Compare commits
571 Commits
codeql-cli
...
experiment
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
eb3d0f5b0e | ||
|
|
09cf8e8b01 | ||
|
|
bd8212c090 | ||
|
|
f106d186e4 | ||
|
|
e2c84407b4 | ||
|
|
67b15125c7 | ||
|
|
caf763a969 | ||
|
|
4f8f5048f3 | ||
|
|
2366679d9b | ||
|
|
66399c055e | ||
|
|
85c02a430e | ||
|
|
29945b8ed0 | ||
|
|
a8ef1bc32a | ||
|
|
0781a138af | ||
|
|
6fd67c4d8e | ||
|
|
89747ecf83 | ||
|
|
c013e3f9c3 | ||
|
|
3b14b27635 | ||
|
|
2ae32be934 | ||
|
|
6647f6b9c4 | ||
|
|
41ceb291de | ||
|
|
615418d2e3 | ||
|
|
0ba76f7d0e | ||
|
|
d97a10ef8a | ||
|
|
2d618d6b92 | ||
|
|
e1d0bbb021 | ||
|
|
6fd4a8afff | ||
|
|
be2fe6e171 | ||
|
|
8d2768b2ce | ||
|
|
701e815368 | ||
|
|
cd310eb9d5 | ||
|
|
992a4df12f | ||
|
|
996cda9b97 | ||
|
|
80d5b17900 | ||
|
|
cae0060a89 | ||
|
|
46197e6e69 | ||
|
|
595bdedb22 | ||
|
|
652e8b4872 | ||
|
|
c9c4c067b6 | ||
|
|
a335bb0115 | ||
|
|
ad267404c9 | ||
|
|
d7f0b9a7fa | ||
|
|
749db379ca | ||
|
|
dbb3d3dc17 | ||
|
|
8adaee05b6 | ||
|
|
6109ef5e88 | ||
|
|
7d300b53d7 | ||
|
|
d42a01cb3a | ||
|
|
e5160929eb | ||
|
|
30ba69d991 | ||
|
|
036e181bc1 | ||
|
|
716568ebd1 | ||
|
|
9820116734 | ||
|
|
52a2260dc7 | ||
|
|
c738f387b1 | ||
|
|
cf5f760ecd | ||
|
|
a790eb8110 | ||
|
|
a8cbdc92b9 | ||
|
|
551a7ce9e5 | ||
|
|
c069c3384e | ||
|
|
cb9a9db356 | ||
|
|
2ac1e60406 | ||
|
|
51bab81f56 | ||
|
|
99dd5330c2 | ||
|
|
a9527fd913 | ||
|
|
2faf52b6bd | ||
|
|
4cf0b8e725 | ||
|
|
f372274857 | ||
|
|
2373bf2dfb | ||
|
|
1cf30d2a9e | ||
|
|
ab58cb3d44 | ||
|
|
f0491af64c | ||
|
|
0c724a8427 | ||
|
|
03b12dbc6d | ||
|
|
365b4d722d | ||
|
|
903f364dab | ||
|
|
073a43ce74 | ||
|
|
461d4e45af | ||
|
|
c9f54ea1ad | ||
|
|
ee13ff71d6 | ||
|
|
26cddc7d04 | ||
|
|
69973d0fa2 | ||
|
|
a66083d685 | ||
|
|
fd4e8f8282 | ||
|
|
61880ba90a | ||
|
|
e22ec50dee | ||
|
|
2d615ef503 | ||
|
|
ffcb345916 | ||
|
|
9a41c80626 | ||
|
|
695b02a94c | ||
|
|
2c1cc9ead6 | ||
|
|
f45916efda | ||
|
|
8382e85901 | ||
|
|
f07d844362 | ||
|
|
98001c494f | ||
|
|
41b89669a9 | ||
|
|
bc49bc7095 | ||
|
|
e0e58b24ea | ||
|
|
224d3790b5 | ||
|
|
b11703cc74 | ||
|
|
5eb1f8abbd | ||
|
|
0ebb24ebeb | ||
|
|
667b26b5d9 | ||
|
|
a5f4d43d61 | ||
|
|
7045597139 | ||
|
|
c194598d37 | ||
|
|
e852540254 | ||
|
|
c777f1d8d7 | ||
|
|
a23d8deb10 | ||
|
|
32500c834d | ||
|
|
acc28df785 | ||
|
|
564a6873f8 | ||
|
|
c4ab6fb7b4 | ||
|
|
f07030ba97 | ||
|
|
a9566728b5 | ||
|
|
7119eda009 | ||
|
|
86bc0eb853 | ||
|
|
b43989e6a1 | ||
|
|
2850b8e952 | ||
|
|
cbfa5ad303 | ||
|
|
cee1a12489 | ||
|
|
c926a47d50 | ||
|
|
cca38a64be | ||
|
|
53def60e4f | ||
|
|
1ce7c3448f | ||
|
|
fd7cbd0c96 | ||
|
|
8fa3fb0561 | ||
|
|
314839fc09 | ||
|
|
c1651ad30c | ||
|
|
125d1465c8 | ||
|
|
a3421e7ab2 | ||
|
|
20416ae034 | ||
|
|
c96ee8671e | ||
|
|
a1fab8ac52 | ||
|
|
36bdee0e8b | ||
|
|
95ac2c8edd | ||
|
|
f08a0e5653 | ||
|
|
ab3edf37d7 | ||
|
|
43306f4700 | ||
|
|
8c8e4e6a70 | ||
|
|
068a9d88e7 | ||
|
|
c541390c1b | ||
|
|
e9e93c0eea | ||
|
|
85ecfe2723 | ||
|
|
49d1937dc4 | ||
|
|
d4877a9038 | ||
|
|
57784dc746 | ||
|
|
4f9b6d1192 | ||
|
|
bc5b477f79 | ||
|
|
0cc8eaf3b4 | ||
|
|
51c27de049 | ||
|
|
b9788eb53c | ||
|
|
649286995a | ||
|
|
fb004bacc3 | ||
|
|
67835ee273 | ||
|
|
23df459c16 | ||
|
|
fe76b0849b | ||
|
|
92839123ae | ||
|
|
a8284d5b97 | ||
|
|
e0a73ce797 | ||
|
|
244966e216 | ||
|
|
62de15cd22 | ||
|
|
f8bbda0cdc | ||
|
|
9db235ac36 | ||
|
|
35f294f096 | ||
|
|
4b51e22bb4 | ||
|
|
ec952248a9 | ||
|
|
f27203cc43 | ||
|
|
93500bd95a | ||
|
|
95937c9ac7 | ||
|
|
0b21b273ed | ||
|
|
937a620f4d | ||
|
|
e8d7925084 | ||
|
|
25e26b9ac0 | ||
|
|
6cceb73807 | ||
|
|
d2b991bcb5 | ||
|
|
09ba25fe9b | ||
|
|
8c95a9ae39 | ||
|
|
2dadc752d6 | ||
|
|
d57ec5d1ac | ||
|
|
e3b052199a | ||
|
|
eb01ffbdae | ||
|
|
2f98212eca | ||
|
|
8f1c7c57a8 | ||
|
|
909dc84bb6 | ||
|
|
a18cd74756 | ||
|
|
21576387f3 | ||
|
|
50523e0ac0 | ||
|
|
d126c0a1d3 | ||
|
|
3db5dd4661 | ||
|
|
108bcef104 | ||
|
|
0f710b1981 | ||
|
|
c26d05b1d5 | ||
|
|
5a4efab742 | ||
|
|
96a66fa4ee | ||
|
|
67ad6d9a0f | ||
|
|
faf07dac91 | ||
|
|
3e26236648 | ||
|
|
2770a53d38 | ||
|
|
c103939c2d | ||
|
|
49ca88957c | ||
|
|
603843e698 | ||
|
|
3613ceb07f | ||
|
|
f1d0b50670 | ||
|
|
f453fe26c6 | ||
|
|
b381f4826c | ||
|
|
149af57eac | ||
|
|
88fee2748e | ||
|
|
92e0e195a4 | ||
|
|
c6e7b8d4fd | ||
|
|
4100d68a71 | ||
|
|
725122decc | ||
|
|
f17bbd9982 | ||
|
|
c83daa66e7 | ||
|
|
b466f0515d | ||
|
|
0ce08617ba | ||
|
|
e345064a53 | ||
|
|
7f16c52217 | ||
|
|
1dbfe2369d | ||
|
|
f584ff9acf | ||
|
|
8dc7b6403a | ||
|
|
d20a0c9e82 | ||
|
|
cc2a531684 | ||
|
|
9d1ef21d85 | ||
|
|
c7c65736a9 | ||
|
|
86755c6a98 | ||
|
|
506c95d098 | ||
|
|
d4ce42ac4f | ||
|
|
e93b72d563 | ||
|
|
983b64a05f | ||
|
|
57fd2e3578 | ||
|
|
208d5157fa | ||
|
|
c2f112cb92 | ||
|
|
5e59f6d558 | ||
|
|
8734df334b | ||
|
|
229250dc54 | ||
|
|
716e0f1404 | ||
|
|
f100c8a9c0 | ||
|
|
ed78acb1d4 | ||
|
|
dbef36cbbb | ||
|
|
eaa2d4d831 | ||
|
|
2f34588770 | ||
|
|
a456458a38 | ||
|
|
446ad5ec9e | ||
|
|
c812bd948a | ||
|
|
7aae51c876 | ||
|
|
28fb0edfbe | ||
|
|
6cab85712f | ||
|
|
1c27ca610a | ||
|
|
a5220bf616 | ||
|
|
25a0e09130 | ||
|
|
1beac06236 | ||
|
|
7fb5bd0cab | ||
|
|
9abe02f419 | ||
|
|
bc9682c22d | ||
|
|
ed2cb739c5 | ||
|
|
344c2d3c3d | ||
|
|
90868a4788 | ||
|
|
203b0e3d88 | ||
|
|
cdd613358b | ||
|
|
7e20829f36 | ||
|
|
6a3859fc83 | ||
|
|
bd4934380a | ||
|
|
33c990f6b0 | ||
|
|
3d49b8cb91 | ||
|
|
0fe4baec34 | ||
|
|
09fbf480db | ||
|
|
e3b2e0a1de | ||
|
|
3b82452d76 | ||
|
|
75afa011ff | ||
|
|
e90035a5a5 | ||
|
|
24360d3a4c | ||
|
|
77ba7b473d | ||
|
|
0511e72520 | ||
|
|
6bfc49c069 | ||
|
|
32b264bdee | ||
|
|
d53c334488 | ||
|
|
28ff3f412d | ||
|
|
867471b122 | ||
|
|
9d52db3ca7 | ||
|
|
5b905cfe18 | ||
|
|
1564aee57a | ||
|
|
c82b5eb040 | ||
|
|
dbc6cf63c2 | ||
|
|
bd3f6d1234 | ||
|
|
51f489211b | ||
|
|
5d9778c64d | ||
|
|
3e67ebacb0 | ||
|
|
3b6b40489f | ||
|
|
4b7440d4d5 | ||
|
|
419fbe77ab | ||
|
|
b83da2255c | ||
|
|
b94c189946 | ||
|
|
7e33b571c9 | ||
|
|
eeb8c74666 | ||
|
|
70824b3f0b | ||
|
|
801eb538db | ||
|
|
0ae8b69102 | ||
|
|
28d6cad3d0 | ||
|
|
72ae902e0d | ||
|
|
c146b27c1a | ||
|
|
8ff9c98d26 | ||
|
|
32dc894d54 | ||
|
|
a0465d20cb | ||
|
|
ed8ffab356 | ||
|
|
47530d7526 | ||
|
|
b25dc03dac | ||
|
|
e13a9c9716 | ||
|
|
d3485cac34 | ||
|
|
8d15680af4 | ||
|
|
4955f95f64 | ||
|
|
63831cc62b | ||
|
|
b023d73016 | ||
|
|
1473778bb8 | ||
|
|
70974ea197 | ||
|
|
47686a6e4c | ||
|
|
8d30ee5c3c | ||
|
|
a1ccbcdaf1 | ||
|
|
de879c0707 | ||
|
|
2f2d72f282 | ||
|
|
88932a495c | ||
|
|
59200386a7 | ||
|
|
f2fb26df37 | ||
|
|
e3ab94fc6b | ||
|
|
41168e2b36 | ||
|
|
234f62fd05 | ||
|
|
6d86239929 | ||
|
|
9610ed163a | ||
|
|
12a6410a0a | ||
|
|
c5c80204d5 | ||
|
|
c96b8301ed | ||
|
|
02a5c0875e | ||
|
|
a9af135d7e | ||
|
|
ac0430883a | ||
|
|
61cff8faed | ||
|
|
b8bfdcc719 | ||
|
|
93bcc3724a | ||
|
|
17d1768259 | ||
|
|
4289e358bf | ||
|
|
6d6150d051 | ||
|
|
deefbefffc | ||
|
|
1f5e52e822 | ||
|
|
98cee7d339 | ||
|
|
c067d519d9 | ||
|
|
61e89d4841 | ||
|
|
0056c39bdd | ||
|
|
9e6aac8ef4 | ||
|
|
f8f3770a58 | ||
|
|
52c2e37aca | ||
|
|
2759d53f42 | ||
|
|
c5ddd40dc3 | ||
|
|
9abaad65c6 | ||
|
|
530be38b84 | ||
|
|
4a45731c85 | ||
|
|
c9c99464cf | ||
|
|
1a5eede39f | ||
|
|
5c9a239776 | ||
|
|
98398a9efd | ||
|
|
67ec5d325c | ||
|
|
adaf3234ec | ||
|
|
7021be05c5 | ||
|
|
52279d4bea | ||
|
|
fae907df65 | ||
|
|
bda074835e | ||
|
|
2012e97842 | ||
|
|
64c7d4e597 | ||
|
|
0035defd72 | ||
|
|
5051f10586 | ||
|
|
3e54136086 | ||
|
|
5fe3c1a0a9 | ||
|
|
3a2f87f0a7 | ||
|
|
b8049f19e2 | ||
|
|
8f750d4ad3 | ||
|
|
f84a05526d | ||
|
|
633152940c | ||
|
|
17d1e6d614 | ||
|
|
5d6c6b4b9b | ||
|
|
5bfd2ad07f | ||
|
|
36a8134490 | ||
|
|
b7ae62c3a3 | ||
|
|
1c815f12da | ||
|
|
151420fd0f | ||
|
|
e42f8439de | ||
|
|
24539dc0ee | ||
|
|
a43bb1fb6d | ||
|
|
23d2f11840 | ||
|
|
fa90655dd0 | ||
|
|
3d94ccf5dd | ||
|
|
ce638096de | ||
|
|
f2bc413318 | ||
|
|
3c26779f40 | ||
|
|
a4924856a2 | ||
|
|
8d0f6086af | ||
|
|
27408fefe2 | ||
|
|
9a56601dd3 | ||
|
|
b5be9d07aa | ||
|
|
b38a9d51e6 | ||
|
|
13eb9e0833 | ||
|
|
30e1b88b7f | ||
|
|
6c8b4a82c1 | ||
|
|
da08c6e63e | ||
|
|
98143b071d | ||
|
|
1e6b5391d6 | ||
|
|
b46a3616d8 | ||
|
|
585606a933 | ||
|
|
0b4650a4c9 | ||
|
|
20aa05b090 | ||
|
|
7d0cfc69f1 | ||
|
|
0ff7cc845c | ||
|
|
921b560e89 | ||
|
|
198a4ca79b | ||
|
|
993999f64f | ||
|
|
6b19e69d30 | ||
|
|
1890e63d4c | ||
|
|
4a6589d0ae | ||
|
|
42e6c7eb2e | ||
|
|
c03e9d6c75 | ||
|
|
5bfdca895b | ||
|
|
230b9cf5d3 | ||
|
|
c1e3ccfb6c | ||
|
|
7a0bfd1a69 | ||
|
|
54a91c73b0 | ||
|
|
d09458a486 | ||
|
|
7ec86b5e7f | ||
|
|
fe046ec71e | ||
|
|
3a83ecf067 | ||
|
|
f800bf243f | ||
|
|
1534b387bb | ||
|
|
a54e810804 | ||
|
|
f4a476ea4e | ||
|
|
405c1f3fc7 | ||
|
|
fa2ae1420a | ||
|
|
347cbe422d | ||
|
|
0c0556bb38 | ||
|
|
6ca425f033 | ||
|
|
ea8c8df653 | ||
|
|
6c1ec6d96b | ||
|
|
8949b9eb0a | ||
|
|
01fd00de56 | ||
|
|
2f3d516413 | ||
|
|
4f46908224 | ||
|
|
79d6731ed8 | ||
|
|
36b0ab1de5 | ||
|
|
a28a36ab29 | ||
|
|
e90fb1a225 | ||
|
|
d489d63b8e | ||
|
|
28ad667578 | ||
|
|
af5a61782c | ||
|
|
0e98ea0c10 | ||
|
|
67a5831ac0 | ||
|
|
c0bb169342 | ||
|
|
add0c88530 | ||
|
|
d998d06b94 | ||
|
|
a88c3682ff | ||
|
|
84c9137152 | ||
|
|
f27d2bdf6d | ||
|
|
d0c82d3756 | ||
|
|
17d7ba8049 | ||
|
|
b3ff3f7ee7 | ||
|
|
8f467003d2 | ||
|
|
63b732ce1f | ||
|
|
4d856d4461 | ||
|
|
3914a93504 | ||
|
|
c516d69b98 | ||
|
|
0b1705f302 | ||
|
|
43fbcc1c8a | ||
|
|
dd6b27df24 | ||
|
|
cd820917bc | ||
|
|
2541e9cb6a | ||
|
|
048c72a0f2 | ||
|
|
aa2abf76ba | ||
|
|
732ef92830 | ||
|
|
c684b74b3d | ||
|
|
0ffb80e3b1 | ||
|
|
5667901a2a | ||
|
|
57953c523c | ||
|
|
a2d75c4fed | ||
|
|
4b7c57c077 | ||
|
|
0a5d58ed8a | ||
|
|
bc36e0db43 | ||
|
|
cc592b124b | ||
|
|
0b6589c8be | ||
|
|
4941d9b7bf | ||
|
|
df60268023 | ||
|
|
19d08d7b40 | ||
|
|
a78f2115f2 | ||
|
|
bb53780ba9 | ||
|
|
0ef3eee4ed | ||
|
|
891b975899 | ||
|
|
bda223771b | ||
|
|
82cb4a8d68 | ||
|
|
dcabce679a | ||
|
|
ecdadd1826 | ||
|
|
abdebc29f9 | ||
|
|
23876cb581 | ||
|
|
1784c202a7 | ||
|
|
617ba65ef5 | ||
|
|
eb4f1e1ba0 | ||
|
|
23d3109071 | ||
|
|
6ba35f4aac | ||
|
|
9f02c144a8 | ||
|
|
ffc6af73b7 | ||
|
|
748f5344ff | ||
|
|
15a43ffe36 | ||
|
|
e02b51f42b | ||
|
|
aac0c27dcd | ||
|
|
95284ad71d | ||
|
|
476309af6d | ||
|
|
45bdb22db8 | ||
|
|
2baf2aa5c1 | ||
|
|
40f4e71b86 | ||
|
|
58971f9f4e | ||
|
|
520ba47293 | ||
|
|
e698ee77f7 | ||
|
|
2c96e6cf96 | ||
|
|
5ce3af0591 | ||
|
|
92c00cb741 | ||
|
|
f1e44bce4a | ||
|
|
a03e6faf37 | ||
|
|
409d95c522 | ||
|
|
23f620d255 | ||
|
|
6a6727fc80 | ||
|
|
6901cd4899 | ||
|
|
22e741c7a3 | ||
|
|
dbb3d458f5 | ||
|
|
a6a0fa28c4 | ||
|
|
97690b4eb7 | ||
|
|
ff1ed3a012 | ||
|
|
81c56b9bed | ||
|
|
31deca016f | ||
|
|
ca2e6587fe | ||
|
|
b5ae417851 | ||
|
|
b76854a384 | ||
|
|
19872e9aed | ||
|
|
985d3d469a | ||
|
|
42f55e1ebe | ||
|
|
d34233b44f | ||
|
|
16308fe557 | ||
|
|
14a23eed4f | ||
|
|
75b79039a1 | ||
|
|
81e372d078 | ||
|
|
a64fc2b24e | ||
|
|
0b326aae20 | ||
|
|
44d99f8cd4 | ||
|
|
ec4c155043 | ||
|
|
a56dd60baa | ||
|
|
b9809b071e | ||
|
|
048167d39a | ||
|
|
3af8773dd6 | ||
|
|
86c04e6971 | ||
|
|
39103af718 | ||
|
|
b56fe2b25f | ||
|
|
19ff00bad4 | ||
|
|
ce2db21f15 | ||
|
|
77729918c1 | ||
|
|
5aed82a210 | ||
|
|
04641a3f2d | ||
|
|
c2e44fa180 | ||
|
|
db8766ca69 | ||
|
|
525aeb6551 | ||
|
|
29eacbd28b | ||
|
|
bd00988c37 | ||
|
|
68040b717e | ||
|
|
275d75295c | ||
|
|
049bff09e6 | ||
|
|
2a6ba40a93 | ||
|
|
04ad94d1cc | ||
|
|
afbeca0d54 | ||
|
|
95ed5465de | ||
|
|
fbe857d1fa | ||
|
|
7d79be71d1 |
29
.github/workflows/docs-review.yml
vendored
29
.github/workflows/docs-review.yml
vendored
@@ -1,29 +0,0 @@
|
|||||||
# When a PR is labelled with 'ready-for-docs-review',
|
|
||||||
# this workflow comments on the PR to notify the GitHub CodeQL docs team.
|
|
||||||
name: Request docs review
|
|
||||||
on:
|
|
||||||
# Runs in the context of the base repo.
|
|
||||||
# This gives the workflow write access to comment on PRs.
|
|
||||||
# The workflow should not check out or build the given ref,
|
|
||||||
# or use untrusted data from the event payload in a command line.
|
|
||||||
pull_request_target:
|
|
||||||
types: [labeled]
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
request-docs-review:
|
|
||||||
name: Request docs review
|
|
||||||
# Run only on labelled PRs to the main repository.
|
|
||||||
# Do not run on PRs to forks.
|
|
||||||
if:
|
|
||||||
github.event.label.name == 'ready-for-docs-review'
|
|
||||||
&& github.event.pull_request.draft == false
|
|
||||||
&& github.event.pull_request.base.repo.full_name == 'github/codeql'
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Comment to request docs review
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
||||||
run: |
|
|
||||||
gh pr comment "$PR_NUMBER" --repo "github/codeql" \
|
|
||||||
--body "Hello @github/docs-content-codeql - this PR is ready for docs review."
|
|
||||||
@@ -70,4 +70,3 @@
|
|||||||
|
|
||||||
## Changes to libraries
|
## Changes to libraries
|
||||||
* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
|
* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
|
||||||
* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, subclasses should instead be based on `HtmlInjectionConfiguration`. To use both configurations in a query, see [Xss.ql](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql) for an example.
|
|
||||||
|
|||||||
@@ -36,6 +36,7 @@
|
|||||||
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
@@ -376,7 +377,6 @@
|
|||||||
],
|
],
|
||||||
"DuplicationProblems.inc.qhelp": [
|
"DuplicationProblems.inc.qhelp": [
|
||||||
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
|
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
|
||||||
"csharp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
|
|
||||||
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
|
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
|
||||||
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
|
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
|
||||||
],
|
],
|
||||||
@@ -429,7 +429,8 @@
|
|||||||
"SSA C#": [
|
"SSA C#": [
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
|
"csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll"
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
|
||||||
|
"csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
|
||||||
],
|
],
|
||||||
"CryptoAlgorithms Python/JS": [
|
"CryptoAlgorithms Python/JS": [
|
||||||
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ using System;
|
|||||||
using System.Linq;
|
using System.Linq;
|
||||||
using Microsoft.Build.Construction;
|
using Microsoft.Build.Construction;
|
||||||
using System.Xml;
|
using System.Xml;
|
||||||
|
using System.IO;
|
||||||
|
|
||||||
namespace Semmle.Autobuild.Cpp.Tests
|
namespace Semmle.Autobuild.Cpp.Tests
|
||||||
{
|
{
|
||||||
@@ -43,6 +44,8 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
|
public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
|
||||||
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
|
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
|
||||||
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
|
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
|
||||||
|
public HashSet<string> CreateDirectories { get; } = new HashSet<string>();
|
||||||
|
public HashSet<(string, string)> DownloadFiles { get; } = new HashSet<(string, string)>();
|
||||||
|
|
||||||
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
|
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
|
||||||
{
|
{
|
||||||
@@ -135,6 +138,14 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
|
|
||||||
string IBuildActions.GetFullPath(string path) => path;
|
string IBuildActions.GetFullPath(string path) => path;
|
||||||
|
|
||||||
|
string? IBuildActions.GetFileName(string? path) => Path.GetFileName(path?.Replace('\\', '/'));
|
||||||
|
|
||||||
|
public string? GetDirectoryName(string? path)
|
||||||
|
{
|
||||||
|
var dir = Path.GetDirectoryName(path?.Replace('\\', '/'));
|
||||||
|
return dir is null ? path : path?.Substring(0, dir.Length);
|
||||||
|
}
|
||||||
|
|
||||||
void IBuildActions.WriteAllText(string filename, string contents)
|
void IBuildActions.WriteAllText(string filename, string contents)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
@@ -153,6 +164,18 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
s = s.Replace($"%{kvp.Key}%", kvp.Value);
|
s = s.Replace($"%{kvp.Key}%", kvp.Value);
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void CreateDirectory(string path)
|
||||||
|
{
|
||||||
|
if (!CreateDirectories.Contains(path))
|
||||||
|
throw new ArgumentException($"Missing CreateDirectory, {path}");
|
||||||
|
}
|
||||||
|
|
||||||
|
public void DownloadFile(string address, string fileName)
|
||||||
|
{
|
||||||
|
if (!DownloadFiles.Contains((address, fileName)))
|
||||||
|
throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
@@ -213,6 +236,7 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
||||||
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
||||||
|
Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
|
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
|
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
|
||||||
@@ -273,7 +297,8 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
[Fact]
|
[Fact]
|
||||||
public void TestCppAutobuilderSuccess()
|
public void TestCppAutobuilderSuccess()
|
||||||
{
|
{
|
||||||
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test.sln"] = 1;
|
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
|
||||||
|
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
|
||||||
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
|
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
|
||||||
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
||||||
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
||||||
@@ -286,11 +311,13 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
||||||
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
||||||
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
||||||
|
Actions.CreateDirectories.Add(@"C:\Project\.nuget");
|
||||||
|
Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
|
||||||
|
|
||||||
var autobuilder = CreateAutoBuilder(true);
|
var autobuilder = CreateAutoBuilder(true);
|
||||||
var solution = new TestSolution(@"C:\Project\test.sln");
|
var solution = new TestSolution(@"C:\Project\test.sln");
|
||||||
autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
|
autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
|
||||||
TestAutobuilderScript(autobuilder, 0, 2);
|
TestAutobuilderScript(autobuilder, 0, 3);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
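Review bot: The downloaded `nuget.exe` is executed with no integrity check visible. The expectations added to `TestCppAutobuilderSuccess` pin a fallback that fetches `https://dist.nuget.org/win-x86-commandline/latest/nuget.exe` into `C:\Project\.nuget` and then runs it through `cmd.exe`, and none of the stubbed `IBuildActions` calls correspond to a verification step. If the production path really has no check, consider validating the file before it is run (a signature check, or a fixed version with a pinned hash instead of `latest`) and asserting that step here. Separately, the new `CreateDirectory` and `DownloadFile` stubs only throw on unexpected arguments and never record that the expected call happened, so a regression that skips the download is caught only indirectly through the count in `TestAutobuilderScript(autobuilder, 0, 3)`. The autobuilder code itself is outside this section, so both points are inferred from the test.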
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.
|
||||||
@@ -54,7 +54,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
|
|||||||
override predicate isWhitelisted() {
|
override predicate isWhitelisted() {
|
||||||
this.getConversion().(ParenthesisExpr).isParenthesised()
|
this.getConversion().(ParenthesisExpr).isParenthesised()
|
||||||
or
|
or
|
||||||
// whitelist this assignment if all comparison operations in the expression that this
|
// Allow this assignment if all comparison operations in the expression that this
|
||||||
// assignment is part of, are not parenthesized. In that case it seems like programmer
|
// assignment is part of, are not parenthesized. In that case it seems like programmer
|
||||||
// is fine with unparenthesized comparison operands to binary logical operators, and
|
// is fine with unparenthesized comparison operands to binary logical operators, and
|
||||||
// the parenthesis around this assignment was used to call it out as an assignment.
|
// the parenthesis around this assignment was used to call it out as an assignment.
|
||||||
@@ -62,6 +62,21 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
|
|||||||
forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
|
forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
|
||||||
not op.isParenthesised()
|
not op.isParenthesised()
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Match a pattern like:
|
||||||
|
// ```
|
||||||
|
// if((a = b) && use_value(a)) { ... }
|
||||||
|
// ```
|
||||||
|
// where the assignment is meant to update the value of `a` before it's used in some other boolean
|
||||||
|
// subexpression that is guarenteed to be evaluate _after_ the assignment.
|
||||||
|
this.isParenthesised() and
|
||||||
|
exists(LogicalAndExpr parent, Variable var, VariableAccess access |
|
||||||
|
var = this.getLValue().(VariableAccess).getTarget() and
|
||||||
|
access = var.getAnAccess() and
|
||||||
|
not access.isUsedAsLValue() and
|
||||||
|
parent.getRightOperand() = access.getParent*() and
|
||||||
|
parent.getLeftOperand() = this.getParent*()
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
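Review bot: The new disjunct in `isWhitelisted` matches on the variable rather than on the object being read. `var.getAnAccess()` returns any access to the target of the left-hand side, and if that left-hand side is a field access (which, as far as I know, is also a `VariableAccess` in the C++ library), then `(s->x = b) && t->x` would presumably be allowed even though a different object is read. Consider restricting the lvalue to a non-field variable or comparing qualifiers, and add a test for that case. The added comment also has typos; `// subexpression that is guaranteed to be evaluated _after_ the assignment.` reads better. The predicate and its class start outside this hunk.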
@@ -5,7 +5,6 @@
|
|||||||
* @kind treemap
|
* @kind treemap
|
||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType externalDependency
|
* @metricType externalDependency
|
||||||
* @precision medium
|
|
||||||
* @id cpp/external-dependencies
|
* @id cpp/external-dependencies
|
||||||
* @tags modularity
|
* @tags modularity
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -7,7 +7,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cpp/lines-of-code-in-files
|
* @id cpp/lines-of-code-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* complexity
|
* complexity
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision high
|
|
||||||
* @id cpp/lines-of-commented-out-code-in-files
|
* @id cpp/lines-of-commented-out-code-in-files
|
||||||
* @tags documentation
|
* @tags documentation
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -7,7 +7,6 @@
|
|||||||
* @treemap.warnOn lowValues
|
* @treemap.warnOn lowValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cpp/lines-of-comments-in-files
|
* @id cpp/lines-of-comments-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* documentation
|
* documentation
|
||||||
|
|||||||
@@ -8,7 +8,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision high
|
|
||||||
* @id cpp/duplicated-lines-in-files
|
* @id cpp/duplicated-lines-in-files
|
||||||
* @tags testability
|
* @tags testability
|
||||||
* modularity
|
* modularity
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn lowValues
|
* @treemap.warnOn lowValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision medium
|
|
||||||
* @id cpp/tests-in-files
|
* @id cpp/tests-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -93,7 +93,7 @@ class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Confi
|
|||||||
|
|
||||||
bindingset[s]
|
bindingset[s]
|
||||||
predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
|
predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
|
||||||
s.regexpMatch("\"([^\"])*\"(\\s|.)*") // The first element (path) is quoted
|
s.regexpMatch("\"([^\"])*\"[\\s\\S]*") // The first element (path) is quoted
|
||||||
or
|
or
|
||||||
s.regexpMatch("[^\\s]+") // There are no spaces in the string
|
s.regexpMatch("[^\\s]+") // There are no spaces in the string
|
||||||
}
|
}
|
||||||
|
|||||||
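Review bot: The reason for replacing `(\\s|.)*` with `[\\s\\S]*` in `isQuotedOrNoSpaceApplicationNameOnCmd` is not recorded next to the pattern, so a later edit could reintroduce the alternation. A short comment above the first `regexpMatch` would document it, for example `// [\\s\\S]* matches any character including newlines; the (\\s|.)* alternation can backtrack heavily on long strings`. The backtracking cost is my reading of the change rather than something stated on the page, so adjust the wording to the actual motivation.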
@@ -72,9 +72,9 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if `(std::nothrow)` exists in call `operator new`.
|
* Holds if `(std::nothrow)` or `(std::noexcept)` exists in call `operator new`.
|
||||||
*/
|
*/
|
||||||
predicate isExistsNothrow() { this.getAChild().toString() = "nothrow" }
|
predicate isExistsNothrow() { getTarget().isNoExcept() or getTarget().isNoThrow() }
|
||||||
}
|
}
|
||||||
|
|
||||||
from WrongCheckErrorOperatorNew op
|
from WrongCheckErrorOperatorNew op
|
||||||
|
|||||||
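Review bot: The updated QLDoc on `isExistsNothrow` no longer describes what the predicate checks. The body now tests the called function's exception specification via `getTarget().isNoExcept() or getTarget().isNoThrow()`, not an argument of the call, and `std::noexcept` is not a standard-library entity. A comment such as `Holds if the called operator new is declared non-throwing (noexcept or throw()).` would match the code. Because the result now depends on the exception specification being present on the nothrow overload's declaration, a test using `new (std::nothrow)` would confirm that no results are lost. The enclosing class starts outside this hunk.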
12
cpp/ql/src/external/tests/DefectFilter.ql
vendored
12
cpp/ql/src/external/tests/DefectFilter.ql
vendored
@@ -1,12 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Defect filter
|
|
||||||
* @description Only include results in large files (200) lines of code, and change the message.
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
|
|
||||||
select res, "Large files: " + res.getMessage()
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Defect from external data
|
|
||||||
* @description Insert description here...
|
|
||||||
* @kind problem
|
|
||||||
* @problem.severity warning
|
|
||||||
* @tags external-data
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.ExternalArtifact
|
|
||||||
|
|
||||||
from ExternalData d, File u
|
|
||||||
where
|
|
||||||
d.getQueryPath() = "external-data.ql" and
|
|
||||||
u.getShortName() = d.getField(0)
|
|
||||||
select u,
|
|
||||||
d.getField(5) + ", " + d.getFieldAsDate(1) + ", " + d.getField(2) + ", " + d.getFieldAsFloat(3) +
|
|
||||||
", " + d.getFieldAsInt(4) + ": " + d.getNumFields()
|
|
||||||
12
cpp/ql/src/external/tests/MetricFilter.ql
vendored
12
cpp/ql/src/external/tests/MetricFilter.ql
vendored
@@ -1,12 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Metric filter
|
|
||||||
* @description Only include results in large files (200) lines of code.
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.MetricFilter
|
|
||||||
|
|
||||||
from MetricResult res
|
|
||||||
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
|
|
||||||
select res, res.getValue()
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Filter: exclude results from files that are autogenerated
|
|
||||||
* @description Use this filter to return results only if they are
|
|
||||||
* located in files that are maintained manually.
|
|
||||||
* @kind problem
|
|
||||||
* @id cpp/autogenerated-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import semmle.code.cpp.AutogeneratedFile
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where not res.getFile() instanceof AutogeneratedFile
|
|
||||||
select res, res.getMessage()
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Metric filter: exclude results from files that are autogenerated
|
|
||||||
* @description Use this filter to return results only if they are
|
|
||||||
* located in files that are maintained manually.
|
|
||||||
* @kind treemap
|
|
||||||
* @id cpp/autogenerated-for-metric-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import semmle.code.cpp.AutogeneratedFile
|
|
||||||
import external.MetricFilter
|
|
||||||
|
|
||||||
from MetricResult res
|
|
||||||
where not res.getFile() instanceof AutogeneratedFile
|
|
||||||
select res, res.getValue()
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Filter: exclude results from files for which we do not have
|
|
||||||
* source code
|
|
||||||
* @description Use this filter to return results only if they are
|
|
||||||
* located in files for which we have source code.
|
|
||||||
* @kind problem
|
|
||||||
* @id cpp/from-source-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where res.getFile().fromSource()
|
|
||||||
select res, res.getMessage()
|
|
||||||
@@ -1,36 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Filter: exclude results on lines covered by a macro expansion
|
|
||||||
* @description Use this filter to return results only when there is no
|
|
||||||
* macro expansion whose location spans all the lines of
|
|
||||||
* the result's location.
|
|
||||||
* @kind problem
|
|
||||||
* @id cpp/macros-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
predicate macroLocation(File f, int startLine, int endLine) {
|
|
||||||
exists(MacroInvocation mi, Location l |
|
|
||||||
l = mi.getLocation() and
|
|
||||||
l.getFile() = f and
|
|
||||||
l.getStartLine() = startLine and
|
|
||||||
l.getEndLine() = endLine
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate macroCovering(DefectResult r) {
|
|
||||||
exists(File f, int macroStart, int macroEnd, int defectStart, int defectEnd |
|
|
||||||
f = r.getFile() and
|
|
||||||
defectStart = r.getStartLine() and
|
|
||||||
defectEnd = r.getEndLine() and
|
|
||||||
macroLocation(f, macroStart, macroEnd) and
|
|
||||||
macroStart <= defectStart and
|
|
||||||
macroEnd >= defectEnd
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where not macroCovering(res)
|
|
||||||
select res, res.getMessage()
|
|
||||||
@@ -91,16 +91,17 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
|
|||||||
// `e` is a call to a release function and `released` is the released argument
|
// `e` is a call to a release function and `released` is the released argument
|
||||||
releaseExpr(e, released, kind)
|
releaseExpr(e, released, kind)
|
||||||
or
|
or
|
||||||
exists(Function f, int arg |
|
exists(int arg, VariableAccess access, Function f |
|
||||||
// `e` is a call to a function that releases one of it's parameters,
|
// `e` is a call to a function that releases one of it's parameters,
|
||||||
// and `released` is the corresponding argument
|
// and `released` is the corresponding argument
|
||||||
(
|
(
|
||||||
e.(FunctionCall).getTarget() = f or
|
e.(FunctionCall).getTarget() = f or
|
||||||
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
|
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
|
||||||
) and
|
) and
|
||||||
|
access = f.getParameter(arg).getAnAccess() and
|
||||||
e.(FunctionCall).getArgument(arg) = released and
|
e.(FunctionCall).getArgument(arg) = released and
|
||||||
exprReleases(_,
|
exprReleases(_,
|
||||||
exprOrDereference(globalValueNumber(f.getParameter(arg).getAnAccess()).getAnExpr()), kind)
|
pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(Function f, ThisExpr innerThis |
|
exists(Function f, ThisExpr innerThis |
|
||||||
@@ -112,7 +113,7 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
|
|||||||
) and
|
) and
|
||||||
e.(FunctionCall).getQualifier() = exprOrDereference(released) and
|
e.(FunctionCall).getQualifier() = exprOrDereference(released) and
|
||||||
innerThis.getEnclosingFunction() = f and
|
innerThis.getEnclosingFunction() = f and
|
||||||
exprReleases(_, globalValueNumber(innerThis).getAnExpr(), kind)
|
exprReleases(_, pragma[only_bind_into](globalValueNumber(innerThis).getAnExpr()), kind)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
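Review bot: Neither `pragma[only_bind_into]` wrapper on the recursive `exprReleases(_, …)` calls (the parameter case here and the `innerThis` case in the `@@ -112,7 +113,7 @@` hunk) says why the binding direction has to be forced, so a later cleanup could remove them without knowing what they protect. A one-line comment above each call would help, for example `// only_bind_into: do not let the recursive call drive the join before the call target is bound`; this is presumably a join-order fix, so the wording should be adjusted to the actual reason. The body of `exprReleases` starts before and continues after these hunks.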
|
|||||||
@@ -72,6 +72,7 @@ class Location extends @location {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Holds if `this` comes on a line strictly before `l`. */
|
/** Holds if `this` comes on a line strictly before `l`. */
|
||||||
|
pragma[inline]
|
||||||
predicate isBefore(Location l) {
|
predicate isBefore(Location l) {
|
||||||
this.getFile() = l.getFile() and this.getEndLine() < l.getStartLine()
|
this.getFile() = l.getFile() and this.getEndLine() < l.getStartLine()
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -300,6 +300,14 @@ class FunctionCall extends Call, @funbindexpr {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** A _user-defined_ unary `operator*` function. */
|
||||||
|
class OverloadedPointerDereferenceFunction extends Function {
|
||||||
|
OverloadedPointerDereferenceFunction() {
|
||||||
|
this.hasName("operator*") and
|
||||||
|
this.getEffectiveNumberOfParameters() = 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* An instance of a _user-defined_ unary `operator*` applied to its argument.
|
* An instance of a _user-defined_ unary `operator*` applied to its argument.
|
||||||
* ```
|
* ```
|
||||||
@@ -309,8 +317,7 @@ class FunctionCall extends Call, @funbindexpr {
|
|||||||
*/
|
*/
|
||||||
class OverloadedPointerDereferenceExpr extends FunctionCall {
|
class OverloadedPointerDereferenceExpr extends FunctionCall {
|
||||||
OverloadedPointerDereferenceExpr() {
|
OverloadedPointerDereferenceExpr() {
|
||||||
getTarget().hasName("operator*") and
|
this.getTarget() instanceof OverloadedPointerDereferenceFunction
|
||||||
getTarget().getEffectiveNumberOfParameters() = 1
|
|
||||||
}
|
}
|
||||||
|
|
||||||
override string getAPrimaryQlClass() { result = "OverloadedPointerDereferenceExpr" }
|
override string getAPrimaryQlClass() { result = "OverloadedPointerDereferenceExpr" }
|
||||||
|
|||||||
@@ -2,13 +2,16 @@ import cpp
|
|||||||
import semmle.code.cpp.security.Security
|
import semmle.code.cpp.security.Security
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow2
|
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow3
|
private import semmle.code.cpp.ir.dataflow.DataFlow3
|
||||||
private import semmle.code.cpp.ir.IR
|
private import semmle.code.cpp.ir.IR
|
||||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
|
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
|
||||||
private import semmle.code.cpp.controlflow.IRGuards
|
private import semmle.code.cpp.controlflow.IRGuards
|
||||||
private import semmle.code.cpp.models.interfaces.Taint
|
private import semmle.code.cpp.models.interfaces.Taint
|
||||||
private import semmle.code.cpp.models.interfaces.DataFlow
|
private import semmle.code.cpp.models.interfaces.DataFlow
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking2
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking3
|
||||||
|
private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A predictable instruction is one where an external user can predict
|
* A predictable instruction is one where an external user can predict
|
||||||
@@ -65,23 +68,19 @@ private DataFlow::Node getNodeForExpr(Expr node) {
|
|||||||
not argv(node.(VariableAccess).getTarget())
|
not argv(node.(VariableAccess).getTarget())
|
||||||
}
|
}
|
||||||
|
|
||||||
private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
|
private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
|
||||||
DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
|
DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
|
||||||
commonTaintStep(n1, n2)
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
|
private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
|
||||||
ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
|
ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
||||||
@@ -90,20 +89,18 @@ private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
|
|||||||
sink.asVariable() instanceof GlobalOrNamespaceVariable
|
sink.asVariable() instanceof GlobalOrNamespaceVariable
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
commonTaintStep(n1, n2)
|
|
||||||
or
|
|
||||||
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
||||||
or
|
or
|
||||||
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
|
override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
}
|
}
|
||||||
|
|
||||||
private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration {
|
private class FromGlobalVarTaintTrackingCfg extends TaintTracking2::Configuration {
|
||||||
FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
|
FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) {
|
override predicate isSource(DataFlow::Node source) {
|
||||||
@@ -114,18 +111,16 @@ private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration {
|
|||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
commonTaintStep(n1, n2)
|
|
||||||
or
|
|
||||||
// Additional step for flow out of variables. There is no flow _into_
|
// Additional step for flow out of variables. There is no flow _into_
|
||||||
// variables in this configuration, so this step only serves to take flow
|
// variables in this configuration, so this step only serves to take flow
|
||||||
// out of a variable that's a source.
|
// out of a variable that's a source.
|
||||||
readsVariable(n2.asInstruction(), n1.asVariable())
|
readsVariable(n2.asInstruction(), n1.asVariable())
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
|
override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate readsVariable(LoadInstruction load, Variable var) {
|
private predicate readsVariable(LoadInstruction load, Variable var) {
|
||||||
@@ -202,206 +197,26 @@ private predicate nodeIsBarrierIn(DataFlow::Node node) {
|
|||||||
// `getNodeForSource`.
|
// `getNodeForSource`.
|
||||||
node = DataFlow::definitionByReferenceNodeFromArgument(source)
|
node = DataFlow::definitionByReferenceNodeFromArgument(source)
|
||||||
)
|
)
|
||||||
}
|
|
||||||
|
|
||||||
cached
|
|
||||||
private predicate commonTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
|
|
||||||
operandToInstructionTaintStep(fromNode.asOperand(), toNode.asInstruction())
|
|
||||||
or
|
or
|
||||||
instructionToOperandTaintStep(fromNode.asInstruction(), toNode.asOperand())
|
// don't use dataflow into binary instructions if both operands are unpredictable
|
||||||
}
|
exists(BinaryInstruction iTo |
|
||||||
|
iTo = node.asInstruction() and
|
||||||
private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) {
|
not predictableInstruction(iTo.getLeft()) and
|
||||||
// Propagate flow from the definition of an operand to the operand, even when the overlap is inexact.
|
not predictableInstruction(iTo.getRight()) and
|
||||||
// We only do this in certain cases:
|
// propagate taint from either the pointer or the offset, regardless of predictability
|
||||||
// 1. The instruction's result must not be conflated, and
|
not iTo instanceof PointerArithmeticInstruction
|
||||||
// 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
|
|
||||||
// this is array types and union types. This matches the other two cases of element-to-object flow in
|
|
||||||
// `DefaultTaintTracking`.
|
|
||||||
toOperand.getAnyDef() = fromInstr and
|
|
||||||
not fromInstr.isResultConflated() and
|
|
||||||
(
|
|
||||||
fromInstr.getResultType() instanceof ArrayType or
|
|
||||||
fromInstr.getResultType() instanceof Union
|
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(ReadSideEffectInstruction readInstr |
|
// don't use dataflow through calls to pure functions if two or more operands
|
||||||
fromInstr = readInstr.getArgumentDef() and
|
// are unpredictable
|
||||||
toOperand = readInstr.getSideEffectOperand()
|
exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
|
||||||
)
|
iTo = node.asInstruction() and
|
||||||
}
|
isPureFunction(iTo.getStaticCallTarget().getName()) and
|
||||||
|
iFrom1 = iTo.getAnArgument() and
|
||||||
private predicate operandToInstructionTaintStep(Operand fromOperand, Instruction toInstr) {
|
iFrom2 = iTo.getAnArgument() and
|
||||||
// Expressions computed from tainted data are also tainted
|
not predictableInstruction(iFrom1) and
|
||||||
exists(CallInstruction call, int argIndex | call = toInstr |
|
not predictableInstruction(iFrom2) and
|
||||||
isPureFunction(call.getStaticCallTarget().getName()) and
|
iFrom1 != iFrom2
|
||||||
fromOperand = getACallArgumentOrIndirection(call, argIndex) and
|
|
||||||
forall(Operand argOperand | argOperand = call.getAnArgumentOperand() |
|
|
||||||
argOperand = getACallArgumentOrIndirection(call, argIndex) or
|
|
||||||
predictableInstruction(argOperand.getAnyDef())
|
|
||||||
) and
|
|
||||||
// flow through `strlen` tends to cause dubious results, if the length is
|
|
||||||
// bounded.
|
|
||||||
not call.getStaticCallTarget().getName() = "strlen"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow from argument to return value
|
|
||||||
toInstr =
|
|
||||||
any(CallInstruction call |
|
|
||||||
exists(int indexIn |
|
|
||||||
modelTaintToReturnValue(call.getStaticCallTarget(), indexIn) and
|
|
||||||
fromOperand = getACallArgumentOrIndirection(call, indexIn) and
|
|
||||||
not predictableOnlyFlow(call.getStaticCallTarget().getName())
|
|
||||||
)
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow from input argument to output argument
|
|
||||||
// TODO: This won't work in practice as long as all aliased memory is tracked
|
|
||||||
// together in a single virtual variable.
|
|
||||||
// TODO: Will this work on the test for `TaintedPath.ql`, where the output arg
|
|
||||||
// is a pointer addition expression?
|
|
||||||
toInstr =
|
|
||||||
any(WriteSideEffectInstruction outInstr |
|
|
||||||
exists(CallInstruction call, int indexIn, int indexOut |
|
|
||||||
modelTaintToParameter(call.getStaticCallTarget(), indexIn, indexOut) and
|
|
||||||
fromOperand = getACallArgumentOrIndirection(call, indexIn) and
|
|
||||||
outInstr.getIndex() = indexOut and
|
|
||||||
outInstr.getPrimaryInstruction() = call
|
|
||||||
)
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow through pointer dereference
|
|
||||||
toInstr.(LoadInstruction).getSourceAddressOperand() = fromOperand
|
|
||||||
or
|
|
||||||
// Flow through partial reads of arrays and unions
|
|
||||||
toInstr.(LoadInstruction).getSourceValueOperand() = fromOperand and
|
|
||||||
exists(Instruction fromInstr | fromInstr = fromOperand.getAnyDef() |
|
|
||||||
not fromInstr.isResultConflated() and
|
|
||||||
(
|
|
||||||
fromInstr.getResultType() instanceof ArrayType or
|
|
||||||
fromInstr.getResultType() instanceof Union
|
|
||||||
)
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Unary instructions tend to preserve enough information in practice that we
|
|
||||||
// want taint to flow through.
|
|
||||||
// The exception is `FieldAddressInstruction`. Together with the rule for
|
|
||||||
// `LoadInstruction` above and for `ChiInstruction` below, flow through
|
|
||||||
// `FieldAddressInstruction` could cause flow into one field to come out an
|
|
||||||
// unrelated field. This would happen across function boundaries, where the IR
|
|
||||||
// would not be able to match loads to stores.
|
|
||||||
toInstr.(UnaryInstruction).getUnaryOperand() = fromOperand and
|
|
||||||
(
|
|
||||||
not toInstr instanceof FieldAddressInstruction
|
|
||||||
or
|
|
||||||
toInstr.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow from an element to an array or union that contains it.
|
|
||||||
toInstr.(ChiInstruction).getPartialOperand() = fromOperand and
|
|
||||||
not toInstr.isResultConflated() and
|
|
||||||
exists(Type t | toInstr.getResultLanguageType().hasType(t, false) |
|
|
||||||
t instanceof Union
|
|
||||||
or
|
|
||||||
t instanceof ArrayType
|
|
||||||
)
|
|
||||||
or
|
|
||||||
exists(BinaryInstruction bin |
|
|
||||||
bin = toInstr and
|
|
||||||
predictableInstruction(toInstr.getAnOperand().getDef()) and
|
|
||||||
fromOperand = toInstr.getAnOperand()
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// This is part of the translation of `a[i]`, where we want taint to flow
|
|
||||||
// from `a`.
|
|
||||||
toInstr.(PointerAddInstruction).getLeftOperand() = fromOperand
|
|
||||||
or
|
|
||||||
// Until we have flow through indirections across calls, we'll take flow out
|
|
||||||
// of the indirection and into the argument.
|
|
||||||
// When we get proper flow through indirections across calls, this code can be
|
|
||||||
// moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
|
|
||||||
exists(ReadSideEffectInstruction read |
|
|
||||||
read.getSideEffectOperand() = fromOperand and
|
|
||||||
read.getArgumentDef() = toInstr
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Until we have from through indirections across calls, we'll take flow out
|
|
||||||
// of the parameter and into its indirection.
|
|
||||||
// `InitializeIndirectionInstruction` only has a single operand: the address of the
|
|
||||||
// value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
|
|
||||||
// the IR looks like this:
|
|
||||||
// ```
|
|
||||||
// m1 = InitializeParameter[p] : &r1
|
|
||||||
// r2 = Load[p] : r2, m1
|
|
||||||
// m3 = InitializeIndirection[p] : &r2
|
|
||||||
// ```
|
|
||||||
// So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
|
|
||||||
// `LoadOperand`'s overlap being exact.
|
|
||||||
toInstr.(InitializeIndirectionInstruction).getAnOperand() = fromOperand
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Returns the index of the side effect instruction corresponding to the specified function output,
|
|
||||||
* if one exists.
|
|
||||||
*/
|
|
||||||
private int getWriteSideEffectIndex(FunctionOutput output) {
|
|
||||||
output.isParameterDeref(result)
|
|
||||||
or
|
|
||||||
output.isQualifierObject() and result = -1
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Get an operand that goes into argument `argumentIndex` of `call`. This
|
|
||||||
* can be either directly or through one pointer indirection.
|
|
||||||
*/
|
|
||||||
private Operand getACallArgumentOrIndirection(CallInstruction call, int argumentIndex) {
|
|
||||||
result = call.getPositionalArgumentOperand(argumentIndex)
|
|
||||||
or
|
|
||||||
exists(ReadSideEffectInstruction readSE |
|
|
||||||
// TODO: why are read side effect operands imprecise?
|
|
||||||
result = readSE.getSideEffectOperand() and
|
|
||||||
readSE.getPrimaryInstruction() = call and
|
|
||||||
readSE.getIndex() = argumentIndex
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate modelTaintToParameter(Function f, int parameterIn, int parameterOut) {
|
|
||||||
exists(FunctionInput modelIn, FunctionOutput modelOut |
|
|
||||||
(
|
|
||||||
f.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
|
|
||||||
or
|
|
||||||
f.(TaintFunction).hasTaintFlow(modelIn, modelOut)
|
|
||||||
) and
|
|
||||||
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
|
|
||||||
parameterOut = getWriteSideEffectIndex(modelOut)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate modelTaintToReturnValue(Function f, int parameterIn) {
|
|
||||||
// Taint flow from parameter to return value
|
|
||||||
exists(FunctionInput modelIn, FunctionOutput modelOut |
|
|
||||||
f.(TaintFunction).hasTaintFlow(modelIn, modelOut) and
|
|
||||||
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
|
|
||||||
(modelOut.isReturnValue() or modelOut.isReturnValueDeref())
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Data flow (not taint flow) to where the return value points. For the time
|
|
||||||
// being we will conflate pointers and objects in taint tracking.
|
|
||||||
exists(FunctionInput modelIn, FunctionOutput modelOut |
|
|
||||||
f.(DataFlowFunction).hasDataFlow(modelIn, modelOut) and
|
|
||||||
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
|
|
||||||
modelOut.isReturnValueDeref()
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Taint flow from one argument to another and data flow from an argument to a
|
|
||||||
// return value. This happens in functions like `strcat` and `memcpy`. We
|
|
||||||
// could model this flow in two separate steps, but that would add reverse
|
|
||||||
// flow from the write side-effect to the call instruction, which may not be
|
|
||||||
// desirable.
|
|
||||||
exists(int parameterMid, InParameter modelMid, OutReturnValue returnOut |
|
|
||||||
modelTaintToParameter(f, parameterIn, parameterMid) and
|
|
||||||
modelMid.isParameter(parameterMid) and
|
|
||||||
f.(DataFlowFunction).hasDataFlow(modelMid, returnOut)
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -440,6 +255,14 @@ private Element adjustedSink(DataFlow::Node sink) {
|
|||||||
or
|
or
|
||||||
// Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
|
// Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
|
||||||
result.(AssignOperation).getAnOperand() = sink.asExpr()
|
result.(AssignOperation).getAnOperand() = sink.asExpr()
|
||||||
|
or
|
||||||
|
result =
|
||||||
|
sink.asOperand()
|
||||||
|
.(SideEffectOperand)
|
||||||
|
.getUse()
|
||||||
|
.(ReadSideEffectInstruction)
|
||||||
|
.getArgumentDef()
|
||||||
|
.getUnconvertedResultExpression()
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -558,7 +381,7 @@ module TaintedWithPath {
|
|||||||
string toString() { result = "TaintTrackingConfiguration" }
|
string toString() { result = "TaintTrackingConfiguration" }
|
||||||
}
|
}
|
||||||
|
|
||||||
private class AdjustedConfiguration extends DataFlow3::Configuration {
|
private class AdjustedConfiguration extends TaintTracking3::Configuration {
|
||||||
AdjustedConfiguration() { this = "AdjustedConfiguration" }
|
AdjustedConfiguration() { this = "AdjustedConfiguration" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) {
|
override predicate isSource(DataFlow::Node source) {
|
||||||
@@ -571,21 +394,34 @@ module TaintedWithPath {
|
|||||||
exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
|
exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
commonTaintStep(n1, n2)
|
// Steps into and out of global variables
|
||||||
or
|
|
||||||
exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
|
exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
|
||||||
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
||||||
or
|
or
|
||||||
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Step to return value of a modeled function when an input taints the
|
||||||
|
// dereference of the return value
|
||||||
|
exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
|
||||||
|
n1.asOperand() = callInput(call, modelIn) and
|
||||||
|
(
|
||||||
|
func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
|
||||||
|
or
|
||||||
|
func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
|
||||||
|
) and
|
||||||
|
call.getStaticCallTarget() = func and
|
||||||
|
modelOut.isReturnValueDeref() and
|
||||||
|
call = n2.asInstruction()
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) {
|
override predicate isSanitizer(DataFlow::Node node) {
|
||||||
exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
|
exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
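Review bot: The removed `commonTaintStep` excluded `strlen` from pure-function flow (`not call.getStaticCallTarget().getName() = "strlen"`) and guarded modeled return-value flow with `not predictableOnlyFlow(...)`, and neither guard reappears among the disjuncts added to `nodeIsBarrierIn` in the `@@ -202,206 +197,26 @@` hunk. Whether the shared `TaintTracking` steps that these configurations now inherit apply the same exclusions is not visible in this section; if they do not, queries built on `DefaultTaintTracking` may start reporting flows through length computations that were suppressed before. Either confirm that the exclusions moved together with the steps, or keep them as a further barrier disjunct such as `node.asInstruction().(CallInstruction).getStaticCallTarget().getName() = "strlen"`. A comment on `nodeIsBarrierIn` stating which of the old step-level restrictions it now stands in for would make the equivalence reviewable.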
|
|||||||
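--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking3.qll
@@ -0,0 +1,15 @@
+/**
+* Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
+* module. Use this class when data-flow configurations or taint-tracking
+* configurations must depend on each other. Two classes extending
+* `DataFlow::Configuration` should never depend on each other, but one of them
+* should instead depend on a `DataFlow2::Configuration`, a
+* `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
+* `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
+* `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
+*
+* See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
+*/
+module TaintTracking3 {
+import semmle.code.cpp.ir.dataflow.internal.tainttracking3.TaintTrackingImpl
+}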
@@ -9,30 +9,18 @@ private import semmle.code.cpp.ir.dataflow.DataFlow
|
|||||||
/**
|
/**
|
||||||
* Gets the instruction that goes into `input` for `call`.
|
* Gets the instruction that goes into `input` for `call`.
|
||||||
*/
|
*/
|
||||||
DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
|
Operand callInput(CallInstruction call, FunctionInput input) {
|
||||||
// A positional argument
|
// An argument or qualifier
|
||||||
exists(int index |
|
exists(int index |
|
||||||
result.asInstruction() = call.getPositionalArgument(index) and
|
result = call.getArgumentOperand(index) and
|
||||||
input.isParameter(index)
|
input.isParameterOrQualifierAddress(index)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
// A value pointed to by a positional argument
|
// A value pointed to by an argument or qualifier
|
||||||
exists(ReadSideEffectInstruction read |
|
exists(ReadSideEffectInstruction read |
|
||||||
result.asOperand() = read.getSideEffectOperand() and
|
result = read.getSideEffectOperand() and
|
||||||
read.getPrimaryInstruction() = call and
|
read.getPrimaryInstruction() = call and
|
||||||
input.isParameterDeref(read.getIndex())
|
input.isParameterDerefOrQualifierObject(read.getIndex())
|
||||||
)
|
|
||||||
or
|
|
||||||
// The qualifier pointer
|
|
||||||
result.asInstruction() = call.getThisArgument() and
|
|
||||||
input.isQualifierAddress()
|
|
||||||
or
|
|
||||||
// The qualifier object
|
|
||||||
exists(ReadSideEffectInstruction read |
|
|
||||||
result.asOperand() = read.getSideEffectOperand() and
|
|
||||||
read.getPrimaryInstruction() = call and
|
|
||||||
read.getIndex() = -1 and
|
|
||||||
input.isQualifierObject()
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -44,19 +32,11 @@ Instruction callOutput(CallInstruction call, FunctionOutput output) {
|
|||||||
result = call and
|
result = call and
|
||||||
output.isReturnValue()
|
output.isReturnValue()
|
||||||
or
|
or
|
||||||
// The side effect of a call on the value pointed to by a positional argument
|
// The side effect of a call on the value pointed to by an argument or qualifier
|
||||||
exists(WriteSideEffectInstruction effect |
|
exists(WriteSideEffectInstruction effect |
|
||||||
result = effect and
|
result = effect and
|
||||||
effect.getPrimaryInstruction() = call and
|
effect.getPrimaryInstruction() = call and
|
||||||
output.isParameterDeref(effect.getIndex())
|
output.isParameterDerefOrQualifierObject(effect.getIndex())
|
||||||
)
|
|
||||||
or
|
|
||||||
// The side effect of a call on the qualifier object
|
|
||||||
exists(WriteSideEffectInstruction effect |
|
|
||||||
result = effect and
|
|
||||||
effect.getPrimaryInstruction() = call and
|
|
||||||
effect.getIndex() = -1 and
|
|
||||||
output.isQualifierObject()
|
|
||||||
)
|
)
|
||||||
// TODO: return value dereference
|
// TODO: return value dereference
|
||||||
}
|
}
|
||||||
|
|||||||
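Review bot: The QLDoc above `callInput` still says "Gets the instruction that goes into `input` for `call`", but the version with result type `Operand` (printed second, presumably the new side) no longer yields an instruction; the word should become "operand". The same comment should state that index `-1` denotes the qualifier. `isParameterOrQualifierAddress(index)` and `isParameterDerefOrQualifierObject(read.getIndex())` now fold the removed `getThisArgument()` and `read.getIndex() = -1` cases into the indexed ones, so the convention is no longer visible in the predicate body. The `callOutput` hunk below relies on the same convention through `effect.getIndex()`, and a short comment such as `// index -1 is the qualifier` would help there too.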
@@ -21,53 +21,104 @@ predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
|||||||
*/
|
*/
|
||||||
cached
|
cached
|
||||||
predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||||
localInstructionTaintStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
|
operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction())
|
||||||
or
|
or
|
||||||
modeledTaintStep(nodeFrom, nodeTo)
|
instructionToOperandTaintStep(nodeFrom.asInstruction(), nodeTo.asOperand())
|
||||||
|
}
|
||||||
|
|
||||||
|
private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) {
|
||||||
|
// Propagate flow from the definition of an operand to the operand, even when the overlap is inexact.
|
||||||
|
// We only do this in certain cases:
|
||||||
|
// 1. The instruction's result must not be conflated, and
|
||||||
|
// 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
|
||||||
|
// this is array types and union types. This matches the other two cases of element-to-object flow in
|
||||||
|
// `DefaultTaintTracking`.
|
||||||
|
toOperand.getAnyDef() = fromInstr and
|
||||||
|
not fromInstr.isResultConflated() and
|
||||||
|
(
|
||||||
|
fromInstr.getResultType() instanceof ArrayType or
|
||||||
|
fromInstr.getResultType() instanceof Union
|
||||||
|
)
|
||||||
|
or
|
||||||
|
exists(ReadSideEffectInstruction readInstr |
|
||||||
|
fromInstr = readInstr.getArgumentDef() and
|
||||||
|
toOperand = readInstr.getSideEffectOperand()
|
||||||
|
)
|
||||||
|
or
|
||||||
|
toOperand.(LoadOperand).getAnyDef() = fromInstr
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
|
* Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
|
||||||
* (intra-procedural) step.
|
* (intra-procedural) step.
|
||||||
*/
|
*/
|
||||||
private predicate localInstructionTaintStep(Instruction nodeFrom, Instruction nodeTo) {
|
private predicate operandToInstructionTaintStep(Operand opFrom, Instruction instrTo) {
|
||||||
// Taint can flow through expressions that alter the value but preserve
|
// Taint can flow through expressions that alter the value but preserve
|
||||||
// more than one bit of it _or_ expressions that follow data through
|
// more than one bit of it _or_ expressions that follow data through
|
||||||
// pointer indirections.
|
// pointer indirections.
|
||||||
nodeTo.getAnOperand().getAnyDef() = nodeFrom and
|
instrTo.getAnOperand() = opFrom and
|
||||||
(
|
(
|
||||||
nodeTo instanceof ArithmeticInstruction
|
instrTo instanceof ArithmeticInstruction
|
||||||
or
|
or
|
||||||
nodeTo instanceof BitwiseInstruction
|
instrTo instanceof BitwiseInstruction
|
||||||
or
|
or
|
||||||
nodeTo instanceof PointerArithmeticInstruction
|
instrTo instanceof PointerArithmeticInstruction
|
||||||
or
|
|
||||||
nodeTo instanceof FieldAddressInstruction
|
|
||||||
or
|
or
|
||||||
// The `CopyInstruction` case is also present in non-taint data flow, but
|
// The `CopyInstruction` case is also present in non-taint data flow, but
|
||||||
// that uses `getDef` rather than `getAnyDef`. For taint, we want flow
|
// that uses `getDef` rather than `getAnyDef`. For taint, we want flow
|
||||||
// from a definition of `myStruct` to a `myStruct.myField` expression.
|
// from a definition of `myStruct` to a `myStruct.myField` expression.
|
||||||
nodeTo instanceof CopyInstruction
|
instrTo instanceof CopyInstruction
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
nodeTo.(LoadInstruction).getSourceAddress() = nodeFrom
|
// Unary instructions tend to preserve enough information in practice that we
|
||||||
or
|
// want taint to flow through.
|
||||||
// Flow through partial reads of arrays and unions
|
// The exception is `FieldAddressInstruction`. Together with the rules below for
|
||||||
nodeTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = nodeFrom and
|
// `LoadInstruction`s and `ChiInstruction`s, flow through `FieldAddressInstruction`
|
||||||
not nodeFrom.isResultConflated() and
|
// could cause flow into one field to come out an unrelated field.
|
||||||
|
// This would happen across function boundaries, where the IR would not be able to
|
||||||
|
// match loads to stores.
|
||||||
|
instrTo.(UnaryInstruction).getUnaryOperand() = opFrom and
|
||||||
(
|
(
|
||||||
nodeFrom.getResultType() instanceof ArrayType or
|
not instrTo instanceof FieldAddressInstruction
|
||||||
nodeFrom.getResultType() instanceof Union
|
or
|
||||||
|
instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
|
instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
|
||||||
|
or
|
||||||
// Flow from an element to an array or union that contains it.
|
// Flow from an element to an array or union that contains it.
|
||||||
nodeTo.(ChiInstruction).getPartial() = nodeFrom and
|
instrTo.(ChiInstruction).getPartialOperand() = opFrom and
|
||||||
not nodeTo.isResultConflated() and
|
not instrTo.isResultConflated() and
|
||||||
exists(Type t | nodeTo.getResultLanguageType().hasType(t, false) |
|
exists(Type t | instrTo.getResultLanguageType().hasType(t, false) |
|
||||||
t instanceof Union
|
t instanceof Union
|
||||||
or
|
or
|
||||||
t instanceof ArrayType
|
t instanceof ArrayType
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Until we have flow through indirections across calls, we'll take flow out
|
||||||
|
// of the indirection and into the argument.
|
||||||
|
// When we get proper flow through indirections across calls, this code can be
|
||||||
|
// moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
|
||||||
|
exists(ReadSideEffectInstruction read |
|
||||||
|
read.getSideEffectOperand() = opFrom and
|
||||||
|
read.getArgumentDef() = instrTo
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Until we have from through indirections across calls, we'll take flow out
|
||||||
|
// of the parameter and into its indirection.
|
||||||
|
// `InitializeIndirectionInstruction` only has a single operand: the address of the
|
||||||
|
// value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
|
||||||
|
// the IR looks like this:
|
||||||
|
// ```
|
||||||
|
// m1 = InitializeParameter[p] : &r1
|
||||||
|
// r2 = Load[p] : r2, m1
|
||||||
|
// m3 = InitializeIndirection[p] : &r2
|
||||||
|
// ```
|
||||||
|
// So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
|
||||||
|
// `LoadOperand`'s overlap being exact.
|
||||||
|
instrTo.(InitializeIndirectionInstruction).getAnOperand() = opFrom
|
||||||
|
or
|
||||||
|
modeledTaintStep(opFrom, instrTo)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -110,17 +161,19 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
|
|||||||
* Holds if taint can flow from `instrIn` to `instrOut` through a call to a
|
* Holds if taint can flow from `instrIn` to `instrOut` through a call to a
|
||||||
* modeled function.
|
* modeled function.
|
||||||
*/
|
*/
|
||||||
predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
|
predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
|
||||||
exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
|
exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
|
||||||
(
|
(
|
||||||
nodeIn = callInput(call, modelIn)
|
nodeIn = callInput(call, modelIn)
|
||||||
or
|
or
|
||||||
exists(int n |
|
exists(int n |
|
||||||
modelIn.isParameterDeref(n) and
|
modelIn.isParameterDerefOrQualifierObject(n) and
|
||||||
nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
|
if n = -1
|
||||||
|
then nodeIn = callInput(call, any(InQualifierObject inQualifier))
|
||||||
|
else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
|
||||||
)
|
)
|
||||||
) and
|
) and
|
||||||
nodeOut.asInstruction() = callOutput(call, modelOut) and
|
nodeOut = callOutput(call, modelOut) and
|
||||||
call.getStaticCallTarget() = func and
|
call.getStaticCallTarget() = func and
|
||||||
func.hasTaintFlow(modelIn, modelOut)
|
func.hasTaintFlow(modelIn, modelOut)
|
||||||
)
|
)
|
||||||
@@ -135,11 +188,29 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
|
|||||||
int indexMid, InParameter modelMidIn, OutReturnValue modelOut
|
int indexMid, InParameter modelMidIn, OutReturnValue modelOut
|
||||||
|
|
|
|
||||||
nodeIn = callInput(call, modelIn) and
|
nodeIn = callInput(call, modelIn) and
|
||||||
nodeOut.asInstruction() = callOutput(call, modelOut) and
|
nodeOut = callOutput(call, modelOut) and
|
||||||
call.getStaticCallTarget() = func and
|
call.getStaticCallTarget() = func and
|
||||||
func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and
|
func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and
|
||||||
func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and
|
func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and
|
||||||
modelMidOut.isParameterDeref(indexMid) and
|
modelMidOut.isParameterDeref(indexMid) and
|
||||||
modelMidIn.isParameter(indexMid)
|
modelMidIn.isParameter(indexMid)
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Taint flow from a pointer argument to an output, when the model specifies flow from the deref
|
||||||
|
// to that output, but the deref is not modeled in the IR for the caller.
|
||||||
|
exists(
|
||||||
|
CallInstruction call, ReadSideEffectInstruction read, Function func, FunctionInput modelIn,
|
||||||
|
FunctionOutput modelOut
|
||||||
|
|
|
||||||
|
read.getSideEffectOperand() = callInput(call, modelIn) and
|
||||||
|
read.getArgumentDef() = nodeIn.getDef() and
|
||||||
|
not read.getSideEffect().isResultModeled() and
|
||||||
|
call.getStaticCallTarget() = func and
|
||||||
|
(
|
||||||
|
func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
|
||||||
|
or
|
||||||
|
func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
|
||||||
|
) and
|
||||||
|
nodeOut = callOutput(call, modelOut)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
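Review bot: In `instructionToOperandTaintStep`, the last disjunct `toOperand.(LoadOperand).getAnyDef() = fromInstr` carries none of the guards that the first disjunct documents and applies (`not fromInstr.isResultConflated()`, result type `ArrayType` or `Union`). For load operands this makes the guarded case redundant and appears to admit taint from any inexact or conflated definition, which the comment above says should happen only in certain cases and which would surface as findings on unrelated memory. If only exact-overlap flow is intended, `toOperand.(LoadOperand).getDef() = fromInstr` would express that; otherwise that disjunct needs a comment saying why the unguarded form does not lose precision. Separately, the added comments contain "one the types" (one of the types), "adjusedSink" and "Until we have from through indirections" (flow through).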
@@ -0,0 +1,115 @@
|
|||||||
|
/**
|
||||||
|
* Provides an implementation of global (interprocedural) taint tracking.
|
||||||
|
* This file re-exports the local (intraprocedural) taint-tracking analysis
|
||||||
|
* from `TaintTrackingParameter::Public` and adds a global analysis, mainly
|
||||||
|
* exposed through the `Configuration` class. For some languages, this file
|
||||||
|
* exists in several identical copies, allowing queries to use multiple
|
||||||
|
* `Configuration` classes that depend on each other without introducing
|
||||||
|
* mutual recursion among those configurations.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import TaintTrackingParameter::Public
|
||||||
|
private import TaintTrackingParameter::Private
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A configuration of interprocedural taint tracking analysis. This defines
|
||||||
|
* sources, sinks, and any other configurable aspect of the analysis. Each
|
||||||
|
* use of the taint tracking library must define its own unique extension of
|
||||||
|
* this abstract class.
|
||||||
|
*
|
||||||
|
* A taint-tracking configuration is a special data flow configuration
|
||||||
|
* (`DataFlow::Configuration`) that allows for flow through nodes that do not
|
||||||
|
* necessarily preserve values but are still relevant from a taint tracking
|
||||||
|
* perspective. (For example, string concatenation, where one of the operands
|
||||||
|
* is tainted.)
|
||||||
|
*
|
||||||
|
* To create a configuration, extend this class with a subclass whose
|
||||||
|
* characteristic predicate is a unique singleton string. For example, write
|
||||||
|
*
|
||||||
|
* ```ql
|
||||||
|
* class MyAnalysisConfiguration extends TaintTracking::Configuration {
|
||||||
|
* MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
|
||||||
|
* // Override `isSource` and `isSink`.
|
||||||
|
* // Optionally override `isSanitizer`.
|
||||||
|
* // Optionally override `isSanitizerIn`.
|
||||||
|
* // Optionally override `isSanitizerOut`.
|
||||||
|
* // Optionally override `isSanitizerGuard`.
|
||||||
|
* // Optionally override `isAdditionalTaintStep`.
|
||||||
|
* }
|
||||||
|
* ```
|
||||||
|
*
|
||||||
|
* Then, to query whether there is flow between some `source` and `sink`,
|
||||||
|
* write
|
||||||
|
*
|
||||||
|
* ```ql
|
||||||
|
* exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
|
||||||
|
* ```
|
||||||
|
*
|
||||||
|
* Multiple configurations can coexist, but it is unsupported to depend on
|
||||||
|
* another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
|
||||||
|
* overridden predicates that define sources, sinks, or additional steps.
|
||||||
|
* Instead, the dependency should go to a `TaintTracking2::Configuration` or a
|
||||||
|
* `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
|
||||||
|
*/
|
||||||
|
abstract class Configuration extends DataFlow::Configuration {
|
||||||
|
bindingset[this]
|
||||||
|
Configuration() { any() }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if `source` is a relevant taint source.
|
||||||
|
*
|
||||||
|
* The smaller this predicate is, the faster `hasFlow()` will converge.
|
||||||
|
*/
|
||||||
|
// overridden to provide taint-tracking specific qldoc
|
||||||
|
abstract override predicate isSource(DataFlow::Node source);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if `sink` is a relevant taint sink.
|
||||||
|
*
|
||||||
|
* The smaller this predicate is, the faster `hasFlow()` will converge.
|
||||||
|
*/
|
||||||
|
// overridden to provide taint-tracking specific qldoc
|
||||||
|
abstract override predicate isSink(DataFlow::Node sink);
|
||||||
|
|
||||||
|
/** Holds if the node `node` is a taint sanitizer. */
|
||||||
|
predicate isSanitizer(DataFlow::Node node) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrier(DataFlow::Node node) {
|
||||||
|
isSanitizer(node) or
|
||||||
|
defaultTaintSanitizer(node)
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds if taint propagation into `node` is prohibited. */
|
||||||
|
predicate isSanitizerIn(DataFlow::Node node) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
|
||||||
|
|
||||||
|
/** Holds if taint propagation out of `node` is prohibited. */
|
||||||
|
predicate isSanitizerOut(DataFlow::Node node) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
|
||||||
|
|
||||||
|
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
|
||||||
|
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if the additional taint propagation step from `node1` to `node2`
|
||||||
|
* must be taken into account in the analysis.
|
||||||
|
*/
|
||||||
|
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
|
||||||
|
|
||||||
|
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||||
|
isAdditionalTaintStep(node1, node2) or
|
||||||
|
defaultAdditionalTaintStep(node1, node2)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if taint may flow from `source` to `sink` for this configuration.
|
||||||
|
*/
|
||||||
|
// overridden to provide taint-tracking specific qldoc
|
||||||
|
override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
|
||||||
|
super.hasFlow(source, sink)
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
|
||||||
|
|
||||||
|
module Private {
|
||||||
|
import semmle.code.cpp.ir.dataflow.DataFlow3::DataFlow3 as DataFlow
|
||||||
|
}
|
||||||
@@ -15,9 +15,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
|
|||||||
private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
|
private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
|
||||||
Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
|
Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
|
||||||
|
|
||||||
override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
|
override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 1 }
|
||||||
bufParam = 1 and countParam = 2
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate hasArrayInput(int bufParam) { bufParam = 1 }
|
override predicate hasArrayInput(int bufParam) { bufParam = 1 }
|
||||||
|
|
||||||
@@ -46,8 +44,8 @@ private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEf
|
|||||||
i = 1 and buffer = false
|
i = 1 and buffer = false
|
||||||
}
|
}
|
||||||
|
|
||||||
override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
|
// NOTE: The size parameter is a pointer to the size. So we can't implement `getParameterSizeIndex` for
|
||||||
|
// this model.
|
||||||
// NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
|
// NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
|
||||||
// the structure pointed to by the file-descriptor argument.
|
// the structure pointed to by the file-descriptor argument.
|
||||||
override predicate hasOnlySpecificReadSideEffects() { none() }
|
override predicate hasOnlySpecificReadSideEffects() { none() }
|
||||||
|
|||||||
@@ -1,10 +1,35 @@
|
|||||||
import semmle.code.cpp.models.interfaces.Taint
|
import semmle.code.cpp.models.interfaces.Taint
|
||||||
|
import semmle.code.cpp.models.interfaces.DataFlow
|
||||||
|
import semmle.code.cpp.models.interfaces.PointerWrapper
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The `std::shared_ptr` and `std::unique_ptr` template classes.
|
* The `std::shared_ptr` and `std::unique_ptr` template classes.
|
||||||
*/
|
*/
|
||||||
private class UniqueOrSharedPtr extends Class {
|
private class UniqueOrSharedPtr extends Class, PointerWrapper {
|
||||||
UniqueOrSharedPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "unique_ptr"]) }
|
UniqueOrSharedPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "unique_ptr"]) }
|
||||||
|
|
||||||
|
override MemberFunction getAnUnwrapperFunction() {
|
||||||
|
result.(OverloadedPointerDereferenceFunction).getDeclaringType() = this
|
||||||
|
or
|
||||||
|
result.getClassAndName(["operator->", "get"]) = this
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
|
||||||
|
private class PointerWrapperDataFlow extends DataFlowFunction {
|
||||||
|
PointerWrapperDataFlow() {
|
||||||
|
this = any(PointerWrapper wrapper).getAnUnwrapperFunction() and
|
||||||
|
not this.getUnspecifiedType() instanceof ReferenceType
|
||||||
|
}
|
||||||
|
|
||||||
|
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
|
||||||
|
input.isQualifierAddress() and output.isReturnValue()
|
||||||
|
or
|
||||||
|
input.isQualifierObject() and output.isReturnValueDeref()
|
||||||
|
or
|
||||||
|
input.isReturnValueDeref() and
|
||||||
|
output.isQualifierObject()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
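Review bot: The QLDoc on `PointerWrapperDataFlow` says "Any function that unwraps a pointer wrapper class", but the characteristic predicate drops every unwrapper whose return type is a reference (`not this.getUnspecifiedType() instanceof ReferenceType`). As far as this hunk shows, that leaves out the `OverloadedPointerDereferenceFunction` case that `getAnUnwrapperFunction` lists. The comment should state the restriction, for example `/** A pointer-wrapper unwrapper function that returns the wrapped pointer by value; reference-returning unwrappers are not modeled here. */`. The third disjunct of `hasDataFlow`, from `isReturnValueDeref()` back to `isQualifierObject()`, is a reverse flow and needs a one-line comment explaining why a write through the returned pointer is treated as a write to the wrapper object.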
@@ -0,0 +1,14 @@
|
|||||||
|
/** Provides classes for modeling pointer wrapper types and expressions. */
|
||||||
|
|
||||||
|
private import cpp
|
||||||
|
|
||||||
|
/** A class that wraps a pointer type. For example, `std::unique_ptr` and `std::shared_ptr`. */
|
||||||
|
abstract class PointerWrapper extends Class {
|
||||||
|
/**
|
||||||
|
* Gets a member function of this class that returns the wrapped pointer, if any.
|
||||||
|
*
|
||||||
|
* This includes both functions that return the wrapped pointer by value, and functions
|
||||||
|
* that return a reference to the pointed-to object.
|
||||||
|
*/
|
||||||
|
abstract MemberFunction getAnUnwrapperFunction();
|
||||||
|
}
|
||||||
@@ -14,8 +14,8 @@ using namespace std;
|
|||||||
|
|
||||||
void* operator new(std::size_t _Size);
|
void* operator new(std::size_t _Size);
|
||||||
void* operator new[](std::size_t _Size);
|
void* operator new[](std::size_t _Size);
|
||||||
void* operator new( std::size_t count, const std::nothrow_t& tag );
|
void* operator new( std::size_t count, const std::nothrow_t& tag ) noexcept;
|
||||||
void* operator new[]( std::size_t count, const std::nothrow_t& tag );
|
void* operator new[]( std::size_t count, const std::nothrow_t& tag ) noexcept;
|
||||||
|
|
||||||
void badNew_0_0()
|
void badNew_0_0()
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
||||||
|
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
predicate isSink(Element sink) {
|
predicate isSink(Element sink) {
|
||||||
@@ -17,7 +18,13 @@ predicate isSink(Element sink) {
|
|||||||
|
|
||||||
predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
|
predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
|
||||||
|
|
||||||
predicate irTaint(Expr source, Element sink) { IRDefaultTaintTracking::tainted(source, sink) }
|
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { any() }
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate irTaint(Expr source, Element sink) {
|
||||||
|
TaintedWithPath::taintedWithPath(source, sink, _, _)
|
||||||
|
}
|
||||||
|
|
||||||
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||||
IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
|
IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ int main() {
|
|||||||
|
|
||||||
char untainted_buf[100] = "";
|
char untainted_buf[100] = "";
|
||||||
char buf[100] = "VAR = ";
|
char buf[100] = "VAR = ";
|
||||||
sink(strcat(buf, getenv("VAR"))); // $ ast,ir
|
sink(strcat(buf, getenv("VAR"))); // $ ast MISSING: ir
|
||||||
|
|
||||||
sink(buf); // $ ast,ir
|
sink(buf); // $ ast,ir
|
||||||
sink(untainted_buf); // the two buffers would be conflated if we added flow through all partial chi inputs
|
sink(untainted_buf); // the two buffers would be conflated if we added flow through all partial chi inputs
|
||||||
@@ -250,12 +250,12 @@ void sink(iovec);
|
|||||||
int test_readv_and_writev(iovec* iovs) {
|
int test_readv_and_writev(iovec* iovs) {
|
||||||
readv(0, iovs, 16);
|
readv(0, iovs, 16);
|
||||||
sink(iovs); // $ast,ir
|
sink(iovs); // $ast,ir
|
||||||
sink(iovs[0]); // $ast MISSING: ir
|
sink(iovs[0]); // $ast,ir
|
||||||
sink(*iovs); // $ast MISSING: ir
|
sink(*iovs); // $ast,ir
|
||||||
|
|
||||||
char* p = (char*)iovs[1].iov_base;
|
char* p = (char*)iovs[1].iov_base;
|
||||||
sink(p); // $ MISSING: ast,ir
|
sink(p); // $ ir MISSING: ast
|
||||||
sink(*p); // $ MISSING: ast,ir
|
sink(*p); // $ ir MISSING: ast
|
||||||
|
|
||||||
writev(0, iovs, 16); // $ remote
|
writev(0, iovs, 16); // $ remote
|
||||||
}
|
}
|
||||||
|
|||||||
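Review bot: The expectation on `sink(strcat(buf, getenv("VAR")))` changes from `// $ ast,ir` to `// $ ast MISSING: ir` (taking the second-printed line as the new side). The IR analysis therefore stops reporting taint on the return value of `strcat`, and the commit accepts that as the expected result. Every other expectation changed in this file moves from `MISSING` to found, so this looks like an unintended loss of coverage on a common string-concatenation sink rather than a design choice. I would restore the flow before merging, or add a comment line above the call such as `// IR: taint no longer reaches the return value of strcat after the operand-based steps` so the gap is tracked. The enclosing `main` starts and ends outside the hunk.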
@@ -73,7 +73,7 @@ void test_string()
|
|||||||
sink(b); // clean
|
sink(b); // clean
|
||||||
sink(c); // $ ir MISSING: ast
|
sink(c); // $ ir MISSING: ast
|
||||||
sink(b.c_str()); // clean
|
sink(b.c_str()); // clean
|
||||||
sink(c.c_str()); // $ MISSING: ast,ir
|
sink(c.c_str()); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_stringstream()
|
void test_stringstream()
|
||||||
@@ -93,10 +93,10 @@ void test_stringstream()
|
|||||||
sink(ss4); // $ ir MISSING: ast
|
sink(ss4); // $ ir MISSING: ast
|
||||||
sink(ss5); // $ ir MISSING: ast
|
sink(ss5); // $ ir MISSING: ast
|
||||||
sink(ss1.str());
|
sink(ss1.str());
|
||||||
sink(ss2.str()); // $ MISSING: ast,ir
|
sink(ss2.str()); // $ ir MISSING: ast
|
||||||
sink(ss3.str()); // $ MISSING: ast,ir
|
sink(ss3.str()); // $ MISSING: ast,ir
|
||||||
sink(ss4.str()); // $ MISSING: ast,ir
|
sink(ss4.str()); // $ ir MISSING: ast
|
||||||
sink(ss5.str()); // $ MISSING: ast,ir
|
sink(ss5.str()); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_stringstream_int(int source)
|
void test_stringstream_int(int source)
|
||||||
@@ -123,14 +123,14 @@ void sink(const char *filename, const char *mode);
|
|||||||
void test_strings2()
|
void test_strings2()
|
||||||
{
|
{
|
||||||
string path1 = user_input();
|
string path1 = user_input();
|
||||||
sink(path1.c_str(), "r"); // $ MISSING: ast,ir
|
sink(path1.c_str(), "r"); // $ ir MISSING: ast
|
||||||
|
|
||||||
string path2;
|
string path2;
|
||||||
path2 = user_input();
|
path2 = user_input();
|
||||||
sink(path2.c_str(), "r"); // $ MISSING: ast,ir
|
sink(path2.c_str(), "r"); // $ ir MISSING: ast
|
||||||
|
|
||||||
string path3(user_input());
|
string path3(user_input());
|
||||||
sink(path3.c_str(), "r"); // $ MISSING: ast,ir
|
sink(path3.c_str(), "r"); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_string3()
|
void test_string3()
|
||||||
@@ -154,6 +154,6 @@ void test_string4()
|
|||||||
// convert back std::string -> char *
|
// convert back std::string -> char *
|
||||||
cs = ss.c_str();
|
cs = ss.c_str();
|
||||||
|
|
||||||
sink(cs); // $ ast MISSING: ir
|
sink(cs); // $ ast,ir
|
||||||
sink(ss); // $ ir MISSING: ast
|
sink(ss); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -7,9 +7,10 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
||||||
|
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
predicate isSink(Element sink) {
|
predicate argToSinkCall(Element sink) {
|
||||||
exists(FunctionCall call |
|
exists(FunctionCall call |
|
||||||
call.getTarget().getName() = "sink" and
|
call.getTarget().getName() = "sink" and
|
||||||
sink = call.getAnArgument()
|
sink = call.getAnArgument()
|
||||||
@@ -17,11 +18,15 @@ predicate isSink(Element sink) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
predicate astTaint(Expr source, Element sink) {
|
predicate astTaint(Expr source, Element sink) {
|
||||||
ASTTaintTracking::tainted(source, sink) and isSink(sink)
|
ASTTaintTracking::tainted(source, sink) and argToSinkCall(sink)
|
||||||
|
}
|
||||||
|
|
||||||
|
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { argToSinkCall(e) }
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate irTaint(Expr source, Element sink) {
|
predicate irTaint(Expr source, Element sink) {
|
||||||
IRDefaultTaintTracking::tainted(source, sink) and isSink(sink)
|
TaintedWithPath::taintedWithPath(source, sink, _, _)
|
||||||
}
|
}
|
||||||
|
|
||||||
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||||
|
|||||||
@@ -1,19 +1,42 @@
|
|||||||
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | AST only |
|
||||||
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | AST only |
|
||||||
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | AST only |
|
||||||
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only |
|
||||||
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | AST only |
|
||||||
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
||||||
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only |
|
||||||
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
|
||||||
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
|
||||||
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | AST only |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | AST only |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
|
||||||
|
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | AST only |
|
||||||
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
|
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
|
||||||
|
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | AST only |
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only |
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | AST only |
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | AST only |
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |
|
||||||
|
|||||||
@@ -2,14 +2,18 @@ import semmle.code.cpp.security.TaintTrackingImpl as AST
|
|||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IR
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IR
|
||||||
import cpp
|
import cpp
|
||||||
|
|
||||||
|
class SourceConfiguration extends IR::TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { any() }
|
||||||
|
}
|
||||||
|
|
||||||
from Expr source, Element tainted, string side
|
from Expr source, Element tainted, string side
|
||||||
where
|
where
|
||||||
AST::taintedIncludingGlobalVars(source, tainted, _) and
|
AST::taintedIncludingGlobalVars(source, tainted, _) and
|
||||||
not IR::taintedIncludingGlobalVars(source, tainted, _) and
|
not IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
|
||||||
not tainted.getLocation().getFile().getExtension() = "h" and
|
not tainted.getLocation().getFile().getExtension() = "h" and
|
||||||
side = "AST only"
|
side = "AST only"
|
||||||
or
|
or
|
||||||
IR::taintedIncludingGlobalVars(source, tainted, _) and
|
IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
|
||||||
not AST::taintedIncludingGlobalVars(source, tainted, _) and
|
not AST::taintedIncludingGlobalVars(source, tainted, _) and
|
||||||
not tainted.getLocation().getFile().getExtension() = "h" and
|
not tainted.getLocation().getFile().getExtension() = "h" and
|
||||||
side = "IR only"
|
side = "IR only"
|
||||||
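Review bot: The added `SourceConfiguration` overrides only `isSink`, with `any()`, so its name says the opposite of what it configures, and nothing explains that the catch-all sink is there to make `taintedWithPath` report every tainted element. A QLDoc comment such as `/** Treats every element as a sink so that all IR taint results are listed. */` and a name like `AllSinksConfiguration` would make the intent readable. The IR side now calls `IR::TaintedWithPath::taintedWithPath(source, tainted, _, _)` while the AST side still calls `AST::taintedIncludingGlobalVars`; if the path-based predicate handles global variables differently, some "AST only" rows would reflect the API change rather than a library difference, which is worth confirming. The same class is added in the `@@ -1,7 +1,11 @@` query further down.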
|
|||||||
@@ -1,71 +1,48 @@
|
|||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... | |
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr | |
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv | |
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... | |
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr | |
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... | |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp | |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... | |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal | |
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | |
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | |
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName | |
|
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi | |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | |
|
|
||||||
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | |
|
|
||||||
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets | |
|
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | |
|
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | |
|
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy | |
|
|
||||||
|
|||||||
@@ -1,7 +1,11 @@
|
|||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
|
||||||
|
|
||||||
from Expr source, Element tainted, string globalVar
|
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { any() }
|
||||||
|
}
|
||||||
|
|
||||||
|
from Expr source, Element tainted
|
||||||
where
|
where
|
||||||
taintedIncludingGlobalVars(source, tainted, globalVar) and
|
TaintedWithPath::taintedWithPath(source, tainted, _, _) and
|
||||||
not tainted.getLocation().getFile().getExtension() = "h"
|
not tainted.getLocation().getFile().getExtension() = "h"
|
||||||
select source, tainted, globalVar
|
select source, tainted
|
||||||
|
|||||||
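--- a/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/memory.h
+++ b/cpp/ql/test/library-tests/dataflow/smart-pointers-taint/memory.h
@@ -0,0 +1,127 @@
+
+namespace std {
+namespace detail {
+template<typename T>
+class compressed_pair_element {
+T element;
+
+public:
+compressed_pair_element() = default;
+compressed_pair_element(const T& t) : element(t) {}
+
+T& get() { return element; }
+
+const T& get() const { return element; }
+};
+
+template<typename T, typename U>
+struct compressed_pair : private compressed_pair_element<T>, private compressed_pair_element<U> {
+compressed_pair() = default;
+compressed_pair(T& t) : compressed_pair_element<T>(t), compressed_pair_element<U>() {}
+compressed_pair(const compressed_pair&) = delete;
+compressed_pair(compressed_pair<T, U>&&) noexcept = default;
+
+T& first() { return static_cast<compressed_pair_element<T>&>(*this).get(); }
+U& second() { return static_cast<compressed_pair_element<U>&>(*this).get(); }
+
+const T& first() const { return static_cast<const compressed_pair_element<T>&>(*this).get(); }
+const U& second() const { return static_cast<const compressed_pair_element<U>&>(*this).get(); }
+};
+}
+
+template<class T>
+struct default_delete {
+void operator()(T* ptr) const { delete ptr; }
+};
+
+template<class T>
+struct default_delete<T[]> {
+template<class U>
+void operator()(U* ptr) const { delete[] ptr; }
+};
+
+template<class T, class Deleter = default_delete<T> >
+class unique_ptr {
+private:
+detail::compressed_pair<T*, Deleter> data;
+public:
+constexpr unique_ptr() noexcept {}
+explicit unique_ptr(T* ptr) noexcept : data(ptr) {}
+unique_ptr(const unique_ptr& ptr) = delete;
+unique_ptr(unique_ptr&& ptr) noexcept = default;
+
+unique_ptr& operator=(unique_ptr&& ptr) noexcept = default;
+
+T& operator*() const { return *get(); }
+T* operator->() const noexcept { return get(); }
+
+T* get() const noexcept { return data.first(); }
+
+~unique_ptr() {
+Deleter& d = data.second();
+d(data.first());
+}
+};
+
+template<typename T, class... Args> unique_ptr<T> make_unique(Args&&... args) {
+return unique_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+}
+
+class ctrl_block {
+unsigned uses;
+
+public:
+ctrl_block() : uses(1) {}
+
+void inc() { ++uses; }
+bool dec() { return --uses == 0; }
+
+virtual void destroy() = 0;
+virtual ~ctrl_block() {}
+};
+
+template<typename T, class Deleter = default_delete<T> >
+struct ctrl_block_impl: public ctrl_block {
+T* ptr;
+Deleter d;
+
+ctrl_block_impl(T* ptr, Deleter d) : ptr(ptr), d(d) {}
+virtual void destroy() override { d(ptr); }
+};
+
+template<class T>
+class shared_ptr {
+private:
+ctrl_block* ctrl;
+T* ptr;
+
+void dec() {
+if(ctrl->dec()) {
+ctrl->destroy();
+delete ctrl;
+}
+}
+
+void inc() {
+ctrl->inc();
+}
+
+public:
+constexpr shared_ptr() noexcept = default;
+shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}
+shared_ptr(const shared_ptr& s) noexcept : ptr(s.ptr), ctrl(s.ctrl) {
+inc();
+}
+shared_ptr(shared_ptr&& s) noexcept = default;
+
+T* operator->() const { return ptr; }
+
+T& operator*() const { return *ptr; }
+
+~shared_ptr() { dec(); }
+};
+
+template<typename T, class... Args> shared_ptr<T> make_shared(Args&&... args) {
+return shared_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+}
+}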
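Review bot: `shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}` never initialises the `ptr` member, so `operator*` and `operator->` return an indeterminate pointer and the stub has no data path from the constructor argument to a dereference; `shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())), ptr(ptr) {}` stores it. The defaulted default and move constructors likewise leave `ctrl` unset, or shared without `inc()`, so `~shared_ptr()` would dereference an indeterminate `ctrl` or release the block twice if this header were ever executed rather than only analysed. The copy constructor's initialiser list is also written in the opposite order to the member declarations (`ctrl`, then `ptr`).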
@@ -0,0 +1,39 @@
|
|||||||
|
import TestUtilities.dataflow.FlowTestCommon
|
||||||
|
|
||||||
|
module ASTTest {
|
||||||
|
private import semmle.code.cpp.dataflow.TaintTracking
|
||||||
|
|
||||||
|
class ASTSmartPointerTaintConfig extends TaintTracking::Configuration {
|
||||||
|
ASTSmartPointerTaintConfig() { this = "ASTSmartPointerTaintConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
|
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||||
|
}
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
|
exists(FunctionCall call |
|
||||||
|
call.getTarget().getName() = "sink" and
|
||||||
|
sink.asExpr() = call.getAnArgument()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module IRTest {
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||||
|
|
||||||
|
class IRSmartPointerTaintConfig extends TaintTracking::Configuration {
|
||||||
|
IRSmartPointerTaintConfig() { this = "IRSmartPointerTaintConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
|
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||||
|
}
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
|
exists(FunctionCall call |
|
||||||
|
call.getTarget().getName() = "sink" and
|
||||||
|
sink.asExpr() = call.getAnArgument()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
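Review bot: Both `ASTSmartPointerTaintConfig` and `IRSmartPointerTaintConfig` pick sources and sinks by unqualified name (`getTarget().getName() = "source"` and `= "sink"`), which would also match a member or namespaced function of that name if the test file later gains one; `getTarget().hasGlobalName("source")` states the intent exactly. The two configurations are identical apart from the imported library, so a one-line QLDoc comment on each module naming the library it exercises would help the next reader.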
@@ -0,0 +1,46 @@
|
|||||||
|
#include "memory.h"
|
||||||
|
|
||||||
|
int source();
|
||||||
|
void sink(int);
|
||||||
|
|
||||||
|
void test_unique_ptr_int() {
|
||||||
|
std::unique_ptr<int> p1(new int(source()));
|
||||||
|
std::unique_ptr<int> p2 = std::make_unique<int>(source());
|
||||||
|
|
||||||
|
sink(*p1); // $ MISSING: ast,ir
|
||||||
|
sink(*p2); // $ ast ir=8:50
|
||||||
|
}
|
||||||
|
|
||||||
|
struct A {
|
||||||
|
int x, y;
|
||||||
|
|
||||||
|
A(int x, int y) : x(x), y(y) {}
|
||||||
|
};
|
||||||
|
|
||||||
|
void test_unique_ptr_struct() {
|
||||||
|
std::unique_ptr<A> p1(new A{source(), 0});
|
||||||
|
std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
|
||||||
|
|
||||||
|
sink(p1->x); // $ MISSING: ast,ir
|
||||||
|
sink(p1->y);
|
||||||
|
sink(p2->x); // $ MISSING: ast,ir
|
||||||
|
sink(p2->y);
|
||||||
|
}
|
||||||
|
|
||||||
|
void test_shared_ptr_int() {
|
||||||
|
std::shared_ptr<int> p1(new int(source()));
|
||||||
|
std::shared_ptr<int> p2 = std::make_shared<int>(source());
|
||||||
|
|
||||||
|
sink(*p1); // $ ast
|
||||||
|
sink(*p2); // $ ast ir=32:50
|
||||||
|
}
|
||||||
|
|
||||||
|
void test_shared_ptr_struct() {
|
||||||
|
std::shared_ptr<A> p1(new A{source(), 0});
|
||||||
|
std::shared_ptr<A> p2 = std::make_shared<A>(source(), 0);
|
||||||
|
|
||||||
|
sink(p1->x); // $ MISSING: ast,ir
|
||||||
|
sink(p1->y);
|
||||||
|
sink(p2->x); // $ MISSING: ast,ir
|
||||||
|
sink(p2->y);
|
||||||
|
}
|
||||||
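Review bot: The unannotated `sink(p1->y);` and `sink(p2->y);` lines in test_unique_ptr_struct and test_shared_ptr_struct are the negative cases, but nothing marks them as intentional; a trailing `// clean` or `// not tainted` would make that explicit. The same applies to the bare sinks added in test_operator_arrow in the later `@@ -66,3 +66,30 @@` hunk. Separately, `sink(*p1)` is `// $ MISSING: ast,ir` in test_unique_ptr_int but `// $ ast` in test_shared_ptr_int; presumably this follows from how the two stubs in memory.h store the pointer, and a short comment recording the reason would keep the asymmetry from reading as a typo.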
@@ -19,6 +19,6 @@ void test_accept() {
|
|||||||
int size = sizeof(sockaddr);
|
int size = sizeof(sockaddr);
|
||||||
int a = accept(s, &addr, &size);
|
int a = accept(s, &addr, &size);
|
||||||
|
|
||||||
sink(a); // $ ast=17:11 SPURIOUS: ast=18:12 MISSING: ir
|
sink(a); // $ ast=17:11 ir SPURIOUS: ast=18:12
|
||||||
sink(addr); // $ ast MISSING: ir
|
sink(addr); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3260,15 +3260,59 @@
|
|||||||
| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
|
| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
|
||||||
| smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p | |
|
| smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p | |
|
||||||
| smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
|
| smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
|
||||||
| smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get | TAINT |
|
| smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get | |
|
||||||
|
| smart_pointer.cpp:52:12:52:14 | ref arg call to get | smart_pointer.cpp:52:10:52:10 | ref arg p | |
|
||||||
| smart_pointer.cpp:56:30:56:50 | call to make_unique | smart_pointer.cpp:57:10:57:10 | p | |
|
| smart_pointer.cpp:56:30:56:50 | call to make_unique | smart_pointer.cpp:57:10:57:10 | p | |
|
||||||
| smart_pointer.cpp:56:52:56:57 | call to source | smart_pointer.cpp:56:30:56:50 | call to make_unique | TAINT |
|
| smart_pointer.cpp:56:52:56:57 | call to source | smart_pointer.cpp:56:30:56:50 | call to make_unique | TAINT |
|
||||||
| smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get | TAINT |
|
| smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get | |
|
||||||
|
| smart_pointer.cpp:57:12:57:14 | ref arg call to get | smart_pointer.cpp:57:10:57:10 | ref arg p | |
|
||||||
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:66:10:66:10 | p | |
|
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:66:10:66:10 | p | |
|
||||||
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p | |
|
| smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p | |
|
||||||
| smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
|
| smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
|
||||||
| smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
|
| smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
|
||||||
|
| smart_pointer.cpp:66:10:66:10 | p | smart_pointer.cpp:66:11:66:11 | call to operator-> | |
|
||||||
| smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p | |
|
| smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p | |
|
||||||
|
| smart_pointer.cpp:67:10:67:10 | p | smart_pointer.cpp:67:11:67:11 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:77:3:77:3 | p | |
|
||||||
|
| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:78:8:78:8 | p | |
|
||||||
|
| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:79:8:79:8 | p | |
|
||||||
|
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:81:3:81:3 | q | |
|
||||||
|
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:82:8:82:8 | q | |
|
||||||
|
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:83:8:83:8 | q | |
|
||||||
|
| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:84:8:84:8 | q | |
|
||||||
|
| smart_pointer.cpp:77:3:77:3 | p | smart_pointer.cpp:77:4:77:4 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:77:3:77:3 | ref arg p | smart_pointer.cpp:78:8:78:8 | p | |
|
||||||
|
| smart_pointer.cpp:77:3:77:3 | ref arg p | smart_pointer.cpp:79:8:79:8 | p | |
|
||||||
|
| smart_pointer.cpp:77:3:77:17 | ... = ... | smart_pointer.cpp:77:6:77:6 | x [post update] | |
|
||||||
|
| smart_pointer.cpp:77:3:77:17 | ... = ... | smart_pointer.cpp:78:11:78:11 | x | |
|
||||||
|
| smart_pointer.cpp:77:4:77:4 | call to operator-> [post update] | smart_pointer.cpp:77:3:77:3 | ref arg p | |
|
||||||
|
| smart_pointer.cpp:77:10:77:15 | call to source | smart_pointer.cpp:77:3:77:17 | ... = ... | |
|
||||||
|
| smart_pointer.cpp:78:8:78:8 | p | smart_pointer.cpp:78:9:78:9 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:78:8:78:8 | ref arg p | smart_pointer.cpp:79:8:79:8 | p | |
|
||||||
|
| smart_pointer.cpp:79:8:79:8 | p | smart_pointer.cpp:79:9:79:9 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:81:3:81:3 | q | smart_pointer.cpp:81:4:81:4 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:82:8:82:8 | q | |
|
||||||
|
| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:83:8:83:8 | q | |
|
||||||
|
| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:84:8:84:8 | q | |
|
||||||
|
| smart_pointer.cpp:81:3:81:20 | ... = ... | smart_pointer.cpp:81:9:81:9 | x [post update] | |
|
||||||
|
| smart_pointer.cpp:81:3:81:20 | ... = ... | smart_pointer.cpp:82:14:82:14 | x | |
|
||||||
|
| smart_pointer.cpp:81:4:81:4 | call to operator-> [post update] | smart_pointer.cpp:81:3:81:3 | ref arg q | |
|
||||||
|
| smart_pointer.cpp:81:13:81:18 | call to source | smart_pointer.cpp:81:3:81:20 | ... = ... | |
|
||||||
|
| smart_pointer.cpp:82:8:82:8 | q | smart_pointer.cpp:82:9:82:9 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:82:8:82:8 | ref arg q | smart_pointer.cpp:83:8:83:8 | q | |
|
||||||
|
| smart_pointer.cpp:82:8:82:8 | ref arg q | smart_pointer.cpp:84:8:84:8 | q | |
|
||||||
|
| smart_pointer.cpp:83:8:83:8 | q | smart_pointer.cpp:83:9:83:9 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:83:8:83:8 | ref arg q | smart_pointer.cpp:84:8:84:8 | q | |
|
||||||
|
| smart_pointer.cpp:84:8:84:8 | q | smart_pointer.cpp:84:9:84:9 | call to operator-> | |
|
||||||
|
| smart_pointer.cpp:87:17:87:18 | pa | smart_pointer.cpp:88:5:88:6 | pa | |
|
||||||
|
| smart_pointer.cpp:88:5:88:20 | ... = ... | smart_pointer.cpp:88:9:88:9 | x [post update] | |
|
||||||
|
| smart_pointer.cpp:88:13:88:18 | call to source | smart_pointer.cpp:88:5:88:20 | ... = ... | |
|
||||||
|
| smart_pointer.cpp:92:25:92:50 | call to unique_ptr | smart_pointer.cpp:93:11:93:11 | p | |
|
||||||
|
| smart_pointer.cpp:92:25:92:50 | call to unique_ptr | smart_pointer.cpp:94:8:94:8 | p | |
|
||||||
|
| smart_pointer.cpp:93:11:93:11 | p | smart_pointer.cpp:93:13:93:15 | call to get | |
|
||||||
|
| smart_pointer.cpp:93:11:93:11 | ref arg p | smart_pointer.cpp:94:8:94:8 | p | |
|
||||||
|
| smart_pointer.cpp:93:13:93:15 | ref arg call to get | smart_pointer.cpp:93:11:93:11 | ref arg p | |
|
||||||
|
| smart_pointer.cpp:94:8:94:8 | p | smart_pointer.cpp:94:9:94:9 | call to operator-> | |
|
||||||
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 | |
|
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 | |
|
||||||
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 | |
|
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 | |
|
||||||
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 | |
|
| standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 | |
|
||||||
|
|||||||
@@ -152,8 +152,8 @@ void test_map()
|
|||||||
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
||||||
{
|
{
|
||||||
sink(*i2); // $ ast,ir
|
sink(*i2); // $ ast,ir
|
||||||
sink(i2->first); // $ SPURIOUS: ir
|
sink(i2->first); // clean
|
||||||
sink(i2->second); // $ ir MISSING: ast
|
sink(i2->second); // $ MISSING: ast,ir
|
||||||
}
|
}
|
||||||
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
||||||
{
|
{
|
||||||
@@ -304,8 +304,8 @@ void test_unordered_map()
|
|||||||
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
||||||
{
|
{
|
||||||
sink(*i2); // $ ast,ir
|
sink(*i2); // $ ast,ir
|
||||||
sink(i2->first); // $ SPURIOUS: ir
|
sink(i2->first); // clean
|
||||||
sink(i2->second); // $ ir MISSING: ast
|
sink(i2->second); // $ MISSING: ast,ir
|
||||||
}
|
}
|
||||||
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
||||||
{
|
{
|
||||||
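Review bot: The new annotation on `sink(i2->second)` changes `// $ ir MISSING: ast` to `// $ MISSING: ast,ir`, so the test now accepts a lost IR result for the tainted value as the price of removing the spurious `i2->first` result, in both test_map and test_unordered_map. For a taint library a false negative on the value side means real flows through map iterators go unreported, so the loss deserves at least a comment line above each of those sinks recording that it is a known regression and what is expected to restore it. Both loops continue outside the hunks, so other sinks in them may be affected in the same way.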
|
|||||||
@@ -66,3 +66,30 @@ void test_shared_field_member() {
|
|||||||
sink(p->x); // $ MISSING: ast,ir
|
sink(p->x); // $ MISSING: ast,ir
|
||||||
sink(p->y); // not tainted
|
sink(p->y); // not tainted
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct B {
|
||||||
|
A a1;
|
||||||
|
A a2;
|
||||||
|
int z;
|
||||||
|
};
|
||||||
|
|
||||||
|
void test_operator_arrow(std::unique_ptr<A> p, std::unique_ptr<B> q) {
|
||||||
|
p->x = source();
|
||||||
|
sink(p->x); // $ ast MISSING: ir
|
||||||
|
sink(p->y);
|
||||||
|
|
||||||
|
q->a1.x = source();
|
||||||
|
sink(q->a1.x); // $ ast MISSING: ir
|
||||||
|
sink(q->a1.y);
|
||||||
|
sink(q->a2.x);
|
||||||
|
}
|
||||||
|
|
||||||
|
void taint_x(A* pa) {
|
||||||
|
pa->x = source();
|
||||||
|
}
|
||||||
|
|
||||||
|
void reverse_taint_smart_pointer() {
|
||||||
|
std::unique_ptr<A> p = std::unique_ptr<A>(new A);
|
||||||
|
taint_x(p.get());
|
||||||
|
sink(p->x); // $ ast MISSING: ir
|
||||||
|
}
|
||||||
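Review bot: `struct B` declares `int z;` but no sink in test_operator_arrow reads it, so the member adds nothing to the test as written. Either add `sink(q->z);` as a further negative case next to `sink(q->a2.x);`, or drop the member. The `// $ ast MISSING: ir` on `sink(p->x)` in reverse_taint_smart_pointer would also benefit from a one-line comment saying that the flow under test goes backwards from `p.get()` into `p`, since that is the only case here where taint is written through the raw pointer.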
@@ -39,13 +39,13 @@ public:
|
|||||||
void test_typedefs(int_iterator_by_typedefs source1) {
|
void test_typedefs(int_iterator_by_typedefs source1) {
|
||||||
sink(*source1); // $ ast,ir
|
sink(*source1); // $ ast,ir
|
||||||
sink(*(source1++)); // $ ast,ir
|
sink(*(source1++)); // $ ast,ir
|
||||||
sink(*(++source1)); // $ ast MISSING: ir
|
sink(*(++source1)); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_trait(int_iterator_by_trait source1) {
|
void test_trait(int_iterator_by_trait source1) {
|
||||||
sink(*source1); // $ ast,ir
|
sink(*source1); // $ ast,ir
|
||||||
sink(*(source1++)); // $ ast,ir
|
sink(*(source1++)); // $ ast,ir
|
||||||
sink(*(++source1)); // $ ast MISSING: ir
|
sink(*(++source1)); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_non_iterator(non_iterator source1) {
|
void test_non_iterator(non_iterator source1) {
|
||||||
|
|||||||
@@ -396,9 +396,9 @@ void test_string_iterators() {
|
|||||||
sink(*(i2+1)); // $ ast,ir
|
sink(*(i2+1)); // $ ast,ir
|
||||||
sink(*(i2-1)); // $ ast,ir
|
sink(*(i2-1)); // $ ast,ir
|
||||||
i3 = i2;
|
i3 = i2;
|
||||||
sink(*(++i3)); // $ ast MISSING: ir
|
sink(*(++i3)); // $ ast,ir
|
||||||
i4 = i2;
|
i4 = i2;
|
||||||
sink(*(--i4)); // $ ast MISSING: ir
|
sink(*(--i4)); // $ ast,ir
|
||||||
i5 = i2;
|
i5 = i2;
|
||||||
i5++;
|
i5++;
|
||||||
sink(*i5); // $ ast,ir
|
sink(*i5); // $ ast,ir
|
||||||
@@ -406,9 +406,9 @@ void test_string_iterators() {
|
|||||||
i6--;
|
i6--;
|
||||||
sink(*i6); // $ ast,ir
|
sink(*i6); // $ ast,ir
|
||||||
i7 = i2;
|
i7 = i2;
|
||||||
sink(*(i7+=1)); // $ ast MISSING: ir
|
sink(*(i7+=1)); // $ ast,ir
|
||||||
i8 = i2;
|
i8 = i2;
|
||||||
sink(*(i8-=1)); // $ ast MISSING: ir
|
sink(*(i8-=1)); // $ ast,ir
|
||||||
|
|
||||||
i9 = s2.end();
|
i9 = s2.end();
|
||||||
--i9;
|
--i9;
|
||||||
|
|||||||
@@ -32,18 +32,18 @@ void test_stringstream_string(int amount)
|
|||||||
sink(ss2 << source()); // $ ast,ir
|
sink(ss2 << source()); // $ ast,ir
|
||||||
sink(ss3 << "123" << source()); // $ ast,ir
|
sink(ss3 << "123" << source()); // $ ast,ir
|
||||||
sink(ss4 << source() << "456"); // $ ast,ir
|
sink(ss4 << source() << "456"); // $ ast,ir
|
||||||
sink(ss5 << t); // $ ast MISSING: ir
|
sink(ss5 << t); // $ ast,ir
|
||||||
|
|
||||||
sink(ss1);
|
sink(ss1);
|
||||||
sink(ss2); // $ ast,ir
|
sink(ss2); // $ ast,ir
|
||||||
sink(ss3); // $ ast MISSING: ir
|
sink(ss3); // $ ast MISSING: ir
|
||||||
sink(ss4); // $ ast,ir
|
sink(ss4); // $ ast,ir
|
||||||
sink(ss5); // $ ast MISSING: ir
|
sink(ss5); // $ ast,ir
|
||||||
sink(ss1.str());
|
sink(ss1.str());
|
||||||
sink(ss2.str()); // $ ast,ir
|
sink(ss2.str()); // $ ast,ir
|
||||||
sink(ss3.str()); // $ ast MISSING: ir
|
sink(ss3.str()); // $ ast MISSING: ir
|
||||||
sink(ss4.str()); // $ ast,ir
|
sink(ss4.str()); // $ ast,ir
|
||||||
sink(ss5.str()); // $ ast MISSING: ir
|
sink(ss5.str()); // $ ast,ir
|
||||||
|
|
||||||
ss6.str("abc");
|
ss6.str("abc");
|
||||||
ss6.str(source()); // (overwrites)
|
ss6.str(source()); // (overwrites)
|
||||||
@@ -229,7 +229,7 @@ void test_getline()
|
|||||||
|
|
||||||
sink(ss2.getline(b7, 1000).getline(b8, 1000)); // $ ast,ir
|
sink(ss2.getline(b7, 1000).getline(b8, 1000)); // $ ast,ir
|
||||||
sink(b7); // $ ast,ir
|
sink(b7); // $ ast,ir
|
||||||
sink(b8); // $ ast MISSING: ir
|
sink(b8); // $ ast,ir
|
||||||
|
|
||||||
sink(getline(ss1, s1));
|
sink(getline(ss1, s1));
|
||||||
sink(getline(ss2, s2)); // $ ast,ir
|
sink(getline(ss2, s2)); // $ ast,ir
|
||||||
@@ -261,7 +261,7 @@ void test_chaining()
|
|||||||
|
|
||||||
sink(ss1.get(b1, 100).unget().get(b2, 100)); // $ ast,ir
|
sink(ss1.get(b1, 100).unget().get(b2, 100)); // $ ast,ir
|
||||||
sink(b1); // $ ast,ir
|
sink(b1); // $ ast,ir
|
||||||
sink(b2); // $ ast MISSING: ir
|
sink(b2); // $ ast,ir
|
||||||
|
|
||||||
sink(ss2.write("abc", 3).flush().write(source(), 3).flush().write("xyz", 3)); // $ ast MISSING: ir
|
sink(ss2.write("abc", 3).flush().write(source(), 3).flush().write("xyz", 3)); // $ ast MISSING: ir
|
||||||
sink(ss2); // $ ast MISSING: ir
|
sink(ss2); // $ ast MISSING: ir
|
||||||
|
|||||||
@@ -192,7 +192,7 @@ void *memcpy(void *dest, void *src, int len);
|
|||||||
void test_memcpy(int *source) {
|
void test_memcpy(int *source) {
|
||||||
int x;
|
int x;
|
||||||
memcpy(&x, source, sizeof(int));
|
memcpy(&x, source, sizeof(int));
|
||||||
sink(x); // $ ast=192:23 MISSING: ir SPURIOUS: ast=193:6
|
sink(x); // $ ast=192:23 ir SPURIOUS: ast=193:6
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- std::swap ---
|
// --- std::swap ---
|
||||||
@@ -369,9 +369,9 @@ void test_strdup(char *source)
|
|||||||
a = strdup(source);
|
a = strdup(source);
|
||||||
b = strdup("hello, world");
|
b = strdup("hello, world");
|
||||||
c = strndup(source, 100);
|
c = strndup(source, 100);
|
||||||
sink(a); // $ ast MISSING: ir
|
sink(a); // $ ast,ir
|
||||||
sink(b);
|
sink(b);
|
||||||
sink(c); // $ ast MISSING: ir
|
sink(c); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_strndup(int source)
|
void test_strndup(int source)
|
||||||
@@ -388,7 +388,7 @@ void test_wcsdup(wchar_t *source)
|
|||||||
|
|
||||||
a = wcsdup(source);
|
a = wcsdup(source);
|
||||||
b = wcsdup(L"hello, world");
|
b = wcsdup(L"hello, world");
|
||||||
sink(a); // $ ast MISSING: ir
|
sink(a); // $ ast,ir
|
||||||
sink(b);
|
sink(b);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ void *mempcpy(void *dest, const void *src, size_t n);
|
|||||||
void test_mempcpy(int *source) {
|
void test_mempcpy(int *source) {
|
||||||
int x;
|
int x;
|
||||||
mempcpy(&x, source, sizeof(int));
|
mempcpy(&x, source, sizeof(int));
|
||||||
sink(x); // $ ast=518:24 MISSING: ir SPURIOUS: ast=519:6
|
sink(x); // $ ast=518:24 ir SPURIOUS: ast=519:6
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- memccpy ---
|
// --- memccpy ---
|
||||||
@@ -528,7 +528,7 @@ void *memccpy(void *dest, const void *src, int c, size_t n);
|
|||||||
void test_memccpy(int *source) {
|
void test_memccpy(int *source) {
|
||||||
int dest[16];
|
int dest[16];
|
||||||
memccpy(dest, source, 42, sizeof(dest));
|
memccpy(dest, source, 42, sizeof(dest));
|
||||||
sink(dest); // $ ast=528:24 MISSING: ir SPURIOUS: ast=529:6
|
sink(dest); // $ ast=528:24 ir SPURIOUS: ast=529:6
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- strcat and related functions ---
|
// --- strcat and related functions ---
|
||||||
|
|||||||
@@ -0,0 +1,7 @@
|
|||||||
|
void accept(int arg, char *buf, unsigned long* bufSize);
|
||||||
|
|
||||||
|
void testAccept(int socket1, int socket2)
|
||||||
|
{
|
||||||
|
char buffer[1024];
|
||||||
|
accept(socket2, 0, 0);
|
||||||
|
}
|
||||||
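Review bot: Nothing in this new test file says what `testAccept` is meant to pin down: it declares `buffer` but never uses it, and its only statement is `accept(socket2, 0, 0);` with both output arguments null. If the intent is to check that the `accept` model copes with null output arguments (my reading; the expected-results file for this test is not part of this section), state that above the function, e.g. `// accept() called with null buf/bufSize: the analysis must handle the missing output buffer`. Either drop the unused `buffer` or pass it in a second `accept` call so the non-null case is exercised as well.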
@@ -10,3 +10,4 @@
|
|||||||
| test.cpp:89:18:89:23 | call to malloc | This memory is never freed |
|
| test.cpp:89:18:89:23 | call to malloc | This memory is never freed |
|
||||||
| test.cpp:156:3:156:26 | new | This memory is never freed |
|
| test.cpp:156:3:156:26 | new | This memory is never freed |
|
||||||
| test.cpp:157:3:157:26 | new[] | This memory is never freed |
|
| test.cpp:157:3:157:26 | new[] | This memory is never freed |
|
||||||
|
| test.cpp:167:14:167:19 | call to strdup | This memory is never freed |
|
||||||
|
|||||||
@@ -156,3 +156,15 @@ int overloadedNew() {
|
|||||||
new(std::nothrow) int(3); // BAD
|
new(std::nothrow) int(3); // BAD
|
||||||
new(std::nothrow) int[2]; // BAD
|
new(std::nothrow) int[2]; // BAD
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// --- strdup ---
|
||||||
|
|
||||||
|
char *strdup(const char *s1);
|
||||||
|
void output_msg(const char *msg);
|
||||||
|
|
||||||
|
void test_strdup() {
|
||||||
|
char msg[] = "OctoCat";
|
||||||
|
char *cpy = strdup(msg); // BAD
|
||||||
|
|
||||||
|
output_msg(cpy);
|
||||||
|
}
|
||||||
|
|||||||
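Review bot: `test_strdup` adds only a positive case (`char *cpy = strdup(msg); // BAD`), so this test would still pass if the query reported every `strdup` call whether or not the result is later released. A matching negative case would pin the false-positive side, for example `char *cpy2 = strdup(msg); output_msg(cpy2); free(cpy2); // GOOD`, assuming `free` is already declared earlier in this test file, which starts outside the hunk. Leaked `strdup` results are a common source of memory exhaustion in long-running services, so both directions are worth locking in.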
@@ -19,3 +19,7 @@
|
|||||||
| test.cpp:144:32:144:36 | ... = ... | Use of '=' where '==' may have been intended. |
|
| test.cpp:144:32:144:36 | ... = ... | Use of '=' where '==' may have been intended. |
|
||||||
| test.cpp:150:32:150:36 | ... = ... | Use of '=' where '==' may have been intended. |
|
| test.cpp:150:32:150:36 | ... = ... | Use of '=' where '==' may have been intended. |
|
||||||
| test.cpp:153:46:153:50 | ... = ... | Use of '=' where '==' may have been intended. |
|
| test.cpp:153:46:153:50 | ... = ... | Use of '=' where '==' may have been intended. |
|
||||||
|
| test.cpp:166:22:166:27 | ... = ... | Use of '=' where '==' may have been intended. |
|
||||||
|
| test.cpp:168:24:168:29 | ... = ... | Use of '=' where '==' may have been intended. |
|
||||||
|
| test.cpp:169:23:169:28 | ... = ... | Use of '=' where '==' may have been intended. |
|
||||||
|
| test.cpp:171:7:171:12 | ... = ... | Use of '=' where '==' may have been intended. |
|
||||||
|
|||||||
@@ -153,3 +153,21 @@ void f3(int x, int y) {
|
|||||||
if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD
|
if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool use(int);
|
||||||
|
|
||||||
|
void f4(int x, bool b) {
|
||||||
|
if((x = 10) && use(x)) {} // GOOD: This is likely just a short-hand way of writing an assignment
|
||||||
|
// followed by a boolean check.
|
||||||
|
if((x = 10) && b && use(x)) {} // GOOD: Same reason as above
|
||||||
|
if((x = 10) && use(x) && b) {} // GOOD: Same reason as above
|
||||||
|
if((x = 10) && (use(x) && b)) {} // GOOD: Same reason as above
|
||||||
|
|
||||||
|
if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison.
|
||||||
|
// This doesn't match the usual pattern.
|
||||||
|
if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above
|
||||||
|
if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above
|
||||||
|
|
||||||
|
if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in
|
||||||
|
// a boolean check.
|
||||||
|
}
|
||||||
|
|||||||
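Review bot: Every GOOD case in `f4` reads `x` again through `use(x)` after the assignment, so the test does not show whether the exemption depends on that later use or only on the assignment being the leftmost operand of `&&`. A case such as `if((x = 10) && b) {}` with its intended GOOD/BAD annotation would settle that, and the expected-results file would need the matching row if it is meant to be reported. The BAD comment on `if(use(x) && b && (x = 10))` says "the last thing that happens in the comparison"; "in the condition" would be more accurate, since no comparison is involved.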
@@ -3,11 +3,15 @@ edges
|
|||||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
|
||||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
||||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
||||||
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
|
||||||
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
||||||
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
||||||
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:17:11:17:18 | fileName | semmle.label | fileName |
|
| test.c:17:11:17:18 | fileName | semmle.label | fileName |
|
||||||
|
| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
|
||||||
|
| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
|
||||||
#select
|
#select
|
||||||
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
|
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
|
||||||
|
|||||||
@@ -1,13 +1,17 @@
|
|||||||
edges
|
edges
|
||||||
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | (const char *)... |
|
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | (const char *)... |
|
||||||
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query |
|
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query |
|
||||||
|
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query indirection |
|
||||||
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
|
||||||
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
||||||
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
||||||
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query indirection |
|
||||||
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
||||||
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
||||||
|
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query indirection |
|
||||||
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
||||||
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
||||||
|
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query indirection |
|
||||||
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
||||||
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
||||||
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
|
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
|
||||||
@@ -28,11 +32,15 @@ nodes
|
|||||||
| search.c:17:8:17:12 | query | semmle.label | query |
|
| search.c:17:8:17:12 | query | semmle.label | query |
|
||||||
| search.c:17:8:17:12 | query | semmle.label | query |
|
| search.c:17:8:17:12 | query | semmle.label | query |
|
||||||
| search.c:17:8:17:12 | query | semmle.label | query |
|
| search.c:17:8:17:12 | query | semmle.label | query |
|
||||||
|
| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
|
||||||
|
| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
|
||||||
| search.c:22:24:22:28 | *query | semmle.label | *query |
|
| search.c:22:24:22:28 | *query | semmle.label | *query |
|
||||||
| search.c:22:24:22:28 | query | semmle.label | query |
|
| search.c:22:24:22:28 | query | semmle.label | query |
|
||||||
| search.c:23:39:23:43 | query | semmle.label | query |
|
| search.c:23:39:23:43 | query | semmle.label | query |
|
||||||
| search.c:23:39:23:43 | query | semmle.label | query |
|
| search.c:23:39:23:43 | query | semmle.label | query |
|
||||||
| search.c:23:39:23:43 | query | semmle.label | query |
|
| search.c:23:39:23:43 | query | semmle.label | query |
|
||||||
|
| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
|
||||||
|
| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
|
||||||
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
||||||
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
||||||
| search.c:55:5:55:15 | raw_query | semmle.label | raw_query |
|
| search.c:55:5:55:15 | raw_query | semmle.label | raw_query |
|
||||||
|
|||||||
@@ -3,11 +3,15 @@ edges
|
|||||||
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
|
||||||
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
||||||
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
||||||
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
|
||||||
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
||||||
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
||||||
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:21:18:21:23 | query1 | semmle.label | query1 |
|
| test.c:21:18:21:23 | query1 | semmle.label | query1 |
|
||||||
|
| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
|
||||||
|
| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
|
||||||
#select
|
#select
|
||||||
| test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
|
| test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
|
||||||
|
|||||||
@@ -1,12 +1,16 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
||||||
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
||||||
|
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command indirection |
|
||||||
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
||||||
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
||||||
|
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command indirection |
|
||||||
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
||||||
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
||||||
|
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command indirection |
|
||||||
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
||||||
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
||||||
|
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command indirection |
|
||||||
| test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command |
|
| test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command |
|
||||||
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv |
|
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv |
|
||||||
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection |
|
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection |
|
||||||
@@ -21,31 +25,55 @@ edges
|
|||||||
| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command |
|
| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
|
||||||
|
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer indirection |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
|
||||||
|
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
|
||||||
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
|
||||||
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
|
||||||
|
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer indirection |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | (const char *)... |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data |
|
||||||
|
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data indirection |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | (const char *)... |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
|
||||||
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
|
||||||
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data indirection |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | (const char *)... |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer indirection |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | (const char *)... |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | (const char *)... |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer indirection |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | (const char *)... |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:24:30:24:36 | *command | semmle.label | *command |
|
| test.cpp:24:30:24:36 | *command | semmle.label | *command |
|
||||||
| test.cpp:24:30:24:36 | command | semmle.label | command |
|
| test.cpp:24:30:24:36 | command | semmle.label | command |
|
||||||
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
||||||
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
||||||
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
||||||
|
| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
|
||||||
|
| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
|
||||||
| test.cpp:29:30:29:36 | *command | semmle.label | *command |
|
| test.cpp:29:30:29:36 | *command | semmle.label | *command |
|
||||||
| test.cpp:29:30:29:36 | command | semmle.label | command |
|
| test.cpp:29:30:29:36 | command | semmle.label | command |
|
||||||
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
||||||
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
||||||
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
||||||
|
| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
|
||||||
|
| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
|
||||||
| test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -59,17 +87,39 @@ nodes
|
|||||||
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
|
| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:63:10:63:13 | data | semmle.label | data |
|
| test.cpp:63:10:63:13 | data | semmle.label | data |
|
||||||
|
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
|
||||||
|
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
|
||||||
| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
|
| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
|
| test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
|
||||||
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
|
| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:79:10:79:13 | data | semmle.label | data |
|
| test.cpp:79:10:79:13 | data | semmle.label | data |
|
||||||
|
| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
|
||||||
|
| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
|
||||||
|
| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
|
||||||
|
| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
#select
|
#select
|
||||||
| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
|
| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
|
||||||
| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
|
| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
|
||||||
@@ -77,3 +127,5 @@ nodes
|
|||||||
| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
|
| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
|
||||||
| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
||||||
| test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
| test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
||||||
|
| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:98:17:98:22 | buffer | buffer |
|
||||||
|
| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:106:17:106:22 | buffer | buffer |
|
||||||
|
|||||||
@@ -81,3 +81,29 @@ void testReferencePointer2()
|
|||||||
system(data2); // BAD [NOT DETECTED]
|
system(data2); // BAD [NOT DETECTED]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ---
|
||||||
|
|
||||||
|
typedef unsigned long size_t;
|
||||||
|
|
||||||
|
void accept(int arg, char *buf, size_t *bufSize);
|
||||||
|
void recv(int arg, char *buf, size_t bufSize);
|
||||||
|
void LoadLibrary(const char *arg);
|
||||||
|
|
||||||
|
void testAcceptRecv(int socket1, int socket2)
|
||||||
|
{
|
||||||
|
{
|
||||||
|
char buffer[1024];
|
||||||
|
|
||||||
|
recv(socket1, buffer, 1024);
|
||||||
|
LoadLibrary(buffer); // BAD: using data from recv
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
char buffer[1024];
|
||||||
|
|
||||||
|
accept(socket2, 0, 0);
|
||||||
|
recv(socket2, buffer, 1024);
|
||||||
|
LoadLibrary(buffer); // BAD: using data from recv
|
||||||
|
}
|
||||||
|
}
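Review bot: Both blocks in the added `testAcceptRecv` are positive cases, so the test pins that `recv` data reaching `LoadLibrary` is reported but not that an untainted argument stays quiet. A negative case beside them, e.g. `LoadLibrary("fixed.dll"); // GOOD: constant library name` (a constructed name), would catch a regression that over-taints every `LoadLibrary` argument. The second block calls `accept(socket2, 0, 0)` with null buffers and its comment attributes the taint to `recv`, so `accept` is never exercised as a source on its own. If it is meant to be modelled as one, it needs a block that passes a real buffer to `accept` and then uses it. The stubs declare `recv` with three parameters and a `void` return, while the real call takes four and returns a count. Whether the source model matches on name alone is not visible in this section, so a stub with the real shape would be the safer test.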
|
||||||
|
|||||||
@@ -5,16 +5,50 @@ edges
|
|||||||
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
||||||
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
||||||
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
|
||||||
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
|
||||||
nodes
|
nodes
|
||||||
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
||||||
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
||||||
@@ -23,21 +57,30 @@ nodes
|
|||||||
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
||||||
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
||||||
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
||||||
|
| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
||||||
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
||||||
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
||||||
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
||||||
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
||||||
|
| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | scanf output argument | semmle.label | scanf output argument |
|
||||||
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
||||||
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
||||||
| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
|
| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -45,9 +88,16 @@ nodes
|
|||||||
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
||||||
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
||||||
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
||||||
|
| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
|
||||||
#select
|
#select
|
||||||
| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
||||||
| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
||||||
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
|
||||||
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
|
||||||
| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
|
| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
|
||||||
|
|||||||
@@ -5,54 +5,76 @@ edges
|
|||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||||
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array indirection |
|
||||||
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
|
||||||
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
|
||||||
@@ -61,10 +83,14 @@ edges
|
|||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
||||||
@@ -73,36 +99,50 @@ edges
|
|||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
||||||
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:2:122:13 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:2:122:13 | i4 |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
||||||
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
|
||||||
@@ -111,56 +151,80 @@ edges
|
|||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
|
||||||
| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
||||||
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
|
||||||
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... indirection |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... indirection |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 indirection |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 indirection |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 indirection |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 indirection |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 indirection |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 indirection |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 indirection |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 indirection |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||||
@@ -176,11 +240,15 @@ nodes
|
|||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -188,9 +256,13 @@ nodes
|
|||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||||
|
| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||||
|
| argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -198,68 +270,97 @@ nodes
|
|||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||||
|
| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
|
||||||
|
| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||||
|
| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
|
||||||
|
| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
|
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
|
||||||
|
| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| argvLocal.c:117:2:117:13 | i3 | semmle.label | i3 |
|
| argvLocal.c:117:2:117:13 | i3 | semmle.label | i3 |
|
||||||
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
|
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
|
||||||
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
|
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
||||||
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
|
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
|
||||||
|
| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| argvLocal.c:122:2:122:13 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:2:122:13 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
|
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
||||||
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
|
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
|
||||||
|
| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| argvLocal.c:128:2:128:13 | i5 | semmle.label | i5 |
|
| argvLocal.c:128:2:128:13 | i5 | semmle.label | i5 |
|
||||||
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
|
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
|
||||||
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
|
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
||||||
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
|
||||||
|
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
|
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||||
|
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
|
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
||||||
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
|
||||||
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||||
|
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
|
||||||
|
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
|
||||||
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||||
|
| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
|
| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||||
|
| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
|
||||||
|
| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -267,36 +368,52 @@ nodes
|
|||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||||
|
| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
|
| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||||
|
| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
|
||||||
|
| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
|
| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
|
||||||
|
| argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
|
| argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||||
|
| argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
|
||||||
|
| argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
|
||||||
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
|
| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
|
||||||
|
| argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
|
||||||
|
| argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
|
||||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||||
|
| argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
|
||||||
|
| argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
||||||
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
||||||
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
|
||||||
|
| argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
|
||||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
||||||
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
||||||
|
| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
|
||||||
|
| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
|
||||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||||
|
|||||||
@@ -1,51 +1,71 @@
|
|||||||
edges
|
edges
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 indirection |
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... |
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
|
||||||
|
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 indirection |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... |
|
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
||||||
|
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 indirection |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
|
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
|
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
|
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
|
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
|
||||||
|
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 indirection |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
|
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
||||||
|
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 indirection |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
|
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
|
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
nodes
|
nodes
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
|
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
|
| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
|
||||||
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
|
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
|
||||||
|
| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
|
| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
|
||||||
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
|
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
|
||||||
|
| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
||||||
| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
|
| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
|
||||||
@@ -55,11 +75,15 @@ nodes
|
|||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||||
|
| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
|
| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
|
| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
|
||||||
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
|
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
|
||||||
|
| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
||||||
| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
|
| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
|
||||||
@@ -69,9 +93,13 @@ nodes
|
|||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||||
|
| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
|
| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
|
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
|
||||||
|
| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
|
||||||
|
| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
|
||||||
#select
|
#select
|
||||||
| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
|
| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
|
||||||
| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
|
| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
|
||||||
|
|||||||
@@ -29,18 +29,23 @@ edges
|
|||||||
| globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | *argv |
|
| globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | *argv |
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... |
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... |
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
|
||||||
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy indirection |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
||||||
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy indirection |
|
||||||
| globalVars.c:35:2:35:9 | copy | globalVars.c:15:21:15:23 | val |
|
| globalVars.c:35:2:35:9 | copy | globalVars.c:15:21:15:23 | val |
|
||||||
| globalVars.c:35:11:35:14 | copy | globalVars.c:35:2:35:9 | copy |
|
| globalVars.c:35:11:35:14 | copy | globalVars.c:35:2:35:9 | copy |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
|
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
||||||
|
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 indirection |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
||||||
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 indirection |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... |
|
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
||||||
|
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 indirection |
|
||||||
nodes
|
nodes
|
||||||
| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
|
| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
|
| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
|
||||||
@@ -58,9 +63,13 @@ nodes
|
|||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
||||||
|
| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
|
||||||
|
| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
||||||
|
| globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
|
||||||
|
| globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:35:2:35:9 | copy | semmle.label | copy |
|
| globalVars.c:35:2:35:9 | copy | semmle.label | copy |
|
||||||
| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
|
| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
|
||||||
| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
|
| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -68,14 +77,20 @@ nodes
|
|||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
||||||
|
| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
|
| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
||||||
|
| globalVars.c:41:15:41:19 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
|
| globalVars.c:41:15:41:19 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
||||||
|
| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
|
| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
#select
|
#select
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
||||||
|
|||||||
@@ -5,66 +5,88 @@ edges
|
|||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||||
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 indirection |
|
||||||
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 indirection |
|
||||||
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 indirection |
|
||||||
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 indirection |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 indirection |
|
||||||
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 indirection |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
|
||||||
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
|
||||||
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
|
||||||
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 indirection |
|
||||||
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 indirection |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 indirection |
|
||||||
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 indirection |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 indirection |
|
||||||
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 indirection |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 indirection |
|
||||||
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 indirection |
|
||||||
nodes
|
nodes
|
||||||
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
||||||
@@ -73,6 +95,8 @@ nodes
|
|||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||||
|
| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
|
||||||
|
| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -80,6 +104,8 @@ nodes
|
|||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||||
|
| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
|
||||||
|
| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -87,6 +113,8 @@ nodes
|
|||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||||
|
| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -94,6 +122,8 @@ nodes
|
|||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||||
|
| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
|
||||||
|
| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
|
||||||
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -101,6 +131,8 @@ nodes
|
|||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||||
|
| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -108,6 +140,8 @@ nodes
|
|||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||||
|
| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -115,6 +149,8 @@ nodes
|
|||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||||
|
| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -122,6 +158,8 @@ nodes
|
|||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||||
|
| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
|
| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -129,6 +167,8 @@ nodes
|
|||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||||
|
| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
|
| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -136,6 +176,8 @@ nodes
|
|||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||||
|
| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
|
| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -143,6 +185,8 @@ nodes
|
|||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||||
|
| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
|
| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
#select
|
#select
|
||||||
| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
|
| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
|
||||||
| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
|
| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
|
||||||
|
|||||||
@@ -27,6 +27,24 @@ edges
|
|||||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||||
|
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:100:4:100:15 | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:100:17:100:22 | buffer indirection |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | ... + ... |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:4:100:15 | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:17:100:22 | buffer indirection |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | ... + ... |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | buffer |
|
||||||
|
| test.cpp:100:4:100:15 | buffer | test.cpp:100:17:100:22 | processData1 output argument |
|
||||||
|
| test.cpp:100:17:100:22 | buffer indirection | test.cpp:100:17:100:22 | processData1 output argument |
|
||||||
|
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | ... + ... |
|
||||||
|
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | buffer |
|
||||||
|
| test.cpp:101:4:101:15 | ... + ... | test.cpp:75:38:75:40 | end |
|
||||||
|
| test.cpp:101:4:101:15 | buffer | test.cpp:75:25:75:29 | start |
|
||||||
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
||||||
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
||||||
| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
|
| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
|
||||||
@@ -106,6 +124,21 @@ nodes
|
|||||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||||
|
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
|
||||||
|
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
|
||||||
|
| test.cpp:64:25:64:30 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:75:25:75:29 | start | semmle.label | start |
|
||||||
|
| test.cpp:75:38:75:40 | end | semmle.label | end |
|
||||||
|
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
|
||||||
|
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
|
||||||
|
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | semmle.label | fread output argument |
|
||||||
|
| test.cpp:100:4:100:15 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:100:17:100:22 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:100:17:100:22 | processData1 output argument | semmle.label | processData1 output argument |
|
||||||
|
| test.cpp:101:4:101:15 | ... + ... | semmle.label | ... + ... |
|
||||||
|
| test.cpp:101:4:101:15 | buffer | semmle.label | buffer |
|
||||||
| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
|
||||||
@@ -180,6 +213,7 @@ nodes
|
|||||||
| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||||
| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||||
| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||||
|
| test.cpp:79:9:79:29 | new[] | test.cpp:97:18:97:23 | buffer | test.cpp:79:18:79:28 | ... - ... | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |
|
||||||
| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
|
| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
|
||||||
| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
|
| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
|
||||||
| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
|
| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
|
||||||
|
|||||||
@@ -76,7 +76,7 @@ void processData2(char *start, char *end)
|
|||||||
{
|
{
|
||||||
char *copy;
|
char *copy;
|
||||||
|
|
||||||
copy = new char[end - start]; // GOOD
|
copy = new char[end - start]; // GOOD [FALSE POSITIVE]
|
||||||
|
|
||||||
// ...
|
// ...
|
||||||
|
|
||||||
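Review bot: The new `[FALSE POSITIVE]` marker on `copy = new char[end - start];` records that the query now flags a line the test considers safe, but it does not say why or which result it refers to. The expected output on this page gains the matching row (`test.cpp:79:9:79:29 | new[]`, source `user input (fread)`), and its path runs through the `start` and `end` parameters. That suggests taint on the bytes read by `fread` is being carried over to the pointer values themselves, though this is inferred from the edges and should be confirmed. I would state the reason in the comment, e.g. `// GOOD [FALSE POSITIVE]: size is a pointer difference, not data read from the buffer`, so the known imprecision stays visible and real allocation-size alerts from this query are not dismissed by habit. The body of processData2 continues outside the hunk.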
|
|||||||
@@ -28,7 +28,7 @@ void randomTester2()
|
|||||||
{
|
{
|
||||||
int r;
|
int r;
|
||||||
get_rand2(&r);
|
get_rand2(&r);
|
||||||
r = r + 100; // BAD [NOT DETECTED]
|
r = r + 100; // BAD
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -1,32 +1,44 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
||||||
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
||||||
|
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address indirection |
|
||||||
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
||||||
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
||||||
|
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address indirection |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
||||||
|
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address indirection |
|
||||||
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
||||||
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
||||||
|
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address indirection |
|
||||||
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
||||||
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
||||||
|
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address indirection |
|
||||||
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
||||||
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
||||||
|
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
||||||
|
| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
|
||||||
|
| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
||||||
|
| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
|
||||||
|
| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
||||||
|
| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
|
||||||
|
| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
|
||||||
#select
|
#select
|
||||||
| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
|
| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
|
||||||
| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
|
| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
|
||||||
|
|||||||
@@ -3,11 +3,15 @@ edges
|
|||||||
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
||||||
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
||||||
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
||||||
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
|
||||||
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
||||||
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
||||||
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
||||||
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
||||||
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
||||||
|
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
|
||||||
|
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
|
||||||
#select
|
#select
|
||||||
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
|
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
|
||||||
|
|||||||
@@ -7,3 +7,4 @@
|
|||||||
| test.cpp:303:11:303:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
|
| test.cpp:303:11:303:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
|
||||||
| test.cpp:313:11:313:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
|
| test.cpp:313:11:313:18 | call to try_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
|
||||||
| test.cpp:442:8:442:17 | call to mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
|
| test.cpp:442:8:442:17 | call to mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
|
||||||
|
| test.cpp:482:2:482:19 | call to pthread_mutex_lock | This lock might not be unlocked or might be locked more times than it is unlocked. |
|
||||||
|
|||||||
@@ -445,3 +445,46 @@ bool test_mutex(data_t *data)
|
|||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ---
|
||||||
|
|
||||||
|
struct pthread_mutex
|
||||||
|
{
|
||||||
|
// ...
|
||||||
|
};
|
||||||
|
|
||||||
|
void pthread_mutex_lock(pthread_mutex *m);
|
||||||
|
void pthread_mutex_unlock(pthread_mutex *m);
|
||||||
|
|
||||||
|
class MyClass
|
||||||
|
{
|
||||||
|
public:
|
||||||
|
pthread_mutex lock;
|
||||||
|
};
|
||||||
|
|
||||||
|
bool maybe();
|
||||||
|
|
||||||
|
int test_MyClass_good(MyClass *obj)
|
||||||
|
{
|
||||||
|
pthread_mutex_lock(&obj->lock);
|
||||||
|
|
||||||
|
if (maybe()) {
|
||||||
|
pthread_mutex_unlock(&obj->lock);
|
||||||
|
return -1; // GOOD
|
||||||
|
}
|
||||||
|
|
||||||
|
pthread_mutex_unlock(&obj->lock); // GOOD
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int test_MyClass_bad(MyClass *obj)
|
||||||
|
{
|
||||||
|
pthread_mutex_lock(&obj->lock);
|
||||||
|
|
||||||
|
if (maybe()) {
|
||||||
|
return -1; // BAD
|
||||||
|
}
|
||||||
|
|
||||||
|
pthread_mutex_unlock(&obj->lock); // GOOD
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
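Review bot: In test_MyClass_bad the `// BAD` marker sits on `return -1;`, but the row this commit adds to the expected output reports the alert at `test.cpp:482:2:482:19 | call to pthread_mutex_lock`. By the hunk's numbering that is the `pthread_mutex_lock(&obj->lock);` line a few lines above the return. The `// GOOD` on the final unlock in the same function adds to the ambiguity, since the function as a whole is the failing case. I would annotate the reported line instead, e.g. `pthread_mutex_lock(&obj->lock); // BAD: not released on the early return below`, and mark the return as `// lock still held here`. If the rest of this test file marks the leaking path rather than the reported call, keep that convention and say in the marker which line the alert lands on.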
|
|||||||
@@ -1,37 +1,21 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:35 | (bool)... |
|
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:38 | (bool)... |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:35 | (bool)... |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:38 | (bool)... |
|
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:10:24:35 | ! ... |
|
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:11:24:35 | (bool)... |
|
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:10:41:38 | ! ... |
|
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:11:41:38 | (bool)... |
|
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
|
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
|
|
||||||
| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
|
|
||||||
| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
|
| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
|
|
||||||
| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
|
|
||||||
#select
|
#select
|
||||||
| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
|
| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
|
||||||
| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
|
| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
|
||||||
|
|||||||
@@ -18,9 +18,10 @@
|
|||||||
| NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
|
| NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
|
||||||
| PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
|
| PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
|
||||||
| SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. |
|
| SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. |
|
||||||
| Variants.cpp:25:3:25:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
|
| Variants.cpp:26:3:26:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
|
||||||
| Variants.cpp:65:3:65:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
|
| Variants.cpp:69:3:69:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
| Variants.cpp:66:3:66:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
|
| Variants.cpp:70:3:70:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
| Variants.cpp:67:3:67:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
|
| Variants.cpp:71:3:71:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
|
| Variants.cpp:72:3:72:22 | ... = ... | Resource d is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
| Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. |
|
| Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. |
|
||||||
| Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. |
|
| Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. |
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ void *malloc(size_t size);
|
|||||||
void *calloc(size_t nmemb, size_t size);
|
void *calloc(size_t nmemb, size_t size);
|
||||||
void *realloc(void *ptr, size_t size);
|
void *realloc(void *ptr, size_t size);
|
||||||
void free(void* ptr);
|
void free(void* ptr);
|
||||||
|
char *strdup(const char *s1);
|
||||||
|
|
||||||
int *ID(int *x)
|
int *ID(int *x)
|
||||||
{
|
{
|
||||||
@@ -45,6 +46,7 @@ public:
|
|||||||
a = new int[10]; // GOOD
|
a = new int[10]; // GOOD
|
||||||
b = (int *)calloc(10, sizeof(int)); // GOOD
|
b = (int *)calloc(10, sizeof(int)); // GOOD
|
||||||
c = (int *)realloc(0, 10 * sizeof(int)); // GOOD
|
c = (int *)realloc(0, 10 * sizeof(int)); // GOOD
|
||||||
|
d = strdup("string");
|
||||||
}
|
}
|
||||||
|
|
||||||
~MyClass5()
|
~MyClass5()
|
||||||
@@ -52,9 +54,11 @@ public:
|
|||||||
delete [] a;
|
delete [] a;
|
||||||
free(b);
|
free(b);
|
||||||
free(c);
|
free(c);
|
||||||
|
free(d);
|
||||||
}
|
}
|
||||||
|
|
||||||
int *a, *b, *c;
|
int *a, *b, *c;
|
||||||
|
char *d;
|
||||||
};
|
};
|
||||||
|
|
||||||
class MyClass6
|
class MyClass6
|
||||||
@@ -65,6 +69,7 @@ public:
|
|||||||
a = new int[10]; // BAD
|
a = new int[10]; // BAD
|
||||||
b = (int *)calloc(10, sizeof(int)); // BAD
|
b = (int *)calloc(10, sizeof(int)); // BAD
|
||||||
c = (int *)realloc(0, 10 * sizeof(int)); // BAD
|
c = (int *)realloc(0, 10 * sizeof(int)); // BAD
|
||||||
|
d = strdup("string"); // BAD
|
||||||
}
|
}
|
||||||
|
|
||||||
~MyClass6()
|
~MyClass6()
|
||||||
@@ -72,6 +77,7 @@ public:
|
|||||||
}
|
}
|
||||||
|
|
||||||
int *a, *b, *c;
|
int *a, *b, *c;
|
||||||
|
char *d;
|
||||||
};
|
};
|
||||||
|
|
||||||
class MyClass7
|
class MyClass7
|
||||||
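Review bot: The new `d = strdup("string");` line in the MyClass5 constructor carries no expectation marker, while the three allocations above it are tagged `// GOOD` and the matching line added to MyClass6 is tagged `// BAD`. Because the destructor hunk adds `free(d);`, the line should read `d = strdup("string"); // GOOD`, so the test states that a strdup allocation released with free must not be reported. Both class bodies start outside the hunks shown here.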
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>net5.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
@@ -12,10 +11,11 @@
|
|||||||
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
||||||
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
||||||
<PackageReference Include="xunit" Version="2.4.1" />
|
<PackageReference Include="xunit" Version="2.4.1" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.Build" Version="16.9.0" />
|
<PackageReference Include="Microsoft.Build" Version="16.9.0" />
|
||||||
<PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
|
<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
2
csharp/change-notes/2021-03-24-cil-ssa.md
Normal file
2
csharp/change-notes/2021-03-24-cil-ssa.md
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* A static single assignment (SSA) library has been added to the CIL analysis library. The SSA library replaces the existing `DefUse` module, which has been deprecated.
|
||||||
2
csharp/change-notes/2021-03-24-remove-legacy-queries.md
Normal file
2
csharp/change-notes/2021-03-24-remove-legacy-queries.md
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* Legacy queries in the folders `external` and `filters` have all been removed.
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* The query `VulnerablePackage.ql` has been removed.
|
||||||
2
csharp/change-notes/2021-04-09-dapper-support.md
Normal file
2
csharp/change-notes/2021-04-09-dapper-support.md
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* Support for the Dapper ORM library has been added to the SQL injection checks.
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* The extractor has been improved to store default argument values for parameters that are extracted from referenced assemblies.
|
||||||
@@ -4,8 +4,6 @@
|
|||||||
@_namespace com.lgtm/csharp-queries
|
@_namespace com.lgtm/csharp-queries
|
||||||
+ odasa-csharp-metrics/Files/FLinesOfCommentedCode.ql: /Metrics/Documentation
|
+ odasa-csharp-metrics/Files/FLinesOfCommentedCode.ql: /Metrics/Documentation
|
||||||
@_namespace com.lgtm/csharp-queries
|
@_namespace com.lgtm/csharp-queries
|
||||||
+ odasa-csharp-metrics/Files/FLinesOfDuplicatedCode.ql: /Metrics/Coupling
|
|
||||||
@_namespace com.lgtm/csharp-queries
|
|
||||||
+ odasa-csharp-metrics/Files/FNumberOfTests.ql: /Metrics/Size
|
+ odasa-csharp-metrics/Files/FNumberOfTests.ql: /Metrics/Size
|
||||||
@_namespace com.lgtm/csharp-queries
|
@_namespace com.lgtm/csharp-queries
|
||||||
|
|
||||||
|
|||||||
@@ -164,6 +164,39 @@ namespace Semmle.Extraction.CSharp.Entities
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Creates a generated expression for a default argument value.
|
||||||
|
/// </summary>
|
||||||
|
public static Expression? CreateGenerated(Context cx, IParameterSymbol parameter, IExpressionParentEntity parent,
|
||||||
|
int childIndex, Extraction.Entities.Location location)
|
||||||
|
{
|
||||||
|
if (!parameter.HasExplicitDefaultValue)
|
||||||
|
{
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
var defaultValue = parameter.ExplicitDefaultValue;
|
||||||
|
|
||||||
|
if (parameter.Type is INamedTypeSymbol nt && nt.EnumUnderlyingType is not null)
|
||||||
|
{
|
||||||
|
// = (MyEnum)1, = MyEnum.Value1, = default(MyEnum), = new MyEnum()
|
||||||
|
// we're generating a (MyEnum)value cast expression:
|
||||||
|
defaultValue ??= 0;
|
||||||
|
Action<Expression, int> createChild = (parent, index) => Literal.CreateGenerated(cx, parent, index, nt.EnumUnderlyingType, defaultValue, location);
|
||||||
|
return Cast.CreateGenerated(cx, parent, childIndex, parameter.Type, defaultValue, createChild, location);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (defaultValue is null)
|
||||||
|
{
|
||||||
|
// = null, = default, = default(T), = new MyStruct()
|
||||||
|
// we're generating a default expression:
|
||||||
|
return Default.CreateGenerated(cx, parent, childIndex, location, parameter.Type.IsReferenceType ? ValueAsString(null) : null);
|
||||||
|
}
|
||||||
|
|
||||||
|
// const literal:
|
||||||
|
return Literal.CreateGenerated(cx, parent, childIndex, parameter.Type, defaultValue, location);
|
||||||
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Adapt the operator kind depending on whether it's a dynamic call or a user-operator call.
|
/// Adapt the operator kind depending on whether it's a dynamic call or a user-operator call.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
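Review bot: In the enum branch of the new `CreateGenerated`, the lambda `(parent, index) => Literal.CreateGenerated(cx, parent, index, ...)` declares a parameter named `parent` that hides the method's own `parent` argument. The same name then refers to the enclosing entity on the following `Cast.CreateGenerated` line and, presumably, to the new cast expression inside the lambda. Renaming the lambda parameter, e.g. `(castExpr, index) => Literal.CreateGenerated(cx, castExpr, index, nt.EnumUnderlyingType, defaultValue, location)`, removes the ambiguity. The `<summary>` should also state that the method returns `null` when `parameter.HasExplicitDefaultValue` is false, since the return type is nullable and callers have to handle that case.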
|
|||||||
@@ -14,5 +14,20 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
|
|||||||
{
|
{
|
||||||
TypeAccess.Create(Context, Syntax.Type, this, 0);
|
TypeAccess.Create(Context, Syntax.Type, this, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Extraction.Entities.Location location, string? value)
|
||||||
|
{
|
||||||
|
var info = new ExpressionInfo(
|
||||||
|
cx,
|
||||||
|
null,
|
||||||
|
location,
|
||||||
|
ExprKind.DEFAULT,
|
||||||
|
parent,
|
||||||
|
childIndex,
|
||||||
|
true,
|
||||||
|
value);
|
||||||
|
|
||||||
|
return new Expression(info);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
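Review bot: The new public `CreateGenerated` has no XML doc comment, and the positional `null` and `true` passed to `ExpressionInfo` do not say what they stand for. A summary such as `/// <summary>Creates a generated default expression at the given location; value is the stored constant value, or null when there is none.</summary>` would document the contract that the caller in the default-argument code relies on. The two bare arguments would be clearer with named-argument syntax or a trailing comment each. The constructor's parameter names are not visible in this hunk, so they need to be taken from `ExpressionInfo` itself.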
|
|||||||
@@ -4,6 +4,7 @@ using System.Linq;
|
|||||||
using Microsoft.CodeAnalysis.CSharp.Syntax;
|
using Microsoft.CodeAnalysis.CSharp.Syntax;
|
||||||
using Semmle.Extraction.Entities;
|
using Semmle.Extraction.Entities;
|
||||||
using System.IO;
|
using System.IO;
|
||||||
|
using System;
|
||||||
|
|
||||||
namespace Semmle.Extraction.CSharp.Entities
|
namespace Semmle.Extraction.CSharp.Entities
|
||||||
{
|
{
|
||||||
@@ -124,6 +125,17 @@ namespace Semmle.Extraction.CSharp.Entities
|
|||||||
trapFile.param_location(this, Context.CreateLocation());
|
trapFile.param_location(this, Context.CreateLocation());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (Symbol.HasExplicitDefaultValue && Context.Defines(Symbol))
|
||||||
|
{
|
||||||
|
var defaultValueSyntax = GetDefaultValueFromSyntax(Symbol);
|
||||||
|
|
||||||
|
Action defaultValueExpressionCreation = defaultValueSyntax is not null
|
||||||
|
? () => Expression.Create(Context, defaultValueSyntax.Value, this, 0)
|
||||||
|
: () => Expression.CreateGenerated(Context, Symbol, this, 0, Location);
|
||||||
|
|
||||||
|
Context.PopulateLater(defaultValueExpressionCreation);
|
||||||
|
}
|
||||||
|
|
||||||
if (!IsSourceDeclaration || !Symbol.FromSource())
|
if (!IsSourceDeclaration || !Symbol.FromSource())
|
||||||
return;
|
return;
|
||||||
|
|
||||||
@@ -139,36 +151,28 @@ namespace Semmle.Extraction.CSharp.Entities
|
|||||||
TypeMention.Create(Context, syntax.Type!, this, type);
|
TypeMention.Create(Context, syntax.Type!, this, type);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (Symbol.HasExplicitDefaultValue && Context.Defines(Symbol))
|
private static EqualsValueClauseSyntax? GetDefaultValueFromSyntax(IParameterSymbol symbol)
|
||||||
{
|
{
|
||||||
// This is a slight bug in the dbscheme
|
// This is a slight bug in the dbscheme
|
||||||
// We should really define param_default(param, string)
|
// We should really define param_default(param, string)
|
||||||
// And use parameter child #0 to encode the default expression.
|
// And use parameter child #0 to encode the default expression.
|
||||||
var defaultValue = GetParameterDefaultValue(Symbol);
|
var defaultValue = GetParameterDefaultValue(symbol);
|
||||||
if (defaultValue is null)
|
if (defaultValue is null)
|
||||||
{
|
{
|
||||||
// In case this parameter belongs to an accessor of an indexer, we need
|
// In case this parameter belongs to an accessor of an indexer, we need
|
||||||
// to get the default value from the corresponding parameter belonging
|
// to get the default value from the corresponding parameter belonging
|
||||||
// to the indexer itself
|
// to the indexer itself
|
||||||
var method = (IMethodSymbol)Symbol.ContainingSymbol;
|
if (symbol.ContainingSymbol is IMethodSymbol method)
|
||||||
if (method is not null)
|
|
||||||
{
|
{
|
||||||
var i = method.Parameters.IndexOf(Symbol);
|
var i = method.Parameters.IndexOf(symbol);
|
||||||
var indexer = (IPropertySymbol?)method.AssociatedSymbol;
|
if (method.AssociatedSymbol is IPropertySymbol indexer)
|
||||||
if (indexer is not null)
|
|
||||||
defaultValue = GetParameterDefaultValue(indexer.Parameters[i]);
|
defaultValue = GetParameterDefaultValue(indexer.Parameters[i]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (defaultValue is not null)
|
return defaultValue;
|
||||||
{
|
|
||||||
Context.PopulateLater(() =>
|
|
||||||
{
|
|
||||||
Expression.Create(Context, defaultValue.Value, this, 0);
|
|
||||||
});
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public override bool IsSourceDeclaration => Symbol.IsSourceDeclaration();
|
public override bool IsSourceDeclaration => Symbol.IsSourceDeclaration();
|
||||||
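Review bot: The extracted `GetDefaultValueFromSyntax` indexes `indexer.Parameters[i]` without checking `i`. For a set accessor the trailing `value` parameter would, as far as I can tell, sit one past the indexer's own parameter list, so the helper is only safe because its one visible caller tests `Symbol.HasExplicitDefaultValue` first. Making the guard local keeps the helper safe if it is reused: `if (method.AssociatedSymbol is IPropertySymbol indexer && i >= 0 && i < indexer.Parameters.Length)`. The "slight bug in the dbscheme" comment about encoding the default in child #0 also moved into the helper, but it describes the `Expression.Create(..., this, 0)` call, which now lives in the caller. The caller's method body starts outside these hunks.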
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>net5.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
@@ -12,10 +11,11 @@
|
|||||||
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
||||||
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
||||||
<PackageReference Include="xunit" Version="2.4.1" />
|
<PackageReference Include="xunit" Version="2.4.1" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -16,7 +16,7 @@
|
|||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.CodeAnalysis" Version="3.9.0" />
|
<PackageReference Include="Microsoft.CodeAnalysis" Version="3.9.0" />
|
||||||
<PackageReference Include="GitInfo" Version="2.0.20">
|
<PackageReference Include="GitInfo" Version="2.1.2">
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>net5.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
@@ -10,10 +9,11 @@
|
|||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="xunit" Version="2.4.1" />
|
<PackageReference Include="xunit" Version="2.4.1" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind treemap
|
* @kind treemap
|
||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType externalDependency
|
* @metricType externalDependency
|
||||||
* @precision medium
|
|
||||||
* @id cs/external-dependencies
|
* @id cs/external-dependencies
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -1,16 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>
|
|
||||||
Duplicated code increases overall code size, making the code base
|
|
||||||
harder to maintain and harder to understand. It also becomes harder to fix bugs,
|
|
||||||
since a programmer applying a fix to one copy has to always remember to update
|
|
||||||
other copies accordingly. Finally, code duplication is generally an indication of
|
|
||||||
a poorly designed or hastily written code base, which typically suffers from other
|
|
||||||
problems as well.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
</qhelp>
|
|
||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cs/lines-of-code-in-files
|
* @id cs/lines-of-code-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* complexity
|
* complexity
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn lowValues
|
* @treemap.warnOn lowValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cs/lines-of-comments-in-files
|
* @id cs/lines-of-comments-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* documentation
|
* documentation
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision high
|
|
||||||
* @id cs/lines-of-commented-out-code-in-files
|
* @id cs/lines-of-commented-out-code-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* documentation
|
* documentation
|
||||||
|
|||||||
@@ -1,30 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>
|
|
||||||
A file that contains many lines that are duplicated within the code base is problematic
|
|
||||||
for a number of reasons.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
<include src="DuplicationProblems.inc.qhelp" />
|
|
||||||
|
|
||||||
<recommendation>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Refactor files with lots of duplicated code to extract the common code into
|
|
||||||
shared classes and assemblies.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</recommendation>
|
|
||||||
<references>
|
|
||||||
|
|
||||||
|
|
||||||
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Duplicate_code">Duplicate code</a>.</li>
|
|
||||||
<li>M. Fowler, <em>Refactoring</em>. Addison-Wesley, 1999.</li>
|
|
||||||
|
|
||||||
|
|
||||||
</references>
|
|
||||||
</qhelp>
|
|
||||||
@@ -1,27 +0,0 @@
|
|||||||
/**
|
|
||||||
* @deprecated
|
|
||||||
* @name Duplicated lines in files
|
|
||||||
* @description The number of lines in a file, including code, comment and whitespace lines,
|
|
||||||
* which are duplicated in at least one other place.
|
|
||||||
* @kind treemap
|
|
||||||
* @treemap.warnOn highValues
|
|
||||||
* @metricType file
|
|
||||||
* @metricAggregate avg sum max
|
|
||||||
* @precision high
|
|
||||||
* @id cs/duplicated-lines-in-files
|
|
||||||
* @tags testability
|
|
||||||
* modularity
|
|
||||||
*/
|
|
||||||
|
|
||||||
import external.CodeDuplication
|
|
||||||
|
|
||||||
from SourceFile f, int n
|
|
||||||
where
|
|
||||||
n =
|
|
||||||
count(int line |
|
|
||||||
exists(DuplicateBlock d | d.sourceFile() = f |
|
|
||||||
line in [d.sourceStartLine() .. d.sourceEndLine()] and
|
|
||||||
not whitelistedLineForDuplication(f, line)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
select f, n order by n desc
|
|
||||||