.isBefore()
or
i = 3 and /* BARRIER */ ni = for and spec.isBarrier()
i = 4 and /* BARRIER */ ni = for and spec.isBarrier()
or
exists(DeclStmt declStmt | declStmt.getADeclaration() = for.getVariable() |
i = 4 and ni = declStmt and spec.isAfter()
i = 5 and ni = declStmt and spec.isAfter()
)
or
i = 5 and ni = for.getStmt() and spec.isAround()
i = 6 and ni = for.getStmt() and spec.isAround()
or
i = 6 and ni = for.getUpdate() and spec.isAround()
i = 7 and ni = for.getUpdate() and spec.isAround()
or
i = 7 and ni = for.getCondition() and spec.isBefore()
i = 8 and ni = for.getCondition() and spec.isBefore()
)
or
scope =

27
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -709,7 +709,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
override DataFlowType getType() {
exists(int indirectionIndex |
indirectionIndex = globalUse.getIndirectionIndex() and
result = getTypeImpl(globalUse.getUnspecifiedType(), indirectionIndex - 1)
result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex - 1)
)
}
@@ -740,7 +740,7 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
override DataFlowType getType() {
exists(DataFlowType type |
type = globalDef.getUnspecifiedType() and
type = globalDef.getUnderlyingType() and
if this.isGLValue()
then result = type
else result = getTypeImpl(type, globalDef.getIndirectionIndex() - 1)
@@ -943,10 +943,13 @@ private Type getTypeImpl0(Type t, int indirectionIndex) {
indirectionIndex > 0 and
exists(Type stripped |
stripped = stripPointer(t.stripTopLevelSpecifiers()) and
// We need to avoid the case where `stripPointer(t) = t` (which can happen on
// iterators that specify a `value_type` that is the iterator itself). Such a type
// would create an infinite loop otherwise. For these cases we simply don't produce
// a result for `getTypeImpl`.
// We need to avoid the case where `stripPointer(t) = t` (which can happen
// on iterators that specify a `value_type` that is the iterator itself).
// Such a type would create an infinite loop otherwise. For these cases we
// simply don't produce a result for `getTypeImpl`.
// To be on the safe side, we check whether the _unspecified_ type has
// changed since this also prevents an infinite loop when `stripped` and
// `t` only differ by const'ness or volatile'ness.
stripped.getUnspecifiedType() != t.getUnspecifiedType() and
result = getTypeImpl0(stripped, indirectionIndex - 1)
)
@@ -996,12 +999,14 @@ private module RawIndirectNodes {
override Declaration getEnclosingCallable() { result = this.getFunction() }
override predicate isGLValue() { this.getOperand().isGLValue() }
override DataFlowType getType() {
exists(int sub, DataFlowType type, boolean isGLValue |
type = getOperandType(this.getOperand(), isGLValue) and
if isGLValue = true then sub = 1 else sub = 0
|
result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
result = getTypeImpl(type.getUnderlyingType(), indirectionIndex - sub)
)
}
@@ -1038,12 +1043,14 @@ private module RawIndirectNodes {
override Declaration getEnclosingCallable() { result = this.getFunction() }
override predicate isGLValue() { this.getInstruction().isGLValue() }
override DataFlowType getType() {
exists(int sub, DataFlowType type, boolean isGLValue |
type = getInstructionType(this.getInstruction(), isGLValue) and
if isGLValue = true then sub = 1 else sub = 0
|
result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
result = getTypeImpl(type.getUnderlyingType(), indirectionIndex - sub)
)
}
@@ -1136,7 +1143,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
override Declaration getEnclosingCallable() { result = this.getFunction() }
override DataFlowType getType() { result = getTypeImpl(p.getUnspecifiedType(), indirectionIndex) }
override DataFlowType getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
final override Location getLocationImpl() {
// Parameters can have multiple locations. When there's a unique location we use
@@ -1789,7 +1796,7 @@ class VariableNode extends Node, TVariableNode {
}
override DataFlowType getType() {
result = getTypeImpl(v.getUnspecifiedType(), indirectionIndex - 1)
result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1)
}
final override Location getLocationImpl() {

16
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
View File

@@ -507,13 +507,13 @@ module ProductFlow {
private predicate pathSuccPlus(TNodePair n1, TNodePair n2) = fastTC(pathSucc/2)(n1, n2)
private predicate localPathStep1(Flow1::PathNode pred, Flow1::PathNode succ) {
Flow1::PathGraph::edges(pred, succ) and
Flow1::PathGraph::edges(pred, succ, _, _) and
pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
pragma[only_bind_out](succ.getNode().getEnclosingCallable())
}
private predicate localPathStep2(Flow2::PathNode pred, Flow2::PathNode succ) {
Flow2::PathGraph::edges(pred, succ) and
Flow2::PathGraph::edges(pred, succ, _, _) and
pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
pragma[only_bind_out](succ.getNode().getEnclosingCallable())
}
@@ -530,7 +530,7 @@ module ProductFlow {
TJump()
private predicate intoImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
Flow1::PathGraph::edges(pred1, succ1) and
Flow1::PathGraph::edges(pred1, succ1, _, _) and
pred1.getNode().(ArgumentNode).getCall() = call and
succ1.getNode() instanceof ParameterNode
}
@@ -543,7 +543,7 @@ module ProductFlow {
}
private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
Flow1::PathGraph::edges(pred1, succ1) and
Flow1::PathGraph::edges(pred1, succ1, _, _) and
exists(ReturnKindExt returnKind |
succ1.getNode() = returnKind.getAnOutNode(call) and
pred1.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -558,7 +558,7 @@ module ProductFlow {
}
private predicate intoImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
Flow2::PathGraph::edges(pred2, succ2) and
Flow2::PathGraph::edges(pred2, succ2, _, _) and
pred2.getNode().(ArgumentNode).getCall() = call and
succ2.getNode() instanceof ParameterNode
}
@@ -571,7 +571,7 @@ module ProductFlow {
}
private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
Flow2::PathGraph::edges(pred2, succ2) and
Flow2::PathGraph::edges(pred2, succ2, _, _) and
exists(ReturnKindExt returnKind |
succ2.getNode() = returnKind.getAnOutNode(call) and
pred2.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -590,7 +590,7 @@ module ProductFlow {
Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1,
TKind kind
) {
Flow1::PathGraph::edges(pred1, succ1) and
Flow1::PathGraph::edges(pred1, succ1, _, _) and
predDecl != succDecl and
pred1.getNode().getEnclosingCallable() = predDecl and
succ1.getNode().getEnclosingCallable() = succDecl and
@@ -610,7 +610,7 @@ module ProductFlow {
Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2,
TKind kind
) {
Flow2::PathGraph::edges(pred2, succ2) and
Flow2::PathGraph::edges(pred2, succ2, _, _) and
predDecl != succDecl and
pred2.getNode().getEnclosingCallable() = predDecl and
succ2.getNode().getEnclosingCallable() = succDecl and

56
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
View File

@@ -2,11 +2,8 @@ private import codeql.ssa.Ssa as SsaImplCommon
private import semmle.code.cpp.ir.IR
private import DataFlowUtil
private import DataFlowImplCommon as DataFlowImplCommon
private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
private import semmle.code.cpp.models.interfaces.Allocation as Alloc
private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
private import semmle.code.cpp.models.interfaces.FlowOutBarrier as FOB
private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as FIO
private import semmle.code.cpp.ir.internal.IRCppLanguage
private import DataFlowPrivate
private import ssa0.SsaInternals as SsaInternals0
@@ -145,7 +142,7 @@ private newtype TDefOrUseImpl =
exists(SsaInternals0::Def def |
def.getSourceVariable().getBaseVariable().(BaseIRVariable).getIRVariable().getAst() = p and
not def.getValue().asInstruction() instanceof InitializeParameterInstruction and
unspecifiedTypeIsModifiableAt(p.getUnspecifiedType(), indirectionIndex)
underlyingTypeIsModifiableAt(p.getUnderlyingType(), indirectionIndex)
)
}
@@ -175,11 +172,13 @@ private predicate isGlobalDefImpl(
)
}
private predicate unspecifiedTypeIsModifiableAt(Type unspecified, int indirectionIndex) {
indirectionIndex = [1 .. getIndirectionForUnspecifiedType(unspecified).getNumberOfIndirections()] and
private predicate underlyingTypeIsModifiableAt(Type underlying, int indirectionIndex) {
indirectionIndex =
[1 .. getIndirectionForUnspecifiedType(underlying.getUnspecifiedType())
.getNumberOfIndirections()] and
exists(CppType cppType |
cppType.hasUnspecifiedType(unspecified, _) and
isModifiableAt(cppType, indirectionIndex + 1)
cppType.hasUnderlyingType(underlying, false) and
isModifiableAt(cppType, indirectionIndex)
)
}
@@ -548,6 +547,11 @@ class GlobalUse extends UseImpl, TGlobalUse {
*/
Type getUnspecifiedType() { result = global.getUnspecifiedType() }
/**
* Gets the type of this use, after typedefs have been resolved.
*/
Type getUnderlyingType() { result = global.getUnderlyingType() }
override predicate isCertain() { any() }
override BaseSourceVariableInstruction getBase() { none() }
@@ -591,11 +595,16 @@ class GlobalDefImpl extends DefOrUseImpl, TGlobalDefImpl {
int getIndirection() { result = indirectionIndex }
/**
* Gets the type of this use after specifiers have been deeply stripped
* and typedefs have been resolved.
* Gets the type of this definition after specifiers have been deeply
* stripped and typedefs have been resolved.
*/
Type getUnspecifiedType() { result = global.getUnspecifiedType() }
/**
* Gets the type of this definition, after typedefs have been resolved.
*/
Type getUnderlyingType() { result = global.getUnderlyingType() }
override string toString() { result = "Def of " + this.getSourceVariable() }
override Location getLocation() { result = f.getLocation() }
@@ -787,30 +796,10 @@ private Node getAPriorDefinition(SsaDefOrUse defOrUse) {
)
}
/**
* Holds if there should not be use-use flow out of `n` (or a conversion that
* flows to `n`).
*/
private predicate modeledFlowBarrier(Node n) {
exists(FIO::FunctionInput input, CallInstruction call |
call.getStaticCallTarget().(FOB::FlowOutBarrierFunction).isFlowOutBarrier(input) and
n = callInput(call, input)
)
or
exists(Operand operand, Instruction instr, Node n0, int indirectionIndex |
modeledFlowBarrier(n0) and
nodeHasInstruction(n0, instr, indirectionIndex) and
conversionFlow(operand, instr, false, _) and
nodeHasOperand(n, operand, indirectionIndex)
)
}
/** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
predicate ssaFlow(Node nodeFrom, Node nodeTo) {
exists(Node nFrom, boolean uncertain, SsaDefOrUse defOrUse |
ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and
not modeledFlowBarrier(nFrom) and
nodeFrom != nodeTo
ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and nodeFrom != nodeTo
|
if uncertain = true then nodeFrom = [nFrom, getAPriorDefinition(defOrUse)] else nodeFrom = nFrom
)
@@ -1115,6 +1104,11 @@ class GlobalDef extends TGlobalDef, SsaDefOrUse {
*/
DataFlowType getUnspecifiedType() { result = global.getUnspecifiedType() }
/**
* Gets the type of this definition, after typedefs have been resolved.
*/
DataFlowType getUnderlyingType() { result = global.getUnderlyingType() }
/** Gets the `IRFunction` whose body is evaluated after this definition. */
IRFunction getIRFunction() { result = global.getIRFunction() }

2
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll
View File

@@ -452,7 +452,7 @@ private module IsModifiableAtImpl {
private predicate impl(CppType cppType, int indirectionIndex) {
exists(Type pointerType, Type base |
isUnderlyingIndirectionType(pointerType) and
cppType.hasUnderlyingType(pointerType, _) and
cppType.hasUnderlyingType(pointerType, false) and
base = getTypeImpl(pointerType, indirectionIndex)
|
// The value cannot be modified if it has a const specifier,

3
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
View File

@@ -209,6 +209,8 @@ private predicate usedAsCondition(Expr expr) {
or
exists(IfStmt ifStmt | ifStmt.getCondition().getFullyConverted() = expr)
or
exists(ConstexprIfStmt ifStmt | ifStmt.getCondition().getFullyConverted() = expr)
or
exists(ConditionalExpr condExpr |
// The two-operand form of `ConditionalExpr` treats its condition as a value, since it needs to
// be reused as a value if the condition is true.
@@ -474,7 +476,6 @@ private module IRDeclarationEntries {
* This class exists to work around the fact that `DeclStmt`s in some cases
* do not have `DeclarationEntry`s. Currently, this is the case for:
* - `DeclStmt`s in template instantiations.
* - `DeclStmt`s that are generated by the desugaring of range-based for-loops.
*
* So instead, the IR works with `IRDeclarationEntry`s that synthesize missing
* `DeclarationEntry`s when there is no result for `DeclStmt::getDeclarationEntry`.

97
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll
View File

@@ -774,6 +774,72 @@ class TranslatedIfStmt extends TranslatedStmt, ConditionContext {
}
}
class TranslatedConstExprIfStmt extends TranslatedStmt, ConditionContext {
override ConstexprIfStmt stmt;
override Instruction getFirstInstruction(EdgeKind kind) {
if this.hasInitialization()
then result = this.getInitialization().getFirstInstruction(kind)
else result = this.getFirstConditionInstruction(kind)
}
override TranslatedElement getChild(int id) {
id = 0 and result = this.getInitialization()
or
id = 1 and result = this.getCondition()
or
id = 2 and result = this.getThen()
or
id = 3 and result = this.getElse()
}
private predicate hasInitialization() { exists(stmt.getInitialization()) }
private TranslatedStmt getInitialization() {
result = getTranslatedStmt(stmt.getInitialization())
}
private TranslatedCondition getCondition() {
result = getTranslatedCondition(stmt.getCondition().getFullyConverted())
}
private Instruction getFirstConditionInstruction(EdgeKind kind) {
result = this.getCondition().getFirstInstruction(kind)
}
private TranslatedStmt getThen() { result = getTranslatedStmt(stmt.getThen()) }
private TranslatedStmt getElse() { result = getTranslatedStmt(stmt.getElse()) }
private predicate hasElse() { exists(stmt.getElse()) }
override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { none() }
override Instruction getChildTrueSuccessor(TranslatedCondition child, EdgeKind kind) {
child = this.getCondition() and
result = this.getThen().getFirstInstruction(kind)
}
override Instruction getChildFalseSuccessor(TranslatedCondition child, EdgeKind kind) {
child = this.getCondition() and
if this.hasElse()
then result = this.getElse().getFirstInstruction(kind)
else result = this.getParent().getChildSuccessor(this, kind)
}
override Instruction getChildSuccessor(TranslatedElement child, EdgeKind kind) {
child = this.getInitialization() and
result = this.getFirstConditionInstruction(kind)
or
(child = this.getThen() or child = this.getElse()) and
result = this.getParent().getChildSuccessor(this, kind)
}
override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) {
none()
}
}
abstract class TranslatedLoop extends TranslatedStmt, ConditionContext {
override Loop stmt;
@@ -894,25 +960,38 @@ class TranslatedRangeBasedForStmt extends TranslatedStmt, ConditionContext {
override RangeBasedForStmt stmt;
override TranslatedElement getChild(int id) {
id = 0 and result = this.getRangeVariableDeclStmt()
id = 0 and result = this.getInitialization()
or
id = 1 and result = this.getRangeVariableDeclStmt()
or
// Note: `__begin` and `__end` are declared by the same `DeclStmt`
id = 1 and result = this.getBeginEndVariableDeclStmt()
id = 2 and result = this.getBeginEndVariableDeclStmt()
or
id = 2 and result = this.getCondition()
id = 3 and result = this.getCondition()
or
id = 3 and result = this.getUpdate()
id = 4 and result = this.getUpdate()
or
id = 4 and result = this.getVariableDeclStmt()
id = 5 and result = this.getVariableDeclStmt()
or
id = 5 and result = this.getBody()
id = 6 and result = this.getBody()
}
private predicate hasInitialization() { exists(stmt.getInitialization()) }
private TranslatedStmt getInitialization() {
result = getTranslatedStmt(stmt.getInitialization())
}
override Instruction getFirstInstruction(EdgeKind kind) {
result = this.getRangeVariableDeclStmt().getFirstInstruction(kind)
if this.hasInitialization()
then result = this.getInitialization().getFirstInstruction(kind)
else result = this.getFirstRangeVariableDeclStmtInstruction(kind)
}
override Instruction getChildSuccessor(TranslatedElement child, EdgeKind kind) {
child = this.getInitialization() and
result = this.getFirstRangeVariableDeclStmtInstruction(kind)
or
child = this.getRangeVariableDeclStmt() and
result = this.getBeginEndVariableDeclStmt().getFirstInstruction(kind)
or
@@ -952,6 +1031,10 @@ class TranslatedRangeBasedForStmt extends TranslatedStmt, ConditionContext {
)
}
private Instruction getFirstRangeVariableDeclStmtInstruction(EdgeKind kind) {
result = this.getRangeVariableDeclStmt().getFirstInstruction(kind)
}
private TranslatedDeclStmt getBeginEndVariableDeclStmt() {
exists(IRVariableDeclarationEntry entry |
entry.getStmt() = stmt.getBeginEndDeclaration() and

17
cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
View File

@@ -22,11 +22,28 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
])
}
/**
* Gets the index of the parameter that specifies the fill character to insert, if any.
*/
private int getFillCharParameterIndex() {
(
this.hasGlobalOrStdOrBslName("memset")
or
this.hasGlobalOrStdName("wmemset")
or
this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk"])
) and
result = 1
}
override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
input.isParameter(0) and
output.isReturnValue()
or
input.isParameter(this.getFillCharParameterIndex()) and
(output.isParameterDeref(0) or output.isReturnValueDeref())
}
override predicate hasArrayWithVariableSize(int bufParam, int countParam) {

13
cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll
View File

@@ -1,7 +1,6 @@
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.FlowOutBarrier
/**
* The standard function `swap`. A use of `swap` looks like this:
@@ -9,7 +8,7 @@ import semmle.code.cpp.models.interfaces.FlowOutBarrier
* std::swap(obj1, obj2)
* ```
*/
private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
private class Swap extends DataFlowFunction {
Swap() { this.hasQualifiedName(["std", "bsl"], "swap") }
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -19,8 +18,6 @@ private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
input.isParameterDeref(1) and
output.isParameterDeref(0)
}
override predicate isFlowOutBarrier(FunctionInput input) { input.isParameterDeref([0, 1]) }
}
/**
@@ -29,9 +26,7 @@ private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
* obj1.swap(obj2)
* ```
*/
private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction,
FlowOutBarrierFunction
{
private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
MemberSwap() {
this.hasName("swap") and
this.getNumberOfParameters() = 1 and
@@ -52,8 +47,4 @@ private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction,
override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
override predicate parameterIsAlwaysReturned(int index) { index = 0 }
override predicate isFlowOutBarrier(FunctionInput input) {
input.isQualifierObject() or input.isParameterDeref(0)
}
}

26
cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowOutBarrier.qll
View File

@@ -1,26 +0,0 @@
/**
* Provides an abstract class for blocking flow out of functions. To use this
* QL library, create a QL class extending `FlowOutBarrierFunction` with a
* characteristic predicate that selects the function or set of functions you
* are modeling. Within that class, override the predicates provided by
* `FlowOutBarrierFunction` to match the flow within that function.
*/
import semmle.code.cpp.Function
import FunctionInputsAndOutputs
/**
* A library function for which flow should not continue after reaching one
* of its inputs.
*
* For example, since `std::swap(a, b)` swaps the values pointed to by `a`
* and `b` there should not be use-use flow out of `a` or `b`.
*/
abstract class FlowOutBarrierFunction extends Function {
/**
* Holds if use-use flow should not continue onwards after reaching
* the argument, qualifier, or buffer represented by `input`.
*/
pragma[nomagic]
abstract predicate isFlowOutBarrier(FunctionInput input);
}

32
cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll
View File

@@ -892,6 +892,26 @@ class DoStmt extends Loop, @stmt_end_test_while {
class RangeBasedForStmt extends Loop, @stmt_range_based_for {
override string getAPrimaryQlClass() { result = "RangeBasedForStmt" }
/**
* Gets the initialization statement of this 'for' statement, if any.
*
* For example, for
* ```
* for (int x = y; auto z : ... ) { }
* ```
* the result is `int x = y;`.
*
* Does not hold if the initialization statement is missing or an empty statement, as in
* ```
* for (auto z : ...) { }
* ```
* or
* ```
* for (; auto z : ) { }
* ```
*/
Stmt getInitialization() { for_initialization(underlyingElement(this), unresolveElement(result)) }
/**
* Gets the 'body' statement of this range-based 'for' statement.
*
@@ -901,7 +921,7 @@ class RangeBasedForStmt extends Loop, @stmt_range_based_for {
* ```
* the result is the `BlockStmt` `{ y += x; }`.
*/
override Stmt getStmt() { result = this.getChild(5) }
override Stmt getStmt() { result = this.getChild(6) }
override string toString() { result = "for(...:...) ..." }
@@ -914,7 +934,7 @@ class RangeBasedForStmt extends Loop, @stmt_range_based_for {
* ```
* the result is `int x`.
*/
LocalVariable getVariable() { result = this.getChild(4).(DeclStmt).getADeclaration() }
LocalVariable getVariable() { result = this.getChild(5).(DeclStmt).getADeclaration() }
/**
* Gets the expression giving the range to iterate over.
@@ -928,7 +948,7 @@ class RangeBasedForStmt extends Loop, @stmt_range_based_for {
Expr getRange() { result = this.getRangeVariable().getInitializer().getExpr() }
/** Gets the compiler-generated `__range` variable after desugaring. */
LocalVariable getRangeVariable() { result = this.getChild(0).(DeclStmt).getADeclaration() }
LocalVariable getRangeVariable() { result = this.getChild(1).(DeclStmt).getADeclaration() }
/**
* Gets the compiler-generated `__begin != __end` which is the
@@ -936,7 +956,7 @@ class RangeBasedForStmt extends Loop, @stmt_range_based_for {
* It will be either an `NEExpr` or a call to a user-defined
* `operator!=`.
*/
override Expr getCondition() { result = this.getChild(2) }
override Expr getCondition() { result = this.getChild(3) }
override Expr getControllingExpr() { result = this.getCondition() }
@@ -945,7 +965,7 @@ class RangeBasedForStmt extends Loop, @stmt_range_based_for {
* `__end`, initializing them to the values they have before entering the
* desugared loop.
*/
DeclStmt getBeginEndDeclaration() { result = this.getChild(1) }
DeclStmt getBeginEndDeclaration() { result = this.getChild(2) }
/** Gets the compiler-generated `__begin` variable after desugaring. */
LocalVariable getBeginVariable() { result = this.getBeginEndDeclaration().getDeclaration(0) }
@@ -959,7 +979,7 @@ class RangeBasedForStmt extends Loop, @stmt_range_based_for {
* be either a `PrefixIncrExpr` or a call to a user-defined
* `operator++`.
*/
Expr getUpdate() { result = this.getChild(3) }
Expr getUpdate() { result = this.getChild(4) }
/** Gets the compiler-generated `__begin` variable after desugaring. */
LocalVariable getAnIterationVariable() { result = this.getBeginVariable() }

5
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -2050,8 +2050,11 @@ switch_body(
int body_id: @stmt ref
);
@stmt_for_or_range_based_for = @stmt_for
| @stmt_range_based_for;
for_initialization(
unique int for_stmt: @stmt_for ref,
unique int for_stmt: @stmt_for_or_range_based_for ref,
int init_id: @stmt ref
);

19
cpp/ql/lib/upgrades/4f9fabab5124d49108782c081579f45a70571d74/exprparents.ql Normal file
View File

@@ -0,0 +1,19 @@
class Element extends @element {
string toString() { none() }
}
class Expr extends @expr {
string toString() { none() }
}
class Stmt extends @stmt {
string toString() { none() }
}
predicate isStmtWithInitializer(Stmt stmt) { exists(int kind | stmts(stmt, kind, _) | kind = 29) }
from Expr child, int index, int index_new, Element parent
where
exprparents(child, index, parent) and
if isStmtWithInitializer(parent) then index_new = index + 1 else index_new = index
select child, index_new, parent

2241
cpp/ql/lib/upgrades/4f9fabab5124d49108782c081579f45a70571d74/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2244
cpp/ql/lib/upgrades/4f9fabab5124d49108782c081579f45a70571d74/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

15
cpp/ql/lib/upgrades/4f9fabab5124d49108782c081579f45a70571d74/stmtparents.ql Normal file
View File

@@ -0,0 +1,15 @@
class Element extends @element {
string toString() { none() }
}
class Stmt extends @stmt {
string toString() { none() }
}
predicate isStmtWithInitializer(Stmt stmt) { exists(int kind | stmts(stmt, kind, _) | kind = 29) }
from Stmt child, int index, int index_new, Element parent
where
stmtparents(child, index, parent) and
if isStmtWithInitializer(parent) then index_new = index + 1 else index_new = index
select child, index_new, parent

4
cpp/ql/lib/upgrades/4f9fabab5124d49108782c081579f45a70571d74/upgrade.properties Normal file
View File

@@ -0,0 +1,4 @@
description: Support C++20 range-based for initializers
compatibility: partial
exprparents.rel: run exprparents.qlo
stmtparents.rel: run stmtparents.qlo

17
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,20 @@
## 0.9.5
### Minor Analysis Improvements
* The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
* Added dataflow models for the `gettext` function variants.
## 0.9.4
### Minor Analysis Improvements
* Corrected 2 false positive with `cpp/incorrect-string-type-conversion`: conversion of byte arrays to wchar and new array allocations converted to wchar.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) no longer reports an alert when an explicit check for EOF is added.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) now recognizes more EOF checks.
* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) no longer reports an alert when the local variable is used as a qualifier to a static member function call.
* The diagnostic query `cpp/diagnostics/successfully-extracted-files` now considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.
## 0.9.3
### Minor Analysis Improvements

4
cpp/ql/src/change-notes/2024-01-19-extracted-files.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The diagnostic query `cpp/diagnostics/successfully-extracted-files` now considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.

4
cpp/ql/src/change-notes/2024-01-29-false_positive_incorrect_string_type_conversion.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Corrected 2 false positive with `cpp/incorrect-string-type-conversion`: conversion of byte arrays to wchar and new array allocations converted to wchar.

4
cpp/ql/src/change-notes/2024-01-29-incorrectly-checked-scanf-2.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) now recognizes more EOF checks.

4
cpp/ql/src/change-notes/2024-01-29-incorrectly-checked-scanf.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) no longer reports an alert when an explicit check for EOF is added.

5
cpp/ql/src/change-notes/2024-01-29-uninitialized-local-false-positive.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) no longer reports an alert when the local variable is used as a qualifier to a static member function call.
* ```

4
cpp/ql/src/change-notes/2024-02-05-gettext-dataflows.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added dataflow models for the `gettext` function variants.

9
cpp/ql/src/change-notes/released/0.9.4.md Normal file
View File

@@ -0,0 +1,9 @@
## 0.9.4
### Minor Analysis Improvements
* Corrected 2 false positive with `cpp/incorrect-string-type-conversion`: conversion of byte arrays to wchar and new array allocations converted to wchar.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) no longer reports an alert when an explicit check for EOF is added.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) now recognizes more EOF checks.
* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) no longer reports an alert when the local variable is used as a qualifier to a static member function call.
* The diagnostic query `cpp/diagnostics/successfully-extracted-files` now considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.

8
cpp/ql/src/change-notes/2024-02-16-non-constant-format.md → cpp/ql/src/change-notes/released/0.9.5.md
View File

@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
## 0.9.5
### Minor Analysis Improvements
* The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
* Added dataflow models for the `gettext` function variants.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.3
lastReleaseVersion: 0.9.5

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.9.4-dev
version: 0.9.6-dev
groups:
- cpp
- queries

2
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected
View File

@@ -1,5 +1,5 @@
edges
| test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath |
| test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | provenance | |
nodes
| test.cpp:22:27:22:30 | **argv | semmle.label | **argv |
| test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath |

6
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
View File

@@ -1,7 +1,7 @@
edges
| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
| test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size |
| test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size |
| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance | |
| test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size | provenance | |
| test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size | provenance | |
nodes
| test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
| test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |

78
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
View File

@@ -1,43 +1,43 @@
edges
| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:28:19:28:26 | call to mk_array [p] |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
| test.cpp:21:5:21:7 | *arr [post update] [p] | test.cpp:22:5:22:7 | *arr [p] |
| test.cpp:21:5:21:24 | ... = ... | test.cpp:21:5:21:7 | *arr [post update] [p] |
| test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | ... = ... |
| test.cpp:22:5:22:7 | *arr [p] | test.cpp:19:9:19:16 | *mk_array [p] |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | *arr [p] |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | *arr [p] |
| test.cpp:31:9:31:11 | *arr [p] | test.cpp:31:13:31:13 | p |
| test.cpp:35:9:35:11 | *arr [p] | test.cpp:35:13:35:13 | p |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | *arr [p] |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | *arr [p] |
| test.cpp:41:9:41:11 | *arr [p] | test.cpp:41:13:41:13 | p |
| test.cpp:45:9:45:11 | *arr [p] | test.cpp:45:13:45:13 | p |
| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
| test.cpp:55:5:55:7 | *arr [post update] [p] | test.cpp:56:5:56:7 | *arr [p] |
| test.cpp:55:5:55:24 | ... = ... | test.cpp:55:5:55:7 | *arr [post update] [p] |
| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:59:9:59:11 | *arr [p] |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:63:9:63:11 | *arr [p] |
| test.cpp:59:9:59:11 | *arr [p] | test.cpp:59:13:59:13 | p |
| test.cpp:63:9:63:11 | *arr [p] | test.cpp:63:13:63:13 | p |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:76:20:76:29 | *call to mk_array_p [p] |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:98:18:98:27 | *call to mk_array_p [p] |
| test.cpp:69:5:69:7 | *arr [post update] [p] | test.cpp:70:5:70:7 | *arr [p] |
| test.cpp:69:5:69:25 | ... = ... | test.cpp:69:5:69:7 | *arr [post update] [p] |
| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... |
| test.cpp:70:5:70:7 | *arr [p] | test.cpp:67:10:67:19 | **mk_array_p [p] |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:79:9:79:11 | *arr [p] |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:83:9:83:11 | *arr [p] |
| test.cpp:79:9:79:11 | *arr [p] | test.cpp:79:14:79:14 | p |
| test.cpp:83:9:83:11 | *arr [p] | test.cpp:83:14:83:14 | p |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:89:9:89:11 | *arr [p] |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:93:9:93:11 | *arr [p] |
| test.cpp:89:9:89:11 | *arr [p] | test.cpp:89:14:89:14 | p |
| test.cpp:93:9:93:11 | *arr [p] | test.cpp:93:14:93:14 | p |
| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr | provenance | |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | provenance | |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:28:19:28:26 | call to mk_array [p] | provenance | |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:50:18:50:25 | call to mk_array [p] | provenance | |
| test.cpp:21:5:21:7 | *arr [post update] [p] | test.cpp:22:5:22:7 | *arr [p] | provenance | |
| test.cpp:21:5:21:24 | ... = ... | test.cpp:21:5:21:7 | *arr [post update] [p] | provenance | |
| test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | ... = ... | provenance | |
| test.cpp:22:5:22:7 | *arr [p] | test.cpp:19:9:19:16 | *mk_array [p] | provenance | |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | *arr [p] | provenance | |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | *arr [p] | provenance | |
| test.cpp:31:9:31:11 | *arr [p] | test.cpp:31:13:31:13 | p | provenance | |
| test.cpp:35:9:35:11 | *arr [p] | test.cpp:35:13:35:13 | p | provenance | |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | *arr [p] | provenance | |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | *arr [p] | provenance | |
| test.cpp:41:9:41:11 | *arr [p] | test.cpp:41:13:41:13 | p | provenance | |
| test.cpp:45:9:45:11 | *arr [p] | test.cpp:45:13:45:13 | p | provenance | |
| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] | provenance | |
| test.cpp:55:5:55:7 | *arr [post update] [p] | test.cpp:56:5:56:7 | *arr [p] | provenance | |
| test.cpp:55:5:55:24 | ... = ... | test.cpp:55:5:55:7 | *arr [post update] [p] | provenance | |
| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... | provenance | |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:59:9:59:11 | *arr [p] | provenance | |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:63:9:63:11 | *arr [p] | provenance | |
| test.cpp:59:9:59:11 | *arr [p] | test.cpp:59:13:59:13 | p | provenance | |
| test.cpp:63:9:63:11 | *arr [p] | test.cpp:63:13:63:13 | p | provenance | |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:76:20:76:29 | *call to mk_array_p [p] | provenance | |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:98:18:98:27 | *call to mk_array_p [p] | provenance | |
| test.cpp:69:5:69:7 | *arr [post update] [p] | test.cpp:70:5:70:7 | *arr [p] | provenance | |
| test.cpp:69:5:69:25 | ... = ... | test.cpp:69:5:69:7 | *arr [post update] [p] | provenance | |
| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... | provenance | |
| test.cpp:70:5:70:7 | *arr [p] | test.cpp:67:10:67:19 | **mk_array_p [p] | provenance | |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:79:9:79:11 | *arr [p] | provenance | |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:83:9:83:11 | *arr [p] | provenance | |
| test.cpp:79:9:79:11 | *arr [p] | test.cpp:79:14:79:14 | p | provenance | |
| test.cpp:83:9:83:11 | *arr [p] | test.cpp:83:14:83:14 | p | provenance | |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:89:9:89:11 | *arr [p] | provenance | |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:93:9:93:11 | *arr [p] | provenance | |
| test.cpp:89:9:89:11 | *arr [p] | test.cpp:89:14:89:14 | p | provenance | |
| test.cpp:93:9:93:11 | *arr [p] | test.cpp:93:14:93:14 | p | provenance | |
| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | provenance | |
nodes
| test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
| test.cpp:6:9:6:11 | arr | semmle.label | arr |

140
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
View File

@@ -1,74 +1,74 @@
edges
| test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array |
| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array |
| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array |
| test.cpp:39:14:39:16 | buf | test.cpp:39:9:39:19 | access to array |
| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array |
| test.cpp:48:10:48:12 | buf | test.cpp:48:5:48:24 | access to array |
| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array |
| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array |
| test.cpp:53:14:53:16 | buf | test.cpp:53:9:53:19 | access to array |
| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array |
| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array |
| test.cpp:70:33:70:33 | p | test.cpp:71:5:71:17 | access to array |
| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array |
| test.cpp:76:26:76:46 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:76:32:76:34 | buf | test.cpp:76:26:76:46 | & ... |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
| test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
| test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
| test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:31 | access to array |
| test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array |
| test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array |
| test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array |
| test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array |
| test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array |
| test.cpp:115:35:115:37 | arr | test.cpp:111:17:111:22 | access to array |
| test.cpp:115:35:115:37 | arr | test.cpp:115:35:115:40 | access to array |
| test.cpp:115:35:115:37 | arr | test.cpp:119:17:119:22 | access to array |
| test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array |
| test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array |
| test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array |
| test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array |
| test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... |
| test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
| test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
| test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
| test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... |
| test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... |
| test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p |
| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array |
| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array |
| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array |
| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 |
| test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p |
| test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array |
| test.cpp:306:20:306:23 | arr1 | test.cpp:292:25:292:27 | arr |
| test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 |
| test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr |
| test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 |
| test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... |
| test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... |
| test.cpp:319:19:319:27 | ... + ... | test.cpp:325:24:325:26 | end |
| test.cpp:322:19:322:22 | temp | test.cpp:322:19:322:27 | ... + ... |
| test.cpp:322:19:322:22 | temp | test.cpp:324:23:324:32 | ... + ... |
| test.cpp:322:19:322:27 | ... + ... | test.cpp:325:24:325:26 | end |
| test.cpp:324:23:324:26 | temp | test.cpp:324:23:324:32 | ... + ... |
| test.cpp:324:23:324:32 | ... + ... | test.cpp:325:15:325:19 | temp2 |
| test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array | provenance | |
| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | provenance | |
| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | provenance | |
| test.cpp:39:14:39:16 | buf | test.cpp:39:9:39:19 | access to array | provenance | |
| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | provenance | |
| test.cpp:48:10:48:12 | buf | test.cpp:48:5:48:24 | access to array | provenance | |
| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | provenance | |
| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | provenance | |
| test.cpp:53:14:53:16 | buf | test.cpp:53:9:53:19 | access to array | provenance | |
| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | provenance | |
| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | provenance | |
| test.cpp:70:33:70:33 | p | test.cpp:71:5:71:17 | access to array | provenance | |
| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array | provenance | |
| test.cpp:76:26:76:46 | & ... | test.cpp:66:32:66:32 | p | provenance | |
| test.cpp:76:32:76:34 | buf | test.cpp:76:26:76:46 | & ... | provenance | |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p | provenance | |
| test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... | provenance | |
| test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p | provenance | |
| test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf | provenance | |
| test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance | |
| test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance | |
| test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance | |
| test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | |
| test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | |
| test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | |
| test.cpp:115:35:115:37 | arr | test.cpp:111:17:111:22 | access to array | provenance | |
| test.cpp:115:35:115:37 | arr | test.cpp:115:35:115:40 | access to array | provenance | |
| test.cpp:115:35:115:37 | arr | test.cpp:119:17:119:22 | access to array | provenance | |
| test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | |
| test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | |
| test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | |
| test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | provenance | |
| test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... | provenance | |
| test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr | provenance | |
| test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr | provenance | |
| test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf | provenance | |
| test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... | provenance | |
| test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... | provenance | |
| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance | |
| test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p | provenance | |
| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance | |
| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance | |
| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance | |
| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance | |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance | |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance | |
| test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p | provenance | |
| test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p | provenance | |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p | provenance | |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance | |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p | provenance | |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance | |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p | provenance | |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance | |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array | provenance | |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array | provenance | |
| test.cpp:306:20:306:23 | arr1 | test.cpp:292:25:292:27 | arr | provenance | |
| test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 | provenance | |
| test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr | provenance | |
| test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 | provenance | |
| test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... | provenance | |
| test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | |
| test.cpp:319:19:319:27 | ... + ... | test.cpp:325:24:325:26 | end | provenance | |
| test.cpp:322:19:322:22 | temp | test.cpp:322:19:322:27 | ... + ... | provenance | |
| test.cpp:322:19:322:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | |
| test.cpp:322:19:322:27 | ... + ... | test.cpp:325:24:325:26 | end | provenance | |
| test.cpp:324:23:324:26 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | |
| test.cpp:324:23:324:32 | ... + ... | test.cpp:325:15:325:19 | temp2 | provenance | |
nodes
| test.cpp:34:5:34:24 | access to array | semmle.label | access to array |
| test.cpp:34:10:34:12 | buf | semmle.label | buf |

20
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected
View File

@@ -1,14 +1,14 @@
edges
| test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func |
| test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp |
| test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical |
| test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp |
| test.cpp:77:16:77:22 | medical | test.cpp:81:22:81:28 | medical |
| test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 |
| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer |
| test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func |
| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
| test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
| test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | provenance | |
| test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | provenance | |
| test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical | provenance | |
| test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | provenance | |
| test.cpp:77:16:77:22 | medical | test.cpp:81:22:81:28 | medical | provenance | |
| test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 | provenance | |
| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | provenance | |
| test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func | provenance | |
| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | provenance | |
| test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | provenance | |
nodes
| test.cpp:45:7:45:10 | *func | semmle.label | *func |
| test.cpp:45:18:45:23 | buffer | semmle.label | buffer |

1
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
View File

@@ -165,6 +165,7 @@ postWithInFlow
| test.cpp:931:5:931:18 | global_pointer [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:932:5:932:19 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:932:6:932:19 | global_pointer [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1045:9:1045:11 | ref arg buf | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition

1
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
View File

@@ -25,6 +25,7 @@ postWithInFlow
| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:1045:9:1045:11 | memset output argument | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition

1
cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
View File

@@ -309,6 +309,7 @@ irFlow
| test.cpp:994:18:994:32 | *call to indirect_source | test.cpp:1003:19:1003:28 | *translated |
| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1027:19:1027:28 | *translated |
| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1031:19:1031:28 | *translated |
| test.cpp:1045:14:1045:19 | call to source | test.cpp:1046:7:1046:10 | * ... |
| true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
| true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
| true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

7
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -1037,4 +1037,11 @@ namespace test_gettext {
sink(translated); // clean
indirect_sink(translated); // clean
}
}
void* memset(void*, int, size_t);
void memset_test(char* buf) { // $ ast-def=buf
memset(buf, source(), 10);
sink(*buf); // $ ir MISSING: ast
}

15
cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected
View File

@@ -1,3 +1,18 @@
astTypeBugs
irTypeBugs
incorrectBaseType
| clang.cpp:22:8:22:20 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| clang.cpp:23:17:23:29 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| flowOut.cpp:50:14:50:15 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| flowOut.cpp:84:9:84:10 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| flowOut.cpp:101:13:101:14 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| self_parameter_flow.cpp:8:8:8:9 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * |
| test.cpp:67:28:67:37 | (reference dereference) | Expected 'Node.getType()' to be const int, but it was int * |
| test.cpp:531:39:531:40 | *& ... | Expected 'Node.getType()' to be int, but it was const int * |
| test.cpp:615:13:615:21 | *& ... | Expected 'Node.getType()' to be int, but it was void |
| test.cpp:704:22:704:25 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| test.cpp:715:24:715:25 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * |
| test.cpp:848:23:848:25 | (reference dereference) | Expected 'Node.getType()' to be int, but it was int * |
| test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int |
| test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int |
failures

11
cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql
View File

@@ -25,6 +25,17 @@ module IrTest {
n != 1
)
}
query predicate incorrectBaseType(Node n, string msg) {
exists(PointerType pointerType, Type nodeType, Type baseType |
not n.isGLValue() and
pointerType = n.asIndirectExpr(1).getActualType() and
baseType = pointerType.getBaseType() and
nodeType = n.getType() and
nodeType != baseType and
msg = "Expected 'Node.getType()' to be " + baseType + ", but it was " + nodeType
)
}
}
import IrTest

1498
cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
View File

File diff suppressed because it is too large Load Diff

1494
cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
View File

File diff suppressed because it is too large Load Diff

16
cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
View File

@@ -71,11 +71,11 @@ void test_pair()
sink(i.second); // $ MISSING: ast,ir
sink(i); // $ ast,ir
sink(j.first);
sink(j.second); // $ SPURIOUS: ast
sink(j); // $ SPURIOUS: ast
sink(j.second); // $ SPURIOUS: ast,ir
sink(j); // $ SPURIOUS: ast,ir
sink(k.first);
sink(k.second); // $ SPURIOUS: ast
sink(k); // $ SPURIOUS: ast
sink(k.second); // $ SPURIOUS: ast,ir
sink(k); // $ SPURIOUS: ast,ir
sink(l.first);
sink(l.second); // $ MISSING: ast,ir
sink(l); // $ ast,ir
@@ -196,10 +196,10 @@ void test_map()
sink(m18); // $ ast,ir
m15.swap(m16);
m17.swap(m18);
sink(m15); // $ SPURIOUS: ast
sink(m15); // $ SPURIOUS: ast,ir
sink(m16); // $ ast,ir
sink(m17); // $ ast,ir
sink(m18); // $ SPURIOUS: ast
sink(m18); // $ SPURIOUS: ast,ir
// merge
std::map<char *, char *> m19, m20, m21, m22;
@@ -345,10 +345,10 @@ void test_unordered_map()
sink(m18); // $ ast,ir
m15.swap(m16);
m17.swap(m18);
sink(m15); // $ SPURIOUS: ast
sink(m15); // $ SPURIOUS: ast,ir
sink(m16); // $ ast,ir
sink(m17); // $ ast,ir
sink(m18); // $ SPURIOUS: ast
sink(m18); // $ SPURIOUS: ast,ir
// merge
std::unordered_map<char *, char *> m19, m20, m21, m22;

8
cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
View File

@@ -81,10 +81,10 @@ void test_set()
sink(s15); // $ ast,ir
s12.swap(s13);
s14.swap(s15);
sink(s12); // $ SPURIOUS: ast
sink(s12); // $ SPURIOUS: ast,ir
sink(s13); // $ ast,ir
sink(s14); // $ ast,ir
sink(s15); // $ SPURIOUS: ast
sink(s15); // $ SPURIOUS: ast,ir
// merge
std::set<char *> s16, s17, s18, s19;
@@ -193,10 +193,10 @@ void test_unordered_set()
sink(s15); // $ ast,ir
s12.swap(s13);
s14.swap(s15);
sink(s12); // $ SPURIOUS: ast
sink(s12); // $ SPURIOUS: ast,ir
sink(s13); // $ ast,ir
sink(s14); // $ ast,ir
sink(s15); // $ SPURIOUS: ast
sink(s15); // $ SPURIOUS: ast,ir
// merge
std::unordered_set<char *> s16, s17, s18, s19;

4
cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
View File

@@ -280,9 +280,9 @@ void test_string_swap() {
s4.swap(s3);
sink(s1); // $ ast,ir
sink(s2); // $ SPURIOUS: ast
sink(s2); // $ SPURIOUS: ast,ir
sink(s3); // $ ast,ir
sink(s4); // $ SPURIOUS: ast
sink(s4); // $ SPURIOUS: ast,ir
}
void test_string_clear() {

4
cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
View File

@@ -118,9 +118,9 @@ void test_stringstream_swap()
ss4.swap(ss3);
sink(ss1); // $ ast,ir
sink(ss2); // $ SPURIOUS: ast
sink(ss2); // $ SPURIOUS: ast,ir
sink(ss3); // $ ast,ir
sink(ss4); // $ SPURIOUS: ast
sink(ss4); // $ SPURIOUS: ast,ir
}
void test_stringstream_in()

2
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -212,7 +212,7 @@ void test_swap() {
std::swap(x, y);
sink(x); // $ SPURIOUS: ast
sink(x); // $ SPURIOUS: ast,ir
sink(y); // $ ast,ir
}

4
cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
View File

@@ -114,10 +114,10 @@ void test_vector_swap() {
v1.swap(v2);
v3.swap(v4);
sink(v1); // $ SPURIOUS: ast
sink(v1); // $ SPURIOUS: ast,ir
sink(v2); // $ ast,ir
sink(v3); // $ ast,ir
sink(v4); // $ SPURIOUS: ast
sink(v4); // $ SPURIOUS: ast,ir
}
void test_vector_clear() {

12517
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

File diff suppressed because it is too large Load Diff

11106
cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
View File

File diff suppressed because it is too large Load Diff

71
cpp/ql/test/library-tests/ir/ir/ir.cpp
View File

@@ -1065,6 +1065,8 @@ struct vector {
bool operator!=(iterator right) const;
};
vector(T);
~vector();
iterator begin() const;
iterator end() const;
};
@@ -2120,4 +2122,71 @@ void call_as_child_of_ConditionDeclExpr() {
if(HasOperatorBool b = HasOperatorBool()) {}
}
// semmle-extractor-options: -std=c++17 --clang
class ClassWithDestructor {
char *x;
public:
ClassWithDestructor() { x = new char; }
~ClassWithDestructor() { delete x; }
void set_x(char y) { *x = y; }
char get_x() { return *x; }
};
constexpr bool initialization_with_destructor_bool = true;
void initialization_with_destructor(bool b, char c) {
if (ClassWithDestructor x; b)
x.set_x('a');
if constexpr (ClassWithDestructor x; initialization_with_destructor_bool)
x.set_x('a');
switch(ClassWithDestructor x; c) {
case 'a':
x.set_x('a');
break;
default:
x.set_x('b');
break;
}
ClassWithDestructor x;
for(vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys)
y.set_x('a');
for(vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys) {
y.set_x('a');
if (y.get_x() == 'b')
return;
}
for(vector<int> ys(1); int y : ys) {
if (y == 1)
return;
}
for(vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys) {
ClassWithDestructor z1;
ClassWithDestructor z2;
}
}
void static_variable_with_destructor_1() {
ClassWithDestructor a;
static ClassWithDestructor b;
}
void static_variable_with_destructor_2() {
static ClassWithDestructor a;
ClassWithDestructor b;
}
void static_variable_with_destructor_3() {
ClassWithDestructor a;
ClassWithDestructor b;
static ClassWithDestructor c;
}
static ClassWithDestructor global_class_with_destructor;
// semmle-extractor-options: -std=c++20 --clang

9761
cpp/ql/test/library-tests/ir/ir/operand_locations.expected
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
View File

@@ -20,7 +20,7 @@ multipleIRTypes
lostReachability
backEdgeCountMismatch
useNotDominatedByDefinition
| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
| ir.cpp:1488:8:1488:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1488:8:1488:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
| try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
| try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
| try_except.c:39:15:39:15 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |

9972
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

File diff suppressed because it is too large Load Diff

24
cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected
View File

@@ -1,16 +1,16 @@
edges
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a |
| test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a |
| test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a |
| test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a |
| test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a |
| test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | provenance | |
| test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | provenance | |
| test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | provenance | |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | provenance | |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | provenance | |
| test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | provenance | |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | provenance | |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | provenance | |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | provenance | |
| test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | provenance | |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | provenance | |
| test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | provenance | |
nodes
| test_free.cpp:11:10:11:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test_free.cpp:14:10:14:10 | a | semmle.label | a |

46
cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
View File

@@ -1,27 +1,27 @@
edges
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a |
| test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a |
| test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a |
| test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... |
| test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... |
| test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... |
| test_free.cpp:277:8:277:8 | *s [post update] [buf] | test_free.cpp:278:12:278:12 | *s [buf] |
| test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:277:8:277:8 | *s [post update] [buf] |
| test_free.cpp:278:12:278:12 | *s [buf] | test_free.cpp:278:15:278:17 | buf |
| test_free.cpp:282:8:282:8 | *s [post update] [buf] | test_free.cpp:283:12:283:12 | *s [buf] |
| test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:282:8:282:8 | *s [post update] [buf] |
| test_free.cpp:283:12:283:12 | *s [buf] | test_free.cpp:283:14:283:16 | buf |
| test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:294:3:294:13 | ... = ... |
| test_free.cpp:294:3:294:3 | *s [post update] [buf] | test_free.cpp:295:12:295:12 | *s [buf] |
| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:3:294:3 | *s [post update] [buf] |
| test_free.cpp:295:12:295:12 | *s [buf] | test_free.cpp:295:14:295:16 | buf |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | provenance | |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | provenance | |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | provenance | |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | provenance | |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | provenance | |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | provenance | |
| test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | provenance | |
| test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | provenance | |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | provenance | |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | provenance | |
| test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | provenance | |
| test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | provenance | |
| test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | provenance | |
| test_free.cpp:277:8:277:8 | *s [post update] [buf] | test_free.cpp:278:12:278:12 | *s [buf] | provenance | |
| test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:277:8:277:8 | *s [post update] [buf] | provenance | |
| test_free.cpp:278:12:278:12 | *s [buf] | test_free.cpp:278:15:278:17 | buf | provenance | |
| test_free.cpp:282:8:282:8 | *s [post update] [buf] | test_free.cpp:283:12:283:12 | *s [buf] | provenance | |
| test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:282:8:282:8 | *s [post update] [buf] | provenance | |
| test_free.cpp:283:12:283:12 | *s [buf] | test_free.cpp:283:14:283:16 | buf | provenance | |
| test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:294:3:294:13 | ... = ... | provenance | |
| test_free.cpp:294:3:294:3 | *s [post update] [buf] | test_free.cpp:295:12:295:12 | *s [buf] | provenance | |
| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:3:294:3 | *s [post update] [buf] | provenance | |
| test_free.cpp:295:12:295:12 | *s [buf] | test_free.cpp:295:14:295:16 | buf | provenance | |
nodes
| test_free.cpp:11:10:11:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test_free.cpp:12:5:12:5 | a | semmle.label | a |

42
cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected
View File

@@ -1,25 +1,25 @@
edges
| test.cpp:26:29:26:29 | b | test.cpp:27:2:27:2 | b |
| test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b |
| test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b |
| test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b |
| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d |
| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d |
| test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b |
| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d |
| test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b |
| test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b |
| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss |
| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b |
| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b |
| test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b |
| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b |
| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b |
| test.cpp:26:29:26:29 | b | test.cpp:27:2:27:2 | b | provenance | |
| test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b | provenance | |
| test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b | provenance | |
| test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b | provenance | |
| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d | provenance | |
| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d | provenance | |
| test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b | provenance | |
| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d | provenance | |
| test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b | provenance | |
| test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b | provenance | |
| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss | provenance | |
| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss | provenance | |
| test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b | provenance | |
| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss | provenance | |
| test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b | provenance | |
| test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b | provenance | |
| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 | provenance | |
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 | provenance | |
| test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b | provenance | |
| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 | provenance | |
| test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b | provenance | |
nodes
| test.cpp:26:29:26:29 | b | semmle.label | b |
| test.cpp:27:2:27:2 | b | semmle.label | b |

2
cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected
View File

@@ -1,5 +1,5 @@
edges
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | provenance | |
nodes
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | semmle.label | *data |

10
cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected
View File

@@ -1,9 +1,9 @@
edges
| test.c:8:27:8:30 | **argv | test.c:17:11:17:18 | *fileName |
| test.c:8:27:8:30 | **argv | test.c:32:11:32:18 | *fileName |
| test.c:8:27:8:30 | **argv | test.c:57:10:57:16 | *access to array |
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | *fileName |
| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | *fileName |
| test.c:8:27:8:30 | **argv | test.c:17:11:17:18 | *fileName | provenance | |
| test.c:8:27:8:30 | **argv | test.c:32:11:32:18 | *fileName | provenance | |
| test.c:8:27:8:30 | **argv | test.c:57:10:57:16 | *access to array | provenance | |
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | *fileName | provenance | |
| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | *fileName | provenance | |
nodes
| test.c:8:27:8:30 | **argv | semmle.label | **argv |
| test.c:17:11:17:18 | *fileName | semmle.label | *fileName |

10
cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected
View File

@@ -1,9 +1,9 @@
edges
| tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource |
| tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:38:39:38:49 | *environment |
| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | **badSource |
| tests.cpp:38:39:38:49 | *environment | tests.cpp:38:25:38:36 | strncat output argument |
| tests.cpp:51:12:51:20 | *call to badSource | tests.cpp:53:16:53:19 | *data |
| tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource | provenance | |
| tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:38:39:38:49 | *environment | provenance | |
| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | **badSource | provenance | |
| tests.cpp:38:39:38:49 | *environment | tests.cpp:38:25:38:36 | strncat output argument | provenance | |
| tests.cpp:51:12:51:20 | *call to badSource | tests.cpp:53:16:53:19 | *data | provenance | |
nodes
| tests.cpp:26:15:26:23 | **badSource | semmle.label | **badSource |
| tests.cpp:33:34:33:39 | *call to getenv | semmle.label | *call to getenv |

132
cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
View File

@@ -1,70 +1,70 @@
edges
| test.cpp:15:27:15:30 | **argv | test.cpp:22:45:22:52 | *userName |
| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | *command1 |
| test.cpp:22:45:22:52 | *userName | test.cpp:22:13:22:20 | sprintf output argument |
| test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags |
| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command |
| test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument |
| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename |
| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command |
| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument |
| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename |
| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command |
| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument |
| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename |
| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path |
| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument |
| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path |
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str |
| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ |
| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str |
| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ |
| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ |
| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ |
| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path |
| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data |
| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ |
| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str |
| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command |
| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument |
| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument |
| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument |
| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename |
| test.cpp:15:27:15:30 | **argv | test.cpp:22:45:22:52 | *userName | provenance | |
| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | *command1 | provenance | |
| test.cpp:22:45:22:52 | *userName | test.cpp:22:13:22:20 | sprintf output argument | provenance | |
| test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags | provenance | |
| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command | provenance | |
| test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument | provenance | |
| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename | provenance | |
| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command | provenance | |
| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument | provenance | |
| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename | provenance | |
| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command | provenance | |
| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument | provenance | |
| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename | provenance | |
| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path | provenance | |
| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument | provenance | |
| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path | provenance | |
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str | provenance | |
| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ | provenance | |
| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path | provenance | |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | |
| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ | provenance | |
| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ | provenance | |
| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ | provenance | |
| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path | provenance | |
| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data | provenance | |
| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ | provenance | |
| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str | provenance | |
| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command | provenance | |
| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument | provenance | |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename | provenance | |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename | provenance | |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance | |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance | |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | |
| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument | provenance | |
| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename | provenance | |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance | |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance | |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | |
| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename | provenance | |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance | |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | |
| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename | provenance | |
nodes
| test.cpp:15:27:15:30 | **argv | semmle.label | **argv |
| test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |

18
cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
View File

@@ -1,13 +1,13 @@
edges
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query |
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query |
| search.c:55:24:55:28 | *query | search.c:62:8:62:17 | *query_text |
| search.c:67:21:67:26 | *call to getenv | search.c:71:17:71:25 | *raw_query |
| search.c:67:21:67:26 | *call to getenv | search.c:73:17:73:25 | *raw_query |
| search.c:67:21:67:26 | *call to getenv | search.c:77:17:77:25 | *raw_query |
| search.c:71:17:71:25 | *raw_query | search.c:14:24:14:28 | *query |
| search.c:73:17:73:25 | *raw_query | search.c:22:24:22:28 | *query |
| search.c:77:17:77:25 | *raw_query | search.c:55:24:55:28 | *query |
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query | provenance | |
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query | provenance | |
| search.c:55:24:55:28 | *query | search.c:62:8:62:17 | *query_text | provenance | |
| search.c:67:21:67:26 | *call to getenv | search.c:71:17:71:25 | *raw_query | provenance | |
| search.c:67:21:67:26 | *call to getenv | search.c:73:17:73:25 | *raw_query | provenance | |
| search.c:67:21:67:26 | *call to getenv | search.c:77:17:77:25 | *raw_query | provenance | |
| search.c:71:17:71:25 | *raw_query | search.c:14:24:14:28 | *query | provenance | |
| search.c:73:17:73:25 | *raw_query | search.c:22:24:22:28 | *query | provenance | |
| search.c:77:17:77:25 | *raw_query | search.c:55:24:55:28 | *query | provenance | |
nodes
| search.c:14:24:14:28 | *query | semmle.label | *query |
| search.c:17:8:17:12 | *query | semmle.label | *query |

16
cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
View File

@@ -1,12 +1,12 @@
edges
| test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 |
| test.c:14:27:14:30 | **argv | test.c:35:16:35:23 | *userName |
| test.c:35:16:35:23 | *userName | test.c:40:25:40:32 | *username |
| test.c:38:7:38:20 | **globalUsername | test.c:51:18:51:23 | *query1 |
| test.c:40:25:40:32 | *username | test.c:38:7:38:20 | **globalUsername |
| test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput |
| test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput |
| test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array |
| test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | provenance | |
| test.c:14:27:14:30 | **argv | test.c:35:16:35:23 | *userName | provenance | |
| test.c:35:16:35:23 | *userName | test.c:40:25:40:32 | *username | provenance | |
| test.c:38:7:38:20 | **globalUsername | test.c:51:18:51:23 | *query1 | provenance | |
| test.c:40:25:40:32 | *username | test.c:38:7:38:20 | **globalUsername | provenance | |
| test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | provenance | |
| test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | provenance | |
nodes
| test.c:14:27:14:30 | **argv | semmle.label | **argv |
| test.c:21:18:21:23 | *query1 | semmle.label | *query1 |

6
cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
View File

@@ -1,7 +1,7 @@
edges
| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data |
| test.cpp:64:30:64:35 | *call to getenv | test.cpp:73:24:73:27 | *data |
| test.cpp:73:24:73:27 | *data | test.cpp:37:73:37:76 | *data |
| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data | provenance | |
| test.cpp:64:30:64:35 | *call to getenv | test.cpp:73:24:73:27 | *data | provenance | |
| test.cpp:73:24:73:27 | *data | test.cpp:37:73:37:76 | *data | provenance | |
nodes
| test.cpp:37:73:37:76 | *data | semmle.label | *data |
| test.cpp:43:32:43:35 | *data | semmle.label | *data |

24
cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
View File

@@ -1,16 +1,16 @@
edges
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command |
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command |
| test.cpp:42:18:42:34 | *call to getenv | test.cpp:24:30:24:36 | *command |
| test.cpp:43:18:43:34 | *call to getenv | test.cpp:29:30:29:36 | *command |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer |
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer |
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer |
| test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr |
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command | provenance | |
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command | provenance | |
| test.cpp:42:18:42:34 | *call to getenv | test.cpp:24:30:24:36 | *command | provenance | |
| test.cpp:43:18:43:34 | *call to getenv | test.cpp:29:30:29:36 | *command | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | provenance | |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | provenance | |
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | provenance | |
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | provenance | |
| test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | provenance | |
nodes
| test.cpp:24:30:24:36 | *command | semmle.label | *command |
| test.cpp:26:10:26:16 | *command | semmle.label | *command |

116
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
View File

@@ -1,62 +1,62 @@
edges
| test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] |
| test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] |
| test.cpp:18:5:18:30 | ... = ... | test.cpp:18:5:18:7 | *str [post update] [string] |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
| test.cpp:19:5:19:7 | *str [string] | test.cpp:16:11:16:21 | **mk_string_t [string] |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:42:13:42:15 | *str [string] |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:72:17:72:19 | *str [string] |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:80:17:80:19 | *str [string] |
| test.cpp:42:13:42:15 | *str [string] | test.cpp:42:18:42:23 | string |
| test.cpp:72:17:72:19 | *str [string] | test.cpp:72:22:72:27 | string |
| test.cpp:80:17:80:19 | *str [string] | test.cpp:80:22:80:27 | string |
| test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] |
| test.cpp:90:5:90:7 | *str [post update] [string] | test.cpp:91:5:91:7 | *str [string] |
| test.cpp:90:5:90:34 | ... = ... | test.cpp:90:5:90:7 | *str [post update] [string] |
| test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
| test.cpp:91:5:91:7 | *str [string] | test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:99:13:99:15 | *str [string] |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:129:17:129:19 | *str [string] |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:137:17:137:19 | *str [string] |
| test.cpp:99:13:99:15 | *str [string] | test.cpp:99:18:99:23 | string |
| test.cpp:129:17:129:19 | *str [string] | test.cpp:129:22:129:27 | string |
| test.cpp:137:17:137:19 | *str [string] | test.cpp:137:22:137:27 | string |
| test.cpp:147:5:147:7 | *str [post update] [string] | test.cpp:148:5:148:7 | *str [string] |
| test.cpp:147:5:147:34 | ... = ... | test.cpp:147:5:147:7 | *str [post update] [string] |
| test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:152:13:152:15 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:154:13:154:15 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:156:13:156:15 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:175:17:175:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:187:17:187:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:195:17:195:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:199:17:199:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:203:17:203:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:207:17:207:19 | *str [string] |
| test.cpp:152:13:152:15 | *str [string] | test.cpp:152:18:152:23 | string |
| test.cpp:154:13:154:15 | *str [string] | test.cpp:154:18:154:23 | string |
| test.cpp:156:13:156:15 | *str [string] | test.cpp:156:18:156:23 | string |
| test.cpp:175:17:175:19 | *str [string] | test.cpp:175:22:175:27 | string |
| test.cpp:187:17:187:19 | *str [string] | test.cpp:187:22:187:27 | string |
| test.cpp:195:17:195:19 | *str [string] | test.cpp:195:22:195:27 | string |
| test.cpp:199:17:199:19 | *str [string] | test.cpp:199:22:199:27 | string |
| test.cpp:203:17:203:19 | *str [string] | test.cpp:203:22:203:27 | string |
| test.cpp:207:17:207:19 | *str [string] | test.cpp:207:22:207:27 | string |
| test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
| test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer |
| test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
| test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer |
| test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | *p_str [post update] [string] |
| test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer |
| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | *str [string] |
| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
| test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
| test.cpp:243:12:243:14 | *str [string] | test.cpp:243:12:243:21 | string |
| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p |
| test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p |
| test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p |
| test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p |
| test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] | provenance | |
| test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] | provenance | |
| test.cpp:18:5:18:30 | ... = ... | test.cpp:18:5:18:7 | *str [post update] [string] | provenance | |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... | provenance | |
| test.cpp:19:5:19:7 | *str [string] | test.cpp:16:11:16:21 | **mk_string_t [string] | provenance | |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:42:13:42:15 | *str [string] | provenance | |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:72:17:72:19 | *str [string] | provenance | |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:80:17:80:19 | *str [string] | provenance | |
| test.cpp:42:13:42:15 | *str [string] | test.cpp:42:18:42:23 | string | provenance | |
| test.cpp:72:17:72:19 | *str [string] | test.cpp:72:22:72:27 | string | provenance | |
| test.cpp:80:17:80:19 | *str [string] | test.cpp:80:22:80:27 | string | provenance | |
| test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | provenance | |
| test.cpp:90:5:90:7 | *str [post update] [string] | test.cpp:91:5:91:7 | *str [string] | provenance | |
| test.cpp:90:5:90:34 | ... = ... | test.cpp:90:5:90:7 | *str [post update] [string] | provenance | |
| test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... | provenance | |
| test.cpp:91:5:91:7 | *str [string] | test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | provenance | |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:99:13:99:15 | *str [string] | provenance | |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:129:17:129:19 | *str [string] | provenance | |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:137:17:137:19 | *str [string] | provenance | |
| test.cpp:99:13:99:15 | *str [string] | test.cpp:99:18:99:23 | string | provenance | |
| test.cpp:129:17:129:19 | *str [string] | test.cpp:129:22:129:27 | string | provenance | |
| test.cpp:137:17:137:19 | *str [string] | test.cpp:137:22:137:27 | string | provenance | |
| test.cpp:147:5:147:7 | *str [post update] [string] | test.cpp:148:5:148:7 | *str [string] | provenance | |
| test.cpp:147:5:147:34 | ... = ... | test.cpp:147:5:147:7 | *str [post update] [string] | provenance | |
| test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:152:13:152:15 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:154:13:154:15 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:156:13:156:15 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:175:17:175:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:187:17:187:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:195:17:195:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:199:17:199:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:203:17:203:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:207:17:207:19 | *str [string] | provenance | |
| test.cpp:152:13:152:15 | *str [string] | test.cpp:152:18:152:23 | string | provenance | |
| test.cpp:154:13:154:15 | *str [string] | test.cpp:154:18:154:23 | string | provenance | |
| test.cpp:156:13:156:15 | *str [string] | test.cpp:156:18:156:23 | string | provenance | |
| test.cpp:175:17:175:19 | *str [string] | test.cpp:175:22:175:27 | string | provenance | |
| test.cpp:187:17:187:19 | *str [string] | test.cpp:187:22:187:27 | string | provenance | |
| test.cpp:195:17:195:19 | *str [string] | test.cpp:195:22:195:27 | string | provenance | |
| test.cpp:199:17:199:19 | *str [string] | test.cpp:199:22:199:27 | string | provenance | |
| test.cpp:203:17:203:19 | *str [string] | test.cpp:203:22:203:27 | string | provenance | |
| test.cpp:207:17:207:19 | *str [string] | test.cpp:207:22:207:27 | string | provenance | |
| test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p | provenance | |
| test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer | provenance | |
| test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p | provenance | |
| test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer | provenance | |
| test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... | provenance | |
| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | *p_str [post update] [string] | provenance | |
| test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer | provenance | |
| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | *str [string] | provenance | |
| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | provenance | |
| test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] | provenance | |
| test.cpp:243:12:243:14 | *str [string] | test.cpp:243:12:243:21 | string | provenance | |
| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | provenance | |
| test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p | provenance | |
| test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | provenance | |
| test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p | provenance | |
nodes
| test.cpp:16:11:16:21 | **mk_string_t [string] | semmle.label | **mk_string_t [string] |
| test.cpp:18:5:18:7 | *str [post update] [string] | semmle.label | *str [post update] [string] |

20
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
View File

@@ -1,14 +1,14 @@
edges
| main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv |
| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src |
| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:15:53:17 | *src |
| overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | *src2 |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | *src |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | *src |
| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src |
| overflowdestination.cpp:76:30:76:32 | *src | overflowdestination.cpp:57:52:57:54 | *src |
| main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | |
| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | provenance | |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | provenance | |
| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:15:53:17 | *src | provenance | |
| overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | *src2 | provenance | |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | *src | provenance | |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | *src | provenance | |
| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | provenance | |
| overflowdestination.cpp:76:30:76:32 | *src | overflowdestination.cpp:57:52:57:54 | *src | provenance | |
nodes
| main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |

26
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
View File

@@ -1,17 +1,17 @@
edges
| main.cpp:6:27:6:30 | **argv | main.cpp:10:20:10:23 | **argv |
| main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv |
| tests.cpp:613:19:613:24 | *source | tests.cpp:615:17:615:22 | *source |
| tests.cpp:622:19:622:24 | *source | tests.cpp:625:2:625:16 | *... = ... |
| tests.cpp:625:2:625:2 | *s [post update] [*home] | tests.cpp:628:14:628:14 | *s [*home] |
| tests.cpp:625:2:625:16 | *... = ... | tests.cpp:625:2:625:2 | *s [post update] [*home] |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home |
| tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array |
| tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source |
| tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source |
| main.cpp:6:27:6:30 | **argv | main.cpp:10:20:10:23 | **argv | provenance | |
| main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv | provenance | |
| tests.cpp:613:19:613:24 | *source | tests.cpp:615:17:615:22 | *source | provenance | |
| tests.cpp:622:19:622:24 | *source | tests.cpp:625:2:625:16 | *... = ... | provenance | |
| tests.cpp:625:2:625:2 | *s [post update] [*home] | tests.cpp:628:14:628:14 | *s [*home] | provenance | |
| tests.cpp:625:2:625:16 | *... = ... | tests.cpp:625:2:625:2 | *s [post update] [*home] | provenance | |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home | provenance | |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home | provenance | |
| tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home | provenance | |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array | provenance | |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array | provenance | |
| tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance | |
| tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance | |
nodes
| main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
| main.cpp:10:20:10:23 | **argv | semmle.label | **argv |

6
cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
View File

@@ -1,7 +1,7 @@
edges
| tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array |
| tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array |
| tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array |
| tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | provenance | |
| tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | provenance | |
| tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | provenance | |
nodes
| tests.c:16:26:16:29 | **argv | semmle.label | **argv |
| tests.c:28:22:28:28 | *access to array | semmle.label | *access to array |

2
cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
View File

@@ -1,5 +1,5 @@
edges
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data |
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | provenance | |
nodes
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | semmle.label | fgets output argument |
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | semmle.label | data |

18
cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
View File

@@ -1,13 +1,13 @@
edges
| test1.c:7:26:7:29 | **argv | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | **argv | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | **argv | test1.c:13:9:13:9 | i |
| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i |
| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i |
| test1.c:13:9:13:9 | i | test1.c:48:16:48:16 | i |
| test1.c:16:16:16:16 | i | test1.c:18:16:18:16 | i |
| test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i |
| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j |
| test1.c:7:26:7:29 | **argv | test1.c:9:9:9:9 | i | provenance | |
| test1.c:7:26:7:29 | **argv | test1.c:11:9:11:9 | i | provenance | |
| test1.c:7:26:7:29 | **argv | test1.c:13:9:13:9 | i | provenance | |
| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i | provenance | |
| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i | provenance | |
| test1.c:13:9:13:9 | i | test1.c:48:16:48:16 | i | provenance | |
| test1.c:16:16:16:16 | i | test1.c:18:16:18:16 | i | provenance | |
| test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i | provenance | |
| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j | provenance | |
nodes
| test1.c:7:26:7:29 | **argv | semmle.label | **argv |
| test1.c:9:9:9:9 | i | semmle.label | i |

6
cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected
View File

@@ -1,7 +1,7 @@
edges
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data |
| char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | provenance | |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | provenance | |
| char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | provenance | |
nodes
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | semmle.label | recv output argument |
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | semmle.label | *data |

48
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
View File

@@ -1,28 +1,28 @@
edges
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | provenance | |
nodes
| argvLocal.c:13:27:13:30 | **argv | semmle.label | **argv |
| argvLocal.c:95:9:95:15 | *access to array | semmle.label | *access to array |

16
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
View File

@@ -1,12 +1,12 @@
edges
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 |
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 |
| funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 |
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 |
| funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 |
| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... |
| funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | provenance | |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | provenance | |
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | provenance | |
| funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | provenance | |
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | provenance | |
| funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | provenance | |
| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | provenance | |
| funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | provenance | |
nodes
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
| funcsLocal.c:17:9:17:10 | *i1 | semmle.label | *i1 |

22
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
View File

@@ -1,15 +1,15 @@
edges
| globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 |
| globalVars.c:11:22:11:25 | **argv | globalVars.c:8:7:8:10 | **copy |
| globalVars.c:15:21:15:23 | *val | globalVars.c:9:7:9:11 | **copy2 |
| globalVars.c:23:27:23:30 | **argv | globalVars.c:24:11:24:14 | **argv |
| globalVars.c:24:11:24:14 | **argv | globalVars.c:11:22:11:25 | **argv |
| globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance | |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance | |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy | provenance | |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 | provenance | |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance | |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 | provenance | |
| globalVars.c:11:22:11:25 | **argv | globalVars.c:8:7:8:10 | **copy | provenance | |
| globalVars.c:15:21:15:23 | *val | globalVars.c:9:7:9:11 | **copy2 | provenance | |
| globalVars.c:23:27:23:30 | **argv | globalVars.c:24:11:24:14 | **argv | provenance | |
| globalVars.c:24:11:24:14 | **argv | globalVars.c:11:22:11:25 | **argv | provenance | |
| globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | provenance | |
nodes
| globalVars.c:8:7:8:10 | **copy | semmle.label | **copy |
| globalVars.c:9:7:9:11 | **copy2 | semmle.label | **copy2 |

22
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
View File

@@ -1,15 +1,15 @@
edges
| ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 |
| ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 |
| ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 |
| ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 |
| ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 |
| ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 |
| ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 |
| ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 |
| ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 |
| ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 |
| ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 |
| ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | provenance | |
nodes
| ifs.c:16:27:16:30 | **argv | semmle.label | **argv |
| ifs.c:62:9:62:10 | *c7 | semmle.label | *c7 |

2
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected
View File

@@ -1,5 +1,5 @@
edges
| examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
| examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | provenance | |
nodes
| examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument |
| examples.cpp:66:11:66:14 | data | semmle.label | data |

24
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected
View File

@@ -1,16 +1,16 @@
edges
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
nodes
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |

64
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
View File

@@ -1,36 +1,36 @@
edges
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
| test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r |
| test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r |
| test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r |
| test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r |
| test.cpp:6:5:6:12 | *get_rand | test.cpp:24:11:24:18 | call to get_rand |
| test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | *get_rand |
| test.cpp:11:21:11:24 | *dest | test.cpp:30:13:30:14 | get_rand2 output argument |
| test.cpp:13:10:13:13 | call to rand | test.cpp:11:21:11:24 | *dest |
| test.cpp:16:21:16:24 | *dest | test.cpp:36:13:36:13 | get_rand3 output argument |
| test.cpp:18:9:18:12 | call to rand | test.cpp:16:21:16:24 | *dest |
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
| test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x |
| test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x |
| test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y |
| test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b |
| test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y |
| test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x |
| test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x |
| test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x |
| test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y |
| test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y |
| test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y |
| test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x |
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | provenance | |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | provenance | |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | provenance | |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | provenance | |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | provenance | |
| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | provenance | |
| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | provenance | |
| test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | provenance | |
| test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | provenance | |
| test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | provenance | |
| test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | provenance | |
| test.cpp:6:5:6:12 | *get_rand | test.cpp:24:11:24:18 | call to get_rand | provenance | |
| test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | *get_rand | provenance | |
| test.cpp:11:21:11:24 | *dest | test.cpp:30:13:30:14 | get_rand2 output argument | provenance | |
| test.cpp:13:10:13:13 | call to rand | test.cpp:11:21:11:24 | *dest | provenance | |
| test.cpp:16:21:16:24 | *dest | test.cpp:36:13:36:13 | get_rand3 output argument | provenance | |
| test.cpp:18:9:18:12 | call to rand | test.cpp:16:21:16:24 | *dest | provenance | |
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r | provenance | |
| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r | provenance | |
| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r | provenance | |
| test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | provenance | |
| test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | provenance | |
| test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | provenance | |
| test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | provenance | |
| test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | provenance | |
| test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | provenance | |
| test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | provenance | |
| test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | provenance | |
| test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | provenance | |
| test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | provenance | |
| test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | provenance | |
| test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | provenance | |
nodes
| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
| test.c:21:17:21:17 | r | semmle.label | r |

48
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
View File

@@ -1,28 +1,28 @@
edges
| test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size |
| test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size |
| test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... |
| test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... |
| test.cpp:209:8:209:23 | *get_tainted_size | test.cpp:241:9:241:24 | call to get_tainted_size |
| test.cpp:211:14:211:27 | *call to getenv | test.cpp:209:8:209:23 | *get_tainted_size |
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:239:9:239:18 | local_size |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:245:11:245:20 | local_size |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:247:10:247:19 | local_size |
| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
| test.cpp:250:20:250:27 | *out_size | test.cpp:289:17:289:20 | get_size output argument |
| test.cpp:250:20:250:27 | *out_size | test.cpp:305:18:305:21 | get_size output argument |
| test.cpp:251:18:251:31 | *call to getenv | test.cpp:250:20:250:27 | *out_size |
| test.cpp:259:20:259:33 | *call to getenv | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... |
| test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:355:35:355:38 | size |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:356:35:356:38 | size |
| test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | provenance | |
| test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | provenance | |
| test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | provenance | |
| test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | provenance | |
| test.cpp:209:8:209:23 | *get_tainted_size | test.cpp:241:9:241:24 | call to get_tainted_size | provenance | |
| test.cpp:211:14:211:27 | *call to getenv | test.cpp:209:8:209:23 | *get_tainted_size | provenance | |
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s | provenance | |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:239:9:239:18 | local_size | provenance | |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:245:11:245:20 | local_size | provenance | |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:247:10:247:19 | local_size | provenance | |
| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s | provenance | |
| test.cpp:250:20:250:27 | *out_size | test.cpp:289:17:289:20 | get_size output argument | provenance | |
| test.cpp:250:20:250:27 | *out_size | test.cpp:305:18:305:21 | get_size output argument | provenance | |
| test.cpp:251:18:251:31 | *call to getenv | test.cpp:250:20:250:27 | *out_size | provenance | |
| test.cpp:259:20:259:33 | *call to getenv | test.cpp:263:11:263:29 | ... * ... | provenance | |
| test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... | provenance | |
| test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... | provenance | |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:355:35:355:38 | size | provenance | |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:356:35:356:38 | size | provenance | |
nodes
| test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |

30
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
View File

@@ -1,19 +1,19 @@
edges
| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:13:27:13 | v |
| test2.cpp:27:13:27:13 | v | test2.cpp:12:21:12:21 | v |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num |
| test3.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections |
| test3.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 |
| test3.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:17:6:17:18 | call to getTaintedInt |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:18:6:18:18 | call to getTaintedInt |
| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:5:5:5:17 | *getTaintedInt |
| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
| test.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections |
| test.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 |
| test.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 |
| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v | provenance | |
| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:13:27:13 | v | provenance | |
| test2.cpp:27:13:27:13 | v | test2.cpp:12:21:12:21 | v | provenance | |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | provenance | |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | provenance | |
| test3.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections | provenance | |
| test3.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 | provenance | |
| test3.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 | provenance | |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:17:6:17:18 | call to getTaintedInt | provenance | |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:18:6:18:18 | call to getTaintedInt | provenance | |
| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:5:5:5:17 | *getTaintedInt | provenance | |
| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y | provenance | |
| test.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections | provenance | |
| test.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 | provenance | |
| test.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 | provenance | |
nodes
| test2.cpp:12:21:12:21 | v | semmle.label | v |
| test2.cpp:14:11:14:11 | v | semmle.label | v |

204
cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected
View File

@@ -1,106 +1,106 @@
edges
| test.cpp:4:15:4:33 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | ... + ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
| test.cpp:6:14:6:15 | * ... | test.cpp:8:14:8:21 | * ... |
| test.cpp:16:15:16:33 | call to malloc | test.cpp:20:14:20:21 | * ... |
| test.cpp:28:15:28:37 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | ... + ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
| test.cpp:30:14:30:15 | * ... | test.cpp:32:14:32:21 | * ... |
| test.cpp:51:33:51:35 | *end | test.cpp:60:34:60:37 | mk_array output argument |
| test.cpp:52:19:52:37 | call to malloc | test.cpp:53:12:53:23 | ... + ... |
| test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | *end |
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... |
| test.cpp:205:15:205:33 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | ... + ... |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
| test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:261:14:261:21 | ... + ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:270:13:270:24 | new[] | test.cpp:271:14:271:21 | ... + ... |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:271:14:271:21 | ... + ... |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... |
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
| test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... |
| test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... |
| test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... |
| test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | ... = ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... |
| test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | ... = ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... |
| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... |
| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... |
| test.cpp:730:12:730:28 | new[] | test.cpp:732:16:732:26 | ... + ... |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:732:16:732:26 | ... + ... |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array |
| test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array |
| test.cpp:792:60:792:62 | *end | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument |
| test.cpp:792:60:792:62 | *end | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument |
| test.cpp:793:14:793:32 | call to malloc | test.cpp:794:12:794:24 | ... + ... |
| test.cpp:794:12:794:24 | ... + ... | test.cpp:792:60:792:62 | *end |
| test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | test.cpp:807:7:807:12 | ... = ... |
| test.cpp:815:52:815:54 | end | test.cpp:815:52:815:54 | end |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... |
| test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | test.cpp:833:37:833:39 | end |
| test.cpp:833:37:833:39 | end | test.cpp:815:52:815:54 | end |
| test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... |
| test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... |
| test.cpp:856:12:856:35 | call to malloc | test.cpp:857:16:857:29 | ... + ... |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:857:16:857:29 | ... + ... |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... |
| test.cpp:4:15:4:33 | call to malloc | test.cpp:5:15:5:22 | ... + ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | ... + ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... | provenance | |
| test.cpp:6:14:6:15 | * ... | test.cpp:8:14:8:21 | * ... | provenance | |
| test.cpp:16:15:16:33 | call to malloc | test.cpp:20:14:20:21 | * ... | provenance | |
| test.cpp:28:15:28:37 | call to malloc | test.cpp:29:15:29:28 | ... + ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | ... + ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... | provenance | |
| test.cpp:30:14:30:15 | * ... | test.cpp:32:14:32:21 | * ... | provenance | |
| test.cpp:51:33:51:35 | *end | test.cpp:60:34:60:37 | mk_array output argument | provenance | |
| test.cpp:52:19:52:37 | call to malloc | test.cpp:53:12:53:23 | ... + ... | provenance | |
| test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | *end | provenance | |
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... | provenance | |
| test.cpp:205:15:205:33 | call to malloc | test.cpp:206:17:206:23 | ... + ... | provenance | |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | ... + ... | provenance | |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... | provenance | |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... | provenance | |
| test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:261:14:261:21 | ... + ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:270:13:270:24 | new[] | test.cpp:271:14:271:21 | ... + ... | provenance | |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:271:14:271:21 | ... + ... | provenance | |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... | provenance | |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... | provenance | |
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... | provenance | |
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... | provenance | |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... | provenance | |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... | provenance | |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... | provenance | |
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... | provenance | |
| test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... | provenance | |
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... | provenance | |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... | provenance | |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... | provenance | |
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... | provenance | |
| test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... | provenance | |
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... | provenance | |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... | provenance | |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... | provenance | |
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... | provenance | |
| test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... | provenance | |
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... | provenance | |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... | provenance | |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... | provenance | |
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... | provenance | |
| test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | ... = ... | provenance | |
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... | provenance | |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... | provenance | |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... | provenance | |
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... | provenance | |
| test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | ... = ... | provenance | |
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... | provenance | |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... | provenance | |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... | provenance | |
| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... | provenance | |
| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... | provenance | |
| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... | provenance | |
| test.cpp:730:12:730:28 | new[] | test.cpp:732:16:732:26 | ... + ... | provenance | |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:732:16:732:26 | ... + ... | provenance | |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... | provenance | |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | provenance | |
| test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array | provenance | |
| test.cpp:792:60:792:62 | *end | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | provenance | |
| test.cpp:792:60:792:62 | *end | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | provenance | |
| test.cpp:793:14:793:32 | call to malloc | test.cpp:794:12:794:24 | ... + ... | provenance | |
| test.cpp:794:12:794:24 | ... + ... | test.cpp:792:60:792:62 | *end | provenance | |
| test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | test.cpp:807:7:807:12 | ... = ... | provenance | |
| test.cpp:815:52:815:54 | end | test.cpp:815:52:815:54 | end | provenance | |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... | provenance | |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... | provenance | |
| test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | test.cpp:833:37:833:39 | end | provenance | |
| test.cpp:833:37:833:39 | end | test.cpp:815:52:815:54 | end | provenance | |
| test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... | provenance | |
| test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... | provenance | |
| test.cpp:856:12:856:35 | call to malloc | test.cpp:857:16:857:29 | ... + ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:857:16:857:29 | ... + ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | |
nodes
| test.cpp:4:15:4:33 | call to malloc | semmle.label | call to malloc |
| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |

12
cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
View File

@@ -1,10 +1,10 @@
edges
| test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address |
| test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address |
| test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address |
| test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | provenance | |
| test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | provenance | |
| test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | provenance | |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | provenance | |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | provenance | |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | provenance | |
nodes
| test.cpp:16:25:16:42 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:20:14:20:20 | *address | semmle.label | *address |

2
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
View File

@@ -1,5 +1,5 @@
edges
| test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input |
| test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | provenance | |
nodes
| test2.cpp:110:3:110:6 | *call to gets | semmle.label | *call to gets |
| test.cpp:53:27:53:30 | **argv | semmle.label | **argv |

12
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
View File

@@ -1,10 +1,10 @@
edges
| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
| test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf |
| test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | *buf |
| test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer |
| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
| test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword |
| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | provenance | |
| test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | provenance | |
| test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | *buf | provenance | |
| test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | provenance | |
| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | provenance | |
| test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | provenance | |
nodes
| test2.cpp:43:36:43:43 | password | semmle.label | password |
| test2.cpp:44:37:44:45 | thepasswd | semmle.label | thepasswd |

64
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
View File

@@ -1,36 +1,36 @@
edges
| test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr |
| test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr |
| test3.cpp:112:20:112:25 | buffer | test3.cpp:114:14:114:19 | buffer |
| test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | *id |
| test3.cpp:124:7:124:20 | *get_global_str | test3.cpp:144:16:144:29 | call to get_global_str |
| test3.cpp:126:9:126:23 | global_password | test3.cpp:124:7:124:20 | *get_global_str |
| test3.cpp:134:11:134:18 | password | test3.cpp:112:20:112:25 | buffer |
| test3.cpp:138:21:138:22 | call to id | test3.cpp:140:15:140:17 | ptr |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:138:21:138:22 | call to id |
| test3.cpp:144:16:144:29 | call to get_global_str | test3.cpp:146:15:146:18 | data |
| test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer |
| test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data |
| test3.cpp:278:20:278:23 | data | test3.cpp:280:14:280:17 | data |
| test3.cpp:283:20:283:23 | data | test3.cpp:285:14:285:17 | data |
| test3.cpp:288:20:288:23 | data | test3.cpp:290:14:290:17 | data |
| test3.cpp:293:20:293:23 | data | test3.cpp:295:14:295:17 | data |
| test3.cpp:298:20:298:23 | data | test3.cpp:300:14:300:17 | data |
| test3.cpp:313:11:313:19 | password1 | test3.cpp:278:20:278:23 | data |
| test3.cpp:314:11:314:19 | password1 | test3.cpp:283:20:283:23 | data |
| test3.cpp:316:11:316:19 | password1 | test3.cpp:283:20:283:23 | data |
| test3.cpp:317:11:317:19 | password1 | test3.cpp:288:20:288:23 | data |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:324:11:324:14 | data |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:325:11:325:14 | data |
| test3.cpp:324:11:324:14 | data | test3.cpp:293:20:293:23 | data |
| test3.cpp:325:11:325:14 | data | test3.cpp:298:20:298:23 | data |
| test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer |
| test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer |
| test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer |
| test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer |
| test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str |
| test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str |
| test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | provenance | |
| test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | provenance | |
| test3.cpp:112:20:112:25 | buffer | test3.cpp:114:14:114:19 | buffer | provenance | |
| test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | *id | provenance | |
| test3.cpp:124:7:124:20 | *get_global_str | test3.cpp:144:16:144:29 | call to get_global_str | provenance | |
| test3.cpp:126:9:126:23 | global_password | test3.cpp:124:7:124:20 | *get_global_str | provenance | |
| test3.cpp:134:11:134:18 | password | test3.cpp:112:20:112:25 | buffer | provenance | |
| test3.cpp:138:21:138:22 | call to id | test3.cpp:140:15:140:17 | ptr | provenance | |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer | provenance | |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:138:21:138:22 | call to id | provenance | |
| test3.cpp:144:16:144:29 | call to get_global_str | test3.cpp:146:15:146:18 | data | provenance | |
| test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | provenance | |
| test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | provenance | |
| test3.cpp:278:20:278:23 | data | test3.cpp:280:14:280:17 | data | provenance | |
| test3.cpp:283:20:283:23 | data | test3.cpp:285:14:285:17 | data | provenance | |
| test3.cpp:288:20:288:23 | data | test3.cpp:290:14:290:17 | data | provenance | |
| test3.cpp:293:20:293:23 | data | test3.cpp:295:14:295:17 | data | provenance | |
| test3.cpp:298:20:298:23 | data | test3.cpp:300:14:300:17 | data | provenance | |
| test3.cpp:313:11:313:19 | password1 | test3.cpp:278:20:278:23 | data | provenance | |
| test3.cpp:314:11:314:19 | password1 | test3.cpp:283:20:283:23 | data | provenance | |
| test3.cpp:316:11:316:19 | password1 | test3.cpp:283:20:283:23 | data | provenance | |
| test3.cpp:317:11:317:19 | password1 | test3.cpp:288:20:288:23 | data | provenance | |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:324:11:324:14 | data | provenance | |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:325:11:325:14 | data | provenance | |
| test3.cpp:324:11:324:14 | data | test3.cpp:293:20:293:23 | data | provenance | |
| test3.cpp:325:11:325:14 | data | test3.cpp:298:20:298:23 | data | provenance | |
| test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | provenance | |
| test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | provenance | |
| test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | provenance | |
| test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | provenance | |
| test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | provenance | |
| test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | provenance | |
nodes
| test3.cpp:22:15:22:23 | password1 | semmle.label | password1 |
| test3.cpp:26:15:26:23 | password2 | semmle.label | password2 |

26
cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
View File

@@ -1,17 +1,17 @@
edges
| test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url |
| test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g |
| test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:13:24:17 | **url_g |
| test.cpp:28:10:28:29 | *http://example.com | test.cpp:11:26:11:28 | *url |
| test.cpp:35:23:35:42 | *http://example.com | test.cpp:39:11:39:15 | *url_l |
| test.cpp:36:26:36:45 | *http://example.com | test.cpp:40:11:40:17 | *access to array |
| test.cpp:38:11:38:15 | *url_g | test.cpp:11:26:11:28 | *url |
| test.cpp:39:11:39:15 | *url_l | test.cpp:11:26:11:28 | *url |
| test.cpp:40:11:40:17 | *access to array | test.cpp:11:26:11:28 | *url |
| test.cpp:46:18:46:26 | *http:// | test.cpp:49:11:49:16 | *buffer |
| test.cpp:49:11:49:16 | *buffer | test.cpp:11:26:11:28 | *url |
| test.cpp:110:21:110:40 | *http://example.com | test.cpp:121:11:121:13 | *ptr |
| test.cpp:121:11:121:13 | *ptr | test.cpp:11:26:11:28 | *url |
| test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url | provenance | |
| test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g | provenance | |
| test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:13:24:17 | **url_g | provenance | |
| test.cpp:28:10:28:29 | *http://example.com | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:35:23:35:42 | *http://example.com | test.cpp:39:11:39:15 | *url_l | provenance | |
| test.cpp:36:26:36:45 | *http://example.com | test.cpp:40:11:40:17 | *access to array | provenance | |
| test.cpp:38:11:38:15 | *url_g | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:39:11:39:15 | *url_l | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:40:11:40:17 | *access to array | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:46:18:46:26 | *http:// | test.cpp:49:11:49:16 | *buffer | provenance | |
| test.cpp:49:11:49:16 | *buffer | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:110:21:110:40 | *http://example.com | test.cpp:121:11:121:13 | *ptr | provenance | |
| test.cpp:121:11:121:13 | *ptr | test.cpp:11:26:11:28 | *url | provenance | |
nodes
| test.cpp:11:26:11:28 | *url | semmle.label | *url |
| test.cpp:15:30:15:32 | *url | semmle.label | *url |

24
cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected
View File

@@ -1,16 +1,16 @@
edges
| test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data |
| test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data |
| test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data |
| test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data |
| test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... |
| test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data |
| test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data |
| test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data |
| test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data |
| test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x |
| test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | provenance | |
| test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | provenance | |
| test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | provenance | |
| test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | provenance | |
| test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | provenance | |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | provenance | |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | provenance | |
| test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | provenance | |
| test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | provenance | |
| test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | provenance | |
| test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | provenance | |
| test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | provenance | |
nodes
| test.cpp:39:7:39:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test.cpp:41:6:41:9 | data | semmle.label | data |

2
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected
View File

@@ -1,5 +1,5 @@
edges
| tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password |
| tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | provenance | |
nodes
| tests.c:57:21:57:28 | *password | semmle.label | *password |
| tests.c:70:70:70:77 | *password | semmle.label | *password |

32
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
View File

@@ -1,20 +1,20 @@
edges
| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 |
| tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer |
| tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 |
| tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw |
| tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] | tests2.cpp:111:14:111:15 | *c1 [*ptr] |
| tests2.cpp:109:3:109:36 | *... = ... | tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] |
| tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:109:3:109:36 | *... = ... |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf |
| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 | provenance | |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 | provenance | |
| tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | provenance | |
| tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | provenance | |
| tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | provenance | |
| tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] | tests2.cpp:111:14:111:15 | *c1 [*ptr] | provenance | |
| tests2.cpp:109:3:109:36 | *... = ... | tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] | provenance | |
| tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:109:3:109:36 | *... = ... | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance | |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance | |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | provenance | |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | provenance | |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | provenance | |
nodes
| tests2.cpp:50:13:50:19 | **global1 | semmle.label | **global1 |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | semmle.label | *call to mysql_get_client_info |

28
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
View File

@@ -1,18 +1,18 @@
edges
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:71:27:71:38 | *global_token |
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:73:27:73:31 | *maybe |
| tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:62:7:62:18 | **global_token |
| tests.cpp:86:29:86:31 | *msg | tests.cpp:88:15:88:17 | *msg |
| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:86:29:86:31 | *msg |
| tests.cpp:107:30:107:32 | *msg | tests.cpp:111:15:111:17 | *tmp |
| tests.cpp:114:30:114:32 | *msg | tests.cpp:119:7:119:12 | *buffer |
| tests.cpp:122:30:122:32 | *msg | tests.cpp:124:15:124:17 | *msg |
| tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:107:30:107:32 | *msg |
| tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:114:30:114:32 | *msg |
| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:122:30:122:32 | *msg |
| tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd |
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:71:27:71:38 | *global_token | provenance | |
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:73:27:73:31 | *maybe | provenance | |
| tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:62:7:62:18 | **global_token | provenance | |
| tests.cpp:86:29:86:31 | *msg | tests.cpp:88:15:88:17 | *msg | provenance | |
| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:86:29:86:31 | *msg | provenance | |
| tests.cpp:107:30:107:32 | *msg | tests.cpp:111:15:111:17 | *tmp | provenance | |
| tests.cpp:114:30:114:32 | *msg | tests.cpp:119:7:119:12 | *buffer | provenance | |
| tests.cpp:122:30:122:32 | *msg | tests.cpp:124:15:124:17 | *msg | provenance | |
| tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:107:30:107:32 | *msg | provenance | |
| tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:114:30:114:32 | *msg | provenance | |
| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:122:30:122:32 | *msg | provenance | |
| tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | provenance | |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | provenance | |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | provenance | |
nodes
| tests.cpp:48:15:48:36 | *call to getenv | semmle.label | *call to getenv |
| tests.cpp:49:15:49:36 | *call to getenv | semmle.label | *call to getenv |

Some files were not shown because too many files have changed in this diff Show More