hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into rdmarsh2/cpp/ir-synthetic-destructors

Browse Source
This commit is contained in:
Robert Marsh
2024-02-13 15:45:51 +00:00
parent 128bc99f90 7217dfa997
commit 7e23ccd383
762 changed files with 46674 additions and 44872 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,10 @@
## 0.12.5
### New Features
* Added the `PreprocBlock.qll` library to this repository. This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.
## 0.12.4
### Minor Analysis Improvements

4
cpp/ql/lib/change-notes/2024-01-30-throwing-model.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.

4
cpp/ql/lib/change-notes/2024-02-06-flow-out-barrier-function.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added an abstract class `FlowOutBarrierFunction` that can be used to block flow out of a function.

8
cpp/ql/lib/change-notes/2024-01-30-preproc-block.md → cpp/ql/lib/change-notes/released/0.12.5.md
View File

@@ -1,4 +1,6 @@
---
category: feature
---
## 0.12.5
### New Features
* Added the `PreprocBlock.qll` library to this repository. This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.12.4
lastReleaseVersion: 0.12.5

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.12.5-dev
version: 0.12.6-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

27
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -709,7 +709,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {
override DataFlowType getType() {
exists(int indirectionIndex |
indirectionIndex = globalUse.getIndirectionIndex() and
result = getTypeImpl(globalUse.getUnspecifiedType(), indirectionIndex - 1)
result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex - 1)
)
}
@@ -740,7 +740,7 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
override DataFlowType getType() {
exists(DataFlowType type |
type = globalDef.getUnspecifiedType() and
type = globalDef.getUnderlyingType() and
if this.isGLValue()
then result = type
else result = getTypeImpl(type, globalDef.getIndirectionIndex() - 1)
@@ -943,10 +943,13 @@ private Type getTypeImpl0(Type t, int indirectionIndex) {
indirectionIndex > 0 and
exists(Type stripped |
stripped = stripPointer(t.stripTopLevelSpecifiers()) and
// We need to avoid the case where `stripPointer(t) = t` (which can happen on
// iterators that specify a `value_type` that is the iterator itself). Such a type
// would create an infinite loop otherwise. For these cases we simply don't produce
// a result for `getTypeImpl`.
// We need to avoid the case where `stripPointer(t) = t` (which can happen
// on iterators that specify a `value_type` that is the iterator itself).
// Such a type would create an infinite loop otherwise. For these cases we
// simply don't produce a result for `getTypeImpl`.
// To be on the safe side, we check whether the _unspecified_ type has
// changed since this also prevents an infinite loop when `stripped` and
// `t` only differ by const'ness or volatile'ness.
stripped.getUnspecifiedType() != t.getUnspecifiedType() and
result = getTypeImpl0(stripped, indirectionIndex - 1)
)
@@ -996,12 +999,14 @@ private module RawIndirectNodes {
override Declaration getEnclosingCallable() { result = this.getFunction() }
override predicate isGLValue() { this.getOperand().isGLValue() }
override DataFlowType getType() {
exists(int sub, DataFlowType type, boolean isGLValue |
type = getOperandType(this.getOperand(), isGLValue) and
if isGLValue = true then sub = 1 else sub = 0
|
result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
result = getTypeImpl(type.getUnderlyingType(), indirectionIndex - sub)
)
}
@@ -1038,12 +1043,14 @@ private module RawIndirectNodes {
override Declaration getEnclosingCallable() { result = this.getFunction() }
override predicate isGLValue() { this.getInstruction().isGLValue() }
override DataFlowType getType() {
exists(int sub, DataFlowType type, boolean isGLValue |
type = getInstructionType(this.getInstruction(), isGLValue) and
if isGLValue = true then sub = 1 else sub = 0
|
result = getTypeImpl(type.getUnspecifiedType(), indirectionIndex - sub)
result = getTypeImpl(type.getUnderlyingType(), indirectionIndex - sub)
)
}
@@ -1136,7 +1143,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
override Declaration getEnclosingCallable() { result = this.getFunction() }
override DataFlowType getType() { result = getTypeImpl(p.getUnspecifiedType(), indirectionIndex) }
override DataFlowType getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
final override Location getLocationImpl() {
// Parameters can have multiple locations. When there's a unique location we use
@@ -1789,7 +1796,7 @@ class VariableNode extends Node, TVariableNode {
}
override DataFlowType getType() {
result = getTypeImpl(v.getUnspecifiedType(), indirectionIndex - 1)
result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1)
}
final override Location getLocationImpl() {

16
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
View File

@@ -507,13 +507,13 @@ module ProductFlow {
private predicate pathSuccPlus(TNodePair n1, TNodePair n2) = fastTC(pathSucc/2)(n1, n2)
private predicate localPathStep1(Flow1::PathNode pred, Flow1::PathNode succ) {
Flow1::PathGraph::edges(pred, succ) and
Flow1::PathGraph::edges(pred, succ, _, _) and
pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
pragma[only_bind_out](succ.getNode().getEnclosingCallable())
}
private predicate localPathStep2(Flow2::PathNode pred, Flow2::PathNode succ) {
Flow2::PathGraph::edges(pred, succ) and
Flow2::PathGraph::edges(pred, succ, _, _) and
pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
pragma[only_bind_out](succ.getNode().getEnclosingCallable())
}
@@ -530,7 +530,7 @@ module ProductFlow {
TJump()
private predicate intoImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
Flow1::PathGraph::edges(pred1, succ1) and
Flow1::PathGraph::edges(pred1, succ1, _, _) and
pred1.getNode().(ArgumentNode).getCall() = call and
succ1.getNode() instanceof ParameterNode
}
@@ -543,7 +543,7 @@ module ProductFlow {
}
private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
Flow1::PathGraph::edges(pred1, succ1) and
Flow1::PathGraph::edges(pred1, succ1, _, _) and
exists(ReturnKindExt returnKind |
succ1.getNode() = returnKind.getAnOutNode(call) and
pred1.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -558,7 +558,7 @@ module ProductFlow {
}
private predicate intoImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
Flow2::PathGraph::edges(pred2, succ2) and
Flow2::PathGraph::edges(pred2, succ2, _, _) and
pred2.getNode().(ArgumentNode).getCall() = call and
succ2.getNode() instanceof ParameterNode
}
@@ -571,7 +571,7 @@ module ProductFlow {
}
private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
Flow2::PathGraph::edges(pred2, succ2) and
Flow2::PathGraph::edges(pred2, succ2, _, _) and
exists(ReturnKindExt returnKind |
succ2.getNode() = returnKind.getAnOutNode(call) and
pred2.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -590,7 +590,7 @@ module ProductFlow {
Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1,
TKind kind
) {
Flow1::PathGraph::edges(pred1, succ1) and
Flow1::PathGraph::edges(pred1, succ1, _, _) and
predDecl != succDecl and
pred1.getNode().getEnclosingCallable() = predDecl and
succ1.getNode().getEnclosingCallable() = succDecl and
@@ -610,7 +610,7 @@ module ProductFlow {
Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2,
TKind kind
) {
Flow2::PathGraph::edges(pred2, succ2) and
Flow2::PathGraph::edges(pred2, succ2, _, _) and
predDecl != succDecl and
pred2.getNode().getEnclosingCallable() = predDecl and
succ2.getNode().getEnclosingCallable() = succDecl and

44
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
View File

@@ -2,11 +2,8 @@ private import codeql.ssa.Ssa as SsaImplCommon
private import semmle.code.cpp.ir.IR
private import DataFlowUtil
private import DataFlowImplCommon as DataFlowImplCommon
private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
private import semmle.code.cpp.models.interfaces.Allocation as Alloc
private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
private import semmle.code.cpp.models.interfaces.FlowOutBarrier as FOB
private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as FIO
private import semmle.code.cpp.ir.internal.IRCppLanguage
private import DataFlowPrivate
private import ssa0.SsaInternals as SsaInternals0
@@ -548,6 +545,11 @@ class GlobalUse extends UseImpl, TGlobalUse {
*/
Type getUnspecifiedType() { result = global.getUnspecifiedType() }
/**
* Gets the type of this use, after typedefs have been resolved.
*/
Type getUnderlyingType() { result = global.getUnderlyingType() }
override predicate isCertain() { any() }
override BaseSourceVariableInstruction getBase() { none() }
@@ -591,11 +593,16 @@ class GlobalDefImpl extends DefOrUseImpl, TGlobalDefImpl {
int getIndirection() { result = indirectionIndex }
/**
* Gets the type of this use after specifiers have been deeply stripped
* and typedefs have been resolved.
* Gets the type of this definition after specifiers have been deeply
* stripped and typedefs have been resolved.
*/
Type getUnspecifiedType() { result = global.getUnspecifiedType() }
/**
* Gets the type of this definition, after typedefs have been resolved.
*/
Type getUnderlyingType() { result = global.getUnderlyingType() }
override string toString() { result = "Def of " + this.getSourceVariable() }
override Location getLocation() { result = f.getLocation() }
@@ -787,30 +794,10 @@ private Node getAPriorDefinition(SsaDefOrUse defOrUse) {
)
}
/**
* Holds if there should not be use-use flow out of `n` (or a conversion that
* flows to `n`).
*/
private predicate modeledFlowBarrier(Node n) {
exists(FIO::FunctionInput input, CallInstruction call |
call.getStaticCallTarget().(FOB::FlowOutBarrierFunction).isFlowOutBarrier(input) and
n = callInput(call, input)
)
or
exists(Operand operand, Instruction instr, Node n0, int indirectionIndex |
modeledFlowBarrier(n0) and
nodeHasInstruction(n0, instr, indirectionIndex) and
conversionFlow(operand, instr, false, _) and
nodeHasOperand(n, operand, indirectionIndex)
)
}
/** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
predicate ssaFlow(Node nodeFrom, Node nodeTo) {
exists(Node nFrom, boolean uncertain, SsaDefOrUse defOrUse |
ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and
not modeledFlowBarrier(nFrom) and
nodeFrom != nodeTo
ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and nodeFrom != nodeTo
|
if uncertain = true then nodeFrom = [nFrom, getAPriorDefinition(defOrUse)] else nodeFrom = nFrom
)
@@ -1115,6 +1102,11 @@ class GlobalDef extends TGlobalDef, SsaDefOrUse {
*/
DataFlowType getUnspecifiedType() { result = global.getUnspecifiedType() }
/**
* Gets the type of this definition, after typedefs have been resolved.
*/
DataFlowType getUnderlyingType() { result = global.getUnderlyingType() }
/** Gets the `IRFunction` whose body is evaluated after this definition. */
IRFunction getIRFunction() { result = global.getIRFunction() }

17
cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
View File

@@ -22,11 +22,28 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
])
}
/**
* Gets the index of the parameter that specifies the fill character to insert, if any.
*/
private int getFillCharParameterIndex() {
(
this.hasGlobalOrStdOrBslName("memset")
or
this.hasGlobalOrStdName("wmemset")
or
this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk"])
) and
result = 1
}
override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
input.isParameter(0) and
output.isReturnValue()
or
input.isParameter(this.getFillCharParameterIndex()) and
(output.isParameterDeref(0) or output.isReturnValueDeref())
}
override predicate hasArrayWithVariableSize(int bufParam, int countParam) {

13
cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll
View File

@@ -1,7 +1,6 @@
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.FlowOutBarrier
/**
* The standard function `swap`. A use of `swap` looks like this:
@@ -9,7 +8,7 @@ import semmle.code.cpp.models.interfaces.FlowOutBarrier
* std::swap(obj1, obj2)
* ```
*/
private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
private class Swap extends DataFlowFunction {
Swap() { this.hasQualifiedName(["std", "bsl"], "swap") }
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -19,8 +18,6 @@ private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
input.isParameterDeref(1) and
output.isParameterDeref(0)
}
override predicate isFlowOutBarrier(FunctionInput input) { input.isParameterDeref([0, 1]) }
}
/**
@@ -29,9 +26,7 @@ private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
* obj1.swap(obj2)
* ```
*/
private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction,
FlowOutBarrierFunction
{
private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
MemberSwap() {
this.hasName("swap") and
this.getNumberOfParameters() = 1 and
@@ -52,8 +47,4 @@ private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction,
override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
override predicate parameterIsAlwaysReturned(int index) { index = 0 }
override predicate isFlowOutBarrier(FunctionInput input) {
input.isQualifierObject() or input.isParameterDeref(0)
}
}

26
cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowOutBarrier.qll
View File

@@ -1,26 +0,0 @@
/**
* Provides an abstract class for blocking flow out of functions. To use this
* QL library, create a QL class extending `FlowOutBarrierFunction` with a
* characteristic predicate that selects the function or set of functions you
* are modeling. Within that class, override the predicates provided by
* `FlowOutBarrierFunction` to match the flow within that function.
*/
import semmle.code.cpp.Function
import FunctionInputsAndOutputs
/**
* A library function for which flow should not continue after reaching one
* of its inputs.
*
* For example, since `std::swap(a, b)` swaps the values pointed to by `a`
* and `b` there should not be use-use flow out of `a` or `b`.
*/
abstract class FlowOutBarrierFunction extends Function {
/**
* Holds if use-use flow should not continue onwards after reaching
* the argument, qualifier, or buffer represented by `input`.
*/
pragma[nomagic]
abstract predicate isFlowOutBarrier(FunctionInput input);
}

10
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 0.9.4
### Minor Analysis Improvements
* Corrected 2 false positive with `cpp/incorrect-string-type-conversion`: conversion of byte arrays to wchar and new array allocations converted to wchar.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) no longer reports an alert when an explicit check for EOF is added.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) now recognizes more EOF checks.
* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) no longer reports an alert when the local variable is used as a qualifier to a static member function call.
* The diagnostic query `cpp/diagnostics/successfully-extracted-files` now considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.
## 0.9.3
### Minor Analysis Improvements

4
cpp/ql/src/change-notes/2024-01-19-extracted-files.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The diagnostic query `cpp/diagnostics/successfully-extracted-files` now considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.

4
cpp/ql/src/change-notes/2024-01-29-false_positive_incorrect_string_type_conversion.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Corrected 2 false positive with `cpp/incorrect-string-type-conversion`: conversion of byte arrays to wchar and new array allocations converted to wchar.

4
cpp/ql/src/change-notes/2024-01-29-incorrectly-checked-scanf-2.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) now recognizes more EOF checks.

4
cpp/ql/src/change-notes/2024-01-29-incorrectly-checked-scanf.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) no longer reports an alert when an explicit check for EOF is added.

5
cpp/ql/src/change-notes/2024-01-29-uninitialized-local-false-positive.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) no longer reports an alert when the local variable is used as a qualifier to a static member function call.
* ```

9
cpp/ql/src/change-notes/released/0.9.4.md Normal file
View File

@@ -0,0 +1,9 @@
## 0.9.4
### Minor Analysis Improvements
* Corrected 2 false positive with `cpp/incorrect-string-type-conversion`: conversion of byte arrays to wchar and new array allocations converted to wchar.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) no longer reports an alert when an explicit check for EOF is added.
* The "Incorrect return-value check for a 'scanf'-like function" query (`cpp/incorrectly-checked-scanf`) now recognizes more EOF checks.
* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) no longer reports an alert when the local variable is used as a qualifier to a static member function call.
* The diagnostic query `cpp/diagnostics/successfully-extracted-files` now considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.3
lastReleaseVersion: 0.9.4

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.9.4-dev
version: 0.9.5-dev
groups:
- cpp
- queries

2
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected
View File

@@ -1,5 +1,5 @@
edges
| test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath |
| test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | provenance | |
nodes
| test.cpp:22:27:22:30 | **argv | semmle.label | **argv |
| test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath |

6
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
View File

@@ -1,7 +1,7 @@
edges
| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
| test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size |
| test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size |
| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance | |
| test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size | provenance | |
| test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size | provenance | |
nodes
| test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
| test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |

78
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
View File

@@ -1,43 +1,43 @@
edges
| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:28:19:28:26 | call to mk_array [p] |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:50:18:50:25 | call to mk_array [p] |
| test.cpp:21:5:21:7 | *arr [post update] [p] | test.cpp:22:5:22:7 | *arr [p] |
| test.cpp:21:5:21:24 | ... = ... | test.cpp:21:5:21:7 | *arr [post update] [p] |
| test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | ... = ... |
| test.cpp:22:5:22:7 | *arr [p] | test.cpp:19:9:19:16 | *mk_array [p] |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | *arr [p] |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | *arr [p] |
| test.cpp:31:9:31:11 | *arr [p] | test.cpp:31:13:31:13 | p |
| test.cpp:35:9:35:11 | *arr [p] | test.cpp:35:13:35:13 | p |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | *arr [p] |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | *arr [p] |
| test.cpp:41:9:41:11 | *arr [p] | test.cpp:41:13:41:13 | p |
| test.cpp:45:9:45:11 | *arr [p] | test.cpp:45:13:45:13 | p |
| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] |
| test.cpp:55:5:55:7 | *arr [post update] [p] | test.cpp:56:5:56:7 | *arr [p] |
| test.cpp:55:5:55:24 | ... = ... | test.cpp:55:5:55:7 | *arr [post update] [p] |
| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:59:9:59:11 | *arr [p] |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:63:9:63:11 | *arr [p] |
| test.cpp:59:9:59:11 | *arr [p] | test.cpp:59:13:59:13 | p |
| test.cpp:63:9:63:11 | *arr [p] | test.cpp:63:13:63:13 | p |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:76:20:76:29 | *call to mk_array_p [p] |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:98:18:98:27 | *call to mk_array_p [p] |
| test.cpp:69:5:69:7 | *arr [post update] [p] | test.cpp:70:5:70:7 | *arr [p] |
| test.cpp:69:5:69:25 | ... = ... | test.cpp:69:5:69:7 | *arr [post update] [p] |
| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... |
| test.cpp:70:5:70:7 | *arr [p] | test.cpp:67:10:67:19 | **mk_array_p [p] |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:79:9:79:11 | *arr [p] |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:83:9:83:11 | *arr [p] |
| test.cpp:79:9:79:11 | *arr [p] | test.cpp:79:14:79:14 | p |
| test.cpp:83:9:83:11 | *arr [p] | test.cpp:83:14:83:14 | p |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:89:9:89:11 | *arr [p] |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:93:9:93:11 | *arr [p] |
| test.cpp:89:9:89:11 | *arr [p] | test.cpp:89:14:89:14 | p |
| test.cpp:93:9:93:11 | *arr [p] | test.cpp:93:14:93:14 | p |
| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr | provenance | |
| test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | provenance | |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:28:19:28:26 | call to mk_array [p] | provenance | |
| test.cpp:19:9:19:16 | *mk_array [p] | test.cpp:50:18:50:25 | call to mk_array [p] | provenance | |
| test.cpp:21:5:21:7 | *arr [post update] [p] | test.cpp:22:5:22:7 | *arr [p] | provenance | |
| test.cpp:21:5:21:24 | ... = ... | test.cpp:21:5:21:7 | *arr [post update] [p] | provenance | |
| test.cpp:21:13:21:18 | call to malloc | test.cpp:21:5:21:24 | ... = ... | provenance | |
| test.cpp:22:5:22:7 | *arr [p] | test.cpp:19:9:19:16 | *mk_array [p] | provenance | |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:31:9:31:11 | *arr [p] | provenance | |
| test.cpp:28:19:28:26 | call to mk_array [p] | test.cpp:35:9:35:11 | *arr [p] | provenance | |
| test.cpp:31:9:31:11 | *arr [p] | test.cpp:31:13:31:13 | p | provenance | |
| test.cpp:35:9:35:11 | *arr [p] | test.cpp:35:13:35:13 | p | provenance | |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:41:9:41:11 | *arr [p] | provenance | |
| test.cpp:39:27:39:29 | arr [p] | test.cpp:45:9:45:11 | *arr [p] | provenance | |
| test.cpp:41:9:41:11 | *arr [p] | test.cpp:41:13:41:13 | p | provenance | |
| test.cpp:45:9:45:11 | *arr [p] | test.cpp:45:13:45:13 | p | provenance | |
| test.cpp:50:18:50:25 | call to mk_array [p] | test.cpp:39:27:39:29 | arr [p] | provenance | |
| test.cpp:55:5:55:7 | *arr [post update] [p] | test.cpp:56:5:56:7 | *arr [p] | provenance | |
| test.cpp:55:5:55:24 | ... = ... | test.cpp:55:5:55:7 | *arr [post update] [p] | provenance | |
| test.cpp:55:13:55:18 | call to malloc | test.cpp:55:5:55:24 | ... = ... | provenance | |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:59:9:59:11 | *arr [p] | provenance | |
| test.cpp:56:5:56:7 | *arr [p] | test.cpp:63:9:63:11 | *arr [p] | provenance | |
| test.cpp:59:9:59:11 | *arr [p] | test.cpp:59:13:59:13 | p | provenance | |
| test.cpp:63:9:63:11 | *arr [p] | test.cpp:63:13:63:13 | p | provenance | |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:76:20:76:29 | *call to mk_array_p [p] | provenance | |
| test.cpp:67:10:67:19 | **mk_array_p [p] | test.cpp:98:18:98:27 | *call to mk_array_p [p] | provenance | |
| test.cpp:69:5:69:7 | *arr [post update] [p] | test.cpp:70:5:70:7 | *arr [p] | provenance | |
| test.cpp:69:5:69:25 | ... = ... | test.cpp:69:5:69:7 | *arr [post update] [p] | provenance | |
| test.cpp:69:14:69:19 | call to malloc | test.cpp:69:5:69:25 | ... = ... | provenance | |
| test.cpp:70:5:70:7 | *arr [p] | test.cpp:67:10:67:19 | **mk_array_p [p] | provenance | |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:79:9:79:11 | *arr [p] | provenance | |
| test.cpp:76:20:76:29 | *call to mk_array_p [p] | test.cpp:83:9:83:11 | *arr [p] | provenance | |
| test.cpp:79:9:79:11 | *arr [p] | test.cpp:79:14:79:14 | p | provenance | |
| test.cpp:83:9:83:11 | *arr [p] | test.cpp:83:14:83:14 | p | provenance | |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:89:9:89:11 | *arr [p] | provenance | |
| test.cpp:87:28:87:30 | *arr [p] | test.cpp:93:9:93:11 | *arr [p] | provenance | |
| test.cpp:89:9:89:11 | *arr [p] | test.cpp:89:14:89:14 | p | provenance | |
| test.cpp:93:9:93:11 | *arr [p] | test.cpp:93:14:93:14 | p | provenance | |
| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | provenance | |
nodes
| test.cpp:4:17:4:22 | call to malloc | semmle.label | call to malloc |
| test.cpp:6:9:6:11 | arr | semmle.label | arr |

140
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
View File

@@ -1,74 +1,74 @@
edges
| test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array |
| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array |
| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array |
| test.cpp:39:14:39:16 | buf | test.cpp:39:9:39:19 | access to array |
| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array |
| test.cpp:48:10:48:12 | buf | test.cpp:48:5:48:24 | access to array |
| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array |
| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array |
| test.cpp:53:14:53:16 | buf | test.cpp:53:9:53:19 | access to array |
| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array |
| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array |
| test.cpp:70:33:70:33 | p | test.cpp:71:5:71:17 | access to array |
| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array |
| test.cpp:76:26:76:46 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:76:32:76:34 | buf | test.cpp:76:26:76:46 | & ... |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
| test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... |
| test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p |
| test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf |
| test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:31 | access to array |
| test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array |
| test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array |
| test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array |
| test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array |
| test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array |
| test.cpp:115:35:115:37 | arr | test.cpp:111:17:111:22 | access to array |
| test.cpp:115:35:115:37 | arr | test.cpp:115:35:115:40 | access to array |
| test.cpp:115:35:115:37 | arr | test.cpp:119:17:119:22 | access to array |
| test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array |
| test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array |
| test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array |
| test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array |
| test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... |
| test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr |
| test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr |
| test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf |
| test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... |
| test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... |
| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... |
| test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p |
| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array |
| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array |
| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array |
| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 |
| test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p |
| test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array |
| test.cpp:306:20:306:23 | arr1 | test.cpp:292:25:292:27 | arr |
| test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 |
| test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr |
| test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 |
| test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... |
| test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... |
| test.cpp:319:19:319:27 | ... + ... | test.cpp:325:24:325:26 | end |
| test.cpp:322:19:322:22 | temp | test.cpp:322:19:322:27 | ... + ... |
| test.cpp:322:19:322:22 | temp | test.cpp:324:23:324:32 | ... + ... |
| test.cpp:322:19:322:27 | ... + ... | test.cpp:325:24:325:26 | end |
| test.cpp:324:23:324:26 | temp | test.cpp:324:23:324:32 | ... + ... |
| test.cpp:324:23:324:32 | ... + ... | test.cpp:325:15:325:19 | temp2 |
| test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array | provenance | |
| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | provenance | |
| test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | provenance | |
| test.cpp:39:14:39:16 | buf | test.cpp:39:9:39:19 | access to array | provenance | |
| test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | provenance | |
| test.cpp:48:10:48:12 | buf | test.cpp:48:5:48:24 | access to array | provenance | |
| test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | provenance | |
| test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | provenance | |
| test.cpp:53:14:53:16 | buf | test.cpp:53:9:53:19 | access to array | provenance | |
| test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | provenance | |
| test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | provenance | |
| test.cpp:70:33:70:33 | p | test.cpp:71:5:71:17 | access to array | provenance | |
| test.cpp:70:33:70:33 | p | test.cpp:72:5:72:15 | access to array | provenance | |
| test.cpp:76:26:76:46 | & ... | test.cpp:66:32:66:32 | p | provenance | |
| test.cpp:76:32:76:34 | buf | test.cpp:76:26:76:46 | & ... | provenance | |
| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p | provenance | |
| test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... | provenance | |
| test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p | provenance | |
| test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf | provenance | |
| test.cpp:85:34:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance | |
| test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance | |
| test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance | |
| test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | |
| test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | |
| test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | |
| test.cpp:115:35:115:37 | arr | test.cpp:111:17:111:22 | access to array | provenance | |
| test.cpp:115:35:115:37 | arr | test.cpp:115:35:115:40 | access to array | provenance | |
| test.cpp:115:35:115:37 | arr | test.cpp:119:17:119:22 | access to array | provenance | |
| test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | |
| test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | |
| test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | |
| test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | provenance | |
| test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... | provenance | |
| test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr | provenance | |
| test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr | provenance | |
| test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf | provenance | |
| test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... | provenance | |
| test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... | provenance | |
| test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance | |
| test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p | provenance | |
| test.cpp:218:23:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance | |
| test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance | |
| test.cpp:229:25:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance | |
| test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance | |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | |
| test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance | |
| test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance | |
| test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p | provenance | |
| test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p | provenance | |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p | provenance | |
| test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance | |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p | provenance | |
| test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance | |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p | provenance | |
| test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance | |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array | provenance | |
| test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array | provenance | |
| test.cpp:306:20:306:23 | arr1 | test.cpp:292:25:292:27 | arr | provenance | |
| test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 | provenance | |
| test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr | provenance | |
| test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 | provenance | |
| test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... | provenance | |
| test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | |
| test.cpp:319:19:319:27 | ... + ... | test.cpp:325:24:325:26 | end | provenance | |
| test.cpp:322:19:322:22 | temp | test.cpp:322:19:322:27 | ... + ... | provenance | |
| test.cpp:322:19:322:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | |
| test.cpp:322:19:322:27 | ... + ... | test.cpp:325:24:325:26 | end | provenance | |
| test.cpp:324:23:324:26 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | |
| test.cpp:324:23:324:32 | ... + ... | test.cpp:325:15:325:19 | temp2 | provenance | |
nodes
| test.cpp:34:5:34:24 | access to array | semmle.label | access to array |
| test.cpp:34:10:34:12 | buf | semmle.label | buf |

20
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected
View File

@@ -1,14 +1,14 @@
edges
| test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func |
| test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp |
| test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical |
| test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp |
| test.cpp:77:16:77:22 | medical | test.cpp:81:22:81:28 | medical |
| test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 |
| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer |
| test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func |
| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
| test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode |
| test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | provenance | |
| test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | provenance | |
| test.cpp:74:24:74:30 | medical | test.cpp:81:22:81:28 | medical | provenance | |
| test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | provenance | |
| test.cpp:77:16:77:22 | medical | test.cpp:81:22:81:28 | medical | provenance | |
| test.cpp:81:17:81:20 | call to func | test.cpp:82:24:82:28 | buff5 | provenance | |
| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | provenance | |
| test.cpp:81:22:81:28 | medical | test.cpp:81:17:81:20 | call to func | provenance | |
| test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | provenance | |
| test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | provenance | |
nodes
| test.cpp:45:7:45:10 | *func | semmle.label | *func |
| test.cpp:45:18:45:23 | buffer | semmle.label | buffer |

1
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
View File

@@ -165,6 +165,7 @@ postWithInFlow
| test.cpp:931:5:931:18 | global_pointer [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:932:5:932:19 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:932:6:932:19 | global_pointer [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:1045:9:1045:11 | ref arg buf | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition

1
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
View File

@@ -25,6 +25,7 @@ postWithInFlow
| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
| test.cpp:1045:9:1045:11 | memset output argument | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition

1
cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
View File

@@ -309,6 +309,7 @@ irFlow
| test.cpp:994:18:994:32 | *call to indirect_source | test.cpp:1003:19:1003:28 | *translated |
| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1027:19:1027:28 | *translated |
| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1031:19:1031:28 | *translated |
| test.cpp:1045:14:1045:19 | call to source | test.cpp:1046:7:1046:10 | * ... |
| true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
| true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
| true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

7
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -1037,4 +1037,11 @@ namespace test_gettext {
sink(translated); // clean
indirect_sink(translated); // clean
}
}
void* memset(void*, int, size_t);
void memset_test(char* buf) { // $ ast-def=buf
memset(buf, source(), 10);
sink(*buf); // $ ir MISSING: ast
}

15
cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected
View File

@@ -1,3 +1,18 @@
astTypeBugs
irTypeBugs
incorrectBaseType
| clang.cpp:22:8:22:20 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| clang.cpp:23:17:23:29 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| flowOut.cpp:50:14:50:15 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| flowOut.cpp:84:9:84:10 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| flowOut.cpp:101:13:101:14 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| self_parameter_flow.cpp:8:8:8:9 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * |
| test.cpp:67:28:67:37 | (reference dereference) | Expected 'Node.getType()' to be const int, but it was int * |
| test.cpp:531:39:531:40 | *& ... | Expected 'Node.getType()' to be int, but it was const int * |
| test.cpp:615:13:615:21 | *& ... | Expected 'Node.getType()' to be int, but it was void |
| test.cpp:704:22:704:25 | *& ... | Expected 'Node.getType()' to be int, but it was int * |
| test.cpp:715:24:715:25 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * |
| test.cpp:848:23:848:25 | (reference dereference) | Expected 'Node.getType()' to be int, but it was int * |
| test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int |
| test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int |
failures

11
cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.ql
View File

@@ -25,6 +25,17 @@ module IrTest {
n != 1
)
}
query predicate incorrectBaseType(Node n, string msg) {
exists(PointerType pointerType, Type nodeType, Type baseType |
not n.isGLValue() and
pointerType = n.asIndirectExpr(1).getActualType() and
baseType = pointerType.getBaseType() and
nodeType = n.getType() and
nodeType != baseType and
msg = "Expected 'Node.getType()' to be " + baseType + ", but it was " + nodeType
)
}
}
import IrTest

1498
cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
View File

File diff suppressed because it is too large Load Diff

1494
cpp/ql/test/library-tests/dataflow/fields/path-flow.expected
View File

File diff suppressed because it is too large Load Diff

16
cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
View File

@@ -71,11 +71,11 @@ void test_pair()
sink(i.second); // $ MISSING: ast,ir
sink(i); // $ ast,ir
sink(j.first);
sink(j.second); // $ SPURIOUS: ast
sink(j); // $ SPURIOUS: ast
sink(j.second); // $ SPURIOUS: ast,ir
sink(j); // $ SPURIOUS: ast,ir
sink(k.first);
sink(k.second); // $ SPURIOUS: ast
sink(k); // $ SPURIOUS: ast
sink(k.second); // $ SPURIOUS: ast,ir
sink(k); // $ SPURIOUS: ast,ir
sink(l.first);
sink(l.second); // $ MISSING: ast,ir
sink(l); // $ ast,ir
@@ -196,10 +196,10 @@ void test_map()
sink(m18); // $ ast,ir
m15.swap(m16);
m17.swap(m18);
sink(m15); // $ SPURIOUS: ast
sink(m15); // $ SPURIOUS: ast,ir
sink(m16); // $ ast,ir
sink(m17); // $ ast,ir
sink(m18); // $ SPURIOUS: ast
sink(m18); // $ SPURIOUS: ast,ir
// merge
std::map<char *, char *> m19, m20, m21, m22;
@@ -345,10 +345,10 @@ void test_unordered_map()
sink(m18); // $ ast,ir
m15.swap(m16);
m17.swap(m18);
sink(m15); // $ SPURIOUS: ast
sink(m15); // $ SPURIOUS: ast,ir
sink(m16); // $ ast,ir
sink(m17); // $ ast,ir
sink(m18); // $ SPURIOUS: ast
sink(m18); // $ SPURIOUS: ast,ir
// merge
std::unordered_map<char *, char *> m19, m20, m21, m22;

8
cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
View File

@@ -81,10 +81,10 @@ void test_set()
sink(s15); // $ ast,ir
s12.swap(s13);
s14.swap(s15);
sink(s12); // $ SPURIOUS: ast
sink(s12); // $ SPURIOUS: ast,ir
sink(s13); // $ ast,ir
sink(s14); // $ ast,ir
sink(s15); // $ SPURIOUS: ast
sink(s15); // $ SPURIOUS: ast,ir
// merge
std::set<char *> s16, s17, s18, s19;
@@ -193,10 +193,10 @@ void test_unordered_set()
sink(s15); // $ ast,ir
s12.swap(s13);
s14.swap(s15);
sink(s12); // $ SPURIOUS: ast
sink(s12); // $ SPURIOUS: ast,ir
sink(s13); // $ ast,ir
sink(s14); // $ ast,ir
sink(s15); // $ SPURIOUS: ast
sink(s15); // $ SPURIOUS: ast,ir
// merge
std::unordered_set<char *> s16, s17, s18, s19;

4
cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
View File

@@ -280,9 +280,9 @@ void test_string_swap() {
s4.swap(s3);
sink(s1); // $ ast,ir
sink(s2); // $ SPURIOUS: ast
sink(s2); // $ SPURIOUS: ast,ir
sink(s3); // $ ast,ir
sink(s4); // $ SPURIOUS: ast
sink(s4); // $ SPURIOUS: ast,ir
}
void test_string_clear() {

4
cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
View File

@@ -118,9 +118,9 @@ void test_stringstream_swap()
ss4.swap(ss3);
sink(ss1); // $ ast,ir
sink(ss2); // $ SPURIOUS: ast
sink(ss2); // $ SPURIOUS: ast,ir
sink(ss3); // $ ast,ir
sink(ss4); // $ SPURIOUS: ast
sink(ss4); // $ SPURIOUS: ast,ir
}
void test_stringstream_in()

2
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -212,7 +212,7 @@ void test_swap() {
std::swap(x, y);
sink(x); // $ SPURIOUS: ast
sink(x); // $ SPURIOUS: ast,ir
sink(y); // $ ast,ir
}

4
cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
View File

@@ -114,10 +114,10 @@ void test_vector_swap() {
v1.swap(v2);
v3.swap(v4);
sink(v1); // $ SPURIOUS: ast
sink(v1); // $ SPURIOUS: ast,ir
sink(v2); // $ ast,ir
sink(v3); // $ ast,ir
sink(v4); // $ SPURIOUS: ast
sink(v4); // $ SPURIOUS: ast,ir
}
void test_vector_clear() {

12843
cpp/ql/test/library-tests/ir/ir/PrintAST.expected
View File

File diff suppressed because it is too large Load Diff

11927
cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
View File

File diff suppressed because it is too large Load Diff

1
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency.expected
View File

@@ -6,6 +6,7 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ir.cpp:2138:21:2138:21 | Chi: x | Instruction 'Chi: x' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
ambiguousSuccessors
unexplainedLoop
unnecessaryPhiInstruction

1
cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.expected
View File

@@ -6,6 +6,7 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ir.cpp:2138:21:2138:21 | Chi: x | Instruction 'Chi: x' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
ambiguousSuccessors
unexplainedLoop
unnecessaryPhiInstruction

47
cpp/ql/test/library-tests/ir/ir/ir.cpp
View File

@@ -1064,7 +1064,9 @@ struct vector {
bool operator!=(iterator right) const;
};
vector(T); ~vector();
vector(T);
~vector();
iterator begin() const;
iterator end() const;
};
@@ -2120,6 +2122,38 @@ void call_as_child_of_ConditionDeclExpr() {
if(HasOperatorBool b = HasOperatorBool()) {}
}
class ClassWithDestructor {
char *x;
public:
ClassWithDestructor() { x = new char; }
~ClassWithDestructor() { delete x; }
void set_x(char y) { *x = y; }
};
constexpr bool initialization_with_destructor_bool = true;
void initialization_with_destructor(bool b, char c) {
if (ClassWithDestructor x; b)
x.set_x('a');
if constexpr (ClassWithDestructor x; initialization_with_destructor_bool)
x.set_x('a');
switch(ClassWithDestructor x; c) {
case 'a':
x.set_x('a');
break;
default:
x.set_x('b');
break;
}
ClassWithDestructor x;
for(vector<ClassWithDestructor> ys(x); ClassWithDestructor y : ys)
y.set_x('a');
}
void TryCatchDestructors(bool b) {
try {
String s;
@@ -2186,14 +2220,6 @@ void IfDestructors3(bool b) {
}
}
class Bool2 {
public:
Bool2(bool b_);
operator bool();
~Bool2();
};
void WhileLoopDestructors(bool b) {
{
String s;
@@ -2208,4 +2234,5 @@ void WhileLoopDestructors(bool b) {
}
}
}
// semmle-extractor-options: -std=c++17 --clang
// semmle-extractor-options: -std=c++20 --clang

10598
cpp/ql/test/library-tests/ir/ir/operand_locations.expected
View File

File diff suppressed because it is too large Load Diff

7
cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
View File

@@ -6,6 +6,10 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ir.cpp:2138:21:2138:21 | IndirectMayWriteSideEffect: x | Instruction 'IndirectMayWriteSideEffect: x' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
| ir.cpp:2140:39:2140:39 | IndirectMayWriteSideEffect: call to ClassWithDestructor | Instruction 'IndirectMayWriteSideEffect: call to ClassWithDestructor' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
| ir.cpp:2140:42:2140:76 | Constant: initialization_with_destructor_bool | Instruction 'Constant: initialization_with_destructor_bool' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
| ir.cpp:2141:9:2141:9 | IndirectMayWriteSideEffect: x | Instruction 'IndirectMayWriteSideEffect: x' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
ambiguousSuccessors
unexplainedLoop
unnecessaryPhiInstruction
@@ -20,7 +24,7 @@ multipleIRTypes
lostReachability
backEdgeCountMismatch
useNotDominatedByDefinition
| ir.cpp:1486:8:1486:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1486:8:1486:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
| ir.cpp:1488:8:1488:8 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | ir.cpp:1488:8:1488:8 | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() | void StructuredBindingDataMemberStruct::StructuredBindingDataMemberStruct() |
| try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
| try_except.c:13:13:13:13 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:6:6:6:6 | void f() | void f() |
| try_except.c:39:15:39:15 | Left | Operand 'Left' is not dominated by its definition in function '$@'. | try_except.c:32:6:32:6 | void h(int) | void h(int) |
@@ -37,4 +41,5 @@ nonUniqueEnclosingIRFunction
fieldAddressOnNonPointer
thisArgumentIsNonPointer
nonUniqueIRVariable
| ir.cpp:2153:68:2153:69 | VariableAddress: ys | Variable address instruction 'VariableAddress: ys' has no associated variable, in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
missingCppType

10685
cpp/ql/test/library-tests/ir/ir/raw_ir.expected
View File

File diff suppressed because it is too large Load Diff

1
cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency.expected
View File

@@ -6,6 +6,7 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ir.cpp:2138:21:2138:21 | IndirectMayWriteSideEffect: x | Instruction 'IndirectMayWriteSideEffect: x' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
ambiguousSuccessors
unexplainedLoop
unnecessaryPhiInstruction

1
cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.expected
View File

@@ -6,6 +6,7 @@ missingOperandType
duplicateChiOperand
sideEffectWithoutPrimary
instructionWithoutSuccessor
| ir.cpp:2138:21:2138:21 | IndirectMayWriteSideEffect: x | Instruction 'IndirectMayWriteSideEffect: x' has no successors in function '$@'. | ir.cpp:2136:6:2136:35 | void initialization_with_destructor(bool, char) | void initialization_with_destructor(bool, char) |
ambiguousSuccessors
unexplainedLoop
unnecessaryPhiInstruction

24
cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected
View File

@@ -1,16 +1,16 @@
edges
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a |
| test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a |
| test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a |
| test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a |
| test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a |
| test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | provenance | |
| test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | provenance | |
| test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | provenance | |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | provenance | |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | provenance | |
| test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | provenance | |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | provenance | |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | provenance | |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | provenance | |
| test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | provenance | |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | provenance | |
| test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | provenance | |
nodes
| test_free.cpp:11:10:11:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test_free.cpp:14:10:14:10 | a | semmle.label | a |

46
cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
View File

@@ -1,27 +1,27 @@
edges
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a |
| test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a |
| test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a |
| test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... |
| test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... |
| test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... |
| test_free.cpp:277:8:277:8 | *s [post update] [buf] | test_free.cpp:278:12:278:12 | *s [buf] |
| test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:277:8:277:8 | *s [post update] [buf] |
| test_free.cpp:278:12:278:12 | *s [buf] | test_free.cpp:278:15:278:17 | buf |
| test_free.cpp:282:8:282:8 | *s [post update] [buf] | test_free.cpp:283:12:283:12 | *s [buf] |
| test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:282:8:282:8 | *s [post update] [buf] |
| test_free.cpp:283:12:283:12 | *s [buf] | test_free.cpp:283:14:283:16 | buf |
| test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:294:3:294:13 | ... = ... |
| test_free.cpp:294:3:294:3 | *s [post update] [buf] | test_free.cpp:295:12:295:12 | *s [buf] |
| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:3:294:3 | *s [post update] [buf] |
| test_free.cpp:295:12:295:12 | *s [buf] | test_free.cpp:295:14:295:16 | buf |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | provenance | |
| test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | provenance | |
| test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | provenance | |
| test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | provenance | |
| test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | provenance | |
| test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | provenance | |
| test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | provenance | |
| test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | provenance | |
| test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | provenance | |
| test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | provenance | |
| test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | provenance | |
| test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | provenance | |
| test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | provenance | |
| test_free.cpp:277:8:277:8 | *s [post update] [buf] | test_free.cpp:278:12:278:12 | *s [buf] | provenance | |
| test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:277:8:277:8 | *s [post update] [buf] | provenance | |
| test_free.cpp:278:12:278:12 | *s [buf] | test_free.cpp:278:15:278:17 | buf | provenance | |
| test_free.cpp:282:8:282:8 | *s [post update] [buf] | test_free.cpp:283:12:283:12 | *s [buf] | provenance | |
| test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:282:8:282:8 | *s [post update] [buf] | provenance | |
| test_free.cpp:283:12:283:12 | *s [buf] | test_free.cpp:283:14:283:16 | buf | provenance | |
| test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:294:3:294:13 | ... = ... | provenance | |
| test_free.cpp:294:3:294:3 | *s [post update] [buf] | test_free.cpp:295:12:295:12 | *s [buf] | provenance | |
| test_free.cpp:294:3:294:13 | ... = ... | test_free.cpp:294:3:294:3 | *s [post update] [buf] | provenance | |
| test_free.cpp:295:12:295:12 | *s [buf] | test_free.cpp:295:14:295:16 | buf | provenance | |
nodes
| test_free.cpp:11:10:11:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test_free.cpp:12:5:12:5 | a | semmle.label | a |

42
cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected
View File

@@ -1,25 +1,25 @@
edges
| test.cpp:26:29:26:29 | b | test.cpp:27:2:27:2 | b |
| test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b |
| test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b |
| test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b |
| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d |
| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d |
| test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b |
| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d |
| test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b |
| test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b |
| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss |
| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b |
| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss |
| test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b |
| test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b |
| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 |
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b |
| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 |
| test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b |
| test.cpp:26:29:26:29 | b | test.cpp:27:2:27:2 | b | provenance | |
| test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b | provenance | |
| test.cpp:34:31:34:31 | b | test.cpp:35:2:35:2 | b | provenance | |
| test.cpp:57:19:57:19 | d | test.cpp:26:29:26:29 | b | provenance | |
| test.cpp:57:19:57:19 | d | test.cpp:58:25:58:25 | d | provenance | |
| test.cpp:57:19:57:19 | d | test.cpp:59:21:59:21 | d | provenance | |
| test.cpp:58:25:58:25 | d | test.cpp:30:34:30:34 | b | provenance | |
| test.cpp:58:25:58:25 | d | test.cpp:59:21:59:21 | d | provenance | |
| test.cpp:59:21:59:21 | d | test.cpp:34:31:34:31 | b | provenance | |
| test.cpp:74:19:74:21 | dss | test.cpp:26:29:26:29 | b | provenance | |
| test.cpp:74:19:74:21 | dss | test.cpp:75:25:75:27 | dss | provenance | |
| test.cpp:74:19:74:21 | dss | test.cpp:76:21:76:23 | dss | provenance | |
| test.cpp:75:25:75:27 | dss | test.cpp:30:34:30:34 | b | provenance | |
| test.cpp:75:25:75:27 | dss | test.cpp:76:21:76:23 | dss | provenance | |
| test.cpp:76:21:76:23 | dss | test.cpp:34:31:34:31 | b | provenance | |
| test.cpp:86:19:86:20 | d2 | test.cpp:26:29:26:29 | b | provenance | |
| test.cpp:86:19:86:20 | d2 | test.cpp:87:25:87:26 | d2 | provenance | |
| test.cpp:86:19:86:20 | d2 | test.cpp:88:21:88:22 | d2 | provenance | |
| test.cpp:87:25:87:26 | d2 | test.cpp:30:34:30:34 | b | provenance | |
| test.cpp:87:25:87:26 | d2 | test.cpp:88:21:88:22 | d2 | provenance | |
| test.cpp:88:21:88:22 | d2 | test.cpp:34:31:34:31 | b | provenance | |
nodes
| test.cpp:26:29:26:29 | b | semmle.label | b |
| test.cpp:27:2:27:2 | b | semmle.label | b |

2
cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected
View File

@@ -1,5 +1,5 @@
edges
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | provenance | |
nodes
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | semmle.label | *data |

10
cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected
View File

@@ -1,9 +1,9 @@
edges
| test.c:8:27:8:30 | **argv | test.c:17:11:17:18 | *fileName |
| test.c:8:27:8:30 | **argv | test.c:32:11:32:18 | *fileName |
| test.c:8:27:8:30 | **argv | test.c:57:10:57:16 | *access to array |
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | *fileName |
| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | *fileName |
| test.c:8:27:8:30 | **argv | test.c:17:11:17:18 | *fileName | provenance | |
| test.c:8:27:8:30 | **argv | test.c:32:11:32:18 | *fileName | provenance | |
| test.c:8:27:8:30 | **argv | test.c:57:10:57:16 | *access to array | provenance | |
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | *fileName | provenance | |
| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | *fileName | provenance | |
nodes
| test.c:8:27:8:30 | **argv | semmle.label | **argv |
| test.c:17:11:17:18 | *fileName | semmle.label | *fileName |

10
cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected
View File

@@ -1,9 +1,9 @@
edges
| tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource |
| tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:38:39:38:49 | *environment |
| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | **badSource |
| tests.cpp:38:39:38:49 | *environment | tests.cpp:38:25:38:36 | strncat output argument |
| tests.cpp:51:12:51:20 | *call to badSource | tests.cpp:53:16:53:19 | *data |
| tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource | provenance | |
| tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:38:39:38:49 | *environment | provenance | |
| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:26:15:26:23 | **badSource | provenance | |
| tests.cpp:38:39:38:49 | *environment | tests.cpp:38:25:38:36 | strncat output argument | provenance | |
| tests.cpp:51:12:51:20 | *call to badSource | tests.cpp:53:16:53:19 | *data | provenance | |
nodes
| tests.cpp:26:15:26:23 | **badSource | semmle.label | **badSource |
| tests.cpp:33:34:33:39 | *call to getenv | semmle.label | *call to getenv |

132
cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
View File

@@ -1,70 +1,70 @@
edges
| test.cpp:15:27:15:30 | **argv | test.cpp:22:45:22:52 | *userName |
| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | *command1 |
| test.cpp:22:45:22:52 | *userName | test.cpp:22:13:22:20 | sprintf output argument |
| test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags |
| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command |
| test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument |
| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename |
| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command |
| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument |
| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename |
| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command |
| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument |
| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename |
| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path |
| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument |
| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path |
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str |
| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ |
| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str |
| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ |
| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ |
| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ |
| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path |
| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data |
| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ |
| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str |
| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command |
| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument |
| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command |
| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument |
| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument |
| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename |
| test.cpp:15:27:15:30 | **argv | test.cpp:22:45:22:52 | *userName | provenance | |
| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | *command1 | provenance | |
| test.cpp:22:45:22:52 | *userName | test.cpp:22:13:22:20 | sprintf output argument | provenance | |
| test.cpp:47:21:47:26 | *call to getenv | test.cpp:50:35:50:43 | *envCflags | provenance | |
| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | *command | provenance | |
| test.cpp:50:35:50:43 | *envCflags | test.cpp:50:11:50:17 | sprintf output argument | provenance | |
| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | *filename | provenance | |
| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | *command | provenance | |
| test.cpp:64:20:64:27 | *filename | test.cpp:64:11:64:17 | strncat output argument | provenance | |
| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | *filename | provenance | |
| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | *command | provenance | |
| test.cpp:84:20:84:27 | *filename | test.cpp:84:11:84:17 | strncat output argument | provenance | |
| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | *filename | provenance | |
| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | *path | provenance | |
| test.cpp:93:17:93:24 | *filename | test.cpp:93:11:93:14 | strncat output argument | provenance | |
| test.cpp:106:20:106:38 | *call to getenv | test.cpp:107:33:107:36 | *path | provenance | |
| test.cpp:107:31:107:31 | call to operator+ | test.cpp:108:18:108:22 | *call to c_str | provenance | |
| test.cpp:107:33:107:36 | *path | test.cpp:107:31:107:31 | call to operator+ | provenance | |
| test.cpp:113:20:113:38 | *call to getenv | test.cpp:114:19:114:22 | *path | provenance | |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | |
| test.cpp:114:10:114:23 | call to operator+ | test.cpp:114:25:114:29 | *call to c_str | provenance | |
| test.cpp:114:17:114:17 | call to operator+ | test.cpp:114:10:114:23 | call to operator+ | provenance | |
| test.cpp:114:19:114:22 | *path | test.cpp:114:10:114:23 | call to operator+ | provenance | |
| test.cpp:114:19:114:22 | *path | test.cpp:114:17:114:17 | call to operator+ | provenance | |
| test.cpp:119:20:119:38 | *call to getenv | test.cpp:120:19:120:22 | *path | provenance | |
| test.cpp:120:17:120:17 | call to operator+ | test.cpp:120:10:120:30 | *call to data | provenance | |
| test.cpp:120:19:120:22 | *path | test.cpp:120:17:120:17 | call to operator+ | provenance | |
| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | *str | provenance | |
| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | *command | provenance | |
| test.cpp:142:31:142:33 | *str | test.cpp:142:11:142:17 | sprintf output argument | provenance | |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | *filename | provenance | |
| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | *filename | provenance | |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance | |
| test.cpp:177:13:177:17 | strncat output argument | test.cpp:178:22:178:26 | *flags | provenance | |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | |
| test.cpp:177:20:177:27 | *filename | test.cpp:177:13:177:17 | strncat output argument | provenance | |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | |
| test.cpp:178:22:178:26 | *flags | test.cpp:178:13:178:19 | strncat output argument | provenance | |
| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | *command | provenance | |
| test.cpp:180:22:180:29 | *filename | test.cpp:180:13:180:19 | strncat output argument | provenance | |
| test.cpp:186:47:186:54 | *filename | test.cpp:187:18:187:25 | *filename | provenance | |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance | |
| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:20:188:24 | *flags | provenance | |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | |
| test.cpp:187:18:187:25 | *filename | test.cpp:187:11:187:15 | strncat output argument | provenance | |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | |
| test.cpp:188:20:188:24 | *flags | test.cpp:188:11:188:17 | strncat output argument | provenance | |
| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:26:196:33 | *filename | provenance | |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance | |
| test.cpp:196:10:196:16 | concat output argument | test.cpp:198:32:198:38 | *command | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:186:47:186:54 | *filename | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | |
| test.cpp:196:26:196:33 | *filename | test.cpp:196:10:196:16 | concat output argument | provenance | |
| test.cpp:218:9:218:16 | fread output argument | test.cpp:220:19:220:26 | *filename | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:10:220:16 | strncat output argument | test.cpp:222:32:222:38 | *command | provenance | |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:10:220:16 | strncat output argument | provenance | |
| test.cpp:220:19:220:26 | *filename | test.cpp:220:19:220:26 | *filename | provenance | |
nodes
| test.cpp:15:27:15:30 | **argv | semmle.label | **argv |
| test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |

18
cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
View File

@@ -1,13 +1,13 @@
edges
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query |
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query |
| search.c:55:24:55:28 | *query | search.c:62:8:62:17 | *query_text |
| search.c:67:21:67:26 | *call to getenv | search.c:71:17:71:25 | *raw_query |
| search.c:67:21:67:26 | *call to getenv | search.c:73:17:73:25 | *raw_query |
| search.c:67:21:67:26 | *call to getenv | search.c:77:17:77:25 | *raw_query |
| search.c:71:17:71:25 | *raw_query | search.c:14:24:14:28 | *query |
| search.c:73:17:73:25 | *raw_query | search.c:22:24:22:28 | *query |
| search.c:77:17:77:25 | *raw_query | search.c:55:24:55:28 | *query |
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query | provenance | |
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query | provenance | |
| search.c:55:24:55:28 | *query | search.c:62:8:62:17 | *query_text | provenance | |
| search.c:67:21:67:26 | *call to getenv | search.c:71:17:71:25 | *raw_query | provenance | |
| search.c:67:21:67:26 | *call to getenv | search.c:73:17:73:25 | *raw_query | provenance | |
| search.c:67:21:67:26 | *call to getenv | search.c:77:17:77:25 | *raw_query | provenance | |
| search.c:71:17:71:25 | *raw_query | search.c:14:24:14:28 | *query | provenance | |
| search.c:73:17:73:25 | *raw_query | search.c:22:24:22:28 | *query | provenance | |
| search.c:77:17:77:25 | *raw_query | search.c:55:24:55:28 | *query | provenance | |
nodes
| search.c:14:24:14:28 | *query | semmle.label | *query |
| search.c:17:8:17:12 | *query | semmle.label | *query |

16
cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
View File

@@ -1,12 +1,12 @@
edges
| test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 |
| test.c:14:27:14:30 | **argv | test.c:35:16:35:23 | *userName |
| test.c:35:16:35:23 | *userName | test.c:40:25:40:32 | *username |
| test.c:38:7:38:20 | **globalUsername | test.c:51:18:51:23 | *query1 |
| test.c:40:25:40:32 | *username | test.c:38:7:38:20 | **globalUsername |
| test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput |
| test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput |
| test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array |
| test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | provenance | |
| test.c:14:27:14:30 | **argv | test.c:35:16:35:23 | *userName | provenance | |
| test.c:35:16:35:23 | *userName | test.c:40:25:40:32 | *username | provenance | |
| test.c:38:7:38:20 | **globalUsername | test.c:51:18:51:23 | *query1 | provenance | |
| test.c:40:25:40:32 | *username | test.c:38:7:38:20 | **globalUsername | provenance | |
| test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | provenance | |
| test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | provenance | |
nodes
| test.c:14:27:14:30 | **argv | semmle.label | **argv |
| test.c:21:18:21:23 | *query1 | semmle.label | *query1 |

6
cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
View File

@@ -1,7 +1,7 @@
edges
| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data |
| test.cpp:64:30:64:35 | *call to getenv | test.cpp:73:24:73:27 | *data |
| test.cpp:73:24:73:27 | *data | test.cpp:37:73:37:76 | *data |
| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data | provenance | |
| test.cpp:64:30:64:35 | *call to getenv | test.cpp:73:24:73:27 | *data | provenance | |
| test.cpp:73:24:73:27 | *data | test.cpp:37:73:37:76 | *data | provenance | |
nodes
| test.cpp:37:73:37:76 | *data | semmle.label | *data |
| test.cpp:43:32:43:35 | *data | semmle.label | *data |

24
cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
View File

@@ -1,16 +1,16 @@
edges
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command |
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command |
| test.cpp:42:18:42:34 | *call to getenv | test.cpp:24:30:24:36 | *command |
| test.cpp:43:18:43:34 | *call to getenv | test.cpp:29:30:29:36 | *command |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer |
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer |
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer |
| test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr |
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command | provenance | |
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command | provenance | |
| test.cpp:42:18:42:34 | *call to getenv | test.cpp:24:30:24:36 | *command | provenance | |
| test.cpp:43:18:43:34 | *call to getenv | test.cpp:29:30:29:36 | *command | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | provenance | |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | provenance | |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | provenance | |
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | provenance | |
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | provenance | |
| test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | provenance | |
nodes
| test.cpp:24:30:24:36 | *command | semmle.label | *command |
| test.cpp:26:10:26:16 | *command | semmle.label | *command |

116
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
View File

@@ -1,62 +1,62 @@
edges
| test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] |
| test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] |
| test.cpp:18:5:18:30 | ... = ... | test.cpp:18:5:18:7 | *str [post update] [string] |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... |
| test.cpp:19:5:19:7 | *str [string] | test.cpp:16:11:16:21 | **mk_string_t [string] |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:42:13:42:15 | *str [string] |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:72:17:72:19 | *str [string] |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:80:17:80:19 | *str [string] |
| test.cpp:42:13:42:15 | *str [string] | test.cpp:42:18:42:23 | string |
| test.cpp:72:17:72:19 | *str [string] | test.cpp:72:22:72:27 | string |
| test.cpp:80:17:80:19 | *str [string] | test.cpp:80:22:80:27 | string |
| test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] |
| test.cpp:90:5:90:7 | *str [post update] [string] | test.cpp:91:5:91:7 | *str [string] |
| test.cpp:90:5:90:34 | ... = ... | test.cpp:90:5:90:7 | *str [post update] [string] |
| test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... |
| test.cpp:91:5:91:7 | *str [string] | test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:99:13:99:15 | *str [string] |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:129:17:129:19 | *str [string] |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:137:17:137:19 | *str [string] |
| test.cpp:99:13:99:15 | *str [string] | test.cpp:99:18:99:23 | string |
| test.cpp:129:17:129:19 | *str [string] | test.cpp:129:22:129:27 | string |
| test.cpp:137:17:137:19 | *str [string] | test.cpp:137:22:137:27 | string |
| test.cpp:147:5:147:7 | *str [post update] [string] | test.cpp:148:5:148:7 | *str [string] |
| test.cpp:147:5:147:34 | ... = ... | test.cpp:147:5:147:7 | *str [post update] [string] |
| test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:152:13:152:15 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:154:13:154:15 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:156:13:156:15 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:175:17:175:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:187:17:187:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:195:17:195:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:199:17:199:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:203:17:203:19 | *str [string] |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:207:17:207:19 | *str [string] |
| test.cpp:152:13:152:15 | *str [string] | test.cpp:152:18:152:23 | string |
| test.cpp:154:13:154:15 | *str [string] | test.cpp:154:18:154:23 | string |
| test.cpp:156:13:156:15 | *str [string] | test.cpp:156:18:156:23 | string |
| test.cpp:175:17:175:19 | *str [string] | test.cpp:175:22:175:27 | string |
| test.cpp:187:17:187:19 | *str [string] | test.cpp:187:22:187:27 | string |
| test.cpp:195:17:195:19 | *str [string] | test.cpp:195:22:195:27 | string |
| test.cpp:199:17:199:19 | *str [string] | test.cpp:199:22:199:27 | string |
| test.cpp:203:17:203:19 | *str [string] | test.cpp:203:22:203:27 | string |
| test.cpp:207:17:207:19 | *str [string] | test.cpp:207:22:207:27 | string |
| test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p |
| test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer |
| test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p |
| test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer |
| test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... |
| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | *p_str [post update] [string] |
| test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer |
| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | *str [string] |
| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer |
| test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] |
| test.cpp:243:12:243:14 | *str [string] | test.cpp:243:12:243:21 | string |
| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p |
| test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p |
| test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p |
| test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p |
| test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] | provenance | |
| test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] | provenance | |
| test.cpp:18:5:18:30 | ... = ... | test.cpp:18:5:18:7 | *str [post update] [string] | provenance | |
| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | ... = ... | provenance | |
| test.cpp:19:5:19:7 | *str [string] | test.cpp:16:11:16:21 | **mk_string_t [string] | provenance | |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:42:13:42:15 | *str [string] | provenance | |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:72:17:72:19 | *str [string] | provenance | |
| test.cpp:39:21:39:31 | *call to mk_string_t [string] | test.cpp:80:17:80:19 | *str [string] | provenance | |
| test.cpp:42:13:42:15 | *str [string] | test.cpp:42:18:42:23 | string | provenance | |
| test.cpp:72:17:72:19 | *str [string] | test.cpp:72:22:72:27 | string | provenance | |
| test.cpp:80:17:80:19 | *str [string] | test.cpp:80:22:80:27 | string | provenance | |
| test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | provenance | |
| test.cpp:90:5:90:7 | *str [post update] [string] | test.cpp:91:5:91:7 | *str [string] | provenance | |
| test.cpp:90:5:90:34 | ... = ... | test.cpp:90:5:90:7 | *str [post update] [string] | provenance | |
| test.cpp:90:19:90:24 | call to malloc | test.cpp:90:5:90:34 | ... = ... | provenance | |
| test.cpp:91:5:91:7 | *str [string] | test.cpp:88:11:88:30 | **mk_string_t_plus_one [string] | provenance | |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:99:13:99:15 | *str [string] | provenance | |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:129:17:129:19 | *str [string] | provenance | |
| test.cpp:96:21:96:40 | *call to mk_string_t_plus_one [string] | test.cpp:137:17:137:19 | *str [string] | provenance | |
| test.cpp:99:13:99:15 | *str [string] | test.cpp:99:18:99:23 | string | provenance | |
| test.cpp:129:17:129:19 | *str [string] | test.cpp:129:22:129:27 | string | provenance | |
| test.cpp:137:17:137:19 | *str [string] | test.cpp:137:22:137:27 | string | provenance | |
| test.cpp:147:5:147:7 | *str [post update] [string] | test.cpp:148:5:148:7 | *str [string] | provenance | |
| test.cpp:147:5:147:34 | ... = ... | test.cpp:147:5:147:7 | *str [post update] [string] | provenance | |
| test.cpp:147:19:147:24 | call to malloc | test.cpp:147:5:147:34 | ... = ... | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:152:13:152:15 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:154:13:154:15 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:156:13:156:15 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:175:17:175:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:187:17:187:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:195:17:195:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:199:17:199:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:203:17:203:19 | *str [string] | provenance | |
| test.cpp:148:5:148:7 | *str [string] | test.cpp:207:17:207:19 | *str [string] | provenance | |
| test.cpp:152:13:152:15 | *str [string] | test.cpp:152:18:152:23 | string | provenance | |
| test.cpp:154:13:154:15 | *str [string] | test.cpp:154:18:154:23 | string | provenance | |
| test.cpp:156:13:156:15 | *str [string] | test.cpp:156:18:156:23 | string | provenance | |
| test.cpp:175:17:175:19 | *str [string] | test.cpp:175:22:175:27 | string | provenance | |
| test.cpp:187:17:187:19 | *str [string] | test.cpp:187:22:187:27 | string | provenance | |
| test.cpp:195:17:195:19 | *str [string] | test.cpp:195:22:195:27 | string | provenance | |
| test.cpp:199:17:199:19 | *str [string] | test.cpp:199:22:199:27 | string | provenance | |
| test.cpp:203:17:203:19 | *str [string] | test.cpp:203:22:203:27 | string | provenance | |
| test.cpp:207:17:207:19 | *str [string] | test.cpp:207:22:207:27 | string | provenance | |
| test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p | provenance | |
| test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer | provenance | |
| test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p | provenance | |
| test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer | provenance | |
| test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... | provenance | |
| test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | *p_str [post update] [string] | provenance | |
| test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer | provenance | |
| test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | *str [string] | provenance | |
| test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | provenance | |
| test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] | provenance | |
| test.cpp:243:12:243:14 | *str [string] | test.cpp:243:12:243:21 | string | provenance | |
| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | provenance | |
| test.cpp:256:9:256:25 | call to malloc | test.cpp:257:12:257:12 | p | provenance | |
| test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | provenance | |
| test.cpp:264:13:264:30 | call to malloc | test.cpp:266:12:266:12 | p | provenance | |
nodes
| test.cpp:16:11:16:21 | **mk_string_t [string] | semmle.label | **mk_string_t [string] |
| test.cpp:18:5:18:7 | *str [post update] [string] | semmle.label | *str [post update] [string] |

20
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
View File

@@ -1,14 +1,14 @@
edges
| main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv |
| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src |
| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:15:53:17 | *src |
| overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | *src2 |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | *src |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | *src |
| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src |
| overflowdestination.cpp:76:30:76:32 | *src | overflowdestination.cpp:57:52:57:54 | *src |
| main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | |
| main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | |
| overflowdestination.cpp:23:45:23:48 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | provenance | |
| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | provenance | |
| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:53:15:53:17 | *src | provenance | |
| overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | *src2 | provenance | |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | *src | provenance | |
| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | *src | provenance | |
| overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | provenance | |
| overflowdestination.cpp:76:30:76:32 | *src | overflowdestination.cpp:57:52:57:54 | *src | provenance | |
nodes
| main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
| main.cpp:7:33:7:36 | **argv | semmle.label | **argv |

26
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
View File

@@ -1,17 +1,17 @@
edges
| main.cpp:6:27:6:30 | **argv | main.cpp:10:20:10:23 | **argv |
| main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv |
| tests.cpp:613:19:613:24 | *source | tests.cpp:615:17:615:22 | *source |
| tests.cpp:622:19:622:24 | *source | tests.cpp:625:2:625:16 | *... = ... |
| tests.cpp:625:2:625:2 | *s [post update] [*home] | tests.cpp:628:14:628:14 | *s [*home] |
| tests.cpp:625:2:625:16 | *... = ... | tests.cpp:625:2:625:2 | *s [post update] [*home] |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home |
| tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array |
| tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source |
| tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source |
| main.cpp:6:27:6:30 | **argv | main.cpp:10:20:10:23 | **argv | provenance | |
| main.cpp:10:20:10:23 | **argv | tests.cpp:657:32:657:35 | **argv | provenance | |
| tests.cpp:613:19:613:24 | *source | tests.cpp:615:17:615:22 | *source | provenance | |
| tests.cpp:622:19:622:24 | *source | tests.cpp:625:2:625:16 | *... = ... | provenance | |
| tests.cpp:625:2:625:2 | *s [post update] [*home] | tests.cpp:628:14:628:14 | *s [*home] | provenance | |
| tests.cpp:625:2:625:16 | *... = ... | tests.cpp:625:2:625:2 | *s [post update] [*home] | provenance | |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:14:628:19 | *home | provenance | |
| tests.cpp:628:14:628:14 | *s [*home] | tests.cpp:628:16:628:19 | *home | provenance | |
| tests.cpp:628:16:628:19 | *home | tests.cpp:628:14:628:19 | *home | provenance | |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:682:9:682:15 | *access to array | provenance | |
| tests.cpp:657:32:657:35 | **argv | tests.cpp:683:9:683:15 | *access to array | provenance | |
| tests.cpp:682:9:682:15 | *access to array | tests.cpp:613:19:613:24 | *source | provenance | |
| tests.cpp:683:9:683:15 | *access to array | tests.cpp:622:19:622:24 | *source | provenance | |
nodes
| main.cpp:6:27:6:30 | **argv | semmle.label | **argv |
| main.cpp:10:20:10:23 | **argv | semmle.label | **argv |

6
cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
View File

@@ -1,7 +1,7 @@
edges
| tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array |
| tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array |
| tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array |
| tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | provenance | |
| tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | provenance | |
| tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | provenance | |
nodes
| tests.c:16:26:16:29 | **argv | semmle.label | **argv |
| tests.c:28:22:28:28 | *access to array | semmle.label | *access to array |

2
cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
View File

@@ -1,5 +1,5 @@
edges
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data |
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | provenance | |
nodes
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | semmle.label | fgets output argument |
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | semmle.label | data |

18
cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected
View File

@@ -1,13 +1,13 @@
edges
| test1.c:7:26:7:29 | **argv | test1.c:9:9:9:9 | i |
| test1.c:7:26:7:29 | **argv | test1.c:11:9:11:9 | i |
| test1.c:7:26:7:29 | **argv | test1.c:13:9:13:9 | i |
| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i |
| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i |
| test1.c:13:9:13:9 | i | test1.c:48:16:48:16 | i |
| test1.c:16:16:16:16 | i | test1.c:18:16:18:16 | i |
| test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i |
| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j |
| test1.c:7:26:7:29 | **argv | test1.c:9:9:9:9 | i | provenance | |
| test1.c:7:26:7:29 | **argv | test1.c:11:9:11:9 | i | provenance | |
| test1.c:7:26:7:29 | **argv | test1.c:13:9:13:9 | i | provenance | |
| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i | provenance | |
| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i | provenance | |
| test1.c:13:9:13:9 | i | test1.c:48:16:48:16 | i | provenance | |
| test1.c:16:16:16:16 | i | test1.c:18:16:18:16 | i | provenance | |
| test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i | provenance | |
| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j | provenance | |
nodes
| test1.c:7:26:7:29 | **argv | semmle.label | **argv |
| test1.c:9:9:9:9 | i | semmle.label | i |

6
cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected
View File

@@ -1,7 +1,7 @@
edges
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data |
| char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | provenance | |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | provenance | |
| char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | provenance | |
nodes
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | semmle.label | recv output argument |
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | semmle.label | *data |

48
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
View File

@@ -1,28 +1,28 @@
edges
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | provenance | |
| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | provenance | |
nodes
| argvLocal.c:13:27:13:30 | **argv | semmle.label | **argv |
| argvLocal.c:95:9:95:15 | *access to array | semmle.label | *access to array |

16
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
View File

@@ -1,12 +1,12 @@
edges
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 |
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 |
| funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 |
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 |
| funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 |
| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... |
| funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | provenance | |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | provenance | |
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | provenance | |
| funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | provenance | |
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | provenance | |
| funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | provenance | |
| funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | provenance | |
| funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | provenance | |
nodes
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
| funcsLocal.c:17:9:17:10 | *i1 | semmle.label | *i1 |

22
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
View File

@@ -1,15 +1,15 @@
edges
| globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 |
| globalVars.c:11:22:11:25 | **argv | globalVars.c:8:7:8:10 | **copy |
| globalVars.c:15:21:15:23 | *val | globalVars.c:9:7:9:11 | **copy2 |
| globalVars.c:23:27:23:30 | **argv | globalVars.c:24:11:24:14 | **argv |
| globalVars.c:24:11:24:14 | **argv | globalVars.c:11:22:11:25 | **argv |
| globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance | |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance | |
| globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy | provenance | |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 | provenance | |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance | |
| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 | provenance | |
| globalVars.c:11:22:11:25 | **argv | globalVars.c:8:7:8:10 | **copy | provenance | |
| globalVars.c:15:21:15:23 | *val | globalVars.c:9:7:9:11 | **copy2 | provenance | |
| globalVars.c:23:27:23:30 | **argv | globalVars.c:24:11:24:14 | **argv | provenance | |
| globalVars.c:24:11:24:14 | **argv | globalVars.c:11:22:11:25 | **argv | provenance | |
| globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | provenance | |
nodes
| globalVars.c:8:7:8:10 | **copy | semmle.label | **copy |
| globalVars.c:9:7:9:11 | **copy2 | semmle.label | **copy2 |

22
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
View File

@@ -1,15 +1,15 @@
edges
| ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 |
| ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 |
| ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 |
| ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 |
| ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 |
| ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 |
| ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 |
| ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 |
| ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 |
| ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 |
| ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 |
| ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | provenance | |
| ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | provenance | |
nodes
| ifs.c:16:27:16:30 | **argv | semmle.label | **argv |
| ifs.c:62:9:62:10 | *c7 | semmle.label | *c7 |

2
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected
View File

@@ -1,5 +1,5 @@
edges
| examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
| examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | provenance | |
nodes
| examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument |
| examples.cpp:66:11:66:14 | data | semmle.label | data |

24
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected
View File

@@ -1,16 +1,16 @@
edges
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | provenance | |
nodes
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |

64
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected
View File

@@ -1,36 +1,36 @@
edges
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
| test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r |
| test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r |
| test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r |
| test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r |
| test.cpp:6:5:6:12 | *get_rand | test.cpp:24:11:24:18 | call to get_rand |
| test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | *get_rand |
| test.cpp:11:21:11:24 | *dest | test.cpp:30:13:30:14 | get_rand2 output argument |
| test.cpp:13:10:13:13 | call to rand | test.cpp:11:21:11:24 | *dest |
| test.cpp:16:21:16:24 | *dest | test.cpp:36:13:36:13 | get_rand3 output argument |
| test.cpp:18:9:18:12 | call to rand | test.cpp:16:21:16:24 | *dest |
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r |
| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r |
| test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x |
| test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x |
| test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y |
| test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b |
| test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y |
| test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x |
| test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x |
| test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x |
| test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y |
| test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y |
| test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y |
| test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x |
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | provenance | |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | provenance | |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | provenance | |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | provenance | |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | provenance | |
| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | provenance | |
| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | provenance | |
| test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | provenance | |
| test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | provenance | |
| test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | provenance | |
| test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | provenance | |
| test.cpp:6:5:6:12 | *get_rand | test.cpp:24:11:24:18 | call to get_rand | provenance | |
| test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | *get_rand | provenance | |
| test.cpp:11:21:11:24 | *dest | test.cpp:30:13:30:14 | get_rand2 output argument | provenance | |
| test.cpp:13:10:13:13 | call to rand | test.cpp:11:21:11:24 | *dest | provenance | |
| test.cpp:16:21:16:24 | *dest | test.cpp:36:13:36:13 | get_rand3 output argument | provenance | |
| test.cpp:18:9:18:12 | call to rand | test.cpp:16:21:16:24 | *dest | provenance | |
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r | provenance | |
| test.cpp:30:13:30:14 | get_rand2 output argument | test.cpp:31:7:31:7 | r | provenance | |
| test.cpp:36:13:36:13 | get_rand3 output argument | test.cpp:37:7:37:7 | r | provenance | |
| test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | provenance | |
| test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | provenance | |
| test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | provenance | |
| test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | provenance | |
| test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | provenance | |
| test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | provenance | |
| test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | provenance | |
| test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | provenance | |
| test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | provenance | |
| test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | provenance | |
| test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | provenance | |
| test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | provenance | |
nodes
| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
| test.c:21:17:21:17 | r | semmle.label | r |

48
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
View File

@@ -1,28 +1,28 @@
edges
| test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted |
| test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... |
| test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... |
| test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size |
| test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size |
| test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... |
| test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... |
| test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... |
| test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... |
| test.cpp:209:8:209:23 | *get_tainted_size | test.cpp:241:9:241:24 | call to get_tainted_size |
| test.cpp:211:14:211:27 | *call to getenv | test.cpp:209:8:209:23 | *get_tainted_size |
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:239:9:239:18 | local_size |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:245:11:245:20 | local_size |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:247:10:247:19 | local_size |
| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
| test.cpp:250:20:250:27 | *out_size | test.cpp:289:17:289:20 | get_size output argument |
| test.cpp:250:20:250:27 | *out_size | test.cpp:305:18:305:21 | get_size output argument |
| test.cpp:251:18:251:31 | *call to getenv | test.cpp:250:20:250:27 | *out_size |
| test.cpp:259:20:259:33 | *call to getenv | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... |
| test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:355:35:355:38 | size |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:356:35:356:38 | size |
| test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | provenance | |
| test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | provenance | |
| test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | provenance | |
| test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | provenance | |
| test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | provenance | |
| test.cpp:209:8:209:23 | *get_tainted_size | test.cpp:241:9:241:24 | call to get_tainted_size | provenance | |
| test.cpp:211:14:211:27 | *call to getenv | test.cpp:209:8:209:23 | *get_tainted_size | provenance | |
| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s | provenance | |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:239:9:239:18 | local_size | provenance | |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:245:11:245:20 | local_size | provenance | |
| test.cpp:237:24:237:37 | *call to getenv | test.cpp:247:10:247:19 | local_size | provenance | |
| test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s | provenance | |
| test.cpp:250:20:250:27 | *out_size | test.cpp:289:17:289:20 | get_size output argument | provenance | |
| test.cpp:250:20:250:27 | *out_size | test.cpp:305:18:305:21 | get_size output argument | provenance | |
| test.cpp:251:18:251:31 | *call to getenv | test.cpp:250:20:250:27 | *out_size | provenance | |
| test.cpp:259:20:259:33 | *call to getenv | test.cpp:263:11:263:29 | ... * ... | provenance | |
| test.cpp:289:17:289:20 | get_size output argument | test.cpp:291:11:291:28 | ... * ... | provenance | |
| test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... | provenance | |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:355:35:355:38 | size | provenance | |
| test.cpp:353:18:353:31 | *call to getenv | test.cpp:356:35:356:38 | size | provenance | |
nodes
| test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |

30
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
View File

@@ -1,19 +1,19 @@
edges
| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:13:27:13 | v |
| test2.cpp:27:13:27:13 | v | test2.cpp:12:21:12:21 | v |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num |
| test3.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections |
| test3.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 |
| test3.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:17:6:17:18 | call to getTaintedInt |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:18:6:18:18 | call to getTaintedInt |
| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:5:5:5:17 | *getTaintedInt |
| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
| test.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections |
| test.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 |
| test.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 |
| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v | provenance | |
| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:13:27:13 | v | provenance | |
| test2.cpp:27:13:27:13 | v | test2.cpp:12:21:12:21 | v | provenance | |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | provenance | |
| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | provenance | |
| test3.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections | provenance | |
| test3.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 | provenance | |
| test3.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 | provenance | |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:17:6:17:18 | call to getTaintedInt | provenance | |
| test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:18:6:18:18 | call to getTaintedInt | provenance | |
| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:5:5:5:17 | *getTaintedInt | provenance | |
| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y | provenance | |
| test.c:10:27:10:30 | **argv | test.c:14:15:14:28 | maxConnections | provenance | |
| test.c:10:27:10:30 | **argv | test.c:44:7:44:10 | len2 | provenance | |
| test.c:10:27:10:30 | **argv | test.c:54:7:54:10 | len3 | provenance | |
nodes
| test2.cpp:12:21:12:21 | v | semmle.label | v |
| test2.cpp:14:11:14:11 | v | semmle.label | v |

204
cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected
View File

@@ -1,106 +1,106 @@
edges
| test.cpp:4:15:4:33 | call to malloc | test.cpp:5:15:5:22 | ... + ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | ... + ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... |
| test.cpp:6:14:6:15 | * ... | test.cpp:8:14:8:21 | * ... |
| test.cpp:16:15:16:33 | call to malloc | test.cpp:20:14:20:21 | * ... |
| test.cpp:28:15:28:37 | call to malloc | test.cpp:29:15:29:28 | ... + ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | ... + ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... |
| test.cpp:30:14:30:15 | * ... | test.cpp:32:14:32:21 | * ... |
| test.cpp:51:33:51:35 | *end | test.cpp:60:34:60:37 | mk_array output argument |
| test.cpp:52:19:52:37 | call to malloc | test.cpp:53:12:53:23 | ... + ... |
| test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | *end |
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... |
| test.cpp:205:15:205:33 | call to malloc | test.cpp:206:17:206:23 | ... + ... |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | ... + ... |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... |
| test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:261:14:261:21 | ... + ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... |
| test.cpp:270:13:270:24 | new[] | test.cpp:271:14:271:21 | ... + ... |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:271:14:271:21 | ... + ... |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... |
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... |
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... |
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... |
| test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... |
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... |
| test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... |
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... |
| test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... |
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... |
| test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | ... = ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... |
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... |
| test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | ... = ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... |
| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... |
| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... |
| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... |
| test.cpp:730:12:730:28 | new[] | test.cpp:732:16:732:26 | ... + ... |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:732:16:732:26 | ... + ... |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array |
| test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array |
| test.cpp:792:60:792:62 | *end | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument |
| test.cpp:792:60:792:62 | *end | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument |
| test.cpp:793:14:793:32 | call to malloc | test.cpp:794:12:794:24 | ... + ... |
| test.cpp:794:12:794:24 | ... + ... | test.cpp:792:60:792:62 | *end |
| test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | test.cpp:807:7:807:12 | ... = ... |
| test.cpp:815:52:815:54 | end | test.cpp:815:52:815:54 | end |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... |
| test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | test.cpp:833:37:833:39 | end |
| test.cpp:833:37:833:39 | end | test.cpp:815:52:815:54 | end |
| test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... |
| test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... |
| test.cpp:856:12:856:35 | call to malloc | test.cpp:857:16:857:29 | ... + ... |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:857:16:857:29 | ... + ... |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... |
| test.cpp:4:15:4:33 | call to malloc | test.cpp:5:15:5:22 | ... + ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | ... + ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... | provenance | |
| test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... | provenance | |
| test.cpp:6:14:6:15 | * ... | test.cpp:8:14:8:21 | * ... | provenance | |
| test.cpp:16:15:16:33 | call to malloc | test.cpp:20:14:20:21 | * ... | provenance | |
| test.cpp:28:15:28:37 | call to malloc | test.cpp:29:15:29:28 | ... + ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | ... + ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... | provenance | |
| test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... | provenance | |
| test.cpp:30:14:30:15 | * ... | test.cpp:32:14:32:21 | * ... | provenance | |
| test.cpp:51:33:51:35 | *end | test.cpp:60:34:60:37 | mk_array output argument | provenance | |
| test.cpp:52:19:52:37 | call to malloc | test.cpp:53:12:53:23 | ... + ... | provenance | |
| test.cpp:53:12:53:23 | ... + ... | test.cpp:51:33:51:35 | *end | provenance | |
| test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... | provenance | |
| test.cpp:205:15:205:33 | call to malloc | test.cpp:206:17:206:23 | ... + ... | provenance | |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | ... + ... | provenance | |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... | provenance | |
| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... | provenance | |
| test.cpp:260:13:260:24 | new[] | test.cpp:261:14:261:21 | ... + ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:261:14:261:21 | ... + ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:264:13:264:14 | * ... | test.cpp:264:13:264:14 | * ... | provenance | |
| test.cpp:270:13:270:24 | new[] | test.cpp:271:14:271:21 | ... + ... | provenance | |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:271:14:271:21 | ... + ... | provenance | |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... | provenance | |
| test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | ... = ... | provenance | |
| test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:23 | ... + ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:356:15:356:23 | ... + ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:358:14:358:26 | * ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... | provenance | |
| test.cpp:356:15:356:23 | ... + ... | test.cpp:359:14:359:32 | * ... | provenance | |
| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:23 | ... + ... | provenance | |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... | provenance | |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... | provenance | |
| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | * ... | provenance | |
| test.cpp:410:14:410:27 | new[] | test.cpp:411:15:411:23 | & ... | provenance | |
| test.cpp:410:14:410:27 | new[] | test.cpp:415:7:415:15 | ... = ... | provenance | |
| test.cpp:411:15:411:23 | & ... | test.cpp:411:15:411:23 | & ... | provenance | |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... | provenance | |
| test.cpp:411:15:411:23 | & ... | test.cpp:415:7:415:15 | ... = ... | provenance | |
| test.cpp:421:14:421:27 | new[] | test.cpp:422:15:422:23 | & ... | provenance | |
| test.cpp:421:14:421:27 | new[] | test.cpp:426:7:426:15 | ... = ... | provenance | |
| test.cpp:422:15:422:23 | & ... | test.cpp:422:15:422:23 | & ... | provenance | |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... | provenance | |
| test.cpp:422:15:422:23 | & ... | test.cpp:426:7:426:15 | ... = ... | provenance | |
| test.cpp:432:14:432:27 | new[] | test.cpp:433:15:433:23 | & ... | provenance | |
| test.cpp:432:14:432:27 | new[] | test.cpp:438:7:438:15 | ... = ... | provenance | |
| test.cpp:433:15:433:23 | & ... | test.cpp:433:15:433:23 | & ... | provenance | |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... | provenance | |
| test.cpp:433:15:433:23 | & ... | test.cpp:438:7:438:15 | ... = ... | provenance | |
| test.cpp:444:14:444:27 | new[] | test.cpp:445:15:445:23 | & ... | provenance | |
| test.cpp:444:14:444:27 | new[] | test.cpp:450:7:450:15 | ... = ... | provenance | |
| test.cpp:445:15:445:23 | & ... | test.cpp:445:15:445:23 | & ... | provenance | |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... | provenance | |
| test.cpp:445:15:445:23 | & ... | test.cpp:450:7:450:15 | ... = ... | provenance | |
| test.cpp:480:14:480:27 | new[] | test.cpp:481:15:481:23 | & ... | provenance | |
| test.cpp:480:14:480:27 | new[] | test.cpp:486:7:486:15 | ... = ... | provenance | |
| test.cpp:481:15:481:23 | & ... | test.cpp:481:15:481:23 | & ... | provenance | |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... | provenance | |
| test.cpp:481:15:481:23 | & ... | test.cpp:486:7:486:15 | ... = ... | provenance | |
| test.cpp:543:14:543:27 | new[] | test.cpp:548:5:548:19 | ... = ... | provenance | |
| test.cpp:554:14:554:27 | new[] | test.cpp:559:5:559:19 | ... = ... | provenance | |
| test.cpp:642:14:642:31 | new[] | test.cpp:647:5:647:19 | ... = ... | provenance | |
| test.cpp:730:12:730:28 | new[] | test.cpp:732:16:732:26 | ... + ... | provenance | |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:732:16:732:26 | ... + ... | provenance | |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... | provenance | |
| test.cpp:732:16:732:26 | ... + ... | test.cpp:733:5:733:12 | ... = ... | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:767:16:767:29 | access to array | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | provenance | |
| test.cpp:754:18:754:31 | new[] | test.cpp:772:16:772:29 | access to array | provenance | |
| test.cpp:781:14:781:27 | new[] | test.cpp:786:18:786:27 | access to array | provenance | |
| test.cpp:792:60:792:62 | *end | test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | provenance | |
| test.cpp:792:60:792:62 | *end | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | provenance | |
| test.cpp:793:14:793:32 | call to malloc | test.cpp:794:12:794:24 | ... + ... | provenance | |
| test.cpp:794:12:794:24 | ... + ... | test.cpp:792:60:792:62 | *end | provenance | |
| test.cpp:800:40:800:43 | mk_array_no_field_flow output argument | test.cpp:807:7:807:12 | ... = ... | provenance | |
| test.cpp:815:52:815:54 | end | test.cpp:815:52:815:54 | end | provenance | |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... | provenance | |
| test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... | provenance | |
| test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | test.cpp:833:37:833:39 | end | provenance | |
| test.cpp:833:37:833:39 | end | test.cpp:815:52:815:54 | end | provenance | |
| test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... | provenance | |
| test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... | provenance | |
| test.cpp:856:12:856:35 | call to malloc | test.cpp:857:16:857:29 | ... + ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:857:16:857:29 | ... + ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | |
| test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | |
nodes
| test.cpp:4:15:4:33 | call to malloc | semmle.label | call to malloc |
| test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... |

12
cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
View File

@@ -1,10 +1,10 @@
edges
| test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address |
| test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address |
| test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address |
| test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | provenance | |
| test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | provenance | |
| test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | provenance | |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | provenance | |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | provenance | |
| test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | provenance | |
nodes
| test.cpp:16:25:16:42 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:20:14:20:20 | *address | semmle.label | *address |

2
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
View File

@@ -1,5 +1,5 @@
edges
| test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input |
| test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | provenance | |
nodes
| test2.cpp:110:3:110:6 | *call to gets | semmle.label | *call to gets |
| test.cpp:53:27:53:30 | **argv | semmle.label | **argv |

12
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
View File

@@ -1,10 +1,10 @@
edges
| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
| test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf |
| test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | *buf |
| test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer |
| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
| test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword |
| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | provenance | |
| test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | provenance | |
| test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | *buf | provenance | |
| test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | provenance | |
| test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | provenance | |
| test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | provenance | |
nodes
| test2.cpp:43:36:43:43 | password | semmle.label | password |
| test2.cpp:44:37:44:45 | thepasswd | semmle.label | thepasswd |

64
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
View File

@@ -1,36 +1,36 @@
edges
| test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr |
| test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr |
| test3.cpp:112:20:112:25 | buffer | test3.cpp:114:14:114:19 | buffer |
| test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | *id |
| test3.cpp:124:7:124:20 | *get_global_str | test3.cpp:144:16:144:29 | call to get_global_str |
| test3.cpp:126:9:126:23 | global_password | test3.cpp:124:7:124:20 | *get_global_str |
| test3.cpp:134:11:134:18 | password | test3.cpp:112:20:112:25 | buffer |
| test3.cpp:138:21:138:22 | call to id | test3.cpp:140:15:140:17 | ptr |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:138:21:138:22 | call to id |
| test3.cpp:144:16:144:29 | call to get_global_str | test3.cpp:146:15:146:18 | data |
| test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer |
| test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data |
| test3.cpp:278:20:278:23 | data | test3.cpp:280:14:280:17 | data |
| test3.cpp:283:20:283:23 | data | test3.cpp:285:14:285:17 | data |
| test3.cpp:288:20:288:23 | data | test3.cpp:290:14:290:17 | data |
| test3.cpp:293:20:293:23 | data | test3.cpp:295:14:295:17 | data |
| test3.cpp:298:20:298:23 | data | test3.cpp:300:14:300:17 | data |
| test3.cpp:313:11:313:19 | password1 | test3.cpp:278:20:278:23 | data |
| test3.cpp:314:11:314:19 | password1 | test3.cpp:283:20:283:23 | data |
| test3.cpp:316:11:316:19 | password1 | test3.cpp:283:20:283:23 | data |
| test3.cpp:317:11:317:19 | password1 | test3.cpp:288:20:288:23 | data |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:324:11:324:14 | data |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:325:11:325:14 | data |
| test3.cpp:324:11:324:14 | data | test3.cpp:293:20:293:23 | data |
| test3.cpp:325:11:325:14 | data | test3.cpp:298:20:298:23 | data |
| test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer |
| test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer |
| test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer |
| test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer |
| test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str |
| test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str |
| test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | provenance | |
| test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | provenance | |
| test3.cpp:112:20:112:25 | buffer | test3.cpp:114:14:114:19 | buffer | provenance | |
| test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | *id | provenance | |
| test3.cpp:124:7:124:20 | *get_global_str | test3.cpp:144:16:144:29 | call to get_global_str | provenance | |
| test3.cpp:126:9:126:23 | global_password | test3.cpp:124:7:124:20 | *get_global_str | provenance | |
| test3.cpp:134:11:134:18 | password | test3.cpp:112:20:112:25 | buffer | provenance | |
| test3.cpp:138:21:138:22 | call to id | test3.cpp:140:15:140:17 | ptr | provenance | |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer | provenance | |
| test3.cpp:138:24:138:32 | password1 | test3.cpp:138:21:138:22 | call to id | provenance | |
| test3.cpp:144:16:144:29 | call to get_global_str | test3.cpp:146:15:146:18 | data | provenance | |
| test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | provenance | |
| test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | provenance | |
| test3.cpp:278:20:278:23 | data | test3.cpp:280:14:280:17 | data | provenance | |
| test3.cpp:283:20:283:23 | data | test3.cpp:285:14:285:17 | data | provenance | |
| test3.cpp:288:20:288:23 | data | test3.cpp:290:14:290:17 | data | provenance | |
| test3.cpp:293:20:293:23 | data | test3.cpp:295:14:295:17 | data | provenance | |
| test3.cpp:298:20:298:23 | data | test3.cpp:300:14:300:17 | data | provenance | |
| test3.cpp:313:11:313:19 | password1 | test3.cpp:278:20:278:23 | data | provenance | |
| test3.cpp:314:11:314:19 | password1 | test3.cpp:283:20:283:23 | data | provenance | |
| test3.cpp:316:11:316:19 | password1 | test3.cpp:283:20:283:23 | data | provenance | |
| test3.cpp:317:11:317:19 | password1 | test3.cpp:288:20:288:23 | data | provenance | |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:324:11:324:14 | data | provenance | |
| test3.cpp:322:16:322:24 | password2 | test3.cpp:325:11:325:14 | data | provenance | |
| test3.cpp:324:11:324:14 | data | test3.cpp:293:20:293:23 | data | provenance | |
| test3.cpp:325:11:325:14 | data | test3.cpp:298:20:298:23 | data | provenance | |
| test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | provenance | |
| test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | provenance | |
| test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | provenance | |
| test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | provenance | |
| test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | provenance | |
| test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | provenance | |
nodes
| test3.cpp:22:15:22:23 | password1 | semmle.label | password1 |
| test3.cpp:26:15:26:23 | password2 | semmle.label | password2 |

26
cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
View File

@@ -1,17 +1,17 @@
edges
| test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url |
| test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g |
| test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:13:24:17 | **url_g |
| test.cpp:28:10:28:29 | *http://example.com | test.cpp:11:26:11:28 | *url |
| test.cpp:35:23:35:42 | *http://example.com | test.cpp:39:11:39:15 | *url_l |
| test.cpp:36:26:36:45 | *http://example.com | test.cpp:40:11:40:17 | *access to array |
| test.cpp:38:11:38:15 | *url_g | test.cpp:11:26:11:28 | *url |
| test.cpp:39:11:39:15 | *url_l | test.cpp:11:26:11:28 | *url |
| test.cpp:40:11:40:17 | *access to array | test.cpp:11:26:11:28 | *url |
| test.cpp:46:18:46:26 | *http:// | test.cpp:49:11:49:16 | *buffer |
| test.cpp:49:11:49:16 | *buffer | test.cpp:11:26:11:28 | *url |
| test.cpp:110:21:110:40 | *http://example.com | test.cpp:121:11:121:13 | *ptr |
| test.cpp:121:11:121:13 | *ptr | test.cpp:11:26:11:28 | *url |
| test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url | provenance | |
| test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g | provenance | |
| test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:13:24:17 | **url_g | provenance | |
| test.cpp:28:10:28:29 | *http://example.com | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:35:23:35:42 | *http://example.com | test.cpp:39:11:39:15 | *url_l | provenance | |
| test.cpp:36:26:36:45 | *http://example.com | test.cpp:40:11:40:17 | *access to array | provenance | |
| test.cpp:38:11:38:15 | *url_g | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:39:11:39:15 | *url_l | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:40:11:40:17 | *access to array | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:46:18:46:26 | *http:// | test.cpp:49:11:49:16 | *buffer | provenance | |
| test.cpp:49:11:49:16 | *buffer | test.cpp:11:26:11:28 | *url | provenance | |
| test.cpp:110:21:110:40 | *http://example.com | test.cpp:121:11:121:13 | *ptr | provenance | |
| test.cpp:121:11:121:13 | *ptr | test.cpp:11:26:11:28 | *url | provenance | |
nodes
| test.cpp:11:26:11:28 | *url | semmle.label | *url |
| test.cpp:15:30:15:32 | *url | semmle.label | *url |

24
cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected
View File

@@ -1,16 +1,16 @@
edges
| test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data |
| test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data |
| test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data |
| test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data |
| test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... |
| test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data |
| test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data |
| test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data |
| test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data |
| test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x |
| test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | provenance | |
| test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | provenance | |
| test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | provenance | |
| test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | provenance | |
| test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | provenance | |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | provenance | |
| test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | provenance | |
| test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | provenance | |
| test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | provenance | |
| test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | provenance | |
| test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | provenance | |
| test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | provenance | |
nodes
| test.cpp:39:7:39:10 | pointer to free output argument | semmle.label | pointer to free output argument |
| test.cpp:41:6:41:9 | data | semmle.label | data |

2
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected
View File

@@ -1,5 +1,5 @@
edges
| tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password |
| tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | provenance | |
nodes
| tests.c:57:21:57:28 | *password | semmle.label | *password |
| tests.c:70:70:70:77 | *password | semmle.label | *password |

32
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
View File

@@ -1,20 +1,20 @@
edges
| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 |
| tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer |
| tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 |
| tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw |
| tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] | tests2.cpp:111:14:111:15 | *c1 [*ptr] |
| tests2.cpp:109:3:109:36 | *... = ... | tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] |
| tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:109:3:109:36 | *... = ... |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf |
| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 | provenance | |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 | provenance | |
| tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | provenance | |
| tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | provenance | |
| tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | provenance | |
| tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] | tests2.cpp:111:14:111:15 | *c1 [*ptr] | provenance | |
| tests2.cpp:109:3:109:36 | *... = ... | tests2.cpp:109:3:109:4 | *c1 [post update] [*ptr] | provenance | |
| tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:109:3:109:36 | *... = ... | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance | |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance | |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | provenance | |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | provenance | |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | provenance | |
nodes
| tests2.cpp:50:13:50:19 | **global1 | semmle.label | **global1 |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | semmle.label | *call to mysql_get_client_info |

28
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
View File

@@ -1,18 +1,18 @@
edges
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:71:27:71:38 | *global_token |
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:73:27:73:31 | *maybe |
| tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:62:7:62:18 | **global_token |
| tests.cpp:86:29:86:31 | *msg | tests.cpp:88:15:88:17 | *msg |
| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:86:29:86:31 | *msg |
| tests.cpp:107:30:107:32 | *msg | tests.cpp:111:15:111:17 | *tmp |
| tests.cpp:114:30:114:32 | *msg | tests.cpp:119:7:119:12 | *buffer |
| tests.cpp:122:30:122:32 | *msg | tests.cpp:124:15:124:17 | *msg |
| tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:107:30:107:32 | *msg |
| tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:114:30:114:32 | *msg |
| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:122:30:122:32 | *msg |
| tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd |
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:71:27:71:38 | *global_token | provenance | |
| tests.cpp:62:7:62:18 | **global_token | tests.cpp:73:27:73:31 | *maybe | provenance | |
| tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:62:7:62:18 | **global_token | provenance | |
| tests.cpp:86:29:86:31 | *msg | tests.cpp:88:15:88:17 | *msg | provenance | |
| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:86:29:86:31 | *msg | provenance | |
| tests.cpp:107:30:107:32 | *msg | tests.cpp:111:15:111:17 | *tmp | provenance | |
| tests.cpp:114:30:114:32 | *msg | tests.cpp:119:7:119:12 | *buffer | provenance | |
| tests.cpp:122:30:122:32 | *msg | tests.cpp:124:15:124:17 | *msg | provenance | |
| tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:107:30:107:32 | *msg | provenance | |
| tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:114:30:114:32 | *msg | provenance | |
| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:122:30:122:32 | *msg | provenance | |
| tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | provenance | |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | provenance | |
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | provenance | |
nodes
| tests.cpp:48:15:48:36 | *call to getenv | semmle.label | *call to getenv |
| tests.cpp:49:15:49:36 | *call to getenv | semmle.label | *call to getenv |

96
cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
View File

@@ -1,52 +1,52 @@
edges
| tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p |
| tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p |
| tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p |
| tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p |
| tests3.cpp:35:16:35:20 | **p_3_3 | tests3.cpp:38:2:38:6 | *p_3_3 |
| tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:35:16:35:20 | **p_3_3 |
| tests3.cpp:48:16:48:20 | **p_3_5 | tests3.cpp:56:2:56:6 | *p_3_5 |
| tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:48:16:48:20 | **p_3_5 |
| tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p |
| tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p |
| tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p |
| tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p |
| tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p |
| tests5.cpp:63:21:63:24 | **g_p2 | tests5.cpp:77:2:77:5 | *g_p2 |
| tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:63:21:63:24 | **g_p2 |
| tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p |
| tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p |
| tests5.cpp:83:2:83:2 | *p | tests5.cpp:85:2:85:2 | *p |
| tests5.cpp:85:2:85:2 | *p | tests5.cpp:86:2:86:2 | *p |
| tests5.cpp:86:2:86:2 | *p | tests5.cpp:88:2:88:2 | *p |
| tests5.cpp:88:2:88:2 | *p | tests5.cpp:89:2:89:2 | *p |
| tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p |
| tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p |
| tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:37:2:37:2 | *p |
| tests.cpp:37:2:37:2 | *p | tests.cpp:37:2:37:2 | *p |
| tests.cpp:37:2:37:2 | *p | tests.cpp:38:2:38:2 | *p |
| tests.cpp:38:2:38:2 | *p | tests.cpp:38:2:38:2 | *p |
| tests.cpp:38:2:38:2 | *p | tests.cpp:39:2:39:2 | *p |
| tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:53:2:53:2 | *p |
| tests.cpp:53:2:53:2 | *p | tests.cpp:53:2:53:2 | *p |
| tests.cpp:53:2:53:2 | *p | tests.cpp:55:2:55:2 | *p |
| tests.cpp:55:2:55:2 | *p | tests.cpp:55:2:55:2 | *p |
| tests.cpp:55:2:55:2 | *p | tests.cpp:56:2:56:2 | *p |
| tests.cpp:55:2:55:2 | *p | tests.cpp:57:2:57:2 | *p |
| tests.cpp:57:2:57:2 | *p | tests.cpp:57:2:57:2 | *p |
| tests.cpp:57:2:57:2 | *p | tests.cpp:59:2:59:2 | *p |
| tests.cpp:59:2:59:2 | *p | tests.cpp:59:2:59:2 | *p |
| tests.cpp:59:2:59:2 | *p | tests.cpp:60:2:60:2 | *p |
| tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p |
| tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p |
| tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q |
| tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q |
| tests.cpp:112:39:112:39 | *p | tests.cpp:113:2:113:2 | *p |
| tests.cpp:116:39:116:39 | *p | tests.cpp:117:2:117:2 | *p |
| tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:126:18:126:18 | *q |
| tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:128:18:128:18 | *q |
| tests.cpp:126:18:126:18 | *q | tests.cpp:112:39:112:39 | *p |
| tests.cpp:128:18:128:18 | *q | tests.cpp:116:39:116:39 | *p |
| tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | provenance | |
| tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | provenance | |
| tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | provenance | |
| tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | provenance | |
| tests3.cpp:35:16:35:20 | **p_3_3 | tests3.cpp:38:2:38:6 | *p_3_3 | provenance | |
| tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:35:16:35:20 | **p_3_3 | provenance | |
| tests3.cpp:48:16:48:20 | **p_3_5 | tests3.cpp:56:2:56:6 | *p_3_5 | provenance | |
| tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:48:16:48:20 | **p_3_5 | provenance | |
| tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | provenance | |
| tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p | provenance | |
| tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | provenance | |
| tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | provenance | |
| tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | provenance | |
| tests5.cpp:63:21:63:24 | **g_p2 | tests5.cpp:77:2:77:5 | *g_p2 | provenance | |
| tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:63:21:63:24 | **g_p2 | provenance | |
| tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | provenance | |
| tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | provenance | |
| tests5.cpp:83:2:83:2 | *p | tests5.cpp:85:2:85:2 | *p | provenance | |
| tests5.cpp:85:2:85:2 | *p | tests5.cpp:86:2:86:2 | *p | provenance | |
| tests5.cpp:86:2:86:2 | *p | tests5.cpp:88:2:88:2 | *p | provenance | |
| tests5.cpp:88:2:88:2 | *p | tests5.cpp:89:2:89:2 | *p | provenance | |
| tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p | provenance | |
| tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p | provenance | |
| tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:37:2:37:2 | *p | provenance | |
| tests.cpp:37:2:37:2 | *p | tests.cpp:37:2:37:2 | *p | provenance | |
| tests.cpp:37:2:37:2 | *p | tests.cpp:38:2:38:2 | *p | provenance | |
| tests.cpp:38:2:38:2 | *p | tests.cpp:38:2:38:2 | *p | provenance | |
| tests.cpp:38:2:38:2 | *p | tests.cpp:39:2:39:2 | *p | provenance | |
| tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:53:2:53:2 | *p | provenance | |
| tests.cpp:53:2:53:2 | *p | tests.cpp:53:2:53:2 | *p | provenance | |
| tests.cpp:53:2:53:2 | *p | tests.cpp:55:2:55:2 | *p | provenance | |
| tests.cpp:55:2:55:2 | *p | tests.cpp:55:2:55:2 | *p | provenance | |
| tests.cpp:55:2:55:2 | *p | tests.cpp:56:2:56:2 | *p | provenance | |
| tests.cpp:55:2:55:2 | *p | tests.cpp:57:2:57:2 | *p | provenance | |
| tests.cpp:57:2:57:2 | *p | tests.cpp:57:2:57:2 | *p | provenance | |
| tests.cpp:57:2:57:2 | *p | tests.cpp:59:2:59:2 | *p | provenance | |
| tests.cpp:59:2:59:2 | *p | tests.cpp:59:2:59:2 | *p | provenance | |
| tests.cpp:59:2:59:2 | *p | tests.cpp:60:2:60:2 | *p | provenance | |
| tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p | provenance | |
| tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | provenance | |
| tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | provenance | |
| tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | provenance | |
| tests.cpp:112:39:112:39 | *p | tests.cpp:113:2:113:2 | *p | provenance | |
| tests.cpp:116:39:116:39 | *p | tests.cpp:117:2:117:2 | *p | provenance | |
| tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:126:18:126:18 | *q | provenance | |
| tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:128:18:128:18 | *q | provenance | |
| tests.cpp:126:18:126:18 | *q | tests.cpp:112:39:112:39 | *p | provenance | |
| tests.cpp:128:18:128:18 | *q | tests.cpp:116:39:116:39 | *p | provenance | |
nodes
| tests2.cpp:20:17:20:31 | call to SAXParser | semmle.label | call to SAXParser |
| tests2.cpp:22:2:22:2 | *p | semmle.label | *p |

2
cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected
View File

@@ -1,5 +1,5 @@
edges
| test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... |
| test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | provenance | |
nodes
| test.cpp:20:29:20:47 | *call to getenv | semmle.label | *call to getenv |
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |