Compare commits

...

571 Commits

Author SHA1 Message Date
Max Schaefer
eb3d0f5b0e Add merlyn.md which explains the changes on this branch. 2021-04-19 15:04:21 +01:00
Max Schaefer
09cf8e8b01 Remove RequestHeaderAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
bd8212c090 Remove RequestInputAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
f106d186e4 Remove MultipartyRemoteFlow. 2021-04-19 15:04:21 +01:00
Max Schaefer
e2c84407b4 Revert changes to Express::RequestInputAccess in c45d84f8f3 and 9cacfab7c6. 2021-04-19 15:04:21 +01:00
Max Schaefer
67b15125c7 Revert changes to Express::RequestInputAccess in d84f1b47c2. 2021-04-19 15:04:21 +01:00
Max Schaefer
caf763a969 Revert changes to Express::RequestInputAccess in ed48efe5b4. 2021-04-19 15:04:21 +01:00
Max Schaefer
4f8f5048f3 Revert changes to Express::RequestInputAccess in 83f0514475. 2021-04-19 15:04:21 +01:00
Max Schaefer
2366679d9b Revert changes to Express::RequestInputAccess in e2fbf8a68c. 2021-04-19 15:04:21 +01:00
Max Schaefer
66399c055e Remove MicroBodyParserCall. 2021-04-19 15:04:21 +01:00
Max Schaefer
85c02a430e Remove ServerRequestDataEvent. 2021-04-19 15:04:20 +01:00
Max Schaefer
29945b8ed0 Remove VueRouterFlowSource. 2021-04-19 15:04:20 +01:00
Max Schaefer
a8ef1bc32a Remove ServerlessHandlerEventAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
0781a138af Remove ReceivedItemAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
6fd67c4d8e Remove ReactRouterSource. 2021-04-19 15:04:19 +01:00
Max Schaefer
89747ecf83 Revert changes to `PostMessageEventHandler in cb7de27. 2021-04-19 15:03:51 +01:00
Max Schaefer
c013e3f9c3 Remove NodeJSNetServerItemAsRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
3b14b27635 Remove NextParams. 2021-04-19 15:03:51 +01:00
Max Schaefer
2ae32be934 Revert changes to ClientRequestData from 0b55aed626. 2021-04-19 15:03:51 +01:00
Max Schaefer
6647f6b9c4 Remove FormidableRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
41ceb291de Remove BusBoyRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
615418d2e3 Remove AngularSource. 2021-04-19 15:03:49 +01:00
Max Schaefer
0ba76f7d0e Revert "JS: Move $() sink into separate dataflow config"
This reverts commit 50a015c73e.
2021-04-19 15:03:11 +01:00
Max Schaefer
d97a10ef8a Revert "JS: Address review comments"
This reverts commit c91cdb5194.
2021-04-19 14:57:18 +01:00
Shati Patel
2d618d6b92 Merge pull request #5625 from shati-patel/docs/cli-manual
Docs: Link to CodeQL CLI manual from the sidebar
2021-04-09 15:30:24 +01:00
Jonas Jensen
e1d0bbb021 Merge pull request #5607 from MathiasVP/smart-pointer-ast-read-store-steps
C++: read and store steps for smart pointers in AST dataflow
2021-04-09 16:11:48 +02:00
CodeQL CI
6fd4a8afff Merge pull request #5567 from asgerf/js/sql-models
Approved by esbena
2021-04-09 07:11:10 -07:00
CodeQL CI
be2fe6e171 Merge pull request #5630 from erik-krogh/urlStep
Approved by esbena
2021-04-09 07:05:43 -07:00
CodeQL CI
8d2768b2ce Merge pull request #5634 from erik-krogh/fileSource
Approved by asgerf
2021-04-09 07:04:42 -07:00
Anders Schack-Mulligen
701e815368 Merge pull request #5628 from hvitved/java/remove-unique
Java: Remove `unique` wrapper from `DataFlow::Node::getEnclosingCallable()`
2021-04-09 15:21:26 +02:00
Mathias Vorreiter Pedersen
cd310eb9d5 C++: Remove unused import. 2021-04-09 15:08:48 +02:00
Tamás Vajk
992a4df12f Merge pull request #5619 from tamasvajk/feature/fix-default-argument-value-extraction
C# Improve default argument value extraction
2021-04-09 14:58:35 +02:00
Mathias Vorreiter Pedersen
996cda9b97 C++: Fix incorrect test annotation. 2021-04-09 14:46:46 +02:00
Mathias Vorreiter Pedersen
80d5b17900 C++: Remove the dataflow rule for smart_ptr -> *smart_ptr. 2021-04-09 14:20:51 +02:00
Mathias Vorreiter Pedersen
cae0060a89 C++: Replace the new rules in DataFlowUtil with a dataflow model for pointer wrapper classes. 2021-04-09 14:06:58 +02:00
Tamas Vajk
46197e6e69 Address review comments 2021-04-09 13:39:37 +02:00
Erik Krogh Kristensen
595bdedb22 rename predicate to getStem, and update regexp 2021-04-09 13:07:54 +02:00
CodeQL CI
652e8b4872 Merge pull request #5586 from asgerf/js/tsconfig-file-inclusion-handling
Approved by esbena
2021-04-09 02:50:51 -07:00
Tom Hvitved
c9c4c067b6 Merge pull request #5633 from hvitved/csharp/get-a-source-type-perf
C#: Improve performance of `Dispatch::SimpleTypeDataFlow::getASourceType()`
2021-04-09 11:42:34 +02:00
Tamás Vajk
a335bb0115 Merge pull request #5609 from tamasvajk/feature/dapper
C#: Dapper support
2021-04-09 10:52:17 +02:00
CodeQL CI
ad267404c9 Merge pull request #5137 from asgerf/js/redux-less
Approved by erik-krogh
2021-04-09 01:24:19 -07:00
Tamas Vajk
d7f0b9a7fa Add change note 2021-04-09 09:58:37 +02:00
Tamas Vajk
749db379ca Address code review findings 2021-04-09 09:55:37 +02:00
Tamas Vajk
dbb3d3dc17 Add change note 2021-04-09 09:50:55 +02:00
Tamás Vajk
8adaee05b6 Merge pull request #5453 from tamasvajk/feature/use_codeql_stubs
C#: Adjust make_stubs.py to use codeql instead of odasa
2021-04-08 16:16:05 +02:00
Anders Schack-Mulligen
6109ef5e88 Merge pull request #5475 from Marcono1234/marcono1234/minus-literal
Java: Improve documentation regarding minus in front of numeric literals
2021-04-08 16:11:14 +02:00
Asger Feldthaus
7d300b53d7 JS: Autoformat 2021-04-08 15:06:48 +01:00
Anders Schack-Mulligen
d42a01cb3a qldoc fixup 2021-04-08 15:45:21 +02:00
Tamas Vajk
e5160929eb Remove ODASA reference from make_stubs.py 2021-04-08 15:04:02 +02:00
Erik Krogh Kristensen
30ba69d991 treat "files" in a package.json as main modules, if "main" is not present 2021-04-08 14:42:12 +02:00
Tom Hvitved
036e181bc1 C#: Improve performance of Dispatch::SimpleTypeDataFlow::getASourceType() 2021-04-08 14:27:28 +02:00
Tom Hvitved
716568ebd1 Merge pull request #5623 from hvitved/csharp/enclosing
C#: Compute enclosing callable as a transitive closure
2021-04-08 14:20:09 +02:00
Tom Hvitved
9820116734 Merge pull request #5603 from hvitved/csharp/dataflow/no-unique
C#: Remove `unique` wrappers from `DataFlow::Node::get(EnclosingCallable|ControlFlowNode)`
2021-04-08 14:19:34 +02:00
Asger Feldthaus
52a2260dc7 JS: Rename change note file 2021-04-08 12:52:23 +01:00
Rasmus Wriedt Larsen
c738f387b1 Merge pull request #5624 from tausbn/python-make-callcfgnode-a-localsourcenode
Python: Improve `CallCfgNode` interface
2021-04-08 13:38:24 +02:00
Taus
cf5f760ecd Merge pull request #5582 from RasmusWL/all-tuple
Python: Add support for `__all__` assigned to tuple
2021-04-08 13:03:27 +02:00
Tamas Vajk
a790eb8110 Fix for unconstrained generic types 2021-04-08 12:20:01 +02:00
Tamas Vajk
a8cbdc92b9 Add more test cases 2021-04-08 12:17:19 +02:00
Tamas Vajk
551a7ce9e5 Fix expression value of struct default argument values 2021-04-08 12:14:53 +02:00
Tamas Vajk
c069c3384e Fix tests 2021-04-08 12:07:36 +02:00
Tamas Vajk
cb9a9db356 C# Improve default argument value extraction 2021-04-08 12:07:22 +02:00
Tamas Vajk
2ac1e60406 C#: Add parameter default value tests 2021-04-08 12:04:18 +02:00
Jonas Jensen
51bab81f56 Merge pull request #5622 from MathiasVP/inline-is-before
C++: Inline Location::isBefore
2021-04-08 11:24:33 +02:00
Erik Krogh Kristensen
99dd5330c2 add taint-step for URL construction in js/request-forgery 2021-04-08 11:10:33 +02:00
CodeQL CI
a9527fd913 Merge pull request #5621 from erik-krogh/shellSink
Approved by esbena
2021-04-08 09:47:45 +01:00
Tom Hvitved
2faf52b6bd Java: Remove unique wrapper from DataFlow::Node::getEnclosingCallable()` 2021-04-08 10:07:19 +02:00
Shati Patel
4cf0b8e725 Merge pull request #5626 from shati-patel/docs/broken-links
Docs: Fix broken link to cached "RemoteFlowSource"
2021-04-07 19:01:33 +01:00
Shati Patel
f372274857 Docs: Fix broken links 2021-04-07 18:02:29 +01:00
Shati Patel
2373bf2dfb Docs: Link to CodeQL CLI manual from the sidebar 2021-04-07 17:55:05 +01:00
Tom Hvitved
1cf30d2a9e C#: Compute enclosing callable as a transitive closure 2021-04-07 17:44:41 +02:00
Jonas Jensen
ab58cb3d44 Merge pull request #5604 from MathiasVP/fix-false-positive-in-assign-where-compare-meant
C++: Fix FP in cpp/assign-where-compare-meant
2021-04-07 16:54:45 +02:00
CodeQL CI
f0491af64c Merge pull request #5529 from erik-krogh/socketInput
Approved by esbena
2021-04-07 15:03:13 +01:00
Asger F
0c724a8427 Merge pull request #5304 from asgerf/js/non-alert-data
JS: Implement new metric queries for line counting
2021-04-07 14:52:51 +01:00
Mathias Vorreiter Pedersen
03b12dbc6d C++: Inline Location::isBefore. 2021-04-07 15:45:08 +02:00
Erik Krogh Kristensen
365b4d722d backtrack string-concatenations from shell-execution sinks 2021-04-07 15:34:54 +02:00
Taus
903f364dab Python: Improve CallCfgNode interface
Call nodes are always local sources (specifically sources of the return
value of the call), and so inheriting from `LocalSourceNode` will have
no effect on results, but _should_ make it a bit more smooth to use the
API.
2021-04-07 13:31:12 +00:00
CodeQL CI
073a43ce74 Merge pull request #5606 from erik-krogh/shellInput
Approved by esbena
2021-04-07 14:30:31 +01:00
Shati Patel
461d4e45af Merge pull request #5608 from shati-patel/docs/telemetry-settings
Docs: Mention telemetry in "customizing settings"
2021-04-07 13:44:32 +01:00
Erik Krogh Kristensen
c9f54ea1ad update expected output 2021-04-07 12:37:17 +00:00
Asger Feldthaus
ee13ff71d6 JS: Add another change note 2021-04-07 12:29:06 +01:00
Asger Feldthaus
26cddc7d04 JS: Update test output 2021-04-07 12:28:45 +01:00
Asger Feldthaus
69973d0fa2 JS: Autoformat 2021-04-07 11:24:11 +01:00
Erik Krogh Kristensen
a66083d685 change "Uncontrolled path" to "Path concatenation" 2021-04-07 08:23:07 +00:00
CodeQL CI
fd4e8f8282 Merge pull request #5526 from erik-krogh/quotedShell
Approved by esbena
2021-04-07 08:39:01 +01:00
CodeQL CI
61880ba90a Merge pull request #5530 from erik-krogh/moreFS
Approved by esbena
2021-04-07 08:37:23 +01:00
Robert Marsh
e22ec50dee Merge pull request #5613 from github/hmakholm/pr/fix-redos
Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
2021-04-06 15:54:27 -07:00
Henning Makholm
2d615ef503 Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
The sub-regex `(\s|.)*` aims to capture arbitrary string content
(in contrast to `.*` which doesn't match newlines), but it is
unsafe, since non-newline whitespace can match both alternatives.

This caused an evaluator crash in the wild.

Replace with `[\s\S]*`, which matches everything in a safe way.
2021-04-06 20:10:57 +02:00
Tamas Vajk
ffcb345916 C#: Add Dapper support to SQL injection queries 2021-04-06 17:06:20 +02:00
Shati Patel
9a41c80626 Merge pull request #5574 from github/smowton/admin/update-supported-go-version
Update supported Go version to 1.16
2021-04-06 14:54:36 +01:00
Shati Patel
695b02a94c Docs: Mention telemetry in "customizing settings" 2021-04-06 14:30:17 +01:00
Erik Krogh Kristensen
2c1cc9ead6 use local variable instead of module.exports in example
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-04-06 15:17:31 +02:00
Tom Hvitved
f45916efda Merge pull request #5605 from hvitved/csharp/exclude-dependency-queries
C#: Remove mentions of `exclude-dependency-queries.yml`
2021-04-06 14:58:49 +02:00
Mathias Vorreiter Pedersen
8382e85901 C++: Add flow into the source of read step and out of the target of a store step for smart pointers in AST dataflow. 2021-04-06 14:05:55 +02:00
Mathias Vorreiter Pedersen
f07d844362 C++: Add a test containing missing read/store dataflow steps for smart pointers. 2021-04-06 13:59:27 +02:00
Tamas Vajk
98001c494f C#: Add Dapper stub and new SqlInjection test cases 2021-04-06 13:30:31 +02:00
Erik Krogh Kristensen
41b89669a9 add joined paths as a sink to js/shell-command-constructed-from-input 2021-04-06 12:14:00 +02:00
Rasmus Wriedt Larsen
bc49bc7095 Python: Add variable with underscore to __all__ tests 2021-04-06 11:54:25 +02:00
Tom Hvitved
e0e58b24ea C#: Remove mentions of exclude-dependency-queries.yml 2021-04-06 11:50:36 +02:00
Rasmus Wriedt Larsen
224d3790b5 Python: Highlight all_indirect.py is not super important
At least not in my mind
2021-04-06 11:50:04 +02:00
Rasmus Wriedt Larsen
b11703cc74 Python: all_dybamic2 => all_indirect 2021-04-06 11:49:55 +02:00
Mathias Vorreiter Pedersen
5eb1f8abbd C++: Add change-note. 2021-04-06 11:47:57 +02:00
Rasmus Wriedt Larsen
0ebb24ebeb Merge pull request #5398 from yoff/python-api-enhancements
Python: Add small api enhancements determined useful during documentation work
2021-04-06 11:44:51 +02:00
Tom Hvitved
667b26b5d9 Merge pull request #5540 from hvitved/csharp/ssa-impl-tweaks
C#: Performance tweaks in `SsaImplCommon.qll`
2021-04-06 11:43:08 +02:00
Mathias Vorreiter Pedersen
a5f4d43d61 C++: Fix false positive by adding another allow-list pattern in AssignWhereCompareMeant. 2021-04-06 11:01:38 +02:00
Mathias Vorreiter Pedersen
7045597139 C++: Add testcase with false positive from #5318. 2021-04-06 10:58:15 +02:00
Erik Krogh Kristensen
c194598d37 recognize headers/url from the HTTP request to a server WebSocket. 2021-04-06 10:11:27 +02:00
Tom Hvitved
e852540254 C#: Remove unique wrappers from DataFlow::Node::get(EnclosingCallable|ControlFlowNode) 2021-04-06 09:56:09 +02:00
Rasmus Lerchedahl Petersen
c777f1d8d7 Merge branch 'main' of github.com:github/codeql into python-api-enhancements 2021-04-06 09:31:26 +02:00
yoff
a23d8deb10 Merge pull request #5483 from RasmusWL/minor-fixup-django
Python: Better text for getSourceType in Django
2021-04-06 08:30:58 +02:00
Asger Feldthaus
32500c834d JS: Change note 2021-04-01 16:41:03 +01:00
Asger Feldthaus
acc28df785 JS: Bugfix in tsconfig file inclusion handling 2021-04-01 16:33:05 +01:00
Asger Feldthaus
564a6873f8 JS: Add baseUrl test 2021-04-01 16:33:05 +01:00
Asger Feldthaus
c4ab6fb7b4 JS: Add ImportGraph meta query 2021-04-01 16:33:05 +01:00
Asger Feldthaus
f07030ba97 JS: Update AdditionalFlowStep -> SharedFlowStep 2021-04-01 13:16:47 +01:00
Asger Feldthaus
a9566728b5 JS: Update an import of Unit type 2021-04-01 13:16:47 +01:00
Asger Feldthaus
7119eda009 JS: Add redux change note 2021-04-01 13:16:47 +01:00
Asger Feldthaus
86bc0eb853 JS: Autoformat 2021-04-01 13:16:47 +01:00
Asger Feldthaus
b43989e6a1 JS: Use API nodes to track dispatch/dispatched value sources 2021-04-01 13:16:47 +01:00
Asger Feldthaus
2850b8e952 JS: Fix RangeAnalysis after BasicBlock.dominates change 2021-04-01 13:16:47 +01:00
Asger Feldthaus
cbfa5ad303 JS: Change type of a parameter 2021-04-01 13:16:47 +01:00
Asger Feldthaus
cee1a12489 JS: Fix typo in qldoc 2021-04-01 13:16:47 +01:00
Asger Feldthaus
c926a47d50 JS: QLDoc and test for HeuristicConnectEntryPoint 2021-04-01 13:16:47 +01:00
Asger Feldthaus
cca38a64be JS: Add test for flow to a closure body under a type guard 2021-04-01 13:16:46 +01:00
Asger Feldthaus
53def60e4f JS: Add test for if-based type check 2021-04-01 13:16:46 +01:00
Asger Feldthaus
1ce7c3448f JS: Address some review comments 2021-04-01 13:16:46 +01:00
Asger Feldthaus
fd7cbd0c96 JS: Tweak BasicBlock.dominates and friends 2021-04-01 13:16:46 +01:00
Asger Feldthaus
8fa3fb0561 JS: Redux model 2021-04-01 13:16:46 +01:00
Asger Feldthaus
314839fc09 JS: Add @reduxjs/toolkit to composed functions 2021-04-01 13:16:46 +01:00
Asger Feldthaus
c1651ad30c JS: Factor out Unit type 2021-04-01 13:16:46 +01:00
Asger Feldthaus
125d1465c8 JS: Add DataFlow::functionForwardingStep 2021-04-01 13:16:46 +01:00
Asger Feldthaus
a3421e7ab2 JS: Add getALocalUse 2021-04-01 13:16:45 +01:00
CodeQL CI
20416ae034 Merge pull request #5585 from asgerf/js/more-metadata
Approved by esbena
2021-04-01 13:13:01 +01:00
Asger Feldthaus
c96ee8671e JS: Update more query metadata 2021-04-01 12:15:54 +01:00
CodeQL CI
a1fab8ac52 Merge pull request #5581 from asgerf/js/dependency-info
Approved by esbena
2021-04-01 09:07:21 +01:00
Shati Patel
36bdee0e8b Merge pull request #5571 from github/docs/bug-fix
Docs: Typo fix
2021-03-31 21:59:43 +01:00
Rasmus Wriedt Larsen
95ac2c8edd Python: Add another dynamic __all__ test 2021-03-31 17:31:55 +02:00
CodeQL CI
f08a0e5653 Merge pull request #5580 from asgerf/js/more-metadata-fix
Approved by esbena
2021-03-31 16:29:33 +01:00
Rasmus Wriedt Larsen
ab3edf37d7 Python: Handle __all__ assigned to a tuple
Examples where this is used in real code:

- 76c0b32f82/django/core/files/temp.py (L24)
- 76c0b32f82/django/contrib/gis/gdal/__init__.py (L44-L49)
2021-03-31 17:25:19 +02:00
Rasmus Wriedt Larsen
43306f4700 Python: Add tests for Module.declaredInAll 2021-03-31 17:24:17 +02:00
Asger Feldthaus
8c8e4e6a70 JS: Add test 2021-03-31 16:17:54 +01:00
Asger Feldthaus
068a9d88e7 JS: Ensure Dependency.info() exists even if version range could not be parsed 2021-03-31 16:08:08 +01:00
Asger Feldthaus
c541390c1b JS: Remove precision tag from ExternalDependencies.ql 2021-03-31 13:54:15 +01:00
Mathias Vorreiter Pedersen
e9e93c0eea Merge pull request #5558 from geoffw0/replace-tostring
Replace toString use
2021-03-31 13:50:41 +02:00
Geoffrey White
85ecfe2723 Update cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-03-31 11:34:56 +01:00
Calum Grant
49d1937dc4 Merge pull request #5552 from RasmusWL/revert-import-change
Python: Revert #5506 due to bad performance
2021-03-31 09:51:39 +01:00
Asger F
d4877a9038 Merge pull request #5572 from asgerf/js/remove-flow-summary-kinds
JS: Change kind of summary-extraction queries to table
2021-03-31 09:28:56 +01:00
Asger Feldthaus
57784dc746 JS: Update test output 2021-03-31 09:23:47 +01:00
Chris Smowton
4f9b6d1192 Update supported Go version to 1.16 2021-03-31 08:56:27 +01:00
Asger Feldthaus
bc5b477f79 JS: Change kind of summary-extraction queries to table 2021-03-30 21:26:58 +01:00
Dave Bartolomeo
0cc8eaf3b4 Merge pull request #5543 from MathiasVP/smart-ptr-like-class
C++: Add a class that models wrapped pointer types
2021-03-30 16:00:13 -04:00
Rasmus Wriedt Larsen
51c27de049 Merge branch 'main' into revert-import-change 2021-03-30 21:51:53 +02:00
Shati Patel
b9788eb53c Merge pull request #5568 from shati-patel/docs-binding-sets
Docs: Mention that binding sets are available for classes
2021-03-30 18:08:23 +01:00
Sarita Iyer
649286995a Merge pull request #5562 from saritai/saritai/cli-remove-1.23-references
Remove Enterprise 1.23 special instructions and replace references
2021-03-30 13:07:42 -04:00
Shati Patel
fb004bacc3 Describe predicates first 2021-03-30 17:31:20 +01:00
Shati Patel
67835ee273 Address review comments 2021-03-30 17:29:43 +01:00
Shati Patel
23df459c16 remove accidental punctuation 2021-03-30 17:23:33 +01:00
Mathias Vorreiter Pedersen
fe76b0849b Merge pull request #5569 from geoffw0/memoryfree
C++: Add a test of memory freed queries with strdup.
2021-03-30 17:22:18 +02:00
Mathias Vorreiter Pedersen
92839123ae Merge pull request #5570 from geoffw0/mutextest
C++: Add mutex test cases.
2021-03-30 17:16:19 +02:00
Geoffrey White
a8284d5b97 C++: Add mutex test case. 2021-03-30 15:39:21 +01:00
Sarah Edwards
e0a73ce797 Merge pull request #5560 from skedwards88/patch-1
download LGTM database from a project slug
2021-03-30 06:58:28 -07:00
Geoffrey White
244966e216 C++: Add a test with strdup. 2021-03-30 14:49:05 +01:00
Shati Patel
62de15cd22 Docs: Mention that binding sets are available for classes 2021-03-30 14:46:59 +01:00
Asger Feldthaus
f8bbda0cdc JS: Change note 2021-03-30 13:54:01 +01:00
Asger Feldthaus
9db235ac36 JS: Improve @google-cloud/spanner model 2021-03-30 13:54:00 +01:00
Asger Feldthaus
35f294f096 JS: Improve sequelize model 2021-03-30 13:54:00 +01:00
Mathias Vorreiter Pedersen
4b51e22bb4 Merge pull request #5565 from geoffw0/avrule79
C++: Test strdup with AV rule 79
2021-03-30 14:34:46 +02:00
Geoffrey White
ec952248a9 C++: Test strdup with AV Rule 79. 2021-03-30 12:58:04 +01:00
Geoffrey White
f27203cc43 C++: Test spacing. 2021-03-30 12:57:43 +01:00
Asger Feldthaus
93500bd95a JS: Improve mssql model 2021-03-30 11:34:01 +01:00
Asger Feldthaus
95937c9ac7 JS: Improve sqlite3 model 2021-03-30 11:34:01 +01:00
Asger Feldthaus
0b21b273ed JS: Improve pg model 2021-03-30 11:33:59 +01:00
Asger Feldthaus
937a620f4d JS: Improve mysql2 model 2021-03-30 11:33:42 +01:00
CodeQL CI
e8d7925084 Merge pull request #5555 from asgerf/js/misc-steps
Approved by esbena
2021-03-30 11:30:12 +01:00
CodeQL CI
25e26b9ac0 Merge pull request #5554 from asgerf/js/non-recursive-propref
Approved by esbena
2021-03-30 11:29:32 +01:00
CodeQL CI
6cceb73807 Merge pull request #5553 from asgerf/js/pg-promise
Approved by esbena
2021-03-30 11:28:24 +01:00
Geoffrey White
d2b991bcb5 Merge pull request #5541 from MathiasVP/definitions-for-unique_ptr
C++: Add shared_ptr and unique_ptr implementations
2021-03-30 09:47:56 +01:00
Mathias Vorreiter Pedersen
09ba25fe9b C++: Accept test changes. I'm actually not sure why we lose these results (and lose the field conflation, yay) It might be due to #3364. 2021-03-30 10:24:01 +02:00
Mathias Vorreiter Pedersen
8c95a9ae39 Merge branch 'main' into definitions-for-unique_ptr 2021-03-30 10:20:36 +02:00
Laura Coursen
2dadc752d6 Merge pull request #5563 from lecoursen/stronger-rec-to-use-lgtm.com-branch
Make stronger recommendations around the use of the lgtm.com branch
2021-03-29 14:29:24 -05:00
Laura Coursen
d57ec5d1ac Merge branch 'stronger-rec-to-use-lgtm.com-branch' of https://github.com/lecoursen/codeql into stronger-rec-to-use-lgtm.com-branch 2021-03-29 14:05:46 -05:00
Laura Coursen
e3b052199a Suggest lgtm.com branch first 2021-03-29 14:04:59 -05:00
Laura Coursen
eb01ffbdae Use correct terminology
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
2021-03-29 14:03:30 -05:00
Ethan Palm
2f98212eca Merge pull request #5561 from ethanpalm/fix-broken-links
Fix broken links
2021-03-29 14:28:49 -04:00
Laura Coursen
8f1c7c57a8 Add 💅 2021-03-29 12:53:16 -05:00
Ethan P
909dc84bb6 Update broken link 2021-03-29 13:46:45 -04:00
Laura Coursen
a18cd74756 Fix typo 2021-03-29 12:42:09 -05:00
Laura Coursen
21576387f3 Add 💅 2021-03-29 12:41:48 -05:00
Laura Coursen
50523e0ac0 Clarify use cases for lgtm.com branch 2021-03-29 12:40:31 -05:00
Ethan P
d126c0a1d3 Fix broken links 2021-03-29 13:38:04 -04:00
Sarita Iyer
3db5dd4661 removed 1.23 instructions and replaced references
Removed special instructions for LGTM 1.23, and replaced leftover references to 1.23 with 1.27.
2021-03-29 13:37:55 -04:00
Sarah Edwards
108bcef104 download LGTM database from a project slug 2021-03-29 10:37:00 -07:00
Henry Mercer
0f710b1981 Merge pull request #5545 from github/henrymercer/ql-pack-version-doc-update
CodeQL CLI Docs: Mention that QL packs use SemVer versioning
2021-03-29 18:18:45 +01:00
Calum Grant
c26d05b1d5 Merge pull request #5532 from RasmusWL/python-cleanup
Python: Delete filter queries, code duplication library, and precision tag from metric queries
2021-03-29 17:16:43 +01:00
Mathias Vorreiter Pedersen
5a4efab742 C++: Add tests for shared_ptr. 2021-03-29 18:04:20 +02:00
Rasmus Wriedt Larsen
96a66fa4ee Python: Apply suggestions from code review 2021-03-29 17:02:56 +02:00
Asger Feldthaus
67ad6d9a0f JS: Update test output 2021-03-29 15:30:29 +01:00
Asger Feldthaus
faf07dac91 JS: Autoformat 2021-03-29 14:52:37 +01:00
Asger Feldthaus
3e26236648 JS: Add recursion guard test 2021-03-29 14:32:13 +01:00
Asger Feldthaus
2770a53d38 JS: More babel.transform steps 2021-03-29 13:00:23 +01:00
Asger Feldthaus
c103939c2d JS: Fix handling of createRequire 2021-03-29 12:47:23 +01:00
Asger Feldthaus
49ca88957c JS: Use types 2021-03-29 12:25:15 +01:00
Asger Feldthaus
603843e698 JS: Add task tests 2021-03-29 12:05:47 +01:00
CodeQL CI
3613ceb07f Merge pull request #5535 from tausbn/python-prevent-bad-TCs
Approved by yoff
2021-03-29 12:03:08 +01:00
Asger F
f1d0b50670 Update javascript/ql/src/semmle/javascript/frameworks/SQL.qll
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-03-29 11:54:45 +01:00
Asger Feldthaus
f453fe26c6 JS: Autoformat 2021-03-29 11:28:46 +01:00
Asger Feldthaus
b381f4826c JS: Add change note 2021-03-29 11:25:28 +01:00
Asger Feldthaus
149af57eac JS: Add model of pg-promise 2021-03-29 11:25:28 +01:00
Asger Feldthaus
88fee2748e JS: Add change note 2021-03-29 11:21:03 +01:00
Rasmus Wriedt Larsen
92e0e195a4 Revert "Merge pull request #5506 from tausbn/python-allow-absolute-imports-from-source-directory"
This reverts commit 8d15680af4, reversing
changes made to 63831cc62b.

This PR caused performance problems, so reverting now to clear up immediate
problems.
2021-03-27 18:08:20 +01:00
Geoffrey White
c6e7b8d4fd C++: Repair test. 2021-03-26 19:12:09 +00:00
Geoffrey White
4100d68a71 C++: Test failures. 2021-03-26 18:21:05 +00:00
Geoffrey White
725122decc C++: Replace toString logic. 2021-03-26 17:29:05 +00:00
Taus Brock-Nannestad
f17bbd9982 Python: Fix another bad TC.
This one is a bit awkward, since the previous version was supposed to
improve indexing. Unfortunately this is vastly outweighed by the slow
convergence of the TC. Right now we pay the cost of inverting the
`hasFlowSource` relation, but this is still cheaper.
2021-03-26 16:38:13 +01:00
Henry Mercer
c83daa66e7 CodeQL CLI Docs: Mention that QL packs use SemVer versioning 2021-03-26 15:30:23 +00:00
Mathias Vorreiter Pedersen
b466f0515d C++: Respond to more review comments. (1) Use getClassAndName to ensure a good join order, and (2) unify the two abstract predicates on PointerWrapper. 2021-03-26 16:16:23 +01:00
Mathias Vorreiter Pedersen
0ce08617ba C++: Respond to review comments. 2021-03-26 13:42:18 +01:00
Tom Hvitved
e345064a53 C#: Performance tweaks in SsaImplCommon.qll 2021-03-26 13:24:34 +01:00
Jonas Jensen
7f16c52217 Merge pull request #3364 from github/rdmarsh/cpp/use-taint-configuration-dtt
C++: use TaintTracking::Configuration in DefaultTaintTracking
2021-03-26 12:39:25 +01:00
Tom Hvitved
1dbfe2369d Merge pull request #5542 from hvitved/csharp/update-suites
C#: Remove deleted queries from suites
2021-03-26 12:13:09 +01:00
CodeQL CI
f584ff9acf Merge pull request #5533 from asgerf/js/fix-query-metadata
Approved by esbena
2021-03-26 11:09:54 +00:00
Mathias Vorreiter Pedersen
8dc7b6403a C++: Add shared_ptr and unique_ptr implementations. Also add some very basic tests. 2021-03-26 12:03:59 +01:00
Mathias Vorreiter Pedersen
d20a0c9e82 C++: Add a class that models wrapped pointer types. 2021-03-26 11:50:06 +01:00
Asger Feldthaus
cc2a531684 JS: Cache PropRef.getBase 2021-03-26 10:48:25 +00:00
Tom Hvitved
9d1ef21d85 C#: Remove deleted queries from suites 2021-03-26 11:17:27 +01:00
Mathias Vorreiter Pedersen
c7c65736a9 C++: Accept test changes. These happened because of the incorrect usage of multiple configurations in 6c1ec6d96b. 2021-03-26 10:57:58 +01:00
Jonas Jensen
86755c6a98 Merge pull request #5515 from criemen/fix-query-metadata
C++: Fix query metadata warnings.
2021-03-26 10:19:46 +01:00
Anders Schack-Mulligen
506c95d098 Merge pull request #5372 from smowton/smowton/feature/commons-lang-models-to-csv
Java: Convert existing Commons Lang models to CSV
2021-03-26 10:18:23 +01:00
Tom Hvitved
d4ce42ac4f Merge pull request #5416 from hvitved/csharp/rework-summaries
C#: Rework flow summary implementation
2021-03-26 09:47:15 +01:00
Tom Hvitved
e93b72d563 Merge pull request #5459 from hvitved/csharp/update-nuget
C#: Update more nuget packages
2021-03-26 09:28:09 +01:00
Mathias Vorreiter Pedersen
983b64a05f Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-26 09:11:12 +01:00
Tom Hvitved
57fd2e3578 C#: Rename parameter in fieldOf() 2021-03-26 08:49:06 +01:00
yoff
208d5157fa Merge pull request #5500 from RasmusWL/django-forms
Python: Model RemoteFlowSources on Django forms/fields
2021-03-25 20:43:19 +01:00
Taus Brock-Nannestad
c2f112cb92 Python: Filter _before_ the cartesian product
It's always a sad thing to see a good plan go wrong:

86860032 ~0%      {4} r26 = JOIN r19 WITH DataFlowPublic::TupleElementContent#class#ff CARTESIAN PRODUCT OUTPUT Lhs.0 'nodeFrom', Lhs.1 'nodeTo', Rhs.0, Rhs.1
129256   ~3%      {4} r27 = SELECT r26 ON In.3 <= 7
129256   ~0%      {3} r28 = SCAN r27 OUTPUT In.0 'nodeFrom', In.2 'c', In.1 'nodeTo'

Happily, now it looks like this:

129256  ~0%      {3} r20 = JOIN r19 WITH DataFlowPrivate::small_tuple#f CARTESIAN PRODUCT OUTPUT Lhs.0 'nodeFrom', Rhs.0, Lhs.1 'nodeTo'
2021-03-25 19:06:05 +01:00
Erik Krogh Kristensen
5e59f6d558 Update javascript/ql/src/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentCustomizations.qll
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2021-03-25 19:03:37 +01:00
Taus Brock-Nannestad
8734df334b Python: Slight cleanup 2021-03-25 18:35:16 +01:00
Taus Brock-Nannestad
229250dc54 Python: Limit size of TupleElementContent
A more principled approach is possible here, but in the short term
this will prevent an explosion.

For reference, openstack/cinder has roughly 19000 `ForTarget`s and
tuples of size up to 5300, and we were calculating the cartesian
product of these.
2021-03-25 18:28:49 +01:00
yoff
716e0f1404 Merge pull request #5517 from tausbn/python-prevent-potentially-bad-join-order
Python: Prevent potentially bad join order
2021-03-25 18:14:47 +01:00
Tom Hvitved
f100c8a9c0 C++: Make Windows autobuilder tests pass again 2021-03-25 17:43:48 +01:00
Tom Hvitved
ed78acb1d4 C#: Update more nuget packages 2021-03-25 17:32:12 +01:00
Taus Brock-Nannestad
dbef36cbbb Python: Prevent bad TC and add a bit of caching
Using `simpleLocalFlowStep+` with the first argument specialised to
`CfgNode` was causing the compiler to turn this into a very slowly
converging manual TC computation.

Instead, we use `simpleLocalFlowStep*` (which is fast) and then join
that with a single step from any `CfgNode`. This should amount to the
same thing.

I also noticed that the charpred for `LocalSourceNode` was getting
recomputed a lot, so this is now cached. (The recomputation was
especially bad since it relied on `simpleLocalFlowStep+`, but anyway
it's a good idea not to recompute this.)
2021-03-25 17:28:37 +01:00
Chris Smowton
eaa2d4d831 Stop using wildcard Argument
All instances are replaced with a specific Argument or range.
2021-03-25 15:42:35 +00:00
Chris Smowton
2f34588770 Constructor models: use Argument[-1] for the result, not ReturnValue 2021-03-25 15:23:08 +00:00
Asger Feldthaus
a456458a38 JS: Add change note for code duplication library removal 2021-03-25 15:21:48 +00:00
Asger Feldthaus
446ad5ec9e JS: Remove code duplication library 2021-03-25 15:20:59 +00:00
Asger Feldthaus
c812bd948a JS: Add @problem.severity to an example query 2021-03-25 15:14:48 +00:00
Asger Feldthaus
7aae51c876 JS: Add change note for filter query removal 2021-03-25 15:13:51 +00:00
Anders Schack-Mulligen
28fb0edfbe Merge pull request #4920 from luchua-bc/java/hash-without-salt
Java: Query to detect hash without salt
2021-03-25 16:13:26 +01:00
Asger Feldthaus
6cab85712f JS: Delete filter queries 2021-03-25 15:12:35 +00:00
Asger Feldthaus
1c27ca610a JS: Remove precision atags from metric queries 2021-03-25 15:12:09 +00:00
Chris Smowton
a5220bf616 Convert StrBuilder models to CSV 2021-03-25 15:11:52 +00:00
Chris Smowton
25a0e09130 Convert StringUtils models to CSV 2021-03-25 15:11:52 +00:00
Chris Smowton
1beac06236 Translate ArrayUtils models to CSV 2021-03-25 15:11:51 +00:00
Chris Smowton
7fb5bd0cab Add tests for and slightly expand models of Commons Lang's ArrayUtils class 2021-03-25 15:11:51 +00:00
Rasmus Wriedt Larsen
9abe02f419 Python: Fix query metadata for old queries that have been ported
I'm not sure even I want to keep these around much longer. They seem to be
causing more problem than they are doing good.
2021-03-25 16:01:56 +01:00
Jonas Jensen
bc9682c22d Merge pull request #5528 from MathiasVP/fix-join-order-in-avrule-79
C++: Fix join order in AV rule 79
2021-03-25 15:45:41 +01:00
Rasmus Wriedt Larsen
ed2cb739c5 Merge pull request #5486 from yoff/python-document-api-import-node
Python, doc: Note ephemeral nature of import nodes
2021-03-25 15:45:10 +01:00
Anders Schack-Mulligen
344c2d3c3d Update java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql 2021-03-25 15:42:57 +01:00
Tom Hvitved
90868a4788 Merge pull request #5524 from hvitved/csharp/cleanup
C#: Remove legacy queries and `@precision` tags from metric queries
2021-03-25 15:36:12 +01:00
Rasmus Wriedt Larsen
203b0e3d88 Python: Add change note 2021-03-25 15:34:09 +01:00
Tom Hvitved
cdd613358b C#: Sync SSA files 2021-03-25 15:33:06 +01:00
Tom Hvitved
7e20829f36 Merge remote-tracking branch 'upstream/main' into csharp/rework-summaries 2021-03-25 15:32:32 +01:00
Tom Hvitved
6a3859fc83 C#: Remove unnecessary pre call in FlowSummaryImpl.qll 2021-03-25 15:31:43 +01:00
Rasmus Wriedt Larsen
bd4934380a Python: Remove code duplication library 2021-03-25 15:27:55 +01:00
Tom Hvitved
33c990f6b0 Merge pull request #5440 from hvitved/csharp/cil/ssa
C#: Add CIL SSA library
2021-03-25 15:22:40 +01:00
Erik Krogh Kristensen
3d49b8cb91 consider quoted string concatenations as sanitizers for js/shell-command-injection-from-environment 2021-03-25 15:17:02 +01:00
yo-h
0fe4baec34 Merge pull request #5525 from aschackmull/java/cleanup
Java: Delete filter queries, code duplication library, and precision tag from metric queries.
2021-03-25 10:09:41 -04:00
Rasmus Wriedt Larsen
09fbf480db Python: Remove precision tag from metric queries 2021-03-25 15:06:47 +01:00
Rasmus Wriedt Larsen
e3b2e0a1de Python: Delete filter queries 2021-03-25 15:06:46 +01:00
Erik Krogh Kristensen
3b82452d76 detect fs modules that pass through a reduce call 2021-03-25 14:47:43 +01:00
Anders Schack-Mulligen
75afa011ff Java: Add metadata to several more experimental queries. 2021-03-25 13:09:26 +01:00
CodeQL CI
e90035a5a5 Merge pull request #5439 from erik-krogh/topPack
Approved by esbena
2021-03-25 11:49:03 +00:00
Mathias Vorreiter Pedersen
24360d3a4c C++: Fix join order in AV rule 79 by joining with GVN after the recursive call. 2021-03-25 12:00:49 +01:00
Erik Krogh Kristensen
77ba7b473d Merge branch 'main' into topPack 2021-03-25 11:52:58 +01:00
CodeQL CI
0511e72520 Merge pull request #5458 from erik-krogh/shellTrue
Approved by asgerf
2021-03-25 10:49:24 +00:00
Tom Hvitved
6bfc49c069 C#: Address review comments 2021-03-25 11:43:25 +01:00
yoff
32b264bdee Apply suggestions from code review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2021-03-25 10:48:59 +01:00
Anders Schack-Mulligen
d53c334488 Merge branch 'java/fix-experimental-query-metadata' into java/cleanup 2021-03-25 10:36:36 +01:00
Anders Schack-Mulligen
28ff3f412d Java: Add severity and precision metadata to experimental queries. 2021-03-25 10:29:47 +01:00
Cornelius Riemenschneider
867471b122 C++: Delete old queries. 2021-03-25 10:23:17 +01:00
CodeQL CI
9d52db3ca7 Merge pull request #5507 from erik-krogh/joins
Approved by asgerf
2021-03-25 09:18:26 +00:00
Anders Schack-Mulligen
5b905cfe18 Java: Add change note for code duplication library removal. 2021-03-25 10:12:58 +01:00
Anders Schack-Mulligen
1564aee57a Java: Add change note for filter query removal. 2021-03-25 10:11:30 +01:00
Anders Schack-Mulligen
c82b5eb040 Java: Remove code duplication library. 2021-03-25 10:06:10 +01:00
Asger Feldthaus
dbc6cf63c2 JS: Fix bad join order in PropertyProjection 2021-03-25 09:00:10 +00:00
Asger Feldthaus
bd3f6d1234 JS: Add o[o.length] = y taint step 2021-03-25 09:00:10 +00:00
Asger Feldthaus
51f489211b JS: Support react-native-base64 2021-03-25 09:00:10 +00:00
Asger Feldthaus
5d9778c64d JS: Step through babel.transform 2021-03-25 09:00:10 +00:00
Asger Feldthaus
3e67ebacb0 JS: Support lodash-es 2021-03-25 09:00:10 +00:00
Erik Krogh Kristensen
3b6b40489f Merge branch 'main' into topPack 2021-03-25 09:58:15 +01:00
Anders Schack-Mulligen
4b7440d4d5 Java: Remove precision tag from metric queries. 2021-03-25 09:52:05 +01:00
Tom Hvitved
419fbe77ab C#: Remove @precision tags from metric queries 2021-03-25 09:50:24 +01:00
Tom Hvitved
b83da2255c C#: Add change note 2021-03-25 09:50:24 +01:00
Tom Hvitved
b94c189946 C#: Remove VulnerablePackage.ql query 2021-03-25 09:50:24 +01:00
Tom Hvitved
7e33b571c9 C#: Add change note 2021-03-25 09:50:24 +01:00
Tom Hvitved
eeb8c74666 C#: Remove filter and external queries
These are legacy queries that are no longer used.
2021-03-25 09:50:01 +01:00
Anders Schack-Mulligen
70824b3f0b Java: Delete filter queries. 2021-03-25 09:47:31 +01:00
Esben Sparre Andreasen
801eb538db Merge pull request #5514 from github/aibaars/fix-javascript-metadata
Javascript: remove bad QLDoc tag
2021-03-25 08:56:08 +01:00
Taus Brock-Nannestad
0ae8b69102 Python: Prevent joining on scope in PointsToContext::appliesTo
One of those cases where I _wish_ `pragma[inline]` also meant "don't
join on the stuff inside this predicate -- it's inlined for a reason".

Unsurprisingly, joining on the scope first works poorly.
2021-03-24 23:12:48 +01:00
Taus Brock-Nannestad
28d6cad3d0 Python: Prevent joining on name as the first thing
Many instances of `lookup` are restricted by the presence of
`attributeRequired`, but this does not work well if we join on
`name`. A few instances of `only_bind_into` prevents this.
2021-03-24 23:11:09 +01:00
yo-h
72ae902e0d Merge pull request #5371 from aschackmull/java/framework-coverage
Java: Add query for CSV framework coverage.
2021-03-24 17:36:13 -04:00
Erik Krogh Kristensen
c146b27c1a Merge branch 'main' into shellTrue 2021-03-24 20:09:23 +01:00
CodeQL CI
8ff9c98d26 Merge pull request #5449 from erik-krogh/asExec
Approved by esbena
2021-03-24 19:04:30 +00:00
Aditya Sharad
32dc894d54 Merge pull request #5516 from github/adityasharad/actions/remove-docs-review-workflow
Actions: Remove docs-review workflow
2021-03-24 11:48:03 -07:00
Aditya Sharad
a0465d20cb Actions: Remove docs-review workflow
Being replaced by internal automation that polls the repo for open labelled PRs, since this workflow currently cannot tag the docs team in a comment.
2021-03-24 11:26:00 -07:00
Taus Brock-Nannestad
ed8ffab356 Python: Prevent potentially bad join order
This has no effect on the current compilation (indeed,
`ssa_filter_definition_bool` is not currently inlined), but will
prevent this from ever occurring, should the heuristics for inlining
ever change...
2021-03-24 19:20:19 +01:00
Cornelius Riemenschneider
47530d7526 C++: Fix query metadata warnings. 2021-03-24 18:01:21 +01:00
Arthur Baars
b25dc03dac Javascript: remove bad QLDoc tag 2021-03-24 16:47:27 +01:00
Asger Feldthaus
e13a9c9716 JS: Avoid recursion through SourceNode::Range, again 2021-03-24 15:26:50 +00:00
Anders Schack-Mulligen
d3485cac34 Merge pull request #5512 from aschackmull/java/csv-argument-ranges
Java: Support argument and parameter ranges in CSV models.
2021-03-24 15:03:22 +01:00
yoff
8d15680af4 Merge pull request #5506 from tausbn/python-allow-absolute-imports-from-source-directory
Python: Allow absolute imports in directories with scripts
2021-03-24 14:42:14 +01:00
Anders Schack-Mulligen
4955f95f64 Apply suggestions from code review
Clarify documentation.

Co-authored-by: Chris Smowton <smowton@github.com>
2021-03-24 14:32:18 +01:00
Anders Schack-Mulligen
63831cc62b Merge pull request #5099 from porcupineyhairs/javaLogInjection
Java : Add Log Injection Vulnerability
2021-03-24 14:30:34 +01:00
yoff
b023d73016 Merge pull request #5504 from RasmusWL/type-tracking-first-predicate-private
Python: Ensure first type-tracking predicate is private
2021-03-24 14:23:27 +01:00
Rasmus Wriedt Larsen
1473778bb8 Merge pull request #5493 from yoff/python-add-experimental-structure
Python: Add stub structure to `experimental` for external contributions
2021-03-24 14:11:13 +01:00
Rasmus Wriedt Larsen
70974ea197 Python: Fix grammar in QLDoc
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-03-24 14:06:06 +01:00
Taus Brock-Nannestad
47686a6e4c Python: Disregard all files matching .py% 2021-03-24 14:03:00 +01:00
Taus Brock-Nannestad
8d30ee5c3c Python: Include unmarked Python file in snapshot
Sadly, it seems we're not interpreting this as Python code, even if we
explicitly ask to have it included.
2021-03-24 14:01:13 +01:00
Anders Schack-Mulligen
a1ccbcdaf1 Merge pull request #5260 from artem-smotrakov/spring-http-invoker
Java: Query for detecting unsafe deserialization with Spring exporters
2021-03-24 13:57:17 +01:00
Asger Feldthaus
de879c0707 JS: Make PropRef.getBase non-recursive 2021-03-24 12:57:16 +00:00
Asger Feldthaus
2f2d72f282 JS: Improve react-router support 2021-03-24 12:53:26 +00:00
Asger Feldthaus
88932a495c JS: Handle redux-form HOCs 2021-03-24 12:53:26 +00:00
Rasmus Wriedt Larsen
59200386a7 Python: Fix mistake in refactor 2021-03-24 13:51:29 +01:00
Tom Hvitved
f2fb26df37 C#: Document input/output stack restrictions 2021-03-24 13:48:32 +01:00
CodeQL CI
e3ab94fc6b Merge pull request #5498 from asgerf/js/flow-through-accessors
Approved by erik-krogh, max-schaefer
2021-03-24 12:46:05 +00:00
Anders Schack-Mulligen
41168e2b36 Java: Support argument and parameter ranges. 2021-03-24 13:32:30 +01:00
Anders Schack-Mulligen
234f62fd05 Java: Merge packages that likely belong to the same framework. 2021-03-24 13:17:04 +01:00
Taus Brock-Nannestad
6d86239929 Python: Test all cases
Note that the test in `no_py_extension` isn't complete, since we're
not extracting the `main` file there.
2021-03-24 13:15:59 +01:00
Erik Krogh Kristensen
9610ed163a remove SourceNode type to preserve behavior 2021-03-24 11:59:56 +01:00
CodeQL CI
12a6410a0a Merge pull request #5478 from asgerf/js/shared-flow-step
Approved by erik-krogh
2021-03-24 10:58:30 +00:00
Tom Hvitved
c5c80204d5 C#: Rework flow summary implementation 2021-03-24 11:27:01 +01:00
Tom Hvitved
c96b8301ed C#: Add change note 2021-03-24 09:58:44 +01:00
Anders Schack-Mulligen
02a5c0875e Merge pull request #5502 from smowton/smowton/fix/less-fluent-method-inferred-edges
Java: partial revert: only introduce inferred taint edges from callsite-crossing value edges if an original taint edge targets the *start* of the value edge.
2021-03-24 08:41:51 +01:00
Rasmus Lerchedahl Petersen
a9af135d7e Python: Remove getALocalTaintSource
and `taintFlowsTo` for now..
2021-03-24 01:22:21 +01:00
yoff
ac0430883a Update docs/codeql/codeql-language-guides/using-api-graphs-in-python.rst
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-03-24 01:08:12 +01:00
yoff
61cff8faed Update python/ql/src/experimental/semmle/python/Concepts.qll
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-03-24 01:06:03 +01:00
Erik Krogh Kristensen
b8bfdcc719 improve performance in ServiceDefinitions by inlining, and refactoring away a SourceNode 2021-03-23 19:13:40 +01:00
Erik Krogh Kristensen
93bcc3724a use pragma to improve 2 join-orders in TaintTracking 2021-03-23 19:12:33 +01:00
Taus Brock-Nannestad
17d1768259 Python: Allow absolute imports in directories with scripts
Fixes the import logic to account for absolute imports.

We do this by classifying which files and folders may serve as the
entry point for execution, based on a few simple heuristics. If the
file `module.py` is in the same folder as a file `main.py` that may be
executed directly, then we allow `module` to be a valid name for
`module.py` so that `import module` will work as expected.
2021-03-23 18:32:17 +01:00
Taus Brock-Nannestad
4289e358bf Python: Add module import test case
This one will require some explanation...

First, the file structure. This commit adds a test consisting
representing a few different kinds of imports.

- Absolute imports, from `module.py` to `main.py` when the latter is
  executed directly.
- A package (contained in the `package` folder)
- A namespace package (contained in the `namespace_package` folder)

All of these are inside a folder called `code` for reasons I will
detail later.

The file `main.py` is identified as a script, by the presence of the
`!#` comment in its first line.

The files themselves are executable, and `python3 main.py` will print
out all modules in the order they are imported.

The test itself is very simple. It simply lists all modules and their
corresponding names. As is plainly visible, without modification we
only pick up `package` and its component modules as having names. This
is the bit that needs to be fixed.

Convincing the test runner to extract this test in a way that mimics
reality is, unfortunately, a bit complicated. By default, the test
runner itself includes any Python files in the test directory as
modules in the invocation of the extractor, and so we must hide
everything in the `code` subdirectory.

Secondly, a `--path` argument (set to the test directory) is
automatically added, and this would also interfere with extraction,
and hence we must prevent this. Luckily, if we supply our own `--path`
argument -- even if it doesn't make any sense -- then the other
argument is left out.

Finally, we must actually tell the extractor to extract the files (or
it would just happily pass the test with zero files extracted), so the
`-R .` argument ensures that we recurse over the files in the test
directory after all.
2021-03-23 18:21:58 +01:00
Tom Hvitved
6d6150d051 C#: Change some data-flow toString()s 2021-03-23 16:42:58 +01:00
Rasmus Wriedt Larsen
deefbefffc Python: Minor refactor to use CallCfgNode 2021-03-23 16:42:41 +01:00
Rasmus Wriedt Larsen
1f5e52e822 Python: Cleanup "first" type-tracking predicate to be private
Since it's exposed nicely in the version that doesn't have a
`DataFlow::TypeTracker` parameter, these should be private.

Also found one instance where I had accidentially used DataFlow::Node instead of
LocalSourceNode
2021-03-23 16:40:56 +01:00
Asger Feldthaus
98cee7d339 JS: Update Collection step test and its output 2021-03-23 14:53:15 +00:00
Asger Feldthaus
c067d519d9 JS: Inline some public predicates in GlobalAccessPaths 2021-03-23 14:53:15 +00:00
Asger Feldthaus
61e89d4841 JS: Cache StepSummary and PropertyName 2021-03-23 14:53:14 +00:00
Asger Feldthaus
0056c39bdd JS: Deprecate AdditionalFlowStep 2021-03-23 14:53:14 +00:00
Asger Feldthaus
9e6aac8ef4 JS: Deprecate CollectionFlowStep 2021-03-23 14:53:14 +00:00
Asger Feldthaus
f8f3770a58 JS: BadRandomness can just use type-tracking now 2021-03-23 14:53:14 +00:00
Asger Feldthaus
52c2e37aca JS: Update CollectionStep usage in HTTP 2021-03-23 14:53:14 +00:00
Asger Feldthaus
2759d53f42 JS: SetKeys 2021-03-23 14:53:14 +00:00
Asger Feldthaus
c5ddd40dc3 JS: MapAndSetValues 2021-03-23 14:53:14 +00:00
Asger Feldthaus
9abaad65c6 JS: MapSet 2021-03-23 14:53:14 +00:00
Asger Feldthaus
530be38b84 JS: MapGet 2021-03-23 14:53:14 +00:00
Asger Feldthaus
4a45731c85 JS: SetMapForEach 2021-03-23 14:53:14 +00:00
Asger Feldthaus
c9c99464cf JS: ForOfStep (unify with Arrays version) 2021-03-23 14:53:13 +00:00
Asger Feldthaus
1a5eede39f JS: SetConstructor 2021-03-23 14:53:13 +00:00
Asger Feldthaus
5c9a239776 JS: SetAdd 2021-03-23 14:53:13 +00:00
Asger Feldthaus
98398a9efd JS: add two-prop version of loadStoreStep and infer pseudo properties
Initial step towards migrating CollectionFlowStep to PreCallGraphStep
2021-03-23 14:53:13 +00:00
Asger Feldthaus
67ec5d325c JS: Stop caching AdditionalFlowStep 2021-03-23 14:53:13 +00:00
Asger Feldthaus
adaf3234ec JS: IteratorExceptionStep 2021-03-23 14:53:13 +00:00
Asger Feldthaus
7021be05c5 JS: FlowStepThroughImport 2021-03-23 14:53:13 +00:00
Asger Feldthaus
52279d4bea JS: Rename some test predicates to reflect reality 2021-03-23 14:53:13 +00:00
Asger Feldthaus
fae907df65 JS: Update some uses in tests 2021-03-23 14:53:13 +00:00
Asger Feldthaus
bda074835e JS: Replace uses in ExternalApiUsedWithUntrustedData 2021-03-23 14:53:12 +00:00
Asger Feldthaus
2012e97842 JS: NextJSStaticReactComponentPropsStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
64c7d4e597 JS: NextJSStaticPropsStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
0035defd72 JS: ExceptionStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
5051f10586 JS: ImmutableConstructionStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
3e54136086 JS: Rename EventEmitterFlowStep to reflect reality 2021-03-23 14:53:12 +00:00
Asger Feldthaus
5fe3c1a0a9 JS: EventEmitterTaintStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
3a2f87f0a7 JS: AdditionalTypeTrackingStep -> SharedTypeTrackingStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
b8049f19e2 JS: SharedFlowStepFromPreCallGraph 2021-03-23 14:53:12 +00:00
Asger Feldthaus
8f750d4ad3 JS: UrlSearchParamsTaintStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
f84a05526d JS: ArraySliceStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
633152940c JS: ArrayConcatStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
17d1e6d614 JS: ArraySpliceStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
5d6c6b4b9b JS: ArrayCreationStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
5bfd2ad07f JS: ArrayPopStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
36a8134490 JS: ArrayIndexingAccess 2021-03-23 14:53:11 +00:00
Asger Feldthaus
b7ae62c3a3 JS: ArrayAppendStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
1c815f12da JS: ArrayCopySpread 2021-03-23 14:53:11 +00:00
Asger Feldthaus
151420fd0f JS: ArrayFrom 2021-03-23 14:53:11 +00:00
Asger Feldthaus
e42f8439de JS: Replace uses of AdditionalFlowStep with SharedFlowStep 2021-03-23 14:53:10 +00:00
Asger Feldthaus
24539dc0ee JS: Remove unneeded default case in loadStoreStep 2021-03-23 14:53:10 +00:00
CodeQL CI
a43bb1fb6d Merge pull request #5499 from asgerf/js/non-recursive-sourcenode
Approved by erik-krogh
2021-03-23 14:52:10 +00:00
Asger Feldthaus
23d2f11840 JS: Handle inheritance 2021-03-23 14:39:37 +00:00
Chris Smowton
fa90655dd0 Partial revert: only introduce inferred taint edges from callsite-crossing value edges if an original taint edge targets the *start* of the value edge.
Previously we would also take a taint edge targeting a result and a value-preserving edge propagating another argument to the result to imply a taint edge targeting that argument.
2021-03-23 14:35:03 +00:00
Asger Feldthaus
3d94ccf5dd JS: Support accessor-calls in object literals via local flow 2021-03-23 14:16:06 +00:00
Mathias Vorreiter Pedersen
ce638096de Merge pull request #5492 from geoffw0/samateissue
C++: Test taint regression
2021-03-23 14:01:03 +01:00
Rasmus Wriedt Larsen
f2bc413318 Python: remove single commented out line of code 2021-03-23 14:00:38 +01:00
Tom Hvitved
3c26779f40 Merge pull request #5415 from tamasvajk/feature/async-flow
C#: add store step for return statements inside async methods
2021-03-23 13:59:19 +01:00
Rasmus Wriedt Larsen
a4924856a2 Python: Model known form/field subclasses in Django
I used some ad-hoc QL queries to help me find all these extra instances, but not
quite ready to share that code yet :P
2021-03-23 13:57:39 +01:00
Rasmus Wriedt Larsen
8d0f6086af Python: Model django forms/fields
I'm not feeling 100% confident about `SelfRefMixin`, but since I needed it for
both DjangoViewClass and DjangoFormClass, I wanted to avoid copy-pasting this
code around. However, I'm not so opitimistic about it that I want to add it to a
sharable utility qll file :D
2021-03-23 13:57:38 +01:00
Anders Schack-Mulligen
27408fefe2 Merge pull request #5008 from torque59/cwe-346
Java: Queries to detect remote source flow origins to CORS header.
2021-03-23 13:54:00 +01:00
Anders Schack-Mulligen
9a56601dd3 Merge pull request #5164 from luchua-bc/java/insecure-ldap-endpoint
Java: CWE-297 Query to detect insecure LDAP endpoint configuration
2021-03-23 13:53:51 +01:00
Asger Feldthaus
b5be9d07aa JS: Add change note 2021-03-23 12:51:14 +00:00
Geoffrey White
b38a9d51e6 C++: Effect of 'Don't override getParameterSizeIndex in the model for Accept'... 2021-03-23 12:26:59 +00:00
Geoffrey White
13eb9e0833 C++: Fix the test. 2021-03-23 12:26:58 +00:00
Geoffrey White
30e1b88b7f C++: Extend test. 2021-03-23 12:26:58 +00:00
Asger Feldthaus
6c8b4a82c1 JS: Autoformat 2021-03-23 11:55:37 +00:00
Geoffrey White
da08c6e63e Merge pull request #5496 from MathiasVP/accept-model-getParameterSizeIndex-should-be-none
C++: Don't override getParameterSizeIndex in Accept
2021-03-23 11:42:50 +00:00
Asger Feldthaus
98143b071d JS: Autoformat 2021-03-23 11:26:29 +00:00
Anders Schack-Mulligen
1e6b5391d6 Merge pull request #4994 from haby0/main
Java: CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
2021-03-23 12:05:53 +01:00
Taus
b46a3616d8 Merge pull request #5490 from RasmusWL/private-imports
Python: Make import private for better auto-complete
2021-03-23 12:00:35 +01:00
Mathias Vorreiter Pedersen
585606a933 C++: Respond to review comments. 2021-03-23 11:14:29 +01:00
Mathias Vorreiter Pedersen
0b4650a4c9 C++: Accept test changes. 2021-03-23 10:27:19 +01:00
Tom Hvitved
20aa05b090 C#: Add CIL SSA library 2021-03-23 10:07:36 +01:00
Mathias Vorreiter Pedersen
7d0cfc69f1 C++: Don't override getParameterSizeIndex in the model for Accept. This fixes IR construction of calls to accept. 2021-03-23 09:53:09 +01:00
Mathias Vorreiter Pedersen
0ff7cc845c C++: Add reduced testcase that broke IR construction in #5492. 2021-03-23 09:53:04 +01:00
yoff
921b560e89 Merge pull request #5489 from tausbn/python-make-getacall-return-a-callcfgnode
Python: Make `API::Node::getACall` return a `CallCfgNode`
2021-03-23 09:31:38 +01:00
Rasmus Lerchedahl Petersen
198a4ca79b Python: Add files to experimental 2021-03-22 21:42:06 +01:00
Marcono1234
993999f64f Java: Add test for negative numeric literals 2021-03-22 17:43:34 +01:00
Asger Feldthaus
6b19e69d30 JS: Fix some join orders 2021-03-22 16:17:19 +00:00
Rasmus Wriedt Larsen
1890e63d4c Python: Make import private for better auto-complete
With the non-private imports, auto-completing on `API::` gave ALL results
available from `import python`, as well as the ones specified in the `API`
module.

The non-private import in Attributes.qll did the same for `DataFlow::`.
2021-03-22 16:45:44 +01:00
Taus Brock-Nannestad
4a6589d0ae Python: Make API::Node::getACall return a CallCfgNode
This should eliminate the need for explicit casting to
`CallCfgNode` (which does not appear in our code as far as I can see,
but was observed in an external contribution).
2021-03-22 16:37:24 +01:00
Asger Feldthaus
42e6c7eb2e JS: Remove field from InvokeNode 2021-03-22 15:19:31 +00:00
Asger Feldthaus
c03e9d6c75 JS: Address review comments 2021-03-22 15:19:31 +00:00
Asger Feldthaus
5bfdca895b JS: Remove recursive def of SourceNode::Range 2021-03-22 15:07:38 +00:00
Asger Feldthaus
230b9cf5d3 JS: Avoid recursion in SourceNode::Range 2021-03-22 15:07:38 +00:00
Rasmus Lerchedahl Petersen
c1e3ccfb6c Python, doc: Note ephemeral nature of import nodes 2021-03-22 15:07:51 +01:00
Tamas Vajk
7a0bfd1a69 Skip through any stub preamble 2021-03-22 12:29:13 +01:00
Asger Feldthaus
54a91c73b0 JS: Tweak summarizedHigherOrderCall 2021-03-22 10:56:03 +00:00
Mathias Vorreiter Pedersen
d09458a486 C++: Add another taint tracking copy to identical-files.json 2021-03-22 11:35:59 +01:00
Mathias Vorreiter Pedersen
7ec86b5e7f C++: AdjustedConfiguration should not extend the same dataflow configuration as FromGlobalVarTaintTrackingCfg as this causes multiple configurations to be in scope for dataflow. 2021-03-22 11:35:29 +01:00
haby0
fe046ec71e Merge remote-tracking branch 'upstream/main' into main 2021-03-22 17:25:37 +08:00
Rasmus Wriedt Larsen
3a83ecf067 Python: Add test for taint in django forms/fields 2021-03-22 10:03:32 +01:00
Rasmus Wriedt Larsen
f800bf243f Python: Better text for getSourceType in Django 2021-03-22 01:39:19 +01:00
Marcono1234
1534b387bb Java: Improve documentation regarding minus in front of numeric literals 2021-03-22 00:54:14 +01:00
Asger Feldthaus
a54e810804 JS: Include accessor-calls in CallGraph.ql 2021-03-20 13:59:38 +00:00
Asger Feldthaus
f4a476ea4e JS: Change type ValueNode -> Node 2021-03-20 09:05:04 +00:00
Asger Feldthaus
405c1f3fc7 JS: Update test suite 2021-03-19 16:45:31 +00:00
Asger Feldthaus
fa2ae1420a JS: Rename Diagnostics folder to Summary 2021-03-19 16:43:23 +00:00
Asger Feldthaus
347cbe422d JS: Remove the other summary queries 2021-03-19 16:42:43 +00:00
Asger Feldthaus
0c0556bb38 JS: Update LinesOfCode.ql to match the style from C++ 2021-03-19 16:42:05 +00:00
Asger Feldthaus
6ca425f033 JS: Implement new metric queries for line counting 2021-03-19 16:34:29 +00:00
Asger Feldthaus
ea8c8df653 JS: Fix bad join orders in summarizedHigherOrderCall 2021-03-19 15:30:49 +00:00
Mathias Vorreiter Pedersen
6c1ec6d96b C++: Accept test changes. 2021-03-19 16:09:05 +01:00
Erik Krogh Kristensen
8949b9eb0a add shell interpreted arrays as sinks for js/shell-command-constructed-from-input 2021-03-19 15:59:06 +01:00
Asger Feldthaus
01fd00de56 JS: Fix join order in argumentPassing 2021-03-19 11:49:06 +00:00
Asger F
2f3d516413 JS: Track flow into ES accessors 2021-03-19 11:11:25 +00:00
Asger F
4f46908224 JS: Add test with ES getters/setters 2021-03-19 11:07:15 +00:00
Tamas Vajk
79d6731ed8 C#: Adjust make_stubs.py to use codeql instead of odasa 2021-03-19 11:01:28 +01:00
Erik Krogh Kristensen
36b0ab1de5 Apply suggestions from code review
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-03-19 10:29:38 +01:00
Erik Krogh Kristensen
a28a36ab29 add change-note 2021-03-19 10:10:56 +01:00
Erik Krogh Kristensen
e90fb1a225 reuse classes modelling standard library functions 2021-03-19 10:09:33 +01:00
Erik Krogh Kristensen
d489d63b8e recognize object transformations in module.exports when looking for library inputs 2021-03-18 20:54:33 +01:00
Erik Krogh Kristensen
28ad667578 add model for async-execute 2021-03-18 19:40:46 +01:00
Erik Krogh Kristensen
af5a61782c also look for main modules in a lib folder 2021-03-18 14:51:11 +01:00
Erik Krogh Kristensen
0e98ea0c10 remove spurious import of PackageExports 2021-03-18 14:09:08 +01:00
Erik Krogh Kristensen
67a5831ac0 update expected output 2021-03-18 13:59:44 +01:00
Erik Krogh Kristensen
c0bb169342 recognize a src/index.js file as a main module for a package 2021-03-18 13:41:36 +01:00
Erik Krogh Kristensen
add0c88530 loosen the requirement that the package.json file must be the top-most package.json 2021-03-18 13:39:12 +01:00
Erik Krogh Kristensen
d998d06b94 add link to source in alert-message for js/shell-command-constructed-from-input 2021-03-18 13:37:18 +01:00
Porcuiney Hairs
a88c3682ff remove sanitiserGuards 2021-03-18 16:12:00 +05:30
Porcuiney Hairs
84c9137152 Include suggestions from review 2021-03-18 16:12:00 +05:30
porcupineyhairs
f27d2bdf6d Update java/ql/src/experimental/semmle/code/java/Logging.qll
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-03-18 16:12:00 +05:30
Porcuiney Hairs
d0c82d3756 Add flogger and android logging support 2021-03-18 16:12:00 +05:30
Porcuiney Hairs
17d7ba8049 Add Log Injection Vulnerability 2021-03-18 16:12:00 +05:30
Rasmus Lerchedahl Petersen
b3ff3f7ee7 PythonÆ adjust test expectations
I suspect it has to do with ParameterNode being a LocalSourceNode,
but I really have no idea...
2021-03-17 15:11:17 +01:00
Rasmus Lerchedahl Petersen
8f467003d2 Python: More review suggestions 2021-03-17 15:11:17 +01:00
yoff
63b732ce1f Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-03-17 15:11:17 +01:00
Rasmus Lerchedahl Petersen
4d856d4461 Python: Add small api enhancements
determined useful during documentation work.
2021-03-17 15:11:17 +01:00
Mathias Vorreiter Pedersen
3914a93504 C++: Remove commonTaintStep from DefaultTaintTracking. 2021-03-17 11:56:59 +01:00
haby0
c516d69b98 Merge remote-tracking branch 'upstream/main' into main 2021-03-17 16:42:48 +08:00
Tamas Vajk
0b1705f302 C#: Adjust Callable::canReturn to handle Task-like async return types 2021-03-17 09:25:57 +01:00
Mathias Vorreiter Pedersen
43fbcc1c8a C++: Convert all the dataflow configurations to taint configurations. 2021-03-16 22:36:17 +01:00
Mathias Vorreiter Pedersen
dd6b27df24 C++: Fix test annotation. 2021-03-16 22:35:47 +01:00
Tamas Vajk
cd820917bc Remove duplicate yield return entries from global dataflow test 2021-03-16 21:28:58 +01:00
Tamas Vajk
2541e9cb6a C#: Handle async data flow in expression bodied callables 2021-03-16 16:32:47 +01:00
Tamas Vajk
048c72a0f2 C#: Remove YieldReturnKind 2021-03-16 16:20:04 +01:00
Tamas Vajk
aa2abf76ba Make ReturnNodes disjoint (normal, yield, async) 2021-03-16 16:17:27 +01:00
Tamas Vajk
732ef92830 C#: add store step for return statements inside async methods 2021-03-16 15:18:00 +01:00
Tamas Vajk
c684b74b3d C#: Add async dataflow tests 2021-03-16 14:46:16 +01:00
Mathias Vorreiter Pedersen
0ffb80e3b1 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-15 09:42:32 +01:00
Mathias Vorreiter Pedersen
5667901a2a C++: Accept test changes after merge from main (which changed the path explanations). 2021-03-11 21:16:57 +01:00
luchua-bc
57953c523c Update qldoc 2021-03-11 17:16:36 +00:00
Mathias Vorreiter Pedersen
a2d75c4fed Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-11 18:06:37 +01:00
Artem Smotrakov
4b7c57c077 Added a comment for getBeanIdentifier()
Co-authored-by: Chris Smowton <smowton@github.com>
2021-03-11 11:52:07 +01:00
Artem Smotrakov
0a5d58ed8a Cover more configurations in UnsafeSpringExporterInConfigurationClass.ql 2021-03-10 21:15:19 +03:00
Mathias Vorreiter Pedersen
bc36e0db43 C++: Accept more test changes. 2021-03-10 16:51:13 +01:00
Mathias Vorreiter Pedersen
cc592b124b Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-10 15:59:48 +01:00
Mathias Vorreiter Pedersen
0b6589c8be C++: Accept test changes. 2021-03-10 15:47:06 +01:00
Anders Schack-Mulligen
4941d9b7bf Java: Add query for CSV framework coverage. 2021-03-10 12:03:44 +01:00
Artem Smotrakov
df60268023 Split qhelp files 2021-03-10 10:49:47 +03:00
Mathias Vorreiter Pedersen
19d08d7b40 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-09 12:35:44 +01:00
Artem Smotrakov
a78f2115f2 Split SpringExporterUnsafeDeserialization.ql 2021-03-09 00:06:38 +03:00
Mathias Vorreiter Pedersen
bb53780ba9 C++: Add flow through unary instructions and pointer/indirection conflation for parameters. These rules are copy/pasted from DefaultTaintTracking. The conflation rules will hopefully be removed as part of #5089. 2021-03-08 09:42:47 +01:00
luchua-bc
0ef3eee4ed Revamp the source and the sink of the query 2021-03-06 22:41:54 +00:00
Artem Smotrakov
891b975899 Use correct file names in SpringExporterUnsafeDeserialization.qhelp 2021-03-06 22:07:43 +01:00
Artem Smotrakov
bda223771b Added another example for SpringExporterUnsafeDeserialization.ql 2021-03-06 22:05:00 +01:00
Artem Smotrakov
82cb4a8d68 Renamed SpringHttpInvokerUnsafeDeserialization.ql 2021-03-06 21:48:35 +01:00
Artem Smotrakov
dcabce679a Cover beans from XML configs in SpringHttpInvokerUnsafeDeserialization.ql 2021-03-06 21:40:35 +01:00
haby0
ecdadd1826 move the query to experimental folder 2021-03-05 14:38:04 +08:00
Francis Alexander
abdebc29f9 Move to experimental and review feedback 2021-03-05 07:26:29 +05:30
Mathias Vorreiter Pedersen
23876cb581 C++: Only allow taint to a FieldAddressInstruction if it's a union type. 2021-03-04 16:29:44 +01:00
luchua-bc
1784c202a7 Clean up the query 2021-03-03 17:03:37 +00:00
Artem Smotrakov
617ba65ef5 Improved docs for SpringHttpInvokerUnsafeDeserialization.ql 2021-03-02 21:36:14 +01:00
Mathias Vorreiter Pedersen
eb4f1e1ba0 C++: Restore some of the lost test results by doing operand -> instruction taint steps in IR TaintTracking. 2021-03-02 15:45:40 +01:00
Mathias Vorreiter Pedersen
23d3109071 C++: Use taintedWithPath in more tests. This is the predicate that's currently hooked up to the new IR taint tracking library. 2021-03-02 13:40:39 +01:00
Mathias Vorreiter Pedersen
6ba35f4aac C++: Fix function renaming and accept test change. 2021-03-02 11:31:24 +01:00
Mathias Vorreiter Pedersen
9f02c144a8 C++: Remove files that were incorrectly added when resolving merge conflicts. 2021-03-02 11:14:49 +01:00
Mathias Vorreiter Pedersen
ffc6af73b7 C++: Accept test changes. 2021-03-02 11:00:43 +01:00
Mathias Vorreiter Pedersen
748f5344ff Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-02 10:43:37 +01:00
Artem Smotrakov
15a43ffe36 Simplified returnsRemoteInvocationSerializingExporter() 2021-02-27 13:41:20 +01:00
Artem Smotrakov
e02b51f42b Improved SpringHttpInvokerUnsafeDeserialization.qhelp 2021-02-24 22:35:20 +01:00
Artem Smotrakov
aac0c27dcd Added tests for SpringHttpInvokerUnsafeDeserialization.ql 2021-02-24 22:35:20 +01:00
Artem Smotrakov
95284ad71d Added SpringHttpInvokerUnsafeDeserialization.qhelp and example 2021-02-24 22:35:20 +01:00
Artem Smotrakov
476309af6d Added SpringHttpInvokerUnsafeDeserialization.ql 2021-02-24 22:35:20 +01:00
Francis Alexander
45bdb22db8 Switch from sanitizer to tainttracking, formatting and qldoc changes 2021-02-21 16:45:48 +05:30
Francis Alexander
2baf2aa5c1 Apply suggestions from code review - improved sanitizer checks.
Co-authored-by: Alvaro Muñoz <pwntester@github.com>
2021-02-17 18:58:32 +05:30
Francis Alexander
40f4e71b86 Merge branch 'main' into cwe-346 2021-02-17 18:55:31 +05:30
Francis Alexander
58971f9f4e Switch qualified name to available CollectionType 2021-02-17 16:01:27 +05:30
Francis Alexander
520ba47293 Sanitizer improvements from code review 2021-02-17 08:35:50 +05:30
luchua-bc
e698ee77f7 Update qldoc and test method 2021-02-16 14:11:39 +00:00
haby0
2c96e6cf96 Merge remote-tracking branch 'upstream/main' into main 2021-02-16 17:54:01 +08:00
luchua-bc
5ce3af0591 Enhance the query and update qldoc 2021-02-15 21:38:54 +00:00
haby0
92c00cb741 Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-02-16 00:09:21 +08:00
haby0
f1e44bce4a Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-02-16 00:07:44 +08:00
luchua-bc
a03e6faf37 Optimize the query and update qldoc 2021-02-15 14:10:17 +00:00
Francis Alexander
409d95c522 Sanitizer checks to decrease FP 2021-02-15 14:01:14 +05:30
luchua-bc
23f620d255 Query to detect insecure LDAP endpoint configuration 2021-02-15 05:31:29 +00:00
luchua-bc
6a6727fc80 Reduce the scope of the query to reduce FPs 2021-02-14 15:01:06 +00:00
haby0
6901cd4899 Merge branch 'main' of https://github.com/haby0/codeql into main 2021-02-12 11:18:33 +08:00
haby0
22e741c7a3 *)add XQExpression.executeCommand(0) sink 2021-02-12 11:17:42 +08:00
haby0
dbb3d458f5 *)add XQExpression.executeCommand(0) sink 2021-02-12 10:47:41 +08:00
haby0
a6a0fa28c4 *)add XQExpression.executeQuery(0) sink 2021-02-11 16:05:48 +08:00
haby0
97690b4eb7 Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-02-08 19:15:28 +08:00
luchua-bc
ff1ed3a012 Revamp the query to use three configurations to detect password hash without salt 2021-01-29 03:39:02 +00:00
haby0
81c56b9bed Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-27 19:47:12 +08:00
haby0
31deca016f Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-27 19:46:45 +08:00
haby0
ca2e6587fe Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-27 19:46:15 +08:00
haby0
b5ae417851 *)update CWE-652 qhelp references 2021-01-27 10:19:04 +08:00
haby0
b76854a384 *)add CWE-652 test case 2021-01-27 10:14:33 +08:00
Francis Alexander
19872e9aed More Feedback integration 2021-01-26 17:24:17 +05:30
Francis Alexander
985d3d469a PR feedback integration 2021-01-25 23:26:36 +05:30
haby0
42f55e1ebe Merge pull request #1 from smowton/smowton/admin/rewrite-xquery
Rewrite XQuery injection to use an additional taint step instead of multiple configurations
2021-01-25 19:49:20 +08:00
Chris Smowton
d34233b44f Rewrite XQuery injection to use an additional taint step instead of multiple configurations.
Also remove a needless barrier -- the method in question doesn't conduct taint by default, so excluding particular instances of that call is not necessary.
2021-01-25 11:18:45 +00:00
haby0
16308fe557 Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-25 19:16:18 +08:00
haby0
14a23eed4f Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-25 19:15:59 +08:00
Francis Alexander
75b79039a1 Example fixes 2021-01-24 20:46:37 +05:30
Francis Alexander
81e372d078 Formatting changes 2021-01-24 20:44:21 +05:30
Francis Alexander
a64fc2b24e Java: Queries to detect remote source flow to CORS header 2021-01-24 18:58:39 +05:30
haby0
0b326aae20 *)update XQueryInjectionLib.qll 2021-01-23 18:27:38 +08:00
haby0
44d99f8cd4 *)update XQueryInjection.ql 2021-01-23 18:26:58 +08:00
haby0
ec4c155043 *)update XQueryInjection.qhelp 2021-01-23 18:26:15 +08:00
haby0
a56dd60baa *)add CWE-652 XQueryInjection detection 2021-01-21 19:18:10 +08:00
luchua-bc
b9809b071e Update the query to work with wrapper classes 2021-01-18 19:22:34 +00:00
luchua-bc
048167d39a Revamp the query to reduce FPs introduced by wrapper calls 2021-01-18 04:23:30 +00:00
luchua-bc
3af8773dd6 Add more cases 2021-01-15 16:20:31 +00:00
luchua-bc
86c04e6971 Detect the scenario of passwords concatenated with a salt to reduce FPs 2021-01-11 16:59:57 +00:00
luchua-bc
39103af718 Remove additional taint step 2021-01-08 13:02:57 +00:00
luchua-bc
b56fe2b25f Remove specific method name in additional taint step 2021-01-07 16:31:21 +00:00
luchua-bc
19ff00bad4 Enhance the additional step flow and update qldoc 2021-01-07 13:15:30 +00:00
luchua-bc
ce2db21f15 Query to detect hash without salt 2021-01-06 17:30:04 +00:00
Robert Marsh
77729918c1 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Update for submodule pointer
2020-11-18 13:09:02 -08:00
Robert Marsh
5aed82a210 C++: Autoformat more 2020-11-17 13:44:20 -08:00
Robert Marsh
04641a3f2d Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2020-11-17 12:55:12 -08:00
Robert Marsh
c2e44fa180 C++: autoformat 2020-11-17 09:28:39 -08:00
Robert Marsh
db8766ca69 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2020-11-16 17:46:20 -08:00
Robert Marsh
525aeb6551 C++: autoformat 2020-11-13 16:14:07 -08:00
Robert Marsh
29eacbd28b Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Update for submodule bump
2020-11-13 12:22:41 -08:00
Robert Marsh
bd00988c37 C++: accept test output for DefaultTaintTracking 2020-11-12 14:38:53 -08:00
Robert Marsh
68040b717e C++: autoformat 2020-11-12 14:32:19 -08:00
Robert Marsh
275d75295c Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Fix test conflict
2020-11-12 13:28:10 -08:00
Robert Marsh
049bff09e6 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Make this branch a valid taget for a submodule bump
2020-11-10 14:25:05 -08:00
Robert Marsh
2a6ba40a93 C++: Accept more test changes 2020-11-10 13:59:35 -08:00
Robert Marsh
04ad94d1cc C++: model taint from pointers to aliased buffers 2020-11-09 13:52:08 -08:00
Robert Marsh
afbeca0d54 C++: Accept test outputs 2020-11-09 13:24:31 -08:00
Robert Marsh
95ed5465de C++: improve handling of function arguments in DTT 2020-11-09 13:02:06 -08:00
Robert Marsh
fbe857d1fa C++: require that other operands be predictable
This brings back a constraint that was lost when switching
DefaultTaintTracking to use a TaintTracking::Configuration
2020-11-09 13:00:55 -08:00
Robert Marsh
7d79be71d1 C++: taint tracking conf in DefaultTaintTracking
Switch from using additional flow steps with a DataFlow::Configuration
in DefaultTaintTracking to using a TaintTracking::Configuration. This
makes future improvements to TaintTracking::Configuration reflected in
DefaultTaintTracking without further effort. It also removes the
predictability constraint in DefaultTaintTracking, which increases the
number of results, with both new true positives and new false positives.
Those may need to be addressed on a per-query basis.

There are some additional regressions from losing pointer/object
conflation for arguments. Those can be worked around by adding that
conflation to TaintTracking::Configuration until precise indirect
parameter flow is ready.
2020-11-09 13:00:55 -08:00
669 changed files with 18908 additions and 12428 deletions

View File

@@ -1,29 +0,0 @@
# When a PR is labelled with 'ready-for-docs-review',
# this workflow comments on the PR to notify the GitHub CodeQL docs team.
name: Request docs review
on:
# Runs in the context of the base repo.
# This gives the workflow write access to comment on PRs.
# The workflow should not check out or build the given ref,
# or use untrusted data from the event payload in a command line.
pull_request_target:
types: [labeled]
jobs:
request-docs-review:
name: Request docs review
# Run only on labelled PRs to the main repository.
# Do not run on PRs to forks.
if:
github.event.label.name == 'ready-for-docs-review'
&& github.event.pull_request.draft == false
&& github.event.pull_request.base.repo.full_name == 'github/codeql'
runs-on: ubuntu-latest
steps:
- name: Comment to request docs review
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
gh pr comment "$PR_NUMBER" --repo "github/codeql" \
--body "Hello @github/docs-content-codeql - this PR is ready for docs review."

View File

@@ -70,4 +70,3 @@
## Changes to libraries ## Changes to libraries
* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction. * The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, subclasses should instead be based on `HtmlInjectionConfiguration`. To use both configurations in a query, see [Xss.ql](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql) for an example.

View File

@@ -36,6 +36,7 @@
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll", "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll", "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll", "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll", "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll", "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll", "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -376,7 +377,6 @@
], ],
"DuplicationProblems.inc.qhelp": [ "DuplicationProblems.inc.qhelp": [
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp", "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
"csharp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp", "javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp" "python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
], ],
@@ -429,7 +429,8 @@
"SSA C#": [ "SSA C#": [
"csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll", "csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
"csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll", "csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll" "csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
"csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
], ],
"CryptoAlgorithms Python/JS": [ "CryptoAlgorithms Python/JS": [
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll", "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",

View File

@@ -5,6 +5,7 @@ using System;
using System.Linq; using System.Linq;
using Microsoft.Build.Construction; using Microsoft.Build.Construction;
using System.Xml; using System.Xml;
using System.IO;
namespace Semmle.Autobuild.Cpp.Tests namespace Semmle.Autobuild.Cpp.Tests
{ {
@@ -43,6 +44,8 @@ namespace Semmle.Autobuild.Cpp.Tests
public IDictionary<string, int> RunProcess = new Dictionary<string, int>(); public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>(); public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>(); public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
public HashSet<string> CreateDirectories { get; } = new HashSet<string>();
public HashSet<(string, string)> DownloadFiles { get; } = new HashSet<(string, string)>();
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut) int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
{ {
@@ -135,6 +138,14 @@ namespace Semmle.Autobuild.Cpp.Tests
string IBuildActions.GetFullPath(string path) => path; string IBuildActions.GetFullPath(string path) => path;
string? IBuildActions.GetFileName(string? path) => Path.GetFileName(path?.Replace('\\', '/'));
public string? GetDirectoryName(string? path)
{
var dir = Path.GetDirectoryName(path?.Replace('\\', '/'));
return dir is null ? path : path?.Substring(0, dir.Length);
}
void IBuildActions.WriteAllText(string filename, string contents) void IBuildActions.WriteAllText(string filename, string contents)
{ {
} }
@@ -153,6 +164,18 @@ namespace Semmle.Autobuild.Cpp.Tests
s = s.Replace($"%{kvp.Key}%", kvp.Value); s = s.Replace($"%{kvp.Key}%", kvp.Value);
return s; return s;
} }
public void CreateDirectory(string path)
{
if (!CreateDirectories.Contains(path))
throw new ArgumentException($"Missing CreateDirectory, {path}");
}
public void DownloadFile(string address, string fileName)
{
if (!DownloadFiles.Contains((address, fileName)))
throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
}
} }
/// <summary> /// <summary>
@@ -213,6 +236,7 @@ namespace Semmle.Autobuild.Cpp.Tests
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = ""; Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}"; Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java"; Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa"; Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java"; Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools"; Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
@@ -273,7 +297,8 @@ namespace Semmle.Autobuild.Cpp.Tests
[Fact] [Fact]
public void TestCppAutobuilderSuccess() public void TestCppAutobuilderSuccess()
{ {
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test.sln"] = 1; Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0; Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = ""; Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1; Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
@@ -286,11 +311,13 @@ namespace Semmle.Autobuild.Cpp.Tests
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx"; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
Actions.EnumerateDirectories[@"C:\Project"] = ""; Actions.EnumerateDirectories[@"C:\Project"] = "";
Actions.CreateDirectories.Add(@"C:\Project\.nuget");
Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
var autobuilder = CreateAutoBuilder(true); var autobuilder = CreateAutoBuilder(true);
var solution = new TestSolution(@"C:\Project\test.sln"); var solution = new TestSolution(@"C:\Project\test.sln");
autobuilder.ProjectsOrSolutionsToBuild.Add(solution); autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
TestAutobuilderScript(autobuilder, 0, 2); TestAutobuilderScript(autobuilder, 0, 3);
} }
} }
} }

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.

View File

@@ -54,7 +54,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
override predicate isWhitelisted() { override predicate isWhitelisted() {
this.getConversion().(ParenthesisExpr).isParenthesised() this.getConversion().(ParenthesisExpr).isParenthesised()
or or
// whitelist this assignment if all comparison operations in the expression that this // Allow this assignment if all comparison operations in the expression that this
// assignment is part of, are not parenthesized. In that case it seems like programmer // assignment is part of, are not parenthesized. In that case it seems like programmer
// is fine with unparenthesized comparison operands to binary logical operators, and // is fine with unparenthesized comparison operands to binary logical operators, and
// the parenthesis around this assignment was used to call it out as an assignment. // the parenthesis around this assignment was used to call it out as an assignment.
@@ -62,6 +62,21 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) | forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
not op.isParenthesised() not op.isParenthesised()
) )
or
// Match a pattern like:
// ```
// if((a = b) && use_value(a)) { ... }
// ```
// where the assignment is meant to update the value of `a` before it's used in some other boolean
// subexpression that is guarenteed to be evaluate _after_ the assignment.
this.isParenthesised() and
exists(LogicalAndExpr parent, Variable var, VariableAccess access |
var = this.getLValue().(VariableAccess).getTarget() and
access = var.getAnAccess() and
not access.isUsedAsLValue() and
parent.getRightOperand() = access.getParent*() and
parent.getLeftOperand() = this.getParent*()
)
} }
} }

View File

@@ -5,7 +5,6 @@
* @kind treemap * @kind treemap
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType externalDependency * @metricType externalDependency
* @precision medium
* @id cpp/external-dependencies * @id cpp/external-dependencies
* @tags modularity * @tags modularity
*/ */

View File

@@ -7,7 +7,6 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision very-high
* @id cpp/lines-of-code-in-files * @id cpp/lines-of-code-in-files
* @tags maintainability * @tags maintainability
* complexity * complexity

View File

@@ -5,7 +5,6 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision high
* @id cpp/lines-of-commented-out-code-in-files * @id cpp/lines-of-commented-out-code-in-files
* @tags documentation * @tags documentation
*/ */

View File

@@ -7,7 +7,6 @@
* @treemap.warnOn lowValues * @treemap.warnOn lowValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision very-high
* @id cpp/lines-of-comments-in-files * @id cpp/lines-of-comments-in-files
* @tags maintainability * @tags maintainability
* documentation * documentation

View File

@@ -8,7 +8,6 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision high
* @id cpp/duplicated-lines-in-files * @id cpp/duplicated-lines-in-files
* @tags testability * @tags testability
* modularity * modularity

View File

@@ -5,7 +5,6 @@
* @treemap.warnOn lowValues * @treemap.warnOn lowValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision medium
* @id cpp/tests-in-files * @id cpp/tests-in-files
* @tags maintainability * @tags maintainability
*/ */

View File

@@ -93,7 +93,7 @@ class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Confi
bindingset[s] bindingset[s]
predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) { predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
s.regexpMatch("\"([^\"])*\"(\\s|.)*") // The first element (path) is quoted s.regexpMatch("\"([^\"])*\"[\\s\\S]*") // The first element (path) is quoted
or or
s.regexpMatch("[^\\s]+") // There are no spaces in the string s.regexpMatch("[^\\s]+") // There are no spaces in the string
} }

View File

@@ -72,9 +72,9 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
} }
/** /**
* Holds if `(std::nothrow)` exists in call `operator new`. * Holds if `(std::nothrow)` or `(std::noexcept)` exists in call `operator new`.
*/ */
predicate isExistsNothrow() { this.getAChild().toString() = "nothrow" } predicate isExistsNothrow() { getTarget().isNoExcept() or getTarget().isNoThrow() }
} }
from WrongCheckErrorOperatorNew op from WrongCheckErrorOperatorNew op

View File

@@ -1,12 +0,0 @@
/**
* @name Defect filter
* @description Only include results in large files (200) lines of code, and change the message.
* @tags filter
*/
import cpp
import external.DefectFilter
from DefectResult res
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
select res, "Large files: " + res.getMessage()

View File

@@ -1,18 +0,0 @@
/**
* @name Defect from external data
* @description Insert description here...
* @kind problem
* @problem.severity warning
* @tags external-data
*/
import cpp
import external.ExternalArtifact
from ExternalData d, File u
where
d.getQueryPath() = "external-data.ql" and
u.getShortName() = d.getField(0)
select u,
d.getField(5) + ", " + d.getFieldAsDate(1) + ", " + d.getField(2) + ", " + d.getFieldAsFloat(3) +
", " + d.getFieldAsInt(4) + ": " + d.getNumFields()

View File

@@ -1,12 +0,0 @@
/**
* @name Metric filter
* @description Only include results in large files (200) lines of code.
* @tags filter
*/
import cpp
import external.MetricFilter
from MetricResult res
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
select res, res.getValue()

View File

@@ -1,16 +0,0 @@
/**
* @name Filter: exclude results from files that are autogenerated
* @description Use this filter to return results only if they are
* located in files that are maintained manually.
* @kind problem
* @id cpp/autogenerated-filter
* @tags filter
*/
import cpp
import semmle.code.cpp.AutogeneratedFile
import external.DefectFilter
from DefectResult res
where not res.getFile() instanceof AutogeneratedFile
select res, res.getMessage()

View File

@@ -1,16 +0,0 @@
/**
* @name Metric filter: exclude results from files that are autogenerated
* @description Use this filter to return results only if they are
* located in files that are maintained manually.
* @kind treemap
* @id cpp/autogenerated-for-metric-filter
* @tags filter
*/
import cpp
import semmle.code.cpp.AutogeneratedFile
import external.MetricFilter
from MetricResult res
where not res.getFile() instanceof AutogeneratedFile
select res, res.getValue()

View File

@@ -1,16 +0,0 @@
/**
* @name Filter: exclude results from files for which we do not have
* source code
* @description Use this filter to return results only if they are
* located in files for which we have source code.
* @kind problem
* @id cpp/from-source-filter
* @tags filter
*/
import cpp
import external.DefectFilter
from DefectResult res
where res.getFile().fromSource()
select res, res.getMessage()

View File

@@ -1,36 +0,0 @@
/**
* @name Filter: exclude results on lines covered by a macro expansion
* @description Use this filter to return results only when there is no
* macro expansion whose location spans all the lines of
* the result's location.
* @kind problem
* @id cpp/macros-filter
* @tags filter
*/
import cpp
import external.DefectFilter
predicate macroLocation(File f, int startLine, int endLine) {
exists(MacroInvocation mi, Location l |
l = mi.getLocation() and
l.getFile() = f and
l.getStartLine() = startLine and
l.getEndLine() = endLine
)
}
predicate macroCovering(DefectResult r) {
exists(File f, int macroStart, int macroEnd, int defectStart, int defectEnd |
f = r.getFile() and
defectStart = r.getStartLine() and
defectEnd = r.getEndLine() and
macroLocation(f, macroStart, macroEnd) and
macroStart <= defectStart and
macroEnd >= defectEnd
)
}
from DefectResult res
where not macroCovering(res)
select res, res.getMessage()

View File

@@ -91,16 +91,17 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
// `e` is a call to a release function and `released` is the released argument // `e` is a call to a release function and `released` is the released argument
releaseExpr(e, released, kind) releaseExpr(e, released, kind)
or or
exists(Function f, int arg | exists(int arg, VariableAccess access, Function f |
// `e` is a call to a function that releases one of it's parameters, // `e` is a call to a function that releases one of it's parameters,
// and `released` is the corresponding argument // and `released` is the corresponding argument
( (
e.(FunctionCall).getTarget() = f or e.(FunctionCall).getTarget() = f or
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
) and ) and
access = f.getParameter(arg).getAnAccess() and
e.(FunctionCall).getArgument(arg) = released and e.(FunctionCall).getArgument(arg) = released and
exprReleases(_, exprReleases(_,
exprOrDereference(globalValueNumber(f.getParameter(arg).getAnAccess()).getAnExpr()), kind) pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
) )
or or
exists(Function f, ThisExpr innerThis | exists(Function f, ThisExpr innerThis |
@@ -112,7 +113,7 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
) and ) and
e.(FunctionCall).getQualifier() = exprOrDereference(released) and e.(FunctionCall).getQualifier() = exprOrDereference(released) and
innerThis.getEnclosingFunction() = f and innerThis.getEnclosingFunction() = f and
exprReleases(_, globalValueNumber(innerThis).getAnExpr(), kind) exprReleases(_, pragma[only_bind_into](globalValueNumber(innerThis).getAnExpr()), kind)
) )
} }

View File

@@ -72,6 +72,7 @@ class Location extends @location {
} }
/** Holds if `this` comes on a line strictly before `l`. */ /** Holds if `this` comes on a line strictly before `l`. */
pragma[inline]
predicate isBefore(Location l) { predicate isBefore(Location l) {
this.getFile() = l.getFile() and this.getEndLine() < l.getStartLine() this.getFile() = l.getFile() and this.getEndLine() < l.getStartLine()
} }

View File

@@ -300,6 +300,14 @@ class FunctionCall extends Call, @funbindexpr {
} }
} }
/** A _user-defined_ unary `operator*` function. */
class OverloadedPointerDereferenceFunction extends Function {
OverloadedPointerDereferenceFunction() {
this.hasName("operator*") and
this.getEffectiveNumberOfParameters() = 1
}
}
/** /**
* An instance of a _user-defined_ unary `operator*` applied to its argument. * An instance of a _user-defined_ unary `operator*` applied to its argument.
* ``` * ```
@@ -309,8 +317,7 @@ class FunctionCall extends Call, @funbindexpr {
*/ */
class OverloadedPointerDereferenceExpr extends FunctionCall { class OverloadedPointerDereferenceExpr extends FunctionCall {
OverloadedPointerDereferenceExpr() { OverloadedPointerDereferenceExpr() {
getTarget().hasName("operator*") and this.getTarget() instanceof OverloadedPointerDereferenceFunction
getTarget().getEffectiveNumberOfParameters() = 1
} }
override string getAPrimaryQlClass() { result = "OverloadedPointerDereferenceExpr" } override string getAPrimaryQlClass() { result = "OverloadedPointerDereferenceExpr" }

View File

@@ -2,13 +2,16 @@ import cpp
import semmle.code.cpp.security.Security import semmle.code.cpp.security.Security
private import semmle.code.cpp.ir.dataflow.DataFlow private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import semmle.code.cpp.ir.dataflow.DataFlow2
private import semmle.code.cpp.ir.dataflow.DataFlow3 private import semmle.code.cpp.ir.dataflow.DataFlow3
private import semmle.code.cpp.ir.IR private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
private import semmle.code.cpp.controlflow.IRGuards private import semmle.code.cpp.controlflow.IRGuards
private import semmle.code.cpp.models.interfaces.Taint private import semmle.code.cpp.models.interfaces.Taint
private import semmle.code.cpp.models.interfaces.DataFlow private import semmle.code.cpp.models.interfaces.DataFlow
private import semmle.code.cpp.ir.dataflow.TaintTracking
private import semmle.code.cpp.ir.dataflow.TaintTracking2
private import semmle.code.cpp.ir.dataflow.TaintTracking3
private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
/** /**
* A predictable instruction is one where an external user can predict * A predictable instruction is one where an external user can predict
@@ -65,23 +68,19 @@ private DataFlow::Node getNodeForExpr(Expr node) {
not argv(node.(VariableAccess).getTarget()) not argv(node.(VariableAccess).getTarget())
} }
private class DefaultTaintTrackingCfg extends DataFlow::Configuration { private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" } DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) } override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) } override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
commonTaintStep(n1, n2)
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
} }
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) } private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
}
private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" } ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) } override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
@@ -90,20 +89,18 @@ private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
sink.asVariable() instanceof GlobalOrNamespaceVariable sink.asVariable() instanceof GlobalOrNamespaceVariable
} }
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
commonTaintStep(n1, n2)
or
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable)) writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
or or
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable)) readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
} }
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) } override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) } override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
} }
private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration { private class FromGlobalVarTaintTrackingCfg extends TaintTracking2::Configuration {
FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" } FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
override predicate isSource(DataFlow::Node source) { override predicate isSource(DataFlow::Node source) {
@@ -114,18 +111,16 @@ private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration {
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) } override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
commonTaintStep(n1, n2)
or
// Additional step for flow out of variables. There is no flow _into_ // Additional step for flow out of variables. There is no flow _into_
// variables in this configuration, so this step only serves to take flow // variables in this configuration, so this step only serves to take flow
// out of a variable that's a source. // out of a variable that's a source.
readsVariable(n2.asInstruction(), n1.asVariable()) readsVariable(n2.asInstruction(), n1.asVariable())
} }
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) } override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) } override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
} }
private predicate readsVariable(LoadInstruction load, Variable var) { private predicate readsVariable(LoadInstruction load, Variable var) {
@@ -202,206 +197,26 @@ private predicate nodeIsBarrierIn(DataFlow::Node node) {
// `getNodeForSource`. // `getNodeForSource`.
node = DataFlow::definitionByReferenceNodeFromArgument(source) node = DataFlow::definitionByReferenceNodeFromArgument(source)
) )
}
cached
private predicate commonTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
operandToInstructionTaintStep(fromNode.asOperand(), toNode.asInstruction())
or or
instructionToOperandTaintStep(fromNode.asInstruction(), toNode.asOperand()) // don't use dataflow into binary instructions if both operands are unpredictable
} exists(BinaryInstruction iTo |
iTo = node.asInstruction() and
private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) { not predictableInstruction(iTo.getLeft()) and
// Propagate flow from the definition of an operand to the operand, even when the overlap is inexact. not predictableInstruction(iTo.getRight()) and
// We only do this in certain cases: // propagate taint from either the pointer or the offset, regardless of predictability
// 1. The instruction's result must not be conflated, and not iTo instanceof PointerArithmeticInstruction
// 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
// this is array types and union types. This matches the other two cases of element-to-object flow in
// `DefaultTaintTracking`.
toOperand.getAnyDef() = fromInstr and
not fromInstr.isResultConflated() and
(
fromInstr.getResultType() instanceof ArrayType or
fromInstr.getResultType() instanceof Union
) )
or or
exists(ReadSideEffectInstruction readInstr | // don't use dataflow through calls to pure functions if two or more operands
fromInstr = readInstr.getArgumentDef() and // are unpredictable
toOperand = readInstr.getSideEffectOperand() exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
) iTo = node.asInstruction() and
} isPureFunction(iTo.getStaticCallTarget().getName()) and
iFrom1 = iTo.getAnArgument() and
private predicate operandToInstructionTaintStep(Operand fromOperand, Instruction toInstr) { iFrom2 = iTo.getAnArgument() and
// Expressions computed from tainted data are also tainted not predictableInstruction(iFrom1) and
exists(CallInstruction call, int argIndex | call = toInstr | not predictableInstruction(iFrom2) and
isPureFunction(call.getStaticCallTarget().getName()) and iFrom1 != iFrom2
fromOperand = getACallArgumentOrIndirection(call, argIndex) and
forall(Operand argOperand | argOperand = call.getAnArgumentOperand() |
argOperand = getACallArgumentOrIndirection(call, argIndex) or
predictableInstruction(argOperand.getAnyDef())
) and
// flow through `strlen` tends to cause dubious results, if the length is
// bounded.
not call.getStaticCallTarget().getName() = "strlen"
)
or
// Flow from argument to return value
toInstr =
any(CallInstruction call |
exists(int indexIn |
modelTaintToReturnValue(call.getStaticCallTarget(), indexIn) and
fromOperand = getACallArgumentOrIndirection(call, indexIn) and
not predictableOnlyFlow(call.getStaticCallTarget().getName())
)
)
or
// Flow from input argument to output argument
// TODO: This won't work in practice as long as all aliased memory is tracked
// together in a single virtual variable.
// TODO: Will this work on the test for `TaintedPath.ql`, where the output arg
// is a pointer addition expression?
toInstr =
any(WriteSideEffectInstruction outInstr |
exists(CallInstruction call, int indexIn, int indexOut |
modelTaintToParameter(call.getStaticCallTarget(), indexIn, indexOut) and
fromOperand = getACallArgumentOrIndirection(call, indexIn) and
outInstr.getIndex() = indexOut and
outInstr.getPrimaryInstruction() = call
)
)
or
// Flow through pointer dereference
toInstr.(LoadInstruction).getSourceAddressOperand() = fromOperand
or
// Flow through partial reads of arrays and unions
toInstr.(LoadInstruction).getSourceValueOperand() = fromOperand and
exists(Instruction fromInstr | fromInstr = fromOperand.getAnyDef() |
not fromInstr.isResultConflated() and
(
fromInstr.getResultType() instanceof ArrayType or
fromInstr.getResultType() instanceof Union
)
)
or
// Unary instructions tend to preserve enough information in practice that we
// want taint to flow through.
// The exception is `FieldAddressInstruction`. Together with the rule for
// `LoadInstruction` above and for `ChiInstruction` below, flow through
// `FieldAddressInstruction` could cause flow into one field to come out an
// unrelated field. This would happen across function boundaries, where the IR
// would not be able to match loads to stores.
toInstr.(UnaryInstruction).getUnaryOperand() = fromOperand and
(
not toInstr instanceof FieldAddressInstruction
or
toInstr.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
)
or
// Flow from an element to an array or union that contains it.
toInstr.(ChiInstruction).getPartialOperand() = fromOperand and
not toInstr.isResultConflated() and
exists(Type t | toInstr.getResultLanguageType().hasType(t, false) |
t instanceof Union
or
t instanceof ArrayType
)
or
exists(BinaryInstruction bin |
bin = toInstr and
predictableInstruction(toInstr.getAnOperand().getDef()) and
fromOperand = toInstr.getAnOperand()
)
or
// This is part of the translation of `a[i]`, where we want taint to flow
// from `a`.
toInstr.(PointerAddInstruction).getLeftOperand() = fromOperand
or
// Until we have flow through indirections across calls, we'll take flow out
// of the indirection and into the argument.
// When we get proper flow through indirections across calls, this code can be
// moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
exists(ReadSideEffectInstruction read |
read.getSideEffectOperand() = fromOperand and
read.getArgumentDef() = toInstr
)
or
// Until we have from through indirections across calls, we'll take flow out
// of the parameter and into its indirection.
// `InitializeIndirectionInstruction` only has a single operand: the address of the
// value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
// the IR looks like this:
// ```
// m1 = InitializeParameter[p] : &r1
// r2 = Load[p] : r2, m1
// m3 = InitializeIndirection[p] : &r2
// ```
// So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
// `LoadOperand`'s overlap being exact.
toInstr.(InitializeIndirectionInstruction).getAnOperand() = fromOperand
}
/**
* Returns the index of the side effect instruction corresponding to the specified function output,
* if one exists.
*/
private int getWriteSideEffectIndex(FunctionOutput output) {
output.isParameterDeref(result)
or
output.isQualifierObject() and result = -1
}
/**
* Get an operand that goes into argument `argumentIndex` of `call`. This
* can be either directly or through one pointer indirection.
*/
private Operand getACallArgumentOrIndirection(CallInstruction call, int argumentIndex) {
result = call.getPositionalArgumentOperand(argumentIndex)
or
exists(ReadSideEffectInstruction readSE |
// TODO: why are read side effect operands imprecise?
result = readSE.getSideEffectOperand() and
readSE.getPrimaryInstruction() = call and
readSE.getIndex() = argumentIndex
)
}
private predicate modelTaintToParameter(Function f, int parameterIn, int parameterOut) {
exists(FunctionInput modelIn, FunctionOutput modelOut |
(
f.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
or
f.(TaintFunction).hasTaintFlow(modelIn, modelOut)
) and
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
parameterOut = getWriteSideEffectIndex(modelOut)
)
}
private predicate modelTaintToReturnValue(Function f, int parameterIn) {
// Taint flow from parameter to return value
exists(FunctionInput modelIn, FunctionOutput modelOut |
f.(TaintFunction).hasTaintFlow(modelIn, modelOut) and
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
(modelOut.isReturnValue() or modelOut.isReturnValueDeref())
)
or
// Data flow (not taint flow) to where the return value points. For the time
// being we will conflate pointers and objects in taint tracking.
exists(FunctionInput modelIn, FunctionOutput modelOut |
f.(DataFlowFunction).hasDataFlow(modelIn, modelOut) and
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
modelOut.isReturnValueDeref()
)
or
// Taint flow from one argument to another and data flow from an argument to a
// return value. This happens in functions like `strcat` and `memcpy`. We
// could model this flow in two separate steps, but that would add reverse
// flow from the write side-effect to the call instruction, which may not be
// desirable.
exists(int parameterMid, InParameter modelMid, OutReturnValue returnOut |
modelTaintToParameter(f, parameterIn, parameterMid) and
modelMid.isParameter(parameterMid) and
f.(DataFlowFunction).hasDataFlow(modelMid, returnOut)
) )
} }
@@ -440,6 +255,14 @@ private Element adjustedSink(DataFlow::Node sink) {
or or
// Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted. // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
result.(AssignOperation).getAnOperand() = sink.asExpr() result.(AssignOperation).getAnOperand() = sink.asExpr()
or
result =
sink.asOperand()
.(SideEffectOperand)
.getUse()
.(ReadSideEffectInstruction)
.getArgumentDef()
.getUnconvertedResultExpression()
} }
/** /**
@@ -558,7 +381,7 @@ module TaintedWithPath {
string toString() { result = "TaintTrackingConfiguration" } string toString() { result = "TaintTrackingConfiguration" }
} }
private class AdjustedConfiguration extends DataFlow3::Configuration { private class AdjustedConfiguration extends TaintTracking3::Configuration {
AdjustedConfiguration() { this = "AdjustedConfiguration" } AdjustedConfiguration() { this = "AdjustedConfiguration" }
override predicate isSource(DataFlow::Node source) { override predicate isSource(DataFlow::Node source) {
@@ -571,21 +394,34 @@ module TaintedWithPath {
exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink))) exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
} }
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
commonTaintStep(n1, n2) // Steps into and out of global variables
or
exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() | exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable)) writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
or or
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable)) readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
) )
or
// Step to return value of a modeled function when an input taints the
// dereference of the return value
exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
n1.asOperand() = callInput(call, modelIn) and
(
func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
or
func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
) and
call.getStaticCallTarget() = func and
modelOut.isReturnValueDeref() and
call = n2.asInstruction()
)
} }
override predicate isBarrier(DataFlow::Node node) { override predicate isSanitizer(DataFlow::Node node) {
exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e)) exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
} }
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) } override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
} }
/* /*

View File

@@ -0,0 +1,15 @@
/**
* Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
* module. Use this class when data-flow configurations or taint-tracking
* configurations must depend on each other. Two classes extending
* `DataFlow::Configuration` should never depend on each other, but one of them
* should instead depend on a `DataFlow2::Configuration`, a
* `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
* `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
* `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
*
* See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
*/
module TaintTracking3 {
import semmle.code.cpp.ir.dataflow.internal.tainttracking3.TaintTrackingImpl
}

View File

@@ -9,30 +9,18 @@ private import semmle.code.cpp.ir.dataflow.DataFlow
/** /**
* Gets the instruction that goes into `input` for `call`. * Gets the instruction that goes into `input` for `call`.
*/ */
DataFlow::Node callInput(CallInstruction call, FunctionInput input) { Operand callInput(CallInstruction call, FunctionInput input) {
// A positional argument // An argument or qualifier
exists(int index | exists(int index |
result.asInstruction() = call.getPositionalArgument(index) and result = call.getArgumentOperand(index) and
input.isParameter(index) input.isParameterOrQualifierAddress(index)
) )
or or
// A value pointed to by a positional argument // A value pointed to by an argument or qualifier
exists(ReadSideEffectInstruction read | exists(ReadSideEffectInstruction read |
result.asOperand() = read.getSideEffectOperand() and result = read.getSideEffectOperand() and
read.getPrimaryInstruction() = call and read.getPrimaryInstruction() = call and
input.isParameterDeref(read.getIndex()) input.isParameterDerefOrQualifierObject(read.getIndex())
)
or
// The qualifier pointer
result.asInstruction() = call.getThisArgument() and
input.isQualifierAddress()
or
// The qualifier object
exists(ReadSideEffectInstruction read |
result.asOperand() = read.getSideEffectOperand() and
read.getPrimaryInstruction() = call and
read.getIndex() = -1 and
input.isQualifierObject()
) )
} }
@@ -44,19 +32,11 @@ Instruction callOutput(CallInstruction call, FunctionOutput output) {
result = call and result = call and
output.isReturnValue() output.isReturnValue()
or or
// The side effect of a call on the value pointed to by a positional argument // The side effect of a call on the value pointed to by an argument or qualifier
exists(WriteSideEffectInstruction effect | exists(WriteSideEffectInstruction effect |
result = effect and result = effect and
effect.getPrimaryInstruction() = call and effect.getPrimaryInstruction() = call and
output.isParameterDeref(effect.getIndex()) output.isParameterDerefOrQualifierObject(effect.getIndex())
)
or
// The side effect of a call on the qualifier object
exists(WriteSideEffectInstruction effect |
result = effect and
effect.getPrimaryInstruction() = call and
effect.getIndex() = -1 and
output.isQualifierObject()
) )
// TODO: return value dereference // TODO: return value dereference
} }

View File

@@ -21,53 +21,104 @@ predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
*/ */
cached cached
predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
localInstructionTaintStep(nodeFrom.asInstruction(), nodeTo.asInstruction()) operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction())
or or
modeledTaintStep(nodeFrom, nodeTo) instructionToOperandTaintStep(nodeFrom.asInstruction(), nodeTo.asOperand())
}
private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) {
// Propagate flow from the definition of an operand to the operand, even when the overlap is inexact.
// We only do this in certain cases:
// 1. The instruction's result must not be conflated, and
// 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
// this is array types and union types. This matches the other two cases of element-to-object flow in
// `DefaultTaintTracking`.
toOperand.getAnyDef() = fromInstr and
not fromInstr.isResultConflated() and
(
fromInstr.getResultType() instanceof ArrayType or
fromInstr.getResultType() instanceof Union
)
or
exists(ReadSideEffectInstruction readInstr |
fromInstr = readInstr.getArgumentDef() and
toOperand = readInstr.getSideEffectOperand()
)
or
toOperand.(LoadOperand).getAnyDef() = fromInstr
} }
/** /**
* Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
* (intra-procedural) step. * (intra-procedural) step.
*/ */
private predicate localInstructionTaintStep(Instruction nodeFrom, Instruction nodeTo) { private predicate operandToInstructionTaintStep(Operand opFrom, Instruction instrTo) {
// Taint can flow through expressions that alter the value but preserve // Taint can flow through expressions that alter the value but preserve
// more than one bit of it _or_ expressions that follow data through // more than one bit of it _or_ expressions that follow data through
// pointer indirections. // pointer indirections.
nodeTo.getAnOperand().getAnyDef() = nodeFrom and instrTo.getAnOperand() = opFrom and
( (
nodeTo instanceof ArithmeticInstruction instrTo instanceof ArithmeticInstruction
or or
nodeTo instanceof BitwiseInstruction instrTo instanceof BitwiseInstruction
or or
nodeTo instanceof PointerArithmeticInstruction instrTo instanceof PointerArithmeticInstruction
or
nodeTo instanceof FieldAddressInstruction
or or
// The `CopyInstruction` case is also present in non-taint data flow, but // The `CopyInstruction` case is also present in non-taint data flow, but
// that uses `getDef` rather than `getAnyDef`. For taint, we want flow // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
// from a definition of `myStruct` to a `myStruct.myField` expression. // from a definition of `myStruct` to a `myStruct.myField` expression.
nodeTo instanceof CopyInstruction instrTo instanceof CopyInstruction
) )
or or
nodeTo.(LoadInstruction).getSourceAddress() = nodeFrom // Unary instructions tend to preserve enough information in practice that we
or // want taint to flow through.
// Flow through partial reads of arrays and unions // The exception is `FieldAddressInstruction`. Together with the rules below for
nodeTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = nodeFrom and // `LoadInstruction`s and `ChiInstruction`s, flow through `FieldAddressInstruction`
not nodeFrom.isResultConflated() and // could cause flow into one field to come out an unrelated field.
// This would happen across function boundaries, where the IR would not be able to
// match loads to stores.
instrTo.(UnaryInstruction).getUnaryOperand() = opFrom and
( (
nodeFrom.getResultType() instanceof ArrayType or not instrTo instanceof FieldAddressInstruction
nodeFrom.getResultType() instanceof Union or
instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
) )
or or
instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
or
// Flow from an element to an array or union that contains it. // Flow from an element to an array or union that contains it.
nodeTo.(ChiInstruction).getPartial() = nodeFrom and instrTo.(ChiInstruction).getPartialOperand() = opFrom and
not nodeTo.isResultConflated() and not instrTo.isResultConflated() and
exists(Type t | nodeTo.getResultLanguageType().hasType(t, false) | exists(Type t | instrTo.getResultLanguageType().hasType(t, false) |
t instanceof Union t instanceof Union
or or
t instanceof ArrayType t instanceof ArrayType
) )
or
// Until we have flow through indirections across calls, we'll take flow out
// of the indirection and into the argument.
// When we get proper flow through indirections across calls, this code can be
// moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
exists(ReadSideEffectInstruction read |
read.getSideEffectOperand() = opFrom and
read.getArgumentDef() = instrTo
)
or
// Until we have from through indirections across calls, we'll take flow out
// of the parameter and into its indirection.
// `InitializeIndirectionInstruction` only has a single operand: the address of the
// value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
// the IR looks like this:
// ```
// m1 = InitializeParameter[p] : &r1
// r2 = Load[p] : r2, m1
// m3 = InitializeIndirection[p] : &r2
// ```
// So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
// `LoadOperand`'s overlap being exact.
instrTo.(InitializeIndirectionInstruction).getAnOperand() = opFrom
or
modeledTaintStep(opFrom, instrTo)
} }
/** /**
@@ -110,17 +161,19 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
* Holds if taint can flow from `instrIn` to `instrOut` through a call to a * Holds if taint can flow from `instrIn` to `instrOut` through a call to a
* modeled function. * modeled function.
*/ */
predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) { predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut | exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
( (
nodeIn = callInput(call, modelIn) nodeIn = callInput(call, modelIn)
or or
exists(int n | exists(int n |
modelIn.isParameterDeref(n) and modelIn.isParameterDerefOrQualifierObject(n) and
nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n)) if n = -1
then nodeIn = callInput(call, any(InQualifierObject inQualifier))
else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
) )
) and ) and
nodeOut.asInstruction() = callOutput(call, modelOut) and nodeOut = callOutput(call, modelOut) and
call.getStaticCallTarget() = func and call.getStaticCallTarget() = func and
func.hasTaintFlow(modelIn, modelOut) func.hasTaintFlow(modelIn, modelOut)
) )
@@ -135,11 +188,29 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
int indexMid, InParameter modelMidIn, OutReturnValue modelOut int indexMid, InParameter modelMidIn, OutReturnValue modelOut
| |
nodeIn = callInput(call, modelIn) and nodeIn = callInput(call, modelIn) and
nodeOut.asInstruction() = callOutput(call, modelOut) and nodeOut = callOutput(call, modelOut) and
call.getStaticCallTarget() = func and call.getStaticCallTarget() = func and
func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and
func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and
modelMidOut.isParameterDeref(indexMid) and modelMidOut.isParameterDeref(indexMid) and
modelMidIn.isParameter(indexMid) modelMidIn.isParameter(indexMid)
) )
or
// Taint flow from a pointer argument to an output, when the model specifies flow from the deref
// to that output, but the deref is not modeled in the IR for the caller.
exists(
CallInstruction call, ReadSideEffectInstruction read, Function func, FunctionInput modelIn,
FunctionOutput modelOut
|
read.getSideEffectOperand() = callInput(call, modelIn) and
read.getArgumentDef() = nodeIn.getDef() and
not read.getSideEffect().isResultModeled() and
call.getStaticCallTarget() = func and
(
func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
or
func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
) and
nodeOut = callOutput(call, modelOut)
)
} }

View File

@@ -0,0 +1,115 @@
/**
* Provides an implementation of global (interprocedural) taint tracking.
* This file re-exports the local (intraprocedural) taint-tracking analysis
* from `TaintTrackingParameter::Public` and adds a global analysis, mainly
* exposed through the `Configuration` class. For some languages, this file
* exists in several identical copies, allowing queries to use multiple
* `Configuration` classes that depend on each other without introducing
* mutual recursion among those configurations.
*/
import TaintTrackingParameter::Public
private import TaintTrackingParameter::Private
/**
* A configuration of interprocedural taint tracking analysis. This defines
* sources, sinks, and any other configurable aspect of the analysis. Each
* use of the taint tracking library must define its own unique extension of
* this abstract class.
*
* A taint-tracking configuration is a special data flow configuration
* (`DataFlow::Configuration`) that allows for flow through nodes that do not
* necessarily preserve values but are still relevant from a taint tracking
* perspective. (For example, string concatenation, where one of the operands
* is tainted.)
*
* To create a configuration, extend this class with a subclass whose
* characteristic predicate is a unique singleton string. For example, write
*
* ```ql
* class MyAnalysisConfiguration extends TaintTracking::Configuration {
* MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
* // Override `isSource` and `isSink`.
* // Optionally override `isSanitizer`.
* // Optionally override `isSanitizerIn`.
* // Optionally override `isSanitizerOut`.
* // Optionally override `isSanitizerGuard`.
* // Optionally override `isAdditionalTaintStep`.
* }
* ```
*
* Then, to query whether there is flow between some `source` and `sink`,
* write
*
* ```ql
* exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
* ```
*
* Multiple configurations can coexist, but it is unsupported to depend on
* another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
* overridden predicates that define sources, sinks, or additional steps.
* Instead, the dependency should go to a `TaintTracking2::Configuration` or a
* `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
*/
abstract class Configuration extends DataFlow::Configuration {
bindingset[this]
Configuration() { any() }
/**
* Holds if `source` is a relevant taint source.
*
* The smaller this predicate is, the faster `hasFlow()` will converge.
*/
// overridden to provide taint-tracking specific qldoc
abstract override predicate isSource(DataFlow::Node source);
/**
* Holds if `sink` is a relevant taint sink.
*
* The smaller this predicate is, the faster `hasFlow()` will converge.
*/
// overridden to provide taint-tracking specific qldoc
abstract override predicate isSink(DataFlow::Node sink);
/** Holds if the node `node` is a taint sanitizer. */
predicate isSanitizer(DataFlow::Node node) { none() }
final override predicate isBarrier(DataFlow::Node node) {
isSanitizer(node) or
defaultTaintSanitizer(node)
}
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
predicate isSanitizerOut(DataFlow::Node node) { none() }
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
/**
* Holds if the additional taint propagation step from `node1` to `node2`
* must be taken into account in the analysis.
*/
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalTaintStep(node1, node2) or
defaultAdditionalTaintStep(node1, node2)
}
/**
* Holds if taint may flow from `source` to `sink` for this configuration.
*/
// overridden to provide taint-tracking specific qldoc
override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
super.hasFlow(source, sink)
}
}

View File

@@ -0,0 +1,5 @@
import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
module Private {
import semmle.code.cpp.ir.dataflow.DataFlow3::DataFlow3 as DataFlow
}

View File

@@ -15,9 +15,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction { private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) } Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
override predicate hasArrayWithVariableSize(int bufParam, int countParam) { override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 1 }
bufParam = 1 and countParam = 2
}
override predicate hasArrayInput(int bufParam) { bufParam = 1 } override predicate hasArrayInput(int bufParam) { bufParam = 1 }
@@ -46,8 +44,8 @@ private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEf
i = 1 and buffer = false i = 1 and buffer = false
} }
override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 } // NOTE: The size parameter is a pointer to the size. So we can't implement `getParameterSizeIndex` for
// this model.
// NOTE: We implement thse two predicates as none because we can't model the low-level changes made to // NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
// the structure pointed to by the file-descriptor argument. // the structure pointed to by the file-descriptor argument.
override predicate hasOnlySpecificReadSideEffects() { none() } override predicate hasOnlySpecificReadSideEffects() { none() }

View File

@@ -1,10 +1,35 @@
import semmle.code.cpp.models.interfaces.Taint import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.PointerWrapper
/** /**
* The `std::shared_ptr` and `std::unique_ptr` template classes. * The `std::shared_ptr` and `std::unique_ptr` template classes.
*/ */
private class UniqueOrSharedPtr extends Class { private class UniqueOrSharedPtr extends Class, PointerWrapper {
UniqueOrSharedPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "unique_ptr"]) } UniqueOrSharedPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "unique_ptr"]) }
override MemberFunction getAnUnwrapperFunction() {
result.(OverloadedPointerDereferenceFunction).getDeclaringType() = this
or
result.getClassAndName(["operator->", "get"]) = this
}
}
/** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
private class PointerWrapperDataFlow extends DataFlowFunction {
PointerWrapperDataFlow() {
this = any(PointerWrapper wrapper).getAnUnwrapperFunction() and
not this.getUnspecifiedType() instanceof ReferenceType
}
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
input.isQualifierAddress() and output.isReturnValue()
or
input.isQualifierObject() and output.isReturnValueDeref()
or
input.isReturnValueDeref() and
output.isQualifierObject()
}
} }
/** /**

View File

@@ -0,0 +1,14 @@
/** Provides classes for modeling pointer wrapper types and expressions. */
private import cpp
/** A class that wraps a pointer type. For example, `std::unique_ptr` and `std::shared_ptr`. */
abstract class PointerWrapper extends Class {
/**
* Gets a member function of this class that returns the wrapped pointer, if any.
*
* This includes both functions that return the wrapped pointer by value, and functions
* that return a reference to the pointed-to object.
*/
abstract MemberFunction getAnUnwrapperFunction();
}

View File

@@ -14,8 +14,8 @@ using namespace std;
void* operator new(std::size_t _Size); void* operator new(std::size_t _Size);
void* operator new[](std::size_t _Size); void* operator new[](std::size_t _Size);
void* operator new( std::size_t count, const std::nothrow_t& tag ); void* operator new( std::size_t count, const std::nothrow_t& tag ) noexcept;
void* operator new[]( std::size_t count, const std::nothrow_t& tag ); void* operator new[]( std::size_t count, const std::nothrow_t& tag ) noexcept;
void badNew_0_0() void badNew_0_0()
{ {

View File

@@ -6,6 +6,7 @@
import cpp import cpp
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
import TestUtilities.InlineExpectationsTest import TestUtilities.InlineExpectationsTest
predicate isSink(Element sink) { predicate isSink(Element sink) {
@@ -17,7 +18,13 @@ predicate isSink(Element sink) {
predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) } predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
predicate irTaint(Expr source, Element sink) { IRDefaultTaintTracking::tainted(source, sink) } class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { any() }
}
predicate irTaint(Expr source, Element sink) {
TaintedWithPath::taintedWithPath(source, sink, _, _)
}
class IRDefaultTaintTrackingTest extends InlineExpectationsTest { class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" } IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }

View File

@@ -19,7 +19,7 @@ int main() {
char untainted_buf[100] = ""; char untainted_buf[100] = "";
char buf[100] = "VAR = "; char buf[100] = "VAR = ";
sink(strcat(buf, getenv("VAR"))); // $ ast,ir sink(strcat(buf, getenv("VAR"))); // $ ast MISSING: ir
sink(buf); // $ ast,ir sink(buf); // $ ast,ir
sink(untainted_buf); // the two buffers would be conflated if we added flow through all partial chi inputs sink(untainted_buf); // the two buffers would be conflated if we added flow through all partial chi inputs
@@ -250,12 +250,12 @@ void sink(iovec);
int test_readv_and_writev(iovec* iovs) { int test_readv_and_writev(iovec* iovs) {
readv(0, iovs, 16); readv(0, iovs, 16);
sink(iovs); // $ast,ir sink(iovs); // $ast,ir
sink(iovs[0]); // $ast MISSING: ir sink(iovs[0]); // $ast,ir
sink(*iovs); // $ast MISSING: ir sink(*iovs); // $ast,ir
char* p = (char*)iovs[1].iov_base; char* p = (char*)iovs[1].iov_base;
sink(p); // $ MISSING: ast,ir sink(p); // $ ir MISSING: ast
sink(*p); // $ MISSING: ast,ir sink(*p); // $ ir MISSING: ast
writev(0, iovs, 16); // $ remote writev(0, iovs, 16); // $ remote
} }

View File

@@ -73,7 +73,7 @@ void test_string()
sink(b); // clean sink(b); // clean
sink(c); // $ ir MISSING: ast sink(c); // $ ir MISSING: ast
sink(b.c_str()); // clean sink(b.c_str()); // clean
sink(c.c_str()); // $ MISSING: ast,ir sink(c.c_str()); // $ ir MISSING: ast
} }
void test_stringstream() void test_stringstream()
@@ -93,10 +93,10 @@ void test_stringstream()
sink(ss4); // $ ir MISSING: ast sink(ss4); // $ ir MISSING: ast
sink(ss5); // $ ir MISSING: ast sink(ss5); // $ ir MISSING: ast
sink(ss1.str()); sink(ss1.str());
sink(ss2.str()); // $ MISSING: ast,ir sink(ss2.str()); // $ ir MISSING: ast
sink(ss3.str()); // $ MISSING: ast,ir sink(ss3.str()); // $ MISSING: ast,ir
sink(ss4.str()); // $ MISSING: ast,ir sink(ss4.str()); // $ ir MISSING: ast
sink(ss5.str()); // $ MISSING: ast,ir sink(ss5.str()); // $ ir MISSING: ast
} }
void test_stringstream_int(int source) void test_stringstream_int(int source)
@@ -123,14 +123,14 @@ void sink(const char *filename, const char *mode);
void test_strings2() void test_strings2()
{ {
string path1 = user_input(); string path1 = user_input();
sink(path1.c_str(), "r"); // $ MISSING: ast,ir sink(path1.c_str(), "r"); // $ ir MISSING: ast
string path2; string path2;
path2 = user_input(); path2 = user_input();
sink(path2.c_str(), "r"); // $ MISSING: ast,ir sink(path2.c_str(), "r"); // $ ir MISSING: ast
string path3(user_input()); string path3(user_input());
sink(path3.c_str(), "r"); // $ MISSING: ast,ir sink(path3.c_str(), "r"); // $ ir MISSING: ast
} }
void test_string3() void test_string3()
@@ -154,6 +154,6 @@ void test_string4()
// convert back std::string -> char * // convert back std::string -> char *
cs = ss.c_str(); cs = ss.c_str();
sink(cs); // $ ast MISSING: ir sink(cs); // $ ast,ir
sink(ss); // $ ir MISSING: ast sink(ss); // $ ir MISSING: ast
} }

View File

@@ -7,9 +7,10 @@
import cpp import cpp
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
import TestUtilities.InlineExpectationsTest import TestUtilities.InlineExpectationsTest
predicate isSink(Element sink) { predicate argToSinkCall(Element sink) {
exists(FunctionCall call | exists(FunctionCall call |
call.getTarget().getName() = "sink" and call.getTarget().getName() = "sink" and
sink = call.getAnArgument() sink = call.getAnArgument()
@@ -17,11 +18,15 @@ predicate isSink(Element sink) {
} }
predicate astTaint(Expr source, Element sink) { predicate astTaint(Expr source, Element sink) {
ASTTaintTracking::tainted(source, sink) and isSink(sink) ASTTaintTracking::tainted(source, sink) and argToSinkCall(sink)
}
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { argToSinkCall(e) }
} }
predicate irTaint(Expr source, Element sink) { predicate irTaint(Expr source, Element sink) {
IRDefaultTaintTracking::tainted(source, sink) and isSink(sink) TaintedWithPath::taintedWithPath(source, sink, _, _)
} }
class IRDefaultTaintTrackingTest extends InlineExpectationsTest { class IRDefaultTaintTrackingTest extends InlineExpectationsTest {

View File

@@ -1,19 +1,42 @@
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | AST only |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only | | test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only | | test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only | | test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only | | test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only | | test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | AST only |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only | | test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only | | test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only | | test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only | | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only | | test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only | | test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only | | test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only | | test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | AST only |
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only | | test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | AST only |
| test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only | | test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only |
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only | | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only | | test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only | | test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only | | test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |

View File

@@ -2,14 +2,18 @@ import semmle.code.cpp.security.TaintTrackingImpl as AST
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IR import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IR
import cpp import cpp
class SourceConfiguration extends IR::TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { any() }
}
from Expr source, Element tainted, string side from Expr source, Element tainted, string side
where where
AST::taintedIncludingGlobalVars(source, tainted, _) and AST::taintedIncludingGlobalVars(source, tainted, _) and
not IR::taintedIncludingGlobalVars(source, tainted, _) and not IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
not tainted.getLocation().getFile().getExtension() = "h" and not tainted.getLocation().getFile().getExtension() = "h" and
side = "AST only" side = "AST only"
or or
IR::taintedIncludingGlobalVars(source, tainted, _) and IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
not AST::taintedIncludingGlobalVars(source, tainted, _) and not AST::taintedIncludingGlobalVars(source, tainted, _) and
not tainted.getLocation().getFile().getExtension() = "h" and not tainted.getLocation().getFile().getExtension() = "h" and
side = "IR only" side = "IR only"

View File

@@ -1,71 +1,48 @@
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp | | | test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... | | | test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr | | | test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | | | test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | | | test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv | | | test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... | | | test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr | | | test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | | | test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | | | test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | | | test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv | | | test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... | | | test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr | | | test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... | | | test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp | | | test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... | | | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal | | | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | | | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | | | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | | | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName | | | test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | | | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi | | | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | | | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | |
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | |
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets | |
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | |
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | |
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy | |

View File

@@ -1,7 +1,11 @@
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
from Expr source, Element tainted, string globalVar class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { any() }
}
from Expr source, Element tainted
where where
taintedIncludingGlobalVars(source, tainted, globalVar) and TaintedWithPath::taintedWithPath(source, tainted, _, _) and
not tainted.getLocation().getFile().getExtension() = "h" not tainted.getLocation().getFile().getExtension() = "h"
select source, tainted, globalVar select source, tainted

View File

@@ -0,0 +1,127 @@
namespace std {
namespace detail {
template<typename T>
class compressed_pair_element {
T element;
public:
compressed_pair_element() = default;
compressed_pair_element(const T& t) : element(t) {}
T& get() { return element; }
const T& get() const { return element; }
};
template<typename T, typename U>
struct compressed_pair : private compressed_pair_element<T>, private compressed_pair_element<U> {
compressed_pair() = default;
compressed_pair(T& t) : compressed_pair_element<T>(t), compressed_pair_element<U>() {}
compressed_pair(const compressed_pair&) = delete;
compressed_pair(compressed_pair<T, U>&&) noexcept = default;
T& first() { return static_cast<compressed_pair_element<T>&>(*this).get(); }
U& second() { return static_cast<compressed_pair_element<U>&>(*this).get(); }
const T& first() const { return static_cast<const compressed_pair_element<T>&>(*this).get(); }
const U& second() const { return static_cast<const compressed_pair_element<U>&>(*this).get(); }
};
}
template<class T>
struct default_delete {
void operator()(T* ptr) const { delete ptr; }
};
template<class T>
struct default_delete<T[]> {
template<class U>
void operator()(U* ptr) const { delete[] ptr; }
};
template<class T, class Deleter = default_delete<T> >
class unique_ptr {
private:
detail::compressed_pair<T*, Deleter> data;
public:
constexpr unique_ptr() noexcept {}
explicit unique_ptr(T* ptr) noexcept : data(ptr) {}
unique_ptr(const unique_ptr& ptr) = delete;
unique_ptr(unique_ptr&& ptr) noexcept = default;
unique_ptr& operator=(unique_ptr&& ptr) noexcept = default;
T& operator*() const { return *get(); }
T* operator->() const noexcept { return get(); }
T* get() const noexcept { return data.first(); }
~unique_ptr() {
Deleter& d = data.second();
d(data.first());
}
};
template<typename T, class... Args> unique_ptr<T> make_unique(Args&&... args) {
return unique_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
}
class ctrl_block {
unsigned uses;
public:
ctrl_block() : uses(1) {}
void inc() { ++uses; }
bool dec() { return --uses == 0; }
virtual void destroy() = 0;
virtual ~ctrl_block() {}
};
template<typename T, class Deleter = default_delete<T> >
struct ctrl_block_impl: public ctrl_block {
T* ptr;
Deleter d;
ctrl_block_impl(T* ptr, Deleter d) : ptr(ptr), d(d) {}
virtual void destroy() override { d(ptr); }
};
template<class T>
class shared_ptr {
private:
ctrl_block* ctrl;
T* ptr;
void dec() {
if(ctrl->dec()) {
ctrl->destroy();
delete ctrl;
}
}
void inc() {
ctrl->inc();
}
public:
constexpr shared_ptr() noexcept = default;
shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}
shared_ptr(const shared_ptr& s) noexcept : ptr(s.ptr), ctrl(s.ctrl) {
inc();
}
shared_ptr(shared_ptr&& s) noexcept = default;
T* operator->() const { return ptr; }
T& operator*() const { return *ptr; }
~shared_ptr() { dec(); }
};
template<typename T, class... Args> shared_ptr<T> make_shared(Args&&... args) {
return shared_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
}
}

View File

@@ -0,0 +1,39 @@
import TestUtilities.dataflow.FlowTestCommon
module ASTTest {
private import semmle.code.cpp.dataflow.TaintTracking
class ASTSmartPointerTaintConfig extends TaintTracking::Configuration {
ASTSmartPointerTaintConfig() { this = "ASTSmartPointerTaintConfig" }
override predicate isSource(DataFlow::Node source) {
source.asExpr().(FunctionCall).getTarget().getName() = "source"
}
override predicate isSink(DataFlow::Node sink) {
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
}
module IRTest {
private import semmle.code.cpp.ir.dataflow.TaintTracking
class IRSmartPointerTaintConfig extends TaintTracking::Configuration {
IRSmartPointerTaintConfig() { this = "IRSmartPointerTaintConfig" }
override predicate isSource(DataFlow::Node source) {
source.asExpr().(FunctionCall).getTarget().getName() = "source"
}
override predicate isSink(DataFlow::Node sink) {
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
}

View File

@@ -0,0 +1,46 @@
#include "memory.h"
int source();
void sink(int);
void test_unique_ptr_int() {
std::unique_ptr<int> p1(new int(source()));
std::unique_ptr<int> p2 = std::make_unique<int>(source());
sink(*p1); // $ MISSING: ast,ir
sink(*p2); // $ ast ir=8:50
}
struct A {
int x, y;
A(int x, int y) : x(x), y(y) {}
};
void test_unique_ptr_struct() {
std::unique_ptr<A> p1(new A{source(), 0});
std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
sink(p1->x); // $ MISSING: ast,ir
sink(p1->y);
sink(p2->x); // $ MISSING: ast,ir
sink(p2->y);
}
void test_shared_ptr_int() {
std::shared_ptr<int> p1(new int(source()));
std::shared_ptr<int> p2 = std::make_shared<int>(source());
sink(*p1); // $ ast
sink(*p2); // $ ast ir=32:50
}
void test_shared_ptr_struct() {
std::shared_ptr<A> p1(new A{source(), 0});
std::shared_ptr<A> p2 = std::make_shared<A>(source(), 0);
sink(p1->x); // $ MISSING: ast,ir
sink(p1->y);
sink(p2->x); // $ MISSING: ast,ir
sink(p2->y);
}

View File

@@ -19,6 +19,6 @@ void test_accept() {
int size = sizeof(sockaddr); int size = sizeof(sockaddr);
int a = accept(s, &addr, &size); int a = accept(s, &addr, &size);
sink(a); // $ ast=17:11 SPURIOUS: ast=18:12 MISSING: ir sink(a); // $ ast=17:11 ir SPURIOUS: ast=18:12
sink(addr); // $ ast MISSING: ir sink(addr); // $ ast,ir
} }

View File

@@ -3260,15 +3260,59 @@
| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT | | smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
| smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p | | | smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p | |
| smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT | | smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
| smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get | TAINT | | smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get | |
| smart_pointer.cpp:52:12:52:14 | ref arg call to get | smart_pointer.cpp:52:10:52:10 | ref arg p | |
| smart_pointer.cpp:56:30:56:50 | call to make_unique | smart_pointer.cpp:57:10:57:10 | p | | | smart_pointer.cpp:56:30:56:50 | call to make_unique | smart_pointer.cpp:57:10:57:10 | p | |
| smart_pointer.cpp:56:52:56:57 | call to source | smart_pointer.cpp:56:30:56:50 | call to make_unique | TAINT | | smart_pointer.cpp:56:52:56:57 | call to source | smart_pointer.cpp:56:30:56:50 | call to make_unique | TAINT |
| smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get | TAINT | | smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get | |
| smart_pointer.cpp:57:12:57:14 | ref arg call to get | smart_pointer.cpp:57:10:57:10 | ref arg p | |
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:66:10:66:10 | p | | | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:66:10:66:10 | p | |
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p | | | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p | |
| smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT | | smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
| smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT | | smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
| smart_pointer.cpp:66:10:66:10 | p | smart_pointer.cpp:66:11:66:11 | call to operator-> | |
| smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p | | | smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p | |
| smart_pointer.cpp:67:10:67:10 | p | smart_pointer.cpp:67:11:67:11 | call to operator-> | |
| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:77:3:77:3 | p | |
| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:78:8:78:8 | p | |
| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:79:8:79:8 | p | |
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:81:3:81:3 | q | |
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:82:8:82:8 | q | |
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:83:8:83:8 | q | |
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:84:8:84:8 | q | |
| smart_pointer.cpp:77:3:77:3 | p | smart_pointer.cpp:77:4:77:4 | call to operator-> | |
| smart_pointer.cpp:77:3:77:3 | ref arg p | smart_pointer.cpp:78:8:78:8 | p | |
| smart_pointer.cpp:77:3:77:3 | ref arg p | smart_pointer.cpp:79:8:79:8 | p | |
| smart_pointer.cpp:77:3:77:17 | ... = ... | smart_pointer.cpp:77:6:77:6 | x [post update] | |
| smart_pointer.cpp:77:3:77:17 | ... = ... | smart_pointer.cpp:78:11:78:11 | x | |
| smart_pointer.cpp:77:4:77:4 | call to operator-> [post update] | smart_pointer.cpp:77:3:77:3 | ref arg p | |
| smart_pointer.cpp:77:10:77:15 | call to source | smart_pointer.cpp:77:3:77:17 | ... = ... | |
| smart_pointer.cpp:78:8:78:8 | p | smart_pointer.cpp:78:9:78:9 | call to operator-> | |
| smart_pointer.cpp:78:8:78:8 | ref arg p | smart_pointer.cpp:79:8:79:8 | p | |
| smart_pointer.cpp:79:8:79:8 | p | smart_pointer.cpp:79:9:79:9 | call to operator-> | |
| smart_pointer.cpp:81:3:81:3 | q | smart_pointer.cpp:81:4:81:4 | call to operator-> | |
| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:82:8:82:8 | q | |
| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:83:8:83:8 | q | |
| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:84:8:84:8 | q | |
| smart_pointer.cpp:81:3:81:20 | ... = ... | smart_pointer.cpp:81:9:81:9 | x [post update] | |
| smart_pointer.cpp:81:3:81:20 | ... = ... | smart_pointer.cpp:82:14:82:14 | x | |
| smart_pointer.cpp:81:4:81:4 | call to operator-> [post update] | smart_pointer.cpp:81:3:81:3 | ref arg q | |
| smart_pointer.cpp:81:13:81:18 | call to source | smart_pointer.cpp:81:3:81:20 | ... = ... | |
| smart_pointer.cpp:82:8:82:8 | q | smart_pointer.cpp:82:9:82:9 | call to operator-> | |
| smart_pointer.cpp:82:8:82:8 | ref arg q | smart_pointer.cpp:83:8:83:8 | q | |
| smart_pointer.cpp:82:8:82:8 | ref arg q | smart_pointer.cpp:84:8:84:8 | q | |
| smart_pointer.cpp:83:8:83:8 | q | smart_pointer.cpp:83:9:83:9 | call to operator-> | |
| smart_pointer.cpp:83:8:83:8 | ref arg q | smart_pointer.cpp:84:8:84:8 | q | |
| smart_pointer.cpp:84:8:84:8 | q | smart_pointer.cpp:84:9:84:9 | call to operator-> | |
| smart_pointer.cpp:87:17:87:18 | pa | smart_pointer.cpp:88:5:88:6 | pa | |
| smart_pointer.cpp:88:5:88:20 | ... = ... | smart_pointer.cpp:88:9:88:9 | x [post update] | |
| smart_pointer.cpp:88:13:88:18 | call to source | smart_pointer.cpp:88:5:88:20 | ... = ... | |
| smart_pointer.cpp:92:25:92:50 | call to unique_ptr | smart_pointer.cpp:93:11:93:11 | p | |
| smart_pointer.cpp:92:25:92:50 | call to unique_ptr | smart_pointer.cpp:94:8:94:8 | p | |
| smart_pointer.cpp:93:11:93:11 | p | smart_pointer.cpp:93:13:93:15 | call to get | |
| smart_pointer.cpp:93:11:93:11 | ref arg p | smart_pointer.cpp:94:8:94:8 | p | |
| smart_pointer.cpp:93:13:93:15 | ref arg call to get | smart_pointer.cpp:93:11:93:11 | ref arg p | |
| smart_pointer.cpp:94:8:94:8 | p | smart_pointer.cpp:94:9:94:9 | call to operator-> | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 | | | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 | | | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 | |
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 | | | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 | |

View File

@@ -152,8 +152,8 @@ void test_map()
for (i2 = m2.begin(); i2 != m2.end(); i2++) for (i2 = m2.begin(); i2 != m2.end(); i2++)
{ {
sink(*i2); // $ ast,ir sink(*i2); // $ ast,ir
sink(i2->first); // $ SPURIOUS: ir sink(i2->first); // clean
sink(i2->second); // $ ir MISSING: ast sink(i2->second); // $ MISSING: ast,ir
} }
for (i3 = m3.begin(); i3 != m3.end(); i3++) for (i3 = m3.begin(); i3 != m3.end(); i3++)
{ {
@@ -304,8 +304,8 @@ void test_unordered_map()
for (i2 = m2.begin(); i2 != m2.end(); i2++) for (i2 = m2.begin(); i2 != m2.end(); i2++)
{ {
sink(*i2); // $ ast,ir sink(*i2); // $ ast,ir
sink(i2->first); // $ SPURIOUS: ir sink(i2->first); // clean
sink(i2->second); // $ ir MISSING: ast sink(i2->second); // $ MISSING: ast,ir
} }
for (i3 = m3.begin(); i3 != m3.end(); i3++) for (i3 = m3.begin(); i3 != m3.end(); i3++)
{ {

View File

@@ -66,3 +66,30 @@ void test_shared_field_member() {
sink(p->x); // $ MISSING: ast,ir sink(p->x); // $ MISSING: ast,ir
sink(p->y); // not tainted sink(p->y); // not tainted
} }
struct B {
A a1;
A a2;
int z;
};
void test_operator_arrow(std::unique_ptr<A> p, std::unique_ptr<B> q) {
p->x = source();
sink(p->x); // $ ast MISSING: ir
sink(p->y);
q->a1.x = source();
sink(q->a1.x); // $ ast MISSING: ir
sink(q->a1.y);
sink(q->a2.x);
}
void taint_x(A* pa) {
pa->x = source();
}
void reverse_taint_smart_pointer() {
std::unique_ptr<A> p = std::unique_ptr<A>(new A);
taint_x(p.get());
sink(p->x); // $ ast MISSING: ir
}

View File

@@ -39,13 +39,13 @@ public:
void test_typedefs(int_iterator_by_typedefs source1) { void test_typedefs(int_iterator_by_typedefs source1) {
sink(*source1); // $ ast,ir sink(*source1); // $ ast,ir
sink(*(source1++)); // $ ast,ir sink(*(source1++)); // $ ast,ir
sink(*(++source1)); // $ ast MISSING: ir sink(*(++source1)); // $ ast,ir
} }
void test_trait(int_iterator_by_trait source1) { void test_trait(int_iterator_by_trait source1) {
sink(*source1); // $ ast,ir sink(*source1); // $ ast,ir
sink(*(source1++)); // $ ast,ir sink(*(source1++)); // $ ast,ir
sink(*(++source1)); // $ ast MISSING: ir sink(*(++source1)); // $ ast,ir
} }
void test_non_iterator(non_iterator source1) { void test_non_iterator(non_iterator source1) {

View File

@@ -396,9 +396,9 @@ void test_string_iterators() {
sink(*(i2+1)); // $ ast,ir sink(*(i2+1)); // $ ast,ir
sink(*(i2-1)); // $ ast,ir sink(*(i2-1)); // $ ast,ir
i3 = i2; i3 = i2;
sink(*(++i3)); // $ ast MISSING: ir sink(*(++i3)); // $ ast,ir
i4 = i2; i4 = i2;
sink(*(--i4)); // $ ast MISSING: ir sink(*(--i4)); // $ ast,ir
i5 = i2; i5 = i2;
i5++; i5++;
sink(*i5); // $ ast,ir sink(*i5); // $ ast,ir
@@ -406,9 +406,9 @@ void test_string_iterators() {
i6--; i6--;
sink(*i6); // $ ast,ir sink(*i6); // $ ast,ir
i7 = i2; i7 = i2;
sink(*(i7+=1)); // $ ast MISSING: ir sink(*(i7+=1)); // $ ast,ir
i8 = i2; i8 = i2;
sink(*(i8-=1)); // $ ast MISSING: ir sink(*(i8-=1)); // $ ast,ir
i9 = s2.end(); i9 = s2.end();
--i9; --i9;

View File

@@ -32,18 +32,18 @@ void test_stringstream_string(int amount)
sink(ss2 << source()); // $ ast,ir sink(ss2 << source()); // $ ast,ir
sink(ss3 << "123" << source()); // $ ast,ir sink(ss3 << "123" << source()); // $ ast,ir
sink(ss4 << source() << "456"); // $ ast,ir sink(ss4 << source() << "456"); // $ ast,ir
sink(ss5 << t); // $ ast MISSING: ir sink(ss5 << t); // $ ast,ir
sink(ss1); sink(ss1);
sink(ss2); // $ ast,ir sink(ss2); // $ ast,ir
sink(ss3); // $ ast MISSING: ir sink(ss3); // $ ast MISSING: ir
sink(ss4); // $ ast,ir sink(ss4); // $ ast,ir
sink(ss5); // $ ast MISSING: ir sink(ss5); // $ ast,ir
sink(ss1.str()); sink(ss1.str());
sink(ss2.str()); // $ ast,ir sink(ss2.str()); // $ ast,ir
sink(ss3.str()); // $ ast MISSING: ir sink(ss3.str()); // $ ast MISSING: ir
sink(ss4.str()); // $ ast,ir sink(ss4.str()); // $ ast,ir
sink(ss5.str()); // $ ast MISSING: ir sink(ss5.str()); // $ ast,ir
ss6.str("abc"); ss6.str("abc");
ss6.str(source()); // (overwrites) ss6.str(source()); // (overwrites)
@@ -229,7 +229,7 @@ void test_getline()
sink(ss2.getline(b7, 1000).getline(b8, 1000)); // $ ast,ir sink(ss2.getline(b7, 1000).getline(b8, 1000)); // $ ast,ir
sink(b7); // $ ast,ir sink(b7); // $ ast,ir
sink(b8); // $ ast MISSING: ir sink(b8); // $ ast,ir
sink(getline(ss1, s1)); sink(getline(ss1, s1));
sink(getline(ss2, s2)); // $ ast,ir sink(getline(ss2, s2)); // $ ast,ir
@@ -261,7 +261,7 @@ void test_chaining()
sink(ss1.get(b1, 100).unget().get(b2, 100)); // $ ast,ir sink(ss1.get(b1, 100).unget().get(b2, 100)); // $ ast,ir
sink(b1); // $ ast,ir sink(b1); // $ ast,ir
sink(b2); // $ ast MISSING: ir sink(b2); // $ ast,ir
sink(ss2.write("abc", 3).flush().write(source(), 3).flush().write("xyz", 3)); // $ ast MISSING: ir sink(ss2.write("abc", 3).flush().write(source(), 3).flush().write("xyz", 3)); // $ ast MISSING: ir
sink(ss2); // $ ast MISSING: ir sink(ss2); // $ ast MISSING: ir

View File

@@ -192,7 +192,7 @@ void *memcpy(void *dest, void *src, int len);
void test_memcpy(int *source) { void test_memcpy(int *source) {
int x; int x;
memcpy(&x, source, sizeof(int)); memcpy(&x, source, sizeof(int));
sink(x); // $ ast=192:23 MISSING: ir SPURIOUS: ast=193:6 sink(x); // $ ast=192:23 ir SPURIOUS: ast=193:6
} }
// --- std::swap --- // --- std::swap ---
@@ -369,9 +369,9 @@ void test_strdup(char *source)
a = strdup(source); a = strdup(source);
b = strdup("hello, world"); b = strdup("hello, world");
c = strndup(source, 100); c = strndup(source, 100);
sink(a); // $ ast MISSING: ir sink(a); // $ ast,ir
sink(b); sink(b);
sink(c); // $ ast MISSING: ir sink(c); // $ ast,ir
} }
void test_strndup(int source) void test_strndup(int source)
@@ -388,7 +388,7 @@ void test_wcsdup(wchar_t *source)
a = wcsdup(source); a = wcsdup(source);
b = wcsdup(L"hello, world"); b = wcsdup(L"hello, world");
sink(a); // $ ast MISSING: ir sink(a); // $ ast,ir
sink(b); sink(b);
} }
@@ -518,7 +518,7 @@ void *mempcpy(void *dest, const void *src, size_t n);
void test_mempcpy(int *source) { void test_mempcpy(int *source) {
int x; int x;
mempcpy(&x, source, sizeof(int)); mempcpy(&x, source, sizeof(int));
sink(x); // $ ast=518:24 MISSING: ir SPURIOUS: ast=519:6 sink(x); // $ ast=518:24 ir SPURIOUS: ast=519:6
} }
// --- memccpy --- // --- memccpy ---
@@ -528,7 +528,7 @@ void *memccpy(void *dest, const void *src, int c, size_t n);
void test_memccpy(int *source) { void test_memccpy(int *source) {
int dest[16]; int dest[16];
memccpy(dest, source, 42, sizeof(dest)); memccpy(dest, source, 42, sizeof(dest));
sink(dest); // $ ast=528:24 MISSING: ir SPURIOUS: ast=529:6 sink(dest); // $ ast=528:24 ir SPURIOUS: ast=529:6
} }
// --- strcat and related functions --- // --- strcat and related functions ---

View File

@@ -0,0 +1,7 @@
void accept(int arg, char *buf, unsigned long* bufSize);
void testAccept(int socket1, int socket2)
{
char buffer[1024];
accept(socket2, 0, 0);
}

View File

@@ -10,3 +10,4 @@
| test.cpp:89:18:89:23 | call to malloc | This memory is never freed | | test.cpp:89:18:89:23 | call to malloc | This memory is never freed |
| test.cpp:156:3:156:26 | new | This memory is never freed | | test.cpp:156:3:156:26 | new | This memory is never freed |
| test.cpp:157:3:157:26 | new[] | This memory is never freed | | test.cpp:157:3:157:26 | new[] | This memory is never freed |
| test.cpp:167:14:167:19 | call to strdup | This memory is never freed |

View File

@@ -156,3 +156,15 @@ int overloadedNew() {
new(std::nothrow) int(3); // BAD new(std::nothrow) int(3); // BAD
new(std::nothrow) int[2]; // BAD new(std::nothrow) int[2]; // BAD
} }
// --- strdup ---
char *strdup(const char *s1);
void output_msg(const char *msg);
void test_strdup() {
char msg[] = "OctoCat";
char *cpy = strdup(msg); // BAD
output_msg(cpy);
}

View File

@@ -19,3 +19,7 @@
| test.cpp:144:32:144:36 | ... = ... | Use of '=' where '==' may have been intended. | | test.cpp:144:32:144:36 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:150:32:150:36 | ... = ... | Use of '=' where '==' may have been intended. | | test.cpp:150:32:150:36 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:153:46:153:50 | ... = ... | Use of '=' where '==' may have been intended. | | test.cpp:153:46:153:50 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:166:22:166:27 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:168:24:168:29 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:169:23:169:28 | ... = ... | Use of '=' where '==' may have been intended. |
| test.cpp:171:7:171:12 | ... = ... | Use of '=' where '==' may have been intended. |

View File

@@ -153,3 +153,21 @@ void f3(int x, int y) {
if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD
} }
} }
bool use(int);
void f4(int x, bool b) {
if((x = 10) && use(x)) {} // GOOD: This is likely just a short-hand way of writing an assignment
// followed by a boolean check.
if((x = 10) && b && use(x)) {} // GOOD: Same reason as above
if((x = 10) && use(x) && b) {} // GOOD: Same reason as above
if((x = 10) && (use(x) && b)) {} // GOOD: Same reason as above
if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison.
// This doesn't match the usual pattern.
if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above
if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above
if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in
// a boolean check.
}

View File

@@ -3,11 +3,15 @@ edges
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... | | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
nodes nodes
| test.c:9:23:9:26 | argv | semmle.label | argv | | test.c:9:23:9:26 | argv | semmle.label | argv |
| test.c:9:23:9:26 | argv | semmle.label | argv | | test.c:9:23:9:26 | argv | semmle.label | argv |
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... | | test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... | | test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
| test.c:17:11:17:18 | fileName | semmle.label | fileName | | test.c:17:11:17:18 | fileName | semmle.label | fileName |
| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
#select #select
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) | | test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |

View File

@@ -1,13 +1,17 @@
edges edges
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | (const char *)... | | search.c:14:24:14:28 | *query | search.c:17:8:17:12 | (const char *)... |
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query | | search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query |
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query indirection |
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... | | search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query | | search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query | | search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query indirection |
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query | | search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query | | search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query indirection |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query | | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query | | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query indirection |
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query | | search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query | | search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection | | search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
@@ -28,11 +32,15 @@ nodes
| search.c:17:8:17:12 | query | semmle.label | query | | search.c:17:8:17:12 | query | semmle.label | query |
| search.c:17:8:17:12 | query | semmle.label | query | | search.c:17:8:17:12 | query | semmle.label | query |
| search.c:17:8:17:12 | query | semmle.label | query | | search.c:17:8:17:12 | query | semmle.label | query |
| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
| search.c:22:24:22:28 | *query | semmle.label | *query | | search.c:22:24:22:28 | *query | semmle.label | *query |
| search.c:22:24:22:28 | query | semmle.label | query | | search.c:22:24:22:28 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query | | search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query | | search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query | | search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv | | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv | | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:55:5:55:15 | raw_query | semmle.label | raw_query | | search.c:55:5:55:15 | raw_query | semmle.label | raw_query |

View File

@@ -3,11 +3,15 @@ edges
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... | | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
nodes nodes
| test.c:15:20:15:23 | argv | semmle.label | argv | | test.c:15:20:15:23 | argv | semmle.label | argv |
| test.c:15:20:15:23 | argv | semmle.label | argv | | test.c:15:20:15:23 | argv | semmle.label | argv |
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... | | test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... | | test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:21:18:21:23 | query1 | semmle.label | query1 | | test.c:21:18:21:23 | query1 | semmle.label | query1 |
| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
#select #select
| test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) | | test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |

View File

@@ -1,12 +1,16 @@
edges edges
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command | | test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command | | test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command indirection |
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command | | test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command | | test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command indirection |
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command | | test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command | | test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command indirection |
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command | | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command | | test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command indirection |
| test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command | | test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command |
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv | | test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv |
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection | | test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection |
@@ -21,31 +25,55 @@ edges
| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command | | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command |
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... | | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer | | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer indirection |
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... | | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... |
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data indirection |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... | | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer | | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... | | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data | | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... | | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... |
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer indirection |
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | (const char *)... | | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | (const char *)... |
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data |
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data indirection |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | (const char *)... | | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | (const char *)... |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer | | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... | | test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data | | test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data indirection |
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | (const char *)... |
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer indirection |
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | (const char *)... |
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | (const char *)... |
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer indirection |
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | (const char *)... |
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
nodes nodes
| test.cpp:24:30:24:36 | *command | semmle.label | *command | | test.cpp:24:30:24:36 | *command | semmle.label | *command |
| test.cpp:24:30:24:36 | command | semmle.label | command | | test.cpp:24:30:24:36 | command | semmle.label | command |
| test.cpp:26:10:26:16 | command | semmle.label | command | | test.cpp:26:10:26:16 | command | semmle.label | command |
| test.cpp:26:10:26:16 | command | semmle.label | command | | test.cpp:26:10:26:16 | command | semmle.label | command |
| test.cpp:26:10:26:16 | command | semmle.label | command | | test.cpp:26:10:26:16 | command | semmle.label | command |
| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
| test.cpp:29:30:29:36 | *command | semmle.label | *command | | test.cpp:29:30:29:36 | *command | semmle.label | *command |
| test.cpp:29:30:29:36 | command | semmle.label | command | | test.cpp:29:30:29:36 | command | semmle.label | command |
| test.cpp:31:10:31:16 | command | semmle.label | command | | test.cpp:31:10:31:16 | command | semmle.label | command |
| test.cpp:31:10:31:16 | command | semmle.label | command | | test.cpp:31:10:31:16 | command | semmle.label | command |
| test.cpp:31:10:31:16 | command | semmle.label | command | | test.cpp:31:10:31:16 | command | semmle.label | command |
| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
| test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv | | test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv |
| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv | | test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... | | test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
@@ -59,17 +87,39 @@ nodes
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... | | test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... | | test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:62:10:62:15 | buffer | semmle.label | buffer | | test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... | | test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... | | test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:63:10:63:13 | data | semmle.label | data | | test.cpp:63:10:63:13 | data | semmle.label | data |
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
| test.cpp:76:12:76:17 | buffer | semmle.label | buffer | | test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
| test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument | | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... | | test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... | | test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:78:10:78:15 | buffer | semmle.label | buffer | | test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... | | test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... | | test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:79:10:79:13 | data | semmle.label | data | | test.cpp:79:10:79:13 | data | semmle.label | data |
| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
| test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
| test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
#select #select
| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv | | test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv | | test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
@@ -77,3 +127,5 @@ nodes
| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer | | test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer | | test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
| test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer | | test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:98:17:98:22 | buffer | buffer |
| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:106:17:106:22 | buffer | buffer |

View File

@@ -81,3 +81,29 @@ void testReferencePointer2()
system(data2); // BAD [NOT DETECTED] system(data2); // BAD [NOT DETECTED]
} }
} }
// ---
typedef unsigned long size_t;
void accept(int arg, char *buf, size_t *bufSize);
void recv(int arg, char *buf, size_t bufSize);
void LoadLibrary(const char *arg);
void testAcceptRecv(int socket1, int socket2)
{
{
char buffer[1024];
recv(socket1, buffer, 1024);
LoadLibrary(buffer); // BAD: using data from recv
}
{
char buffer[1024];
accept(socket2, 0, 0);
recv(socket2, buffer, 1024);
LoadLibrary(buffer); // BAD: using data from recv
}
}

View File

@@ -5,16 +5,50 @@ edges
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 |
| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 indirection |
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 |
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 indirection |
| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 |
| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 |
| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 |
| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 |
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
nodes nodes
| tests.c:28:22:28:25 | argv | semmle.label | argv | | tests.c:28:22:28:25 | argv | semmle.label | argv |
| tests.c:28:22:28:25 | argv | semmle.label | argv | | tests.c:28:22:28:25 | argv | semmle.label | argv |
@@ -23,21 +57,30 @@ nodes
| tests.c:28:22:28:28 | access to array | semmle.label | access to array | | tests.c:28:22:28:28 | access to array | semmle.label | access to array |
| tests.c:28:22:28:28 | access to array | semmle.label | access to array | | tests.c:28:22:28:28 | access to array | semmle.label | access to array |
| tests.c:28:22:28:28 | access to array | semmle.label | access to array | | tests.c:28:22:28:28 | access to array | semmle.label | access to array |
| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
| tests.c:29:28:29:31 | argv | semmle.label | argv | | tests.c:29:28:29:31 | argv | semmle.label | argv |
| tests.c:29:28:29:31 | argv | semmle.label | argv | | tests.c:29:28:29:31 | argv | semmle.label | argv |
| tests.c:29:28:29:34 | access to array | semmle.label | access to array | | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
| tests.c:29:28:29:34 | access to array | semmle.label | access to array | | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
| tests.c:29:28:29:34 | access to array | semmle.label | access to array | | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion | | tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion | | tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 | | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 | | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 | | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
| tests.c:31:15:31:23 | scanf output argument | semmle.label | scanf output argument |
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion | | tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion | | tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 | | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 | | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 | | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
| tests.c:34:10:34:13 | argv | semmle.label | argv | | tests.c:34:10:34:13 | argv | semmle.label | argv |
| tests.c:34:10:34:13 | argv | semmle.label | argv | | tests.c:34:10:34:13 | argv | semmle.label | argv |
| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... | | tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
@@ -45,9 +88,16 @@ nodes
| tests.c:34:10:34:16 | access to array | semmle.label | access to array | | tests.c:34:10:34:16 | access to array | semmle.label | access to array |
| tests.c:34:10:34:16 | access to array | semmle.label | access to array | | tests.c:34:10:34:16 | access to array | semmle.label | access to array |
| tests.c:34:10:34:16 | access to array | semmle.label | access to array | | tests.c:34:10:34:16 | access to array | semmle.label | access to array |
| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
#select #select
| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv | | tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv | | tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
| tests.c:31:15:31:23 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
| tests.c:31:15:31:23 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 | | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
| tests.c:33:21:33:29 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
| tests.c:33:21:33:29 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
| tests.c:33:21:33:29 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 | | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv | | tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |

View File

@@ -5,54 +5,76 @@ edges
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array | | argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array indirection |
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array indirection |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array | | argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
@@ -61,10 +83,14 @@ edges
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
@@ -73,36 +99,50 @@ edges
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument | | argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument |
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument | | argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 indirection |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:2:122:13 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:2:122:13 | i4 |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ indirection |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ indirection |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
@@ -111,56 +151,80 @@ edges
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument |
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... indirection |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... | | argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... indirection |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 indirection |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 indirection |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 indirection |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 indirection |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 indirection |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 indirection |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 indirection |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 indirection |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 indirection |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 indirection |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
@@ -176,11 +240,15 @@ nodes
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array | | argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv | | argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv | | argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array | | argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv | | argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv | | argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
@@ -188,9 +256,13 @@ nodes
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 | | argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 | | argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
| argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
| argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv | | argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv | | argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
@@ -198,68 +270,97 @@ nodes
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array | | argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array | | argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
| argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... | | argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... | | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv | | argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 | | argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
| argvLocal.c:117:2:117:13 | i3 | semmle.label | i3 | | argvLocal.c:117:2:117:13 | i3 | semmle.label | i3 |
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 | | argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection | | argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 | | argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
| argvLocal.c:122:2:122:13 | i4 | semmle.label | i4 | | argvLocal.c:122:2:122:13 | i4 | semmle.label | i4 |
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 | | argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection | | argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv | | argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 | | argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
| argvLocal.c:128:2:128:13 | i5 | semmle.label | i5 | | argvLocal.c:128:2:128:13 | i5 | semmle.label | i5 |
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion | | argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 | | argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection | | argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument | | argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... | | argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... | | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ | | argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... | | argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 | | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 | | argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv | | argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv | | argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
@@ -267,36 +368,52 @@ nodes
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 | | argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 | | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv | | argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv | | argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 | | argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
| argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
| argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 | | argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
| argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
| argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv | | argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv | | argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 | | argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
| argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
| argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 | | argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
| argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
| argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv | | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv | | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... | | argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... | | argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... | | argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
| argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
| argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 | | argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... | | argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... | | argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 | | argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |

View File

@@ -1,51 +1,71 @@
edges edges
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 indirection |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 indirection |
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... | | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... |
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 indirection |
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... | | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... |
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 | | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 indirection |
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... | | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... |
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 | | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 indirection |
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... | | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... |
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 indirection |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 indirection |
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 indirection |
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... | | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 indirection |
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... | | funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 | | funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 indirection |
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... | | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 | | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 indirection |
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... | | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 | | funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 indirection |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 | | funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 indirection |
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 indirection |
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... | | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 | | funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 indirection |
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... | | funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 | | funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 indirection |
nodes nodes
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument | | funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 | | funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 | | funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 | | funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 | | funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets | | funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets | | funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument | | funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
@@ -55,11 +75,15 @@ nodes
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 | | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 | | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 | | funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 | | funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 | | funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets | | funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets | | funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument | | funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
@@ -69,9 +93,13 @@ nodes
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 | | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 | | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 | | funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... | | funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 | | funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
#select #select
| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread | | funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets | | funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |

View File

@@ -29,18 +29,23 @@ edges
| globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | *argv | | globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | *argv |
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... | | globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... |
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy | | globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy indirection |
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy | | globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy | | globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy | | globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy indirection |
| globalVars.c:35:2:35:9 | copy | globalVars.c:15:21:15:23 | val | | globalVars.c:35:2:35:9 | copy | globalVars.c:15:21:15:23 | val |
| globalVars.c:35:11:35:14 | copy | globalVars.c:35:2:35:9 | copy | | globalVars.c:35:11:35:14 | copy | globalVars.c:35:2:35:9 | copy |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... | | globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 | | globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 indirection |
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 | | globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 | | globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 | | globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 indirection |
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... | | globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... |
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 | | globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 indirection |
nodes nodes
| globalVars.c:8:7:8:10 | copy | semmle.label | copy | | globalVars.c:8:7:8:10 | copy | semmle.label | copy |
| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 | | globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
@@ -58,9 +63,13 @@ nodes
| globalVars.c:27:9:27:12 | copy | semmle.label | copy | | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
| globalVars.c:27:9:27:12 | copy | semmle.label | copy | | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
| globalVars.c:27:9:27:12 | copy | semmle.label | copy | | globalVars.c:27:9:27:12 | copy | semmle.label | copy |
| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
| globalVars.c:30:15:30:18 | copy | semmle.label | copy | | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
| globalVars.c:30:15:30:18 | copy | semmle.label | copy | | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
| globalVars.c:30:15:30:18 | copy | semmle.label | copy | | globalVars.c:30:15:30:18 | copy | semmle.label | copy |
| globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
| globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
| globalVars.c:35:2:35:9 | copy | semmle.label | copy | | globalVars.c:35:2:35:9 | copy | semmle.label | copy |
| globalVars.c:35:11:35:14 | copy | semmle.label | copy | | globalVars.c:35:11:35:14 | copy | semmle.label | copy |
| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... | | globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
@@ -68,14 +77,20 @@ nodes
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 | | globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 | | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 | | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 | | globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
| globalVars.c:41:15:41:19 | copy2 indirection | semmle.label | copy2 indirection |
| globalVars.c:41:15:41:19 | copy2 indirection | semmle.label | copy2 indirection |
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... | | globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... | | globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 | | globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
#select #select
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv | | globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv | | globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |

View File

@@ -5,66 +5,88 @@ edges
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 indirection |
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 indirection |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 indirection |
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 indirection |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 indirection |
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 indirection |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 indirection |
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 indirection |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 indirection |
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 indirection |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 indirection |
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 indirection |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 indirection |
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 indirection |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 | | ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 indirection |
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 indirection |
nodes nodes
| ifs.c:61:8:61:11 | argv | semmle.label | argv | | ifs.c:61:8:61:11 | argv | semmle.label | argv |
| ifs.c:61:8:61:11 | argv | semmle.label | argv | | ifs.c:61:8:61:11 | argv | semmle.label | argv |
@@ -73,6 +95,8 @@ nodes
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 | | ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
| ifs.c:68:8:68:11 | argv | semmle.label | argv | | ifs.c:68:8:68:11 | argv | semmle.label | argv |
| ifs.c:68:8:68:11 | argv | semmle.label | argv | | ifs.c:68:8:68:11 | argv | semmle.label | argv |
| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
@@ -80,6 +104,8 @@ nodes
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 | | ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 | | ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 | | ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
| ifs.c:74:8:74:11 | argv | semmle.label | argv | | ifs.c:74:8:74:11 | argv | semmle.label | argv |
| ifs.c:74:8:74:11 | argv | semmle.label | argv | | ifs.c:74:8:74:11 | argv | semmle.label | argv |
| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
@@ -87,6 +113,8 @@ nodes
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 | | ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 | | ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 | | ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
| ifs.c:80:8:80:11 | argv | semmle.label | argv | | ifs.c:80:8:80:11 | argv | semmle.label | argv |
| ifs.c:80:8:80:11 | argv | semmle.label | argv | | ifs.c:80:8:80:11 | argv | semmle.label | argv |
| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
@@ -94,6 +122,8 @@ nodes
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 | | ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 | | ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 | | ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
| ifs.c:86:8:86:11 | argv | semmle.label | argv | | ifs.c:86:8:86:11 | argv | semmle.label | argv |
| ifs.c:86:8:86:11 | argv | semmle.label | argv | | ifs.c:86:8:86:11 | argv | semmle.label | argv |
| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
@@ -101,6 +131,8 @@ nodes
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 | | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 | | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 | | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
| ifs.c:92:8:92:11 | argv | semmle.label | argv | | ifs.c:92:8:92:11 | argv | semmle.label | argv |
| ifs.c:92:8:92:11 | argv | semmle.label | argv | | ifs.c:92:8:92:11 | argv | semmle.label | argv |
| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
@@ -108,6 +140,8 @@ nodes
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 | | ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 | | ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 | | ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
| ifs.c:98:8:98:11 | argv | semmle.label | argv | | ifs.c:98:8:98:11 | argv | semmle.label | argv |
| ifs.c:98:8:98:11 | argv | semmle.label | argv | | ifs.c:98:8:98:11 | argv | semmle.label | argv |
| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
@@ -115,6 +149,8 @@ nodes
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 | | ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 | | ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 | | ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
| ifs.c:105:8:105:11 | argv | semmle.label | argv | | ifs.c:105:8:105:11 | argv | semmle.label | argv |
| ifs.c:105:8:105:11 | argv | semmle.label | argv | | ifs.c:105:8:105:11 | argv | semmle.label | argv |
| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
@@ -122,6 +158,8 @@ nodes
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 | | ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 | | ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 | | ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
| ifs.c:111:8:111:11 | argv | semmle.label | argv | | ifs.c:111:8:111:11 | argv | semmle.label | argv |
| ifs.c:111:8:111:11 | argv | semmle.label | argv | | ifs.c:111:8:111:11 | argv | semmle.label | argv |
| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
@@ -129,6 +167,8 @@ nodes
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 | | ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
| ifs.c:117:8:117:11 | argv | semmle.label | argv | | ifs.c:117:8:117:11 | argv | semmle.label | argv |
| ifs.c:117:8:117:11 | argv | semmle.label | argv | | ifs.c:117:8:117:11 | argv | semmle.label | argv |
| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
@@ -136,6 +176,8 @@ nodes
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 | | ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 | | ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 | | ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
| ifs.c:123:8:123:11 | argv | semmle.label | argv | | ifs.c:123:8:123:11 | argv | semmle.label | argv |
| ifs.c:123:8:123:11 | argv | semmle.label | argv | | ifs.c:123:8:123:11 | argv | semmle.label | argv |
| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... | | ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
@@ -143,6 +185,8 @@ nodes
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 | | ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 | | ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 | | ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
#select #select
| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv | | ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv | | ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |

View File

@@ -27,6 +27,24 @@ edges
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
| test.cpp:97:18:97:23 | buffer | test.cpp:100:4:100:15 | buffer |
| test.cpp:97:18:97:23 | buffer | test.cpp:100:17:100:22 | buffer indirection |
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | ... + ... |
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | buffer |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:4:100:15 | buffer |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:17:100:22 | buffer indirection |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | ... + ... |
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | buffer |
| test.cpp:100:4:100:15 | buffer | test.cpp:100:17:100:22 | processData1 output argument |
| test.cpp:100:17:100:22 | buffer indirection | test.cpp:100:17:100:22 | processData1 output argument |
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | ... + ... |
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | buffer |
| test.cpp:101:4:101:15 | ... + ... | test.cpp:75:38:75:40 | end |
| test.cpp:101:4:101:15 | buffer | test.cpp:75:25:75:29 | start |
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... | | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
@@ -106,6 +124,21 @@ nodes
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... | | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... | | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... | | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
| test.cpp:64:25:64:30 | buffer | semmle.label | buffer |
| test.cpp:75:25:75:29 | start | semmle.label | start |
| test.cpp:75:38:75:40 | end | semmle.label | end |
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
| test.cpp:97:18:97:23 | buffer | semmle.label | buffer |
| test.cpp:97:18:97:23 | fread output argument | semmle.label | fread output argument |
| test.cpp:100:4:100:15 | buffer | semmle.label | buffer |
| test.cpp:100:17:100:22 | buffer indirection | semmle.label | buffer indirection |
| test.cpp:100:17:100:22 | processData1 output argument | semmle.label | processData1 output argument |
| test.cpp:101:4:101:15 | ... + ... | semmle.label | ... + ... |
| test.cpp:101:4:101:15 | buffer | semmle.label | buffer |
| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv | | test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... | | test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... | | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
@@ -180,6 +213,7 @@ nodes
| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | | test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | | test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | | test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
| test.cpp:79:9:79:29 | new[] | test.cpp:97:18:97:23 | buffer | test.cpp:79:18:79:28 | ... - ... | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |
| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) | | test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) | | test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) | | test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |

View File

@@ -76,7 +76,7 @@ void processData2(char *start, char *end)
{ {
char *copy; char *copy;
copy = new char[end - start]; // GOOD copy = new char[end - start]; // GOOD [FALSE POSITIVE]
// ... // ...

View File

@@ -28,7 +28,7 @@ void randomTester2()
{ {
int r; int r;
get_rand2(&r); get_rand2(&r);
r = r + 100; // BAD [NOT DETECTED] r = r + 100; // BAD
} }
{ {

View File

@@ -1,32 +1,44 @@
edges edges
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address indirection |
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address | | test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address | | test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address indirection |
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address indirection |
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address | | test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address | | test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address indirection |
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address indirection |
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address | | test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address | | test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address indirection |
nodes nodes
| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv | | test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... | | test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:20:14:20:20 | address | semmle.label | address | | test.cpp:20:14:20:20 | address | semmle.label | address |
| test.cpp:20:14:20:20 | address | semmle.label | address | | test.cpp:20:14:20:20 | address | semmle.label | address |
| test.cpp:20:14:20:20 | address | semmle.label | address | | test.cpp:20:14:20:20 | address | semmle.label | address |
| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv | | test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... | | test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:31:14:31:20 | address | semmle.label | address | | test.cpp:31:14:31:20 | address | semmle.label | address |
| test.cpp:31:14:31:20 | address | semmle.label | address | | test.cpp:31:14:31:20 | address | semmle.label | address |
| test.cpp:31:14:31:20 | address | semmle.label | address | | test.cpp:31:14:31:20 | address | semmle.label | address |
| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv | | test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... | | test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:42:14:42:20 | address | semmle.label | address | | test.cpp:42:14:42:20 | address | semmle.label | address |
| test.cpp:42:14:42:20 | address | semmle.label | address | | test.cpp:42:14:42:20 | address | semmle.label | address |
| test.cpp:42:14:42:20 | address | semmle.label | address | | test.cpp:42:14:42:20 | address | semmle.label | address |
| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
#select #select
| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv | | test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv | | test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |

View File

@@ -3,11 +3,15 @@ edges
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
nodes nodes
| test.cpp:54:17:54:20 | argv | semmle.label | argv | | test.cpp:54:17:54:20 | argv | semmle.label | argv |
| test.cpp:54:17:54:20 | argv | semmle.label | argv | | test.cpp:54:17:54:20 | argv | semmle.label | argv |
| test.cpp:58:25:58:29 | input | semmle.label | input | | test.cpp:58:25:58:29 | input | semmle.label | input |
| test.cpp:58:25:58:29 | input | semmle.label | input | | test.cpp:58:25:58:29 | input | semmle.label | input |
| test.cpp:58:25:58:29 | input | semmle.label | input | | test.cpp:58:25:58:29 | input | semmle.label | input |
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
#select #select
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) | | test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |

View File

@@ -7,3 +7,4 @@
| test.cpp:303:11:303:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. | | test.cpp:303:11:303:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
| test.cpp:313:11:313:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. | | test.cpp:313:11:313:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
| test.cpp:442:8:442:17 | call to mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. | | test.cpp:442:8:442:17 | call to mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
| test.cpp:482:2:482:19 | call to pthread_mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |

View File

@@ -445,3 +445,46 @@ bool test_mutex(data_t *data)
return true; return true;
} }
// ---
struct pthread_mutex
{
// ...
};
void pthread_mutex_lock(pthread_mutex *m);
void pthread_mutex_unlock(pthread_mutex *m);
class MyClass
{
public:
pthread_mutex lock;
};
bool maybe();
int test_MyClass_good(MyClass *obj)
{
pthread_mutex_lock(&obj->lock);
if (maybe()) {
pthread_mutex_unlock(&obj->lock);
return -1; // GOOD
}
pthread_mutex_unlock(&obj->lock); // GOOD
return 0;
}
int test_MyClass_bad(MyClass *obj)
{
pthread_mutex_lock(&obj->lock);
if (maybe()) {
return -1; // BAD
}
pthread_mutex_unlock(&obj->lock); // GOOD
return 0;
}

View File

@@ -1,37 +1,21 @@
edges edges
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp | | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:35 | (bool)... |
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp | | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:38 | (bool)... |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... | | test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp | | test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:35 | (bool)... |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... | | test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp | | test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:38 | (bool)... |
| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:10:24:35 | ! ... |
| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:11:24:35 | (bool)... |
| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:10:41:38 | ! ... |
| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:11:41:38 | (bool)... |
nodes nodes
| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv | | test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... | | test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... | | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp | | test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp | | test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... | | test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp | | test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp | | test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
#select #select
| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... | | test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... | | test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |

View File

@@ -18,9 +18,10 @@
| NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. | | NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
| PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. | | PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
| SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. | | SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. |
| Variants.cpp:25:3:25:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. | | Variants.cpp:26:3:26:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
| Variants.cpp:65:3:65:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. | | Variants.cpp:69:3:69:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:66:3:66:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. | | Variants.cpp:70:3:70:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:67:3:67:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. | | Variants.cpp:71:3:71:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
| Variants.cpp:72:3:72:22 | ... = ... | Resource d is acquired by class MyClass6 but not released anywhere in this class. |
| Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. | | Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. |
| Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. | | Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. |

View File

@@ -5,6 +5,7 @@ void *malloc(size_t size);
void *calloc(size_t nmemb, size_t size); void *calloc(size_t nmemb, size_t size);
void *realloc(void *ptr, size_t size); void *realloc(void *ptr, size_t size);
void free(void* ptr); void free(void* ptr);
char *strdup(const char *s1);
int *ID(int *x) int *ID(int *x)
{ {
@@ -45,6 +46,7 @@ public:
a = new int[10]; // GOOD a = new int[10]; // GOOD
b = (int *)calloc(10, sizeof(int)); // GOOD b = (int *)calloc(10, sizeof(int)); // GOOD
c = (int *)realloc(0, 10 * sizeof(int)); // GOOD c = (int *)realloc(0, 10 * sizeof(int)); // GOOD
d = strdup("string");
} }
~MyClass5() ~MyClass5()
@@ -52,9 +54,11 @@ public:
delete [] a; delete [] a;
free(b); free(b);
free(c); free(c);
free(d);
} }
int *a, *b, *c; int *a, *b, *c;
char *d;
}; };
class MyClass6 class MyClass6
@@ -65,6 +69,7 @@ public:
a = new int[10]; // BAD a = new int[10]; // BAD
b = (int *)calloc(10, sizeof(int)); // BAD b = (int *)calloc(10, sizeof(int)); // BAD
c = (int *)realloc(0, 10 * sizeof(int)); // BAD c = (int *)realloc(0, 10 * sizeof(int)); // BAD
d = strdup("string"); // BAD
} }
~MyClass6() ~MyClass6()
@@ -72,6 +77,7 @@ public:
} }
int *a, *b, *c; int *a, *b, *c;
char *d;
}; };
class MyClass7 class MyClass7

View File

@@ -1,7 +1,6 @@
<Project Sdk="Microsoft.NET.Sdk"> <Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup> <PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net5.0</TargetFramework> <TargetFramework>net5.0</TargetFramework>
<GenerateAssemblyInfo>false</GenerateAssemblyInfo> <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers> <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
@@ -12,10 +11,11 @@
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" /> <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" /> <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
<PackageReference Include="xunit" Version="2.4.1" /> <PackageReference Include="xunit" Version="2.4.1" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1"> <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
<PrivateAssets>all</PrivateAssets> <PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets> <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference> </PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>

View File

@@ -18,7 +18,7 @@
<ItemGroup> <ItemGroup>
<PackageReference Include="Microsoft.Build" Version="16.9.0" /> <PackageReference Include="Microsoft.Build" Version="16.9.0" />
<PackageReference Include="Newtonsoft.Json" Version="12.0.3" /> <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* A static single assignment (SSA) library has been added to the CIL analysis library. The SSA library replaces the existing `DefUse` module, which has been deprecated.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Legacy queries in the folders `external` and `filters` have all been removed.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query `VulnerablePackage.ql` has been removed.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Support for the Dapper ORM library has been added to the SQL injection checks.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The extractor has been improved to store default argument values for parameters that are extracted from referenced assemblies.

View File

@@ -4,8 +4,6 @@
@_namespace com.lgtm/csharp-queries @_namespace com.lgtm/csharp-queries
+ odasa-csharp-metrics/Files/FLinesOfCommentedCode.ql: /Metrics/Documentation + odasa-csharp-metrics/Files/FLinesOfCommentedCode.ql: /Metrics/Documentation
@_namespace com.lgtm/csharp-queries @_namespace com.lgtm/csharp-queries
+ odasa-csharp-metrics/Files/FLinesOfDuplicatedCode.ql: /Metrics/Coupling
@_namespace com.lgtm/csharp-queries
+ odasa-csharp-metrics/Files/FNumberOfTests.ql: /Metrics/Size + odasa-csharp-metrics/Files/FNumberOfTests.ql: /Metrics/Size
@_namespace com.lgtm/csharp-queries @_namespace com.lgtm/csharp-queries

View File

@@ -164,6 +164,39 @@ namespace Semmle.Extraction.CSharp.Entities
} }
} }
/// <summary>
/// Creates a generated expression for a default argument value.
/// </summary>
public static Expression? CreateGenerated(Context cx, IParameterSymbol parameter, IExpressionParentEntity parent,
int childIndex, Extraction.Entities.Location location)
{
if (!parameter.HasExplicitDefaultValue)
{
return null;
}
var defaultValue = parameter.ExplicitDefaultValue;
if (parameter.Type is INamedTypeSymbol nt && nt.EnumUnderlyingType is not null)
{
// = (MyEnum)1, = MyEnum.Value1, = default(MyEnum), = new MyEnum()
// we're generating a (MyEnum)value cast expression:
defaultValue ??= 0;
Action<Expression, int> createChild = (parent, index) => Literal.CreateGenerated(cx, parent, index, nt.EnumUnderlyingType, defaultValue, location);
return Cast.CreateGenerated(cx, parent, childIndex, parameter.Type, defaultValue, createChild, location);
}
if (defaultValue is null)
{
// = null, = default, = default(T), = new MyStruct()
// we're generating a default expression:
return Default.CreateGenerated(cx, parent, childIndex, location, parameter.Type.IsReferenceType ? ValueAsString(null) : null);
}
// const literal:
return Literal.CreateGenerated(cx, parent, childIndex, parameter.Type, defaultValue, location);
}
/// <summary> /// <summary>
/// Adapt the operator kind depending on whether it's a dynamic call or a user-operator call. /// Adapt the operator kind depending on whether it's a dynamic call or a user-operator call.
/// </summary> /// </summary>

View File

@@ -14,5 +14,20 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
{ {
TypeAccess.Create(Context, Syntax.Type, this, 0); TypeAccess.Create(Context, Syntax.Type, this, 0);
} }
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Extraction.Entities.Location location, string? value)
{
var info = new ExpressionInfo(
cx,
null,
location,
ExprKind.DEFAULT,
parent,
childIndex,
true,
value);
return new Expression(info);
}
} }
} }

View File

@@ -4,6 +4,7 @@ using System.Linq;
using Microsoft.CodeAnalysis.CSharp.Syntax; using Microsoft.CodeAnalysis.CSharp.Syntax;
using Semmle.Extraction.Entities; using Semmle.Extraction.Entities;
using System.IO; using System.IO;
using System;
namespace Semmle.Extraction.CSharp.Entities namespace Semmle.Extraction.CSharp.Entities
{ {
@@ -124,6 +125,17 @@ namespace Semmle.Extraction.CSharp.Entities
trapFile.param_location(this, Context.CreateLocation()); trapFile.param_location(this, Context.CreateLocation());
} }
if (Symbol.HasExplicitDefaultValue && Context.Defines(Symbol))
{
var defaultValueSyntax = GetDefaultValueFromSyntax(Symbol);
Action defaultValueExpressionCreation = defaultValueSyntax is not null
? () => Expression.Create(Context, defaultValueSyntax.Value, this, 0)
: () => Expression.CreateGenerated(Context, Symbol, this, 0, Location);
Context.PopulateLater(defaultValueExpressionCreation);
}
if (!IsSourceDeclaration || !Symbol.FromSource()) if (!IsSourceDeclaration || !Symbol.FromSource())
return; return;
@@ -139,36 +151,28 @@ namespace Semmle.Extraction.CSharp.Entities
TypeMention.Create(Context, syntax.Type!, this, type); TypeMention.Create(Context, syntax.Type!, this, type);
} }
} }
}
if (Symbol.HasExplicitDefaultValue && Context.Defines(Symbol)) private static EqualsValueClauseSyntax? GetDefaultValueFromSyntax(IParameterSymbol symbol)
{ {
// This is a slight bug in the dbscheme // This is a slight bug in the dbscheme
// We should really define param_default(param, string) // We should really define param_default(param, string)
// And use parameter child #0 to encode the default expression. // And use parameter child #0 to encode the default expression.
var defaultValue = GetParameterDefaultValue(Symbol); var defaultValue = GetParameterDefaultValue(symbol);
if (defaultValue is null) if (defaultValue is null)
{ {
// In case this parameter belongs to an accessor of an indexer, we need // In case this parameter belongs to an accessor of an indexer, we need
// to get the default value from the corresponding parameter belonging // to get the default value from the corresponding parameter belonging
// to the indexer itself // to the indexer itself
var method = (IMethodSymbol)Symbol.ContainingSymbol; if (symbol.ContainingSymbol is IMethodSymbol method)
if (method is not null)
{ {
var i = method.Parameters.IndexOf(Symbol); var i = method.Parameters.IndexOf(symbol);
var indexer = (IPropertySymbol?)method.AssociatedSymbol; if (method.AssociatedSymbol is IPropertySymbol indexer)
if (indexer is not null)
defaultValue = GetParameterDefaultValue(indexer.Parameters[i]); defaultValue = GetParameterDefaultValue(indexer.Parameters[i]);
} }
} }
if (defaultValue is not null) return defaultValue;
{
Context.PopulateLater(() =>
{
Expression.Create(Context, defaultValue.Value, this, 0);
});
}
}
} }
public override bool IsSourceDeclaration => Symbol.IsSourceDeclaration(); public override bool IsSourceDeclaration => Symbol.IsSourceDeclaration();

View File

@@ -1,7 +1,6 @@
<Project Sdk="Microsoft.NET.Sdk"> <Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup> <PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net5.0</TargetFramework> <TargetFramework>net5.0</TargetFramework>
<GenerateAssemblyInfo>false</GenerateAssemblyInfo> <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers> <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
@@ -12,10 +11,11 @@
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" /> <PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" /> <PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
<PackageReference Include="xunit" Version="2.4.1" /> <PackageReference Include="xunit" Version="2.4.1" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1"> <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
<PrivateAssets>all</PrivateAssets> <PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets> <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference> </PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>

View File

@@ -16,7 +16,7 @@
<ItemGroup> <ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis" Version="3.9.0" /> <PackageReference Include="Microsoft.CodeAnalysis" Version="3.9.0" />
<PackageReference Include="GitInfo" Version="2.0.20"> <PackageReference Include="GitInfo" Version="2.1.2">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets> <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets> <PrivateAssets>all</PrivateAssets>
</PackageReference> </PackageReference>

View File

@@ -1,7 +1,6 @@
<Project Sdk="Microsoft.NET.Sdk"> <Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup> <PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net5.0</TargetFramework> <TargetFramework>net5.0</TargetFramework>
<GenerateAssemblyInfo>false</GenerateAssemblyInfo> <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers> <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
@@ -10,10 +9,11 @@
<ItemGroup> <ItemGroup>
<PackageReference Include="xunit" Version="2.4.1" /> <PackageReference Include="xunit" Version="2.4.1" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1"> <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
<PrivateAssets>all</PrivateAssets> <PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets> <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference> </PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>

View File

@@ -5,7 +5,6 @@
* @kind treemap * @kind treemap
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType externalDependency * @metricType externalDependency
* @precision medium
* @id cs/external-dependencies * @id cs/external-dependencies
*/ */

View File

@@ -1,16 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Duplicated code increases overall code size, making the code base
harder to maintain and harder to understand. It also becomes harder to fix bugs,
since a programmer applying a fix to one copy has to always remember to update
other copies accordingly. Finally, code duplication is generally an indication of
a poorly designed or hastily written code base, which typically suffers from other
problems as well.
</p>
</overview>
</qhelp>

View File

@@ -5,7 +5,6 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision very-high
* @id cs/lines-of-code-in-files * @id cs/lines-of-code-in-files
* @tags maintainability * @tags maintainability
* complexity * complexity

View File

@@ -5,7 +5,6 @@
* @treemap.warnOn lowValues * @treemap.warnOn lowValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision very-high
* @id cs/lines-of-comments-in-files * @id cs/lines-of-comments-in-files
* @tags maintainability * @tags maintainability
* documentation * documentation

View File

@@ -5,7 +5,6 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @precision high
* @id cs/lines-of-commented-out-code-in-files * @id cs/lines-of-commented-out-code-in-files
* @tags maintainability * @tags maintainability
* documentation * documentation

View File

@@ -1,30 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
A file that contains many lines that are duplicated within the code base is problematic
for a number of reasons.
</p>
</overview>
<include src="DuplicationProblems.inc.qhelp" />
<recommendation>
<p>
Refactor files with lots of duplicated code to extract the common code into
shared classes and assemblies.
</p>
</recommendation>
<references>
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Duplicate_code">Duplicate code</a>.</li>
<li>M. Fowler, <em>Refactoring</em>. Addison-Wesley, 1999.</li>
</references>
</qhelp>

View File

@@ -1,27 +0,0 @@
/**
* @deprecated
* @name Duplicated lines in files
* @description The number of lines in a file, including code, comment and whitespace lines,
* which are duplicated in at least one other place.
* @kind treemap
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision high
* @id cs/duplicated-lines-in-files
* @tags testability
* modularity
*/
import external.CodeDuplication
from SourceFile f, int n
where
n =
count(int line |
exists(DuplicateBlock d | d.sourceFile() = f |
line in [d.sourceStartLine() .. d.sourceEndLine()] and
not whitelistedLineForDuplication(f, line)
)
)
select f, n order by n desc

Some files were not shown because too many files have changed in this diff Show More