hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-25 00:27:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into update-typegen-2

Browse Source
This commit is contained in:
Chanel
2025-05-21 09:27:44 -07:00
committed by GitHub
parent a410e85d85 2f0b064ee2
commit a17f10d4a9
897 changed files with 47999 additions and 4873 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/mad_modelDiff.yml vendored
View File

@@ -68,7 +68,7 @@ jobs:
DATABASE=$2
cd codeql-$QL_VARIANT
SHORTNAME=`basename $DATABASE`
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
mkdir -p $MODELS/$SHORTNAME
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
cd ..

2
.github/workflows/powershell-pr-check.yml vendored
View File

@@ -26,7 +26,7 @@ jobs:
- name: Install PowerShell
run: |
$path = Split-Path (Get-Command codeql).Source
./powershell/build.ps1 $path
./powershell/build-win64.ps1 $path
- name: Run QL tests
run: |
codeql test run --threads=0 powershell/ql/test

1
CODEOWNERS
View File

@@ -17,6 +17,7 @@
# Experimental CodeQL cryptography
**/experimental/quantum/ @github/ps-codeql
/shared/quantum/ @github/ps-codeql
# CodeQL tools and associated docs
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers

17
MODULE.bazel
View File

@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
bazel_dep(name = "fmt", version = "10.0.0")
bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
bazel_dep(name = "gazelle", version = "0.40.0")
bazel_dep(name = "rules_dotnet", version = "0.17.4")
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -193,10 +193,6 @@ use_repo(
kotlin_extractor_deps,
"codeql_kotlin_defaults",
"codeql_kotlin_embeddable",
"kotlin-compiler-1.5.0",
"kotlin-compiler-1.5.10",
"kotlin-compiler-1.5.20",
"kotlin-compiler-1.5.30",
"kotlin-compiler-1.6.0",
"kotlin-compiler-1.6.20",
"kotlin-compiler-1.7.0",
@@ -208,10 +204,7 @@ use_repo(
"kotlin-compiler-2.0.20-Beta2",
"kotlin-compiler-2.1.0-Beta1",
"kotlin-compiler-2.1.20-Beta1",
"kotlin-compiler-embeddable-1.5.0",
"kotlin-compiler-embeddable-1.5.10",
"kotlin-compiler-embeddable-1.5.20",
"kotlin-compiler-embeddable-1.5.30",
"kotlin-compiler-2.2.0-Beta1",
"kotlin-compiler-embeddable-1.6.0",
"kotlin-compiler-embeddable-1.6.20",
"kotlin-compiler-embeddable-1.7.0",
@@ -223,10 +216,7 @@ use_repo(
"kotlin-compiler-embeddable-2.0.20-Beta2",
"kotlin-compiler-embeddable-2.1.0-Beta1",
"kotlin-compiler-embeddable-2.1.20-Beta1",
"kotlin-stdlib-1.5.0",
"kotlin-stdlib-1.5.10",
"kotlin-stdlib-1.5.20",
"kotlin-stdlib-1.5.30",
"kotlin-compiler-embeddable-2.2.0-Beta1",
"kotlin-stdlib-1.6.0",
"kotlin-stdlib-1.6.20",
"kotlin-stdlib-1.7.0",
@@ -238,6 +228,7 @@ use_repo(
"kotlin-stdlib-2.0.20-Beta2",
"kotlin-stdlib-2.1.0-Beta1",
"kotlin-stdlib-2.1.20-Beta1",
"kotlin-stdlib-2.2.0-Beta1",
)
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

4
actions/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.4.9
No user-facing changes.
## 0.4.8
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.9
No user-facing changes.

2
actions/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.8
lastReleaseVersion: 0.4.9

2
actions/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.8
version: 0.4.9
library: true
warnOnImplicitThis: true
dependencies:

4
actions/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,7 @@
## 0.6.1
No user-facing changes.
## 0.6.0
### Breaking Changes

3
actions/ql/src/change-notes/released/0.6.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.6.1
No user-facing changes.

2
actions/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.0
lastReleaseVersion: 0.6.1

4
actions/ql/src/codeql-suites/actions-code-quality.qls
View File

@@ -1 +1,3 @@
[]
- queries: .
- apply: code-quality-selectors.yml
from: codeql/suite-helpers

2
actions/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.0
version: 0.6.1
library: false
warnOnImplicitThis: true
groups: [actions, queries]

2
cpp/ql/integration-tests/header-variant-tests/clang-pch/a.c Normal file
View File

@@ -0,0 +1,2 @@
#include "a.h"
#define FOUR 4

0
cpp/ql/test/header-variant-tests/clang-pch/a.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/a.h
View File

0
cpp/ql/test/header-variant-tests/clang-pch/b.c → cpp/ql/integration-tests/header-variant-tests/clang-pch/b.c
View File

0
cpp/ql/test/header-variant-tests/clang-pch/b.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/b.h
View File

3
cpp/ql/integration-tests/header-variant-tests/clang-pch/c.c Normal file
View File

@@ -0,0 +1,3 @@
int main() {
return ONE + FOUR;
}

0
cpp/ql/test/header-variant-tests/clang-pch/clang-pch.expected → cpp/ql/integration-tests/header-variant-tests/clang-pch/clang-pch.expected
View File

0
cpp/ql/test/header-variant-tests/clang-pch/clang-pch.ql → cpp/ql/integration-tests/header-variant-tests/clang-pch/clang-pch.ql
View File

1
cpp/ql/integration-tests/header-variant-tests/clang-pch/d.c Normal file
View File

@@ -0,0 +1 @@
#import "d.h"

0
cpp/ql/test/header-variant-tests/clang-pch/d.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/d.h
View File

3
cpp/ql/integration-tests/header-variant-tests/clang-pch/e.c Normal file
View File

@@ -0,0 +1,3 @@
int main() {
return SEVENTEEN;
}

5
cpp/ql/integration-tests/header-variant-tests/clang-pch/f.c Normal file
View File

@@ -0,0 +1,5 @@
#if 1
#pragma hdrstop
extern int x;
#define SEEN_F
#endif

5
cpp/ql/integration-tests/header-variant-tests/clang-pch/g.c Normal file
View File

@@ -0,0 +1,5 @@
#ifdef SEEN_F
static int g() {
return 20;
}
#endif

4
cpp/ql/integration-tests/header-variant-tests/clang-pch/h.c Normal file
View File

@@ -0,0 +1,4 @@
#include "h1.h"
#pragma hdrstop
#include "h2.h"
#define SEEN_H

0
cpp/ql/test/header-variant-tests/clang-pch/h1.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/h1.h
View File

0
cpp/ql/test/header-variant-tests/clang-pch/h2.h → cpp/ql/integration-tests/header-variant-tests/clang-pch/h2.h
View File

1
cpp/ql/test/header-variant-tests/clang-pch/i.c → cpp/ql/integration-tests/header-variant-tests/clang-pch/i.c
View File

@@ -13,4 +13,3 @@ static int h2() {
return 32;
}
#endif
// semmle-extractor-options: --clang -include-pch ${testdir}/clang-pch.testproj/h.pch

17
cpp/ql/integration-tests/header-variant-tests/clang-pch/test.py Normal file
View File

@@ -0,0 +1,17 @@
import os
def test(codeql, cpp):
os.mkdir("pch")
extractor = cpp.get_tool("extractor")
codeql.database.create(command=[
f'"{extractor}" --mimic-clang -emit-pch -o pch/a.pch a.c',
f'"{extractor}" --mimic-clang -include-pch pch/a.pch -Iextra_dummy_path b.c',
f'"{extractor}" --mimic-clang -include pch/a -Iextra_dummy_path c.c',
f'"{extractor}" --mimic-clang -emit-pch -o pch/d.pch d.c',
f'"{extractor}" --mimic-clang -include-pch pch/d.pch e.c',
f'"{extractor}" --mimic-clang -emit-pch -o pch/f.pch f.c',
f'"{extractor}" --mimic-clang -include-pch pch/f.pch g.c',
f'"{extractor}" --mimic-clang -emit-pch -o pch/h.pch h.c',
f'"{extractor}" --mimic-clang -include-pch pch/h.pch i.c',
])

1
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/a.c Normal file
View File

@@ -0,0 +1 @@
#include "a.h"

0
cpp/ql/test/header-variant-tests/microsoft-pch/a.h → cpp/ql/integration-tests/header-variant-tests/microsoft-pch/a.h
View File

6
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/b.c Normal file
View File

@@ -0,0 +1,6 @@
#pragma hdrstop
#include "b.h"
int b() {
return A;
}

6
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/c.c Normal file
View File

@@ -0,0 +1,6 @@
#include "d.h"
#include "c.h"
int c() {
return A;
}

0
cpp/ql/test/header-variant-tests/microsoft-pch/microsoft-pch.expected → cpp/ql/integration-tests/header-variant-tests/microsoft-pch/microsoft-pch.expected
View File

0
cpp/ql/test/header-variant-tests/microsoft-pch/microsoft-pch.ql → cpp/ql/integration-tests/header-variant-tests/microsoft-pch/microsoft-pch.ql
View File

11
cpp/ql/integration-tests/header-variant-tests/microsoft-pch/test.py Normal file
View File

@@ -0,0 +1,11 @@
import os
def test(codeql, cpp):
os.mkdir("pch")
extractor = cpp.get_tool("extractor")
codeql.database.create(command=[
f'"{extractor}" --mimic-cl /Yca.h /Fppch/a.pch a.c',
f'"{extractor}" --mimic-cl /Yub.h /Fppch/a.pch b.c',
f'"{extractor}" --mimic-cl /Yuc.h /Fppch/a.pch c.c',
])

1
cpp/ql/integration-tests/query-suite/cpp-code-quality.qls.expected Normal file
View File

@@ -0,0 +1 @@

60
cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected Normal file
View File

@@ -0,0 +1,60 @@
ql/cpp/ql/src/Critical/DoubleFree.ql
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
ql/cpp/ql/src/Critical/OverflowStatic.ql
ql/cpp/ql/src/Critical/UseAfterFree.ql
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
ql/cpp/ql/src/Summary/LinesOfCode.ql
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

181
cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected Normal file
View File

@@ -0,0 +1,181 @@
ql/cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql
ql/cpp/ql/src/Best Practices/ComplexCondition.ql
ql/cpp/ql/src/Best Practices/Exceptions/AccidentalRethrow.ql
ql/cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql
ql/cpp/ql/src/Best Practices/Exceptions/LeakyCatch.ql
ql/cpp/ql/src/Best Practices/Exceptions/ThrowingPointers.ql
ql/cpp/ql/src/Best Practices/GuardedFree.ql
ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesParameter.ql
ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql
ql/cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
ql/cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql
ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
ql/cpp/ql/src/Best Practices/Likely Errors/Slicing.ql
ql/cpp/ql/src/Best Practices/RuleOfTwo.ql
ql/cpp/ql/src/Best Practices/SloppyGlobal.ql
ql/cpp/ql/src/Best Practices/SwitchLongCase.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql
ql/cpp/ql/src/Best Practices/UseOfGoto.ql
ql/cpp/ql/src/Critical/DeadCodeGoto.ql
ql/cpp/ql/src/Critical/DoubleFree.ql
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
ql/cpp/ql/src/Critical/LargeParameter.ql
ql/cpp/ql/src/Critical/MissingCheckScanf.ql
ql/cpp/ql/src/Critical/NewArrayDeleteMismatch.ql
ql/cpp/ql/src/Critical/NewDeleteArrayMismatch.ql
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
ql/cpp/ql/src/Critical/OverflowStatic.ql
ql/cpp/ql/src/Critical/SizeCheck.ql
ql/cpp/ql/src/Critical/SizeCheck2.ql
ql/cpp/ql/src/Critical/UseAfterFree.ql
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
ql/cpp/ql/src/Documentation/CommentedOutCode.ql
ql/cpp/ql/src/Documentation/FixmeComments.ql
ql/cpp/ql/src/Documentation/UncommentedFunction.ql
ql/cpp/ql/src/Header Cleanup/Cleanup-DuplicateIncludeGuard.ql
ql/cpp/ql/src/Likely Bugs/AmbiguouslySignedBitField.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/UnsignedGEZero.ql
ql/cpp/ql/src/Likely Bugs/ContinueInFalseLoop.ql
ql/cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
ql/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql
ql/cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql
ql/cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.ql
ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
ql/cpp/ql/src/Likely Bugs/Format/TooManyFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/InconsistentCallOnResult.ql
ql/cpp/ql/src/Likely Bugs/InconsistentCheckReturnNull.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/DubiousNullCheck.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/FutileConditional.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/StackAddressEscapes.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
ql/cpp/ql/src/Likely Bugs/NestedLoopSameVar.ql
ql/cpp/ql/src/Likely Bugs/OO/IncorrectConstructorDelegation.ql
ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql
ql/cpp/ql/src/Likely Bugs/OO/ThrowInDestructor.ql
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
ql/cpp/ql/src/Likely Bugs/ReturnConstType.ql
ql/cpp/ql/src/Likely Bugs/ReturnConstTypeMember.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.ql
ql/cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
ql/cpp/ql/src/Summary/LinesOfCode.ql
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 35.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.1.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 89.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 95.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 107.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql
ql/cpp/ql/src/jsf/4.17 Types/AV Rule 148.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 166.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 196.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 197.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.ql

97
cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected Normal file
View File

@@ -0,0 +1,97 @@
ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
ql/cpp/ql/src/Critical/DoubleFree.ql
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
ql/cpp/ql/src/Critical/MissingCheckScanf.ql
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
ql/cpp/ql/src/Critical/OverflowStatic.ql
ql/cpp/ql/src/Critical/SizeCheck.ql
ql/cpp/ql/src/Critical/SizeCheck2.ql
ql/cpp/ql/src/Critical/UseAfterFree.ql
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
ql/cpp/ql/src/Summary/LinesOfCode.ql
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

448
cpp/ql/integration-tests/query-suite/not_included_in_qls.expected Normal file
View File

@@ -0,0 +1,448 @@
ql/cpp/ql/src/AlertSuppression.ql
ql/cpp/ql/src/Architecture/FeatureEnvy.ql
ql/cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql
ql/cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql
ql/cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql
ql/cpp/ql/src/Architecture/General Namespace-Level Information/CyclicNamespaces.ql
ql/cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql
ql/cpp/ql/src/Architecture/General Namespace-Level Information/NamespaceDependencies.ql
ql/cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql
ql/cpp/ql/src/Architecture/InappropriateIntimacy.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/CyclomaticComplexity.ql
ql/cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql
ql/cpp/ql/src/Best Practices/Magic Constants/JapaneseEraDate.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicNumbersUseConstant.ql
ql/cpp/ql/src/Best Practices/Magic Constants/MagicStringsUseConstant.ql
ql/cpp/ql/src/Best Practices/NVI.ql
ql/cpp/ql/src/Best Practices/NVIHub.ql
ql/cpp/ql/src/Best Practices/RuleOfThree.ql
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedIncludes.ql
ql/cpp/ql/src/Critical/DeadCodeCondition.ql
ql/cpp/ql/src/Critical/DeadCodeFunction.ql
ql/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
ql/cpp/ql/src/Critical/DescriptorNeverClosed.ql
ql/cpp/ql/src/Critical/FileMayNotBeClosed.ql
ql/cpp/ql/src/Critical/FileNeverClosed.ql
ql/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
ql/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
ql/cpp/ql/src/Critical/InitialisationNotRun.ql
ql/cpp/ql/src/Critical/LateNegativeTest.ql
ql/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
ql/cpp/ql/src/Critical/MemoryNeverFreed.ql
ql/cpp/ql/src/Critical/MissingNegativityTest.ql
ql/cpp/ql/src/Critical/MissingNullTest.ql
ql/cpp/ql/src/Critical/NotInitialised.ql
ql/cpp/ql/src/Critical/OverflowCalculated.ql
ql/cpp/ql/src/Critical/OverflowDestination.ql
ql/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
ql/cpp/ql/src/Critical/ReturnValueIgnored.ql
ql/cpp/ql/src/Critical/Unused.ql
ql/cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql
ql/cpp/ql/src/Documentation/DocumentApi.ql
ql/cpp/ql/src/Documentation/TodoComments.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/ExitNonterminatingLoop.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/LoopBounds.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 04/Recursion.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 05/HeapMemory.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 07/ThreadSafety.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidNestedSemaphores.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidSemaphores.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/OutOfOrderLocks.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/ReleaseLocksWhenAcquired.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowGoto.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
ql/cpp/ql/src/JPL_C/LOC-2/Rule 12/EnumInitialization.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/ExternDeclsInHeader.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeLocalHidesGlobal.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 14/CheckingReturnValues.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 15/CheckingParameterValues.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsConstant.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsDensity.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsNonBoolean.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsSideEffect.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 18/CompoundExpressions.ql
ql/cpp/ql/src/JPL_C/LOC-3/Rule 19/NoBooleanSideEffects.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUse.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseIfdef.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUsePartial.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseUndisciplined.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 21/MacroInBlock.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 22/UseOfUndef.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleStmtsPerLine.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleVarDeclsPerLine.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 25/FunctionSizeLimits.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 26/DeclarationPointerNesting.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 27/PointerDereferenceInStmt.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerDereferenceMacro.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerIndirectionTypedef.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql
ql/cpp/ql/src/JPL_C/LOC-4/Rule 31/IncludesFirst.ql
ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
ql/cpp/ql/src/Likely Bugs/Conversion/ConversionChangesSign.ql
ql/cpp/ql/src/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql
ql/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
ql/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
ql/cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/BoolValueInBitOp.ql
ql/cpp/ql/src/Likely Bugs/Likely Typos/LogicalExprCouldBeSimplified.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/More64BitWaste.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.ql
ql/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
ql/cpp/ql/src/Likely Bugs/OO/VirtualCallInStructor.ql
ql/cpp/ql/src/Likely Bugs/ShortLoopVarName.ql
ql/cpp/ql/src/Metrics/Classes/CAfferentCoupling.ql
ql/cpp/ql/src/Metrics/Classes/CEfferentCoupling.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadBugs.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadDifficulty.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadEffort.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadLength.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadVocabulary.ql
ql/cpp/ql/src/Metrics/Classes/CHalsteadVolume.ql
ql/cpp/ql/src/Metrics/Classes/CInheritanceDepth.ql
ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionCK.ql
ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionHS.ql
ql/cpp/ql/src/Metrics/Classes/CLinesOfCode.ql
ql/cpp/ql/src/Metrics/Classes/CNumberOfFields.ql
ql/cpp/ql/src/Metrics/Classes/CNumberOfFunctions.ql
ql/cpp/ql/src/Metrics/Classes/CNumberOfStatements.ql
ql/cpp/ql/src/Metrics/Classes/CPercentageOfComplexCode.ql
ql/cpp/ql/src/Metrics/Classes/CResponse.ql
ql/cpp/ql/src/Metrics/Classes/CSizeOfAPI.ql
ql/cpp/ql/src/Metrics/Classes/CSpecialisation.ql
ql/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
ql/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
ql/cpp/ql/src/Metrics/External/FileCompilationDisplayStrings.ql
ql/cpp/ql/src/Metrics/External/FileCompilationSourceLinks.ql
ql/cpp/ql/src/Metrics/Files/AutogeneratedLOC.ql
ql/cpp/ql/src/Metrics/Files/ConditionalSegmentConditions.ql
ql/cpp/ql/src/Metrics/Files/ConditionalSegmentLines.ql
ql/cpp/ql/src/Metrics/Files/FAfferentCoupling.ql
ql/cpp/ql/src/Metrics/Files/FCommentRatio.ql
ql/cpp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
ql/cpp/ql/src/Metrics/Files/FDirectIncludes.ql
ql/cpp/ql/src/Metrics/Files/FEfferentCoupling.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadBugs.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadDifficulty.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadEffort.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadLength.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadVocabulary.ql
ql/cpp/ql/src/Metrics/Files/FHalsteadVolume.ql
ql/cpp/ql/src/Metrics/Files/FLines.ql
ql/cpp/ql/src/Metrics/Files/FLinesOfCode.ql
ql/cpp/ql/src/Metrics/Files/FLinesOfCommentedOutCode.ql
ql/cpp/ql/src/Metrics/Files/FLinesOfComments.ql
ql/cpp/ql/src/Metrics/Files/FMacroRatio.ql
ql/cpp/ql/src/Metrics/Files/FNumberOfClasses.ql
ql/cpp/ql/src/Metrics/Files/FNumberOfTests.ql
ql/cpp/ql/src/Metrics/Files/FTimeInFrontend.ql
ql/cpp/ql/src/Metrics/Files/FTodoComments.ql
ql/cpp/ql/src/Metrics/Files/FTransitiveIncludes.ql
ql/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.ql
ql/cpp/ql/src/Metrics/Files/FunctionLength.ql
ql/cpp/ql/src/Metrics/Files/NumberOfFunctions.ql
ql/cpp/ql/src/Metrics/Files/NumberOfGlobals.ql
ql/cpp/ql/src/Metrics/Files/NumberOfParameters.ql
ql/cpp/ql/src/Metrics/Files/NumberOfPublicFunctions.ql
ql/cpp/ql/src/Metrics/Files/NumberOfPublicGlobals.ql
ql/cpp/ql/src/Metrics/Functions/FunCyclomaticComplexity.ql
ql/cpp/ql/src/Metrics/Functions/FunIterationNestingDepth.ql
ql/cpp/ql/src/Metrics/Functions/FunLinesOfCode.ql
ql/cpp/ql/src/Metrics/Functions/FunLinesOfComments.ql
ql/cpp/ql/src/Metrics/Functions/FunNumberOfCalls.ql
ql/cpp/ql/src/Metrics/Functions/FunNumberOfParameters.ql
ql/cpp/ql/src/Metrics/Functions/FunNumberOfStatements.ql
ql/cpp/ql/src/Metrics/Functions/FunPercentageOfComments.ql
ql/cpp/ql/src/Metrics/Functions/StatementNestingDepth.ql
ql/cpp/ql/src/Metrics/Internal/ASTConsistency.ql
ql/cpp/ql/src/Metrics/Internal/CallableDisplayStrings.ql
ql/cpp/ql/src/Metrics/Internal/CallableExtents.ql
ql/cpp/ql/src/Metrics/Internal/CallableSourceLinks.ql
ql/cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql
ql/cpp/ql/src/Metrics/Internal/IRConsistency.ql
ql/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql
ql/cpp/ql/src/Metrics/Internal/ReftypeDisplayStrings.ql
ql/cpp/ql/src/Metrics/Internal/ReftypeSourceLinks.ql
ql/cpp/ql/src/Metrics/Namespaces/AbstractNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/ConcreteNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/HighAfferentCouplingNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/HighDistanceFromMainLineNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/HighEfferentCouplingNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/StableNamespaces.ql
ql/cpp/ql/src/Metrics/Namespaces/UnstableNamespaces.ql
ql/cpp/ql/src/Microsoft/CallWithNullSAL.ql
ql/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
ql/cpp/ql/src/Microsoft/InconsistentSAL.ql
ql/cpp/ql/src/PointsTo/Debug.ql
ql/cpp/ql/src/PointsTo/PreparedStagedPointsTo.ql
ql/cpp/ql/src/PointsTo/Stats.ql
ql/cpp/ql/src/PointsTo/TaintedFormatStrings.ql
ql/cpp/ql/src/Power of 10/Rule 1/UseOfGoto.ql
ql/cpp/ql/src/Power of 10/Rule 1/UseOfJmp.ql
ql/cpp/ql/src/Power of 10/Rule 1/UseOfRecursion.ql
ql/cpp/ql/src/Power of 10/Rule 2/BoundedLoopIterations.ql
ql/cpp/ql/src/Power of 10/Rule 2/ExitPermanentLoop.ql
ql/cpp/ql/src/Power of 10/Rule 3/DynamicAllocAfterInit.ql
ql/cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql
ql/cpp/ql/src/Power of 10/Rule 4/OneStmtPerLine.ql
ql/cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql
ql/cpp/ql/src/Power of 10/Rule 5/AssertionSideEffect.ql
ql/cpp/ql/src/Power of 10/Rule 5/ConstantAssertion.ql
ql/cpp/ql/src/Power of 10/Rule 5/NonBooleanAssertion.ql
ql/cpp/ql/src/Power of 10/Rule 6/GlobalCouldBeStatic.ql
ql/cpp/ql/src/Power of 10/Rule 6/VariableScopeTooLarge.ql
ql/cpp/ql/src/Power of 10/Rule 7/CheckArguments.ql
ql/cpp/ql/src/Power of 10/Rule 7/CheckReturnValues.ql
ql/cpp/ql/src/Power of 10/Rule 8/AvoidConditionalCompilation.ql
ql/cpp/ql/src/Power of 10/Rule 8/PartialMacro.ql
ql/cpp/ql/src/Power of 10/Rule 8/RestrictPreprocessor.ql
ql/cpp/ql/src/Power of 10/Rule 8/UndisciplinedMacro.ql
ql/cpp/ql/src/Power of 10/Rule 9/FunctionPointer.ql
ql/cpp/ql/src/Power of 10/Rule 9/HiddenPointerIndirection.ql
ql/cpp/ql/src/Power of 10/Rule 9/PointerNesting.ql
ql/cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
ql/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
ql/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
ql/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
ql/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
ql/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
ql/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
ql/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
ql/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
ql/cpp/ql/src/definitions.ql
ql/cpp/ql/src/experimental/Best Practices/UselessTest.ql
ql/cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql
ql/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
ql/cpp/ql/src/experimental/Likely Bugs/DerefNullResult.ql
ql/cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
ql/cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql
ql/cpp/ql/src/experimental/quantum/PrintCBOMGraph.ql
ql/cpp/ql/src/external/examples/filters/BumpMetricBy10.ql
ql/cpp/ql/src/external/examples/filters/EditDefectMessage.ql
ql/cpp/ql/src/external/examples/filters/ExcludeGeneratedCode.ql
ql/cpp/ql/src/filters/ClassifyFiles.ql
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 1.ql
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 2.ql
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 3.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 11.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 12.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 13.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 14.ql
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 9.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 17.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 18.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 19.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 20.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 21.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 22.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 25.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 26.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 27.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 28.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 29.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 30.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 31.ql
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 33.ql
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 39.ql
ql/cpp/ql/src/jsf/4.08 Implementation Files/AV Rule 40.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 41.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 42.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 43.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 44.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 45.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 46.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 47.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 48.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 49.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 50.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 51.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 52.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.1.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 54.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 57.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 58.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 59.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 60.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 61.ql
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 63.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 68.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 69.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 70.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 73.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 74.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 75.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 76.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 77.1.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 78.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 81.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 85.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.1.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 94.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.1.ql
ql/cpp/ql/src/jsf/4.11 Namespaces/AV Rule 99.ql
ql/cpp/ql/src/jsf/4.12 Templates/AV Rule 104.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 108.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 110.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 111.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 113.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 115.ql
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 119.ql
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 126.ql
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 127.ql
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 133.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 135.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 138.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 139.ql
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 140.ql
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 142.ql
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 143.ql
ql/cpp/ql/src/jsf/4.17 Types/AV Rule 147.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 149.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 150.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.1.ql
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.ql
ql/cpp/ql/src/jsf/4.19 Variables/AV Rule 152.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 154.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 155.ql
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 156.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 157.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 158.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 159.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 160.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 162.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 163.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 164.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 170.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 171.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 175.ql
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 176.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 178.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 179.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 180.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 181.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 182.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 184.ql
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 185.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 186.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 187.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 188.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 190.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 191.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 192.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 193.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 194.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 195.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 198.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 199.ql
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 200.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.1.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.ql
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 205.ql
ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 206.ql
ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 207.ql
ql/cpp/ql/src/jsf/4.27 Fault Handling/AV Rule 208.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 209.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 210.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 212.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 213.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 214.ql
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 215.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
ql/cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

14
cpp/ql/integration-tests/query-suite/test.py Normal file
View File

@@ -0,0 +1,14 @@
import runs_on
import pytest
from query_suites import *
well_known_query_suites = ['cpp-code-quality.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
@runs_on.posix
@pytest.mark.parametrize("query_suite", well_known_query_suites)
def test(codeql, cpp, check_query_suite, query_suite):
check_query_suite(query_suite)
@runs_on.posix
def test_not_included_queries(codeql, cpp, check_queries_not_included):
check_queries_not_included('cpp', well_known_query_suites)

6
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,9 @@
## 4.3.1
### Bug Fixes
* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.
## 4.3.0
### New Features

5
cpp/ql/lib/change-notes/released/4.3.1.md Normal file
View File

@@ -0,0 +1,5 @@
## 4.3.1
### Bug Fixes
* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.3.0
lastReleaseVersion: 4.3.1

113
cpp/ql/lib/experimental/quantum/Language.qll Normal file
View File

@@ -0,0 +1,113 @@
private import cpp as Language
import semmle.code.cpp.dataflow.new.DataFlow
import codeql.quantum.experimental.Model
module CryptoInput implements InputSig<Language::Location> {
class DataFlowNode = DataFlow::Node;
class LocatableElement = Language::Locatable;
class UnknownLocation = Language::UnknownDefaultLocation;
LocatableElement dfn_to_element(DataFlow::Node node) {
result = node.asExpr() or
result = node.asParameter() or
result = node.asVariable()
}
string locationToFileBaseNameAndLineNumberString(Location location) {
result = location.getFile().getBaseName() + ":" + location.getStartLine()
}
predicate artifactOutputFlowsToGenericInput(
DataFlow::Node artifactOutput, DataFlow::Node otherInput
) {
ArtifactFlow::flow(artifactOutput, otherInput)
}
}
module Crypto = CryptographyBase<Language::Location, CryptoInput>;
module ArtifactFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source = any(Crypto::ArtifactInstance artifact).getOutputNode()
}
predicate isSink(DataFlow::Node sink) {
sink = any(Crypto::FlowAwareElement other).getInputNode()
}
predicate isBarrierOut(DataFlow::Node node) {
node = any(Crypto::FlowAwareElement element).getInputNode()
}
predicate isBarrierIn(DataFlow::Node node) {
node = any(Crypto::FlowAwareElement element).getOutputNode()
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
node1.(AdditionalFlowInputStep).getOutput() = node2
}
}
module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
/**
* Artifact output to node input configuration
*/
abstract class AdditionalFlowInputStep extends DataFlow::Node {
abstract DataFlow::Node getOutput();
final DataFlow::Node getInput() { result = this }
}
/**
* Generic data source to node input configuration
*/
module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source = any(Crypto::GenericSourceInstance i).getOutputNode()
}
predicate isSink(DataFlow::Node sink) {
sink = any(Crypto::FlowAwareElement other).getInputNode()
}
predicate isBarrierOut(DataFlow::Node node) {
node = any(Crypto::FlowAwareElement element).getInputNode()
}
predicate isBarrierIn(DataFlow::Node node) {
node = any(Crypto::FlowAwareElement element).getOutputNode()
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
node1.(AdditionalFlowInputStep).getOutput() = node2
}
}
module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source = any(Crypto::ArtifactInstance artifact).getOutputNode()
}
predicate isSink(DataFlow::Node sink) {
sink = any(Crypto::FlowAwareElement other).getInputNode()
}
predicate isBarrierOut(DataFlow::Node node) {
node = any(Crypto::FlowAwareElement element).getInputNode()
}
predicate isBarrierIn(DataFlow::Node node) {
node = any(Crypto::FlowAwareElement element).getOutputNode()
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
node1.(AdditionalFlowInputStep).getOutput() = node2
}
}
module ArtifactUniversalFlow = DataFlow::Global<ArtifactUniversalFlowConfig>;
import OpenSSL.OpenSSL

170
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll Normal file
View File

@@ -0,0 +1,170 @@
import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
/**
* Traces 'known algorithms' to AVCs, specifically
* algorithms that are in the set of known algorithm constants.
* Padding-specific consumers exist that have their own values that
* overlap with the known algorithm constants.
* Padding consumers (specific padding consumers) are excluded from the set of sinks.
*/
module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
}
predicate isSink(DataFlow::Node sink) {
exists(OpenSSLAlgorithmValueConsumer c |
c.getInputNode() = sink and
not c instanceof PaddingAlgorithmValueConsumer
)
}
predicate isBarrier(DataFlow::Node node) {
// False positive reducer, don't flow out through argv
exists(VariableAccess va, Variable v |
v.getAnAccess() = va and va = node.asExpr()
or
va = node.asIndirectExpr()
|
v.getName().matches("%argv")
)
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
knownPassThroughStep(node1, node2)
}
}
module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
}
predicate isSink(DataFlow::Node sink) {
exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
knownPassThroughStep(node1, node2)
}
}
module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
DataFlow::Global<RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
class OpenSSLAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
OpenSSLAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
override DataFlow::Node getOutput() {
exists(AlgorithmPassthroughCall c | c.getInNode() = this and c.getOutNode() = result)
}
}
abstract class AlgorithmPassthroughCall extends Call {
abstract DataFlow::Node getInNode();
abstract DataFlow::Node getOutNode();
}
class CopyAndDupAlgorithmPassthroughCall extends AlgorithmPassthroughCall {
DataFlow::Node inNode;
DataFlow::Node outNode;
CopyAndDupAlgorithmPassthroughCall() {
// Flow out through any return or other argument of the same type
// Assume flow in and out is asIndirectExpr or asDefinitingArgument since a pointer is assumed
// to be involved
// NOTE: not attempting to detect openssl specific copy/dup functions, but anything suspected to be copy/dup
this.getTarget().getName().toLowerCase().matches(["%_dup%", "%_copy%"]) and
exists(Expr inArg, Type t |
inArg = this.getAnArgument() and t = inArg.getUnspecifiedType().stripType()
|
inNode.asIndirectExpr() = inArg and
(
// Case 1: flow through another argument as an out arg of the same type
exists(Expr outArg |
outArg = this.getAnArgument() and
outArg != inArg and
outArg.getUnspecifiedType().stripType() = t
|
outNode.asDefiningArgument() = outArg
)
or
// Case 2: flow through the return value if the result is the same as the intput type
exists(Expr outArg | outArg = this and outArg.getUnspecifiedType().stripType() = t |
outNode.asIndirectExpr() = outArg
)
)
)
}
override DataFlow::Node getInNode() { result = inNode }
override DataFlow::Node getOutNode() { result = outNode }
}
class NIDToPointerPassthroughCall extends AlgorithmPassthroughCall {
DataFlow::Node inNode;
DataFlow::Node outNode;
NIDToPointerPassthroughCall() {
this.getTarget().getName() in ["OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn"] and
inNode.asExpr() = this.getArgument(0) and
outNode.asExpr() = this
//outNode.asIndirectExpr() = this
}
override DataFlow::Node getInNode() { result = inNode }
override DataFlow::Node getOutNode() { result = outNode }
}
class PointerToPointerPassthroughCall extends AlgorithmPassthroughCall {
DataFlow::Node inNode;
DataFlow::Node outNode;
PointerToPointerPassthroughCall() {
this.getTarget().getName() = "OBJ_txt2obj" and
inNode.asIndirectExpr() = this.getArgument(0) and
outNode.asIndirectExpr() = this
or
//outNode.asExpr() = this
this.getTarget().getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and
inNode.asIndirectExpr() = this.getArgument(2) and
outNode.asDefiningArgument() = this.getArgument(0)
}
override DataFlow::Node getInNode() { result = inNode }
override DataFlow::Node getOutNode() { result = outNode }
}
class PointerToNIDPassthroughCall extends AlgorithmPassthroughCall {
DataFlow::Node inNode;
DataFlow::Node outNode;
PointerToNIDPassthroughCall() {
this.getTarget().getName() in ["OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid", "OBJ_txt2nid"] and
(
inNode.asIndirectExpr() = this.getArgument(0)
or
inNode.asExpr() = this.getArgument(0)
) and
outNode.asExpr() = this
}
override DataFlow::Node getInNode() { result = inNode }
override DataFlow::Node getOutNode() { result = outNode }
}
// TODO: pkeys pass through EVP_PKEY_CTX_new and any similar variant
predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(AlgorithmPassthroughCall c | c.getInNode() = node1 and c.getOutNode() = node2)
}

76
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll Normal file
View File

@@ -0,0 +1,76 @@
import cpp
import experimental.quantum.Language
import OpenSSLAlgorithmInstanceBase
import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
import AlgToAVCFlow
/**
* Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
* Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
*/
predicate knownOpenSSLConstantToBlockModeFamilyType(
KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
) {
exists(string name |
name = e.getNormalizedName() and
(
name.matches("CBC") and type instanceof Crypto::CBC
or
name.matches("CFB%") and type instanceof Crypto::CFB
or
name.matches("CTR") and type instanceof Crypto::CTR
or
name.matches("GCM") and type instanceof Crypto::GCM
or
name.matches("OFB") and type instanceof Crypto::OFB
or
name.matches("XTS") and type instanceof Crypto::XTS
or
name.matches("CCM") and type instanceof Crypto::CCM
or
name.matches("GCM") and type instanceof Crypto::GCM
or
name.matches("CCM") and type instanceof Crypto::CCM
or
name.matches("ECB") and type instanceof Crypto::ECB
)
)
}
class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
Crypto::ModeOfOperationAlgorithmInstance instanceof KnownOpenSSLBlockModeAlgorithmConstant
{
OpenSSLAlgorithmValueConsumer getterCall;
KnownOpenSSLBlockModeConstantAlgorithmInstance() {
// Two possibilities:
// 1) The source is a literal and flows to a getter, then we know we have an instance
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
// Possibility 1:
this instanceof Literal and
exists(DataFlow::Node src, DataFlow::Node sink |
// Sink is an argument to a CipherGetterCall
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
// Source is `this`
src.asExpr() = this and
// This traces to a getter
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
)
or
// Possibility 2:
this instanceof DirectAlgorithmValueConsumer and getterCall = this
}
override Crypto::TBlockCipherModeOfOperationType getModeType() {
knownOpenSSLConstantToBlockModeFamilyType(this, result)
or
not knownOpenSSLConstantToBlockModeFamilyType(this, _) and result = Crypto::OtherMode()
}
// NOTE: I'm not going to attempt to parse out the mode specific part, so returning
// the same as the raw name for now.
override string getRawModeAlgorithmName() { result = this.(Literal).getValue().toString() }
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
}

126
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll Normal file
View File

@@ -0,0 +1,126 @@
import cpp
import experimental.quantum.Language
import KnownAlgorithmConstants
import Crypto::KeyOpAlg as KeyOpAlg
import OpenSSLAlgorithmInstanceBase
import PaddingAlgorithmInstance
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
import AlgToAVCFlow
import BlockAlgorithmInstance
/**
* Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
* Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
*/
predicate knownOpenSSLConstantToCipherFamilyType(
KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
) {
exists(string name |
name = e.getNormalizedName() and
(
name.matches("AES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
or
name.matches("ARIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::ARIA())
or
name.matches("BLOWFISH%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
or
name.matches("BF%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
or
name.matches("CAMELLIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAMELLIA())
or
name.matches("CHACHA20%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CHACHA20())
or
name.matches("CAST5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAST5())
or
name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DoubleDES())
or
name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TripleDES())
or
name.matches("DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES())
or
name.matches("DESX%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DESX())
or
name.matches("GOST%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::GOST())
or
name.matches("IDEA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA())
or
name.matches("KUZNYECHIK%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::KUZNYECHIK())
or
name.matches("MAGMA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::MAGMA())
or
name.matches("RC2%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2())
or
name.matches("RC4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4())
or
name.matches("RC5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC5())
or
name.matches("RSA%") and type = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA())
or
name.matches("SEED%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SEED())
or
name.matches("SM4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SM4())
)
)
}
class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSSLCipherAlgorithmConstant
{
OpenSSLAlgorithmValueConsumer getterCall;
KnownOpenSSLCipherConstantAlgorithmInstance() {
// Two possibilities:
// 1) The source is a literal and flows to a getter, then we know we have an instance
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
// Possibility 1:
this instanceof Literal and
exists(DataFlow::Node src, DataFlow::Node sink |
// Sink is an argument to a CipherGetterCall
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
// Source is `this`
src.asExpr() = this and
// This traces to a getter
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
)
or
// Possibility 2:
this instanceof DirectAlgorithmValueConsumer and getterCall = this
}
override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
// if there is a block mode associated with the same element, then that's the block mode
// note, if none are associated, we may need to parse if the cipher is a block cipher
// to determine if this is an unknown vs not relevant.
result = this
}
override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() {
//TODO: the padding is either self, or it flows through getter ctx to a set padding call
// like EVP_PKEY_CTX_set_rsa_padding
result = this
// TODO or trace through getter ctx to set padding
}
override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
override string getKeySizeFixed() {
exists(int keySize |
this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
result = keySize.toString()
)
}
override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
knownOpenSSLConstantToCipherFamilyType(this, result)
or
not knownOpenSSLConstantToCipherFamilyType(this, _) and
result = Crypto::KeyOpAlg::TUnknownKeyOperationAlgorithmType()
}
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
// TODO: trace to any key size initializer, symmetric and asymmetric
none()
}
}

83
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll Normal file
View File

@@ -0,0 +1,83 @@
import cpp
import experimental.quantum.Language
import KnownAlgorithmConstants
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
import AlgToAVCFlow
predicate knownOpenSSLConstantToHashFamilyType(
KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
) {
exists(string name |
name = e.getNormalizedName() and
(
name.matches("BLAKE2B") and type instanceof Crypto::BLAKE2B
or
name.matches("BLAKE2S") and type instanceof Crypto::BLAKE2S
or
name.matches("GOST%") and type instanceof Crypto::GOSTHash
or
name.matches("MD2") and type instanceof Crypto::MD2
or
name.matches("MD4") and type instanceof Crypto::MD4
or
name.matches("MD5") and type instanceof Crypto::MD5
or
name.matches("MDC2") and type instanceof Crypto::MDC2
or
name.matches("POLY1305") and type instanceof Crypto::POLY1305
or
name.matches(["SHA", "SHA1"]) and type instanceof Crypto::SHA1
or
name.matches("SHA+%") and not name.matches(["SHA1", "SHA3-"]) and type instanceof Crypto::SHA2
or
name.matches("SHA3-%") and type instanceof Crypto::SHA3
or
name.matches(["SHAKE"]) and type instanceof Crypto::SHAKE
or
name.matches("SM3") and type instanceof Crypto::SM3
or
name.matches("RIPEMD160") and type instanceof Crypto::RIPEMD160
or
name.matches("WHIRLPOOL") and type instanceof Crypto::WHIRLPOOL
)
)
}
class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
Crypto::HashAlgorithmInstance instanceof KnownOpenSSLHashAlgorithmConstant
{
OpenSSLAlgorithmValueConsumer getterCall;
KnownOpenSSLHashConstantAlgorithmInstance() {
// Two possibilities:
// 1) The source is a literal and flows to a getter, then we know we have an instance
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
// Possibility 1:
this instanceof Literal and
exists(DataFlow::Node src, DataFlow::Node sink |
// Sink is an argument to a CipherGetterCall
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
// Source is `this`
src.asExpr() = this and
// This traces to a getter
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
)
or
// Possibility 2:
this instanceof DirectAlgorithmValueConsumer and getterCall = this
}
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
override Crypto::THashType getHashFamily() {
knownOpenSSLConstantToHashFamilyType(this, result)
or
not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
}
override string getRawHashAlgorithmName() { result = this.(Literal).getValue().toString() }
override int getFixedDigestLength() {
this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result
}
}

2962
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll Normal file
View File

File diff suppressed because it is too large Load Diff

6
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll Normal file
View File

@@ -0,0 +1,6 @@
import experimental.quantum.Language
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
abstract OpenSSLAlgorithmValueConsumer getAVC();
}

5
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll Normal file
View File

@@ -0,0 +1,5 @@
import OpenSSLAlgorithmInstanceBase
import CipherAlgorithmInstance
import PaddingAlgorithmInstance
import BlockAlgorithmInstance
import HashAlgorithmInstance

167
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll Normal file
View File

@@ -0,0 +1,167 @@
import cpp
import experimental.quantum.Language
import OpenSSLAlgorithmInstanceBase
import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
import AlgToAVCFlow
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
/**
* Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
* Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
*/
predicate knownOpenSSLConstantToPaddingFamilyType(
KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type
) {
exists(string name |
name = e.getNormalizedName() and
(
name.matches("OAEP") and type = Crypto::OAEP()
or
name.matches("PSS") and type = Crypto::PSS()
or
name.matches("PKCS7") and type = Crypto::PKCS7()
or
name.matches("PKCS1V15") and type = Crypto::PKCS1_v1_5()
)
)
}
//abstract class OpenSSLPaddingAlgorithmInstance extends OpenSSLAlgorithmInstance, Crypto::PaddingAlgorithmInstance{}
// TODO: need to alter this to include known padding constants which don't have the
// same mechanics as those with known nids
class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
Crypto::PaddingAlgorithmInstance instanceof Expr
{
OpenSSLAlgorithmValueConsumer getterCall;
boolean isPaddingSpecificConsumer;
KnownOpenSSLPaddingConstantAlgorithmInstance() {
// three possibilities:
// 1) The source is a 'typical' literal and flows to a getter, then we know we have an instance
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
// 3) the source is a padding-specific literal flowing to a padding-specific consumer
// Possibility 1:
this instanceof Literal and
this instanceof KnownOpenSSLPaddingAlgorithmConstant and
exists(DataFlow::Node src, DataFlow::Node sink |
// Sink is an argument to a CipherGetterCall
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
// Source is `this`
src.asExpr() = this and
// This traces to a getter
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink) and
isPaddingSpecificConsumer = false
)
or
// Possibility 2:
this instanceof DirectAlgorithmValueConsumer and
getterCall = this and
this instanceof KnownOpenSSLPaddingAlgorithmConstant and
isPaddingSpecificConsumer = false
or
// Possibility 3:
// from rsa.h in openssl:
// # define RSA_PKCS1_PADDING 1
// # define RSA_NO_PADDING 3
// # define RSA_PKCS1_OAEP_PADDING 4
// # define RSA_X931_PADDING 5
// /* EVP_PKEY_ only */
// # define RSA_PKCS1_PSS_PADDING 6
// # define RSA_PKCS1_WITH_TLS_PADDING 7
// /* internal RSA_ only */
// # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
this instanceof Literal and
this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] and
exists(DataFlow::Node src, DataFlow::Node sink |
// Sink is an argument to a CipherGetterCall
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
// Source is `this`
src.asExpr() = this and
// This traces to a padding-specific consumer
RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
) and
isPaddingSpecificConsumer = true
}
override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
override Crypto::TPaddingType getPaddingType() {
isPaddingSpecificConsumer = true and
(
if this.(Literal).getValue().toInt() in [1, 7, 8]
then result = Crypto::PKCS1_v1_5()
else
if this.(Literal).getValue().toInt() = 3
then result = Crypto::NoPadding()
else
if this.(Literal).getValue().toInt() = 4
then result = Crypto::OAEP()
else
if this.(Literal).getValue().toInt() = 5
then result = Crypto::ANSI_X9_23()
else
if this.(Literal).getValue().toInt() = 6
then result = Crypto::PSS()
else result = Crypto::OtherPadding()
)
or
isPaddingSpecificConsumer = false and
knownOpenSSLConstantToPaddingFamilyType(this, result)
}
}
// // Values used for EVP_PKEY_CTX_set_rsa_padding, these are
// // not the same as 'typical' constants found in the set of known algorithm constants
// // they do not have an NID
// // TODO: what about setting the padding directly?
// class KnownRSAPaddingConstant extends OpenSSLPaddingAlgorithmInstance, Crypto::PaddingAlgorithmInstance instanceof Literal
// {
// KnownRSAPaddingConstant() {
// // from rsa.h in openssl:
// // # define RSA_PKCS1_PADDING 1
// // # define RSA_NO_PADDING 3
// // # define RSA_PKCS1_OAEP_PADDING 4
// // # define RSA_X931_PADDING 5
// // /* EVP_PKEY_ only */
// // # define RSA_PKCS1_PSS_PADDING 6
// // # define RSA_PKCS1_WITH_TLS_PADDING 7
// // /* internal RSA_ only */
// // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
// this instanceof Literal and
// this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8]
// // TODO: trace to padding-specific consumers
// RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
// }
// override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
// override Crypto::TPaddingType getPaddingType() {
// if this.(Literal).getValue().toInt() in [1, 6, 7, 8]
// then result = Crypto::PKCS1_v1_5()
// else
// if this.(Literal).getValue().toInt() = 3
// then result = Crypto::NoPadding()
// else
// if this.(Literal).getValue().toInt() = 4
// then result = Crypto::OAEP()
// else
// if this.(Literal).getValue().toInt() = 5
// then result = Crypto::ANSI_X9_23()
// else result = Crypto::OtherPadding()
// }
// }
class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance,
KnownOpenSSLPaddingConstantAlgorithmInstance
{
OAEPPaddingAlgorithmInstance() {
this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = Crypto::OAEP()
}
override Crypto::HashAlgorithmInstance getOAEPEncodingHashAlgorithm() {
none() //TODO
}
override Crypto::HashAlgorithmInstance getMGF1HashAlgorithm() {
none() //TODO
}
}

39
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll Normal file
View File

@@ -0,0 +1,39 @@
import cpp
import experimental.quantum.Language
import experimental.quantum.OpenSSL.LibraryDetector
import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
import OpenSSLAlgorithmValueConsumerBase
abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
DataFlow::Node valueArgNode;
DataFlow::Node resultNode;
EVPCipherAlgorithmValueConsumer() {
resultNode.asExpr() = this and
isPossibleOpenSSLFunction(this.(Call).getTarget()) and
(
this.(Call).getTarget().getName() in [
"EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"
] and
valueArgNode.asExpr() = this.(Call).getArgument(0)
or
this.(Call).getTarget().getName() in ["EVP_CIPHER_fetch", "EVP_ASYM_CIPHER_fetch"] and
valueArgNode.asExpr() = this.(Call).getArgument(1)
)
}
override DataFlow::Node getResultNode() { result = resultNode }
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
// override DataFlow::Node getInputNode() { result = valueArgNode }
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
//TODO: As a potential alternative, for OpenSSL only, add a generic source node for literals and only create flow (flowsTo) to
// OpenSSL AVCs... the unknown literal sources would have to be any literals not in the known set.
}
}

36
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll Normal file
View File

@@ -0,0 +1,36 @@
import cpp
import experimental.quantum.Language
import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
// TODO: can self referential to itself, which is also an algorithm (Known algorithm)
/**
* Cases like EVP_MD5(),
* there is no input, rather it directly gets an algorithm
* and returns it.
*/
class DirectAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer {
DataFlow::Node resultNode;
Expr resultExpr;
DirectAlgorithmValueConsumer() {
this instanceof KnownOpenSSLAlgorithmConstant and
this instanceof Call and
resultExpr = this and
resultNode.asExpr() = resultExpr
}
/**
* These cases take in no explicit value (the value is implicit)
*/
override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
override DataFlow::Node getResultNode() { result = resultNode }
// override DataFlow::Node getOutputNode() { result = resultNode }
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
// Note: algorithm source definitions enforces that
// this class will be a known algorithm source
result = this
}
}

35
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll Normal file
View File

@@ -0,0 +1,35 @@
// import EVPHashInitializer
// import EVPHashOperation
// import EVPHashAlgorithmSource
import cpp
import experimental.quantum.Language
import semmle.code.cpp.dataflow.new.DataFlow
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
import experimental.quantum.OpenSSL.LibraryDetector
abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
/**
* EVP_Q_Digest directly consumes algorithm constant values
*/
class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
EVP_Q_Digest_Algorithm_Consumer() {
isPossibleOpenSSLFunction(this.(Call).getTarget()) and
this.(Call).getTarget().getName() = "EVP_Q_digest"
}
override Crypto::ConsumerInputDataFlowNode getInputNode() {
result.asExpr() = this.(Call).getArgument(1)
}
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
}
override DataFlow::Node getResultNode() {
// EVP_Q_Digest directly consumes the algorithm constant value and performs the operation, there is no
// algorithm result
none()
}
}

9
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll Normal file
View File

@@ -0,0 +1,9 @@
import experimental.quantum.Language
import semmle.code.cpp.dataflow.new.DataFlow
abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
/**
* Returns the node representing the resulting algorithm
*/
abstract DataFlow::Node getResultNode();
}

5
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll Normal file
View File

@@ -0,0 +1,5 @@
import OpenSSLAlgorithmValueConsumerBase
import CipherAlgorithmValueConsumer
import DirectAlgorithmValueConsumer
import PaddingAlgorithmValueConsumer
import HashAlgorithmValueConsumer

36
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll Normal file
View File

@@ -0,0 +1,36 @@
import cpp
import experimental.quantum.Language
import experimental.quantum.OpenSSL.LibraryDetector
import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
import OpenSSLAlgorithmValueConsumerBase
abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
// https://docs.openssl.org/master/man7/EVP_ASYM_CIPHER-RSA/#rsa-asymmetric-cipher-parameters
// TODO: need to handle setting padding through EVP_PKEY_CTX_set_params, where modes like "OSSL_PKEY_RSA_PAD_MODE_OAEP"
// are set.
class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorithmValueConsumer {
DataFlow::Node valueArgNode;
DataFlow::Node resultNode;
EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() {
resultNode.asExpr() = this and
isPossibleOpenSSLFunction(this.(Call).getTarget()) and
(
this.(Call).getTarget().getName() in ["EVP_PKEY_CTX_set_rsa_padding"] and
valueArgNode.asExpr() = this.(Call).getArgument(1)
)
}
override DataFlow::Node getResultNode() { result = resultNode }
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
// override DataFlow::Node getInputNode() { result = valueArgNode }
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
//TODO: As a potential alternative, for OpenSSL only, add a generic source node for literals and only create flow (flowsTo) to
// OpenSSL AVCs... the unknown literal sources would have to be any literals not in the known set.
}
}

99
cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll Normal file
View File

@@ -0,0 +1,99 @@
//TODO: model as data on open APIs should be able to get common flows, and obviate some of this
// e.g., copy/dup calls, need to ingest those models for openSSL and refactor.
/**
* In OpenSSL, flow between 'context' parameters is often used to
* store state/config of how an operation will eventually be performed.
* Tracing algorithms and configurations to operations therefore
* requires tracing context parameters for many OpenSSL apis.
*
* This library provides a dataflow analysis to track context parameters
* between any two functions accepting openssl context parameters.
* The dataflow takes into consideration flowing through duplication and copy calls
* as well as flow through flow killers (free/reset calls).
*
* TODO: we may need to revisit 'free' as a dataflow killer, depending on how
* we want to model use after frees.
*
* This library also provides classes to represent context Types and relevant
* arguments/expressions.
*/
import semmle.code.cpp.dataflow.new.DataFlow
class CTXType extends Type {
CTXType() {
// TODO: should we limit this to an openssl path?
this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
}
}
class CTXPointerExpr extends Expr {
CTXPointerExpr() {
this.getType() instanceof CTXType and
this.getType() instanceof PointerType
}
}
class CTXPointerArgument extends CTXPointerExpr {
CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) }
Call getCall() { result.getAnArgument() = this }
}
class CTXClearCall extends Call {
CTXClearCall() {
this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and
this.getAnArgument() instanceof CTXPointerArgument
}
}
class CTXCopyOutArgCall extends Call {
CTXCopyOutArgCall() {
this.getTarget().getName().toLowerCase().matches(["%copy%"]) and
this.getAnArgument() instanceof CTXPointerArgument
}
}
class CTXCopyReturnCall extends Call {
CTXCopyReturnCall() {
this.getTarget().getName().toLowerCase().matches(["%dup%"]) and
this.getAnArgument() instanceof CTXPointerArgument and
this instanceof CTXPointerExpr
}
}
module OpenSSLCTXArgumentFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CTXPointerArgument }
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CTXPointerArgument }
predicate isBarrier(DataFlow::Node node) {
exists(CTXClearCall c | c.getAnArgument() = node.asExpr())
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(CTXCopyOutArgCall c |
c.getAnArgument() = node1.asExpr() and
c.getAnArgument() = node2.asExpr() and
node1.asExpr() != node2.asExpr() and
node2.asExpr().getType() instanceof CTXType
)
or
exists(CTXCopyReturnCall c |
c.getAnArgument() = node1.asExpr() and
c = node2.asExpr() and
node1.asExpr() != node2.asExpr() and
node2.asExpr().getType() instanceof CTXType
)
}
}
module OpenSSLCTXArgumentFlow = DataFlow::Global<OpenSSLCTXArgumentFlowConfig>;
predicate ctxArgFlowsToCtxArg(CTXPointerArgument source, CTXPointerArgument sink) {
exists(DataFlow::Node a, DataFlow::Node b |
OpenSSLCTXArgumentFlow::flow(a, b) and
a.asExpr() = source and
b.asExpr() = sink
)
}

7
cpp/ql/lib/experimental/quantum/OpenSSL/LibraryDetector.qll Normal file
View File

@@ -0,0 +1,7 @@
import cpp
predicate isPossibleOpenSSLFunction(Function f) {
isPossibleOpenSSLLocation(f.getADeclarationLocation())
}
predicate isPossibleOpenSSLLocation(Location l) { l.toString().toLowerCase().matches("%openssl%") }

9
cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll Normal file
View File

@@ -0,0 +1,9 @@
import cpp
import semmle.code.cpp.dataflow.new.DataFlow
module OpenSSLModel {
import experimental.quantum.Language
import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
}

123
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll Normal file
View File

@@ -0,0 +1,123 @@
/**
* see: https://docs.openssl.org/master/man3/EVP_EncryptInit/
* Models cipher initialization for EVP cipher operations.
*/
import experimental.quantum.Language
import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
predicate isSink(DataFlow::Node sink) {
exists(EVP_Cipher_Initializer initCall | sink.asExpr() = initCall.getOperationSubtypeArg())
}
}
module EncValToInitEncArgFlow = DataFlow::Global<EncValToInitEncArgConfig>;
int getEncConfigValue(Expr e) {
exists(EVP_Cipher_Initializer initCall | e = initCall.getOperationSubtypeArg()) and
exists(DataFlow::Node a, DataFlow::Node b |
EncValToInitEncArgFlow::flow(a, b) and b.asExpr() = e and result = a.asExpr().getValue().toInt()
)
}
bindingset[i]
Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {
if i = 0
then result instanceof Crypto::TEncryptMode
else
if i = 1
then result instanceof Crypto::TDecryptMode
else result instanceof Crypto::TUnknownKeyOperationMode
}
// TODO: need to add key consumer
abstract class EVP_Cipher_Initializer extends Call {
Expr getContextArg() { result = this.(Call).getArgument(0) }
Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
abstract Expr getKeyArg();
abstract Expr getIVArg();
// abstract Crypto::CipherOperationSubtype getCipherOperationSubtype();
abstract Expr getOperationSubtypeArg();
Crypto::KeyOperationSubtype getCipherOperationSubtype() {
if this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
then result instanceof Crypto::TEncryptMode
else
if this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
then result instanceof Crypto::TDecryptMode
else
if exists(getEncConfigValue(this.getOperationSubtypeArg()))
then result = intToCipherOperationSubtype(getEncConfigValue(this.getOperationSubtypeArg()))
else result instanceof Crypto::TUnknownKeyOperationMode
}
}
abstract class EVP_EX_Initializer extends EVP_Cipher_Initializer {
override Expr getKeyArg() { result = this.(Call).getArgument(3) }
override Expr getIVArg() { result = this.(Call).getArgument(4) }
}
abstract class EVP_EX2_Initializer extends EVP_Cipher_Initializer {
override Expr getKeyArg() { result = this.(Call).getArgument(2) }
override Expr getIVArg() { result = this.(Call).getArgument(3) }
}
class EVP_Cipher_EX_Init_Call extends EVP_EX_Initializer {
EVP_Cipher_EX_Init_Call() {
this.(Call).getTarget().getName() in [
"EVP_EncryptInit_ex", "EVP_DecryptInit_ex", "EVP_CipherInit_ex"
]
}
override Expr getOperationSubtypeArg() {
this.(Call).getTarget().getName().toLowerCase().matches("%cipherinit%") and
result = this.(Call).getArgument(5)
}
}
class EVP_Cipher_EX2_or_Simple_Init_Call extends EVP_EX2_Initializer {
EVP_Cipher_EX2_or_Simple_Init_Call() {
this.(Call).getTarget().getName() in [
"EVP_EncryptInit_ex2", "EVP_DecryptInit_ex2", "EVP_CipherInit_ex2", "EVP_EncryptInit",
"EVP_DecryptInit", "EVP_CipherInit"
]
}
override Expr getOperationSubtypeArg() {
this.(Call).getTarget().getName().toLowerCase().matches("%cipherinit%") and
result = this.(Call).getArgument(4)
}
}
class EVP_CipherInit_SKEY_Call extends EVP_EX2_Initializer {
EVP_CipherInit_SKEY_Call() { this.(Call).getTarget().getName() in ["EVP_CipherInit_SKEY"] }
override Expr getOperationSubtypeArg() { result = this.(Call).getArgument(5) }
}
class EVPCipherInitializerAlgorithmArgument extends Expr {
EVPCipherInitializerAlgorithmArgument() {
exists(EVP_Cipher_Initializer initCall | this = initCall.getAlgorithmArg())
}
}
class EVPCipherInitializerKeyArgument extends Expr {
EVPCipherInitializerKeyArgument() {
exists(EVP_Cipher_Initializer initCall | this = initCall.getKeyArg())
}
}
class EVPCipherInitializerIVArgument extends Expr {
EVPCipherInitializerIVArgument() {
exists(EVP_Cipher_Initializer initCall | this = initCall.getIVArg())
}
}

116
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll Normal file
View File

@@ -0,0 +1,116 @@
import experimental.quantum.Language
import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
import EVPCipherInitializer
import OpenSSLOperationBase
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
}
predicate isSink(DataFlow::Node sink) {
exists(EVP_Cipher_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
}
}
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
// import experimental.quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
// import OpenSSLOperation
// class EVPCipherOutput extends CipherOutputArtifact {
// EVPCipherOutput() { exists(EVP_Cipher_Operation op | op.getOutputArg() = this) }
// override DataFlow::Node getOutputNode() { result.asDefiningArgument() = this }
// }
//
/**
* see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
* Base configuration for all EVP cipher operations.
* NOTE: cannot extend instance of OpenSSLOperation, as we need to override
* elements of OpenSSLOperation (i.e., we are creating an instance)
*/
abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
Expr getContextArg() { result = this.(Call).getArgument(0) }
override Expr getOutputArg() { result = this.(Call).getArgument(1) }
override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
result instanceof Crypto::TEncryptMode and
this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
or
result instanceof Crypto::TDecryptMode and
this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
or
result = this.getInitCall().getCipherOperationSubtype() and
this.(Call).getTarget().getName().toLowerCase().matches("%cipher%")
}
EVP_Cipher_Initializer getInitCall() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
}
override Crypto::ConsumerInputDataFlowNode getNonceConsumer() {
this.getInitCall().getIVArg() = result.asExpr()
}
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
this.getInitCall().getKeyArg() = result.asExpr()
}
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
}
}
// abstract class EVP_Update_Call extends EVP_Cipher_Operation { }
abstract class EVP_Final_Call extends EVP_Cipher_Operation {
override Expr getInputArg() { none() }
}
// TODO: only model Final (model final as operation and model update but not as an operation)
// Updates are multiple input consumers (most important)
// TODO: assuming update doesn't ouput, otherwise it outputs artifacts, but is not an operation
class EVP_Cipher_Call extends EVP_Cipher_Operation {
EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
override Expr getInputArg() { result = this.(Call).getArgument(2) }
}
// ******* TODO: model UPDATE but not as the core operation, rather a step towards final
// see the JCA
// class EVP_Encrypt_Decrypt_or_Cipher_Update_Call extends EVP_Update_Call {
// EVP_Encrypt_Decrypt_or_Cipher_Update_Call() {
// this.(Call).getTarget().getName() in [
// "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
// ]
// }
// override Expr getInputArg() { result = this.(Call).getArgument(3) }
// }
class EVP_Encrypt_Decrypt_or_Cipher_Final_Call extends EVP_Final_Call {
EVP_Encrypt_Decrypt_or_Cipher_Final_Call() {
this.(Call).getTarget().getName() in [
"EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
"EVP_DecryptFinal", "EVP_CipherFinal"
]
}
}
class EVP_PKEY_Operation extends EVP_Cipher_Operation {
EVP_PKEY_Operation() {
this.(Call).getTarget().getName() in ["EVP_PKEY_decrypt", "EVP_PKEY_encrypt"]
}
override Expr getInputArg() { result = this.(Call).getArgument(3) }
// TODO: how PKEY is initialized is different that symmetric cipher
// Consider making an entirely new class for this and specializing
// the get init call
}
class EVPCipherInputArgument extends Expr {
EVPCipherInputArgument() { exists(EVP_Cipher_Operation op | op.getInputArg() = this) }
}

17
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashInitializer.qll Normal file
View File

@@ -0,0 +1,17 @@
import cpp
abstract class EVP_Hash_Initializer extends Call {
Expr getContextArg() { result = this.(Call).getArgument(0) }
abstract Expr getAlgorithmArg();
}
class EVP_DigestInit_Variant_Calls extends EVP_Hash_Initializer {
EVP_DigestInit_Variant_Calls() {
this.(Call).getTarget().getName() in [
"EVP_DigestInit", "EVP_DigestInit_ex", "EVP_DigestInit_ex2"
]
}
override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
}

117
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll Normal file
View File

@@ -0,0 +1,117 @@
/**
* https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
*/
import experimental.quantum.Language
import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
import experimental.quantum.OpenSSL.LibraryDetector
import OpenSSLOperationBase
import EVPHashInitializer
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
// import EVPHashConsumers
abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
Expr getContextArg() { result = this.(Call).getArgument(0) }
EVP_Hash_Initializer getInitCall() {
CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
}
}
private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
}
predicate isSink(DataFlow::Node sink) {
exists(EVP_Hash_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
}
}
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
//https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
EVP_Q_Digest_Operation() {
this.(Call).getTarget().getName() = "EVP_Q_digest" and
isPossibleOpenSSLFunction(this.(Call).getTarget())
}
//override Crypto::AlgorithmConsumer getAlgorithmConsumer() { }
override EVP_Hash_Initializer getInitCall() {
// This variant of digest does not use an init
// and even if it were used, the init would be ignored/undefined
none()
}
override Expr getOutputArg() { result = this.(Call).getArgument(5) }
override Expr getInputArg() { result = this.(Call).getArgument(3) }
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
// The operation is a direct algorithm consumer
// NOTE: the operation itself is already modeld as a value consumer, so we can
// simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
this = result
}
}
class EVP_Digest_Operation extends EVP_Hash_Operation {
EVP_Digest_Operation() {
this.(Call).getTarget().getName() = "EVP_Digest" and
isPossibleOpenSSLFunction(this.(Call).getTarget())
}
// There is no context argument for this function
override Expr getContextArg() { none() }
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
DataFlow::exprNode(this.(Call).getArgument(4)))
}
override EVP_Hash_Initializer getInitCall() {
// This variant of digest does not use an init
// and even if it were used, the init would be ignored/undefined
none()
}
override Expr getOutputArg() { result = this.(Call).getArgument(2) }
override Expr getInputArg() { result = this.(Call).getArgument(0) }
override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
}
// // override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
// // AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
// // DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
// // }
// // ***** TODO *** complete modelinlg for hash operations, but have consideration for terminal and non-terminal (non intermedaite) steps
// // see the JCA. May need to update the cipher operations similarly
// // ALSO SEE cipher for how we currently model initialization of the algorithm through an init call
// class EVP_DigestUpdate_Operation extends EVP_Hash_Operation {
// EVP_DigestUpdate_Operation() {
// this.(Call).getTarget().getName() = "EVP_DigestUpdate" and
// isPossibleOpenSSLFunction(this.(Call).getTarget())
// }
// override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
// this.getInitCall().getAlgorithmArg() = result
// }
// }
// class EVP_DigestFinal_Variants_Operation extends EVP_Hash_Operation {
// EVP_DigestFinal_Variants_Operation() {
// this.(Call).getTarget().getName() in [
// "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
// ] and
// isPossibleOpenSSLFunction(this.(Call).getTarget())
// }
// override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
// this.getInitCall().getAlgorithmArg() = result
// }
// }

21
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll Normal file
View File

@@ -0,0 +1,21 @@
import experimental.quantum.Language
abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
abstract Expr getInputArg();
/**
* Can be an argument of a call or a return value of a function.
*/
abstract Expr getOutputArg();
DataFlow::Node getInputNode() {
// Assumed to be default to asExpr
result.asExpr() = this.getInputArg()
}
DataFlow::Node getOutputNode() {
if exists(Call c | c.getAnArgument() = this)
then result.asDefiningArgument() = this
else result.asExpr() = this
}
}

3
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll Normal file
View File

@@ -0,0 +1,3 @@
import OpenSSLOperationBase
import EVPCipherOperation
import EVPHashOperation

18
cpp/ql/lib/experimental/quantum/OpenSSL/Random.qll Normal file
View File

@@ -0,0 +1,18 @@
import cpp
private import experimental.quantum.Language
private import LibraryDetector
private import semmle.code.cpp.dataflow.new.DataFlow
class OpenSSLRandomNumberGeneratorInstance extends Crypto::RandomNumberGenerationInstance instanceof Call
{
OpenSSLRandomNumberGeneratorInstance() {
this.(Call).getTarget().getName() in ["RAND_bytes", "RAND_pseudo_bytes"] and
isPossibleOpenSSLFunction(this.(Call).getTarget())
}
override Crypto::DataFlowNode getOutputNode() {
result.asDefiningArgument() = this.(Call).getArgument(0)
}
override string getGeneratorName() { result = this.(Call).getTarget().getName() }
}

4
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 4.3.0
version: 4.3.1
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp
@@ -8,12 +8,14 @@ upgrades: upgrades
dependencies:
codeql/dataflow: ${workspace}
codeql/mad: ${workspace}
codeql/quantum: ${workspace}
codeql/rangeanalysis: ${workspace}
codeql/ssa: ${workspace}
codeql/typeflow: ${workspace}
codeql/tutorial: ${workspace}
codeql/util: ${workspace}
codeql/xml: ${workspace}
codeql/global-controlflow: ${workspace}
dataExtensions:
- ext/*.model.yml
- ext/generated/*.model.yml

11
cpp/ql/lib/semmle/code/cpp/interproccontrolflow/ControlFlow.qll Normal file
View File

@@ -0,0 +1,11 @@
import cpp
/**
* Provides classes for performing global (inter-procedural) control flow analyses.
*/
module ControlFlow {
private import internal.ControlFlowSpecific
private import codeql.globalcontrolflow.ControlFlow
import ControlFlowMake<Location, CppControlFlow>
import Public
}

41
cpp/ql/lib/semmle/code/cpp/interproccontrolflow/internal/ControlFlowPrivate.qll Normal file
View File

@@ -0,0 +1,41 @@
private import semmle.code.cpp.ir.IR
private import cpp as Cpp
private import ControlFlowPublic
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
predicate edge(Node n1, Node n2) { n1.asInstruction().getASuccessor() = n2.asInstruction() }
predicate callTarget(CallNode call, Callable target) {
exists(DataFlowPrivate::DataFlowCall dfCall | dfCall.asCallInstruction() = call.asInstruction() |
DataFlowImplCommon::viableCallableCached(dfCall).asSourceCallable() = target
or
DataFlowImplCommon::viableCallableLambda(dfCall, _).asSourceCallable() = target
)
}
predicate flowEntry(Callable c, Node entry) {
entry.asInstruction().(EnterFunctionInstruction).getEnclosingFunction() = c
}
predicate flowExit(Callable c, Node exitNode) {
exitNode.asInstruction().(ExitFunctionInstruction).getEnclosingFunction() = c
}
Callable getEnclosingCallable(Node n) { n.getEnclosingFunction() = result }
predicate hiddenNode(Node n) { n.asInstruction() instanceof PhiInstruction }
private newtype TSplit = TNone() { none() }
class Split extends TSplit {
abstract string toString();
abstract Cpp::Location getLocation();
abstract predicate entry(Node n1, Node n2);
abstract predicate exit(Node n1, Node n2);
abstract predicate blocked(Node n1, Node n2);
}

79
cpp/ql/lib/semmle/code/cpp/interproccontrolflow/internal/ControlFlowPublic.qll Normal file
View File

@@ -0,0 +1,79 @@
private import semmle.code.cpp.ir.IR
private import cpp
private newtype TNode = TInstructionNode(Instruction i)
abstract private class NodeImpl extends TNode {
/** Gets the `Instruction` associated with this node, if any. */
Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
/** Gets the `Expr` associated with this node, if any. */
Expr asExpr() { result = this.(ExprNode).getExpr() }
/** Gets the `Parameter` associated with this node, if any. */
Parameter asParameter() { result = this.(ParameterNode).getParameter() }
/** Gets the location of this node. */
Location getLocation() { none() }
/**
* Holds if this element is at the specified location.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
final predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
}
/** Gets a textual representation of this node. */
abstract string toString();
/** Gets the enclosing callable of this node. */
abstract Callable getEnclosingFunction();
}
final class Node = NodeImpl;
private class InstructionNode extends NodeImpl {
Instruction instr;
InstructionNode() { this = TInstructionNode(instr) }
/** Gets the `Instruction` associated with this node. */
Instruction getInstruction() { result = instr }
final override Location getLocation() { result = instr.getLocation() }
final override string toString() { result = instr.getAst().toString() }
final override Callable getEnclosingFunction() { result = instr.getEnclosingFunction() }
}
private class ExprNode extends InstructionNode {
Expr e;
ExprNode() { e = this.getInstruction().getConvertedResultExpression() }
/** Gets the `Expr` associated with this node. */
Expr getExpr() { result = e }
}
private class ParameterNode extends InstructionNode {
override InitializeParameterInstruction instr;
Parameter p;
ParameterNode() { p = instr.getParameter() }
/** Gets the `Parameter` associated with this node. */
Parameter getParameter() { result = p }
}
class CallNode extends InstructionNode {
override CallInstruction instr;
}
class Callable = Function;

19
cpp/ql/lib/semmle/code/cpp/interproccontrolflow/internal/ControlFlowSpecific.qll Normal file
View File

@@ -0,0 +1,19 @@
/**
* Provides IR-specific definitions for use in the data flow library.
*/
private import cpp
private import codeql.globalcontrolflow.ControlFlow
module Private {
import ControlFlowPrivate
}
module Public {
import ControlFlowPublic
}
module CppControlFlow implements InputSig<Location> {
import Private
import Public
}

2
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll
View File

@@ -31,4 +31,6 @@ module CppDataFlow implements InputSig<Location> {
predicate viableImplInCallContext = Private::viableImplInCallContext/2;
predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
int defaultFieldFlowBranchLimit() { result = 3 }
}

12
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
View File

@@ -1567,7 +1567,7 @@ private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, Parame
|
exists(Ssa::UseImpl use | use.hasIndexInBlock(useblock, _, sv))
or
exists(Ssa::DefImpl def | def.hasIndexInBlock(useblock, _, sv))
exists(Ssa::DefImpl def | def.hasIndexInBlock(sv, useblock, _))
)
)
)
@@ -1652,8 +1652,6 @@ predicate validParameterAliasStep(Node node1, Node node2) {
)
}
private predicate isTopLevel(Cpp::Stmt s) { any(Function f).getBlock().getAStmt() = s }
private Cpp::Stmt getAChainedBranch(Cpp::IfStmt s) {
result = s.getThen()
or
@@ -1684,11 +1682,9 @@ private Instruction getAnInstruction(Node n) {
}
private newtype TDataFlowSecondLevelScope =
TTopLevelIfBranch(Cpp::Stmt s) {
exists(Cpp::IfStmt ifstmt | s = getAChainedBranch(ifstmt) and isTopLevel(ifstmt))
} or
TTopLevelIfBranch(Cpp::Stmt s) { s = getAChainedBranch(_) } or
TTopLevelSwitchCase(Cpp::SwitchCase s) {
exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase() and isTopLevel(switchstmt))
exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase())
}
/**
@@ -1818,7 +1814,7 @@ module IteratorFlow {
*/
private predicate isIteratorWrite(Instruction write, Operand address) {
exists(Ssa::DefImpl writeDef, IRBlock bb, int i |
writeDef.hasIndexInBlock(bb, i, _) and
writeDef.hasIndexInBlock(_, bb, i) and
bb.getInstruction(i) = write and
address = writeDef.getAddressOperand()
)

9
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
View File

@@ -191,7 +191,7 @@ abstract class DefImpl extends TDefImpl {
* Holds if this definition (or use) has index `index` in block `block`,
* and is a definition (or use) of the variable `sv`
*/
final predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
final predicate hasIndexInBlock(SourceVariable sv, IRBlock block, int index) {
this.hasIndexInBlock(block, index) and
sv = this.getSourceVariable()
}
@@ -891,12 +891,12 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {
DataFlowImplCommon::forceCachingInSameStage() and
(
exists(DefImpl def | def.hasIndexInBlock(bb, i, v) |
exists(DefImpl def | def.hasIndexInBlock(v, bb, i) |
if def.isCertain() then certain = true else certain = false
)
or
exists(GlobalDefImpl global |
global.hasIndexInBlock(bb, i, v) and
global.hasIndexInBlock(v, bb, i) and
certain = true
)
)
@@ -934,10 +934,11 @@ module SsaCached {
}
/** Gets the `DefImpl` corresponding to `def`. */
pragma[nomagic]
private DefImpl getDefImpl(SsaImpl::Definition def) {
exists(SourceVariable sv, IRBlock bb, int i |
def.definesAt(sv, bb, i) and
result.hasIndexInBlock(bb, i, sv)
result.hasIndexInBlock(sv, bb, i)
)
}

8
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll
View File

@@ -58,4 +58,12 @@ class IRFunction extends IRFunctionBase {
* Gets all blocks in this function.
*/
final IRBlock getABlock() { result.getEnclosingIRFunction() = this }
/**
* Holds if this function may have incomplete def-use information.
*
* Def-use information may be omitted for a function when it is too expensive
* to compute.
*/
final predicate hasIncompleteSsa() { Construction::hasIncompleteSsa(this) }
}

4
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
View File

@@ -235,7 +235,7 @@ private newtype TMemoryLocation =
*
* Some of these memory locations will be filtered out for performance reasons before being passed to SSA construction.
*/
abstract private class MemoryLocation0 extends TMemoryLocation {
abstract class MemoryLocation0 extends TMemoryLocation {
final string toString() {
if this.isMayAccess()
then result = "?" + this.toStringInternal()
@@ -874,7 +874,7 @@ private int numberOfOverlappingUses(MemoryLocation0 def) {
* Holds if `def` is a busy definition. That is, it has a large number of
* overlapping uses.
*/
private predicate isBusyDef(MemoryLocation0 def) { numberOfOverlappingUses(def) > 1024 }
predicate isBusyDef(MemoryLocation0 def) { numberOfOverlappingUses(def) > 1024 }
/** Holds if `use` is a use that overlaps with a busy definition. */
private predicate useOverlapWithBusyDef(MemoryLocation0 use) {

14
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
View File

@@ -731,6 +731,20 @@ private module Cached {
or
instruction = getChi(result.(UninitializedGroupInstruction))
}
/**
* Holds if the def-use information for `f` may have been omitted because it
* was too expensive to compute. This happens if one of the memory allocations
* in `f` is a busy definition (i.e., it has many different overlapping uses).
*/
pragma[nomagic]
cached
predicate hasIncompleteSsa(IRFunction f) {
exists(Alias::MemoryLocation0 defLocation |
Alias::isBusyDef(pragma[only_bind_into](defLocation)) and
defLocation.getIRFunction() = f
)
}
}
private Instruction getNewInstruction(OldInstruction instr) { getOldInstruction(result) = instr }

8
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll
View File

@@ -58,4 +58,12 @@ class IRFunction extends IRFunctionBase {
* Gets all blocks in this function.
*/
final IRBlock getABlock() { result.getEnclosingIRFunction() = this }
/**
* Holds if this function may have incomplete def-use information.
*
* Def-use information may be omitted for a function when it is too expensive
* to compute.
*/
final predicate hasIncompleteSsa() { Construction::hasIncompleteSsa(this) }
}

2
cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
View File

@@ -220,6 +220,8 @@ Instruction getMemoryOperandDefinition(
none()
}
predicate hasIncompleteSsa(IRFunction f) { none() }
/**
* Holds if the operand totally overlaps with its definition and consumes the
* bit range `[startBitOffset, endBitOffset)`.

8
cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll
View File

@@ -58,4 +58,12 @@ class IRFunction extends IRFunctionBase {
* Gets all blocks in this function.
*/
final IRBlock getABlock() { result.getEnclosingIRFunction() = this }
/**
* Holds if this function may have incomplete def-use information.
*
* Def-use information may be omitted for a function when it is too expensive
* to compute.
*/
final predicate hasIncompleteSsa() { Construction::hasIncompleteSsa(this) }
}

14
cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
View File

@@ -731,6 +731,20 @@ private module Cached {
or
instruction = getChi(result.(UninitializedGroupInstruction))
}
/**
* Holds if the def-use information for `f` may have been omitted because it
* was too expensive to compute. This happens if one of the memory allocations
* in `f` is a busy definition (i.e., it has many different overlapping uses).
*/
pragma[nomagic]
cached
predicate hasIncompleteSsa(IRFunction f) {
exists(Alias::MemoryLocation0 defLocation |
Alias::isBusyDef(pragma[only_bind_into](defLocation)) and
defLocation.getIRFunction() = f
)
}
}
private Instruction getNewInstruction(OldInstruction instr) { getOldInstruction(result) = instr }

8
cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
View File

@@ -73,6 +73,8 @@ class MemoryLocation extends TMemoryLocation {
final predicate canReuseSsa() { canReuseSsaForVariable(var) }
}
class MemoryLocation0 = MemoryLocation;
predicate canReuseSsaForOldResult(Instruction instr) { none() }
abstract class VariableGroup extends Unit {
@@ -141,3 +143,9 @@ int getStartBitOffset(MemoryLocation location) { none() }
/** Gets the end bit offset of a `MemoryLocation`, if any. */
int getEndBitOffset(MemoryLocation location) { none() }
/**
* Holds if `def` is a busy definition. That is, it has a large number of
* overlapping uses.
*/
predicate isBusyDef(MemoryLocation def) { none() }

9
cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll
View File

@@ -112,7 +112,14 @@ module SemanticExprConfig {
}
/** Holds if no range analysis should be performed on the phi edges in `f`. */
private predicate excludeFunction(Cpp::Function f) { count(f.getEntryPoint()) > 1 }
private predicate excludeFunction(Cpp::Function f) {
count(f.getEntryPoint()) > 1
or
exists(IR::IRFunction irFunction |
irFunction.getFunction() = f and
irFunction.hasIncompleteSsa()
)
}
SemType getUnknownExprType(Expr expr) { result = getSemanticType(expr.getResultIRType()) }

11
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,14 @@
## 1.4.0
### Query Metadata Changes
* The tag `external/cwe/cwe-14` has been removed from `cpp/memset-may-be-deleted` and the tag `external/cwe/cwe-014` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/late-check-of-function-argument` and the tag `external/cwe/cwe-020` has been added.
## 1.3.9
No user-facing changes.

4
cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
View File

@@ -44,6 +44,10 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
) and
getFullyConvertedType(node) = state
}
predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
}
/**

2
cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
View File

@@ -8,7 +8,7 @@
* @security-severity 7.8
* @precision high
* @tags security
* external/cwe/cwe-14
* external/cwe/cwe-014
*/
import cpp

2
cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
View File

@@ -5,7 +5,7 @@
* to it.
* @id cpp/count-untrusted-data-external-api
* @kind table
* @tags security external/cwe/cwe-20
* @tags security external/cwe/cwe-020
*/
import cpp

2
cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
View File

@@ -5,7 +5,7 @@
* to it.
* @id cpp/count-untrusted-data-external-api-ir
* @kind table
* @tags security external/cwe/cwe-20
* @tags security external/cwe/cwe-020
*/
import cpp

2
cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
View File

@@ -6,7 +6,7 @@
* @precision low
* @problem.severity error
* @security-severity 7.8
* @tags security external/cwe/cwe-20
* @tags security external/cwe/cwe-020
*/
import cpp

2
cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
View File

@@ -6,7 +6,7 @@
* @precision low
* @problem.severity error
* @security-severity 7.8
* @tags security external/cwe/cwe-20
* @tags security external/cwe/cwe-020
*/
import cpp

10
cpp/ql/src/change-notes/released/1.4.0.md Normal file
View File

@@ -0,0 +1,10 @@
## 1.4.0
### Query Metadata Changes
* The tag `external/cwe/cwe-14` has been removed from `cpp/memset-may-be-deleted` and the tag `external/cwe/cwe-014` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api` and the tag `external/cwe/cwe-020` has been added.
* The tag `external/cwe/cwe-20` has been removed from `cpp/late-check-of-function-argument` and the tag `external/cwe/cwe-020` has been added.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.3.9
lastReleaseVersion: 1.4.0

4
cpp/ql/src/codeql-suites/cpp-code-quality.qls
View File

@@ -1 +1,3 @@
[]
- queries: .
- apply: code-quality-selectors.yml
from: codeql/suite-helpers

2
cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
View File

@@ -10,7 +10,7 @@
* @tags correctness
* security
* experimental
* external/cwe/cwe-20
* external/cwe/cwe-020
*/
import cpp

23
cpp/ql/src/experimental/quantum/PrintCBOMGraph.ql Normal file
View File

@@ -0,0 +1,23 @@
/**
* @name Print CBOM Graph
* @description Outputs a graph representation of the cryptographic bill of materials.
* This query only supports DGML output, as CodeQL DOT output omits properties.
* @kind graph
* @id cpp/print-cbom-graph
* @tags quantum
* experimental
*/
import experimental.quantum.Language
query predicate nodes(Crypto::NodeBase node, string key, string value) {
Crypto::nodes_graph_impl(node, key, value)
}
query predicate edges(Crypto::NodeBase source, Crypto::NodeBase target, string key, string value) {
Crypto::edges_graph_impl(source, target, key, value)
}
query predicate graphProperties(string key, string value) {
key = "semmle.graphKind" and value = "graph"
}

Some files were not shown because too many files have changed in this diff Show More