C++: Fix some Ql4Ql violations.

2026-04-28 10:15:14 +02:00 · 2025-09-03 08:14:20 +02:00
parent 31852985e5
commit 83d53baf82
33 changed files with 111 additions and 85 deletions
--- a/Bugs/RedundantNullCheckParam.ql
+++ b/Bugs/RedundantNullCheckParam.ql
@@ -47,7 +47,7 @@ where
  // for a function parameter
  unchecked.getTarget() = param and
  // this function parameter is not overwritten
-  count(param.getAnAssignment()) = 0 and
+  not exists(param.getAnAssignment()) and
  check.getTarget() = param and
  // which is once checked
  candidateResultChecked(check, eqop) and
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -19,16 +19,17 @@ import cpp
 * Errors when using a variable declaration inside a loop.
 */
 class DangerousWhileLoop extends WhileStmt {
-  Expr exp;
  Declaration dl;

  DangerousWhileLoop() {
    this = dl.getParentScope().(BlockStmt).getParent*() and
-    exp = this.getCondition().getAChild*() and
-    not exp instanceof PointerFieldAccess and
-    not exp instanceof ValueFieldAccess and
-    exp.(VariableAccess).getTarget().getName() = dl.getName() and
-    not exp.getParent*() instanceof FunctionCall
+    exists(Expr exp |
+      exp = this.getCondition().getAChild*() and
+      not exp instanceof PointerFieldAccess and
+      not exp instanceof ValueFieldAccess and
+      exp.(VariableAccess).getTarget().getName() = dl.getName() and
+      not exp.getParent*() instanceof FunctionCall
+    )
  }

  Declaration getDeclaration() { result = dl }
--- a/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
@@ -46,7 +46,7 @@ predicate exprMayBeString(Expr exp) {
  )
 }

-/** Holds if expression is constant or operator call `sizeof`. */
+/** Holds if expression `exp` is constant or operator call `sizeof`. */
 predicate argConstOrSizeof(Expr exp) {
  exp.getValue().toInt() > 1 or
  exp.(SizeofTypeOperator).getTypeOperand().getSize() > 1
--- a/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
@@ -15,7 +15,7 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions

-/** Holds if a `fc` function call is available before or after a `chdir` function call. */
+/** Holds if a `fcp` function call is available before or after a `chdir` function call. */
 predicate inExistsChdir(FunctionCall fcp) {
  exists(FunctionCall fctmp |
    (
@@ -29,7 +29,7 @@ predicate inExistsChdir(FunctionCall fcp) {
  )
 }

-/** Holds if a `fc` function call is available before or after a function call containing a `chdir` call. */
+/** Holds if a `fcp` function call is available before or after a function call containing a `chdir` call. */
 predicate outExistsChdir(FunctionCall fcp) {
  exists(FunctionCall fctmp |
    exists(FunctionCall fctmp2 |
--- a/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
@@ -266,7 +266,7 @@ class LifetimePointerType extends LifetimeIndirectionType {
 class FullExpr extends Expr {
  FullExpr() {
    // A full-expression is not a subexpression
-    not exists(Expr p | this.getParent() = p)
+    not this.getParent() instanceof Expr
    or
    // A sub-expression that is an unevaluated operand
    this.isUnevaluated()