Merge pull request #17054 from geoffw0/scanf

C++: Fix false positives in cpp/incorrectly-checked-scanf

cpp/ql/src/Critical/ScanfChecks.qll

@@ -38,11 +38,18 @@ private string getEofValue() {
 private predicate checkedForEof(ScanfFunctionCall call) {
   exists(IRGuardCondition gc |
     exists(Instruction i | i.getUnconvertedResultExpression() = call |
-      // call == EOF
-      gc.comparesEq(valueNumber(i).getAUse(), getEofValue().toInt(), _, _)
+      exists(int val | gc.comparesEq(valueNumber(i).getAUse(), val, _, _) |
+        // call == EOF
+        val = getEofValue().toInt()
+        or
+        // call == [any positive number]
+        val > 0
+      )
       or
-      // call < 0 (EOF is guaranteed to be negative)
-      gc.comparesLt(valueNumber(i).getAUse(), 0, true, _)
+      exists(int val | gc.comparesLt(valueNumber(i).getAUse(), val, true, _) |
+        // call < [any non-negative number] (EOF is guaranteed to be negative)
+        val >= 0
+      )
     )
   )
 }

cpp/ql/src/change-notes/2024-07-23-incorrectly-checked-scanf.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/incorrectly-checked-scanf` ("Incorrect return-value check for a 'scanf'-like function") query now produces fewer false positive results.