mirror of
https://github.com/github/codeql.git
synced 2026-05-16 04:09:27 +02:00
Compare commits
4 Commits
codeql-cli
...
ginsbach/O
| Author | SHA1 | Date | |
|---|---|---|---|
|
9a11e29c01 | ||
|
|
b6ac00f642 | ||
|
|
2a187e5922 | ||
|
|
bebe3f4fe5 |
6
.github/workflows/build-ripunzip.yml
vendored
6
.github/workflows/build-ripunzip.yml
vendored
@@ -6,18 +6,18 @@ on:
|
||||
ripunzip-version:
|
||||
description: "what reference to checktout from google/runzip"
|
||||
required: false
|
||||
default: v2.0.2
|
||||
default: v1.2.1
|
||||
openssl-version:
|
||||
description: "what reference to checkout from openssl/openssl for Linux"
|
||||
required: false
|
||||
default: openssl-3.5.0
|
||||
default: openssl-3.3.0
|
||||
|
||||
jobs:
|
||||
build:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: [ubuntu-22.04, macos-13, windows-2022]
|
||||
os: [ubuntu-22.04, macos-13, windows-2019]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
4
.github/workflows/csharp-qltest.yml
vendored
4
.github/workflows/csharp-qltest.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
||||
unit-tests:
|
||||
strategy:
|
||||
matrix:
|
||||
os: [ubuntu-latest, windows-latest]
|
||||
os: [ubuntu-latest, windows-2019]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
@@ -66,6 +66,6 @@ jobs:
|
||||
# Update existing stubs in the repo with the freshly generated ones
|
||||
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
||||
git status
|
||||
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
||||
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
|
||||
3
.github/workflows/go-tests-other-os.yml
vendored
3
.github/workflows/go-tests-other-os.yml
vendored
@@ -26,8 +26,9 @@ jobs:
|
||||
uses: ./go/actions/test
|
||||
|
||||
test-win:
|
||||
if: github.repository_owner == 'github'
|
||||
name: Test Windows
|
||||
runs-on: windows-latest
|
||||
runs-on: windows-latest-xl
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
2
.github/workflows/mad_modelDiff.yml
vendored
2
.github/workflows/mad_modelDiff.yml
vendored
@@ -68,7 +68,7 @@ jobs:
|
||||
DATABASE=$2
|
||||
cd codeql-$QL_VARIANT
|
||||
SHORTNAME=`basename $DATABASE`
|
||||
python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
||||
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
||||
mkdir -p $MODELS/$SHORTNAME
|
||||
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
|
||||
cd ..
|
||||
|
||||
2
.github/workflows/ruby-qltest-rtjo.yml
vendored
2
.github/workflows/ruby-qltest-rtjo.yml
vendored
@@ -35,6 +35,6 @@ jobs:
|
||||
key: ruby-qltest
|
||||
- name: Run QL tests
|
||||
run: |
|
||||
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
|
||||
2
.github/workflows/ruby-qltest.yml
vendored
2
.github/workflows/ruby-qltest.yml
vendored
@@ -68,6 +68,6 @@ jobs:
|
||||
key: ruby-qltest
|
||||
- name: Run QL tests
|
||||
run: |
|
||||
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
|
||||
2
.github/workflows/swift.yml
vendored
2
.github/workflows/swift.yml
vendored
@@ -32,7 +32,7 @@ jobs:
|
||||
if: github.repository_owner == 'github'
|
||||
strategy:
|
||||
matrix:
|
||||
runner: [ubuntu-latest, macos-15-xlarge]
|
||||
runner: [ubuntu-latest, macos-13-xlarge]
|
||||
fail-fast: false
|
||||
runs-on: ${{ matrix.runner }}
|
||||
steps:
|
||||
|
||||
2
.github/workflows/validate-change-notes.yml
vendored
2
.github/workflows/validate-change-notes.yml
vendored
@@ -31,4 +31,4 @@ jobs:
|
||||
- name: Fail if there are any errors with existing change notes
|
||||
|
||||
run: |
|
||||
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
|
||||
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
|
||||
|
||||
5
.gitignore
vendored
5
.gitignore
vendored
@@ -62,7 +62,6 @@ node_modules/
|
||||
|
||||
# Temporary folders for working with generated models
|
||||
.model-temp
|
||||
/mad-generation-build
|
||||
|
||||
# bazel-built in-tree extractor packs
|
||||
/*/extractor-pack
|
||||
@@ -72,7 +71,3 @@ node_modules/
|
||||
|
||||
# cargo build directory
|
||||
/target
|
||||
|
||||
# some upgrade/downgrade checks create these files
|
||||
**/upgrades/*/*.dbscheme.stats
|
||||
**/downgrades/*/*.dbscheme.stats
|
||||
|
||||
@@ -16,8 +16,7 @@
|
||||
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
||||
|
||||
# Experimental CodeQL cryptography
|
||||
**/experimental/**/quantum/ @github/ps-codeql
|
||||
/shared/quantum/ @github/ps-codeql
|
||||
**/experimental/quantum/ @github/ps-codeql
|
||||
|
||||
# CodeQL tools and associated docs
|
||||
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
||||
|
||||
46
Cargo.lock
generated
46
Cargo.lock
generated
@@ -242,8 +242,6 @@ version = "1.2.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7"
|
||||
dependencies = [
|
||||
"jobserver",
|
||||
"libc",
|
||||
"shlex",
|
||||
]
|
||||
|
||||
@@ -392,7 +390,6 @@ dependencies = [
|
||||
"tree-sitter",
|
||||
"tree-sitter-json",
|
||||
"tree-sitter-ql",
|
||||
"zstd",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -986,15 +983,6 @@ version = "1.0.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
|
||||
|
||||
[[package]]
|
||||
name = "jobserver"
|
||||
version = "0.1.32"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
|
||||
dependencies = [
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "jod-thread"
|
||||
version = "0.1.2"
|
||||
@@ -1346,12 +1334,6 @@ version = "0.2.16"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
|
||||
|
||||
[[package]]
|
||||
name = "pkg-config"
|
||||
version = "0.3.32"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
|
||||
|
||||
[[package]]
|
||||
name = "portable-atomic"
|
||||
version = "1.11.0"
|
||||
@@ -3045,31 +3027,3 @@ dependencies = [
|
||||
"quote",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "zstd"
|
||||
version = "0.13.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
|
||||
dependencies = [
|
||||
"zstd-safe",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "zstd-safe"
|
||||
version = "7.2.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
|
||||
dependencies = [
|
||||
"zstd-sys",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "zstd-sys"
|
||||
version = "2.0.15+zstd.1.5.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
|
||||
dependencies = [
|
||||
"cc",
|
||||
"pkg-config",
|
||||
]
|
||||
|
||||
@@ -10,7 +10,6 @@ members = [
|
||||
"rust/ast-generator",
|
||||
"rust/autobuild",
|
||||
]
|
||||
exclude = ["mad-generation-build"]
|
||||
|
||||
[patch.crates-io]
|
||||
# patch for build script bug preventing bazel build
|
||||
|
||||
38
MODULE.bazel
38
MODULE.bazel
@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
|
||||
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
|
||||
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
||||
bazel_dep(name = "fmt", version = "10.0.0")
|
||||
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
|
||||
bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
|
||||
bazel_dep(name = "gazelle", version = "0.40.0")
|
||||
bazel_dep(name = "rules_dotnet", version = "0.17.4")
|
||||
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
||||
@@ -124,7 +124,6 @@ use_repo(
|
||||
"vendor_ts__tree-sitter-ruby-0.23.1",
|
||||
"vendor_ts__triomphe-0.1.14",
|
||||
"vendor_ts__ungrammar-1.16.1",
|
||||
"vendor_ts__zstd-0.13.3",
|
||||
)
|
||||
|
||||
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
||||
@@ -194,6 +193,10 @@ use_repo(
|
||||
kotlin_extractor_deps,
|
||||
"codeql_kotlin_defaults",
|
||||
"codeql_kotlin_embeddable",
|
||||
"kotlin-compiler-1.5.0",
|
||||
"kotlin-compiler-1.5.10",
|
||||
"kotlin-compiler-1.5.20",
|
||||
"kotlin-compiler-1.5.30",
|
||||
"kotlin-compiler-1.6.0",
|
||||
"kotlin-compiler-1.6.20",
|
||||
"kotlin-compiler-1.7.0",
|
||||
@@ -205,7 +208,10 @@ use_repo(
|
||||
"kotlin-compiler-2.0.20-Beta2",
|
||||
"kotlin-compiler-2.1.0-Beta1",
|
||||
"kotlin-compiler-2.1.20-Beta1",
|
||||
"kotlin-compiler-2.2.0-Beta1",
|
||||
"kotlin-compiler-embeddable-1.5.0",
|
||||
"kotlin-compiler-embeddable-1.5.10",
|
||||
"kotlin-compiler-embeddable-1.5.20",
|
||||
"kotlin-compiler-embeddable-1.5.30",
|
||||
"kotlin-compiler-embeddable-1.6.0",
|
||||
"kotlin-compiler-embeddable-1.6.20",
|
||||
"kotlin-compiler-embeddable-1.7.0",
|
||||
@@ -217,7 +223,10 @@ use_repo(
|
||||
"kotlin-compiler-embeddable-2.0.20-Beta2",
|
||||
"kotlin-compiler-embeddable-2.1.0-Beta1",
|
||||
"kotlin-compiler-embeddable-2.1.20-Beta1",
|
||||
"kotlin-compiler-embeddable-2.2.0-Beta1",
|
||||
"kotlin-stdlib-1.5.0",
|
||||
"kotlin-stdlib-1.5.10",
|
||||
"kotlin-stdlib-1.5.20",
|
||||
"kotlin-stdlib-1.5.30",
|
||||
"kotlin-stdlib-1.6.0",
|
||||
"kotlin-stdlib-1.6.20",
|
||||
"kotlin-stdlib-1.7.0",
|
||||
@@ -229,7 +238,6 @@ use_repo(
|
||||
"kotlin-stdlib-2.0.20-Beta2",
|
||||
"kotlin-stdlib-2.1.0-Beta1",
|
||||
"kotlin-stdlib-2.1.20-Beta1",
|
||||
"kotlin-stdlib-2.2.0-Beta1",
|
||||
)
|
||||
|
||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||
@@ -239,24 +247,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
|
||||
|
||||
lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
|
||||
lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
|
||||
|
||||
lfs_archive(
|
||||
lfs_files(
|
||||
name = "ripunzip-linux",
|
||||
src = "//misc/ripunzip:ripunzip-Linux.zip",
|
||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
||||
srcs = ["//misc/ripunzip:ripunzip-linux"],
|
||||
executable = True,
|
||||
)
|
||||
|
||||
lfs_archive(
|
||||
lfs_files(
|
||||
name = "ripunzip-windows",
|
||||
src = "//misc/ripunzip:ripunzip-Windows.zip",
|
||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
||||
srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
|
||||
executable = True,
|
||||
)
|
||||
|
||||
lfs_archive(
|
||||
lfs_files(
|
||||
name = "ripunzip-macos",
|
||||
src = "//misc/ripunzip:ripunzip-macOS.zip",
|
||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
||||
srcs = ["//misc/ripunzip:ripunzip-macos"],
|
||||
executable = True,
|
||||
)
|
||||
|
||||
register_toolchains(
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
@@ -1,27 +0,0 @@
|
||||
ql/actions/ql/src/Debug/SyntaxError.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
|
||||
ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
|
||||
@@ -1,23 +0,0 @@
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
|
||||
@@ -1,17 +0,0 @@
|
||||
ql/actions/ql/src/Debug/partial.ql
|
||||
ql/actions/ql/src/Models/CompositeActionsSinks.ql
|
||||
ql/actions/ql/src/Models/CompositeActionsSources.ql
|
||||
ql/actions/ql/src/Models/CompositeActionsSummaries.ql
|
||||
ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
|
||||
ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
|
||||
ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
|
||||
@@ -1,14 +0,0 @@
|
||||
import runs_on
|
||||
import pytest
|
||||
from query_suites import *
|
||||
|
||||
well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
|
||||
|
||||
@runs_on.posix
|
||||
@pytest.mark.parametrize("query_suite", well_known_query_suites)
|
||||
def test(codeql, actions, check_query_suite, query_suite):
|
||||
check_query_suite(query_suite)
|
||||
|
||||
@runs_on.posix
|
||||
def test_not_included_queries(codeql, actions, check_queries_not_included):
|
||||
check_queries_not_included('actions', well_known_query_suites)
|
||||
@@ -1,24 +1,6 @@
|
||||
## 0.4.11
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.10
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.9
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.8
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.7
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.6
|
||||
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.10
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.11
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,5 +1,3 @@
|
||||
## 0.4.7
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.8
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.9
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.11
|
||||
lastReleaseVersion: 0.4.7
|
||||
|
||||
@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
|
||||
string getNormalizedExpression() { result = normalizeExpr(expression) }
|
||||
}
|
||||
|
||||
/** An `env` in workflow, job or step. */
|
||||
class Env extends AstNode instanceof EnvImpl {
|
||||
/** A common class for `env` in workflow, job or step. */
|
||||
abstract class Env extends AstNode instanceof EnvImpl {
|
||||
/** Gets an environment variable value given its name. */
|
||||
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
|
||||
|
||||
|
||||
@@ -22,21 +22,16 @@ extensions:
|
||||
- ["actions/stale", "pull-requests: write"]
|
||||
- ["actions/attest-build-provenance", "id-token: write"]
|
||||
- ["actions/attest-build-provenance", "attestations: write"]
|
||||
- ["actions/deploy-pages", "pages: write"]
|
||||
- ["actions/deploy-pages", "id-token: write"]
|
||||
- ["actions/delete-package-versions", "packages: write"]
|
||||
- ["actions/jekyll-build-pages", "contents: read"]
|
||||
- ["actions/jekyll-build-pages", "pages: write"]
|
||||
- ["actions/jekyll-build-pages", "id-token: write"]
|
||||
- ["actions/publish-action", "contents: write"]
|
||||
- ["actions/versions-package-tools", "contents: read"]
|
||||
- ["actions/versions-package-tools", "contents: read"]
|
||||
- ["actions/versions-package-tools", "actions: read"]
|
||||
- ["actions/reusable-workflows", "contents: read"]
|
||||
- ["actions/reusable-workflows", "contents: read"]
|
||||
- ["actions/reusable-workflows", "actions: read"]
|
||||
- ["actions/ai-inference", "contents: read"]
|
||||
- ["actions/ai-inference", "models: read"]
|
||||
# TODO: Add permissions for actions/download-artifact
|
||||
# TODO: Add permissions for actions/upload-artifact
|
||||
# No permissions needed for actions/upload-pages-artifact
|
||||
# TODO: Add permissions for actions/cache
|
||||
# No permissions needed for actions/configure-pages
|
||||
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.11
|
||||
version: 0.4.8-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,43 +1,5 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
|
||||
## 0.6.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The following queries have been removed from the `security-and-quality` suite.
|
||||
They are not intended to produce user-facing
|
||||
alerts describing vulnerabilities.
|
||||
Any existing alerts for these queries will be closed automatically.
|
||||
* `actions/composite-action-sinks`
|
||||
* `actions/composite-action-sources`
|
||||
* `actions/composite-action-summaries`
|
||||
* `actions/reusable-workflow-sinks`
|
||||
(renamed from `actions/reusable-wokflow-sinks`)
|
||||
* `actions/reusable-workflow-sources`
|
||||
* `actions/reusable-workflow-summaries`
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
|
||||
|
||||
## 0.5.4
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id actions/reusable-workflow-sinks
|
||||
* @id actions/reusable-wokflow-sinks
|
||||
* @tags actions
|
||||
* model-generator
|
||||
* external/cwe/cwe-020
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
|
||||
@@ -1,9 +1,5 @@
|
||||
## 0.5.4
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
|
||||
|
||||
@@ -1,19 +0,0 @@
|
||||
## 0.6.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The following queries have been removed from the `security-and-quality` suite.
|
||||
They are not intended to produce user-facing
|
||||
alerts describing vulnerabilities.
|
||||
Any existing alerts for these queries will be closed automatically.
|
||||
* `actions/composite-action-sinks`
|
||||
* `actions/composite-action-sources`
|
||||
* `actions/composite-action-summaries`
|
||||
* `actions/reusable-workflow-sinks`
|
||||
(renamed from `actions/reusable-wokflow-sinks`)
|
||||
* `actions/reusable-workflow-sources`
|
||||
* `actions/reusable-workflow-summaries`
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.6.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,5 +0,0 @@
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.3
|
||||
lastReleaseVersion: 0.5.4
|
||||
|
||||
@@ -1,3 +1 @@
|
||||
- queries: .
|
||||
- apply: code-quality-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
[]
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.3
|
||||
version: 0.5.5-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/ai-inference
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/deploy-pages
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/delete-package-versions
|
||||
@@ -3,6 +3,3 @@
|
||||
| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
|
||||
| .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
|
||||
| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
|
||||
| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
|
||||
| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
|
||||
| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |
|
||||
|
||||
123
annotateOverlayLocal.py
Normal file
123
annotateOverlayLocal.py
Normal file
@@ -0,0 +1,123 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import os
|
||||
|
||||
|
||||
def process_single_file(filename):
|
||||
if not filename.endswith(".qll"):
|
||||
return
|
||||
|
||||
with open(filename, 'r') as file_in:
|
||||
lines = [line for line in file_in]
|
||||
|
||||
configuresDataflow = any(
|
||||
"implements DataFlow::ConfigSig" in line for line in lines)
|
||||
|
||||
moduleAnnotations = ""
|
||||
if any(line for line in lines if line.rstrip().endswith("module;")):
|
||||
for line in lines:
|
||||
moduleAnnotations += line
|
||||
if line.rstrip().endswith("module;"):
|
||||
break
|
||||
|
||||
moduleAnnotations = strip_comments(moduleAnnotations)
|
||||
|
||||
isFileLevelAnnotated = ("overlay[local]" in moduleAnnotations or
|
||||
"overlay[local?]" in moduleAnnotations)
|
||||
|
||||
if configuresDataflow or isFileLevelAnnotated or filename.endswith("Query.qll"):
|
||||
if isFileLevelAnnotated and configuresDataflow:
|
||||
print("WARNING: file \""+filename +
|
||||
"\" configures dataflow, but is annotated local")
|
||||
elif configuresDataflow and not filename.endswith("Query.qll"):
|
||||
print("WARNING: file \""+filename +
|
||||
"\" configures dataflow but is not a [...]Query.qll file")
|
||||
elif filename.endswith("Query.qll") and not configuresDataflow:
|
||||
print("WARNING: file \""+filename +
|
||||
"\" is a [...]Query.qll file that does not configure dataflow")
|
||||
elif isFileLevelAnnotated and filename.endswith("Query.qll"):
|
||||
print("WARNING: file \""+filename +
|
||||
"\" is a [...]Query.qll file, but is annotated local")
|
||||
elif any(line for line in lines if line.rstrip().endswith("module;")):
|
||||
print("file \""+filename +
|
||||
" was annotated using an existing file-level module statment")
|
||||
with open(filename, "w") as file_out:
|
||||
for line in lines:
|
||||
if line.rstrip().endswith("module;"):
|
||||
file_out.write("overlay[local?]\n")
|
||||
file_out.write(line)
|
||||
elif (lines[0].startswith("import ") or lines[0].startswith("private ") or
|
||||
lines[0].startswith("newtype ") or lines[0].startswith("module ") or
|
||||
lines[0].startswith("signature ")):
|
||||
print("file \""+filename+" was annotated at the very start of the file")
|
||||
with open(filename, "w") as file_out:
|
||||
file_out.write("overlay[local?]\nmodule;\n\n")
|
||||
for line in lines:
|
||||
file_out.write(line)
|
||||
elif (strip_comments("".join(lines)).lstrip().startswith("import") or
|
||||
strip_comments("".join(lines)).lstrip().startswith("private import")):
|
||||
print("file \""+filename+" was annotated at the first import statement")
|
||||
with open(filename, "w") as file_out:
|
||||
firstImport = True
|
||||
addEmptyLine = ""
|
||||
for line in lines:
|
||||
if not line.strip():
|
||||
if addEmptyLine:
|
||||
file_out.write(addEmptyLine)
|
||||
addEmptyLine = line
|
||||
else:
|
||||
if firstImport and (line.startswith("import") or line.startswith("private")):
|
||||
file_out.write("overlay[local?]\nmodule;\n")
|
||||
firstImport = False
|
||||
|
||||
if addEmptyLine:
|
||||
file_out.write(addEmptyLine)
|
||||
addEmptyLine = ""
|
||||
file_out.write(line)
|
||||
elif (len(lines) > 2 and lines[0].startswith("/** ") and lines[0].endswith(" */\n") and
|
||||
not lines[1].strip() and lines[2].startswith("/**")):
|
||||
print("file \""+filename+" was annotated after single-line file module qldoc")
|
||||
with open(filename, "w") as file_out:
|
||||
file_out.write(lines[0])
|
||||
file_out.write("overlay[local?]\nmodule;\n")
|
||||
for line in lines[1:]:
|
||||
file_out.write(line)
|
||||
else:
|
||||
print("ERROR: failure to annotate file \""+filename+"\"")
|
||||
|
||||
|
||||
def strip_comments(str):
|
||||
prev = ""
|
||||
in_multiline = False
|
||||
in_singleline = False
|
||||
|
||||
result = ""
|
||||
for c in str:
|
||||
if c == '*' and prev == '/':
|
||||
in_multiline = True
|
||||
prev = ""
|
||||
elif c == '/' and prev == '/':
|
||||
in_singleline = True
|
||||
prev = ""
|
||||
elif in_multiline and c == '/' and prev == '*':
|
||||
in_multiline = False
|
||||
prev = ""
|
||||
elif in_singleline and c == '\n':
|
||||
in_singleline = False
|
||||
result += '\n'
|
||||
prev = ""
|
||||
else:
|
||||
if not in_multiline and not in_singleline:
|
||||
if prev == '/':
|
||||
result += '/'
|
||||
if c != '/':
|
||||
result += c
|
||||
prev = c
|
||||
return result
|
||||
|
||||
|
||||
for roots in ["java/ql/lib/semmle/code", "shared"]:
|
||||
for dirpath, dirnames, filenames in os.walk(roots):
|
||||
for filename in filenames:
|
||||
if filename.endswith(".qll"):
|
||||
process_single_file(os.path.join(dirpath, filename))
|
||||
@@ -11,7 +11,7 @@ int getKind(int kind) {
|
||||
if kind = 14
|
||||
then result = 6 // Represent MSFT #import as #include
|
||||
else
|
||||
if kind = 15 or kind = 16
|
||||
if kind = 15 or kind = 6
|
||||
then result = 3 // Represent #elifdef and #elifndef as #elif
|
||||
else result = kind
|
||||
}
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
class Type extends @type {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
class Expr extends @expr {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
from Type decltype, Expr expr, Type basetype, boolean parentheses
|
||||
where decltypes(decltype, expr, _, basetype, parentheses)
|
||||
select decltype, expr, basetype, parentheses
|
||||
@@ -1,19 +0,0 @@
|
||||
class Type extends @type {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
predicate derivedType(Type type, string name, int kind, Type type_id) {
|
||||
derivedtypes(type, name, kind, type_id)
|
||||
}
|
||||
|
||||
predicate typeTransformation(Type type, string name, int kind, Type type_id) {
|
||||
type_operators(type, _, _, type_id) and
|
||||
name = "" and
|
||||
kind = 3 // @type_with_specifiers
|
||||
}
|
||||
|
||||
from Type type, string name, int kind, Type type_id
|
||||
where
|
||||
derivedType(type, name, kind, type_id) or
|
||||
typeTransformation(type, name, kind, type_id)
|
||||
select type, name, kind, type_id
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,5 +0,0 @@
|
||||
description: Support C23 typeof and typeof_unqual
|
||||
compatibility: backwards
|
||||
decltypes.rel: run decltypes.qlo
|
||||
derivedtypes.rel: run derivedtypes.qlo
|
||||
type_operators.rel: delete
|
||||
@@ -1,9 +0,0 @@
|
||||
{
|
||||
"strategy": "dca",
|
||||
"language": "cpp",
|
||||
"targets": [
|
||||
{ "name": "openssl", "with-sources": false, "with-sinks": false },
|
||||
{ "name": "sqlite", "with-sources": false, "with-sinks": false }
|
||||
],
|
||||
"destination": "cpp/ql/lib/ext/generated"
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
#include "a.h"
|
||||
#define FOUR 4
|
||||
@@ -1,3 +0,0 @@
|
||||
int main() {
|
||||
return ONE + FOUR;
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
#import "d.h"
|
||||
@@ -1,3 +0,0 @@
|
||||
int main() {
|
||||
return SEVENTEEN;
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
#if 1
|
||||
#pragma hdrstop
|
||||
extern int x;
|
||||
#define SEEN_F
|
||||
#endif
|
||||
@@ -1,5 +0,0 @@
|
||||
#ifdef SEEN_F
|
||||
static int g() {
|
||||
return 20;
|
||||
}
|
||||
#endif
|
||||
@@ -1,4 +0,0 @@
|
||||
#include "h1.h"
|
||||
#pragma hdrstop
|
||||
#include "h2.h"
|
||||
#define SEEN_H
|
||||
@@ -1,17 +0,0 @@
|
||||
import os
|
||||
|
||||
|
||||
def test(codeql, cpp):
|
||||
os.mkdir("pch")
|
||||
extractor = cpp.get_tool("extractor")
|
||||
codeql.database.create(command=[
|
||||
f'"{extractor}" --mimic-clang -emit-pch -o pch/a.pch a.c',
|
||||
f'"{extractor}" --mimic-clang -include-pch pch/a.pch -Iextra_dummy_path b.c',
|
||||
f'"{extractor}" --mimic-clang -include pch/a -Iextra_dummy_path c.c',
|
||||
f'"{extractor}" --mimic-clang -emit-pch -o pch/d.pch d.c',
|
||||
f'"{extractor}" --mimic-clang -include-pch pch/d.pch e.c',
|
||||
f'"{extractor}" --mimic-clang -emit-pch -o pch/f.pch f.c',
|
||||
f'"{extractor}" --mimic-clang -include-pch pch/f.pch g.c',
|
||||
f'"{extractor}" --mimic-clang -emit-pch -o pch/h.pch h.c',
|
||||
f'"{extractor}" --mimic-clang -include-pch pch/h.pch i.c',
|
||||
])
|
||||
@@ -1 +0,0 @@
|
||||
#include "a.h"
|
||||
@@ -1,6 +0,0 @@
|
||||
#pragma hdrstop
|
||||
#include "b.h"
|
||||
|
||||
int b() {
|
||||
return A;
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
#include "d.h"
|
||||
#include "c.h"
|
||||
|
||||
int c() {
|
||||
return A;
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
import os
|
||||
|
||||
|
||||
def test(codeql, cpp):
|
||||
os.mkdir("pch")
|
||||
extractor = cpp.get_tool("extractor")
|
||||
codeql.database.create(command=[
|
||||
f'"{extractor}" --mimic-cl /Yca.h /Fppch/a.pch a.c',
|
||||
f'"{extractor}" --mimic-cl /Yub.h /Fppch/a.pch b.c',
|
||||
f'"{extractor}" --mimic-cl /Yuc.h /Fppch/a.pch c.c',
|
||||
])
|
||||
@@ -1,60 +0,0 @@
|
||||
ql/cpp/ql/src/Critical/DoubleFree.ql
|
||||
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
|
||||
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
|
||||
ql/cpp/ql/src/Critical/OverflowStatic.ql
|
||||
ql/cpp/ql/src/Critical/UseAfterFree.ql
|
||||
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
|
||||
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
|
||||
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
|
||||
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
|
||||
ql/cpp/ql/src/Summary/LinesOfCode.ql
|
||||
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
|
||||
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
|
||||
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
|
||||
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
|
||||
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
|
||||
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
|
||||
@@ -1,181 +0,0 @@
|
||||
ql/cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql
|
||||
ql/cpp/ql/src/Best Practices/ComplexCondition.ql
|
||||
ql/cpp/ql/src/Best Practices/Exceptions/AccidentalRethrow.ql
|
||||
ql/cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql
|
||||
ql/cpp/ql/src/Best Practices/Exceptions/LeakyCatch.ql
|
||||
ql/cpp/ql/src/Best Practices/Exceptions/ThrowingPointers.ql
|
||||
ql/cpp/ql/src/Best Practices/GuardedFree.ql
|
||||
ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesParameter.ql
|
||||
ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql
|
||||
ql/cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
|
||||
ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
|
||||
ql/cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql
|
||||
ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
|
||||
ql/cpp/ql/src/Best Practices/Likely Errors/Slicing.ql
|
||||
ql/cpp/ql/src/Best Practices/RuleOfTwo.ql
|
||||
ql/cpp/ql/src/Best Practices/SloppyGlobal.ql
|
||||
ql/cpp/ql/src/Best Practices/SwitchLongCase.ql
|
||||
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql
|
||||
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql
|
||||
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql
|
||||
ql/cpp/ql/src/Best Practices/UseOfGoto.ql
|
||||
ql/cpp/ql/src/Critical/DeadCodeGoto.ql
|
||||
ql/cpp/ql/src/Critical/DoubleFree.ql
|
||||
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
|
||||
ql/cpp/ql/src/Critical/LargeParameter.ql
|
||||
ql/cpp/ql/src/Critical/MissingCheckScanf.ql
|
||||
ql/cpp/ql/src/Critical/NewArrayDeleteMismatch.ql
|
||||
ql/cpp/ql/src/Critical/NewDeleteArrayMismatch.ql
|
||||
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
|
||||
ql/cpp/ql/src/Critical/OverflowStatic.ql
|
||||
ql/cpp/ql/src/Critical/SizeCheck.ql
|
||||
ql/cpp/ql/src/Critical/SizeCheck2.ql
|
||||
ql/cpp/ql/src/Critical/UseAfterFree.ql
|
||||
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
|
||||
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
|
||||
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
|
||||
ql/cpp/ql/src/Documentation/CommentedOutCode.ql
|
||||
ql/cpp/ql/src/Documentation/FixmeComments.ql
|
||||
ql/cpp/ql/src/Documentation/UncommentedFunction.ql
|
||||
ql/cpp/ql/src/Header Cleanup/Cleanup-DuplicateIncludeGuard.ql
|
||||
ql/cpp/ql/src/Likely Bugs/AmbiguouslySignedBitField.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/UnsignedGEZero.ql
|
||||
ql/cpp/ql/src/Likely Bugs/ContinueInFalseLoop.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/TooManyFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/InconsistentCallOnResult.ql
|
||||
ql/cpp/ql/src/Likely Bugs/InconsistentCheckReturnNull.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/DubiousNullCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/FutileConditional.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/StackAddressEscapes.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
|
||||
ql/cpp/ql/src/Likely Bugs/NestedLoopSameVar.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/IncorrectConstructorDelegation.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/ThrowInDestructor.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
|
||||
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
|
||||
ql/cpp/ql/src/Likely Bugs/ReturnConstType.ql
|
||||
ql/cpp/ql/src/Likely Bugs/ReturnConstTypeMember.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
|
||||
ql/cpp/ql/src/Summary/LinesOfCode.ql
|
||||
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
|
||||
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
|
||||
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
|
||||
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
|
||||
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
|
||||
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
|
||||
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
|
||||
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 35.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.1.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 89.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 95.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 107.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
|
||||
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql
|
||||
ql/cpp/ql/src/jsf/4.17 Types/AV Rule 148.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 166.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 196.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 197.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.ql
|
||||
@@ -1,97 +0,0 @@
|
||||
ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
|
||||
ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
|
||||
ql/cpp/ql/src/Critical/DoubleFree.ql
|
||||
ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
|
||||
ql/cpp/ql/src/Critical/MissingCheckScanf.ql
|
||||
ql/cpp/ql/src/Critical/NewFreeMismatch.ql
|
||||
ql/cpp/ql/src/Critical/OverflowStatic.ql
|
||||
ql/cpp/ql/src/Critical/SizeCheck.ql
|
||||
ql/cpp/ql/src/Critical/SizeCheck2.ql
|
||||
ql/cpp/ql/src/Critical/UseAfterFree.ql
|
||||
ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
|
||||
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
|
||||
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
|
||||
ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
|
||||
ql/cpp/ql/src/Summary/LinesOfCode.ql
|
||||
ql/cpp/ql/src/Summary/LinesOfUserCode.ql
|
||||
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
|
||||
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
|
||||
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
|
||||
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
|
||||
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
|
||||
@@ -1,448 +0,0 @@
|
||||
ql/cpp/ql/src/AlertSuppression.ql
|
||||
ql/cpp/ql/src/Architecture/FeatureEnvy.ql
|
||||
ql/cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql
|
||||
ql/cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql
|
||||
ql/cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql
|
||||
ql/cpp/ql/src/Architecture/General Namespace-Level Information/CyclicNamespaces.ql
|
||||
ql/cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql
|
||||
ql/cpp/ql/src/Architecture/General Namespace-Level Information/NamespaceDependencies.ql
|
||||
ql/cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql
|
||||
ql/cpp/ql/src/Architecture/InappropriateIntimacy.ql
|
||||
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql
|
||||
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql
|
||||
ql/cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql
|
||||
ql/cpp/ql/src/Architecture/Refactoring Opportunities/CyclomaticComplexity.ql
|
||||
ql/cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql
|
||||
ql/cpp/ql/src/Best Practices/Magic Constants/JapaneseEraDate.ql
|
||||
ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.ql
|
||||
ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.ql
|
||||
ql/cpp/ql/src/Best Practices/Magic Constants/MagicNumbersUseConstant.ql
|
||||
ql/cpp/ql/src/Best Practices/Magic Constants/MagicStringsUseConstant.ql
|
||||
ql/cpp/ql/src/Best Practices/NVI.ql
|
||||
ql/cpp/ql/src/Best Practices/NVIHub.ql
|
||||
ql/cpp/ql/src/Best Practices/RuleOfThree.ql
|
||||
ql/cpp/ql/src/Best Practices/Unused Entities/UnusedIncludes.ql
|
||||
ql/cpp/ql/src/Critical/DeadCodeCondition.ql
|
||||
ql/cpp/ql/src/Critical/DeadCodeFunction.ql
|
||||
ql/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
|
||||
ql/cpp/ql/src/Critical/DescriptorNeverClosed.ql
|
||||
ql/cpp/ql/src/Critical/FileMayNotBeClosed.ql
|
||||
ql/cpp/ql/src/Critical/FileNeverClosed.ql
|
||||
ql/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
|
||||
ql/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
|
||||
ql/cpp/ql/src/Critical/InitialisationNotRun.ql
|
||||
ql/cpp/ql/src/Critical/LateNegativeTest.ql
|
||||
ql/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
|
||||
ql/cpp/ql/src/Critical/MemoryNeverFreed.ql
|
||||
ql/cpp/ql/src/Critical/MissingNegativityTest.ql
|
||||
ql/cpp/ql/src/Critical/MissingNullTest.ql
|
||||
ql/cpp/ql/src/Critical/NotInitialised.ql
|
||||
ql/cpp/ql/src/Critical/OverflowCalculated.ql
|
||||
ql/cpp/ql/src/Critical/OverflowDestination.ql
|
||||
ql/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
|
||||
ql/cpp/ql/src/Critical/ReturnValueIgnored.ql
|
||||
ql/cpp/ql/src/Critical/Unused.ql
|
||||
ql/cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql
|
||||
ql/cpp/ql/src/Documentation/DocumentApi.ql
|
||||
ql/cpp/ql/src/Documentation/TodoComments.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/ExitNonterminatingLoop.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/LoopBounds.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 04/Recursion.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 05/HeapMemory.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 07/ThreadSafety.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidNestedSemaphores.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidSemaphores.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/OutOfOrderLocks.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/ReleaseLocksWhenAcquired.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowGoto.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-2/Rule 12/EnumInitialization.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/ExternDeclsInHeader.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeLocalHidesGlobal.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 14/CheckingReturnValues.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 15/CheckingParameterValues.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsConstant.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsDensity.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsNonBoolean.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsSideEffect.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 18/CompoundExpressions.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-3/Rule 19/NoBooleanSideEffects.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUse.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseIfdef.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUsePartial.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseUndisciplined.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 21/MacroInBlock.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 22/UseOfUndef.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleStmtsPerLine.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleVarDeclsPerLine.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 25/FunctionSizeLimits.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 26/DeclarationPointerNesting.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 27/PointerDereferenceInStmt.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerDereferenceMacro.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerIndirectionTypedef.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql
|
||||
ql/cpp/ql/src/JPL_C/LOC-4/Rule 31/IncludesFirst.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/ConversionChangesSign.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql
|
||||
ql/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
|
||||
ql/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/BoolValueInBitOp.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Likely Typos/LogicalExprCouldBeSimplified.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/More64BitWaste.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/OO/VirtualCallInStructor.ql
|
||||
ql/cpp/ql/src/Likely Bugs/ShortLoopVarName.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CAfferentCoupling.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CEfferentCoupling.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CHalsteadBugs.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CHalsteadDifficulty.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CHalsteadEffort.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CHalsteadLength.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CHalsteadVocabulary.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CHalsteadVolume.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CInheritanceDepth.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionCK.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionHS.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CLinesOfCode.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CNumberOfFields.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CNumberOfFunctions.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CNumberOfStatements.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CPercentageOfComplexCode.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CResponse.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CSizeOfAPI.ql
|
||||
ql/cpp/ql/src/Metrics/Classes/CSpecialisation.ql
|
||||
ql/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
|
||||
ql/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
|
||||
ql/cpp/ql/src/Metrics/External/FileCompilationDisplayStrings.ql
|
||||
ql/cpp/ql/src/Metrics/External/FileCompilationSourceLinks.ql
|
||||
ql/cpp/ql/src/Metrics/Files/AutogeneratedLOC.ql
|
||||
ql/cpp/ql/src/Metrics/Files/ConditionalSegmentConditions.ql
|
||||
ql/cpp/ql/src/Metrics/Files/ConditionalSegmentLines.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FAfferentCoupling.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FCommentRatio.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FDirectIncludes.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FEfferentCoupling.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FHalsteadBugs.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FHalsteadDifficulty.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FHalsteadEffort.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FHalsteadLength.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FHalsteadVocabulary.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FHalsteadVolume.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FLines.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FLinesOfCode.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FLinesOfCommentedOutCode.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FLinesOfComments.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FMacroRatio.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FNumberOfClasses.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FNumberOfTests.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FTimeInFrontend.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FTodoComments.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FTransitiveIncludes.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.ql
|
||||
ql/cpp/ql/src/Metrics/Files/FunctionLength.ql
|
||||
ql/cpp/ql/src/Metrics/Files/NumberOfFunctions.ql
|
||||
ql/cpp/ql/src/Metrics/Files/NumberOfGlobals.ql
|
||||
ql/cpp/ql/src/Metrics/Files/NumberOfParameters.ql
|
||||
ql/cpp/ql/src/Metrics/Files/NumberOfPublicFunctions.ql
|
||||
ql/cpp/ql/src/Metrics/Files/NumberOfPublicGlobals.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunCyclomaticComplexity.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunIterationNestingDepth.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunLinesOfCode.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunLinesOfComments.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunNumberOfCalls.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunNumberOfParameters.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunNumberOfStatements.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/FunPercentageOfComments.ql
|
||||
ql/cpp/ql/src/Metrics/Functions/StatementNestingDepth.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/ASTConsistency.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/CallableDisplayStrings.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/CallableExtents.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/CallableSourceLinks.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/IRConsistency.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/ReftypeDisplayStrings.ql
|
||||
ql/cpp/ql/src/Metrics/Internal/ReftypeSourceLinks.ql
|
||||
ql/cpp/ql/src/Metrics/Namespaces/AbstractNamespaces.ql
|
||||
ql/cpp/ql/src/Metrics/Namespaces/ConcreteNamespaces.ql
|
||||
ql/cpp/ql/src/Metrics/Namespaces/HighAfferentCouplingNamespaces.ql
|
||||
ql/cpp/ql/src/Metrics/Namespaces/HighDistanceFromMainLineNamespaces.ql
|
||||
ql/cpp/ql/src/Metrics/Namespaces/HighEfferentCouplingNamespaces.ql
|
||||
ql/cpp/ql/src/Metrics/Namespaces/StableNamespaces.ql
|
||||
ql/cpp/ql/src/Metrics/Namespaces/UnstableNamespaces.ql
|
||||
ql/cpp/ql/src/Microsoft/CallWithNullSAL.ql
|
||||
ql/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
|
||||
ql/cpp/ql/src/Microsoft/InconsistentSAL.ql
|
||||
ql/cpp/ql/src/PointsTo/Debug.ql
|
||||
ql/cpp/ql/src/PointsTo/PreparedStagedPointsTo.ql
|
||||
ql/cpp/ql/src/PointsTo/Stats.ql
|
||||
ql/cpp/ql/src/PointsTo/TaintedFormatStrings.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 1/UseOfGoto.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 1/UseOfJmp.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 1/UseOfRecursion.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 2/BoundedLoopIterations.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 2/ExitPermanentLoop.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 3/DynamicAllocAfterInit.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 4/OneStmtPerLine.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 5/AssertionSideEffect.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 5/ConstantAssertion.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 5/NonBooleanAssertion.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 6/GlobalCouldBeStatic.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 6/VariableScopeTooLarge.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 7/CheckArguments.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 7/CheckReturnValues.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 8/AvoidConditionalCompilation.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 8/PartialMacro.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 8/RestrictPreprocessor.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 8/UndisciplinedMacro.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 9/FunctionPointer.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 9/HiddenPointerIndirection.ql
|
||||
ql/cpp/ql/src/Power of 10/Rule 9/PointerNesting.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
|
||||
ql/cpp/ql/src/definitions.ql
|
||||
ql/cpp/ql/src/experimental/Best Practices/UselessTest.ql
|
||||
ql/cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql
|
||||
ql/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
|
||||
ql/cpp/ql/src/experimental/Likely Bugs/DerefNullResult.ql
|
||||
ql/cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
|
||||
ql/cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql
|
||||
ql/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql
|
||||
ql/cpp/ql/src/experimental/quantum/PrintCBOMGraph.ql
|
||||
ql/cpp/ql/src/external/examples/filters/BumpMetricBy10.ql
|
||||
ql/cpp/ql/src/external/examples/filters/EditDefectMessage.ql
|
||||
ql/cpp/ql/src/external/examples/filters/ExcludeGeneratedCode.ql
|
||||
ql/cpp/ql/src/filters/ClassifyFiles.ql
|
||||
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 1.ql
|
||||
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 2.ql
|
||||
ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 3.ql
|
||||
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 11.ql
|
||||
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 12.ql
|
||||
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 13.ql
|
||||
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 14.ql
|
||||
ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 9.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 17.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 18.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 19.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 20.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 21.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 22.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql
|
||||
ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 25.ql
|
||||
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 26.ql
|
||||
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 27.ql
|
||||
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 28.ql
|
||||
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 29.ql
|
||||
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 30.ql
|
||||
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 31.ql
|
||||
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 33.ql
|
||||
ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 39.ql
|
||||
ql/cpp/ql/src/jsf/4.08 Implementation Files/AV Rule 40.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 41.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 42.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 43.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 44.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 45.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 46.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 47.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 48.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 49.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 50.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 51.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 52.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.1.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 54.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 57.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 58.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 59.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 60.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 61.ql
|
||||
ql/cpp/ql/src/jsf/4.09 Style/AV Rule 63.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 68.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 69.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 70.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 73.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 74.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 75.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 76.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 77.1.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 78.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 81.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 85.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.1.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 94.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql
|
||||
ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.1.ql
|
||||
ql/cpp/ql/src/jsf/4.11 Namespaces/AV Rule 99.ql
|
||||
ql/cpp/ql/src/jsf/4.12 Templates/AV Rule 104.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 108.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 110.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 111.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 113.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 115.ql
|
||||
ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 119.ql
|
||||
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 126.ql
|
||||
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 127.ql
|
||||
ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 133.ql
|
||||
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 135.ql
|
||||
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 138.ql
|
||||
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 139.ql
|
||||
ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 140.ql
|
||||
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 142.ql
|
||||
ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 143.ql
|
||||
ql/cpp/ql/src/jsf/4.17 Types/AV Rule 147.ql
|
||||
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 149.ql
|
||||
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 150.ql
|
||||
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.1.ql
|
||||
ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.ql
|
||||
ql/cpp/ql/src/jsf/4.19 Variables/AV Rule 152.ql
|
||||
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql
|
||||
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 154.ql
|
||||
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 155.ql
|
||||
ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 156.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 157.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 158.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 159.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 160.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 162.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 163.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 164.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
|
||||
ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql
|
||||
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 170.ql
|
||||
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 171.ql
|
||||
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql
|
||||
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 175.ql
|
||||
ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 176.ql
|
||||
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 178.ql
|
||||
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 179.ql
|
||||
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 180.ql
|
||||
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 181.ql
|
||||
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 182.ql
|
||||
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 184.ql
|
||||
ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 185.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 186.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 187.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 188.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 190.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 191.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 192.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 193.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 194.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 195.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 198.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 199.ql
|
||||
ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 200.ql
|
||||
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql
|
||||
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.1.ql
|
||||
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.ql
|
||||
ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 205.ql
|
||||
ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 206.ql
|
||||
ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 207.ql
|
||||
ql/cpp/ql/src/jsf/4.27 Fault Handling/AV Rule 208.ql
|
||||
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 209.ql
|
||||
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 210.ql
|
||||
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 212.ql
|
||||
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 213.ql
|
||||
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 214.ql
|
||||
ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 215.ql
|
||||
ql/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
|
||||
ql/cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
|
||||
ql/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
|
||||
ql/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
|
||||
ql/cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
|
||||
@@ -1,14 +0,0 @@
|
||||
import runs_on
|
||||
import pytest
|
||||
from query_suites import *
|
||||
|
||||
well_known_query_suites = ['cpp-code-quality.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
|
||||
|
||||
@runs_on.posix
|
||||
@pytest.mark.parametrize("query_suite", well_known_query_suites)
|
||||
def test(codeql, cpp, check_query_suite, query_suite):
|
||||
check_query_suite(query_suite)
|
||||
|
||||
@runs_on.posix
|
||||
def test_not_included_queries(codeql, cpp, check_queries_not_included):
|
||||
check_queries_not_included('cpp', well_known_query_suites)
|
||||
@@ -1,48 +1,3 @@
|
||||
## 5.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
|
||||
|
||||
## 5.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
|
||||
## 4.3.1
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.
|
||||
|
||||
## 4.3.0
|
||||
|
||||
### New Features
|
||||
|
||||
* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
|
||||
* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
|
||||
* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
|
||||
* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
|
||||
|
||||
## 4.2.0
|
||||
|
||||
### New Features
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
|
||||
@@ -1,8 +0,0 @@
|
||||
## 4.3.0
|
||||
|
||||
### New Features
|
||||
|
||||
* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
|
||||
* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
|
||||
* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
|
||||
* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
|
||||
@@ -1,5 +0,0 @@
|
||||
## 4.3.1
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.
|
||||
@@ -1,23 +0,0 @@
|
||||
## 5.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
|
||||
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
|
||||
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
|
||||
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
|
||||
* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
|
||||
* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
|
||||
* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
|
||||
* Added support for `wmain` as part of the ArgvSource model.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
|
||||
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
|
||||
@@ -1,5 +0,0 @@
|
||||
## 5.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 5.1.0
|
||||
lastReleaseVersion: 4.2.0
|
||||
|
||||
@@ -1,129 +0,0 @@
|
||||
private import cpp as Language
|
||||
import semmle.code.cpp.dataflow.new.TaintTracking
|
||||
import codeql.quantum.experimental.Model
|
||||
private import OpenSSL.GenericSourceCandidateLiteral
|
||||
|
||||
module CryptoInput implements InputSig<Language::Location> {
|
||||
class DataFlowNode = DataFlow::Node;
|
||||
|
||||
class LocatableElement = Language::Locatable;
|
||||
|
||||
class UnknownLocation = Language::UnknownDefaultLocation;
|
||||
|
||||
LocatableElement dfn_to_element(DataFlow::Node node) {
|
||||
result = node.asExpr() or
|
||||
result = node.asParameter() or
|
||||
result = node.asVariable()
|
||||
}
|
||||
|
||||
string locationToFileBaseNameAndLineNumberString(Location location) {
|
||||
result = location.getFile().getBaseName() + ":" + location.getStartLine()
|
||||
}
|
||||
|
||||
predicate artifactOutputFlowsToGenericInput(
|
||||
DataFlow::Node artifactOutput, DataFlow::Node otherInput
|
||||
) {
|
||||
ArtifactFlow::flow(artifactOutput, otherInput)
|
||||
}
|
||||
}
|
||||
|
||||
module Crypto = CryptographyBase<Language::Location, CryptoInput>;
|
||||
|
||||
module ArtifactFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source = any(Crypto::ArtifactInstance artifact).getOutputNode()
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink = any(Crypto::FlowAwareElement other).getInputNode()
|
||||
}
|
||||
|
||||
predicate isBarrierOut(DataFlow::Node node) {
|
||||
node = any(Crypto::FlowAwareElement element).getInputNode()
|
||||
}
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) {
|
||||
node = any(Crypto::FlowAwareElement element).getOutputNode()
|
||||
}
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
node1.(AdditionalFlowInputStep).getOutput() = node2
|
||||
}
|
||||
}
|
||||
|
||||
module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
|
||||
|
||||
/**
|
||||
* Artifact output to node input configuration
|
||||
*/
|
||||
abstract class AdditionalFlowInputStep extends DataFlow::Node {
|
||||
abstract DataFlow::Node getOutput();
|
||||
|
||||
final DataFlow::Node getInput() { result = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* Generic data source to node input configuration
|
||||
*/
|
||||
module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source = any(Crypto::GenericSourceInstance i).getOutputNode()
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink = any(Crypto::FlowAwareElement other).getInputNode()
|
||||
}
|
||||
|
||||
predicate isBarrierOut(DataFlow::Node node) {
|
||||
node = any(Crypto::FlowAwareElement element).getInputNode()
|
||||
}
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) {
|
||||
node = any(Crypto::FlowAwareElement element).getOutputNode()
|
||||
}
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
node1.(AdditionalFlowInputStep).getOutput() = node2
|
||||
}
|
||||
}
|
||||
|
||||
module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
|
||||
|
||||
private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
|
||||
ConstantDataSource() { this instanceof OpenSSLGenericSourceCandidateLiteral }
|
||||
|
||||
override DataFlow::Node getOutputNode() { result.asExpr() = this }
|
||||
|
||||
override predicate flowsTo(Crypto::FlowAwareElement other) {
|
||||
// TODO: separate config to avoid blowing up data-flow analysis
|
||||
GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
|
||||
}
|
||||
|
||||
override string getAdditionalDescription() { result = this.toString() }
|
||||
}
|
||||
|
||||
module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source = any(Crypto::ArtifactInstance artifact).getOutputNode()
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink = any(Crypto::FlowAwareElement other).getInputNode()
|
||||
}
|
||||
|
||||
predicate isBarrierOut(DataFlow::Node node) {
|
||||
node = any(Crypto::FlowAwareElement element).getInputNode()
|
||||
}
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) {
|
||||
node = any(Crypto::FlowAwareElement element).getOutputNode()
|
||||
}
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
node1.(AdditionalFlowInputStep).getOutput() = node2
|
||||
}
|
||||
}
|
||||
|
||||
module ArtifactUniversalFlow = DataFlow::Global<ArtifactUniversalFlowConfig>;
|
||||
|
||||
import OpenSSL.OpenSSL
|
||||
@@ -1,173 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import semmle.code.cpp.dataflow.new.DataFlow
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
|
||||
private import PaddingAlgorithmInstance
|
||||
|
||||
/**
|
||||
* Traces 'known algorithms' to AVCs, specifically
|
||||
* algorithms that are in the set of known algorithm constants.
|
||||
* Padding-specific consumers exist that have their own values that
|
||||
* overlap with the known algorithm constants.
|
||||
* Padding consumers (specific padding consumers) are excluded from the set of sinks.
|
||||
*/
|
||||
module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(OpenSSLAlgorithmValueConsumer c |
|
||||
c.getInputNode() = sink and
|
||||
// exclude padding algorithm consumers, since
|
||||
// these consumers take in different constant values
|
||||
// not in the typical "known algorithm" set
|
||||
not c instanceof PaddingAlgorithmValueConsumer
|
||||
)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
// False positive reducer, don't flow out through argv
|
||||
exists(VariableAccess va, Variable v |
|
||||
v.getAnAccess() = va and va = node.asExpr()
|
||||
or
|
||||
va = node.asIndirectExpr()
|
||||
|
|
||||
v.getName().matches("%argv")
|
||||
)
|
||||
}
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
knownPassThroughStep(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
|
||||
DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
|
||||
|
||||
module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSSLPaddingLiteral }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)
|
||||
}
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
knownPassThroughStep(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
|
||||
DataFlow::Global<RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
|
||||
|
||||
class OpenSSLAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
|
||||
OpenSSLAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
|
||||
|
||||
override DataFlow::Node getOutput() {
|
||||
exists(AlgorithmPassthroughCall c | c.getInNode() = this and c.getOutNode() = result)
|
||||
}
|
||||
}
|
||||
|
||||
abstract class AlgorithmPassthroughCall extends Call {
|
||||
abstract DataFlow::Node getInNode();
|
||||
|
||||
abstract DataFlow::Node getOutNode();
|
||||
}
|
||||
|
||||
class CopyAndDupAlgorithmPassthroughCall extends AlgorithmPassthroughCall {
|
||||
DataFlow::Node inNode;
|
||||
DataFlow::Node outNode;
|
||||
|
||||
CopyAndDupAlgorithmPassthroughCall() {
|
||||
// Flow out through any return or other argument of the same type
|
||||
// Assume flow in and out is asIndirectExpr or asDefinitingArgument since a pointer is assumed
|
||||
// to be involved
|
||||
// NOTE: not attempting to detect openssl specific copy/dup functions, but anything suspected to be copy/dup
|
||||
this.getTarget().getName().toLowerCase().matches(["%_dup%", "%_copy%"]) and
|
||||
exists(Expr inArg, Type t |
|
||||
inArg = this.getAnArgument() and t = inArg.getUnspecifiedType().stripType()
|
||||
|
|
||||
inNode.asIndirectExpr() = inArg and
|
||||
(
|
||||
// Case 1: flow through another argument as an out arg of the same type
|
||||
exists(Expr outArg |
|
||||
outArg = this.getAnArgument() and
|
||||
outArg != inArg and
|
||||
outArg.getUnspecifiedType().stripType() = t
|
||||
|
|
||||
outNode.asDefiningArgument() = outArg
|
||||
)
|
||||
or
|
||||
// Case 2: flow through the return value if the result is the same as the intput type
|
||||
exists(Expr outArg | outArg = this and outArg.getUnspecifiedType().stripType() = t |
|
||||
outNode.asIndirectExpr() = outArg
|
||||
)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
override DataFlow::Node getInNode() { result = inNode }
|
||||
|
||||
override DataFlow::Node getOutNode() { result = outNode }
|
||||
}
|
||||
|
||||
class NIDToPointerPassthroughCall extends AlgorithmPassthroughCall {
|
||||
DataFlow::Node inNode;
|
||||
DataFlow::Node outNode;
|
||||
|
||||
NIDToPointerPassthroughCall() {
|
||||
this.getTarget().getName() in ["OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn"] and
|
||||
inNode.asExpr() = this.getArgument(0) and
|
||||
outNode.asExpr() = this
|
||||
//outNode.asIndirectExpr() = this
|
||||
}
|
||||
|
||||
override DataFlow::Node getInNode() { result = inNode }
|
||||
|
||||
override DataFlow::Node getOutNode() { result = outNode }
|
||||
}
|
||||
|
||||
class PointerToPointerPassthroughCall extends AlgorithmPassthroughCall {
|
||||
DataFlow::Node inNode;
|
||||
DataFlow::Node outNode;
|
||||
|
||||
PointerToPointerPassthroughCall() {
|
||||
this.getTarget().getName() = "OBJ_txt2obj" and
|
||||
inNode.asIndirectExpr() = this.getArgument(0) and
|
||||
outNode.asIndirectExpr() = this
|
||||
or
|
||||
//outNode.asExpr() = this
|
||||
this.getTarget().getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and
|
||||
inNode.asIndirectExpr() = this.getArgument(2) and
|
||||
outNode.asDefiningArgument() = this.getArgument(0)
|
||||
}
|
||||
|
||||
override DataFlow::Node getInNode() { result = inNode }
|
||||
|
||||
override DataFlow::Node getOutNode() { result = outNode }
|
||||
}
|
||||
|
||||
class PointerToNIDPassthroughCall extends AlgorithmPassthroughCall {
|
||||
DataFlow::Node inNode;
|
||||
DataFlow::Node outNode;
|
||||
|
||||
PointerToNIDPassthroughCall() {
|
||||
this.getTarget().getName() in ["OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid", "OBJ_txt2nid"] and
|
||||
(
|
||||
inNode.asIndirectExpr() = this.getArgument(0)
|
||||
or
|
||||
inNode.asExpr() = this.getArgument(0)
|
||||
) and
|
||||
outNode.asExpr() = this
|
||||
}
|
||||
|
||||
override DataFlow::Node getInNode() { result = inNode }
|
||||
|
||||
override DataFlow::Node getOutNode() { result = outNode }
|
||||
}
|
||||
|
||||
// TODO: pkeys pass through EVP_PKEY_CTX_new and any similar variant
|
||||
predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(AlgorithmPassthroughCall c | c.getInNode() = node1 and c.getOutNode() = node2)
|
||||
}
|
||||
@@ -1,81 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import OpenSSLAlgorithmInstanceBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import AlgToAVCFlow
|
||||
|
||||
/**
|
||||
* Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
|
||||
* Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
|
||||
*/
|
||||
predicate knownOpenSSLConstantToBlockModeFamilyType(
|
||||
KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
|
||||
) {
|
||||
exists(string name |
|
||||
name = e.getNormalizedName() and
|
||||
(
|
||||
name.matches("CBC") and type instanceof Crypto::CBC
|
||||
or
|
||||
name.matches("CFB%") and type instanceof Crypto::CFB
|
||||
or
|
||||
name.matches("CTR") and type instanceof Crypto::CTR
|
||||
or
|
||||
name.matches("GCM") and type instanceof Crypto::GCM
|
||||
or
|
||||
name.matches("OFB") and type instanceof Crypto::OFB
|
||||
or
|
||||
name.matches("XTS") and type instanceof Crypto::XTS
|
||||
or
|
||||
name.matches("CCM") and type instanceof Crypto::CCM
|
||||
or
|
||||
name.matches("GCM") and type instanceof Crypto::GCM
|
||||
or
|
||||
name.matches("CCM") and type instanceof Crypto::CCM
|
||||
or
|
||||
name.matches("ECB") and type instanceof Crypto::ECB
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
|
||||
Crypto::ModeOfOperationAlgorithmInstance instanceof KnownOpenSSLBlockModeAlgorithmConstant
|
||||
{
|
||||
OpenSSLAlgorithmValueConsumer getterCall;
|
||||
|
||||
KnownOpenSSLBlockModeConstantAlgorithmInstance() {
|
||||
// Two possibilities:
|
||||
// 1) The source is a literal and flows to a getter, then we know we have an instance
|
||||
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
|
||||
// Possibility 1:
|
||||
this instanceof Literal and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
// Sink is an argument to a CipherGetterCall
|
||||
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
|
||||
// Source is `this`
|
||||
src.asExpr() = this and
|
||||
// This traces to a getter
|
||||
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
|
||||
)
|
||||
or
|
||||
// Possibility 2:
|
||||
this instanceof DirectAlgorithmValueConsumer and getterCall = this
|
||||
}
|
||||
|
||||
override Crypto::TBlockCipherModeOfOperationType getModeType() {
|
||||
knownOpenSSLConstantToBlockModeFamilyType(this, result)
|
||||
or
|
||||
not knownOpenSSLConstantToBlockModeFamilyType(this, _) and result = Crypto::OtherMode()
|
||||
}
|
||||
|
||||
// NOTE: I'm not going to attempt to parse out the mode specific part, so returning
|
||||
// the same as the raw name for now.
|
||||
override string getRawModeAlgorithmName() {
|
||||
result = this.(Literal).getValue().toString()
|
||||
or
|
||||
result = this.(Call).getTarget().getName()
|
||||
}
|
||||
|
||||
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
|
||||
}
|
||||
@@ -1,128 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import KnownAlgorithmConstants
|
||||
private import Crypto::KeyOpAlg as KeyOpAlg
|
||||
private import OpenSSLAlgorithmInstanceBase
|
||||
private import PaddingAlgorithmInstance
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
|
||||
private import AlgToAVCFlow
|
||||
private import BlockAlgorithmInstance
|
||||
|
||||
/**
|
||||
* Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
|
||||
* Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
|
||||
*/
|
||||
predicate knownOpenSSLConstantToCipherFamilyType(
|
||||
KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
|
||||
) {
|
||||
exists(string name |
|
||||
name = e.getNormalizedName() and
|
||||
(
|
||||
name.matches("AES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
|
||||
or
|
||||
name.matches("ARIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::ARIA())
|
||||
or
|
||||
name.matches("BLOWFISH%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
|
||||
or
|
||||
name.matches("BF%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
|
||||
or
|
||||
name.matches("CAMELLIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAMELLIA())
|
||||
or
|
||||
name.matches("CHACHA20%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CHACHA20())
|
||||
or
|
||||
name.matches("CAST5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAST5())
|
||||
or
|
||||
name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DoubleDES())
|
||||
or
|
||||
name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TripleDES())
|
||||
or
|
||||
name.matches("DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES())
|
||||
or
|
||||
name.matches("DESX%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DESX())
|
||||
or
|
||||
name.matches("GOST%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::GOST())
|
||||
or
|
||||
name.matches("IDEA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA())
|
||||
or
|
||||
name.matches("KUZNYECHIK%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::KUZNYECHIK())
|
||||
or
|
||||
name.matches("MAGMA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::MAGMA())
|
||||
or
|
||||
name.matches("RC2%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2())
|
||||
or
|
||||
name.matches("RC4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4())
|
||||
or
|
||||
name.matches("RC5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC5())
|
||||
or
|
||||
name.matches("RSA%") and type = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA())
|
||||
or
|
||||
name.matches("SEED%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SEED())
|
||||
or
|
||||
name.matches("SM4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SM4())
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
|
||||
Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSSLCipherAlgorithmConstant
|
||||
{
|
||||
OpenSSLAlgorithmValueConsumer getterCall;
|
||||
|
||||
KnownOpenSSLCipherConstantAlgorithmInstance() {
|
||||
// Two possibilities:
|
||||
// 1) The source is a literal and flows to a getter, then we know we have an instance
|
||||
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
|
||||
// Possibility 1:
|
||||
this instanceof Literal and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
// Sink is an argument to a CipherGetterCall
|
||||
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
|
||||
// Source is `this`
|
||||
src.asExpr() = this and
|
||||
// This traces to a getter
|
||||
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
|
||||
)
|
||||
or
|
||||
// Possibility 2:
|
||||
this instanceof DirectAlgorithmValueConsumer and getterCall = this
|
||||
}
|
||||
|
||||
override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
|
||||
// if there is a block mode associated with the same element, then that's the block mode
|
||||
// note, if none are associated, we may need to parse if the cipher is a block cipher
|
||||
// to determine if this is an unknown vs not relevant.
|
||||
result = this
|
||||
}
|
||||
|
||||
override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() {
|
||||
//TODO: the padding is either self, or it flows through getter ctx to a set padding call
|
||||
// like EVP_PKEY_CTX_set_rsa_padding
|
||||
result = this
|
||||
// TODO or trace through getter ctx to set padding
|
||||
}
|
||||
|
||||
override string getRawAlgorithmName() {
|
||||
result = this.(Literal).getValue().toString()
|
||||
or
|
||||
result = this.(Call).getTarget().getName()
|
||||
}
|
||||
|
||||
override int getKeySizeFixed() {
|
||||
this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
|
||||
}
|
||||
|
||||
override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
|
||||
knownOpenSSLConstantToCipherFamilyType(this, result)
|
||||
or
|
||||
not knownOpenSSLConstantToCipherFamilyType(this, _) and
|
||||
result = Crypto::KeyOpAlg::TUnknownKeyOperationAlgorithmType()
|
||||
}
|
||||
|
||||
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
|
||||
// TODO: trace to any key size initializer, symmetric and asymmetric
|
||||
none()
|
||||
}
|
||||
}
|
||||
@@ -1,53 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import KnownAlgorithmConstants
|
||||
private import OpenSSLAlgorithmInstanceBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
|
||||
private import AlgToAVCFlow
|
||||
|
||||
class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
|
||||
Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
|
||||
{
|
||||
OpenSSLAlgorithmValueConsumer getterCall;
|
||||
|
||||
KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
|
||||
// Two possibilities:
|
||||
// 1) The source is a literal and flows to a getter, then we know we have an instance
|
||||
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
|
||||
// Possibility 1:
|
||||
this instanceof Literal and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
// Sink is an argument to a CipherGetterCall
|
||||
sink = getterCall.getInputNode() and
|
||||
// Source is `this`
|
||||
src.asExpr() = this and
|
||||
// This traces to a getter
|
||||
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
|
||||
)
|
||||
or
|
||||
// Possibility 2:
|
||||
this instanceof DirectAlgorithmValueConsumer and getterCall = this
|
||||
}
|
||||
|
||||
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
|
||||
|
||||
override string getRawEllipticCurveName() {
|
||||
result = this.(Literal).getValue().toString()
|
||||
or
|
||||
result = this.(Call).getTarget().getName()
|
||||
}
|
||||
|
||||
override Crypto::TEllipticCurveType getEllipticCurveType() {
|
||||
Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
|
||||
}
|
||||
|
||||
override string getParsedEllipticCurveName() {
|
||||
result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
|
||||
}
|
||||
|
||||
override int getKeySize() {
|
||||
Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
|
||||
.getNormalizedName(), result, _)
|
||||
}
|
||||
}
|
||||
@@ -1,88 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
|
||||
private import AlgToAVCFlow
|
||||
|
||||
predicate knownOpenSSLConstantToHashFamilyType(
|
||||
KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
|
||||
) {
|
||||
exists(string name |
|
||||
name = e.getNormalizedName() and
|
||||
(
|
||||
name.matches("BLAKE2B") and type instanceof Crypto::BLAKE2B
|
||||
or
|
||||
name.matches("BLAKE2S") and type instanceof Crypto::BLAKE2S
|
||||
or
|
||||
name.matches("GOST%") and type instanceof Crypto::GOSTHash
|
||||
or
|
||||
name.matches("MD2") and type instanceof Crypto::MD2
|
||||
or
|
||||
name.matches("MD4") and type instanceof Crypto::MD4
|
||||
or
|
||||
name.matches("MD5") and type instanceof Crypto::MD5
|
||||
or
|
||||
name.matches("MDC2") and type instanceof Crypto::MDC2
|
||||
or
|
||||
name.matches("POLY1305") and type instanceof Crypto::POLY1305
|
||||
or
|
||||
name.matches(["SHA", "SHA1"]) and type instanceof Crypto::SHA1
|
||||
or
|
||||
name.matches("SHA+%") and not name.matches(["SHA1", "SHA3-"]) and type instanceof Crypto::SHA2
|
||||
or
|
||||
name.matches("SHA3-%") and type instanceof Crypto::SHA3
|
||||
or
|
||||
name.matches(["SHAKE"]) and type instanceof Crypto::SHAKE
|
||||
or
|
||||
name.matches("SM3") and type instanceof Crypto::SM3
|
||||
or
|
||||
name.matches("RIPEMD160") and type instanceof Crypto::RIPEMD160
|
||||
or
|
||||
name.matches("WHIRLPOOL") and type instanceof Crypto::WHIRLPOOL
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
|
||||
Crypto::HashAlgorithmInstance instanceof KnownOpenSSLHashAlgorithmConstant
|
||||
{
|
||||
OpenSSLAlgorithmValueConsumer getterCall;
|
||||
|
||||
KnownOpenSSLHashConstantAlgorithmInstance() {
|
||||
// Two possibilities:
|
||||
// 1) The source is a literal and flows to a getter, then we know we have an instance
|
||||
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
|
||||
// Possibility 1:
|
||||
this instanceof Literal and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
// Sink is an argument to a CipherGetterCall
|
||||
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
|
||||
// Source is `this`
|
||||
src.asExpr() = this and
|
||||
// This traces to a getter
|
||||
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
|
||||
)
|
||||
or
|
||||
// Possibility 2:
|
||||
this instanceof DirectAlgorithmValueConsumer and getterCall = this
|
||||
}
|
||||
|
||||
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
|
||||
|
||||
override Crypto::THashType getHashFamily() {
|
||||
knownOpenSSLConstantToHashFamilyType(this, result)
|
||||
or
|
||||
not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
|
||||
}
|
||||
|
||||
override string getRawHashAlgorithmName() {
|
||||
result = this.(Literal).getValue().toString()
|
||||
or
|
||||
result = this.(Call).getTarget().getName()
|
||||
}
|
||||
|
||||
override int getFixedDigestLength() {
|
||||
this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result
|
||||
}
|
||||
}
|
||||
@@ -1,63 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
|
||||
private import AlgToAVCFlow
|
||||
|
||||
predicate knownOpenSSLConstantToKeyAgreementFamilyType(
|
||||
KnownOpenSSLKeyAgreementAlgorithmConstant e, Crypto::TKeyAgreementType type
|
||||
) {
|
||||
exists(string name |
|
||||
name = e.getNormalizedName() and
|
||||
(
|
||||
name = "ECDH" and type = Crypto::ECDH()
|
||||
or
|
||||
name = "DH" and type = Crypto::DH()
|
||||
or
|
||||
name = "EDH" and type = Crypto::EDH()
|
||||
or
|
||||
name = "ESDH" and type = Crypto::EDH()
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
|
||||
Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSSLKeyAgreementAlgorithmConstant
|
||||
{
|
||||
OpenSSLAlgorithmValueConsumer getterCall;
|
||||
|
||||
KnownOpenSSLHashConstantAlgorithmInstance() {
|
||||
// Two possibilities:
|
||||
// 1) The source is a literal and flows to a getter, then we know we have an instance
|
||||
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
|
||||
// Possibility 1:
|
||||
this instanceof Literal and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
// Sink is an argument to a CipherGetterCall
|
||||
sink = getterCall.getInputNode() and
|
||||
// Source is `this`
|
||||
src.asExpr() = this and
|
||||
// This traces to a getter
|
||||
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
|
||||
)
|
||||
or
|
||||
// Possibility 2:
|
||||
this instanceof DirectAlgorithmValueConsumer and getterCall = this
|
||||
}
|
||||
|
||||
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
|
||||
|
||||
override Crypto::TKeyAgreementType getKeyAgreementType() {
|
||||
knownOpenSSLConstantToKeyAgreementFamilyType(this, result)
|
||||
or
|
||||
not knownOpenSSLConstantToKeyAgreementFamilyType(this, _) and
|
||||
result = Crypto::OtherKeyAgreementType()
|
||||
}
|
||||
|
||||
override string getRawKeyAgreementAlgorithmName() {
|
||||
result = this.(Literal).getValue().toString()
|
||||
or
|
||||
result = this.(Call).getTarget().getName()
|
||||
}
|
||||
}
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,6 +0,0 @@
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
|
||||
abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
|
||||
abstract OpenSSLAlgorithmValueConsumer getAVC();
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
import OpenSSLAlgorithmInstanceBase
|
||||
import CipherAlgorithmInstance
|
||||
import PaddingAlgorithmInstance
|
||||
import BlockAlgorithmInstance
|
||||
import HashAlgorithmInstance
|
||||
import EllipticCurveAlgorithmInstance
|
||||
@@ -1,178 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import OpenSSLAlgorithmInstanceBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import AlgToAVCFlow
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
|
||||
/**
|
||||
* A class to define padding specific integer values.
|
||||
* from rsa.h in openssl:
|
||||
* # define RSA_PKCS1_PADDING 1
|
||||
* # define RSA_NO_PADDING 3
|
||||
* # define RSA_PKCS1_OAEP_PADDING 4
|
||||
* # define RSA_X931_PADDING 5
|
||||
* # define RSA_PKCS1_PSS_PADDING 6
|
||||
* # define RSA_PKCS1_WITH_TLS_PADDING 7
|
||||
* # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
|
||||
*/
|
||||
class OpenSSLPaddingLiteral extends Literal {
|
||||
// TODO: we can be more specific about where the literal is in a larger expression
|
||||
// to avoid literals that are clealy not representing an algorithm, e.g., array indices.
|
||||
OpenSSLPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] }
|
||||
}
|
||||
|
||||
/**
|
||||
* Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
|
||||
* Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
|
||||
*/
|
||||
predicate knownOpenSSLConstantToPaddingFamilyType(
|
||||
KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type
|
||||
) {
|
||||
exists(string name |
|
||||
name = e.getNormalizedName() and
|
||||
(
|
||||
name.matches("OAEP") and type = Crypto::OAEP()
|
||||
or
|
||||
name.matches("PSS") and type = Crypto::PSS()
|
||||
or
|
||||
name.matches("PKCS7") and type = Crypto::PKCS7()
|
||||
or
|
||||
name.matches("PKCS1V15") and type = Crypto::PKCS1_v1_5()
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
//abstract class OpenSSLPaddingAlgorithmInstance extends OpenSSLAlgorithmInstance, Crypto::PaddingAlgorithmInstance{}
|
||||
// TODO: need to alter this to include known padding constants which don't have the
|
||||
// same mechanics as those with known nids
|
||||
class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
|
||||
Crypto::PaddingAlgorithmInstance instanceof Expr
|
||||
{
|
||||
OpenSSLAlgorithmValueConsumer getterCall;
|
||||
boolean isPaddingSpecificConsumer;
|
||||
|
||||
KnownOpenSSLPaddingConstantAlgorithmInstance() {
|
||||
// three possibilities:
|
||||
// 1) The source is a 'typical' literal and flows to a getter, then we know we have an instance
|
||||
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
|
||||
// 3) the source is a padding-specific literal flowing to a padding-specific consumer
|
||||
// Possibility 1:
|
||||
this instanceof Literal and
|
||||
this instanceof KnownOpenSSLPaddingAlgorithmConstant and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
// Sink is an argument to a CipherGetterCall
|
||||
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
|
||||
// Source is `this`
|
||||
src.asExpr() = this and
|
||||
// This traces to a getter
|
||||
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink) and
|
||||
isPaddingSpecificConsumer = false
|
||||
)
|
||||
or
|
||||
// Possibility 2:
|
||||
this instanceof DirectAlgorithmValueConsumer and
|
||||
getterCall = this and
|
||||
this instanceof KnownOpenSSLPaddingAlgorithmConstant and
|
||||
isPaddingSpecificConsumer = false
|
||||
or
|
||||
// Possibility 3: padding-specific literal
|
||||
this instanceof OpenSSLPaddingLiteral and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
// Sink is an argument to a CipherGetterCall
|
||||
sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
|
||||
// Source is `this`
|
||||
src.asExpr() = this and
|
||||
// This traces to a padding-specific consumer
|
||||
RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
|
||||
) and
|
||||
isPaddingSpecificConsumer = true
|
||||
}
|
||||
|
||||
override string getRawPaddingAlgorithmName() {
|
||||
result = this.(Literal).getValue().toString()
|
||||
or
|
||||
result = this.(Call).getTarget().getName()
|
||||
}
|
||||
|
||||
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
|
||||
|
||||
Crypto::TPaddingType getKnownPaddingType() {
|
||||
this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
|
||||
or
|
||||
this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
|
||||
or
|
||||
this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
|
||||
or
|
||||
this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
|
||||
or
|
||||
this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
|
||||
}
|
||||
|
||||
override Crypto::TPaddingType getPaddingType() {
|
||||
isPaddingSpecificConsumer = true and
|
||||
(
|
||||
result = this.getKnownPaddingType()
|
||||
or
|
||||
not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
|
||||
)
|
||||
or
|
||||
isPaddingSpecificConsumer = false and
|
||||
knownOpenSSLConstantToPaddingFamilyType(this, result)
|
||||
}
|
||||
}
|
||||
|
||||
// // Values used for EVP_PKEY_CTX_set_rsa_padding, these are
|
||||
// // not the same as 'typical' constants found in the set of known algorithm constants
|
||||
// // they do not have an NID
|
||||
// // TODO: what about setting the padding directly?
|
||||
// class KnownRSAPaddingConstant extends OpenSSLPaddingAlgorithmInstance, Crypto::PaddingAlgorithmInstance instanceof Literal
|
||||
// {
|
||||
// KnownRSAPaddingConstant() {
|
||||
// // from rsa.h in openssl:
|
||||
// // # define RSA_PKCS1_PADDING 1
|
||||
// // # define RSA_NO_PADDING 3
|
||||
// // # define RSA_PKCS1_OAEP_PADDING 4
|
||||
// // # define RSA_X931_PADDING 5
|
||||
// // /* EVP_PKEY_ only */
|
||||
// // # define RSA_PKCS1_PSS_PADDING 6
|
||||
// // # define RSA_PKCS1_WITH_TLS_PADDING 7
|
||||
// // /* internal RSA_ only */
|
||||
// // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
|
||||
// this instanceof Literal and
|
||||
// this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8]
|
||||
// // TODO: trace to padding-specific consumers
|
||||
// RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
|
||||
// }
|
||||
// override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
|
||||
// override Crypto::TPaddingType getPaddingType() {
|
||||
// if this.(Literal).getValue().toInt() in [1, 6, 7, 8]
|
||||
// then result = Crypto::PKCS1_v1_5()
|
||||
// else
|
||||
// if this.(Literal).getValue().toInt() = 3
|
||||
// then result = Crypto::NoPadding()
|
||||
// else
|
||||
// if this.(Literal).getValue().toInt() = 4
|
||||
// then result = Crypto::OAEP()
|
||||
// else
|
||||
// if this.(Literal).getValue().toInt() = 5
|
||||
// then result = Crypto::ANSI_X9_23()
|
||||
// else result = Crypto::OtherPadding()
|
||||
// }
|
||||
// }
|
||||
class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance,
|
||||
KnownOpenSSLPaddingConstantAlgorithmInstance
|
||||
{
|
||||
OAEPPaddingAlgorithmInstance() {
|
||||
this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = Crypto::OAEP()
|
||||
}
|
||||
|
||||
override Crypto::HashAlgorithmInstance getOAEPEncodingHashAlgorithm() {
|
||||
none() //TODO
|
||||
}
|
||||
|
||||
override Crypto::HashAlgorithmInstance getMGF1HashAlgorithm() {
|
||||
none() //TODO
|
||||
}
|
||||
}
|
||||
@@ -1,37 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
|
||||
private import OpenSSLAlgorithmValueConsumerBase
|
||||
|
||||
abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
|
||||
|
||||
// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html
|
||||
class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
|
||||
DataFlow::Node valueArgNode;
|
||||
DataFlow::Node resultNode;
|
||||
|
||||
EVPCipherAlgorithmValueConsumer() {
|
||||
resultNode.asExpr() = this and
|
||||
(
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"
|
||||
] and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(0)
|
||||
or
|
||||
this.(Call).getTarget().getName() in ["EVP_CIPHER_fetch", "EVP_ASYM_CIPHER_fetch"] and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(1)
|
||||
)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
|
||||
|
||||
// override DataFlow::Node getInputNode() { result = valueArgNode }
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
//TODO: As a potential alternative, for OpenSSL only, add a generic source node for literals and only create flow (flowsTo) to
|
||||
// OpenSSL AVCs... the unknown literal sources would have to be any literals not in the known set.
|
||||
}
|
||||
}
|
||||
@@ -1,35 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
|
||||
/**
|
||||
* Cases like EVP_MD5(),
|
||||
* there is no input, rather it directly gets an algorithm
|
||||
* and returns it.
|
||||
*/
|
||||
class DirectAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer {
|
||||
DataFlow::Node resultNode;
|
||||
Expr resultExpr;
|
||||
|
||||
DirectAlgorithmValueConsumer() {
|
||||
this instanceof KnownOpenSSLAlgorithmConstant and
|
||||
this instanceof Call and
|
||||
resultExpr = this and
|
||||
resultNode.asExpr() = resultExpr
|
||||
}
|
||||
|
||||
/**
|
||||
* These cases take in no explicit value (the value is implicit)
|
||||
*/
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
// override DataFlow::Node getOutputNode() { result = resultNode }
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
// Note: algorithm source definitions enforces that
|
||||
// this class will be a known algorithm source
|
||||
result = this
|
||||
}
|
||||
}
|
||||
@@ -1,34 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
|
||||
|
||||
abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { }
|
||||
|
||||
//https://docs.openssl.org/3.0/man3/EC_KEY_new/#name
|
||||
class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer {
|
||||
DataFlow::Node valueArgNode;
|
||||
DataFlow::Node resultNode;
|
||||
|
||||
EVPEllipticCurveAlgorithmConsumer() {
|
||||
resultNode.asExpr() = this.(Call) and // in all cases the result is the return
|
||||
(
|
||||
this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(0)
|
||||
or
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EC_KEY_new_by_curve_name_ex", "EVP_PKEY_CTX_set_ec_paramgen_curve_nid"
|
||||
] and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(2)
|
||||
)
|
||||
}
|
||||
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
|
||||
}
|
||||
@@ -1,58 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import semmle.code.cpp.dataflow.new.DataFlow
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
|
||||
|
||||
abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
|
||||
|
||||
/**
|
||||
* EVP_Q_Digest directly consumes algorithm constant values
|
||||
*/
|
||||
class EVP_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
|
||||
EVP_Q_Digest_Algorithm_Consumer() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() {
|
||||
result.asExpr() = this.(Call).getArgument(1)
|
||||
}
|
||||
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() {
|
||||
// EVP_Q_Digest directly consumes the algorithm constant value and performs the operation, there is no
|
||||
// algorithm result
|
||||
none()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The EVP digest algorithm getters
|
||||
* https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
|
||||
*/
|
||||
class EVPDigestAlgorithmValueConsumer extends HashAlgorithmValueConsumer {
|
||||
DataFlow::Node valueArgNode;
|
||||
DataFlow::Node resultNode;
|
||||
|
||||
EVPDigestAlgorithmValueConsumer() {
|
||||
resultNode.asExpr() = this and
|
||||
(
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"
|
||||
] and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(0)
|
||||
or
|
||||
this.(Call).getTarget().getName() = "EVP_MD_fetch" and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(1)
|
||||
)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
|
||||
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
}
|
||||
}
|
||||
@@ -1,28 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import semmle.code.cpp.dataflow.new.DataFlow
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
|
||||
|
||||
abstract class KEMAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
|
||||
|
||||
class EVPKEMAlgorithmValueConsumer extends KEMAlgorithmValueConsumer {
|
||||
DataFlow::Node valueArgNode;
|
||||
DataFlow::Node resultNode;
|
||||
|
||||
EVPKEMAlgorithmValueConsumer() {
|
||||
resultNode.asExpr() = this and
|
||||
(
|
||||
this.(Call).getTarget().getName() = "EVP_KEM_fetch" and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(1)
|
||||
)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
|
||||
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
}
|
||||
}
|
||||
@@ -1,28 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import semmle.code.cpp.dataflow.new.DataFlow
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
|
||||
|
||||
abstract class KeyExchangeAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
|
||||
|
||||
class EVPKeyExchangeAlgorithmValueConsumer extends KeyExchangeAlgorithmValueConsumer {
|
||||
DataFlow::Node valueArgNode;
|
||||
DataFlow::Node resultNode;
|
||||
|
||||
EVPKeyExchangeAlgorithmValueConsumer() {
|
||||
resultNode.asExpr() = this and
|
||||
(
|
||||
this.(Call).getTarget().getName() = "EVP_KEYEXCH_fetch" and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(1)
|
||||
)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
|
||||
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
}
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
private import experimental.quantum.Language
|
||||
|
||||
abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
|
||||
/**
|
||||
* Returns the node representing the resulting algorithm
|
||||
*/
|
||||
abstract DataFlow::Node getResultNode();
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
import OpenSSLAlgorithmValueConsumerBase
|
||||
import CipherAlgorithmValueConsumer
|
||||
import DirectAlgorithmValueConsumer
|
||||
import PaddingAlgorithmValueConsumer
|
||||
import HashAlgorithmValueConsumer
|
||||
import EllipticCurveAlgorithmValueConsumer
|
||||
import PKeyAlgorithmValueConsumer
|
||||
@@ -1,55 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
|
||||
|
||||
abstract class PKeyValueConsumer extends OpenSSLAlgorithmValueConsumer { }
|
||||
|
||||
class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer {
|
||||
DataFlow::Node valueArgNode;
|
||||
DataFlow::Node resultNode;
|
||||
|
||||
EVPPKeyAlgorithmConsumer() {
|
||||
resultNode.asExpr() = this.(Call) and // in all cases the result is the return
|
||||
(
|
||||
// NOTE: some of these consumers are themselves key gen operations,
|
||||
// in these cases, the operation will be created separately for the same function.
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_PKEY_CTX_new_id", "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key",
|
||||
"EVP_PKEY_new_mac_key"
|
||||
] and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(0)
|
||||
or
|
||||
this.(Call).getTarget().getName() in [
|
||||
"EVP_PKEY_CTX_new_from_name", "EVP_PKEY_new_raw_private_key_ex",
|
||||
"EVP_PKEY_new_raw_public_key_ex", "EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"
|
||||
] and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(1)
|
||||
or
|
||||
// argInd 2 is 'type' which can be RSA, or EC
|
||||
// if RSA argInd 3 is the key size, else if EC argInd 3 is the curve name
|
||||
// In all other cases there is no argInd 3, and argInd 2 is the algorithm.
|
||||
// Since this is a key gen operation, handling the key size should be handled
|
||||
// when the operation is again modeled as a key gen operation.
|
||||
this.(Call).getTarget().getName() = "EVP_PKEY_Q_keygen" and
|
||||
(
|
||||
// Elliptic curve case
|
||||
// If the argInd 3 is a derived type (pointer or array) then assume it is a curve name
|
||||
if this.(Call).getArgument(3).getType().getUnderlyingType() instanceof DerivedType
|
||||
then valueArgNode.asExpr() = this.(Call).getArgument(3)
|
||||
else
|
||||
// All other cases
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(2)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
|
||||
}
|
||||
@@ -1,32 +0,0 @@
|
||||
import cpp
|
||||
private import experimental.quantum.Language
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
|
||||
private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
|
||||
private import OpenSSLAlgorithmValueConsumerBase
|
||||
|
||||
abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
|
||||
|
||||
// https://docs.openssl.org/master/man7/EVP_ASYM_CIPHER-RSA/#rsa-asymmetric-cipher-parameters
|
||||
// TODO: need to handle setting padding through EVP_PKEY_CTX_set_params, where modes like "OSSL_PKEY_RSA_PAD_MODE_OAEP"
|
||||
// are set.
|
||||
class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorithmValueConsumer {
|
||||
DataFlow::Node valueArgNode;
|
||||
DataFlow::Node resultNode;
|
||||
|
||||
EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() {
|
||||
resultNode.asExpr() = this and
|
||||
this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_rsa_padding" and
|
||||
valueArgNode.asExpr() = this.(Call).getArgument(1)
|
||||
}
|
||||
|
||||
override DataFlow::Node getResultNode() { result = resultNode }
|
||||
|
||||
override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
|
||||
|
||||
// override DataFlow::Node getInputNode() { result = valueArgNode }
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
|
||||
//TODO: As a potential alternative, for OpenSSL only, add a generic source node for literals and only create flow (flowsTo) to
|
||||
// OpenSSL AVCs... the unknown literal sources would have to be any literals not in the known set.
|
||||
}
|
||||
}
|
||||
@@ -1,139 +0,0 @@
|
||||
//TODO: model as data on open APIs should be able to get common flows, and obviate some of this
|
||||
// e.g., copy/dup calls, need to ingest those models for openSSL and refactor.
|
||||
/**
|
||||
* In OpenSSL, flow between 'context' parameters is often used to
|
||||
* store state/config of how an operation will eventually be performed.
|
||||
* Tracing algorithms and configurations to operations therefore
|
||||
* requires tracing context parameters for many OpenSSL apis.
|
||||
*
|
||||
* This library provides a dataflow analysis to track context parameters
|
||||
* between any two functions accepting openssl context parameters.
|
||||
* The dataflow takes into consideration flowing through duplication and copy calls
|
||||
* as well as flow through flow killers (free/reset calls).
|
||||
*
|
||||
* TODO: we may need to revisit 'free' as a dataflow killer, depending on how
|
||||
* we want to model use after frees.
|
||||
*
|
||||
* This library also provides classes to represent context Types and relevant
|
||||
* arguments/expressions.
|
||||
*/
|
||||
|
||||
import semmle.code.cpp.dataflow.new.DataFlow
|
||||
|
||||
/**
|
||||
* An openSSL CTX type, which is type for which the stripped underlying type
|
||||
* matches the pattern 'evp_%ctx_%st'.
|
||||
* This includes types like:
|
||||
* - EVP_CIPHER_CTX
|
||||
* - EVP_MD_CTX
|
||||
* - EVP_PKEY_CTX
|
||||
*/
|
||||
private class CtxType extends Type {
|
||||
CtxType() {
|
||||
// It is possible for users to use the underlying type of the CTX variables
|
||||
// these have a name matching 'evp_%ctx_%st
|
||||
this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
|
||||
or
|
||||
// In principal the above check should be sufficient, but in case of build mode none issues
|
||||
// i.e., if a typedef cannot be resolved,
|
||||
// or issues with properly stubbing test cases, we also explicitly check for the wrapping type defs
|
||||
// i.e., patterns matching 'EVP_%_CTX'
|
||||
exists(Type base | base = this or base = this.(DerivedType).getBaseType() |
|
||||
base.getName().matches("EVP_%_CTX")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A pointer to a CtxType
|
||||
*/
|
||||
private class CtxPointerExpr extends Expr {
|
||||
CtxPointerExpr() {
|
||||
this.getType() instanceof CtxType and
|
||||
this.getType() instanceof PointerType
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A call argument of type CtxPointerExpr.
|
||||
*/
|
||||
private class CtxPointerArgument extends CtxPointerExpr {
|
||||
CtxPointerArgument() { exists(Call c | c.getAnArgument() = this) }
|
||||
|
||||
Call getCall() { result.getAnArgument() = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* A call whose target contains 'free' or 'reset' and has an argument of type
|
||||
* CtxPointerArgument.
|
||||
*/
|
||||
private class CtxClearCall extends Call {
|
||||
CtxClearCall() {
|
||||
this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and
|
||||
this.getAnArgument() instanceof CtxPointerArgument
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A call whose target contains 'copy' and has an argument of type
|
||||
* CtxPointerArgument.
|
||||
*/
|
||||
private class CtxCopyOutArgCall extends Call {
|
||||
CtxCopyOutArgCall() {
|
||||
this.getTarget().getName().toLowerCase().matches("%copy%") and
|
||||
this.getAnArgument() instanceof CtxPointerArgument
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A call whose target contains 'dup' and has an argument of type
|
||||
* CtxPointerArgument.
|
||||
*/
|
||||
private class CtxCopyReturnCall extends Call, CtxPointerExpr {
|
||||
CtxCopyReturnCall() {
|
||||
this.getTarget().getName().toLowerCase().matches("%dup%") and
|
||||
this.getAnArgument() instanceof CtxPointerArgument
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Flow from any CtxPointerArgument to any other CtxPointerArgument
|
||||
*/
|
||||
module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CtxPointerArgument }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CtxPointerArgument }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
exists(CtxClearCall c | c.getAnArgument() = node.asExpr())
|
||||
}
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(CtxCopyOutArgCall c |
|
||||
c.getAnArgument() = node1.asExpr() and
|
||||
c.getAnArgument() = node2.asExpr() and
|
||||
node1.asExpr() != node2.asExpr() and
|
||||
node2.asExpr().getType() instanceof CtxType
|
||||
)
|
||||
or
|
||||
exists(CtxCopyReturnCall c |
|
||||
c.getAnArgument() = node1.asExpr() and
|
||||
c = node2.asExpr() and
|
||||
node1.asExpr() != node2.asExpr() and
|
||||
node2.asExpr().getType() instanceof CtxType
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
module OpenSSLCtxArgumentFlow = DataFlow::Global<OpenSSLCtxArgumentFlowConfig>;
|
||||
|
||||
/**
|
||||
* Holds if there is a context flow from the source to the sink.
|
||||
*/
|
||||
predicate ctxArgFlowsToCtxArg(CtxPointerArgument source, CtxPointerArgument sink) {
|
||||
exists(DataFlow::Node a, DataFlow::Node b |
|
||||
OpenSSLCtxArgumentFlow::flow(a, b) and
|
||||
a.asExpr() = source and
|
||||
b.asExpr() = sink
|
||||
)
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user