hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-07 14:41:41 +02:00
Code Issues Packages Projects Releases Wiki Activity
74,384 Commits 1,747 Branches 166 Tags
b144c2f5974841dfd81e0c12e60307ac5cff5484
Commit Graph

27 Commits

Author SHA1 Message Date
Mathias Vorreiter Pedersen
5476f42d2c C++: Simplify use of 'GuardCondition's in 'cpp/missing-check-scanf'. 2024-03-20 16:44:43 +00:00
Mathias Vorreiter Pedersen
14aff5c94c C++: Convert 'cpp/missing-check-scanf' to a path-problem query. 2024-03-20 14:54:53 +00:00
Mathias Vorreiter Pedersen
c9dbb7c5a9 C++: Rewrite 'cpp/missing-check-scanf' to use standard dataflow configurations. 2024-03-20 12:01:57 +00:00
Alex Eyers-Taylor
12e24a2b44 CPP: Exclude incorrect scanf checks from missing scanf checks 2023-11-24 16:57:59 +00:00
Mathias Vorreiter Pedersen
0db05fe4fa C++: Use the new dataflow library in the 'missing scanf' query. 2023-04-13 14:51:08 +01:00
Jeroen Ketema
ecdeb9a970 C++: Revert semmle.code.cpp.dataflow to its old state 
While here make sure all queries and tests use IR dataflow when appropriate.
 2023-02-10 14:21:44 +01:00
Nora Dimitrijević
1df0be3ca2 C++: Fix join order in cpp/missing-check-scanf 
The issues were:
* `revFlow`: `revFlow` joins `fwdFlow` on `vn`.
* `Node.getASuccessor()`: `MkNode` self-join on `vn`.
* `hasFlow/5`: `MkNode` self-join on `vn`.
 2023-02-01 16:29:43 +01:00
Mathias Vorreiter Pedersen
59072f9e81 C++: Improve QLDoc. 2023-01-13 11:01:23 +00:00
Mathias Vorreiter Pedersen
dd8bead21a C++: Fix spurious backticks. 2023-01-13 10:57:44 +00:00
Mathias Vorreiter Pedersen
1ae52b6c7e C++: Speedup 'MissingCheckScanf'. 2023-01-12 10:13:02 +00:00
Jeroen Ketema
0b4c4fd580 C++: Simplify deallocation check 2022-12-15 12:46:32 +01:00
Jeroen Ketema
4fb43d56b3 C++: Exclude deallocation functions as scanf result accesses 2022-12-15 09:39:16 +01:00
erik-krogh
40bea78186 remove more instances of the alert-loc being repeated as a link 2022-09-23 14:45:59 +02:00
erik-krogh
a30c38f38c CPP: make more alert messages follow the style-guide 2022-09-23 14:45:59 +02:00
Nora Dimitrijević
f5a30c7bbe C++: Add correctness tag 
As that seems to be appropriate for this query.
 2022-08-31 16:59:57 +02:00
Nora Dimitrijević
38f185bee4 C++: Correct CWE tags in metadata 2022-08-31 16:58:05 +02:00
Nora Dimitrijević
0729e42536 C++: Update metadata based on cwe-scores 
Though the codeql/cwe-scores update-queries.py script did not make any changes on its own,
I looked up the score of the CWEs that @geoffw0 suggested using the explain.py script.

As discussed elsewhere, this should be more of a warning than a recommendation.
 2022-08-31 15:50:37 +02:00
Nora Dimitrijević
e10042be7d C++: Improve docs based on doc-review 
Thanks to @mchammer01 and @geoffw0 for the suggestions latest.
 2022-08-30 11:14:57 +02:00
Nora Dimitrijević
7d24d96d80 C++: Optimize MissingCheckScanf/bigStep() 2022-08-25 17:12:25 +02:00
Nora Dimitrijević
ad56274a73 C++: Small improvements to query qldoc and message 2022-08-25 15:22:41 +02:00
Nora Dimitrijević
a6a30b3725 C++: clarify ScanfOutput.getMinimumGuardConstant() 2022-08-25 15:07:39 +02:00
Nora Dimitrijević
e39229d59e C++: Remove unique-Instruction kludge in ScanfOutput 
Passes tests.
 2022-08-25 14:38:58 +02:00
Nora Dimitrijević
d8800c03b6 C++: new helper predicates in ScanfFunctionCall 
Extract some of the logic from the `cpp/missing-check-scanf` query into
the more generally useful `getOutputArgument(int index)`, `getAnOutputArgument()`,
and `getNumberOfOutputArguments()` predicates.
 2022-08-25 14:32:15 +02:00
Nora Dimitrijević
170d12bf5a Write MissingCheckScanf.qhelp 2022-08-24 19:58:19 +02:00
Nora Dimitrijević
ca162a4365 C++: complete initial implementation of cpp/missing-check-scanf 
There are still some remaining FPs (haven't fully tested them)
that should be ironed out in a follow-up to increase the precision, e.g.:

  * if scanf(&i) != 1 return
    if maybe() && scanf(&i) != 1 return
    use(i) // should be OK on both counts

  * The minimum guard constant for the *_s variants may not be right.

  * int i[2]
    scanf(i, i+1) // second i is flagged as a use of the first

  * Maybe loosen the "unguarded or badly guarded use() = bad" policy to
    "unguarded but already-initialized = good" and "badly guarded = bad",
    since a lot of FPs in MRVA fall into the "unguarded but already-
    initialized" bucket.
 2022-08-24 11:25:06 +02:00
Geoffrey White
c62ae3b350 C++: First working. We now prefer flagging the cases where the variable was initialized, as in real world cases we haven't seen it done safely. 2022-08-11 12:27:48 +02:00
Geoffrey White
76ef779f60 C++: Add test and placeholder query. 2022-08-11 12:27:39 +02:00