hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into cpp/use-flow-state-inout-barriers

Browse Source
This commit is contained in:
Jeroen Ketema
2025-08-25 17:04:30 +02:00
committed by GitHub
parent 53dbfcb3aa 7de34e4be0
commit a104600d4d
29400 changed files with 2771434 additions and 889441 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/integration-tests/header-variant-tests/clang-pch/a.c Normal file
View File

@@ -0,0 +1,2 @@
#include "a.h"
#define FOUR 4

0
cpp/ql/test/header-variant-tests/clang-pch/a.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/a.h
View File

6
cpp/ql/integration-tests/header-variant-tests/clang-pch/b.c Normal file
View File

@@ -0,0 +1,6 @@
#define TWO 2
#include "b.h"
int main() {
return ONE + TWO + THREE + FOUR;
}

0
cpp/ql/test/header-variant-tests/clang-pch/b.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/b.h
View File

3
cpp/ql/integration-tests/header-variant-tests/clang-pch/c.c Normal file
View File

@@ -0,0 +1,3 @@
int main() {
return ONE + FOUR;
}

1
cpp/ql/test/header-variant-tests/clang-pch/clang-pch.expected → cpp/ql/integration-tests/header-variant-tests/clang-pch/clang-pch.expected
View File

@@ -1,6 +1,7 @@
| b.c:5:3:5:34 | return ... | 10 |
| c.c:2:3:2:20 | return ... | 5 |
| e.c:2:3:2:19 | return ... | 17 |
| g.c:3:3:3:12 | return ... | 20 |
| i.c:3:3:3:12 | return ... | 30 |
| i.c:8:3:8:12 | return ... | 31 |
| i.c:13:3:13:12 | return ... | 32 |

0
cpp/ql/test/header-variant-tests/clang-pch/clang-pch.ql → cpp/ql/integration-tests/header-variant-tests/clang-pch/clang-pch.ql
View File

1
cpp/ql/integration-tests/header-variant-tests/clang-pch/d.c Normal file
View File

@@ -0,0 +1 @@
#import "d.h"

0
cpp/ql/test/header-variant-tests/clang-pch/d.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/d.h
View File

3
cpp/ql/integration-tests/header-variant-tests/clang-pch/e.c Normal file
View File

@@ -0,0 +1,3 @@
int main() {
return SEVENTEEN;
}

5
cpp/ql/integration-tests/header-variant-tests/clang-pch/f.c Normal file
View File

@@ -0,0 +1,5 @@
#if 1
#pragma hdrstop
extern int x;
#define SEEN_F
#endif

5
cpp/ql/integration-tests/header-variant-tests/clang-pch/g.c Normal file
View File

@@ -0,0 +1,5 @@
#ifdef SEEN_F
static int g() {
return 20;
}
#endif

4
cpp/ql/integration-tests/header-variant-tests/clang-pch/h.c Normal file
View File

@@ -0,0 +1,4 @@
#include "h1.h"
#pragma hdrstop
#include "h2.h"
#define SEEN_H

0
cpp/ql/test/header-variant-tests/clang-pch/h1.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/h1.h
View File

0
cpp/ql/test/header-variant-tests/clang-pch/h2.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/h2.h
View File

15
cpp/ql/integration-tests/header-variant-tests/clang-pch/i.c Normal file
View File

@@ -0,0 +1,15 @@
#ifdef SEEN_H
static int h() {
return 30;
}
#endif
#ifdef H1
static int h1() {
return 31;
}
#endif
#ifdef H2
static int h2() {
return 32;
}
#endif

17
cpp/ql/integration-tests/header-variant-tests/clang-pch/test.py Normal file
View File

@@ -0,0 +1,17 @@
import os
def test(codeql, cpp):
os.mkdir("pch")
extractor = cpp.get_tool("extractor")
codeql.database.create(command=[
f'"{extractor}" --mimic-clang -emit-pch -o pch/a.pch a.c',
f'"{extractor}" --mimic-clang -include-pch pch/a.pch -Iextra_dummy_path b.c',
f'"{extractor}" --mimic-clang -include pch/a -Iextra_dummy_path c.c',
f'"{extractor}" --mimic-clang -emit-pch -o pch/d.pch d.c',
f'"{extractor}" --mimic-clang -include-pch pch/d.pch e.c',
f'"{extractor}" --mimic-clang -emit-pch -o pch/f.pch f.c',
f'"{extractor}" --mimic-clang -include-pch pch/f.pch g.c',
f'"{extractor}" --mimic-clang -emit-pch -o pch/h.pch h.c',
f'"{extractor}" --mimic-clang -include-pch pch/h.pch i.c',
])

1
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/a.c Normal file
View File

@@ -0,0 +1 @@
#include "a.h"

0
cpp/ql/test/header-variant-tests/microsoft-pch/a.h → cpp/ql/integration-tests/header-variant-tests/microsoft-pch/a.h
View File

6
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/b.c Normal file
View File

@@ -0,0 +1,6 @@
#pragma hdrstop
#include "b.h"
int b() {
return A;
}

6
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/c.c Normal file
View File

@@ -0,0 +1,6 @@
#include "d.h"
#include "c.h"
int c() {
return A;
}

0
cpp/ql/test/header-variant-tests/microsoft-pch/microsoft-pch.expected → cpp/ql/integration-tests/header-variant-tests/microsoft-pch/microsoft-pch.expected
View File

0
cpp/ql/test/header-variant-tests/microsoft-pch/microsoft-pch.ql → cpp/ql/integration-tests/header-variant-tests/microsoft-pch/microsoft-pch.ql
View File

11
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/test.py Normal file
View File

@@ -0,0 +1,11 @@
import os
def test(codeql, cpp):
os.mkdir("pch")
extractor = cpp.get_tool("extractor")
codeql.database.create(command=[
f'"{extractor}" --mimic-cl /Yca.h /Fppch/a.pch a.c',
f'"{extractor}" --mimic-cl /Yub.h /Fppch/a.pch b.c',
f'"{extractor}" --mimic-cl /Yuc.h /Fppch/a.pch c.c',
])

1
cpp/ql/integration-tests/query-suite/cpp-code-quality-extended.qls.expected Normal file
View File

@@ -0,0 +1 @@

1
cpp/ql/integration-tests/query-suite/cpp-code-quality.qls.expected Normal file
View File

@@ -0,0 +1 @@

60
cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected Normal file
View File

@@ -0,0 +1,60 @@
ql/cpp/ql/src/Critical/DoubleFree.ql
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
ql/cpp/ql/src/Critical/OverflowStatic.ql
ql/cpp/ql/src/Critical/UseAfterFree.ql
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
ql/cpp/ql/src/Summary/LinesOfCode.ql
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

181
cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected Normal file
View File

@@ -0,0 +1,181 @@
ql/cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql
ql/cpp/ql/src/Best Practices/ComplexCondition.ql
ql/cpp/ql/src/Best Practices/Exceptions/AccidentalRethrow.ql
ql/cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql
ql/cpp/ql/src/Best Practices/Exceptions/LeakyCatch.ql
ql/cpp/ql/src/Best Practices/Exceptions/ThrowingPointers.ql
ql/cpp/ql/src/Best Practices/GuardedFree.ql
ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesParameter.ql
ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql
ql/cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
ql/cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql
ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
ql/cpp/ql/src/Best Practices/Likely Errors/Slicing.ql
ql/cpp/ql/src/Best Practices/RuleOfTwo.ql
ql/cpp/ql/src/Best Practices/SloppyGlobal.ql
ql/cpp/ql/src/Best Practices/SwitchLongCase.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql
ql/cpp/ql/src/Best Practices/UseOfGoto.ql
ql/cpp/ql/src/Critical/DeadCodeGoto.ql
ql/cpp/ql/src/Critical/DoubleFree.ql
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
ql/cpp/ql/src/Critical/LargeParameter.ql
ql/cpp/ql/src/Critical/MissingCheckScanf.ql
ql/cpp/ql/src/Critical/NewArrayDeleteMismatch.ql
ql/cpp/ql/src/Critical/NewDeleteArrayMismatch.ql
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
ql/cpp/ql/src/Critical/OverflowStatic.ql
ql/cpp/ql/src/Critical/SizeCheck.ql
ql/cpp/ql/src/Critical/SizeCheck2.ql
ql/cpp/ql/src/Critical/UseAfterFree.ql
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
ql/cpp/ql/src/Documentation/CommentedOutCode.ql
ql/cpp/ql/src/Documentation/FixmeComments.ql
ql/cpp/ql/src/Documentation/UncommentedFunction.ql
ql/cpp/ql/src/Header Cleanup/Cleanup-DuplicateIncludeGuard.ql
ql/cpp/ql/src/Likely Bugs/AmbiguouslySignedBitField.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/UnsignedGEZero.ql
ql/cpp/ql/src/Likely Bugs/ContinueInFalseLoop.ql
ql/cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
ql/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql
ql/cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql
ql/cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.ql
ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
ql/cpp/ql/src/Likely Bugs/Format/TooManyFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/InconsistentCallOnResult.ql
ql/cpp/ql/src/Likely Bugs/InconsistentCheckReturnNull.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/DubiousNullCheck.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/FutileConditional.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/StackAddressEscapes.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
ql/cpp/ql/src/Likely Bugs/NestedLoopSameVar.ql
ql/cpp/ql/src/Likely Bugs/OO/IncorrectConstructorDelegation.ql
ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql
ql/cpp/ql/src/Likely Bugs/OO/ThrowInDestructor.ql
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
ql/cpp/ql/src/Likely Bugs/ReturnConstType.ql
ql/cpp/ql/src/Likely Bugs/ReturnConstTypeMember.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.ql
ql/cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
ql/cpp/ql/src/Summary/LinesOfCode.ql
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 35.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.1.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 89.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 95.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 107.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql
ql/cpp/ql/src/jsf/4.17 Types/AV Rule 148.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 166.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 196.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 197.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.ql

97
cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected Normal file
View File

@@ -0,0 +1,97 @@
ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
ql/cpp/ql/src/Critical/DoubleFree.ql
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
ql/cpp/ql/src/Critical/MissingCheckScanf.ql
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
ql/cpp/ql/src/Critical/OverflowStatic.ql
ql/cpp/ql/src/Critical/SizeCheck.ql
ql/cpp/ql/src/Critical/SizeCheck2.ql
ql/cpp/ql/src/Critical/UseAfterFree.ql
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
ql/cpp/ql/src/Summary/LinesOfCode.ql
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

448
cpp/ql/integration-tests/query-suite/not_included_in_qls.expected Normal file
View File

@@ -0,0 +1,448 @@
ql/cpp/ql/src/AlertSuppression.ql
ql/cpp/ql/src/Architecture/FeatureEnvy.ql
ql/cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql
ql/cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql
ql/cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql
ql/cpp/ql/src/Architecture/General Namespace-Level Information/CyclicNamespaces.ql
ql/cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql
ql/cpp/ql/src/Architecture/General Namespace-Level Information/NamespaceDependencies.ql
ql/cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql
ql/cpp/ql/src/Architecture/InappropriateIntimacy.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/CyclomaticComplexity.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql
ql/cpp/ql/src/Best Practices/Magic Constants/JapaneseEraDate.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicNumbersUseConstant.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicStringsUseConstant.ql
ql/cpp/ql/src/Best Practices/NVI.ql
ql/cpp/ql/src/Best Practices/NVIHub.ql
ql/cpp/ql/src/Best Practices/RuleOfThree.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedIncludes.ql
ql/cpp/ql/src/Critical/DeadCodeCondition.ql
ql/cpp/ql/src/Critical/DeadCodeFunction.ql
ql/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
ql/cpp/ql/src/Critical/DescriptorNeverClosed.ql
ql/cpp/ql/src/Critical/FileMayNotBeClosed.ql
ql/cpp/ql/src/Critical/FileNeverClosed.ql
ql/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
ql/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
ql/cpp/ql/src/Critical/InitialisationNotRun.ql
ql/cpp/ql/src/Critical/LateNegativeTest.ql
ql/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
ql/cpp/ql/src/Critical/MemoryNeverFreed.ql
ql/cpp/ql/src/Critical/MissingNegativityTest.ql
ql/cpp/ql/src/Critical/MissingNullTest.ql
ql/cpp/ql/src/Critical/NotInitialised.ql
ql/cpp/ql/src/Critical/OverflowCalculated.ql
ql/cpp/ql/src/Critical/OverflowDestination.ql
ql/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
ql/cpp/ql/src/Critical/ReturnValueIgnored.ql
ql/cpp/ql/src/Critical/Unused.ql
ql/cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql
ql/cpp/ql/src/Documentation/DocumentApi.ql
ql/cpp/ql/src/Documentation/TodoComments.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/ExitNonterminatingLoop.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/LoopBounds.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 04/Recursion.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 05/HeapMemory.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 07/ThreadSafety.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidNestedSemaphores.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidSemaphores.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/OutOfOrderLocks.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/ReleaseLocksWhenAcquired.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowGoto.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 12/EnumInitialization.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/ExternDeclsInHeader.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeLocalHidesGlobal.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 14/CheckingReturnValues.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 15/CheckingParameterValues.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsConstant.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsDensity.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsNonBoolean.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsSideEffect.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 18/CompoundExpressions.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 19/NoBooleanSideEffects.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUse.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseIfdef.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUsePartial.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseUndisciplined.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 21/MacroInBlock.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 22/UseOfUndef.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleStmtsPerLine.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleVarDeclsPerLine.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 25/FunctionSizeLimits.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 26/DeclarationPointerNesting.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 27/PointerDereferenceInStmt.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerDereferenceMacro.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerIndirectionTypedef.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 31/IncludesFirst.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
ql/cpp/ql/src/Likely Bugs/Conversion/ConversionChangesSign.ql
ql/cpp/ql/src/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql
ql/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
ql/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/BoolValueInBitOp.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/LogicalExprCouldBeSimplified.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/More64BitWaste.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.ql
ql/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
ql/cpp/ql/src/Likely Bugs/OO/VirtualCallInStructor.ql
ql/cpp/ql/src/Likely Bugs/ShortLoopVarName.ql
ql/cpp/ql/src/Metrics/Classes/CAfferentCoupling.ql
ql/cpp/ql/src/Metrics/Classes/CEfferentCoupling.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadBugs.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadDifficulty.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadEffort.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadLength.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadVocabulary.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadVolume.ql
ql/cpp/ql/src/Metrics/Classes/CInheritanceDepth.ql
ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionCK.ql
ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionHS.ql
ql/cpp/ql/src/Metrics/Classes/CLinesOfCode.ql
ql/cpp/ql/src/Metrics/Classes/CNumberOfFields.ql
ql/cpp/ql/src/Metrics/Classes/CNumberOfFunctions.ql
ql/cpp/ql/src/Metrics/Classes/CNumberOfStatements.ql
ql/cpp/ql/src/Metrics/Classes/CPercentageOfComplexCode.ql
ql/cpp/ql/src/Metrics/Classes/CResponse.ql
ql/cpp/ql/src/Metrics/Classes/CSizeOfAPI.ql
ql/cpp/ql/src/Metrics/Classes/CSpecialisation.ql
ql/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
ql/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
ql/cpp/ql/src/Metrics/External/FileCompilationDisplayStrings.ql
ql/cpp/ql/src/Metrics/External/FileCompilationSourceLinks.ql
ql/cpp/ql/src/Metrics/Files/AutogeneratedLOC.ql
ql/cpp/ql/src/Metrics/Files/ConditionalSegmentConditions.ql
ql/cpp/ql/src/Metrics/Files/ConditionalSegmentLines.ql
ql/cpp/ql/src/Metrics/Files/FAfferentCoupling.ql
ql/cpp/ql/src/Metrics/Files/FCommentRatio.ql
ql/cpp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
ql/cpp/ql/src/Metrics/Files/FDirectIncludes.ql
ql/cpp/ql/src/Metrics/Files/FEfferentCoupling.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadBugs.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadDifficulty.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadEffort.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadLength.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadVocabulary.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadVolume.ql
ql/cpp/ql/src/Metrics/Files/FLines.ql
ql/cpp/ql/src/Metrics/Files/FLinesOfCode.ql
ql/cpp/ql/src/Metrics/Files/FLinesOfCommentedOutCode.ql
ql/cpp/ql/src/Metrics/Files/FLinesOfComments.ql
ql/cpp/ql/src/Metrics/Files/FMacroRatio.ql
ql/cpp/ql/src/Metrics/Files/FNumberOfClasses.ql
ql/cpp/ql/src/Metrics/Files/FNumberOfTests.ql
ql/cpp/ql/src/Metrics/Files/FTimeInFrontend.ql
ql/cpp/ql/src/Metrics/Files/FTodoComments.ql
ql/cpp/ql/src/Metrics/Files/FTransitiveIncludes.ql
ql/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.ql
ql/cpp/ql/src/Metrics/Files/FunctionLength.ql
ql/cpp/ql/src/Metrics/Files/NumberOfFunctions.ql
ql/cpp/ql/src/Metrics/Files/NumberOfGlobals.ql
ql/cpp/ql/src/Metrics/Files/NumberOfParameters.ql
ql/cpp/ql/src/Metrics/Files/NumberOfPublicFunctions.ql
ql/cpp/ql/src/Metrics/Files/NumberOfPublicGlobals.ql
ql/cpp/ql/src/Metrics/Functions/FunCyclomaticComplexity.ql
ql/cpp/ql/src/Metrics/Functions/FunIterationNestingDepth.ql
ql/cpp/ql/src/Metrics/Functions/FunLinesOfCode.ql
ql/cpp/ql/src/Metrics/Functions/FunLinesOfComments.ql
ql/cpp/ql/src/Metrics/Functions/FunNumberOfCalls.ql
ql/cpp/ql/src/Metrics/Functions/FunNumberOfParameters.ql
ql/cpp/ql/src/Metrics/Functions/FunNumberOfStatements.ql
ql/cpp/ql/src/Metrics/Functions/FunPercentageOfComments.ql
ql/cpp/ql/src/Metrics/Functions/StatementNestingDepth.ql
ql/cpp/ql/src/Metrics/Internal/ASTConsistency.ql
ql/cpp/ql/src/Metrics/Internal/CallableDisplayStrings.ql
ql/cpp/ql/src/Metrics/Internal/CallableExtents.ql
ql/cpp/ql/src/Metrics/Internal/CallableSourceLinks.ql
ql/cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql
ql/cpp/ql/src/Metrics/Internal/IRConsistency.ql
ql/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql
ql/cpp/ql/src/Metrics/Internal/ReftypeDisplayStrings.ql
ql/cpp/ql/src/Metrics/Internal/ReftypeSourceLinks.ql
ql/cpp/ql/src/Metrics/Namespaces/AbstractNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/ConcreteNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/HighAfferentCouplingNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/HighDistanceFromMainLineNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/HighEfferentCouplingNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/StableNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/UnstableNamespaces.ql
ql/cpp/ql/src/Microsoft/CallWithNullSAL.ql
ql/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
ql/cpp/ql/src/Microsoft/InconsistentSAL.ql
ql/cpp/ql/src/PointsTo/Debug.ql
ql/cpp/ql/src/PointsTo/PreparedStagedPointsTo.ql
ql/cpp/ql/src/PointsTo/Stats.ql
ql/cpp/ql/src/PointsTo/TaintedFormatStrings.ql
ql/cpp/ql/src/Power of 10/Rule 1/UseOfGoto.ql
ql/cpp/ql/src/Power of 10/Rule 1/UseOfJmp.ql
ql/cpp/ql/src/Power of 10/Rule 1/UseOfRecursion.ql
ql/cpp/ql/src/Power of 10/Rule 2/BoundedLoopIterations.ql
ql/cpp/ql/src/Power of 10/Rule 2/ExitPermanentLoop.ql
ql/cpp/ql/src/Power of 10/Rule 3/DynamicAllocAfterInit.ql
ql/cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql
ql/cpp/ql/src/Power of 10/Rule 4/OneStmtPerLine.ql
ql/cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql
ql/cpp/ql/src/Power of 10/Rule 5/AssertionSideEffect.ql
ql/cpp/ql/src/Power of 10/Rule 5/ConstantAssertion.ql
ql/cpp/ql/src/Power of 10/Rule 5/NonBooleanAssertion.ql
ql/cpp/ql/src/Power of 10/Rule 6/GlobalCouldBeStatic.ql
ql/cpp/ql/src/Power of 10/Rule 6/VariableScopeTooLarge.ql
ql/cpp/ql/src/Power of 10/Rule 7/CheckArguments.ql
ql/cpp/ql/src/Power of 10/Rule 7/CheckReturnValues.ql
ql/cpp/ql/src/Power of 10/Rule 8/AvoidConditionalCompilation.ql
ql/cpp/ql/src/Power of 10/Rule 8/PartialMacro.ql
ql/cpp/ql/src/Power of 10/Rule 8/RestrictPreprocessor.ql
ql/cpp/ql/src/Power of 10/Rule 8/UndisciplinedMacro.ql
ql/cpp/ql/src/Power of 10/Rule 9/FunctionPointer.ql
ql/cpp/ql/src/Power of 10/Rule 9/HiddenPointerIndirection.ql
ql/cpp/ql/src/Power of 10/Rule 9/PointerNesting.ql
ql/cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
ql/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
ql/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
ql/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
ql/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
ql/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
ql/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
ql/cpp/ql/src/definitions.ql
ql/cpp/ql/src/experimental/Best Practices/UselessTest.ql
ql/cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql
ql/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
ql/cpp/ql/src/experimental/Likely Bugs/DerefNullResult.ql
ql/cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql
ql/cpp/ql/src/experimental/quantum/PrintCBOMGraph.ql
ql/cpp/ql/src/external/examples/filters/BumpMetricBy10.ql
ql/cpp/ql/src/external/examples/filters/EditDefectMessage.ql
ql/cpp/ql/src/external/examples/filters/ExcludeGeneratedCode.ql
ql/cpp/ql/src/filters/ClassifyFiles.ql
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 1.ql
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 2.ql
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 3.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 11.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 12.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 13.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 14.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 9.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 17.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 18.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 19.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 20.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 21.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 22.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 25.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 26.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 27.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 28.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 29.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 30.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 31.ql
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 33.ql
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 39.ql
ql/cpp/ql/src/jsf/4.08 Implementation Files/AV Rule 40.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 41.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 42.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 43.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 44.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 45.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 46.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 47.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 48.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 49.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 50.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 51.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 52.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.1.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 54.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 57.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 58.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 59.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 60.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 61.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 63.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 68.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 69.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 70.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 73.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 74.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 75.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 76.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 77.1.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 78.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 81.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 85.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.1.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 94.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.1.ql
ql/cpp/ql/src/jsf/4.11 Namespaces/AV Rule 99.ql
ql/cpp/ql/src/jsf/4.12 Templates/AV Rule 104.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 108.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 110.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 111.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 113.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 115.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 119.ql
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 126.ql
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 127.ql
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 133.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 135.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 138.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 139.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 140.ql
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 142.ql
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 143.ql
ql/cpp/ql/src/jsf/4.17 Types/AV Rule 147.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 149.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 150.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.1.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.ql
ql/cpp/ql/src/jsf/4.19 Variables/AV Rule 152.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 154.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 155.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 156.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 157.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 158.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 159.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 160.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 162.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 163.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 164.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 170.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 171.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 175.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 176.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 178.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 179.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 180.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 181.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 182.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 184.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 185.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 186.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 187.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 188.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 190.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 191.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 192.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 193.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 194.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 195.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 198.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 199.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 200.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.1.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 205.ql
ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 206.ql
ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 207.ql
ql/cpp/ql/src/jsf/4.27 Fault Handling/AV Rule 208.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 209.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 210.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 212.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 213.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 214.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 215.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

14
cpp/ql/integration-tests/query-suite/test.py Normal file
View File

@@ -0,0 +1,14 @@
import runs_on
import pytest
from query_suites import *
well_known_query_suites = ['cpp-code-quality.qls', 'cpp-code-quality-extended.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
@runs_on.posix
@pytest.mark.parametrize("query_suite", well_known_query_suites)
def test(codeql, cpp, check_query_suite, query_suite):
check_query_suite(query_suite)
@runs_on.posix
def test_not_included_queries(codeql, cpp, check_queries_not_included):
check_queries_not_included('cpp', well_known_query_suites)

6
cpp/ql/lib/BUILD.bazel
View File

@@ -1,15 +1,13 @@
package(default_visibility = ["//cpp:__pkg__"])
load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
load("@rules_pkg//:mappings.bzl", "pkg_files")
package(default_visibility = ["//cpp:__pkg__"])
pkg_files(
name = "dbscheme",
srcs = ["semmlecode.cpp.dbscheme"],
prefix = "cpp",
)
pkg_files(
name = "dbscheme-stats",
srcs = ["semmlecode.cpp.dbscheme.stats"],
prefix = "cpp",
)

475
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,478 @@
## 5.4.1
### Minor Analysis Improvements
* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.
## 5.4.0
### New Features
* Exposed various SSA-related classes (`Definition`, `PhiNode`, `ExplicitDefinition`, `DirectExplicitDefinition`, and `IndirectExplicitDefinition`) which were previously only usable inside the internal dataflow directory.
### Minor Analysis Improvements
* The `cpp/overrun-write` query now recognizes more bound checks and thus produces fewer false positives.
## 5.3.0
### Deprecated APIs
* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.
### New Features
* Added a `isFinalValueOfParameter` predicate to `DataFlow::Node` which holds when a dataflow node represents the final value of an output parameter of a function.
### Minor Analysis Improvements
* The `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.
* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.
* Added support for `__fp16 _Complex` and `__bf16 _Complex` types
* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.
## 5.2.0
### Deprecated APIs
* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
### New Features
* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
* The Microsoft-specific `__leave` statement is now supported.
* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
### Bug Fixes
* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.
## 5.1.0
### New Features
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
## 5.0.0
### Breaking Changes
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
### New Features
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
* Added support for `wmain` as part of the ArgvSource model.
### Bug Fixes
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
## 4.3.1
### Bug Fixes
* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.
## 4.3.0
### New Features
* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
## 4.2.0
### New Features
* Calling conventions explicitly specified on function declarations (`__cdecl`, `__stdcall`, `__fastcall`, etc.) are now represented as specifiers of those declarations.
* A new class `CallingConventionSpecifier` extending the `Specifier` class was introduced, which represents explicitly specified calling conventions.
## 4.1.0
### New Features
* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
## 4.0.3
No user-facing changes.
## 4.0.2
### Minor Analysis Improvements
* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.
## 4.0.1
No user-facing changes.
## 4.0.0
### Breaking Changes
* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead.
### New Features
* A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
* New classes `PreprocessorElifdef` and `PreprocessorElifndef` were introduced, which represents the C23/C++23 `#elifdef` and `#elifndef` preprocessor directives.
* A new class `TypeLibraryImport` was introduced, which represents the `#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
## 3.2.0
### New Features
* Add a new predicate `getAnIndirectBarrier` to the parameterized module `InstructionBarrierGuard` in `semmle.code.cpp.dataflow.new.DataFlow` for computing indirect dataflow nodes that are guarded by a given instruction. This predicate is similar to the `getAnIndirectBarrier` predicate on the parameterized module `BarrierGuard`.
* A new predicate `getDecltype` was added to the `ProxyClass` class, which yields the decltype for the proxy class.
* Template classes that are of `struct` type are now also instances of the `Struct` class.
* Template classes that are of `union` type are now also instances of the `Union` class.
* A new abstract class `ConfigurationTestFile` (`semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile`) was introduced, which represents files created to test the build configuration. A subclass `CmakeTryCompileFile` of `ConfigurationTestFile` was also introduced, which represents files created by CMake to test the build configuration.
* New predicates `getARequiresClause`, `getTemplateRequiresClause` and `getFunctionRequiresClause` were added to the `FunctionDeclarationEntry` class, which yield the requires clauses when the entry represents a function template declaration with requires clauses.
* A new predicate `getRequiresClause` was added to the `TypeDeclarationEntry` class, which yields the requires clause when the entry represents a class template declaration with a requires clause.
* A new predicate `getRequiresClause` was added to the `VariableDeclarationEntry` class, which yields the requires clause when the entry represents a variable template declaration with a requires clause.
* A new predicate `getTypeConstraint` was added to the `TypeTemplateParameter` class, which yields the type constraint of the parameter if it exists.
* A new class `VariableTemplateSpecialization` was introduced, which represents explicit specializations of variable templates.
* A new predicate `isSpecialization` was added to the `Variable` class, which holds if the variable is a template specialization.
* A new class `ConceptIdExpr` was introduced, which represents C++20 concept id expressions.
* A new class `Concept` was introduced, which represents C++20 concepts.
* The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of concepts.
* A new class `ConstevalIfStmt` was introduced, which represents the C++23 `if consteval` and `if ! consteval` statements.
### Minor Analysis Improvements
* `DefaultOptions::exits` now holds for C23 functions with the `_Noreturn` or `___Noreturn__` attribute.
## 3.1.0
### Deprecated APIs
* The `TemplateParameter` class, representing C++ type template parameters has been deprecated. Use `TypeTemplateParameter` instead.
### New Features
* New classes `SizeofPackExprOperator` and `SizeofPackTypeOperator` were introduced, which represent the C++ `sizeof...` operator taking expressions and type arguments, respectively.
* A new class `TemplateTemplateParameterInstantiation` was introduced, which represents instantiations of template template parameters.
* A new predicate `getAnInstantiation` was added to the `TemplateTemplateParameter` class, which yields instantiations of template template parameters.
* The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of template template parameters.
* A new class `NonTypeTemplateParameter` was introduced, which represents C++ non-type template parameters.
* A new class `TemplateParameterBase` was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.
### Minor Analysis Improvements
* The `Guards` library (`semmle.code.cpp.controlflow.Guards`) has been improved to recognize more guard conditions.
## 3.0.0
### Breaking Changes
* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
### Deprecated APIs
* The `NonThrowingFunction` class (`semmle.code.cpp.models.interfaces.NonThrowing.NonThrowingFunction`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.
## 2.1.1
No user-facing changes.
## 2.1.0
### New Features
* Added a new predicate `DataFlow::getARuntimeTarget` for getting a function that may be invoked by a `Call` expression. Unlike `Call.getTarget` this new predicate may also resolve function pointers.
* Added the predicate `mayBeFromImplicitlyDeclaredFunction()` to the `Call` class to represent calls that may be the return value of an implicitly declared C function.
* Added the predicate `getAnExplicitDeclarationEntry()` to the `Function` class to get a `FunctionDeclarationEntry` that is not implicit.
* Added classes `RequiresExpr`, `SimpleRequirementExpr`, `TypeRequirementExpr`, `CompoundRequirementExpr`, and `NestedRequirementExpr` to represent C++20 requires expressions and the simple, type, compound, and nested requirements that can occur in `requires` expressions.
### Minor Analysis Improvements
* The function call target resolution algorithm has been improved to resolve more calls through function pointers. As a result, dataflow queries may have more results.
## 2.0.2
### Minor Analysis Improvements
* Added taint flow model for `fopen` and related functions.
* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.
## 2.0.1
No user-facing changes.
## 2.0.0
### Breaking Changes
* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
### New Features
* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
* Added a subclass of `Expr` for `__datasizeof` expressions.
### Minor Analysis Improvements
* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.
## 1.4.2
No user-facing changes.
## 1.4.1
No user-facing changes.
## 1.4.0
### New Features
* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete.
### Minor Analysis Improvements
* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.
## 1.3.0
### New Features
* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.
## 1.2.0
### New Features
* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
### Minor Analysis Improvements
* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.
## 1.1.1
No user-facing changes.
## 1.1.0
### New Features
* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.
### Minor Analysis Improvements
* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
## 0.13.1
No user-facing changes.
## 0.13.0
### Breaking Changes
* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
### New Features
* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
### Minor Analysis Improvements
* Source models have been added for the standard library function `getc` (and variations).
* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
* Parameters of functions without definitions now have `ParameterNode`s.
* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
## 0.12.11
No user-facing changes.
## 0.12.10
### New Features
* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant.
* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant.
* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
### Minor Analysis Improvements
* Added destructors for temporary objects with extended lifetimes to the intermediate representation.
## 0.12.9
No user-facing changes.
## 0.12.8
No user-facing changes.
## 0.12.7
### Minor Analysis Improvements
* Added destructors for named objects to the intermediate representation.
## 0.12.6
### New Features
* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.
## 0.12.5
### New Features
* Added the `PreprocBlock.qll` library to this repository. This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.
## 0.12.4
### Minor Analysis Improvements
* Deleted many deprecated predicates and classes with uppercase `XML`, `SSA`, `SAL`, `SQL`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated `StrcatFunction` class, use `semmle.code.cpp.models.implementations.Strcat.qll` instead.
## 0.12.3
### Deprecated APIs
* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
### New Features
* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
### Minor Analysis Improvements
* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
* The deprecated `DefaultTaintTracking` library has been removed.
* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
### Bug Fixes
* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.
## 0.12.2
No user-facing changes.
## 0.12.1
### New Features
* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
## 0.12.0
### Breaking Changes
* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
### Minor Analysis Improvements
* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
* Added models for `strlcpy` and `strlcat`.
* Added models for the `sprintf` variants from the `StrSafe.h` header.
* Added SQL API models for `ODBC`.
* Added taint models for `realloc` and related functions.
## 0.11.0
### Breaking Changes
* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
### New Features
* Added a new class `AdditionalCallTarget` for specifying additional call targets.
### Minor Analysis Improvements
* More field accesses are identified as `ImplicitThisFieldAccess`.
* Added support for new floating-point types in C23 and C++23.
## 0.10.1
### Minor Analysis Improvements
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
## 0.10.0
### Minor Analysis Improvements
* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
non-returning in the IR and dataflow.
* Treat functions that reach the end of the function as returning in the IR.
They used to be treated as unreachable but it is allowed in C.
* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.
## 0.9.3
No user-facing changes.
## 0.9.2
### Deprecated APIs
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
### New Features
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
### Minor Analysis Improvements
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
## 0.9.1
No user-facing changes.

11
cpp/ql/lib/Customizations.qll Normal file
View File

@@ -0,0 +1,11 @@
/**
* Contains customizations to the standard library.
*
* This module is imported by `cpp.qll`, so any customizations defined here automatically
* apply to all queries.
*
* Typical examples of customizations include adding new subclasses of abstract classes such as
* the `RemoteFlowSource` class to model frameworks that are not covered by the standard library.
*/
import cpp

11
cpp/ql/lib/DefaultOptions.qll
View File

@@ -52,17 +52,18 @@ class Options extends string {
/**
* Holds if a call to this function will never return.
*
* By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
* `longjmp`, `__builtin_unreachable` and any function with a
* `noreturn` attribute or specifier.
* By default, this holds for `exit`, `_exit`, `_Exit`, `abort`,
* `__assert_fail`, `longjmp`, `__builtin_unreachable` and any
* function with a `noreturn`, `__noreturn__`, or `_Noreturn`
* attribute or `noreturn` specifier.
*/
predicate exits(Function f) {
f.getAnAttribute().hasName("noreturn")
f.getAnAttribute().hasName(["noreturn", "__noreturn__", "_Noreturn"])
or
f.getASpecifier().hasName("noreturn")
or
f.hasGlobalOrStdName([
"exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
"exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
])
or
CustomOptions::exits(f) // old Options.qll

11
cpp/ql/lib/IDEContextual.qll
View File

@@ -3,6 +3,7 @@
*/
import semmle.files.FileSystem
private import codeql.util.FileSystem
/**
* Returns the `File` matching the given source file name as encoded by the VS
@@ -10,13 +11,5 @@ import semmle.files.FileSystem
*/
cached
File getFileBySourceArchiveName(string name) {
// The name provided for a file in the source archive by the VS Code extension
// has some differences from the absolute path in the database:
// 1. colons are replaced by underscores
// 2. there's a leading slash, even for Windows paths: "C:/foo/bar" ->
// "/C_/foo/bar"
// 3. double slashes in UNC prefixes are replaced with a single slash
// We can handle 2 and 3 together by unconditionally adding a leading slash
// before replacing double slashes.
name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
result = IdeContextual<File>::getFileBySourceArchiveName(name)
}

4
cpp/ql/lib/change-notes/2023-08-24-no-taint-argv-indirections.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

4
cpp/ql/lib/change-notes/2023-08-25-delete-or-delete-array.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`

4
cpp/ql/lib/change-notes/2023-08-25-getAllocatorCall-deprecated.md
View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.

4
cpp/ql/lib/change-notes/2023-08-29-delete-ir.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.

4
cpp/ql/lib/change-notes/2023-09-06-as-defining-argument-off-by-one-fix.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.

5
cpp/ql/lib/change-notes/2023-09-07-return-from-end.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Treat functions that reach the end of the function as returning in the IR.
They used to be treated as unreachable but it is allowed in C.

5
cpp/ql/lib/change-notes/2023-09-08-more-unreachble.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
non-returning in the IR and dataflow.

4
cpp/ql/lib/change-notes/2025-08-19-virtual-dispatch.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The new dataflow/taint-tracking library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`) now resolves virtual function calls more precisely. This results in fewer false positives when running dataflow/taint-tracking queries on C++ projects.

9
cpp/ql/lib/change-notes/released/0.10.0.md Normal file
View File

@@ -0,0 +1,9 @@
## 0.10.0
### Minor Analysis Improvements
* Functions that do not return due to calling functions that don't return (e.g. `exit`) are now detected as
non-returning in the IR and dataflow.
* Treat functions that reach the end of the function as returning in the IR.
They used to be treated as unreachable but it is allowed in C.
* The `DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at `1` instead of `2`. Queries that depend on the single-parameter version of `DataFlow::asDefiningArgument` should have their arguments updated accordingly.

6
cpp/ql/lib/change-notes/released/0.10.1.md Normal file
View File

@@ -0,0 +1,6 @@
## 0.10.1
### Minor Analysis Improvements
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

14
cpp/ql/lib/change-notes/released/0.11.0.md Normal file
View File

@@ -0,0 +1,14 @@
## 0.11.0
### Breaking Changes
* The `Container` and `Folder` classes now derive from `ElementBase` instead of `Locatable`, and no longer expose the `getLocation` predicate. Use `getURL` instead.
### New Features
* Added a new class `AdditionalCallTarget` for specifying additional call targets.
### Minor Analysis Improvements
* More field accesses are identified as `ImplicitThisFieldAccess`.
* Added support for new floating-point types in C23 and C++23.

13
cpp/ql/lib/change-notes/released/0.12.0.md Normal file
View File

@@ -0,0 +1,13 @@
## 0.12.0
### Breaking Changes
* The expressions `AssignPointerAddExpr` and `AssignPointerSubExpr` are no longer subtypes of `AssignBitwiseOperation`.
### Minor Analysis Improvements
* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
* Added models for `strlcpy` and `strlcat`.
* Added models for the `sprintf` variants from the `StrSafe.h` header.
* Added SQL API models for `ODBC`.
* Added taint models for `realloc` and related functions.

5
cpp/ql/lib/change-notes/released/0.12.1.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.12.1
### New Features
* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.

14
cpp/ql/lib/change-notes/released/0.12.10.md Normal file
View File

@@ -0,0 +1,14 @@
## 0.12.10
### New Features
* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant.
* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant.
* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
### Minor Analysis Improvements
* Added destructors for temporary objects with extended lifetimes to the intermediate representation.

3
cpp/ql/lib/change-notes/released/0.12.11.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.12.11
No user-facing changes.

3
cpp/ql/lib/change-notes/released/0.12.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.12.2
No user-facing changes.

20
cpp/ql/lib/change-notes/released/0.12.3.md Normal file
View File

@@ -0,0 +1,20 @@
## 0.12.3
### Deprecated APIs
* The `isUserInput`, `userInputArgument`, and `userInputReturned` predicates from `SecurityOptions` have been deprecated. Use `FlowSource` instead.
### New Features
* `UserDefineLiteral` and `DeductionGuide` classes have been added, representing C++11 user defined literals and C++17 deduction guides.
### Minor Analysis Improvements
* Changed the output of `Node.toString` to better reflect how many indirections a given dataflow node has.
* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.
* The deprecated `DefaultTaintTracking` library has been removed.
* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.
### Bug Fixes
* Under certain circumstances a function declaration that is not also a definition could be associated with a `Function` that did not have the definition as a `FunctionDeclarationEntry`. This is now fixed when only one definition exists, and a unique `Function` will exist that has both the declaration and the definition as a `FunctionDeclarationEntry`.

6
cpp/ql/lib/change-notes/released/0.12.4.md Normal file
View File

@@ -0,0 +1,6 @@
## 0.12.4
### Minor Analysis Improvements
* Deleted many deprecated predicates and classes with uppercase `XML`, `SSA`, `SAL`, `SQL`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated `StrcatFunction` class, use `semmle.code.cpp.models.implementations.Strcat.qll` instead.

6
cpp/ql/lib/change-notes/released/0.12.5.md Normal file
View File

@@ -0,0 +1,6 @@
## 0.12.5
### New Features
* Added the `PreprocBlock.qll` library to this repository. This library offers a view of `#if`, `#elif`, `#else` and similar directives as a tree with navigable parent-child relationships.
* Added a new `ThrowingFunction` abstract class that can be used to model an external function that may throw an exception.

5
cpp/ql/lib/change-notes/released/0.12.6.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.12.6
### New Features
* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.

5
cpp/ql/lib/change-notes/released/0.12.7.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.12.7
### Minor Analysis Improvements
* Added destructors for named objects to the intermediate representation.

3
cpp/ql/lib/change-notes/released/0.12.8.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.12.8
No user-facing changes.

3
cpp/ql/lib/change-notes/released/0.12.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.12.9
No user-facing changes.

16
cpp/ql/lib/change-notes/released/0.13.0.md Normal file
View File

@@ -0,0 +1,16 @@
## 0.13.0
### Breaking Changes
* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
### New Features
* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
### Minor Analysis Improvements
* Source models have been added for the standard library function `getc` (and variations).
* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
* Parameters of functions without definitions now have `ParameterNode`s.
* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.

3
cpp/ql/lib/change-notes/released/0.13.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.13.1
No user-facing changes.

14
cpp/ql/lib/change-notes/released/0.9.2.md Normal file
View File

@@ -0,0 +1,14 @@
## 0.9.2
### Deprecated APIs
* `getAllocatorCall` on `DeleteExpr` and `DeleteArrayExpr` has been deprecated. `getDeallocatorCall` should be used instead.
### New Features
* Added `DeleteOrDeleteArrayExpr` as a super type of `DeleteExpr` and `DeleteArrayExpr`
### Minor Analysis Improvements
* `delete` and `delete[]` are now modeled as calls to the relevant `operator delete` in the IR. In the case of a dynamic delete call a new instruction `VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.

3
cpp/ql/lib/change-notes/released/0.9.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.9.3
No user-facing changes.

5
cpp/ql/lib/change-notes/released/1.0.0.md Normal file
View File

@@ -0,0 +1,5 @@
## 1.0.0
### Breaking Changes
* CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

9
cpp/ql/lib/change-notes/released/1.1.0.md Normal file
View File

@@ -0,0 +1,9 @@
## 1.1.0
### New Features
* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.
### Minor Analysis Improvements
* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.

3
cpp/ql/lib/change-notes/released/1.1.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.1.1
No user-facing changes.

11
cpp/ql/lib/change-notes/released/1.2.0.md Normal file
View File

@@ -0,0 +1,11 @@
## 1.2.0
### New Features
* The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See `dataflow/ExternalFlow.qll` for the updated documentation and specification for the model format.
* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.
### Minor Analysis Improvements
* The queries "Potential double free" (`cpp/double-free`) and "Potential use after free" (`cpp/use-after-free`) now produce fewer false positives.
* The "Guards" library (`semmle.code.cpp.controlflow.Guards`) now also infers guards from calls to the builtin operation `__builtin_expect`. As a result, some queries may produce fewer false positives.

7
cpp/ql/lib/change-notes/released/1.3.0.md Normal file
View File

@@ -0,0 +1,7 @@
## 1.3.0
### New Features
* Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example, `.qlref`s that reference path-problem queries) will need to be have their expected output updated accordingly.
* Added subclasses of `BuiltInOperations` for `__builtin_has_attribute`, `__builtin_is_corresponding_member`, `__builtin_is_pointer_interconvertible_with_class`, `__is_assignable_no_precondition_check`, `__is_bounded_array`, `__is_convertible`, `__is_corresponding_member`, `__is_nothrow_convertible`, `__is_pointer_interconvertible_with_class`, `__is_referenceable`, `__is_same_as`, `__is_trivially_copy_assignable`, `__is_unbounded_array`, `__is_valid_winrt_type`, `_is_win_class`, `__is_win_interface`, `__reference_binds_to_temporary`, `__reference_constructs_from_temporary`, and `__reference_converts_from_temporary`.
* The class `NewArrayExpr` adds a predicate `getArraySize()` to allow a more convenient way to access the static size of the array when the extent is missing.

14
cpp/ql/lib/change-notes/released/1.4.0.md Normal file
View File

@@ -0,0 +1,14 @@
## 1.4.0
### New Features
* A `getTemplateClass` predicate was added to the `DeductionGuide` class to get the class template for which the deduction guide is a guide.
* An `isExplicit` predicate was added to the `Function` class that determines whether the function was declared as explicit.
* A `getExplicitExpr` predicate was added to the `Function` class that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit.
* A `isDestroyingDeleteDeallocation` predicate was added to the `NewOrNewArrayExpr` and `DeleteOrDeleteArrayExpr` classes to indicate whether the deallocation function is a destroying delete.
### Minor Analysis Improvements
* The controlling expression of a `constexpr if` is now always recognized as an unevaluated expression.
* Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
* A `UsingEnumDeclarationEntry` class has been added for C++ `using enum` declarations. As part of this, synthesized `UsingDeclarationEntry`s are no longer emitted for individual enumerators of the referenced enumeration.

3
cpp/ql/lib/change-notes/released/1.4.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.4.1
No user-facing changes.

3
cpp/ql/lib/change-notes/released/1.4.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.4.2
No user-facing changes.

23
cpp/ql/lib/change-notes/released/2.0.0.md Normal file
View File

@@ -0,0 +1,23 @@
## 2.0.0
### Breaking Changes
* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
* Deleted the deprecated `hasQualifiedName` and `isDefined` predicates from the `Declaration` class, use `hasGlobalName` and `hasDefinition` respectively instead.
* Deleted the `getFullSignature` predicate from the `Function` class, use `getIdentityString(Declaration)` from `semmle.code.cpp.Print` instead.
* Deleted the deprecated `freeCall` predicate from `Alloc.qll`. Use `DeallocationExpr` instead.
* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
* Deleted the deprecated `getFieldExpr` predicate from `ClassAggregateLiteral`, use `getAFieldExpr` instead.
* Deleted the deprecated `getElementExpr` predicate from `ArrayOrVectorAggregateLiteral`, use `getAnElementExpr` instead.
### New Features
* Added a class `C11GenericExpr` to represent C11 generic selection expressions. The generic selection is represented as a `Conversion` on the expression that will be selected.
* Added subclasses of `BuiltInOperations` for the `__is_scoped_enum`, `__is_trivially_equality_comparable`, and `__is_trivially_relocatable` builtin operations.
* Added a subclass of `Expr` for `__datasizeof` expressions.
### Minor Analysis Improvements
* Added a data flow model for `swap` member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through `swap` member functions might affect the results.
* Added a data flow model for `realloc`-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through `realloc`-like functions might affect the results.

3
cpp/ql/lib/change-notes/released/2.0.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 2.0.1
No user-facing changes.

6
cpp/ql/lib/change-notes/released/2.0.2.md Normal file
View File

@@ -0,0 +1,6 @@
## 2.0.2
### Minor Analysis Improvements
* Added taint flow model for `fopen` and related functions.
* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.

12
cpp/ql/lib/change-notes/released/2.1.0.md Normal file
View File

@@ -0,0 +1,12 @@
## 2.1.0
### New Features
* Added a new predicate `DataFlow::getARuntimeTarget` for getting a function that may be invoked by a `Call` expression. Unlike `Call.getTarget` this new predicate may also resolve function pointers.
* Added the predicate `mayBeFromImplicitlyDeclaredFunction()` to the `Call` class to represent calls that may be the return value of an implicitly declared C function.
* Added the predicate `getAnExplicitDeclarationEntry()` to the `Function` class to get a `FunctionDeclarationEntry` that is not implicit.
* Added classes `RequiresExpr`, `SimpleRequirementExpr`, `TypeRequirementExpr`, `CompoundRequirementExpr`, and `NestedRequirementExpr` to represent C++20 requires expressions and the simple, type, compound, and nested requirements that can occur in `requires` expressions.
### Minor Analysis Improvements
* The function call target resolution algorithm has been improved to resolve more calls through function pointers. As a result, dataflow queries may have more results.

3
cpp/ql/lib/change-notes/released/2.1.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 2.1.1
No user-facing changes.

9
cpp/ql/lib/change-notes/released/3.0.0.md Normal file
View File

@@ -0,0 +1,9 @@
## 3.0.0
### Breaking Changes
* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
### Deprecated APIs
* The `NonThrowingFunction` class (`semmle.code.cpp.models.interfaces.NonThrowing.NonThrowingFunction`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.

18
cpp/ql/lib/change-notes/released/3.1.0.md Normal file
View File

@@ -0,0 +1,18 @@
## 3.1.0
### Deprecated APIs
* The `TemplateParameter` class, representing C++ type template parameters has been deprecated. Use `TypeTemplateParameter` instead.
### New Features
* New classes `SizeofPackExprOperator` and `SizeofPackTypeOperator` were introduced, which represent the C++ `sizeof...` operator taking expressions and type arguments, respectively.
* A new class `TemplateTemplateParameterInstantiation` was introduced, which represents instantiations of template template parameters.
* A new predicate `getAnInstantiation` was added to the `TemplateTemplateParameter` class, which yields instantiations of template template parameters.
* The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of template template parameters.
* A new class `NonTypeTemplateParameter` was introduced, which represents C++ non-type template parameters.
* A new class `TemplateParameterBase` was introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.
### Minor Analysis Improvements
* The `Guards` library (`semmle.code.cpp.controlflow.Guards`) has been improved to recognize more guard conditions.

23
cpp/ql/lib/change-notes/released/3.2.0.md Normal file
View File

@@ -0,0 +1,23 @@
## 3.2.0
### New Features
* Add a new predicate `getAnIndirectBarrier` to the parameterized module `InstructionBarrierGuard` in `semmle.code.cpp.dataflow.new.DataFlow` for computing indirect dataflow nodes that are guarded by a given instruction. This predicate is similar to the `getAnIndirectBarrier` predicate on the parameterized module `BarrierGuard`.
* A new predicate `getDecltype` was added to the `ProxyClass` class, which yields the decltype for the proxy class.
* Template classes that are of `struct` type are now also instances of the `Struct` class.
* Template classes that are of `union` type are now also instances of the `Union` class.
* A new abstract class `ConfigurationTestFile` (`semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile`) was introduced, which represents files created to test the build configuration. A subclass `CmakeTryCompileFile` of `ConfigurationTestFile` was also introduced, which represents files created by CMake to test the build configuration.
* New predicates `getARequiresClause`, `getTemplateRequiresClause` and `getFunctionRequiresClause` were added to the `FunctionDeclarationEntry` class, which yield the requires clauses when the entry represents a function template declaration with requires clauses.
* A new predicate `getRequiresClause` was added to the `TypeDeclarationEntry` class, which yields the requires clause when the entry represents a class template declaration with a requires clause.
* A new predicate `getRequiresClause` was added to the `VariableDeclarationEntry` class, which yields the requires clause when the entry represents a variable template declaration with a requires clause.
* A new predicate `getTypeConstraint` was added to the `TypeTemplateParameter` class, which yields the type constraint of the parameter if it exists.
* A new class `VariableTemplateSpecialization` was introduced, which represents explicit specializations of variable templates.
* A new predicate `isSpecialization` was added to the `Variable` class, which holds if the variable is a template specialization.
* A new class `ConceptIdExpr` was introduced, which represents C++20 concept id expressions.
* A new class `Concept` was introduced, which represents C++20 concepts.
* The `getTemplateArgumentType` and `getTemplateArgumentValue` predicates of the `Declaration` class now also yield template arguments of concepts.
* A new class `ConstevalIfStmt` was introduced, which represents the C++23 `if consteval` and `if ! consteval` statements.
### Minor Analysis Improvements
* `DefaultOptions::exits` now holds for C23 functions with the `_Noreturn` or `___Noreturn__` attribute.

11
cpp/ql/lib/change-notes/released/4.0.0.md Normal file
View File

@@ -0,0 +1,11 @@
## 4.0.0
### Breaking Changes
* Deleted the deprecated `getAllocatorCall` predicate from `DeleteOrDeleteArrayExpr`, use `getDeallocatorCall` instead.
### New Features
* A new predicate `getOffsetInClass` was added to the `Field` class, which computes the byte offset of a field relative to a given `Class`.
* New classes `PreprocessorElifdef` and `PreprocessorElifndef` were introduced, which represents the C23/C++23 `#elifdef` and `#elifndef` preprocessor directives.
* A new class `TypeLibraryImport` was introduced, which represents the `#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.

3
cpp/ql/lib/change-notes/released/4.0.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 4.0.1
No user-facing changes.

6
cpp/ql/lib/change-notes/released/4.0.2.md Normal file
View File

@@ -0,0 +1,6 @@
## 4.0.2
### Minor Analysis Improvements
* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.

3
cpp/ql/lib/change-notes/released/4.0.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 4.0.3
No user-facing changes.

5
cpp/ql/lib/change-notes/released/4.1.0.md Normal file
View File

@@ -0,0 +1,5 @@
## 4.1.0
### New Features
* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.

6
cpp/ql/lib/change-notes/released/4.2.0.md Normal file
View File

@@ -0,0 +1,6 @@
## 4.2.0
### New Features
* Calling conventions explicitly specified on function declarations (`__cdecl`, `__stdcall`, `__fastcall`, etc.) are now represented as specifiers of those declarations.
* A new class `CallingConventionSpecifier` extending the `Specifier` class was introduced, which represents explicitly specified calling conventions.

8
cpp/ql/lib/change-notes/released/4.3.0.md Normal file
View File

@@ -0,0 +1,8 @@
## 4.3.0
### New Features
* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).

5
cpp/ql/lib/change-notes/released/4.3.1.md Normal file
View File

@@ -0,0 +1,5 @@
## 4.3.1
### Bug Fixes
* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.

23
cpp/ql/lib/change-notes/released/5.0.0.md Normal file
View File

@@ -0,0 +1,23 @@
## 5.0.0
### Breaking Changes
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
### New Features
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
* Added support for `wmain` as part of the ArgvSource model.
### Bug Fixes
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.

5
cpp/ql/lib/change-notes/released/5.1.0.md Normal file
View File

@@ -0,0 +1,5 @@
## 5.1.0
### New Features
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.

16
cpp/ql/lib/change-notes/released/5.2.0.md Normal file
View File

@@ -0,0 +1,16 @@
## 5.2.0
### Deprecated APIs
* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
### New Features
* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
* The Microsoft-specific `__leave` statement is now supported.
* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
### Bug Fixes
* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.

16
cpp/ql/lib/change-notes/released/5.3.0.md Normal file
View File

@@ -0,0 +1,16 @@
## 5.3.0
### Deprecated APIs
* The `UnknownDefaultLocation`, `UnknownExprLocation`, and `UnknownStmtLocation` classes have been deprecated. Use `UnknownLocation` instead.
### New Features
* Added a `isFinalValueOfParameter` predicate to `DataFlow::Node` which holds when a dataflow node represents the final value of an output parameter of a function.
### Minor Analysis Improvements
* The `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.
* The analysis of C/C++ code targeting 64-bit Arm platforms has been improved. This includes support for the Arm-specific builtin functions, support for the `arm_neon.h` header and Neon vector types, and support for the `fp8` scalar type. The `arm_sve.h` header and scalable vectors are only partially supported at this point.
* Added support for `__fp16 _Complex` and `__bf16 _Complex` types
* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

9
cpp/ql/lib/change-notes/released/5.4.0.md Normal file
View File

@@ -0,0 +1,9 @@
## 5.4.0
### New Features
* Exposed various SSA-related classes (`Definition`, `PhiNode`, `ExplicitDefinition`, `DirectExplicitDefinition`, and `IndirectExplicitDefinition`) which were previously only usable inside the internal dataflow directory.
### Minor Analysis Improvements
* The `cpp/overrun-write` query now recognizes more bound checks and thus produces fewer false positives.

7
cpp/ql/lib/change-notes/released/5.4.1.md Normal file
View File

@@ -0,0 +1,7 @@
## 5.4.1
### Minor Analysis Improvements
* The guards libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been improved to recognize more guards.
* Improved dataflow through global variables in the new dataflow library (`semmle.code.cpp.dataflow.new.DataFlow` and `semmle.code.cpp.dataflow.new.TaintTracking`). Queries based on these libraries will produce more results on codebases with many global variables.
* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering` and `semmle.code.cpp.ir.ValueNumbering`) has been improved so more expressions are assigned the same value number.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.1
lastReleaseVersion: 5.4.1

3
cpp/ql/lib/cpp.qll
View File

@@ -13,10 +13,12 @@
* https://github.com/cplusplus/draft/raw/master/papers/n4140.pdf
*/
import Customizations
import semmle.code.cpp.File
import semmle.code.cpp.Linkage
import semmle.code.cpp.Location
import semmle.code.cpp.Compilation
import semmle.code.cpp.Concept
import semmle.code.cpp.Element
import semmle.code.cpp.Namespace
import semmle.code.cpp.Specifier
@@ -34,6 +36,7 @@ import semmle.code.cpp.Field
import semmle.code.cpp.Function
import semmle.code.cpp.MemberFunction
import semmle.code.cpp.Parameter
import semmle.code.cpp.TemplateParameter
import semmle.code.cpp.Variable
import semmle.code.cpp.Initializer
import semmle.code.cpp.FriendDecl

3
cpp/ql/lib/experimental/cryptography/Concepts.qll Normal file
View File

@@ -0,0 +1,3 @@
import experimental.cryptography.CryptoArtifact
import experimental.cryptography.CryptoAlgorithmNames
import experimental.cryptography.modules.OpenSSL as OpenSSL

239
cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll Normal file
View File

@@ -0,0 +1,239 @@
/**
* Names of known cryptographic algorithms.
* The names are standardized into upper-case, no spaces, dashes or underscores.
*/
/**
* Returns a string to represent generally unknown algorithms.
* Predicate is to be used to get a consistent string representation
* for unknown algorithms.
*/
string unknownAlgorithm() { result = "UNKNOWN" }
string getHashType() { result = "HASH" }
string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" }
string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" }
string getKeyDerivationType() { result = "KEY_DERIVATION" }
string getCipherBlockModeType() { result = "BLOCK_MODE" }
string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" }
string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" }
string getEllipticCurveType() { result = "ELLIPTIC_CURVE" }
string getSignatureType() { result = "SIGNATURE" }
string getKeyExchangeType() { result = "KEY_EXCHANGE" }
string getAsymmetricType() {
result in [
getAsymmetricEncryptionType(), getSignatureType(), getKeyExchangeType(),
getEllipticCurveType()
]
}
predicate isKnownType(string algType) {
algType in [
getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(),
getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(),
getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType()
]
}
predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) }
predicate isKnownAlgorithm(string name, string algType) {
isHashingAlgorithm(name) and algType = "HASH"
or
isEncryptionAlgorithm(name, algType) and
algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"]
or
isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION"
or
isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE"
or
isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"]
or
isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE"
or
isSignatureAlgorithm(name) and algType = "SIGNATURE"
or
isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE"
}
/**
* Holds if `name` is a known hashing algorithm in the model/library.
*/
predicate isHashingAlgorithm(string name) {
name =
[
"BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224",
"SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256",
"SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD",
"RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1",
"MDC2", "SIPHASH"
]
}
predicate isEncryptionAlgorithm(string name, string algType) {
isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION"
or
isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION"
}
predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) }
/**
* Holds if `name` corresponds to a known symmetric encryption algorithm.
*/
predicate isSymmetricEncryptionAlgorithm(string name) {
// NOTE: AES is meant to caputure all possible key lengths
name =
[
"AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5",
"CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20",
"CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789",
"GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012",
"GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES",
"DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5",
"RC5", "MAGMA", "KUZNYECHIK"
]
}
/**
* Holds if `name` corresponds to a known key derivation algorithm.
*/
predicate isKeyDerivationAlgorithm(string name) {
name =
[
"ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF",
"HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT",
"X963KDF", "EVPKDF"
]
}
/**
* Holds if `name` corresponds to a known cipher block mode
*/
predicate isCipherBlockModeAlgorithm(string name) {
name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"]
}
/**
* Holds if `name` corresponds to a known padding algorithm
*/
predicate isPaddingAlgorithm(string name, string algType) {
isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING"
or
isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING"
}
/**
* holds if `name` corresponds to a known symmetric padding algorithm
*/
predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] }
/**
* Holds if `name` corresponds to a known asymmetric padding algorithm
*/
predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] }
predicate isBrainpoolCurve(string curveName, int keySize) {
// ALL BRAINPOOL CURVES
keySize in [160, 192, 224, 256, 320, 384, 512] and
(
curveName = "BRAINPOOLP" + keySize.toString() + "R1"
or
curveName = "BRAINPOOLP" + keySize.toString() + "T1"
)
}
predicate isSecCurve(string curveName, int keySize) {
// ALL SEC CURVES
keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and
exists(string suff | suff in ["R1", "R2", "K1"] |
curveName = "SECT" + keySize.toString() + suff or
curveName = "SECP" + keySize.toString() + suff
)
}
predicate isC2Curve(string curveName, int keySize) {
// ALL C2 CURVES
keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and
exists(string pre, string suff |
pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"]
|
curveName = "C2" + pre + keySize.toString() + suff
)
}
predicate isPrimeCurve(string curveName, int keySize) {
// ALL PRIME CURVES
keySize in [192, 239, 256] and
exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff)
}
predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) }
/**
* Holds if `name` corresponds to a known elliptic curve.
*/
predicate isEllipticCurveAlgorithm(string curveName, int keySize) {
isSecCurve(curveName, keySize)
or
isBrainpoolCurve(curveName, keySize)
or
isC2Curve(curveName, keySize)
or
isPrimeCurve(curveName, keySize)
or
curveName = "ES256" and keySize = 256
or
curveName = "CURVE25519" and keySize = 255
or
curveName = "X25519" and keySize = 255
or
curveName = "ED25519" and keySize = 255
or
curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size
or
curveName = "ED448" and keySize = 448
or
curveName = "X448" and keySize = 448
or
curveName = "NUMSP256T1" and keySize = 256
or
curveName = "NUMSP384T1" and keySize = 384
or
curveName = "NUMSP512T1" and keySize = 512
or
curveName = "SM2" and keySize in [256, 512]
}
/**
* Holds if `name` corresponds to a known signature algorithm.
*/
predicate isSignatureAlgorithm(string name) {
name =
[
"DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256",
"ECDSA384", "ECDSA512"
]
}
/**
* Holds if `name` is a key exchange algorithm.
*/
predicate isKeyExchangeAlgorithm(string name) {
name = ["ECDH", "DH", "DIFFIEHELLMAN", "X25519", "X448"]
}
/**
* Holds if `name` corresponds to a known asymmetric encryption.
*/
predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] }

316
cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll Normal file
View File

@@ -0,0 +1,316 @@
import cpp
private import experimental.cryptography.CryptoAlgorithmNames
import semmle.code.cpp.ir.dataflow.TaintTracking
/*
* A cryptographic artifact is a DataFlow::Node associated with some
* operation, algorithm, or any other aspect of cryptography.
*/
abstract class CryptographicArtifact extends Expr { }
// /**
// * Associates a symmetric encryption algorithm with a block mode.
// * The DataFlow::Node representing this association should be the
// * point where the algorithm and block mode are combined.
// * This may be at the call to encryption or in the construction
// * of an object prior to encryption.
// */
// abstract class SymmetricCipher extends CryptographicArtifact{
// abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
// abstract BlockMode getBlockMode();
// final predicate hasBlockMode(){
// exists(this.getBlockMode())
// }
// }
// /**
// * A cryptographic operation is a method call that invokes a cryptographic
// * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm
// * (key generation).
// *
// * Since operations are related to or in support of algorithms, operations must
// * provide a reference to their associated algorithm. Often operataions themselves
// * encapsulate algorithms, so operations can also extend CryptographicAlgorithm
// * and refer to themselves as the target algorithm.
// */
// abstract class CryptographicOperation extends CryptographicArtifact, Call{
// // bindingset[paramName, ind]
// // final DataFlow::Node getParameterSource(int ind, string paramName){
// // result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName))
// // }
// final string getAlgorithmName(){
// if exists(this.getAlgorithm().getName())
// then result = this.getAlgorithm().getName()
// else result = unknownAlgorithm()
// }
// final predicate hasAlgorithm(){
// exists(this.getAlgorithm())
// }
// final predicate isUnknownAlgorithm(){
// this.getAlgorithmName() = unknownAlgorithm()
// or
// not this.hasAlgorithm()
// }
// // TODO: this might have to be parameterized by a configuration source for
// // situations where an operation is passed an algorithm
// abstract CryptographicAlgorithm getAlgorithm();
// }
// /** A key generation operation for asymmetric keys */
// abstract class KeyGen extends CryptographicOperation{
// int getAKeySizeInBits(){
// result = getKeySizeInBits(_)
// }
// final predicate hasKeySize(Expr configSrc){
// exists(this.getKeySizeInBits(configSrc))
// }
// final predicate hasKeySize(){
// exists(this.getAKeySizeInBits())
// }
// abstract Expr getKeyConfigSrc();
// abstract int getKeySizeInBits(Expr configSrc);
// }
abstract class CryptographicOperation extends CryptographicArtifact, Call { }
abstract class KeyGeneration extends CryptographicOperation {
// TODO: what if the algorithm is UNKNOWN?
abstract Expr getKeyConfigurationSource(CryptographicAlgorithm alg);
abstract CryptographicAlgorithm getAlgorithm();
int getKeySizeInBits(CryptographicAlgorithm alg) {
result = this.getKeyConfigurationSource(alg).(Literal).getValue().toInt()
}
predicate hasConstantKeySize(CryptographicAlgorithm alg) { exists(this.getKeySizeInBits(alg)) }
predicate hasKeyConfigurationSource(CryptographicAlgorithm alg) {
exists(this.getKeyConfigurationSource(alg))
}
Expr getAKeyConfigurationSource() { result = this.getKeyConfigurationSource(_) }
}
abstract class AsymmetricKeyGeneration extends KeyGeneration { }
abstract class SymmetricKeyGeneration extends KeyGeneration { }
/**
* A cryptographic algorithm is a `CryptographicArtifact`
* representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`).
* Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5)
* or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")).
* Cryptogrpahic algorithms may also be operations that wrap or abstract one or
* more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7).
*
* In principle, this class should model the location where an algorithm enters the program, not
* necessarily where it is used.
*/
abstract class CryptographicAlgorithm extends CryptographicArtifact {
abstract string getName();
abstract string getAlgType();
// string getAlgType(){
// if this instanceof HashAlgorithm then result = getHashType()
// else if this instanceof KeyDerivationAlgorithm then result = getKeyDerivationType()
// else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricEncryptionType()
// else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricEncryptionType()
// else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricPaddingType()
// else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricPaddingType()
// else if this instanceof EllipticCurveAlgorithm then result = getEllipticCurveType()
// else if this instanceof BlockMode then result = getCipherBlockModeType()
// else if this instanceof KeyExchangeAlgorithm then result = getKeyExchangeType()
// else if this instanceof SigningAlgorithm then result = getSignatureType()
// else result = unknownAlgorithm()
// }
// TODO: handle case where name isn't known, not just unknown?
/**
* Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
* Subclassess should override for more api-specific normalization.
* By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
*/
bindingset[s]
string normalizeName(string s) {
exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]|/", "") |
result = normStr and isKnownAlgorithm(result)
or
result = unknownAlgorithm() and not isKnownAlgorithm(normStr)
)
}
abstract Expr configurationSink();
predicate hasConfigurationSink() { exists(this.configurationSink()) }
}
abstract class HashAlgorithm extends CryptographicAlgorithm {
final string getHashName() {
if exists(string n | n = this.getName() and isHashingAlgorithm(n))
then isHashingAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
override string getAlgType() { result = getHashType() }
}
abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm {
final string getKDFName() {
if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n))
then isKeyDerivationAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
override string getAlgType() { result = getKeyDerivationType() }
}
// abstract class KeyDerivationOperation extends CryptographicOperation{
// DataFlow::Node getIterationSizeSrc(){
// none()
// }
// DataFlow::Node getSaltConfigSrc(){
// none()
// }
// DataFlow::Node getHashConfigSrc(){
// none()
// }
// // TODO: get encryption algorithm for CBC-based KDF?
// DataFlow::Node getDerivedKeySizeSrc(){
// none()
// }
// DataFlow::Node getModeSrc(){
// none()
// }
// // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type?
// abstract predicate requiresIteration();
// abstract predicate requiresSalt();
// abstract predicate requiresHash();
// //abstract predicate requiresKeySize(); // Going to assume all requires a size
// abstract predicate requiresMode();
// }
abstract class EncryptionAlgorithm extends CryptographicAlgorithm {
final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm }
final predicate isSymmetric() { not this.isAsymmetric() }
// NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent
// class does not have this common predicate.
}
/**
* A parent class to represent any algorithm for which
* asymmetric cryptography is involved.
* Intended to be distinct from AsymmetricEncryptionAlgorithm
* which is intended only for asymmetric algorithms that specifically encrypt.
*/
abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { }
/**
* Algorithms directly or indirectly related to asymmetric encryption,
* e.g., RSA, DSA, but also RSA padding algorithms
*/
abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm {
final string getEncryptionName() {
if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n))
then isAsymmetricEncryptionAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
override string getAlgType() { result = getAsymmetricEncryptionType() }
}
/**
* Algorithms directly or indirectly related to symmetric encryption,
* e.g., AES, DES, but also block modes and padding
*/
abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm {
final string getEncryptionName() {
if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
// TODO: add a stream cipher predicate?
override string getAlgType() { result = getSymmetricEncryptionType() }
}
// Used only to categorize all padding into a single object,
// DO_NOT add predicates here. Only for categorization purposes.
abstract class PaddingAlgorithm extends CryptographicAlgorithm { }
abstract class SymmetricPadding extends PaddingAlgorithm {
final string getPaddingName() {
if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n))
then isSymmetricPaddingAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
override string getAlgType() { result = getSymmetricPaddingType() }
}
abstract class AsymmetricPadding extends PaddingAlgorithm {
final string getPaddingName() {
if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n))
then isAsymmetricPaddingAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
override string getAlgType() { result = getAsymmetricPaddingType() }
}
abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm {
final string getCurveName() {
if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n))
then isEllipticCurveAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) }
override string getAlgType() { result = getEllipticCurveType() }
}
abstract class BlockModeAlgorithm extends CryptographicAlgorithm {
final string getBlockModeName() {
if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
then isCipherBlockModeAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
/**
* Gets the source of the IV configuration.
*/
abstract Expr getIVorNonce();
final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
override string getAlgType() { result = getCipherBlockModeType() }
}
// abstract class KeyWrapOperation extends CryptographicOperation{
// }
abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm {
final string getAuthticatedEncryptionName() {
if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
}
abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm {
final string getKeyExchangeName() {
if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))
then isKeyExchangeAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
override string getAlgType() { result = getKeyExchangeType() }
}
abstract class SigningAlgorithm extends AsymmetricAlgorithm {
final string getSigningName() {
if exists(string n | n = this.getName() and isSignatureAlgorithm(n))
then isSignatureAlgorithm(result) and result = this.getName()
else result = unknownAlgorithm()
}
override string getAlgType() { result = getSignatureType() }
}

718
cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll Normal file
View File

@@ -0,0 +1,718 @@
import cpp
import experimental.cryptography.CryptoAlgorithmNames
import experimental.cryptography.CryptoArtifact
import experimental.cryptography.utils.OpenSSL.CryptoFunction
import experimental.cryptography.utils.OpenSSL.AlgorithmSink
import experimental.cryptography.utils.OpenSSL.PassthroughFunction
import experimental.cryptography.utils.OpenSSL.CryptoAlgorithm
import experimental.cryptography.CryptoArtifact
// import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.dataflow.DataFlow
/**
* Problematic case in OpenSSL speed.c
* static const char *names[ALGOR_NUM] = {
* "md2", "mdc2", "md4", "md5", "sha1", "rmd160",
* "sha256", "sha512", "whirlpool", "hmac(md5)",
* "des-cbc", "des-ede3", "rc4", "idea-cbc", "seed-cbc",
* "rc2-cbc", "rc5-cbc", "blowfish", "cast-cbc",
* "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
* "camellia-128-cbc", "camellia-192-cbc", "camellia-256-cbc",
* "evp", "ghash", "rand", "cmac"
* };
*
* Every entry is considered a block mode, hash, and symmetric encryption algorithm
* getEncryptionName for example, will return unknown
*/
predicate nodeToExpr(DataFlow::Node node, Expr e) {
e = node.asExpr() or e = node.asIndirectArgument()
}
Expr getExprFromNode(DataFlow::Node node) { nodeToExpr(node, result) }
DataFlow::Node getNodeFromExpr(Expr e) { nodeToExpr(result, e) }
predicate isEVP_PKEY_CTX(Type t) { t.getUnderlyingType().stripType().getName() = "evp_pkey_ctx_st" }
/**
* An expression representing an EVP_PKEY_CTX* at the location of a
* known AlgorithmSinkArgument.
* The EVP_PKEY_CTX* represents the location where the CTX is tied to the algorithm,
* and can be used as a source for tracing EVP_PKEY_CTX to other operations.
*/
class Known_EVP_PKEY_CTX_Ptr_Source extends Expr {
Known_EVP_PKEY_CTX_Ptr_Source() {
isEVP_PKEY_CTX(this.getUnderlyingType()) and
this.getUnderlyingType() instanceof PointerType and
exists(AlgorithmSinkArgument arg, Call sinkCall |
arg.getSinkCall() = sinkCall and
sinkCall.getAnArgument() = this
or
this = sinkCall
)
}
}
// module CTXFlow implements DataFlow::ConfigSig{
// predicate isSource(DataFlow::Node source) {
// // ASSUMPTION: at a sink, an algorithm is converted into a CTX through a return of the call only
// // and is the primary source of interest for CTX tracing
// source.asExpr() instanceof AlgorithmSinkArgument
// }
// predicate isSink(DataFlow::Node sink){
// sink.asExpr() instanceof CTXSink
// }
// predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// // cls.getName() = "asn1_object_st" flow out on any EVP_PKEY_CTX which is "evp_pkey_ctx_st"
// exists(Call c |
// isEVP_PKEY_CTX(c.getUnderlyingType()) and
// node1.asExpr() = c.getAnArgument() and c = node2.asExpr())
// }
// }
// module CTXFlowConfig = DataFlow::Global<CTXFlow>;
// TODO: currently only handles tracing from literals to sinks
module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.asExpr() instanceof Literal and
// Optimization to reduce literal tracing on integers to only those that are known/relevant NIDs.
(
exists(source.asExpr().getValue().toInt())
implies
source.asExpr().getValue().toInt() < getNIDMax()
) and
// False positives observed inside OBJ_nid2* and OBJ_sn2* functions where NULL is a possible assignment.
// While this is a concern, it only occurs if the object being referenced is NULL to begin with
// Perhaps a different query should be used to find these caes if they represent a threat.
// Filter out any open ssl function source in a function namae Obj_*
// False positives in OpenSSL also observed for CRYPTO_strndup (filtering any CRYPTO_* function)
// due to setting a null byte in the string
(
isPossibleOpenSSLFunction(source.getFunction())
implies
(
not source.getFunction().getName().matches("OBJ_%") and
not source.getFunction().getName().matches("CRYPTO_%")
)
)
}
predicate isSink(DataFlow::Node sink) {
// A sink is a call to a function that takes an algorithm as an argument
// must include checks for asIndirectArgument since the input may be a pointer to an object
// and the member of the object holds the algorithm on the trace.
getExprFromNode(sink) instanceof AlgorithmSinkArgument
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
knownPassThroughStep(node1, node2)
}
predicate isBarrier(DataFlow::Node node) {
// If the node is the 'next' argument of a isCallPassThrough, it is only allowed if it is an out parameter
// i.e., a defining argument. This barrier says that if the node is an expression not an out parameter, it is filtered.
// Out arguments will not be filtered.
exists(Call c | knownPassthoughCall(c, _, node.asExpr()) and c.getAnArgument() = node.asExpr())
or
// False positive reducer, don't flow out through argv
node.asVariable().hasName("argv")
or
node.asIndirectVariable().hasName("argv")
}
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
// Assume a read on crypto identifying field for any object of type asn1_object_st (i.e., ASN1_OBJECT)
exists(Class cls | cls.getName() = "asn1_object_st" |
node.getType().getUnspecifiedType().stripType() = cls and
c.(DataFlow::FieldContent).getField() = cls.getAMember() and
c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]
)
}
}
module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;
/**
* `source` is an expression that is a source of an algorithm of type `algType`.
* `algType` may be `UNKONWN`.
* See CryptoAlgorithmNames for other possible values of `algType`.
*/
bindingset[sinkAlgType]
predicate hasLiteralPathToAlgSink(DataFlow::Node source, DataFlow::Node sink, string sinkAlgType) {
LiteralAlgorithmTracer::flow(source, sink) and
getExprFromNode(sink).(AlgorithmSinkArgument).algType() = sinkAlgType
}
private predicate knownTracedAlgorithm(Literal e, string srcSinkType) {
knownTracedAlgorithm(e, srcSinkType, srcSinkType)
}
private predicate knownTracedAlgorithm(Literal e, string srcType, string sinkType) {
resolveAlgorithmFromLiteral(e, _, srcType) and
hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
isKnownType(sinkType) and
isKnownType(srcType)
}
private predicate unknownTracedLiteralAlgorithm(Literal e, string srcSinkType) {
// Asymmetric special case:
// Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
// an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
if getAsymmetricType() = srcSinkType
then forall(string t | t = getAsymmetricType() | unknownTracedLiteralAlgorithm(e, t, srcSinkType))
else unknownTracedLiteralAlgorithm(e, srcSinkType, srcSinkType)
}
private predicate unknownTracedLiteralAlgorithm(Literal e, string srcType, string sinkType) {
// the literal resolves to an algorithm, but not to the sinktype
// or generally doesn't resolve to any algorithm type
// this case covers 'nonsense' cases e.g., use RSA for symmetric encryption
not resolveAlgorithmFromLiteral(e, _, srcType) and
isValidAlgorithmLiteral(e) and
hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and
isKnownType(sinkType) and
isKnownType(srcType)
}
private predicate unknownTracedNonLiteralAlgorithm(AlgorithmSinkArgument e, string srcSinkType) {
// Asymmetric special case:
// Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms
// an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink
if getAsymmetricType() = srcSinkType
then
forall(string t | t = getAsymmetricType() | unknownTracedNonLiteralAlgorithm(e, t, srcSinkType))
else unknownTracedNonLiteralAlgorithm(e, srcSinkType, srcSinkType)
}
private predicate unknownTracedNonLiteralAlgorithm(
AlgorithmSinkArgument e, string srcType, string sinkType
) {
not hasLiteralPathToAlgSink(_, getNodeFromExpr(e), srcType) and
LiteralAlgorithmTracerConfig::isSink(getNodeFromExpr(e)) and
e.algType() = sinkType and
isKnownType(srcType) and
isKnownType(sinkType)
}
private predicate functionAlgorithm(Call c, string algType) {
isOpenSSLCryptoFunctionCall(c, _, algType)
}
abstract class OpenSSLTracedAlgorithm extends CryptographicAlgorithm {
override string getName() { resolveAlgorithmFromLiteral(this, result, this.getAlgType()) }
override Expr configurationSink() {
exists(DataFlow::Node sink |
hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
|
result = getExprFromNode(sink)
)
}
}
abstract class OpenSSLFunctionAlgorithm extends CryptographicAlgorithm {
override string getName() { isOpenSSLCryptoFunctionCall(this, result, this.getAlgType()) }
override Expr configurationSink() { result = this }
}
abstract class OpenSSLUnknownTracedLiteralAlgorithm extends CryptographicAlgorithm {
override string getName() { result = unknownAlgorithm() }
override Expr configurationSink() {
exists(DataFlow::Node sink |
hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType())
|
result = getExprFromNode(sink)
)
}
}
abstract class OpenSSLUnknownTracedNonLiteralAlgorithm extends CryptographicAlgorithm {
override string getName() { result = unknownAlgorithm() }
override Expr configurationSink() { result = this }
}
module SymmetricEncryption {
abstract class OpenSSLSymmetricEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { }
class OpenSSLSymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
OpenSSLSymmetricEncryptionAlgorithm
{
OpenSSLSymmetricEncryptionTracedAlgorithm() {
knownTracedAlgorithm(this, getSymmetricEncryptionType())
}
}
class OpenSSLSymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
OpenSSLSymmetricEncryptionAlgorithm
{
OpenSSLSymmetricEncryptionFunctionAlgorithm() {
functionAlgorithm(this, getSymmetricEncryptionType())
}
}
class OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
OpenSSLSymmetricEncryptionAlgorithm
{
OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm() {
unknownTracedLiteralAlgorithm(this, getSymmetricEncryptionType())
}
}
class OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
OpenSSLSymmetricEncryptionAlgorithm
{
OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
unknownTracedNonLiteralAlgorithm(this, getSymmetricEncryptionType())
}
}
}
module BlockModes {
/**
* In OpenSSL, block modes are associated directly with symmetric encryption algorithms.
* As such, OpenSSLBLockModes are modeled as extensions of any openssl symmetric encryption algorithm
*/
class OpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
{
OpenSSLBlockModeAlgorithm() {
//two cases, either the block mode is a literal or it is a function call
resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE")
or
isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
}
override string getName() {
resolveAlgorithmFromLiteral(this, result, "BLOCK_MODE")
or
isOpenSSLCryptoFunctionCall(this, result, "BLOCK_MODE")
}
override Expr configurationSink() {
result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
}
override Expr getIVorNonce() {
// TODO
none()
}
}
class UnknownOpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm
{
UnknownOpenSSLBlockModeAlgorithm() {
//two cases, either the block mode is a literal or it is a function call
not resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE") and
not isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE")
}
override string getName() { result = unknownAlgorithm() }
override Expr configurationSink() {
result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink()
}
override Expr getIVorNonce() { none() }
}
}
module Hashes {
abstract class OpenSSLHashAlgorithm extends HashAlgorithm { }
class OpenSSLHashTracedAlgorithm extends OpenSSLTracedAlgorithm, OpenSSLHashAlgorithm {
OpenSSLHashTracedAlgorithm() { knownTracedAlgorithm(this, getHashType()) }
}
class OpenSSLHashFunctionAlgorithm extends OpenSSLFunctionAlgorithm, OpenSSLHashAlgorithm {
OpenSSLHashFunctionAlgorithm() { functionAlgorithm(this, getHashType()) }
}
class OpenSSLHashTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
OpenSSLHashAlgorithm
{
OpenSSLHashTracedUnknownLiteralAlgorithm() {
unknownTracedLiteralAlgorithm(this, getHashType())
}
}
class OpenSSLHashUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
OpenSSLHashAlgorithm
{
OpenSSLHashUnknownNonLiteralTracedAlgorithm() {
unknownTracedNonLiteralAlgorithm(this, getHashType())
}
}
class OpenSSLNullHash extends HashAlgorithm {
OpenSSLNullHash() {
exists(Call c |
this = c and
isPossibleOpenSSLFunction(c.getTarget()) and
c.getTarget().getName() in ["EVP_md_null"]
)
}
override string getName() { result = unknownAlgorithm() }
override Expr configurationSink() { result = this }
}
}
module EllipticCurves {
// TODO: need to address EVP_PKEY_Q_keygen where the type is "EC" but the curve is UNKNOWN?
class OpenSSLEllipticCurveTracedAlgorithm extends OpenSSLTracedAlgorithm, EllipticCurveAlgorithm {
OpenSSLEllipticCurveTracedAlgorithm() { knownTracedAlgorithm(this, getEllipticCurveType()) }
}
class OpenSSLEllipticCurveFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
EllipticCurveAlgorithm
{
OpenSSLEllipticCurveFunctionAlgorithm() { functionAlgorithm(this, getEllipticCurveType()) }
}
class OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
EllipticCurveAlgorithm
{
OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm() {
unknownTracedLiteralAlgorithm(this, getEllipticCurveType())
}
}
class OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
EllipticCurveAlgorithm
{
OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm() {
unknownTracedNonLiteralAlgorithm(this, getEllipticCurveType())
}
}
// https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_ex.html
class OpenSSLNullEllipticCurve extends EllipticCurveAlgorithm {
OpenSSLNullEllipticCurve() {
exists(Call c |
this = c and
isPossibleOpenSSLFunction(c.getTarget()) and
c.getTarget().getName() in ["EC_KEY_new", "EC_KEY_new_ex"]
)
}
override string getName() { result = unknownAlgorithm() }
override Expr configurationSink() { result = this }
}
}
module AsymmetricEncryption {
class OpenSSLAsymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm,
AsymmetricEncryptionAlgorithm
{
OpenSSLAsymmetricEncryptionTracedAlgorithm() {
knownTracedAlgorithm(this, getAsymmetricEncryptionType())
}
}
class OpenSSLAsymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm,
AsymmetricEncryptionAlgorithm
{
OpenSSLAsymmetricEncryptionFunctionAlgorithm() {
functionAlgorithm(this, getAsymmetricEncryptionType())
}
}
class OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
AsymmetricEncryptionAlgorithm
{
OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm() {
unknownTracedLiteralAlgorithm(this, getAsymmetricEncryptionType())
}
}
class OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
AsymmetricEncryptionAlgorithm
{
OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm() {
unknownTracedNonLiteralAlgorithm(this, getAsymmetricEncryptionType())
}
}
}
module SigningAlgorithms {
class OpenSSLSignatureTracedAlgorithm extends OpenSSLTracedAlgorithm, SigningAlgorithm {
OpenSSLSignatureTracedAlgorithm() { knownTracedAlgorithm(this, getSignatureType()) }
}
class OpenSSLSignatureFunctionAlgorithm extends OpenSSLFunctionAlgorithm, SigningAlgorithm {
OpenSSLSignatureFunctionAlgorithm() { functionAlgorithm(this, getSignatureType()) }
}
class OpenSSLSignatureTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
SigningAlgorithm
{
OpenSSLSignatureTracedUnknownLiteralAlgorithm() {
unknownTracedLiteralAlgorithm(this, getSignatureType())
}
}
class OpenSSLSignatureUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
SigningAlgorithm
{
OpenSSLSignatureUnknownNonLiteralTracedAlgorithm() {
unknownTracedNonLiteralAlgorithm(this, getSignatureType())
}
}
}
module KeyExchange {
class OpenSSLKeyExchangeTracedAlgorithm extends OpenSSLTracedAlgorithm, KeyExchangeAlgorithm {
OpenSSLKeyExchangeTracedAlgorithm() { knownTracedAlgorithm(this, getKeyExchangeType()) }
}
class OpenSSLKeyExchangeFunctionAlgorithm extends OpenSSLFunctionAlgorithm, KeyExchangeAlgorithm {
OpenSSLKeyExchangeFunctionAlgorithm() { functionAlgorithm(this, getKeyExchangeType()) }
}
class OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm,
KeyExchangeAlgorithm
{
OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm() {
unknownTracedLiteralAlgorithm(this, getKeyExchangeType())
}
}
class OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm,
KeyExchangeAlgorithm
{
OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm() {
unknownTracedNonLiteralAlgorithm(this, getKeyExchangeType())
}
}
}
module KeyGeneration {
/**
* Functions that explicitly set key generation parameters.
* `sizeInd` is the parameter specifying the size of the key.
* `outInd` is the parameter or return value that the key is written to.
* `outInd` is -1 if the key is written to the return value.
*/
predicate isAsymmetricKeyGenExplicitAlgorithm(Function func, int sizeInd, int outInd) {
isPossibleOpenSSLFunction(func) and
exists(string name | func.hasGlobalName(name) |
name in [
"EVP_PKEY_CTX_set_dsa_paramgen_bits", "DSA_generate_parameters_ex",
"EVP_PKEY_CTX_set_rsa_keygen_bits", "RSA_generate_key_ex", "RSA_generate_key_fips",
"EVP_PKEY_CTX_set_dh_paramgen_prime_len", "DH_generate_parameters_ex"
] and
sizeInd = 1 and
outInd = 0
or
name in ["DSA_generate_parameters", "RSA_generate_key", "DH_generate_parameters"] and
sizeInd = 0 and
outInd = -1
) and
exists(Type t |
(
if sizeInd = -1
then t = func.getType().getUnderlyingType()
else t = func.getParameter(sizeInd).getUnderlyingType()
) and
t instanceof IntegralType and
not t instanceof CharType
)
}
module AsymExplicitAlgKeyLengthFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
// Optimizations to avoid tracing all integers
node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
node.asExpr().(Literal).getValue().toInt() < 8500
}
predicate isSink(DataFlow::Node node) {
exists(FunctionCall c, int sizeInd |
isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), sizeInd, _) and
c.getArgument(sizeInd) = node.asExpr()
)
}
}
module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;
class OpenSSLAsymmetricKeyGenTiedToAlgorithm extends AsymmetricKeyGeneration {
OpenSSLAsymmetricKeyGenTiedToAlgorithm() {
exists(Call c |
this = c and
isPossibleOpenSSLFunction(c.getTarget()) and
isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), _, _)
)
}
override CryptographicAlgorithm getAlgorithm() { result = this }
override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
alg = this and
exists(int sizeInd |
isAsymmetricKeyGenExplicitAlgorithm(this.getTarget(), sizeInd, _) and
AsymExplicitAlgKeyLengthFlow::flow(DataFlow::exprNode(result),
DataFlow::exprNode(this.getArgument(sizeInd)))
)
}
}
module Length_to_RSA_EVP_PKEY_Q_keygen_Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
// Optimizations to avoid tracing all integers
node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values
node.asExpr().(Literal).getValue().toInt() < 5000
}
predicate isSink(DataFlow::Node node) {
exists(FunctionCall c |
c.getTarget().getName() = "EVP_PKEY_Q_keygen" and
isPossibleOpenSSLFunction(c.getTarget()) and
c.getArgument(3) = node.asExpr()
)
}
}
module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =
DataFlow::Global<Length_to_RSA_EVP_PKEY_Q_keygen_Config>;
class OpenSSL_RSA_EVP_PKEY_Q_keygen extends AsymmetricKeyGeneration {
OpenSSL_RSA_EVP_PKEY_Q_keygen() {
exists(Call c |
this = c and
isPossibleOpenSSLFunction(c.getTarget()) and
this.getTarget().getName() = "EVP_PKEY_Q_keygen" and
this.getArgument(3).getUnderlyingType() instanceof IntegralType
)
}
override CryptographicAlgorithm getAlgorithm() {
result.configurationSink().(AlgorithmSinkArgument).getSinkCall() = this
}
override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) {
alg = this.getAlgorithm() and
Length_to_RSA_EVP_PKEY_Q_keygen_Flow::flow(DataFlow::exprNode(result),
DataFlow::exprNode(this.getArgument(3)))
}
}
predicate isKeyGenOperationWithNoSize(Function func) {
isPossibleOpenSSLFunction(func) and
exists(string name | func.hasGlobalName(name) |
name in ["EVP_PKEY_keygen", "DSA_generate_key", "DH_generate_key", "EVP_PKEY_generate"]
)
}
module KeyGenKeySizeInitToKeyGenConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
exists(Call c, Function func, int outInd |
isAsymmetricKeyGenExplicitAlgorithm(func, _, outInd) and
c.getTarget() = func
|
if outInd = -1 then node.asExpr() = c else node.asExpr() = c.getArgument(outInd)
)
}
predicate isSink(DataFlow::Node node) {
exists(Call c |
isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()
)
}
}
module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;
predicate isEVP_PKEY_CTX_Source(DataFlow::Node node, CryptographicAlgorithm alg) {
exists(Call c |
alg.configurationSink().(AlgorithmSinkArgument).getSinkCall() = c and
(
node.asExpr() = c
or
node.asExpr() = c.getAnArgument()
or
node.asDefiningArgument() = c.getAnArgument()
)
) and
(
node.asExpr() instanceof Known_EVP_PKEY_CTX_Ptr_Source
or
node.asDefiningArgument() instanceof Known_EVP_PKEY_CTX_Ptr_Source
)
}
predicate isKeyGen_EVP_PKEY_CTX_Sink(DataFlow::Node node, Call c) {
isKeyGenOperationWithNoSize(c.getTarget()) and nodeToExpr(node, c.getAnArgument())
}
/**
* Trace from EVP_PKEY_CTX* at algorithm sink to keygen,
* users can then extrapolatae the matching algorithm from the alg sink to the keygen
*/
module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
}
module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
DataFlow::Global<EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize>;
/**
* UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume
* is it set on context prior to the call). No path from a key configuration to these operations
* means the key size is UNKNOWN, or more precisely the key size is DEFAULT but
* the defaults can change with each version of OpenSSL, we simply assume the size is generally UNKNOWN.
* ASSUMPTION/TODO: we currently model all known locations where a key size is set explicitly.
* When a key is set implicitly, this usually means a key generation operation
* is called where the operation takes in no key size, and no flow to this operation
* initializes the context with a key size.
* Currently, without a definitive source (set of sources) to start tracing from, we cannot determine
* determine if a single path exists that initializes the context with a key size and another that doesn't.
* Rather than attempt to model all possible sources, we assume that if no path
* from a key config location reaches a generic key generation operation, then the key size is not set.
* NOTE: while this is true, it is possible a key size is set in one path, but not in another
* meaning this approach (and other similar approaches used in this model for UNKNOWN)
* can produce false negatives.
*/
class OpenSSLDefaultKeyGeneration extends AsymmetricKeyGeneration {
OpenSSLDefaultKeyGeneration() {
// this is a call to a function matching isKeyGenOperationWithNoSize
// and there is no flow from a key configuration source to this call
exists(Call c |
this = c and
isKeyGenOperationWithNoSize(this.getTarget()) and
not exists(DataFlow::Node src, DataFlow::Node sink |
KeyGenKeySizeInitToKeyGenFlow::flow(src, sink) and
nodeToExpr(sink, this.getAnArgument())
)
)
}
override CryptographicAlgorithm getAlgorithm() {
if this.getTarget().getName() in ["DSA_generate_key", "DH_generate_key"]
then result = this
else
// NOTE/ASSUMPTION: EVP_PKEY_keygen, EVP_PKEY_generate assume only other possibilities,
// each take in a CTX as the first arg, need to trace from an alg sink from this CTX param
// get every alg sink, get the corresponding call, trace out on any CTX type variable
// to the key gen
// NOTE: looking for any cryptographic algorithm tracing to the keygen to handle
// any odd cases we aren't awaare of where keygen can be used for other algorithm types
exists(DataFlow::Node src, DataFlow::Node sink |
EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow::flow(src, sink) and
isEVP_PKEY_CTX_Source(src, result) and
isKeyGen_EVP_PKEY_CTX_Sink(sink, this)
// TODO: what if there is no CTX source? then the keygen becomes an UNKNOWN sink
)
}
/**
* For this class, there is no known configuration source for any algorithm
*/
override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { none() }
}
}

296
cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll Normal file
View File

@@ -0,0 +1,296 @@
/**
* Predicates/classes for identifying algorithm sinks.
* An Algorithm Sink is a function that takes an algorithm as an argument.
* In particular, any function that takes in an algorithm that until the call
* the algorithm is not definitely known to be an algorithm (e.g., an integer used as an identifier to fetch an algorithm)
*/
//TODO: enforce a hierarchy of AlgorithmSinkArgument, e.g., so I can get all Asymmetric SinkArguments that includes all the strictly RSA etc.
import cpp
import experimental.cryptography.utils.OpenSSL.LibraryFunction
import experimental.cryptography.CryptoAlgorithmNames
predicate isAlgorithmSink(AlgorithmSinkArgument arg, string algType) { arg.algType() = algType }
abstract class AlgorithmSinkArgument extends Expr {
AlgorithmSinkArgument() {
exists(Call c | c.getAnArgument() = this and openSSLLibraryFunc(c.getTarget()))
}
/**
* Gets the function call in which the argument exists
*/
Call getSinkCall() { result.getAnArgument() = this }
abstract string algType();
}
// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
predicate cipherAlgorithmSink(string funcName, int argInd) {
funcName in ["EVP_get_cipherbyname", "EVP_get_cipherbynid", "EVP_get_cipherbyobj"] and argInd = 0
or
funcName = "EVP_CIPHER_fetch" and argInd = 1
}
class CipherAlgorithmSink extends AlgorithmSinkArgument {
CipherAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
cipherAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = getSymmetricEncryptionType() }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_MAC_fetch
predicate macAlgorithmSink(string funcName, int argInd) {
(funcName = "EVP_MAC_fetch" and argInd = 1)
}
class MACAlgorithmSink extends AlgorithmSinkArgument {
MACAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
macAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = "TBD" }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_MD_fetch
predicate messageDigestAlgorithmSink(string funcName, int argInd) {
funcName in ["EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"] and argInd = 0
or
funcName = "EVP_MD_fetch" and argInd = 1
}
class MessageDigestAlgorithmSink extends AlgorithmSinkArgument {
MessageDigestAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
messageDigestAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = getHashType() }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_KEYEXCH_fetch
// https://www.openssl.org/docs/manmaster/man3/EVP_KEM_fetch
predicate keyExchangeAlgorithmSink(string funcName, int argInd) {
funcName = "EVP_KEYEXCH_fetch" and argInd = 1
or
funcName = "EVP_KEM_fetch" and argInd = 1
}
class KeyExchangeAlgorithmSink extends AlgorithmSinkArgument {
KeyExchangeAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
keyExchangeAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = getKeyExchangeType() }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_KEYMGMT_fetch
predicate keyManagementAlgorithmSink(string funcName, int argInd) {
funcName = "EVP_KEYMGMT_fetch" and argInd = 1
}
class KeyManagementAlgorithmSink extends AlgorithmSinkArgument {
KeyManagementAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
keyManagementAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = "TBD" }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_KDF
predicate keyDerivationAlgorithmSink(string funcName, int argInd) {
funcName = "EVP_KDF_fetch" and argInd = 1
}
class KeyDerivationAlgorithmSink extends AlgorithmSinkArgument {
KeyDerivationAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
keyDerivationAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = getKeyDerivationType() }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_ASYM_CIPHER_fetch
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new_CMAC_key.html
predicate asymmetricCipherAlgorithmSink(string funcName, int argInd) {
funcName = "EVP_ASYM_CIPHER_fetch" and argInd = 1
or
funcName = "EVP_PKEY_new_CMAC_key" and argInd = 3
// NOTE: other cases are handled by AsymmetricAlgorithmSink
}
class AsymmetricCipherAlgorithmSink extends AlgorithmSinkArgument {
AsymmetricCipherAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
asymmetricCipherAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
}
class AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen() {
exists(Call c, string funcName |
funcName = c.getTarget().getName() and
this = c.getArgument(3)
|
funcName = "EVP_PKEY_Q_keygen" and
c.getArgument(3).getType().getUnderlyingType() instanceof IntegralType
)
}
override string algType() { result = "ASYMMETRIC_ENCRYPTION" }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_RAND_fetch
predicate randomAlgorithmSink(string funcName, int argInd) {
funcName = "EVP_RAND_fetch" and argInd = 1
}
class RandomAlgorithmSink extends AlgorithmSinkArgument {
RandomAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
randomAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = "TBD" }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_SIGNATURE_fetch
predicate signatureAlgorithmSink(string funcName, int argInd) {
funcName = "EVP_SIGNATURE_fetch" and argInd = 1
}
class SignatureAlgorithmSink extends AlgorithmSinkArgument {
SignatureAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
signatureAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = getSignatureType() }
}
// https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_by_curve_name.html
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.html
predicate ellipticCurveAlgorithmSink(string funcName, int argInd) {
funcName in ["EC_KEY_new_by_curve_name", "EVP_EC_gen"] and argInd = 0
or
funcName = "EC_KEY_new_by_curve_name_ex" and argInd = 2
or
funcName in ["EVP_PKEY_CTX_set_ec_paramgen_curve_nid"] and argInd = 1
}
class EllipticCurveAlgorithmSink extends AlgorithmSinkArgument {
EllipticCurveAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
ellipticCurveAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = getEllipticCurveType() }
}
/**
* Special cased to address the fact that arg index 3 (zero offset based) is the curve name.
* ASSUMPTION: if the arg ind 3 is a char* assume it is an elliptic curve
*/
class EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen() {
exists(Call c, string funcName |
funcName = c.getTarget().getName() and
this = c.getArgument(3)
|
funcName = "EVP_PKEY_Q_keygen" and
c.getArgument(3).getType().getUnderlyingType() instanceof PointerType and
c.getArgument(3).getType().getUnderlyingType().stripType() instanceof CharType
)
}
override string algType() { result = getEllipticCurveType() }
}
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id.html
// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_new_raw_private_key.html
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_Q_keygen.html
// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html
predicate asymmetricAlgorithmSink(string funcName, int argInd) {
funcName = "EVP_PKEY_CTX_new_id" and argInd = 0
or
funcName = "EVP_PKEY_CTX_new_from_name" and argInd = 1
or
funcName in [
"EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key", "EVP_PKEY_new_mac_key"
] and
argInd = 0
or
funcName in ["EVP_PKEY_new_raw_private_key_ex", "EVP_PKEY_new_raw_public_key_ex"] and argInd = 1
or
// special casing this as arg index 3 must be specified depending on if RSA or ECC, and otherwise not specified for other algs
// funcName = "EVP_PKEY_Q_keygen" and argInd = 2
funcName in ["EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"] and argInd = 1
// TODO consider void cases EVP_PKEY_new
}
class AsymmetricAlgorithmSink extends AlgorithmSinkArgument {
AsymmetricAlgorithmSink() {
exists(Call c, string funcName, int argInd |
funcName = c.getTarget().getName() and this = c.getArgument(argInd)
|
asymmetricAlgorithmSink(funcName, argInd)
)
}
override string algType() { result = getAsymmetricType() }
}
class AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument {
AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen() {
exists(Call c, string funcName |
funcName = c.getTarget().getName() and
this = c.getArgument(2)
|
funcName = "EVP_PKEY_Q_keygen" and
not exists(c.getArgument(3))
)
}
override string algType() { result = getAsymmetricType() }
}

Some files were not shown because too many files have changed in this diff Show More