mirror of
https://github.com/github/codeql.git
synced 2026-07-05 11:35:30 +02:00
Compare commits
377 Commits
codeql-cli
...
igfoo/unde
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9f27af5626 | ||
|
|
e0a73ce797 | ||
|
|
4b51e22bb4 | ||
|
|
ec952248a9 | ||
|
|
f27203cc43 | ||
|
|
e8d7925084 | ||
|
|
25e26b9ac0 | ||
|
|
6cceb73807 | ||
|
|
d2b991bcb5 | ||
|
|
09ba25fe9b | ||
|
|
8c95a9ae39 | ||
|
|
2dadc752d6 | ||
|
|
d57ec5d1ac | ||
|
|
e3b052199a | ||
|
|
eb01ffbdae | ||
|
|
2f98212eca | ||
|
|
8f1c7c57a8 | ||
|
|
909dc84bb6 | ||
|
|
a18cd74756 | ||
|
|
21576387f3 | ||
|
|
50523e0ac0 | ||
|
|
d126c0a1d3 | ||
|
|
108bcef104 | ||
|
|
0f710b1981 | ||
|
|
c26d05b1d5 | ||
|
|
5a4efab742 | ||
|
|
96a66fa4ee | ||
|
|
67ad6d9a0f | ||
|
|
faf07dac91 | ||
|
|
3e26236648 | ||
|
|
2770a53d38 | ||
|
|
c103939c2d | ||
|
|
49ca88957c | ||
|
|
603843e698 | ||
|
|
3613ceb07f | ||
|
|
f1d0b50670 | ||
|
|
f453fe26c6 | ||
|
|
b381f4826c | ||
|
|
149af57eac | ||
|
|
88fee2748e | ||
|
|
f17bbd9982 | ||
|
|
c83daa66e7 | ||
|
|
7f16c52217 | ||
|
|
1dbfe2369d | ||
|
|
f584ff9acf | ||
|
|
8dc7b6403a | ||
|
|
cc2a531684 | ||
|
|
9d1ef21d85 | ||
|
|
c7c65736a9 | ||
|
|
86755c6a98 | ||
|
|
506c95d098 | ||
|
|
d4ce42ac4f | ||
|
|
e93b72d563 | ||
|
|
983b64a05f | ||
|
|
57fd2e3578 | ||
|
|
208d5157fa | ||
|
|
c2f112cb92 | ||
|
|
8734df334b | ||
|
|
229250dc54 | ||
|
|
716e0f1404 | ||
|
|
f100c8a9c0 | ||
|
|
ed78acb1d4 | ||
|
|
dbef36cbbb | ||
|
|
eaa2d4d831 | ||
|
|
2f34588770 | ||
|
|
a456458a38 | ||
|
|
446ad5ec9e | ||
|
|
c812bd948a | ||
|
|
7aae51c876 | ||
|
|
28fb0edfbe | ||
|
|
6cab85712f | ||
|
|
1c27ca610a | ||
|
|
a5220bf616 | ||
|
|
25a0e09130 | ||
|
|
1beac06236 | ||
|
|
7fb5bd0cab | ||
|
|
9abe02f419 | ||
|
|
bc9682c22d | ||
|
|
ed2cb739c5 | ||
|
|
344c2d3c3d | ||
|
|
90868a4788 | ||
|
|
203b0e3d88 | ||
|
|
cdd613358b | ||
|
|
7e20829f36 | ||
|
|
6a3859fc83 | ||
|
|
bd4934380a | ||
|
|
33c990f6b0 | ||
|
|
0fe4baec34 | ||
|
|
09fbf480db | ||
|
|
e3b2e0a1de | ||
|
|
75afa011ff | ||
|
|
e90035a5a5 | ||
|
|
24360d3a4c | ||
|
|
77ba7b473d | ||
|
|
0511e72520 | ||
|
|
6bfc49c069 | ||
|
|
32b264bdee | ||
|
|
d53c334488 | ||
|
|
28ff3f412d | ||
|
|
867471b122 | ||
|
|
9d52db3ca7 | ||
|
|
5b905cfe18 | ||
|
|
1564aee57a | ||
|
|
c82b5eb040 | ||
|
|
dbc6cf63c2 | ||
|
|
bd3f6d1234 | ||
|
|
51f489211b | ||
|
|
5d9778c64d | ||
|
|
3e67ebacb0 | ||
|
|
3b6b40489f | ||
|
|
4b7440d4d5 | ||
|
|
419fbe77ab | ||
|
|
b83da2255c | ||
|
|
b94c189946 | ||
|
|
7e33b571c9 | ||
|
|
eeb8c74666 | ||
|
|
70824b3f0b | ||
|
|
801eb538db | ||
|
|
0ae8b69102 | ||
|
|
28d6cad3d0 | ||
|
|
72ae902e0d | ||
|
|
c146b27c1a | ||
|
|
8ff9c98d26 | ||
|
|
32dc894d54 | ||
|
|
a0465d20cb | ||
|
|
ed8ffab356 | ||
|
|
47530d7526 | ||
|
|
b25dc03dac | ||
|
|
e13a9c9716 | ||
|
|
d3485cac34 | ||
|
|
8d15680af4 | ||
|
|
4955f95f64 | ||
|
|
63831cc62b | ||
|
|
b023d73016 | ||
|
|
1473778bb8 | ||
|
|
70974ea197 | ||
|
|
47686a6e4c | ||
|
|
8d30ee5c3c | ||
|
|
a1ccbcdaf1 | ||
|
|
de879c0707 | ||
|
|
2f2d72f282 | ||
|
|
88932a495c | ||
|
|
59200386a7 | ||
|
|
f2fb26df37 | ||
|
|
e3ab94fc6b | ||
|
|
41168e2b36 | ||
|
|
234f62fd05 | ||
|
|
6d86239929 | ||
|
|
9610ed163a | ||
|
|
12a6410a0a | ||
|
|
c5c80204d5 | ||
|
|
c96b8301ed | ||
|
|
02a5c0875e | ||
|
|
ac0430883a | ||
|
|
61cff8faed | ||
|
|
b8bfdcc719 | ||
|
|
93bcc3724a | ||
|
|
17d1768259 | ||
|
|
4289e358bf | ||
|
|
6d6150d051 | ||
|
|
deefbefffc | ||
|
|
1f5e52e822 | ||
|
|
98cee7d339 | ||
|
|
c067d519d9 | ||
|
|
61e89d4841 | ||
|
|
0056c39bdd | ||
|
|
9e6aac8ef4 | ||
|
|
f8f3770a58 | ||
|
|
52c2e37aca | ||
|
|
2759d53f42 | ||
|
|
c5ddd40dc3 | ||
|
|
9abaad65c6 | ||
|
|
530be38b84 | ||
|
|
4a45731c85 | ||
|
|
c9c99464cf | ||
|
|
1a5eede39f | ||
|
|
5c9a239776 | ||
|
|
98398a9efd | ||
|
|
67ec5d325c | ||
|
|
adaf3234ec | ||
|
|
7021be05c5 | ||
|
|
52279d4bea | ||
|
|
fae907df65 | ||
|
|
bda074835e | ||
|
|
2012e97842 | ||
|
|
64c7d4e597 | ||
|
|
0035defd72 | ||
|
|
5051f10586 | ||
|
|
3e54136086 | ||
|
|
5fe3c1a0a9 | ||
|
|
3a2f87f0a7 | ||
|
|
b8049f19e2 | ||
|
|
8f750d4ad3 | ||
|
|
f84a05526d | ||
|
|
633152940c | ||
|
|
17d1e6d614 | ||
|
|
5d6c6b4b9b | ||
|
|
5bfd2ad07f | ||
|
|
36a8134490 | ||
|
|
b7ae62c3a3 | ||
|
|
1c815f12da | ||
|
|
151420fd0f | ||
|
|
e42f8439de | ||
|
|
24539dc0ee | ||
|
|
a43bb1fb6d | ||
|
|
23d2f11840 | ||
|
|
fa90655dd0 | ||
|
|
3d94ccf5dd | ||
|
|
ce638096de | ||
|
|
f2bc413318 | ||
|
|
3c26779f40 | ||
|
|
a4924856a2 | ||
|
|
8d0f6086af | ||
|
|
27408fefe2 | ||
|
|
9a56601dd3 | ||
|
|
b5be9d07aa | ||
|
|
b38a9d51e6 | ||
|
|
13eb9e0833 | ||
|
|
30e1b88b7f | ||
|
|
6c8b4a82c1 | ||
|
|
da08c6e63e | ||
|
|
98143b071d | ||
|
|
1e6b5391d6 | ||
|
|
b46a3616d8 | ||
|
|
585606a933 | ||
|
|
0b4650a4c9 | ||
|
|
20aa05b090 | ||
|
|
7d0cfc69f1 | ||
|
|
0ff7cc845c | ||
|
|
921b560e89 | ||
|
|
198a4ca79b | ||
|
|
6b19e69d30 | ||
|
|
1890e63d4c | ||
|
|
4a6589d0ae | ||
|
|
42e6c7eb2e | ||
|
|
c03e9d6c75 | ||
|
|
5bfdca895b | ||
|
|
230b9cf5d3 | ||
|
|
c1e3ccfb6c | ||
|
|
54a91c73b0 | ||
|
|
d09458a486 | ||
|
|
7ec86b5e7f | ||
|
|
fe046ec71e | ||
|
|
3a83ecf067 | ||
|
|
a54e810804 | ||
|
|
f4a476ea4e | ||
|
|
ea8c8df653 | ||
|
|
6c1ec6d96b | ||
|
|
8949b9eb0a | ||
|
|
01fd00de56 | ||
|
|
2f3d516413 | ||
|
|
4f46908224 | ||
|
|
36b0ab1de5 | ||
|
|
a28a36ab29 | ||
|
|
e90fb1a225 | ||
|
|
d489d63b8e | ||
|
|
28ad667578 | ||
|
|
af5a61782c | ||
|
|
0e98ea0c10 | ||
|
|
67a5831ac0 | ||
|
|
c0bb169342 | ||
|
|
add0c88530 | ||
|
|
d998d06b94 | ||
|
|
a88c3682ff | ||
|
|
84c9137152 | ||
|
|
f27d2bdf6d | ||
|
|
d0c82d3756 | ||
|
|
17d7ba8049 | ||
|
|
3914a93504 | ||
|
|
c516d69b98 | ||
|
|
0b1705f302 | ||
|
|
43fbcc1c8a | ||
|
|
dd6b27df24 | ||
|
|
cd820917bc | ||
|
|
2541e9cb6a | ||
|
|
048c72a0f2 | ||
|
|
aa2abf76ba | ||
|
|
732ef92830 | ||
|
|
c684b74b3d | ||
|
|
0ffb80e3b1 | ||
|
|
5667901a2a | ||
|
|
57953c523c | ||
|
|
a2d75c4fed | ||
|
|
4b7c57c077 | ||
|
|
0a5d58ed8a | ||
|
|
bc36e0db43 | ||
|
|
cc592b124b | ||
|
|
0b6589c8be | ||
|
|
4941d9b7bf | ||
|
|
df60268023 | ||
|
|
19d08d7b40 | ||
|
|
a78f2115f2 | ||
|
|
bb53780ba9 | ||
|
|
0ef3eee4ed | ||
|
|
891b975899 | ||
|
|
bda223771b | ||
|
|
82cb4a8d68 | ||
|
|
dcabce679a | ||
|
|
ecdadd1826 | ||
|
|
abdebc29f9 | ||
|
|
23876cb581 | ||
|
|
1784c202a7 | ||
|
|
617ba65ef5 | ||
|
|
eb4f1e1ba0 | ||
|
|
23d3109071 | ||
|
|
6ba35f4aac | ||
|
|
9f02c144a8 | ||
|
|
ffc6af73b7 | ||
|
|
748f5344ff | ||
|
|
15a43ffe36 | ||
|
|
e02b51f42b | ||
|
|
aac0c27dcd | ||
|
|
95284ad71d | ||
|
|
476309af6d | ||
|
|
45bdb22db8 | ||
|
|
2baf2aa5c1 | ||
|
|
40f4e71b86 | ||
|
|
58971f9f4e | ||
|
|
520ba47293 | ||
|
|
e698ee77f7 | ||
|
|
2c96e6cf96 | ||
|
|
5ce3af0591 | ||
|
|
92c00cb741 | ||
|
|
f1e44bce4a | ||
|
|
a03e6faf37 | ||
|
|
409d95c522 | ||
|
|
23f620d255 | ||
|
|
6a6727fc80 | ||
|
|
6901cd4899 | ||
|
|
22e741c7a3 | ||
|
|
dbb3d458f5 | ||
|
|
a6a0fa28c4 | ||
|
|
97690b4eb7 | ||
|
|
ff1ed3a012 | ||
|
|
81c56b9bed | ||
|
|
31deca016f | ||
|
|
ca2e6587fe | ||
|
|
b5ae417851 | ||
|
|
b76854a384 | ||
|
|
19872e9aed | ||
|
|
985d3d469a | ||
|
|
42f55e1ebe | ||
|
|
d34233b44f | ||
|
|
16308fe557 | ||
|
|
14a23eed4f | ||
|
|
75b79039a1 | ||
|
|
81e372d078 | ||
|
|
a64fc2b24e | ||
|
|
0b326aae20 | ||
|
|
44d99f8cd4 | ||
|
|
ec4c155043 | ||
|
|
a56dd60baa | ||
|
|
b9809b071e | ||
|
|
048167d39a | ||
|
|
3af8773dd6 | ||
|
|
86c04e6971 | ||
|
|
39103af718 | ||
|
|
b56fe2b25f | ||
|
|
19ff00bad4 | ||
|
|
ce2db21f15 | ||
|
|
77729918c1 | ||
|
|
5aed82a210 | ||
|
|
04641a3f2d | ||
|
|
c2e44fa180 | ||
|
|
db8766ca69 | ||
|
|
525aeb6551 | ||
|
|
29eacbd28b | ||
|
|
bd00988c37 | ||
|
|
68040b717e | ||
|
|
275d75295c | ||
|
|
049bff09e6 | ||
|
|
2a6ba40a93 | ||
|
|
04ad94d1cc | ||
|
|
afbeca0d54 | ||
|
|
95ed5465de | ||
|
|
fbe857d1fa | ||
|
|
7d79be71d1 |
29
.github/workflows/docs-review.yml
vendored
29
.github/workflows/docs-review.yml
vendored
@@ -1,29 +0,0 @@
|
|||||||
# When a PR is labelled with 'ready-for-docs-review',
|
|
||||||
# this workflow comments on the PR to notify the GitHub CodeQL docs team.
|
|
||||||
name: Request docs review
|
|
||||||
on:
|
|
||||||
# Runs in the context of the base repo.
|
|
||||||
# This gives the workflow write access to comment on PRs.
|
|
||||||
# The workflow should not check out or build the given ref,
|
|
||||||
# or use untrusted data from the event payload in a command line.
|
|
||||||
pull_request_target:
|
|
||||||
types: [labeled]
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
request-docs-review:
|
|
||||||
name: Request docs review
|
|
||||||
# Run only on labelled PRs to the main repository.
|
|
||||||
# Do not run on PRs to forks.
|
|
||||||
if:
|
|
||||||
github.event.label.name == 'ready-for-docs-review'
|
|
||||||
&& github.event.pull_request.draft == false
|
|
||||||
&& github.event.pull_request.base.repo.full_name == 'github/codeql'
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Comment to request docs review
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
||||||
run: |
|
|
||||||
gh pr comment "$PR_NUMBER" --repo "github/codeql" \
|
|
||||||
--body "Hello @github/docs-content-codeql - this PR is ready for docs review."
|
|
||||||
@@ -36,6 +36,7 @@
|
|||||||
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
@@ -376,7 +377,6 @@
|
|||||||
],
|
],
|
||||||
"DuplicationProblems.inc.qhelp": [
|
"DuplicationProblems.inc.qhelp": [
|
||||||
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
|
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
|
||||||
"csharp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
|
|
||||||
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
|
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
|
||||||
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
|
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
|
||||||
],
|
],
|
||||||
@@ -429,10 +429,11 @@
|
|||||||
"SSA C#": [
|
"SSA C#": [
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
|
"csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll"
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
|
||||||
|
"csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
|
||||||
],
|
],
|
||||||
"CryptoAlgorithms Python/JS": [
|
"CryptoAlgorithms Python/JS": [
|
||||||
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
||||||
"python/ql/src/semmle/crypto/Crypto.qll"
|
"python/ql/src/semmle/crypto/Crypto.qll"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@@ -5,6 +5,7 @@ using System;
|
|||||||
using System.Linq;
|
using System.Linq;
|
||||||
using Microsoft.Build.Construction;
|
using Microsoft.Build.Construction;
|
||||||
using System.Xml;
|
using System.Xml;
|
||||||
|
using System.IO;
|
||||||
|
|
||||||
namespace Semmle.Autobuild.Cpp.Tests
|
namespace Semmle.Autobuild.Cpp.Tests
|
||||||
{
|
{
|
||||||
@@ -43,6 +44,8 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
|
public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
|
||||||
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
|
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
|
||||||
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
|
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
|
||||||
|
public HashSet<string> CreateDirectories { get; } = new HashSet<string>();
|
||||||
|
public HashSet<(string, string)> DownloadFiles { get; } = new HashSet<(string, string)>();
|
||||||
|
|
||||||
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
|
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
|
||||||
{
|
{
|
||||||
@@ -135,6 +138,14 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
|
|
||||||
string IBuildActions.GetFullPath(string path) => path;
|
string IBuildActions.GetFullPath(string path) => path;
|
||||||
|
|
||||||
|
string? IBuildActions.GetFileName(string? path) => Path.GetFileName(path?.Replace('\\', '/'));
|
||||||
|
|
||||||
|
public string? GetDirectoryName(string? path)
|
||||||
|
{
|
||||||
|
var dir = Path.GetDirectoryName(path?.Replace('\\', '/'));
|
||||||
|
return dir is null ? path : path?.Substring(0, dir.Length);
|
||||||
|
}
|
||||||
|
|
||||||
void IBuildActions.WriteAllText(string filename, string contents)
|
void IBuildActions.WriteAllText(string filename, string contents)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
@@ -153,6 +164,18 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
s = s.Replace($"%{kvp.Key}%", kvp.Value);
|
s = s.Replace($"%{kvp.Key}%", kvp.Value);
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void CreateDirectory(string path)
|
||||||
|
{
|
||||||
|
if (!CreateDirectories.Contains(path))
|
||||||
|
throw new ArgumentException($"Missing CreateDirectory, {path}");
|
||||||
|
}
|
||||||
|
|
||||||
|
public void DownloadFile(string address, string fileName)
|
||||||
|
{
|
||||||
|
if (!DownloadFiles.Contains((address, fileName)))
|
||||||
|
throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
@@ -213,6 +236,7 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
||||||
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
||||||
|
Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
|
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
|
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
|
||||||
@@ -273,7 +297,8 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
[Fact]
|
[Fact]
|
||||||
public void TestCppAutobuilderSuccess()
|
public void TestCppAutobuilderSuccess()
|
||||||
{
|
{
|
||||||
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test.sln"] = 1;
|
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
|
||||||
|
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
|
||||||
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
|
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
|
||||||
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
||||||
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
||||||
@@ -286,11 +311,13 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
||||||
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
||||||
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
||||||
|
Actions.CreateDirectories.Add(@"C:\Project\.nuget");
|
||||||
|
Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
|
||||||
|
|
||||||
var autobuilder = CreateAutoBuilder(true);
|
var autobuilder = CreateAutoBuilder(true);
|
||||||
var solution = new TestSolution(@"C:\Project\test.sln");
|
var solution = new TestSolution(@"C:\Project\test.sln");
|
||||||
autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
|
autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
|
||||||
TestAutobuilderScript(autobuilder, 0, 2);
|
TestAutobuilderScript(autobuilder, 0, 3);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind treemap
|
* @kind treemap
|
||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType externalDependency
|
* @metricType externalDependency
|
||||||
* @precision medium
|
|
||||||
* @id cpp/external-dependencies
|
* @id cpp/external-dependencies
|
||||||
* @tags modularity
|
* @tags modularity
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -7,7 +7,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cpp/lines-of-code-in-files
|
* @id cpp/lines-of-code-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* complexity
|
* complexity
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision high
|
|
||||||
* @id cpp/lines-of-commented-out-code-in-files
|
* @id cpp/lines-of-commented-out-code-in-files
|
||||||
* @tags documentation
|
* @tags documentation
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -7,7 +7,6 @@
|
|||||||
* @treemap.warnOn lowValues
|
* @treemap.warnOn lowValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cpp/lines-of-comments-in-files
|
* @id cpp/lines-of-comments-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* documentation
|
* documentation
|
||||||
|
|||||||
@@ -8,7 +8,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision high
|
|
||||||
* @id cpp/duplicated-lines-in-files
|
* @id cpp/duplicated-lines-in-files
|
||||||
* @tags testability
|
* @tags testability
|
||||||
* modularity
|
* modularity
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn lowValues
|
* @treemap.warnOn lowValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision medium
|
|
||||||
* @id cpp/tests-in-files
|
* @id cpp/tests-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
*/
|
*/
|
||||||
|
|||||||
12
cpp/ql/src/external/tests/DefectFilter.ql
vendored
12
cpp/ql/src/external/tests/DefectFilter.ql
vendored
@@ -1,12 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Defect filter
|
|
||||||
* @description Only include results in large files (200) lines of code, and change the message.
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
|
|
||||||
select res, "Large files: " + res.getMessage()
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Defect from external data
|
|
||||||
* @description Insert description here...
|
|
||||||
* @kind problem
|
|
||||||
* @problem.severity warning
|
|
||||||
* @tags external-data
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.ExternalArtifact
|
|
||||||
|
|
||||||
from ExternalData d, File u
|
|
||||||
where
|
|
||||||
d.getQueryPath() = "external-data.ql" and
|
|
||||||
u.getShortName() = d.getField(0)
|
|
||||||
select u,
|
|
||||||
d.getField(5) + ", " + d.getFieldAsDate(1) + ", " + d.getField(2) + ", " + d.getFieldAsFloat(3) +
|
|
||||||
", " + d.getFieldAsInt(4) + ": " + d.getNumFields()
|
|
||||||
12
cpp/ql/src/external/tests/MetricFilter.ql
vendored
12
cpp/ql/src/external/tests/MetricFilter.ql
vendored
@@ -1,12 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Metric filter
|
|
||||||
* @description Only include results in large files (200) lines of code.
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.MetricFilter
|
|
||||||
|
|
||||||
from MetricResult res
|
|
||||||
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
|
|
||||||
select res, res.getValue()
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Filter: exclude results from files that are autogenerated
|
|
||||||
* @description Use this filter to return results only if they are
|
|
||||||
* located in files that are maintained manually.
|
|
||||||
* @kind problem
|
|
||||||
* @id cpp/autogenerated-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import semmle.code.cpp.AutogeneratedFile
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where not res.getFile() instanceof AutogeneratedFile
|
|
||||||
select res, res.getMessage()
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Metric filter: exclude results from files that are autogenerated
|
|
||||||
* @description Use this filter to return results only if they are
|
|
||||||
* located in files that are maintained manually.
|
|
||||||
* @kind treemap
|
|
||||||
* @id cpp/autogenerated-for-metric-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import semmle.code.cpp.AutogeneratedFile
|
|
||||||
import external.MetricFilter
|
|
||||||
|
|
||||||
from MetricResult res
|
|
||||||
where not res.getFile() instanceof AutogeneratedFile
|
|
||||||
select res, res.getValue()
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Filter: exclude results from files for which we do not have
|
|
||||||
* source code
|
|
||||||
* @description Use this filter to return results only if they are
|
|
||||||
* located in files for which we have source code.
|
|
||||||
* @kind problem
|
|
||||||
* @id cpp/from-source-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where res.getFile().fromSource()
|
|
||||||
select res, res.getMessage()
|
|
||||||
@@ -1,36 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Filter: exclude results on lines covered by a macro expansion
|
|
||||||
* @description Use this filter to return results only when there is no
|
|
||||||
* macro expansion whose location spans all the lines of
|
|
||||||
* the result's location.
|
|
||||||
* @kind problem
|
|
||||||
* @id cpp/macros-filter
|
|
||||||
* @tags filter
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import external.DefectFilter
|
|
||||||
|
|
||||||
predicate macroLocation(File f, int startLine, int endLine) {
|
|
||||||
exists(MacroInvocation mi, Location l |
|
|
||||||
l = mi.getLocation() and
|
|
||||||
l.getFile() = f and
|
|
||||||
l.getStartLine() = startLine and
|
|
||||||
l.getEndLine() = endLine
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate macroCovering(DefectResult r) {
|
|
||||||
exists(File f, int macroStart, int macroEnd, int defectStart, int defectEnd |
|
|
||||||
f = r.getFile() and
|
|
||||||
defectStart = r.getStartLine() and
|
|
||||||
defectEnd = r.getEndLine() and
|
|
||||||
macroLocation(f, macroStart, macroEnd) and
|
|
||||||
macroStart <= defectStart and
|
|
||||||
macroEnd >= defectEnd
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
from DefectResult res
|
|
||||||
where not macroCovering(res)
|
|
||||||
select res, res.getMessage()
|
|
||||||
@@ -91,16 +91,17 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
|
|||||||
// `e` is a call to a release function and `released` is the released argument
|
// `e` is a call to a release function and `released` is the released argument
|
||||||
releaseExpr(e, released, kind)
|
releaseExpr(e, released, kind)
|
||||||
or
|
or
|
||||||
exists(Function f, int arg |
|
exists(int arg, VariableAccess access, Function f |
|
||||||
// `e` is a call to a function that releases one of it's parameters,
|
// `e` is a call to a function that releases one of it's parameters,
|
||||||
// and `released` is the corresponding argument
|
// and `released` is the corresponding argument
|
||||||
(
|
(
|
||||||
e.(FunctionCall).getTarget() = f or
|
e.(FunctionCall).getTarget() = f or
|
||||||
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
|
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
|
||||||
) and
|
) and
|
||||||
|
access = f.getParameter(arg).getAnAccess() and
|
||||||
e.(FunctionCall).getArgument(arg) = released and
|
e.(FunctionCall).getArgument(arg) = released and
|
||||||
exprReleases(_,
|
exprReleases(_,
|
||||||
exprOrDereference(globalValueNumber(f.getParameter(arg).getAnAccess()).getAnExpr()), kind)
|
pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(Function f, ThisExpr innerThis |
|
exists(Function f, ThisExpr innerThis |
|
||||||
@@ -112,7 +113,7 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
|
|||||||
) and
|
) and
|
||||||
e.(FunctionCall).getQualifier() = exprOrDereference(released) and
|
e.(FunctionCall).getQualifier() = exprOrDereference(released) and
|
||||||
innerThis.getEnclosingFunction() = f and
|
innerThis.getEnclosingFunction() = f and
|
||||||
exprReleases(_, globalValueNumber(innerThis).getAnExpr(), kind)
|
exprReleases(_, pragma[only_bind_into](globalValueNumber(innerThis).getAnExpr()), kind)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -2,13 +2,16 @@ import cpp
|
|||||||
import semmle.code.cpp.security.Security
|
import semmle.code.cpp.security.Security
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow
|
private import semmle.code.cpp.ir.dataflow.DataFlow
|
||||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow2
|
|
||||||
private import semmle.code.cpp.ir.dataflow.DataFlow3
|
private import semmle.code.cpp.ir.dataflow.DataFlow3
|
||||||
private import semmle.code.cpp.ir.IR
|
private import semmle.code.cpp.ir.IR
|
||||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
|
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
|
||||||
private import semmle.code.cpp.controlflow.IRGuards
|
private import semmle.code.cpp.controlflow.IRGuards
|
||||||
private import semmle.code.cpp.models.interfaces.Taint
|
private import semmle.code.cpp.models.interfaces.Taint
|
||||||
private import semmle.code.cpp.models.interfaces.DataFlow
|
private import semmle.code.cpp.models.interfaces.DataFlow
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking2
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking3
|
||||||
|
private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A predictable instruction is one where an external user can predict
|
* A predictable instruction is one where an external user can predict
|
||||||
@@ -65,23 +68,19 @@ private DataFlow::Node getNodeForExpr(Expr node) {
|
|||||||
not argv(node.(VariableAccess).getTarget())
|
not argv(node.(VariableAccess).getTarget())
|
||||||
}
|
}
|
||||||
|
|
||||||
private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
|
private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
|
||||||
DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
|
DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
|
||||||
commonTaintStep(n1, n2)
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
|
private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
|
||||||
ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
|
ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
override predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
||||||
@@ -90,20 +89,18 @@ private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
|
|||||||
sink.asVariable() instanceof GlobalOrNamespaceVariable
|
sink.asVariable() instanceof GlobalOrNamespaceVariable
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
commonTaintStep(n1, n2)
|
|
||||||
or
|
|
||||||
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
||||||
or
|
or
|
||||||
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
|
override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
}
|
}
|
||||||
|
|
||||||
private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration {
|
private class FromGlobalVarTaintTrackingCfg extends TaintTracking2::Configuration {
|
||||||
FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
|
FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) {
|
override predicate isSource(DataFlow::Node source) {
|
||||||
@@ -114,18 +111,16 @@ private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration {
|
|||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
override predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
commonTaintStep(n1, n2)
|
|
||||||
or
|
|
||||||
// Additional step for flow out of variables. There is no flow _into_
|
// Additional step for flow out of variables. There is no flow _into_
|
||||||
// variables in this configuration, so this step only serves to take flow
|
// variables in this configuration, so this step only serves to take flow
|
||||||
// out of a variable that's a source.
|
// out of a variable that's a source.
|
||||||
readsVariable(n2.asInstruction(), n1.asVariable())
|
readsVariable(n2.asInstruction(), n1.asVariable())
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
|
override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate readsVariable(LoadInstruction load, Variable var) {
|
private predicate readsVariable(LoadInstruction load, Variable var) {
|
||||||
@@ -202,206 +197,26 @@ private predicate nodeIsBarrierIn(DataFlow::Node node) {
|
|||||||
// `getNodeForSource`.
|
// `getNodeForSource`.
|
||||||
node = DataFlow::definitionByReferenceNodeFromArgument(source)
|
node = DataFlow::definitionByReferenceNodeFromArgument(source)
|
||||||
)
|
)
|
||||||
}
|
|
||||||
|
|
||||||
cached
|
|
||||||
private predicate commonTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
|
|
||||||
operandToInstructionTaintStep(fromNode.asOperand(), toNode.asInstruction())
|
|
||||||
or
|
or
|
||||||
instructionToOperandTaintStep(fromNode.asInstruction(), toNode.asOperand())
|
// don't use dataflow into binary instructions if both operands are unpredictable
|
||||||
}
|
exists(BinaryInstruction iTo |
|
||||||
|
iTo = node.asInstruction() and
|
||||||
private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) {
|
not predictableInstruction(iTo.getLeft()) and
|
||||||
// Propagate flow from the definition of an operand to the operand, even when the overlap is inexact.
|
not predictableInstruction(iTo.getRight()) and
|
||||||
// We only do this in certain cases:
|
// propagate taint from either the pointer or the offset, regardless of predictability
|
||||||
// 1. The instruction's result must not be conflated, and
|
not iTo instanceof PointerArithmeticInstruction
|
||||||
// 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
|
|
||||||
// this is array types and union types. This matches the other two cases of element-to-object flow in
|
|
||||||
// `DefaultTaintTracking`.
|
|
||||||
toOperand.getAnyDef() = fromInstr and
|
|
||||||
not fromInstr.isResultConflated() and
|
|
||||||
(
|
|
||||||
fromInstr.getResultType() instanceof ArrayType or
|
|
||||||
fromInstr.getResultType() instanceof Union
|
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(ReadSideEffectInstruction readInstr |
|
// don't use dataflow through calls to pure functions if two or more operands
|
||||||
fromInstr = readInstr.getArgumentDef() and
|
// are unpredictable
|
||||||
toOperand = readInstr.getSideEffectOperand()
|
exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
|
||||||
)
|
iTo = node.asInstruction() and
|
||||||
}
|
isPureFunction(iTo.getStaticCallTarget().getName()) and
|
||||||
|
iFrom1 = iTo.getAnArgument() and
|
||||||
private predicate operandToInstructionTaintStep(Operand fromOperand, Instruction toInstr) {
|
iFrom2 = iTo.getAnArgument() and
|
||||||
// Expressions computed from tainted data are also tainted
|
not predictableInstruction(iFrom1) and
|
||||||
exists(CallInstruction call, int argIndex | call = toInstr |
|
not predictableInstruction(iFrom2) and
|
||||||
isPureFunction(call.getStaticCallTarget().getName()) and
|
iFrom1 != iFrom2
|
||||||
fromOperand = getACallArgumentOrIndirection(call, argIndex) and
|
|
||||||
forall(Operand argOperand | argOperand = call.getAnArgumentOperand() |
|
|
||||||
argOperand = getACallArgumentOrIndirection(call, argIndex) or
|
|
||||||
predictableInstruction(argOperand.getAnyDef())
|
|
||||||
) and
|
|
||||||
// flow through `strlen` tends to cause dubious results, if the length is
|
|
||||||
// bounded.
|
|
||||||
not call.getStaticCallTarget().getName() = "strlen"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow from argument to return value
|
|
||||||
toInstr =
|
|
||||||
any(CallInstruction call |
|
|
||||||
exists(int indexIn |
|
|
||||||
modelTaintToReturnValue(call.getStaticCallTarget(), indexIn) and
|
|
||||||
fromOperand = getACallArgumentOrIndirection(call, indexIn) and
|
|
||||||
not predictableOnlyFlow(call.getStaticCallTarget().getName())
|
|
||||||
)
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow from input argument to output argument
|
|
||||||
// TODO: This won't work in practice as long as all aliased memory is tracked
|
|
||||||
// together in a single virtual variable.
|
|
||||||
// TODO: Will this work on the test for `TaintedPath.ql`, where the output arg
|
|
||||||
// is a pointer addition expression?
|
|
||||||
toInstr =
|
|
||||||
any(WriteSideEffectInstruction outInstr |
|
|
||||||
exists(CallInstruction call, int indexIn, int indexOut |
|
|
||||||
modelTaintToParameter(call.getStaticCallTarget(), indexIn, indexOut) and
|
|
||||||
fromOperand = getACallArgumentOrIndirection(call, indexIn) and
|
|
||||||
outInstr.getIndex() = indexOut and
|
|
||||||
outInstr.getPrimaryInstruction() = call
|
|
||||||
)
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow through pointer dereference
|
|
||||||
toInstr.(LoadInstruction).getSourceAddressOperand() = fromOperand
|
|
||||||
or
|
|
||||||
// Flow through partial reads of arrays and unions
|
|
||||||
toInstr.(LoadInstruction).getSourceValueOperand() = fromOperand and
|
|
||||||
exists(Instruction fromInstr | fromInstr = fromOperand.getAnyDef() |
|
|
||||||
not fromInstr.isResultConflated() and
|
|
||||||
(
|
|
||||||
fromInstr.getResultType() instanceof ArrayType or
|
|
||||||
fromInstr.getResultType() instanceof Union
|
|
||||||
)
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Unary instructions tend to preserve enough information in practice that we
|
|
||||||
// want taint to flow through.
|
|
||||||
// The exception is `FieldAddressInstruction`. Together with the rule for
|
|
||||||
// `LoadInstruction` above and for `ChiInstruction` below, flow through
|
|
||||||
// `FieldAddressInstruction` could cause flow into one field to come out an
|
|
||||||
// unrelated field. This would happen across function boundaries, where the IR
|
|
||||||
// would not be able to match loads to stores.
|
|
||||||
toInstr.(UnaryInstruction).getUnaryOperand() = fromOperand and
|
|
||||||
(
|
|
||||||
not toInstr instanceof FieldAddressInstruction
|
|
||||||
or
|
|
||||||
toInstr.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow from an element to an array or union that contains it.
|
|
||||||
toInstr.(ChiInstruction).getPartialOperand() = fromOperand and
|
|
||||||
not toInstr.isResultConflated() and
|
|
||||||
exists(Type t | toInstr.getResultLanguageType().hasType(t, false) |
|
|
||||||
t instanceof Union
|
|
||||||
or
|
|
||||||
t instanceof ArrayType
|
|
||||||
)
|
|
||||||
or
|
|
||||||
exists(BinaryInstruction bin |
|
|
||||||
bin = toInstr and
|
|
||||||
predictableInstruction(toInstr.getAnOperand().getDef()) and
|
|
||||||
fromOperand = toInstr.getAnOperand()
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// This is part of the translation of `a[i]`, where we want taint to flow
|
|
||||||
// from `a`.
|
|
||||||
toInstr.(PointerAddInstruction).getLeftOperand() = fromOperand
|
|
||||||
or
|
|
||||||
// Until we have flow through indirections across calls, we'll take flow out
|
|
||||||
// of the indirection and into the argument.
|
|
||||||
// When we get proper flow through indirections across calls, this code can be
|
|
||||||
// moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
|
|
||||||
exists(ReadSideEffectInstruction read |
|
|
||||||
read.getSideEffectOperand() = fromOperand and
|
|
||||||
read.getArgumentDef() = toInstr
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Until we have from through indirections across calls, we'll take flow out
|
|
||||||
// of the parameter and into its indirection.
|
|
||||||
// `InitializeIndirectionInstruction` only has a single operand: the address of the
|
|
||||||
// value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
|
|
||||||
// the IR looks like this:
|
|
||||||
// ```
|
|
||||||
// m1 = InitializeParameter[p] : &r1
|
|
||||||
// r2 = Load[p] : r2, m1
|
|
||||||
// m3 = InitializeIndirection[p] : &r2
|
|
||||||
// ```
|
|
||||||
// So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
|
|
||||||
// `LoadOperand`'s overlap being exact.
|
|
||||||
toInstr.(InitializeIndirectionInstruction).getAnOperand() = fromOperand
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Returns the index of the side effect instruction corresponding to the specified function output,
|
|
||||||
* if one exists.
|
|
||||||
*/
|
|
||||||
private int getWriteSideEffectIndex(FunctionOutput output) {
|
|
||||||
output.isParameterDeref(result)
|
|
||||||
or
|
|
||||||
output.isQualifierObject() and result = -1
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Get an operand that goes into argument `argumentIndex` of `call`. This
|
|
||||||
* can be either directly or through one pointer indirection.
|
|
||||||
*/
|
|
||||||
private Operand getACallArgumentOrIndirection(CallInstruction call, int argumentIndex) {
|
|
||||||
result = call.getPositionalArgumentOperand(argumentIndex)
|
|
||||||
or
|
|
||||||
exists(ReadSideEffectInstruction readSE |
|
|
||||||
// TODO: why are read side effect operands imprecise?
|
|
||||||
result = readSE.getSideEffectOperand() and
|
|
||||||
readSE.getPrimaryInstruction() = call and
|
|
||||||
readSE.getIndex() = argumentIndex
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate modelTaintToParameter(Function f, int parameterIn, int parameterOut) {
|
|
||||||
exists(FunctionInput modelIn, FunctionOutput modelOut |
|
|
||||||
(
|
|
||||||
f.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
|
|
||||||
or
|
|
||||||
f.(TaintFunction).hasTaintFlow(modelIn, modelOut)
|
|
||||||
) and
|
|
||||||
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
|
|
||||||
parameterOut = getWriteSideEffectIndex(modelOut)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate modelTaintToReturnValue(Function f, int parameterIn) {
|
|
||||||
// Taint flow from parameter to return value
|
|
||||||
exists(FunctionInput modelIn, FunctionOutput modelOut |
|
|
||||||
f.(TaintFunction).hasTaintFlow(modelIn, modelOut) and
|
|
||||||
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
|
|
||||||
(modelOut.isReturnValue() or modelOut.isReturnValueDeref())
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Data flow (not taint flow) to where the return value points. For the time
|
|
||||||
// being we will conflate pointers and objects in taint tracking.
|
|
||||||
exists(FunctionInput modelIn, FunctionOutput modelOut |
|
|
||||||
f.(DataFlowFunction).hasDataFlow(modelIn, modelOut) and
|
|
||||||
(modelIn.isParameter(parameterIn) or modelIn.isParameterDeref(parameterIn)) and
|
|
||||||
modelOut.isReturnValueDeref()
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Taint flow from one argument to another and data flow from an argument to a
|
|
||||||
// return value. This happens in functions like `strcat` and `memcpy`. We
|
|
||||||
// could model this flow in two separate steps, but that would add reverse
|
|
||||||
// flow from the write side-effect to the call instruction, which may not be
|
|
||||||
// desirable.
|
|
||||||
exists(int parameterMid, InParameter modelMid, OutReturnValue returnOut |
|
|
||||||
modelTaintToParameter(f, parameterIn, parameterMid) and
|
|
||||||
modelMid.isParameter(parameterMid) and
|
|
||||||
f.(DataFlowFunction).hasDataFlow(modelMid, returnOut)
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -440,6 +255,14 @@ private Element adjustedSink(DataFlow::Node sink) {
|
|||||||
or
|
or
|
||||||
// Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
|
// Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
|
||||||
result.(AssignOperation).getAnOperand() = sink.asExpr()
|
result.(AssignOperation).getAnOperand() = sink.asExpr()
|
||||||
|
or
|
||||||
|
result =
|
||||||
|
sink.asOperand()
|
||||||
|
.(SideEffectOperand)
|
||||||
|
.getUse()
|
||||||
|
.(ReadSideEffectInstruction)
|
||||||
|
.getArgumentDef()
|
||||||
|
.getUnconvertedResultExpression()
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -558,7 +381,7 @@ module TaintedWithPath {
|
|||||||
string toString() { result = "TaintTrackingConfiguration" }
|
string toString() { result = "TaintTrackingConfiguration" }
|
||||||
}
|
}
|
||||||
|
|
||||||
private class AdjustedConfiguration extends DataFlow3::Configuration {
|
private class AdjustedConfiguration extends TaintTracking3::Configuration {
|
||||||
AdjustedConfiguration() { this = "AdjustedConfiguration" }
|
AdjustedConfiguration() { this = "AdjustedConfiguration" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) {
|
override predicate isSource(DataFlow::Node source) {
|
||||||
@@ -571,21 +394,34 @@ module TaintedWithPath {
|
|||||||
exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
|
exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
commonTaintStep(n1, n2)
|
// Steps into and out of global variables
|
||||||
or
|
|
||||||
exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
|
exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
|
||||||
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
|
||||||
or
|
or
|
||||||
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Step to return value of a modeled function when an input taints the
|
||||||
|
// dereference of the return value
|
||||||
|
exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
|
||||||
|
n1.asOperand() = callInput(call, modelIn) and
|
||||||
|
(
|
||||||
|
func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
|
||||||
|
or
|
||||||
|
func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
|
||||||
|
) and
|
||||||
|
call.getStaticCallTarget() = func and
|
||||||
|
modelOut.isReturnValueDeref() and
|
||||||
|
call = n2.asInstruction()
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrier(DataFlow::Node node) {
|
override predicate isSanitizer(DataFlow::Node node) {
|
||||||
exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
|
exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
15
cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking3.qll
Normal file
15
cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking3.qll
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
/**
|
||||||
|
* Provides a `TaintTracking3` module, which is a copy of the `TaintTracking`
|
||||||
|
* module. Use this class when data-flow configurations or taint-tracking
|
||||||
|
* configurations must depend on each other. Two classes extending
|
||||||
|
* `DataFlow::Configuration` should never depend on each other, but one of them
|
||||||
|
* should instead depend on a `DataFlow2::Configuration`, a
|
||||||
|
* `DataFlow3::Configuration`, or a `DataFlow4::Configuration`. The
|
||||||
|
* `TaintTracking::Configuration` class extends `DataFlow::Configuration`, and
|
||||||
|
* `TaintTracking2::Configuration` extends `DataFlow2::Configuration`.
|
||||||
|
*
|
||||||
|
* See `semmle.code.cpp.ir.dataflow.TaintTracking` for the full documentation.
|
||||||
|
*/
|
||||||
|
module TaintTracking3 {
|
||||||
|
import semmle.code.cpp.ir.dataflow.internal.tainttracking3.TaintTrackingImpl
|
||||||
|
}
|
||||||
@@ -9,30 +9,18 @@ private import semmle.code.cpp.ir.dataflow.DataFlow
|
|||||||
/**
|
/**
|
||||||
* Gets the instruction that goes into `input` for `call`.
|
* Gets the instruction that goes into `input` for `call`.
|
||||||
*/
|
*/
|
||||||
DataFlow::Node callInput(CallInstruction call, FunctionInput input) {
|
Operand callInput(CallInstruction call, FunctionInput input) {
|
||||||
// A positional argument
|
// An argument or qualifier
|
||||||
exists(int index |
|
exists(int index |
|
||||||
result.asInstruction() = call.getPositionalArgument(index) and
|
result = call.getArgumentOperand(index) and
|
||||||
input.isParameter(index)
|
input.isParameterOrQualifierAddress(index)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
// A value pointed to by a positional argument
|
// A value pointed to by an argument or qualifier
|
||||||
exists(ReadSideEffectInstruction read |
|
exists(ReadSideEffectInstruction read |
|
||||||
result.asOperand() = read.getSideEffectOperand() and
|
result = read.getSideEffectOperand() and
|
||||||
read.getPrimaryInstruction() = call and
|
read.getPrimaryInstruction() = call and
|
||||||
input.isParameterDeref(read.getIndex())
|
input.isParameterDerefOrQualifierObject(read.getIndex())
|
||||||
)
|
|
||||||
or
|
|
||||||
// The qualifier pointer
|
|
||||||
result.asInstruction() = call.getThisArgument() and
|
|
||||||
input.isQualifierAddress()
|
|
||||||
or
|
|
||||||
// The qualifier object
|
|
||||||
exists(ReadSideEffectInstruction read |
|
|
||||||
result.asOperand() = read.getSideEffectOperand() and
|
|
||||||
read.getPrimaryInstruction() = call and
|
|
||||||
read.getIndex() = -1 and
|
|
||||||
input.isQualifierObject()
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -44,19 +32,11 @@ Instruction callOutput(CallInstruction call, FunctionOutput output) {
|
|||||||
result = call and
|
result = call and
|
||||||
output.isReturnValue()
|
output.isReturnValue()
|
||||||
or
|
or
|
||||||
// The side effect of a call on the value pointed to by a positional argument
|
// The side effect of a call on the value pointed to by an argument or qualifier
|
||||||
exists(WriteSideEffectInstruction effect |
|
exists(WriteSideEffectInstruction effect |
|
||||||
result = effect and
|
result = effect and
|
||||||
effect.getPrimaryInstruction() = call and
|
effect.getPrimaryInstruction() = call and
|
||||||
output.isParameterDeref(effect.getIndex())
|
output.isParameterDerefOrQualifierObject(effect.getIndex())
|
||||||
)
|
|
||||||
or
|
|
||||||
// The side effect of a call on the qualifier object
|
|
||||||
exists(WriteSideEffectInstruction effect |
|
|
||||||
result = effect and
|
|
||||||
effect.getPrimaryInstruction() = call and
|
|
||||||
effect.getIndex() = -1 and
|
|
||||||
output.isQualifierObject()
|
|
||||||
)
|
)
|
||||||
// TODO: return value dereference
|
// TODO: return value dereference
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -21,53 +21,104 @@ predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
|||||||
*/
|
*/
|
||||||
cached
|
cached
|
||||||
predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||||
localInstructionTaintStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
|
operandToInstructionTaintStep(nodeFrom.asOperand(), nodeTo.asInstruction())
|
||||||
or
|
or
|
||||||
modeledTaintStep(nodeFrom, nodeTo)
|
instructionToOperandTaintStep(nodeFrom.asInstruction(), nodeTo.asOperand())
|
||||||
|
}
|
||||||
|
|
||||||
|
private predicate instructionToOperandTaintStep(Instruction fromInstr, Operand toOperand) {
|
||||||
|
// Propagate flow from the definition of an operand to the operand, even when the overlap is inexact.
|
||||||
|
// We only do this in certain cases:
|
||||||
|
// 1. The instruction's result must not be conflated, and
|
||||||
|
// 2. The instruction's result type is one the types where we expect element-to-object flow. Currently
|
||||||
|
// this is array types and union types. This matches the other two cases of element-to-object flow in
|
||||||
|
// `DefaultTaintTracking`.
|
||||||
|
toOperand.getAnyDef() = fromInstr and
|
||||||
|
not fromInstr.isResultConflated() and
|
||||||
|
(
|
||||||
|
fromInstr.getResultType() instanceof ArrayType or
|
||||||
|
fromInstr.getResultType() instanceof Union
|
||||||
|
)
|
||||||
|
or
|
||||||
|
exists(ReadSideEffectInstruction readInstr |
|
||||||
|
fromInstr = readInstr.getArgumentDef() and
|
||||||
|
toOperand = readInstr.getSideEffectOperand()
|
||||||
|
)
|
||||||
|
or
|
||||||
|
toOperand.(LoadOperand).getAnyDef() = fromInstr
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
|
* Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
|
||||||
* (intra-procedural) step.
|
* (intra-procedural) step.
|
||||||
*/
|
*/
|
||||||
private predicate localInstructionTaintStep(Instruction nodeFrom, Instruction nodeTo) {
|
private predicate operandToInstructionTaintStep(Operand opFrom, Instruction instrTo) {
|
||||||
// Taint can flow through expressions that alter the value but preserve
|
// Taint can flow through expressions that alter the value but preserve
|
||||||
// more than one bit of it _or_ expressions that follow data through
|
// more than one bit of it _or_ expressions that follow data through
|
||||||
// pointer indirections.
|
// pointer indirections.
|
||||||
nodeTo.getAnOperand().getAnyDef() = nodeFrom and
|
instrTo.getAnOperand() = opFrom and
|
||||||
(
|
(
|
||||||
nodeTo instanceof ArithmeticInstruction
|
instrTo instanceof ArithmeticInstruction
|
||||||
or
|
or
|
||||||
nodeTo instanceof BitwiseInstruction
|
instrTo instanceof BitwiseInstruction
|
||||||
or
|
or
|
||||||
nodeTo instanceof PointerArithmeticInstruction
|
instrTo instanceof PointerArithmeticInstruction
|
||||||
or
|
|
||||||
nodeTo instanceof FieldAddressInstruction
|
|
||||||
or
|
or
|
||||||
// The `CopyInstruction` case is also present in non-taint data flow, but
|
// The `CopyInstruction` case is also present in non-taint data flow, but
|
||||||
// that uses `getDef` rather than `getAnyDef`. For taint, we want flow
|
// that uses `getDef` rather than `getAnyDef`. For taint, we want flow
|
||||||
// from a definition of `myStruct` to a `myStruct.myField` expression.
|
// from a definition of `myStruct` to a `myStruct.myField` expression.
|
||||||
nodeTo instanceof CopyInstruction
|
instrTo instanceof CopyInstruction
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
nodeTo.(LoadInstruction).getSourceAddress() = nodeFrom
|
// Unary instructions tend to preserve enough information in practice that we
|
||||||
or
|
// want taint to flow through.
|
||||||
// Flow through partial reads of arrays and unions
|
// The exception is `FieldAddressInstruction`. Together with the rules below for
|
||||||
nodeTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = nodeFrom and
|
// `LoadInstruction`s and `ChiInstruction`s, flow through `FieldAddressInstruction`
|
||||||
not nodeFrom.isResultConflated() and
|
// could cause flow into one field to come out an unrelated field.
|
||||||
|
// This would happen across function boundaries, where the IR would not be able to
|
||||||
|
// match loads to stores.
|
||||||
|
instrTo.(UnaryInstruction).getUnaryOperand() = opFrom and
|
||||||
(
|
(
|
||||||
nodeFrom.getResultType() instanceof ArrayType or
|
not instrTo instanceof FieldAddressInstruction
|
||||||
nodeFrom.getResultType() instanceof Union
|
or
|
||||||
|
instrTo.(FieldAddressInstruction).getField().getDeclaringType() instanceof Union
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
|
instrTo.(LoadInstruction).getSourceAddressOperand() = opFrom
|
||||||
|
or
|
||||||
// Flow from an element to an array or union that contains it.
|
// Flow from an element to an array or union that contains it.
|
||||||
nodeTo.(ChiInstruction).getPartial() = nodeFrom and
|
instrTo.(ChiInstruction).getPartialOperand() = opFrom and
|
||||||
not nodeTo.isResultConflated() and
|
not instrTo.isResultConflated() and
|
||||||
exists(Type t | nodeTo.getResultLanguageType().hasType(t, false) |
|
exists(Type t | instrTo.getResultLanguageType().hasType(t, false) |
|
||||||
t instanceof Union
|
t instanceof Union
|
||||||
or
|
or
|
||||||
t instanceof ArrayType
|
t instanceof ArrayType
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Until we have flow through indirections across calls, we'll take flow out
|
||||||
|
// of the indirection and into the argument.
|
||||||
|
// When we get proper flow through indirections across calls, this code can be
|
||||||
|
// moved to `adjusedSink` or possibly into the `DataFlow::ExprNode` class.
|
||||||
|
exists(ReadSideEffectInstruction read |
|
||||||
|
read.getSideEffectOperand() = opFrom and
|
||||||
|
read.getArgumentDef() = instrTo
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Until we have from through indirections across calls, we'll take flow out
|
||||||
|
// of the parameter and into its indirection.
|
||||||
|
// `InitializeIndirectionInstruction` only has a single operand: the address of the
|
||||||
|
// value whose indirection we are initializing. When initializing an indirection of a parameter `p`,
|
||||||
|
// the IR looks like this:
|
||||||
|
// ```
|
||||||
|
// m1 = InitializeParameter[p] : &r1
|
||||||
|
// r2 = Load[p] : r2, m1
|
||||||
|
// m3 = InitializeIndirection[p] : &r2
|
||||||
|
// ```
|
||||||
|
// So by having flow from `r2` to `m3` we're enabling flow from `m1` to `m3`. This relies on the
|
||||||
|
// `LoadOperand`'s overlap being exact.
|
||||||
|
instrTo.(InitializeIndirectionInstruction).getAnOperand() = opFrom
|
||||||
|
or
|
||||||
|
modeledTaintStep(opFrom, instrTo)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -110,17 +161,19 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
|
|||||||
* Holds if taint can flow from `instrIn` to `instrOut` through a call to a
|
* Holds if taint can flow from `instrIn` to `instrOut` through a call to a
|
||||||
* modeled function.
|
* modeled function.
|
||||||
*/
|
*/
|
||||||
predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
|
predicate modeledTaintStep(Operand nodeIn, Instruction nodeOut) {
|
||||||
exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
|
exists(CallInstruction call, TaintFunction func, FunctionInput modelIn, FunctionOutput modelOut |
|
||||||
(
|
(
|
||||||
nodeIn = callInput(call, modelIn)
|
nodeIn = callInput(call, modelIn)
|
||||||
or
|
or
|
||||||
exists(int n |
|
exists(int n |
|
||||||
modelIn.isParameterDeref(n) and
|
modelIn.isParameterDerefOrQualifierObject(n) and
|
||||||
nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
|
if n = -1
|
||||||
|
then nodeIn = callInput(call, any(InQualifierObject inQualifier))
|
||||||
|
else nodeIn = callInput(call, any(InParameter inParam | inParam.getIndex() = n))
|
||||||
)
|
)
|
||||||
) and
|
) and
|
||||||
nodeOut.asInstruction() = callOutput(call, modelOut) and
|
nodeOut = callOutput(call, modelOut) and
|
||||||
call.getStaticCallTarget() = func and
|
call.getStaticCallTarget() = func and
|
||||||
func.hasTaintFlow(modelIn, modelOut)
|
func.hasTaintFlow(modelIn, modelOut)
|
||||||
)
|
)
|
||||||
@@ -135,11 +188,29 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
|
|||||||
int indexMid, InParameter modelMidIn, OutReturnValue modelOut
|
int indexMid, InParameter modelMidIn, OutReturnValue modelOut
|
||||||
|
|
|
|
||||||
nodeIn = callInput(call, modelIn) and
|
nodeIn = callInput(call, modelIn) and
|
||||||
nodeOut.asInstruction() = callOutput(call, modelOut) and
|
nodeOut = callOutput(call, modelOut) and
|
||||||
call.getStaticCallTarget() = func and
|
call.getStaticCallTarget() = func and
|
||||||
func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and
|
func.(TaintFunction).hasTaintFlow(modelIn, modelMidOut) and
|
||||||
func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and
|
func.(DataFlowFunction).hasDataFlow(modelMidIn, modelOut) and
|
||||||
modelMidOut.isParameterDeref(indexMid) and
|
modelMidOut.isParameterDeref(indexMid) and
|
||||||
modelMidIn.isParameter(indexMid)
|
modelMidIn.isParameter(indexMid)
|
||||||
)
|
)
|
||||||
|
or
|
||||||
|
// Taint flow from a pointer argument to an output, when the model specifies flow from the deref
|
||||||
|
// to that output, but the deref is not modeled in the IR for the caller.
|
||||||
|
exists(
|
||||||
|
CallInstruction call, ReadSideEffectInstruction read, Function func, FunctionInput modelIn,
|
||||||
|
FunctionOutput modelOut
|
||||||
|
|
|
||||||
|
read.getSideEffectOperand() = callInput(call, modelIn) and
|
||||||
|
read.getArgumentDef() = nodeIn.getDef() and
|
||||||
|
not read.getSideEffect().isResultModeled() and
|
||||||
|
call.getStaticCallTarget() = func and
|
||||||
|
(
|
||||||
|
func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
|
||||||
|
or
|
||||||
|
func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
|
||||||
|
) and
|
||||||
|
nodeOut = callOutput(call, modelOut)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,115 @@
|
|||||||
|
/**
|
||||||
|
* Provides an implementation of global (interprocedural) taint tracking.
|
||||||
|
* This file re-exports the local (intraprocedural) taint-tracking analysis
|
||||||
|
* from `TaintTrackingParameter::Public` and adds a global analysis, mainly
|
||||||
|
* exposed through the `Configuration` class. For some languages, this file
|
||||||
|
* exists in several identical copies, allowing queries to use multiple
|
||||||
|
* `Configuration` classes that depend on each other without introducing
|
||||||
|
* mutual recursion among those configurations.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import TaintTrackingParameter::Public
|
||||||
|
private import TaintTrackingParameter::Private
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A configuration of interprocedural taint tracking analysis. This defines
|
||||||
|
* sources, sinks, and any other configurable aspect of the analysis. Each
|
||||||
|
* use of the taint tracking library must define its own unique extension of
|
||||||
|
* this abstract class.
|
||||||
|
*
|
||||||
|
* A taint-tracking configuration is a special data flow configuration
|
||||||
|
* (`DataFlow::Configuration`) that allows for flow through nodes that do not
|
||||||
|
* necessarily preserve values but are still relevant from a taint tracking
|
||||||
|
* perspective. (For example, string concatenation, where one of the operands
|
||||||
|
* is tainted.)
|
||||||
|
*
|
||||||
|
* To create a configuration, extend this class with a subclass whose
|
||||||
|
* characteristic predicate is a unique singleton string. For example, write
|
||||||
|
*
|
||||||
|
* ```ql
|
||||||
|
* class MyAnalysisConfiguration extends TaintTracking::Configuration {
|
||||||
|
* MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
|
||||||
|
* // Override `isSource` and `isSink`.
|
||||||
|
* // Optionally override `isSanitizer`.
|
||||||
|
* // Optionally override `isSanitizerIn`.
|
||||||
|
* // Optionally override `isSanitizerOut`.
|
||||||
|
* // Optionally override `isSanitizerGuard`.
|
||||||
|
* // Optionally override `isAdditionalTaintStep`.
|
||||||
|
* }
|
||||||
|
* ```
|
||||||
|
*
|
||||||
|
* Then, to query whether there is flow between some `source` and `sink`,
|
||||||
|
* write
|
||||||
|
*
|
||||||
|
* ```ql
|
||||||
|
* exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
|
||||||
|
* ```
|
||||||
|
*
|
||||||
|
* Multiple configurations can coexist, but it is unsupported to depend on
|
||||||
|
* another `TaintTracking::Configuration` or a `DataFlow::Configuration` in the
|
||||||
|
* overridden predicates that define sources, sinks, or additional steps.
|
||||||
|
* Instead, the dependency should go to a `TaintTracking2::Configuration` or a
|
||||||
|
* `DataFlow2::Configuration`, `DataFlow3::Configuration`, etc.
|
||||||
|
*/
|
||||||
|
abstract class Configuration extends DataFlow::Configuration {
|
||||||
|
bindingset[this]
|
||||||
|
Configuration() { any() }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if `source` is a relevant taint source.
|
||||||
|
*
|
||||||
|
* The smaller this predicate is, the faster `hasFlow()` will converge.
|
||||||
|
*/
|
||||||
|
// overridden to provide taint-tracking specific qldoc
|
||||||
|
abstract override predicate isSource(DataFlow::Node source);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if `sink` is a relevant taint sink.
|
||||||
|
*
|
||||||
|
* The smaller this predicate is, the faster `hasFlow()` will converge.
|
||||||
|
*/
|
||||||
|
// overridden to provide taint-tracking specific qldoc
|
||||||
|
abstract override predicate isSink(DataFlow::Node sink);
|
||||||
|
|
||||||
|
/** Holds if the node `node` is a taint sanitizer. */
|
||||||
|
predicate isSanitizer(DataFlow::Node node) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrier(DataFlow::Node node) {
|
||||||
|
isSanitizer(node) or
|
||||||
|
defaultTaintSanitizer(node)
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Holds if taint propagation into `node` is prohibited. */
|
||||||
|
predicate isSanitizerIn(DataFlow::Node node) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
|
||||||
|
|
||||||
|
/** Holds if taint propagation out of `node` is prohibited. */
|
||||||
|
predicate isSanitizerOut(DataFlow::Node node) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
|
||||||
|
|
||||||
|
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
|
||||||
|
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
|
||||||
|
|
||||||
|
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if the additional taint propagation step from `node1` to `node2`
|
||||||
|
* must be taken into account in the analysis.
|
||||||
|
*/
|
||||||
|
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
|
||||||
|
|
||||||
|
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||||
|
isAdditionalTaintStep(node1, node2) or
|
||||||
|
defaultAdditionalTaintStep(node1, node2)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if taint may flow from `source` to `sink` for this configuration.
|
||||||
|
*/
|
||||||
|
// overridden to provide taint-tracking specific qldoc
|
||||||
|
override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
|
||||||
|
super.hasFlow(source, sink)
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
import semmle.code.cpp.ir.dataflow.internal.TaintTrackingUtil as Public
|
||||||
|
|
||||||
|
module Private {
|
||||||
|
import semmle.code.cpp.ir.dataflow.DataFlow3::DataFlow3 as DataFlow
|
||||||
|
}
|
||||||
@@ -15,9 +15,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
|
|||||||
private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
|
private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
|
||||||
Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
|
Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
|
||||||
|
|
||||||
override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
|
override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 1 }
|
||||||
bufParam = 1 and countParam = 2
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate hasArrayInput(int bufParam) { bufParam = 1 }
|
override predicate hasArrayInput(int bufParam) { bufParam = 1 }
|
||||||
|
|
||||||
@@ -46,8 +44,8 @@ private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEf
|
|||||||
i = 1 and buffer = false
|
i = 1 and buffer = false
|
||||||
}
|
}
|
||||||
|
|
||||||
override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
|
// NOTE: The size parameter is a pointer to the size. So we can't implement `getParameterSizeIndex` for
|
||||||
|
// this model.
|
||||||
// NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
|
// NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
|
||||||
// the structure pointed to by the file-descriptor argument.
|
// the structure pointed to by the file-descriptor argument.
|
||||||
override predicate hasOnlySpecificReadSideEffects() { none() }
|
override predicate hasOnlySpecificReadSideEffects() { none() }
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
||||||
|
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
predicate isSink(Element sink) {
|
predicate isSink(Element sink) {
|
||||||
@@ -17,7 +18,13 @@ predicate isSink(Element sink) {
|
|||||||
|
|
||||||
predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
|
predicate astTaint(Expr source, Element sink) { ASTTaintTracking::tainted(source, sink) }
|
||||||
|
|
||||||
predicate irTaint(Expr source, Element sink) { IRDefaultTaintTracking::tainted(source, sink) }
|
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { any() }
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate irTaint(Expr source, Element sink) {
|
||||||
|
TaintedWithPath::taintedWithPath(source, sink, _, _)
|
||||||
|
}
|
||||||
|
|
||||||
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||||
IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
|
IRDefaultTaintTrackingTest() { this = "IRDefaultTaintTrackingTest" }
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ int main() {
|
|||||||
|
|
||||||
char untainted_buf[100] = "";
|
char untainted_buf[100] = "";
|
||||||
char buf[100] = "VAR = ";
|
char buf[100] = "VAR = ";
|
||||||
sink(strcat(buf, getenv("VAR"))); // $ ast,ir
|
sink(strcat(buf, getenv("VAR"))); // $ ast MISSING: ir
|
||||||
|
|
||||||
sink(buf); // $ ast,ir
|
sink(buf); // $ ast,ir
|
||||||
sink(untainted_buf); // the two buffers would be conflated if we added flow through all partial chi inputs
|
sink(untainted_buf); // the two buffers would be conflated if we added flow through all partial chi inputs
|
||||||
@@ -250,12 +250,12 @@ void sink(iovec);
|
|||||||
int test_readv_and_writev(iovec* iovs) {
|
int test_readv_and_writev(iovec* iovs) {
|
||||||
readv(0, iovs, 16);
|
readv(0, iovs, 16);
|
||||||
sink(iovs); // $ast,ir
|
sink(iovs); // $ast,ir
|
||||||
sink(iovs[0]); // $ast MISSING: ir
|
sink(iovs[0]); // $ast,ir
|
||||||
sink(*iovs); // $ast MISSING: ir
|
sink(*iovs); // $ast,ir
|
||||||
|
|
||||||
char* p = (char*)iovs[1].iov_base;
|
char* p = (char*)iovs[1].iov_base;
|
||||||
sink(p); // $ MISSING: ast,ir
|
sink(p); // $ ir MISSING: ast
|
||||||
sink(*p); // $ MISSING: ast,ir
|
sink(*p); // $ ir MISSING: ast
|
||||||
|
|
||||||
writev(0, iovs, 16); // $ remote
|
writev(0, iovs, 16); // $ remote
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -73,7 +73,7 @@ void test_string()
|
|||||||
sink(b); // clean
|
sink(b); // clean
|
||||||
sink(c); // $ ir MISSING: ast
|
sink(c); // $ ir MISSING: ast
|
||||||
sink(b.c_str()); // clean
|
sink(b.c_str()); // clean
|
||||||
sink(c.c_str()); // $ MISSING: ast,ir
|
sink(c.c_str()); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_stringstream()
|
void test_stringstream()
|
||||||
@@ -93,10 +93,10 @@ void test_stringstream()
|
|||||||
sink(ss4); // $ ir MISSING: ast
|
sink(ss4); // $ ir MISSING: ast
|
||||||
sink(ss5); // $ ir MISSING: ast
|
sink(ss5); // $ ir MISSING: ast
|
||||||
sink(ss1.str());
|
sink(ss1.str());
|
||||||
sink(ss2.str()); // $ MISSING: ast,ir
|
sink(ss2.str()); // $ ir MISSING: ast
|
||||||
sink(ss3.str()); // $ MISSING: ast,ir
|
sink(ss3.str()); // $ MISSING: ast,ir
|
||||||
sink(ss4.str()); // $ MISSING: ast,ir
|
sink(ss4.str()); // $ ir MISSING: ast
|
||||||
sink(ss5.str()); // $ MISSING: ast,ir
|
sink(ss5.str()); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_stringstream_int(int source)
|
void test_stringstream_int(int source)
|
||||||
@@ -123,14 +123,14 @@ void sink(const char *filename, const char *mode);
|
|||||||
void test_strings2()
|
void test_strings2()
|
||||||
{
|
{
|
||||||
string path1 = user_input();
|
string path1 = user_input();
|
||||||
sink(path1.c_str(), "r"); // $ MISSING: ast,ir
|
sink(path1.c_str(), "r"); // $ ir MISSING: ast
|
||||||
|
|
||||||
string path2;
|
string path2;
|
||||||
path2 = user_input();
|
path2 = user_input();
|
||||||
sink(path2.c_str(), "r"); // $ MISSING: ast,ir
|
sink(path2.c_str(), "r"); // $ ir MISSING: ast
|
||||||
|
|
||||||
string path3(user_input());
|
string path3(user_input());
|
||||||
sink(path3.c_str(), "r"); // $ MISSING: ast,ir
|
sink(path3.c_str(), "r"); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_string3()
|
void test_string3()
|
||||||
@@ -154,6 +154,6 @@ void test_string4()
|
|||||||
// convert back std::string -> char *
|
// convert back std::string -> char *
|
||||||
cs = ss.c_str();
|
cs = ss.c_str();
|
||||||
|
|
||||||
sink(cs); // $ ast MISSING: ir
|
sink(cs); // $ ast,ir
|
||||||
sink(ss); // $ ir MISSING: ast
|
sink(ss); // $ ir MISSING: ast
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -7,9 +7,10 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
|
||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
|
||||||
|
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
predicate isSink(Element sink) {
|
predicate argToSinkCall(Element sink) {
|
||||||
exists(FunctionCall call |
|
exists(FunctionCall call |
|
||||||
call.getTarget().getName() = "sink" and
|
call.getTarget().getName() = "sink" and
|
||||||
sink = call.getAnArgument()
|
sink = call.getAnArgument()
|
||||||
@@ -17,11 +18,15 @@ predicate isSink(Element sink) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
predicate astTaint(Expr source, Element sink) {
|
predicate astTaint(Expr source, Element sink) {
|
||||||
ASTTaintTracking::tainted(source, sink) and isSink(sink)
|
ASTTaintTracking::tainted(source, sink) and argToSinkCall(sink)
|
||||||
|
}
|
||||||
|
|
||||||
|
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { argToSinkCall(e) }
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate irTaint(Expr source, Element sink) {
|
predicate irTaint(Expr source, Element sink) {
|
||||||
IRDefaultTaintTracking::tainted(source, sink) and isSink(sink)
|
TaintedWithPath::taintedWithPath(source, sink, _, _)
|
||||||
}
|
}
|
||||||
|
|
||||||
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
class IRDefaultTaintTrackingTest extends InlineExpectationsTest {
|
||||||
|
|||||||
@@ -1,19 +1,42 @@
|
|||||||
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | AST only |
|
||||||
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | AST only |
|
||||||
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | AST only |
|
||||||
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only |
|
||||||
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | AST only |
|
||||||
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
||||||
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only |
|
||||||
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
|
||||||
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
|
||||||
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | AST only |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
|
||||||
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | AST only |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
|
||||||
|
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | AST only |
|
||||||
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
|
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
|
||||||
|
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | AST only |
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only |
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | AST only |
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
|
||||||
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | AST only |
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |
|
||||||
|
|||||||
@@ -2,14 +2,18 @@ import semmle.code.cpp.security.TaintTrackingImpl as AST
|
|||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IR
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IR
|
||||||
import cpp
|
import cpp
|
||||||
|
|
||||||
|
class SourceConfiguration extends IR::TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { any() }
|
||||||
|
}
|
||||||
|
|
||||||
from Expr source, Element tainted, string side
|
from Expr source, Element tainted, string side
|
||||||
where
|
where
|
||||||
AST::taintedIncludingGlobalVars(source, tainted, _) and
|
AST::taintedIncludingGlobalVars(source, tainted, _) and
|
||||||
not IR::taintedIncludingGlobalVars(source, tainted, _) and
|
not IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
|
||||||
not tainted.getLocation().getFile().getExtension() = "h" and
|
not tainted.getLocation().getFile().getExtension() = "h" and
|
||||||
side = "AST only"
|
side = "AST only"
|
||||||
or
|
or
|
||||||
IR::taintedIncludingGlobalVars(source, tainted, _) and
|
IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
|
||||||
not AST::taintedIncludingGlobalVars(source, tainted, _) and
|
not AST::taintedIncludingGlobalVars(source, tainted, _) and
|
||||||
not tainted.getLocation().getFile().getExtension() = "h" and
|
not tainted.getLocation().getFile().getExtension() = "h" and
|
||||||
side = "IR only"
|
side = "IR only"
|
||||||
|
|||||||
@@ -1,71 +1,48 @@
|
|||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp | |
|
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... | |
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv |
|
||||||
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr | |
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr |
|
||||||
| test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | |
|
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv | |
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... | |
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr | |
|
| test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... | |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp | |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... | |
|
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName |
|
||||||
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal | |
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | |
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | |
|
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... |
|
||||||
| test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | |
|
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy |
|
||||||
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName | |
|
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi | |
|
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv |
|
||||||
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | |
|
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy |
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | |
|
|
||||||
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | |
|
|
||||||
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | |
|
|
||||||
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets | |
|
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | |
|
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | |
|
|
||||||
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... | |
|
|
||||||
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy | |
|
|
||||||
|
|||||||
@@ -1,7 +1,11 @@
|
|||||||
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
|
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
|
||||||
|
|
||||||
from Expr source, Element tainted, string globalVar
|
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
|
||||||
|
override predicate isSink(Element e) { any() }
|
||||||
|
}
|
||||||
|
|
||||||
|
from Expr source, Element tainted
|
||||||
where
|
where
|
||||||
taintedIncludingGlobalVars(source, tainted, globalVar) and
|
TaintedWithPath::taintedWithPath(source, tainted, _, _) and
|
||||||
not tainted.getLocation().getFile().getExtension() = "h"
|
not tainted.getLocation().getFile().getExtension() = "h"
|
||||||
select source, tainted, globalVar
|
select source, tainted
|
||||||
|
|||||||
127
cpp/ql/test/library-tests/dataflow/smart-pointers-taint/memory.h
Normal file
127
cpp/ql/test/library-tests/dataflow/smart-pointers-taint/memory.h
Normal file
@@ -0,0 +1,127 @@
|
|||||||
|
|
||||||
|
namespace std {
|
||||||
|
namespace detail {
|
||||||
|
template<typename T>
|
||||||
|
class compressed_pair_element {
|
||||||
|
T element;
|
||||||
|
|
||||||
|
public:
|
||||||
|
compressed_pair_element() = default;
|
||||||
|
compressed_pair_element(const T& t) : element(t) {}
|
||||||
|
|
||||||
|
T& get() { return element; }
|
||||||
|
|
||||||
|
const T& get() const { return element; }
|
||||||
|
};
|
||||||
|
|
||||||
|
template<typename T, typename U>
|
||||||
|
struct compressed_pair : private compressed_pair_element<T>, private compressed_pair_element<U> {
|
||||||
|
compressed_pair() = default;
|
||||||
|
compressed_pair(T& t) : compressed_pair_element<T>(t), compressed_pair_element<U>() {}
|
||||||
|
compressed_pair(const compressed_pair&) = delete;
|
||||||
|
compressed_pair(compressed_pair<T, U>&&) noexcept = default;
|
||||||
|
|
||||||
|
T& first() { return static_cast<compressed_pair_element<T>&>(*this).get(); }
|
||||||
|
U& second() { return static_cast<compressed_pair_element<U>&>(*this).get(); }
|
||||||
|
|
||||||
|
const T& first() const { return static_cast<const compressed_pair_element<T>&>(*this).get(); }
|
||||||
|
const U& second() const { return static_cast<const compressed_pair_element<U>&>(*this).get(); }
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
template<class T>
|
||||||
|
struct default_delete {
|
||||||
|
void operator()(T* ptr) const { delete ptr; }
|
||||||
|
};
|
||||||
|
|
||||||
|
template<class T>
|
||||||
|
struct default_delete<T[]> {
|
||||||
|
template<class U>
|
||||||
|
void operator()(U* ptr) const { delete[] ptr; }
|
||||||
|
};
|
||||||
|
|
||||||
|
template<class T, class Deleter = default_delete<T> >
|
||||||
|
class unique_ptr {
|
||||||
|
private:
|
||||||
|
detail::compressed_pair<T*, Deleter> data;
|
||||||
|
public:
|
||||||
|
constexpr unique_ptr() noexcept {}
|
||||||
|
explicit unique_ptr(T* ptr) noexcept : data(ptr) {}
|
||||||
|
unique_ptr(const unique_ptr& ptr) = delete;
|
||||||
|
unique_ptr(unique_ptr&& ptr) noexcept = default;
|
||||||
|
|
||||||
|
unique_ptr& operator=(unique_ptr&& ptr) noexcept = default;
|
||||||
|
|
||||||
|
T& operator*() const { return *get(); }
|
||||||
|
T* operator->() const noexcept { return get(); }
|
||||||
|
|
||||||
|
T* get() const noexcept { return data.first(); }
|
||||||
|
|
||||||
|
~unique_ptr() {
|
||||||
|
Deleter& d = data.second();
|
||||||
|
d(data.first());
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
template<typename T, class... Args> unique_ptr<T> make_unique(Args&&... args) {
|
||||||
|
return unique_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
|
||||||
|
}
|
||||||
|
|
||||||
|
class ctrl_block {
|
||||||
|
unsigned uses;
|
||||||
|
|
||||||
|
public:
|
||||||
|
ctrl_block() : uses(1) {}
|
||||||
|
|
||||||
|
void inc() { ++uses; }
|
||||||
|
bool dec() { return --uses == 0; }
|
||||||
|
|
||||||
|
virtual void destroy() = 0;
|
||||||
|
virtual ~ctrl_block() {}
|
||||||
|
};
|
||||||
|
|
||||||
|
template<typename T, class Deleter = default_delete<T> >
|
||||||
|
struct ctrl_block_impl: public ctrl_block {
|
||||||
|
T* ptr;
|
||||||
|
Deleter d;
|
||||||
|
|
||||||
|
ctrl_block_impl(T* ptr, Deleter d) : ptr(ptr), d(d) {}
|
||||||
|
virtual void destroy() override { d(ptr); }
|
||||||
|
};
|
||||||
|
|
||||||
|
template<class T>
|
||||||
|
class shared_ptr {
|
||||||
|
private:
|
||||||
|
ctrl_block* ctrl;
|
||||||
|
T* ptr;
|
||||||
|
|
||||||
|
void dec() {
|
||||||
|
if(ctrl->dec()) {
|
||||||
|
ctrl->destroy();
|
||||||
|
delete ctrl;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void inc() {
|
||||||
|
ctrl->inc();
|
||||||
|
}
|
||||||
|
|
||||||
|
public:
|
||||||
|
constexpr shared_ptr() noexcept = default;
|
||||||
|
shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}
|
||||||
|
shared_ptr(const shared_ptr& s) noexcept : ptr(s.ptr), ctrl(s.ctrl) {
|
||||||
|
inc();
|
||||||
|
}
|
||||||
|
shared_ptr(shared_ptr&& s) noexcept = default;
|
||||||
|
|
||||||
|
T* operator->() const { return ptr; }
|
||||||
|
|
||||||
|
T& operator*() const { return *ptr; }
|
||||||
|
|
||||||
|
~shared_ptr() { dec(); }
|
||||||
|
};
|
||||||
|
|
||||||
|
template<typename T, class... Args> shared_ptr<T> make_shared(Args&&... args) {
|
||||||
|
return shared_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,39 @@
|
|||||||
|
import TestUtilities.dataflow.FlowTestCommon
|
||||||
|
|
||||||
|
module ASTTest {
|
||||||
|
private import semmle.code.cpp.dataflow.TaintTracking
|
||||||
|
|
||||||
|
class ASTSmartPointerTaintConfig extends TaintTracking::Configuration {
|
||||||
|
ASTSmartPointerTaintConfig() { this = "ASTSmartPointerTaintConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
|
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||||
|
}
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
|
exists(FunctionCall call |
|
||||||
|
call.getTarget().getName() = "sink" and
|
||||||
|
sink.asExpr() = call.getAnArgument()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module IRTest {
|
||||||
|
private import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||||
|
|
||||||
|
class IRSmartPointerTaintConfig extends TaintTracking::Configuration {
|
||||||
|
IRSmartPointerTaintConfig() { this = "IRSmartPointerTaintConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
|
source.asExpr().(FunctionCall).getTarget().getName() = "source"
|
||||||
|
}
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
|
exists(FunctionCall call |
|
||||||
|
call.getTarget().getName() = "sink" and
|
||||||
|
sink.asExpr() = call.getAnArgument()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,46 @@
|
|||||||
|
#include "memory.h"
|
||||||
|
|
||||||
|
int source();
|
||||||
|
void sink(int);
|
||||||
|
|
||||||
|
void test_unique_ptr_int() {
|
||||||
|
std::unique_ptr<int> p1(new int(source()));
|
||||||
|
std::unique_ptr<int> p2 = std::make_unique<int>(source());
|
||||||
|
|
||||||
|
sink(*p1); // $ MISSING: ast,ir
|
||||||
|
sink(*p2); // $ ast ir=8:50
|
||||||
|
}
|
||||||
|
|
||||||
|
struct A {
|
||||||
|
int x, y;
|
||||||
|
|
||||||
|
A(int x, int y) : x(x), y(y) {}
|
||||||
|
};
|
||||||
|
|
||||||
|
void test_unique_ptr_struct() {
|
||||||
|
std::unique_ptr<A> p1(new A{source(), 0});
|
||||||
|
std::unique_ptr<A> p2 = std::make_unique<A>(source(), 0);
|
||||||
|
|
||||||
|
sink(p1->x); // $ MISSING: ast,ir
|
||||||
|
sink(p1->y);
|
||||||
|
sink(p2->x); // $ MISSING: ast,ir
|
||||||
|
sink(p2->y);
|
||||||
|
}
|
||||||
|
|
||||||
|
void test_shared_ptr_int() {
|
||||||
|
std::shared_ptr<int> p1(new int(source()));
|
||||||
|
std::shared_ptr<int> p2 = std::make_shared<int>(source());
|
||||||
|
|
||||||
|
sink(*p1); // $ ast
|
||||||
|
sink(*p2); // $ ast ir=32:50
|
||||||
|
}
|
||||||
|
|
||||||
|
void test_shared_ptr_struct() {
|
||||||
|
std::shared_ptr<A> p1(new A{source(), 0});
|
||||||
|
std::shared_ptr<A> p2 = std::make_shared<A>(source(), 0);
|
||||||
|
|
||||||
|
sink(p1->x); // $ MISSING: ast,ir
|
||||||
|
sink(p1->y);
|
||||||
|
sink(p2->x); // $ MISSING: ast,ir
|
||||||
|
sink(p2->y);
|
||||||
|
}
|
||||||
@@ -19,6 +19,6 @@ void test_accept() {
|
|||||||
int size = sizeof(sockaddr);
|
int size = sizeof(sockaddr);
|
||||||
int a = accept(s, &addr, &size);
|
int a = accept(s, &addr, &size);
|
||||||
|
|
||||||
sink(a); // $ ast=17:11 SPURIOUS: ast=18:12 MISSING: ir
|
sink(a); // $ ast=17:11 ir SPURIOUS: ast=18:12
|
||||||
sink(addr); // $ ast MISSING: ir
|
sink(addr); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5213,7 +5213,6 @@
|
|||||||
| swap1.cpp:14:17:14:17 | t | swap1.cpp:14:17:14:17 | t | |
|
| swap1.cpp:14:17:14:17 | t | swap1.cpp:14:17:14:17 | t | |
|
||||||
| swap1.cpp:14:17:14:17 | t | swap1.cpp:14:17:14:17 | t | |
|
| swap1.cpp:14:17:14:17 | t | swap1.cpp:14:17:14:17 | t | |
|
||||||
| swap1.cpp:14:17:14:17 | t | swap1.cpp:14:56:14:56 | t | |
|
| swap1.cpp:14:17:14:17 | t | swap1.cpp:14:56:14:56 | t | |
|
||||||
| swap1.cpp:14:17:14:17 | t | swap1.cpp:14:56:14:56 | t | |
|
|
||||||
| swap1.cpp:24:9:24:13 | this | swap1.cpp:24:31:24:34 | this | |
|
| swap1.cpp:24:9:24:13 | this | swap1.cpp:24:31:24:34 | this | |
|
||||||
| swap1.cpp:24:23:24:26 | that | swap1.cpp:24:23:24:26 | that | |
|
| swap1.cpp:24:23:24:26 | that | swap1.cpp:24:23:24:26 | that | |
|
||||||
| swap1.cpp:24:23:24:26 | that | swap1.cpp:24:36:24:39 | that | |
|
| swap1.cpp:24:23:24:26 | that | swap1.cpp:24:36:24:39 | that | |
|
||||||
@@ -5379,7 +5378,6 @@
|
|||||||
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
|
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
|
||||||
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
|
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t | |
|
||||||
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:56:14:56 | t | |
|
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:56:14:56 | t | |
|
||||||
| swap2.cpp:14:17:14:17 | t | swap2.cpp:14:56:14:56 | t | |
|
|
||||||
| swap2.cpp:24:9:24:13 | this | swap2.cpp:24:31:24:34 | this | |
|
| swap2.cpp:24:9:24:13 | this | swap2.cpp:24:31:24:34 | this | |
|
||||||
| swap2.cpp:24:23:24:26 | that | swap2.cpp:24:23:24:26 | that | |
|
| swap2.cpp:24:23:24:26 | that | swap2.cpp:24:23:24:26 | that | |
|
||||||
| swap2.cpp:24:23:24:26 | that | swap2.cpp:24:36:24:39 | that | |
|
| swap2.cpp:24:23:24:26 | that | swap2.cpp:24:36:24:39 | that | |
|
||||||
|
|||||||
@@ -152,8 +152,8 @@ void test_map()
|
|||||||
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
||||||
{
|
{
|
||||||
sink(*i2); // $ ast,ir
|
sink(*i2); // $ ast,ir
|
||||||
sink(i2->first); // $ SPURIOUS: ir
|
sink(i2->first); // clean
|
||||||
sink(i2->second); // $ ir MISSING: ast
|
sink(i2->second); // $ MISSING: ast,ir
|
||||||
}
|
}
|
||||||
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
||||||
{
|
{
|
||||||
@@ -304,8 +304,8 @@ void test_unordered_map()
|
|||||||
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
for (i2 = m2.begin(); i2 != m2.end(); i2++)
|
||||||
{
|
{
|
||||||
sink(*i2); // $ ast,ir
|
sink(*i2); // $ ast,ir
|
||||||
sink(i2->first); // $ SPURIOUS: ir
|
sink(i2->first); // clean
|
||||||
sink(i2->second); // $ ir MISSING: ast
|
sink(i2->second); // $ MISSING: ast,ir
|
||||||
}
|
}
|
||||||
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
for (i3 = m3.begin(); i3 != m3.end(); i3++)
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -39,13 +39,13 @@ public:
|
|||||||
void test_typedefs(int_iterator_by_typedefs source1) {
|
void test_typedefs(int_iterator_by_typedefs source1) {
|
||||||
sink(*source1); // $ ast,ir
|
sink(*source1); // $ ast,ir
|
||||||
sink(*(source1++)); // $ ast,ir
|
sink(*(source1++)); // $ ast,ir
|
||||||
sink(*(++source1)); // $ ast MISSING: ir
|
sink(*(++source1)); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_trait(int_iterator_by_trait source1) {
|
void test_trait(int_iterator_by_trait source1) {
|
||||||
sink(*source1); // $ ast,ir
|
sink(*source1); // $ ast,ir
|
||||||
sink(*(source1++)); // $ ast,ir
|
sink(*(source1++)); // $ ast,ir
|
||||||
sink(*(++source1)); // $ ast MISSING: ir
|
sink(*(++source1)); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_non_iterator(non_iterator source1) {
|
void test_non_iterator(non_iterator source1) {
|
||||||
|
|||||||
@@ -396,9 +396,9 @@ void test_string_iterators() {
|
|||||||
sink(*(i2+1)); // $ ast,ir
|
sink(*(i2+1)); // $ ast,ir
|
||||||
sink(*(i2-1)); // $ ast,ir
|
sink(*(i2-1)); // $ ast,ir
|
||||||
i3 = i2;
|
i3 = i2;
|
||||||
sink(*(++i3)); // $ ast MISSING: ir
|
sink(*(++i3)); // $ ast,ir
|
||||||
i4 = i2;
|
i4 = i2;
|
||||||
sink(*(--i4)); // $ ast MISSING: ir
|
sink(*(--i4)); // $ ast,ir
|
||||||
i5 = i2;
|
i5 = i2;
|
||||||
i5++;
|
i5++;
|
||||||
sink(*i5); // $ ast,ir
|
sink(*i5); // $ ast,ir
|
||||||
@@ -406,9 +406,9 @@ void test_string_iterators() {
|
|||||||
i6--;
|
i6--;
|
||||||
sink(*i6); // $ ast,ir
|
sink(*i6); // $ ast,ir
|
||||||
i7 = i2;
|
i7 = i2;
|
||||||
sink(*(i7+=1)); // $ ast MISSING: ir
|
sink(*(i7+=1)); // $ ast,ir
|
||||||
i8 = i2;
|
i8 = i2;
|
||||||
sink(*(i8-=1)); // $ ast MISSING: ir
|
sink(*(i8-=1)); // $ ast,ir
|
||||||
|
|
||||||
i9 = s2.end();
|
i9 = s2.end();
|
||||||
--i9;
|
--i9;
|
||||||
|
|||||||
@@ -32,18 +32,18 @@ void test_stringstream_string(int amount)
|
|||||||
sink(ss2 << source()); // $ ast,ir
|
sink(ss2 << source()); // $ ast,ir
|
||||||
sink(ss3 << "123" << source()); // $ ast,ir
|
sink(ss3 << "123" << source()); // $ ast,ir
|
||||||
sink(ss4 << source() << "456"); // $ ast,ir
|
sink(ss4 << source() << "456"); // $ ast,ir
|
||||||
sink(ss5 << t); // $ ast MISSING: ir
|
sink(ss5 << t); // $ ast,ir
|
||||||
|
|
||||||
sink(ss1);
|
sink(ss1);
|
||||||
sink(ss2); // $ ast,ir
|
sink(ss2); // $ ast,ir
|
||||||
sink(ss3); // $ ast MISSING: ir
|
sink(ss3); // $ ast MISSING: ir
|
||||||
sink(ss4); // $ ast,ir
|
sink(ss4); // $ ast,ir
|
||||||
sink(ss5); // $ ast MISSING: ir
|
sink(ss5); // $ ast,ir
|
||||||
sink(ss1.str());
|
sink(ss1.str());
|
||||||
sink(ss2.str()); // $ ast,ir
|
sink(ss2.str()); // $ ast,ir
|
||||||
sink(ss3.str()); // $ ast MISSING: ir
|
sink(ss3.str()); // $ ast MISSING: ir
|
||||||
sink(ss4.str()); // $ ast,ir
|
sink(ss4.str()); // $ ast,ir
|
||||||
sink(ss5.str()); // $ ast MISSING: ir
|
sink(ss5.str()); // $ ast,ir
|
||||||
|
|
||||||
ss6.str("abc");
|
ss6.str("abc");
|
||||||
ss6.str(source()); // (overwrites)
|
ss6.str(source()); // (overwrites)
|
||||||
@@ -229,7 +229,7 @@ void test_getline()
|
|||||||
|
|
||||||
sink(ss2.getline(b7, 1000).getline(b8, 1000)); // $ ast,ir
|
sink(ss2.getline(b7, 1000).getline(b8, 1000)); // $ ast,ir
|
||||||
sink(b7); // $ ast,ir
|
sink(b7); // $ ast,ir
|
||||||
sink(b8); // $ ast MISSING: ir
|
sink(b8); // $ ast,ir
|
||||||
|
|
||||||
sink(getline(ss1, s1));
|
sink(getline(ss1, s1));
|
||||||
sink(getline(ss2, s2)); // $ ast,ir
|
sink(getline(ss2, s2)); // $ ast,ir
|
||||||
@@ -261,7 +261,7 @@ void test_chaining()
|
|||||||
|
|
||||||
sink(ss1.get(b1, 100).unget().get(b2, 100)); // $ ast,ir
|
sink(ss1.get(b1, 100).unget().get(b2, 100)); // $ ast,ir
|
||||||
sink(b1); // $ ast,ir
|
sink(b1); // $ ast,ir
|
||||||
sink(b2); // $ ast MISSING: ir
|
sink(b2); // $ ast,ir
|
||||||
|
|
||||||
sink(ss2.write("abc", 3).flush().write(source(), 3).flush().write("xyz", 3)); // $ ast MISSING: ir
|
sink(ss2.write("abc", 3).flush().write(source(), 3).flush().write("xyz", 3)); // $ ast MISSING: ir
|
||||||
sink(ss2); // $ ast MISSING: ir
|
sink(ss2); // $ ast MISSING: ir
|
||||||
|
|||||||
@@ -192,7 +192,7 @@ void *memcpy(void *dest, void *src, int len);
|
|||||||
void test_memcpy(int *source) {
|
void test_memcpy(int *source) {
|
||||||
int x;
|
int x;
|
||||||
memcpy(&x, source, sizeof(int));
|
memcpy(&x, source, sizeof(int));
|
||||||
sink(x); // $ ast=192:23 MISSING: ir SPURIOUS: ast=193:6
|
sink(x); // $ ast=192:23 ir SPURIOUS: ast=193:6
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- std::swap ---
|
// --- std::swap ---
|
||||||
@@ -369,9 +369,9 @@ void test_strdup(char *source)
|
|||||||
a = strdup(source);
|
a = strdup(source);
|
||||||
b = strdup("hello, world");
|
b = strdup("hello, world");
|
||||||
c = strndup(source, 100);
|
c = strndup(source, 100);
|
||||||
sink(a); // $ ast MISSING: ir
|
sink(a); // $ ast,ir
|
||||||
sink(b);
|
sink(b);
|
||||||
sink(c); // $ ast MISSING: ir
|
sink(c); // $ ast,ir
|
||||||
}
|
}
|
||||||
|
|
||||||
void test_strndup(int source)
|
void test_strndup(int source)
|
||||||
@@ -388,7 +388,7 @@ void test_wcsdup(wchar_t *source)
|
|||||||
|
|
||||||
a = wcsdup(source);
|
a = wcsdup(source);
|
||||||
b = wcsdup(L"hello, world");
|
b = wcsdup(L"hello, world");
|
||||||
sink(a); // $ ast MISSING: ir
|
sink(a); // $ ast,ir
|
||||||
sink(b);
|
sink(b);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ void *mempcpy(void *dest, const void *src, size_t n);
|
|||||||
void test_mempcpy(int *source) {
|
void test_mempcpy(int *source) {
|
||||||
int x;
|
int x;
|
||||||
mempcpy(&x, source, sizeof(int));
|
mempcpy(&x, source, sizeof(int));
|
||||||
sink(x); // $ ast=518:24 MISSING: ir SPURIOUS: ast=519:6
|
sink(x); // $ ast=518:24 ir SPURIOUS: ast=519:6
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- memccpy ---
|
// --- memccpy ---
|
||||||
@@ -528,7 +528,7 @@ void *memccpy(void *dest, const void *src, int c, size_t n);
|
|||||||
void test_memccpy(int *source) {
|
void test_memccpy(int *source) {
|
||||||
int dest[16];
|
int dest[16];
|
||||||
memccpy(dest, source, 42, sizeof(dest));
|
memccpy(dest, source, 42, sizeof(dest));
|
||||||
sink(dest); // $ ast=528:24 MISSING: ir SPURIOUS: ast=529:6
|
sink(dest); // $ ast=528:24 ir SPURIOUS: ast=529:6
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- strcat and related functions ---
|
// --- strcat and related functions ---
|
||||||
|
|||||||
@@ -0,0 +1,7 @@
|
|||||||
|
void accept(int arg, char *buf, unsigned long* bufSize);
|
||||||
|
|
||||||
|
void testAccept(int socket1, int socket2)
|
||||||
|
{
|
||||||
|
char buffer[1024];
|
||||||
|
accept(socket2, 0, 0);
|
||||||
|
}
|
||||||
@@ -3,11 +3,15 @@ edges
|
|||||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | (const char *)... |
|
||||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
||||||
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
|
||||||
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
|
||||||
|
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
||||||
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
| test.c:9:23:9:26 | argv | semmle.label | argv |
|
||||||
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:17:11:17:18 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:17:11:17:18 | fileName | semmle.label | fileName |
|
| test.c:17:11:17:18 | fileName | semmle.label | fileName |
|
||||||
|
| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
|
||||||
|
| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
|
||||||
#select
|
#select
|
||||||
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
|
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |
|
||||||
|
|||||||
@@ -1,13 +1,17 @@
|
|||||||
edges
|
edges
|
||||||
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | (const char *)... |
|
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | (const char *)... |
|
||||||
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query |
|
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query |
|
||||||
|
| search.c:14:24:14:28 | *query | search.c:17:8:17:12 | query indirection |
|
||||||
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
|
||||||
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
||||||
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
|
||||||
|
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query indirection |
|
||||||
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
||||||
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
|
||||||
|
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query indirection |
|
||||||
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
||||||
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
|
||||||
|
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query indirection |
|
||||||
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
||||||
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
| search.c:51:21:51:26 | call to getenv | search.c:55:5:55:15 | raw_query |
|
||||||
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
|
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query indirection |
|
||||||
@@ -28,11 +32,15 @@ nodes
|
|||||||
| search.c:17:8:17:12 | query | semmle.label | query |
|
| search.c:17:8:17:12 | query | semmle.label | query |
|
||||||
| search.c:17:8:17:12 | query | semmle.label | query |
|
| search.c:17:8:17:12 | query | semmle.label | query |
|
||||||
| search.c:17:8:17:12 | query | semmle.label | query |
|
| search.c:17:8:17:12 | query | semmle.label | query |
|
||||||
|
| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
|
||||||
|
| search.c:17:8:17:12 | query indirection | semmle.label | query indirection |
|
||||||
| search.c:22:24:22:28 | *query | semmle.label | *query |
|
| search.c:22:24:22:28 | *query | semmle.label | *query |
|
||||||
| search.c:22:24:22:28 | query | semmle.label | query |
|
| search.c:22:24:22:28 | query | semmle.label | query |
|
||||||
| search.c:23:39:23:43 | query | semmle.label | query |
|
| search.c:23:39:23:43 | query | semmle.label | query |
|
||||||
| search.c:23:39:23:43 | query | semmle.label | query |
|
| search.c:23:39:23:43 | query | semmle.label | query |
|
||||||
| search.c:23:39:23:43 | query | semmle.label | query |
|
| search.c:23:39:23:43 | query | semmle.label | query |
|
||||||
|
| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
|
||||||
|
| search.c:23:39:23:43 | query indirection | semmle.label | query indirection |
|
||||||
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
||||||
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
|
||||||
| search.c:55:5:55:15 | raw_query | semmle.label | raw_query |
|
| search.c:55:5:55:15 | raw_query | semmle.label | raw_query |
|
||||||
|
|||||||
@@ -3,11 +3,15 @@ edges
|
|||||||
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
|
||||||
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
||||||
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
|
||||||
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
|
||||||
|
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
||||||
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
| test.c:15:20:15:23 | argv | semmle.label | argv |
|
||||||
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.c:21:18:21:23 | query1 | semmle.label | query1 |
|
| test.c:21:18:21:23 | query1 | semmle.label | query1 |
|
||||||
|
| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
|
||||||
|
| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
|
||||||
#select
|
#select
|
||||||
| test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
|
| test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
|
||||||
|
|||||||
@@ -1,12 +1,16 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
||||||
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command |
|
||||||
|
| test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | command indirection |
|
||||||
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
||||||
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
|
||||||
|
| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command indirection |
|
||||||
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
||||||
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command |
|
||||||
|
| test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | command indirection |
|
||||||
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
||||||
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
|
||||||
|
| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command indirection |
|
||||||
| test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command |
|
| test.cpp:42:7:42:16 | call to getenv | test.cpp:24:30:24:36 | command |
|
||||||
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv |
|
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:7:42:16 | call to getenv |
|
||||||
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection |
|
| test.cpp:42:18:42:23 | call to getenv | test.cpp:42:18:42:34 | call to getenv indirection |
|
||||||
@@ -21,31 +25,55 @@ edges
|
|||||||
| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command |
|
| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | *command |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
|
||||||
|
| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer indirection |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
|
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
|
||||||
|
| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
|
||||||
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... |
|
||||||
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
|
||||||
|
| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
|
||||||
|
| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer indirection |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | (const char *)... |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data |
|
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data |
|
||||||
|
| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data indirection |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | (const char *)... |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
|
||||||
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
|
||||||
|
| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data indirection |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | (const char *)... |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer indirection |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | (const char *)... |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | (const char *)... |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer indirection |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | (const char *)... |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:24:30:24:36 | *command | semmle.label | *command |
|
| test.cpp:24:30:24:36 | *command | semmle.label | *command |
|
||||||
| test.cpp:24:30:24:36 | command | semmle.label | command |
|
| test.cpp:24:30:24:36 | command | semmle.label | command |
|
||||||
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
||||||
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
||||||
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
| test.cpp:26:10:26:16 | command | semmle.label | command |
|
||||||
|
| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
|
||||||
|
| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
|
||||||
| test.cpp:29:30:29:36 | *command | semmle.label | *command |
|
| test.cpp:29:30:29:36 | *command | semmle.label | *command |
|
||||||
| test.cpp:29:30:29:36 | command | semmle.label | command |
|
| test.cpp:29:30:29:36 | command | semmle.label | command |
|
||||||
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
||||||
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
||||||
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
| test.cpp:31:10:31:16 | command | semmle.label | command |
|
||||||
|
| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
|
||||||
|
| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
|
||||||
| test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:42:7:42:16 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -59,17 +87,39 @@ nodes
|
|||||||
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:62:10:62:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
|
| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:63:10:63:13 | data | semmle.label | data |
|
| test.cpp:63:10:63:13 | data | semmle.label | data |
|
||||||
|
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
|
||||||
|
| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
|
||||||
| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
|
| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
|
||||||
| test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
|
| test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
|
||||||
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
|
| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
|
||||||
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:79:10:79:13 | data | semmle.label | data |
|
| test.cpp:79:10:79:13 | data | semmle.label | data |
|
||||||
|
| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
|
||||||
|
| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
|
||||||
|
| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
|
||||||
|
| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
|
||||||
|
| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
|
||||||
#select
|
#select
|
||||||
| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
|
| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
|
||||||
| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
|
| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
|
||||||
@@ -77,3 +127,5 @@ nodes
|
|||||||
| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
|
| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
|
||||||
| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
||||||
| test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
| test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
|
||||||
|
| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:98:17:98:22 | buffer | buffer |
|
||||||
|
| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:106:17:106:22 | buffer | buffer |
|
||||||
|
|||||||
@@ -81,3 +81,29 @@ void testReferencePointer2()
|
|||||||
system(data2); // BAD [NOT DETECTED]
|
system(data2); // BAD [NOT DETECTED]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ---
|
||||||
|
|
||||||
|
typedef unsigned long size_t;
|
||||||
|
|
||||||
|
void accept(int arg, char *buf, size_t *bufSize);
|
||||||
|
void recv(int arg, char *buf, size_t bufSize);
|
||||||
|
void LoadLibrary(const char *arg);
|
||||||
|
|
||||||
|
void testAcceptRecv(int socket1, int socket2)
|
||||||
|
{
|
||||||
|
{
|
||||||
|
char buffer[1024];
|
||||||
|
|
||||||
|
recv(socket1, buffer, 1024);
|
||||||
|
LoadLibrary(buffer); // BAD: using data from recv
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
char buffer[1024];
|
||||||
|
|
||||||
|
accept(socket2, 0, 0);
|
||||||
|
recv(socket2, buffer, 1024);
|
||||||
|
LoadLibrary(buffer); // BAD: using data from recv
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@@ -5,16 +5,50 @@ edges
|
|||||||
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
||||||
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
||||||
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
|
||||||
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
|
||||||
|
| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array indirection |
|
||||||
nodes
|
nodes
|
||||||
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
||||||
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
| tests.c:28:22:28:25 | argv | semmle.label | argv |
|
||||||
@@ -23,21 +57,30 @@ nodes
|
|||||||
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
||||||
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
||||||
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
|
||||||
|
| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| tests.c:28:22:28:28 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
||||||
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
| tests.c:29:28:29:31 | argv | semmle.label | argv |
|
||||||
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
||||||
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
||||||
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
|
||||||
|
| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
|
| tests.c:31:15:31:23 | scanf output argument | semmle.label | scanf output argument |
|
||||||
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
||||||
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
|
||||||
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
||||||
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
| tests.c:34:10:34:13 | argv | semmle.label | argv |
|
||||||
| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
|
| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -45,9 +88,16 @@ nodes
|
|||||||
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
||||||
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
||||||
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
|
||||||
|
| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| tests.c:34:10:34:16 | access to array indirection | semmle.label | access to array indirection |
|
||||||
#select
|
#select
|
||||||
| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
||||||
| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
||||||
|
| tests.c:31:15:31:23 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
||||||
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
|
| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
|
||||||
|
| tests.c:33:21:33:29 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
|
||||||
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
|
| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
|
||||||
| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
|
| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
|
||||||
|
|||||||
@@ -5,54 +5,76 @@ edges
|
|||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||||
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
|
||||||
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array indirection |
|
||||||
|
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
|
||||||
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
|
||||||
|
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:102:15:102:16 | i1 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | (const char *)... |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
|
||||||
|
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | (const char *)... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
|
||||||
|
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:2:117:13 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | array to pointer conversion |
|
||||||
@@ -61,10 +83,14 @@ edges
|
|||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:2:122:13 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
||||||
@@ -73,36 +99,50 @@ edges
|
|||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
|
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
||||||
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:2:122:13 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:2:122:13 | i4 |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
||||||
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
|
||||||
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ indirection |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
|
||||||
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:2:128:13 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | array to pointer conversion |
|
||||||
@@ -111,56 +151,80 @@ edges
|
|||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | (const char *)... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... indirection |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
|
||||||
|
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
|
||||||
| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
||||||
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
|
||||||
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... indirection |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
|
||||||
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... indirection |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 indirection |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 indirection |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
|
||||||
|
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 indirection |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 indirection |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
|
||||||
|
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 indirection |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 indirection |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
|
||||||
|
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 indirection |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | i10 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | (char *)... |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 indirection |
|
||||||
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:15:170:26 | i10 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||||
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
|
||||||
@@ -176,11 +240,15 @@ nodes
|
|||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
| argvLocal.c:95:9:95:15 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:95:9:95:15 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
| argvLocal.c:96:15:96:18 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
| argvLocal.c:96:15:96:21 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:96:15:96:21 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
| argvLocal.c:100:7:100:10 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:101:9:101:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -188,9 +256,13 @@ nodes
|
|||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
| argvLocal.c:101:9:101:10 | i1 | semmle.label | i1 |
|
||||||
|
| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| argvLocal.c:101:9:101:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||||
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
| argvLocal.c:102:15:102:16 | i1 | semmle.label | i1 |
|
||||||
|
| argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| argvLocal.c:102:15:102:16 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
| argvLocal.c:105:14:105:17 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:106:9:106:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -198,68 +270,97 @@ nodes
|
|||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
| argvLocal.c:106:9:106:13 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:106:9:106:13 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||||
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
| argvLocal.c:107:15:107:19 | access to array | semmle.label | access to array |
|
||||||
|
| argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
|
||||||
|
| argvLocal.c:107:15:107:19 | access to array indirection | semmle.label | access to array indirection |
|
||||||
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:110:9:110:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
| argvLocal.c:110:9:110:11 | * ... | semmle.label | * ... |
|
||||||
|
| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
|
||||||
|
| argvLocal.c:110:9:110:11 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||||
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
| argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
|
||||||
|
| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
|
||||||
|
| argvLocal.c:111:15:111:17 | * ... indirection | semmle.label | * ... indirection |
|
||||||
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:116:9:116:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
|
| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
|
||||||
|
| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| argvLocal.c:116:9:116:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| argvLocal.c:117:2:117:13 | i3 | semmle.label | i3 |
|
| argvLocal.c:117:2:117:13 | i3 | semmle.label | i3 |
|
||||||
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:117:15:117:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
|
| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
|
||||||
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
|
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| argvLocal.c:117:15:117:16 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
||||||
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:121:9:121:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
|
| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
|
||||||
|
| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| argvLocal.c:121:9:121:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| argvLocal.c:122:2:122:13 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:2:122:13 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
|
||||||
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
|
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| argvLocal.c:122:15:122:16 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
||||||
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
| argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:127:9:127:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
|
| argvLocal.c:127:9:127:10 | i5 | semmle.label | i5 |
|
||||||
|
| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| argvLocal.c:127:9:127:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| argvLocal.c:128:2:128:13 | i5 | semmle.label | i5 |
|
| argvLocal.c:128:2:128:13 | i5 | semmle.label | i5 |
|
||||||
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
| argvLocal.c:128:15:128:16 | array to pointer conversion | semmle.label | array to pointer conversion |
|
||||||
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
|
| argvLocal.c:128:15:128:16 | i5 | semmle.label | i5 |
|
||||||
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
|
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| argvLocal.c:128:15:128:16 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
| argvLocal.c:128:15:128:16 | printWrapper output argument | semmle.label | printWrapper output argument |
|
||||||
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:131:9:131:14 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:131:9:131:14 | ... + ... | semmle.label | ... + ... |
|
||||||
|
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
|
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||||
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
| argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
|
||||||
|
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
|
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
|
||||||
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:135:9:135:12 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
|
||||||
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
|
||||||
|
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||||
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
|
||||||
|
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
|
||||||
|
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
|
||||||
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
| argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
|
||||||
|
| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
|
| argvLocal.c:144:9:144:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||||
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
| argvLocal.c:145:15:145:16 | i7 | semmle.label | i7 |
|
||||||
|
| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
|
||||||
|
| argvLocal.c:145:15:145:16 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
| argvLocal.c:149:11:149:14 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:150:9:150:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -267,36 +368,52 @@ nodes
|
|||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
| argvLocal.c:150:9:150:10 | i8 | semmle.label | i8 |
|
||||||
|
| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
|
| argvLocal.c:150:9:150:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||||
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
| argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
|
||||||
|
| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
|
||||||
|
| argvLocal.c:151:15:151:16 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:157:9:157:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
|
| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
|
||||||
|
| argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
|
| argvLocal.c:157:9:157:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||||
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
|
||||||
|
| argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
|
||||||
|
| argvLocal.c:158:15:158:16 | i9 indirection | semmle.label | i9 indirection |
|
||||||
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:164:9:164:11 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
|
| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
|
||||||
|
| argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
|
||||||
|
| argvLocal.c:164:9:164:11 | i91 indirection | semmle.label | i91 indirection |
|
||||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||||
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
|
||||||
|
| argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
|
||||||
|
| argvLocal.c:165:15:165:17 | i91 indirection | semmle.label | i91 indirection |
|
||||||
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
| argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
|
||||||
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
||||||
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
|
||||||
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
| argvLocal.c:169:9:169:20 | (const char *)... | semmle.label | (const char *)... |
|
||||||
|
| argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
|
||||||
|
| argvLocal.c:169:9:169:20 | i10 indirection | semmle.label | i10 indirection |
|
||||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
| argvLocal.c:169:18:169:20 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
||||||
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
| argvLocal.c:170:15:170:26 | (char *)... | semmle.label | (char *)... |
|
||||||
|
| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
|
||||||
|
| argvLocal.c:170:15:170:26 | i10 indirection | semmle.label | i10 indirection |
|
||||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||||
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
| argvLocal.c:170:24:170:26 | i10 | semmle.label | i10 |
|
||||||
|
|||||||
@@ -1,51 +1,71 @@
|
|||||||
edges
|
edges
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | i1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | e1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 indirection |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | (const char *)... |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 |
|
||||||
|
| funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:58:9:58:10 | e1 indirection |
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | (const char *)... |
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 |
|
||||||
|
| funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | i3 indirection |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... |
|
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | (const char *)... |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 |
|
||||||
|
| funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 indirection |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
|
| funcsLocal.c:31:13:31:17 | call to fgets | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
|
| funcsLocal.c:31:19:31:21 | fgets output argument | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
|
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | (const char *)... |
|
||||||
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
|
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 |
|
||||||
|
| funcsLocal.c:31:19:31:21 | i41 | funcsLocal.c:32:9:32:10 | i4 indirection |
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
|
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | (const char *)... |
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
|
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 |
|
||||||
|
| funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | i5 indirection |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
|
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | (const char *)... |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 |
|
||||||
|
| funcsLocal.c:36:7:36:8 | i5 | funcsLocal.c:37:9:37:10 | i5 indirection |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
|
| funcsLocal.c:41:13:41:16 | call to gets | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
|
| funcsLocal.c:41:18:41:20 | gets output argument | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
|
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | (const char *)... |
|
||||||
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
|
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 |
|
||||||
|
| funcsLocal.c:41:18:41:20 | i61 | funcsLocal.c:42:9:42:10 | i6 indirection |
|
||||||
nodes
|
nodes
|
||||||
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
|
| funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
|
||||||
| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
|
| funcsLocal.c:16:8:16:9 | i1 | semmle.label | i1 |
|
||||||
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:17:9:17:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
|
| funcsLocal.c:17:9:17:10 | i1 | semmle.label | i1 |
|
||||||
|
| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| funcsLocal.c:17:9:17:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
|
| funcsLocal.c:26:8:26:9 | fgets output argument | semmle.label | fgets output argument |
|
||||||
| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
|
| funcsLocal.c:26:8:26:9 | i3 | semmle.label | i3 |
|
||||||
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:27:9:27:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
|
| funcsLocal.c:27:9:27:10 | i3 | semmle.label | i3 |
|
||||||
|
| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| funcsLocal.c:27:9:27:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
||||||
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
| funcsLocal.c:31:13:31:17 | call to fgets | semmle.label | call to fgets |
|
||||||
| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
|
| funcsLocal.c:31:19:31:21 | fgets output argument | semmle.label | fgets output argument |
|
||||||
@@ -55,11 +75,15 @@ nodes
|
|||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||||
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
| funcsLocal.c:32:9:32:10 | i4 | semmle.label | i4 |
|
||||||
|
| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| funcsLocal.c:32:9:32:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
|
| funcsLocal.c:36:7:36:8 | gets output argument | semmle.label | gets output argument |
|
||||||
| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
|
| funcsLocal.c:36:7:36:8 | i5 | semmle.label | i5 |
|
||||||
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:37:9:37:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
|
| funcsLocal.c:37:9:37:10 | i5 | semmle.label | i5 |
|
||||||
|
| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| funcsLocal.c:37:9:37:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
||||||
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
| funcsLocal.c:41:13:41:16 | call to gets | semmle.label | call to gets |
|
||||||
| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
|
| funcsLocal.c:41:18:41:20 | gets output argument | semmle.label | gets output argument |
|
||||||
@@ -69,9 +93,13 @@ nodes
|
|||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||||
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
| funcsLocal.c:42:9:42:10 | i6 | semmle.label | i6 |
|
||||||
|
| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
|
| funcsLocal.c:42:9:42:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
| funcsLocal.c:58:9:58:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
|
| funcsLocal.c:58:9:58:10 | e1 | semmle.label | e1 |
|
||||||
|
| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
|
||||||
|
| funcsLocal.c:58:9:58:10 | e1 indirection | semmle.label | e1 indirection |
|
||||||
#select
|
#select
|
||||||
| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
|
| funcsLocal.c:17:9:17:10 | i1 | funcsLocal.c:16:8:16:9 | i1 | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
|
||||||
| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
|
| funcsLocal.c:27:9:27:10 | i3 | funcsLocal.c:26:8:26:9 | i3 | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
|
||||||
|
|||||||
@@ -29,18 +29,23 @@ edges
|
|||||||
| globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | *argv |
|
| globalVars.c:24:11:24:14 | argv indirection | globalVars.c:11:22:11:25 | *argv |
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... |
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | (const char *)... |
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy |
|
||||||
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:27:9:27:12 | copy indirection |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
|
||||||
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy indirection |
|
||||||
| globalVars.c:35:2:35:9 | copy | globalVars.c:15:21:15:23 | val |
|
| globalVars.c:35:2:35:9 | copy | globalVars.c:15:21:15:23 | val |
|
||||||
| globalVars.c:35:11:35:14 | copy | globalVars.c:35:2:35:9 | copy |
|
| globalVars.c:35:11:35:14 | copy | globalVars.c:35:2:35:9 | copy |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
|
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | (const char *)... |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 |
|
||||||
|
| globalVars.c:38:9:38:13 | copy2 | globalVars.c:38:9:38:13 | copy2 indirection |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
|
||||||
|
| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 indirection |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... |
|
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | (const char *)... |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 |
|
||||||
|
| globalVars.c:50:9:50:13 | copy2 | globalVars.c:50:9:50:13 | copy2 indirection |
|
||||||
nodes
|
nodes
|
||||||
| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
|
| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
|
||||||
| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
|
| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
|
||||||
@@ -58,9 +63,13 @@ nodes
|
|||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
||||||
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
|
||||||
|
| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
|
||||||
|
| globalVars.c:27:9:27:12 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
||||||
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
|
||||||
|
| globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
|
||||||
|
| globalVars.c:30:15:30:18 | copy indirection | semmle.label | copy indirection |
|
||||||
| globalVars.c:35:2:35:9 | copy | semmle.label | copy |
|
| globalVars.c:35:2:35:9 | copy | semmle.label | copy |
|
||||||
| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
|
| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
|
||||||
| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
|
| globalVars.c:38:9:38:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -68,14 +77,20 @@ nodes
|
|||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
|
||||||
|
| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
|
| globalVars.c:38:9:38:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
|
||||||
|
| globalVars.c:41:15:41:19 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
|
| globalVars.c:41:15:41:19 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
| globalVars.c:50:9:50:13 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
||||||
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
|
||||||
|
| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
|
| globalVars.c:50:9:50:13 | copy2 indirection | semmle.label | copy2 indirection |
|
||||||
#select
|
#select
|
||||||
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
||||||
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format) | globalVars.c:24:11:24:14 | argv | argv |
|
||||||
|
|||||||
@@ -5,66 +5,88 @@ edges
|
|||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||||
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 |
|
||||||
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 indirection |
|
||||||
|
| ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | (const char *)... |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 |
|
||||||
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 indirection |
|
||||||
|
| ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | (const char *)... |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 |
|
||||||
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 indirection |
|
||||||
|
| ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 indirection |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | (const char *)... |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 |
|
||||||
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 indirection |
|
||||||
|
| ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 indirection |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | (const char *)... |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
|
||||||
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
|
||||||
|
| ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
|
||||||
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
|
||||||
|
| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
|
||||||
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
|
||||||
|
| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
|
||||||
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 indirection |
|
||||||
|
| ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 indirection |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | (const char *)... |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 |
|
||||||
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 indirection |
|
||||||
|
| ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 indirection |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | (const char *)... |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 |
|
||||||
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 indirection |
|
||||||
|
| ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 indirection |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | (const char *)... |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 |
|
||||||
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 indirection |
|
||||||
|
| ifs.c:123:8:123:11 | argv | ifs.c:124:9:124:10 | i9 indirection |
|
||||||
nodes
|
nodes
|
||||||
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
| ifs.c:61:8:61:11 | argv | semmle.label | argv |
|
||||||
@@ -73,6 +95,8 @@ nodes
|
|||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||||
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
| ifs.c:62:9:62:10 | c7 | semmle.label | c7 |
|
||||||
|
| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
|
||||||
|
| ifs.c:62:9:62:10 | c7 indirection | semmle.label | c7 indirection |
|
||||||
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
| ifs.c:68:8:68:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:69:9:69:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -80,6 +104,8 @@ nodes
|
|||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||||
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
| ifs.c:69:9:69:10 | c8 | semmle.label | c8 |
|
||||||
|
| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
|
||||||
|
| ifs.c:69:9:69:10 | c8 indirection | semmle.label | c8 indirection |
|
||||||
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
| ifs.c:74:8:74:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:75:9:75:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -87,6 +113,8 @@ nodes
|
|||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||||
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
| ifs.c:75:9:75:10 | i1 | semmle.label | i1 |
|
||||||
|
| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
|
| ifs.c:75:9:75:10 | i1 indirection | semmle.label | i1 indirection |
|
||||||
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
| ifs.c:80:8:80:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:81:9:81:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -94,6 +122,8 @@ nodes
|
|||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||||
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
| ifs.c:81:9:81:10 | i2 | semmle.label | i2 |
|
||||||
|
| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
|
||||||
|
| ifs.c:81:9:81:10 | i2 indirection | semmle.label | i2 indirection |
|
||||||
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
| ifs.c:86:8:86:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:87:9:87:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -101,6 +131,8 @@ nodes
|
|||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||||
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
| ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
|
||||||
|
| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
|
| ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
|
||||||
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
| ifs.c:92:8:92:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -108,6 +140,8 @@ nodes
|
|||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||||
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
|
||||||
|
| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
|
| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
|
||||||
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
| ifs.c:98:8:98:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -115,6 +149,8 @@ nodes
|
|||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||||
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
|
||||||
|
| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
|
| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
|
||||||
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
| ifs.c:105:8:105:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -122,6 +158,8 @@ nodes
|
|||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||||
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
| ifs.c:106:9:106:10 | i6 | semmle.label | i6 |
|
||||||
|
| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
|
| ifs.c:106:9:106:10 | i6 indirection | semmle.label | i6 indirection |
|
||||||
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
| ifs.c:111:8:111:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:112:9:112:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -129,6 +167,8 @@ nodes
|
|||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||||
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
| ifs.c:112:9:112:10 | i7 | semmle.label | i7 |
|
||||||
|
| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
|
| ifs.c:112:9:112:10 | i7 indirection | semmle.label | i7 indirection |
|
||||||
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
| ifs.c:117:8:117:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:118:9:118:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -136,6 +176,8 @@ nodes
|
|||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||||
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
| ifs.c:118:9:118:10 | i8 | semmle.label | i8 |
|
||||||
|
| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
|
| ifs.c:118:9:118:10 | i8 indirection | semmle.label | i8 indirection |
|
||||||
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
| ifs.c:123:8:123:11 | argv | semmle.label | argv |
|
||||||
| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
|
| ifs.c:124:9:124:10 | (const char *)... | semmle.label | (const char *)... |
|
||||||
@@ -143,6 +185,8 @@ nodes
|
|||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||||
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
| ifs.c:124:9:124:10 | i9 | semmle.label | i9 |
|
||||||
|
| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
|
| ifs.c:124:9:124:10 | i9 indirection | semmle.label | i9 indirection |
|
||||||
#select
|
#select
|
||||||
| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
|
| ifs.c:62:9:62:10 | c7 | ifs.c:61:8:61:11 | argv | ifs.c:62:9:62:10 | c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:61:8:61:11 | argv | argv |
|
||||||
| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
|
| ifs.c:69:9:69:10 | c8 | ifs.c:68:8:68:11 | argv | ifs.c:69:9:69:10 | c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:68:8:68:11 | argv | argv |
|
||||||
|
|||||||
@@ -27,6 +27,24 @@ edges
|
|||||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||||
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
|
||||||
|
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:100:4:100:15 | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:100:17:100:22 | buffer indirection |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | ... + ... |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:4:100:15 | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:17:100:22 | buffer indirection |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | ... + ... |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | buffer |
|
||||||
|
| test.cpp:100:4:100:15 | buffer | test.cpp:100:17:100:22 | processData1 output argument |
|
||||||
|
| test.cpp:100:17:100:22 | buffer indirection | test.cpp:100:17:100:22 | processData1 output argument |
|
||||||
|
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | ... + ... |
|
||||||
|
| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | buffer |
|
||||||
|
| test.cpp:101:4:101:15 | ... + ... | test.cpp:75:38:75:40 | end |
|
||||||
|
| test.cpp:101:4:101:15 | buffer | test.cpp:75:25:75:29 | start |
|
||||||
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
||||||
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
|
||||||
| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
|
| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
|
||||||
@@ -106,6 +124,21 @@ nodes
|
|||||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||||
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
|
||||||
|
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
|
||||||
|
| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
|
||||||
|
| test.cpp:64:25:64:30 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:75:25:75:29 | start | semmle.label | start |
|
||||||
|
| test.cpp:75:38:75:40 | end | semmle.label | end |
|
||||||
|
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
|
||||||
|
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
|
||||||
|
| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
|
||||||
|
| test.cpp:97:18:97:23 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:97:18:97:23 | fread output argument | semmle.label | fread output argument |
|
||||||
|
| test.cpp:100:4:100:15 | buffer | semmle.label | buffer |
|
||||||
|
| test.cpp:100:17:100:22 | buffer indirection | semmle.label | buffer indirection |
|
||||||
|
| test.cpp:100:17:100:22 | processData1 output argument | semmle.label | processData1 output argument |
|
||||||
|
| test.cpp:101:4:101:15 | ... + ... | semmle.label | ... + ... |
|
||||||
|
| test.cpp:101:4:101:15 | buffer | semmle.label | buffer |
|
||||||
| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
|
| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
|
||||||
@@ -180,6 +213,7 @@ nodes
|
|||||||
| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||||
| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||||
| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
|
||||||
|
| test.cpp:79:9:79:29 | new[] | test.cpp:97:18:97:23 | buffer | test.cpp:79:18:79:28 | ... - ... | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |
|
||||||
| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
|
| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
|
||||||
| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
|
| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
|
||||||
| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
|
| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
|
||||||
|
|||||||
@@ -76,7 +76,7 @@ void processData2(char *start, char *end)
|
|||||||
{
|
{
|
||||||
char *copy;
|
char *copy;
|
||||||
|
|
||||||
copy = new char[end - start]; // GOOD
|
copy = new char[end - start]; // GOOD [FALSE POSITIVE]
|
||||||
|
|
||||||
// ...
|
// ...
|
||||||
|
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ void randomTester2()
|
|||||||
{
|
{
|
||||||
int r;
|
int r;
|
||||||
get_rand2(&r);
|
get_rand2(&r);
|
||||||
r = r + 100; // BAD [NOT DETECTED]
|
r = r + 100; // BAD
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -1,32 +1,44 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
||||||
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
|
||||||
|
| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address indirection |
|
||||||
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
||||||
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
|
||||||
|
| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address indirection |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
|
||||||
|
| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address indirection |
|
||||||
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
||||||
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
|
||||||
|
| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address indirection |
|
||||||
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
||||||
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
|
||||||
|
| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address indirection |
|
||||||
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
||||||
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
|
||||||
|
| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
||||||
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
| test.cpp:20:14:20:20 | address | semmle.label | address |
|
||||||
|
| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
|
||||||
|
| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
||||||
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
| test.cpp:31:14:31:20 | address | semmle.label | address |
|
||||||
|
| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
|
||||||
|
| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
|
||||||
| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
||||||
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
| test.cpp:42:14:42:20 | address | semmle.label | address |
|
||||||
|
| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
|
||||||
|
| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
|
||||||
#select
|
#select
|
||||||
| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
|
| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
|
||||||
| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
|
| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
|
||||||
|
|||||||
@@ -3,11 +3,15 @@ edges
|
|||||||
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
||||||
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
||||||
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
|
||||||
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
|
||||||
|
| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
||||||
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
| test.cpp:54:17:54:20 | argv | semmle.label | argv |
|
||||||
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
||||||
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
||||||
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
| test.cpp:58:25:58:29 | input | semmle.label | input |
|
||||||
|
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
|
||||||
|
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
|
||||||
#select
|
#select
|
||||||
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
|
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
|
||||||
|
|||||||
@@ -1,37 +1,21 @@
|
|||||||
edges
|
edges
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:35 | (bool)... |
|
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
|
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:38 | (bool)... |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:35 | (bool)... |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
|
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
|
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:38 | (bool)... |
|
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:10:24:35 | ! ... |
|
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:11:24:35 | (bool)... |
|
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:10:41:38 | ! ... |
|
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:11:41:38 | (bool)... |
|
|
||||||
nodes
|
nodes
|
||||||
| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
|
| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
|
||||||
| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
|
| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
|
||||||
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
|
| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
|
|
||||||
| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
|
|
||||||
| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
|
| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
|
||||||
| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
|
|
||||||
| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
|
|
||||||
#select
|
#select
|
||||||
| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
|
| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
|
||||||
| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
|
| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
|
||||||
|
|||||||
@@ -18,9 +18,10 @@
|
|||||||
| NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
|
| NoDestructor.cpp:23:3:23:20 | ... = ... | Resource n is acquired by class MyClass5 but not released anywhere in this class. |
|
||||||
| PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
|
| PlacementNew.cpp:36:3:36:36 | ... = ... | Resource p1 is acquired by class MyTestForPlacementNew but not released anywhere in this class. |
|
||||||
| SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. |
|
| SelfRegistering.cpp:25:3:25:24 | ... = ... | Resource side is acquired by class MyOwner but not released anywhere in this class. |
|
||||||
| Variants.cpp:25:3:25:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
|
| Variants.cpp:26:3:26:13 | ... = ... | Resource f is acquired by class MyClass4 but not released anywhere in this class. |
|
||||||
| Variants.cpp:65:3:65:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
|
| Variants.cpp:69:3:69:17 | ... = ... | Resource a is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
| Variants.cpp:66:3:66:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
|
| Variants.cpp:70:3:70:36 | ... = ... | Resource b is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
| Variants.cpp:67:3:67:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
|
| Variants.cpp:71:3:71:41 | ... = ... | Resource c is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
|
| Variants.cpp:72:3:72:22 | ... = ... | Resource d is acquired by class MyClass6 but not released anywhere in this class. |
|
||||||
| Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. |
|
| Wrapped.cpp:46:3:46:22 | ... = ... | Resource ptr2 is acquired by class Wrapped2 but not released anywhere in this class. |
|
||||||
| Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. |
|
| Wrapped.cpp:59:3:59:22 | ... = ... | Resource ptr4 is acquired by class Wrapped2 but not released anywhere in this class. |
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ void *malloc(size_t size);
|
|||||||
void *calloc(size_t nmemb, size_t size);
|
void *calloc(size_t nmemb, size_t size);
|
||||||
void *realloc(void *ptr, size_t size);
|
void *realloc(void *ptr, size_t size);
|
||||||
void free(void* ptr);
|
void free(void* ptr);
|
||||||
|
char *strdup(const char *s1);
|
||||||
|
|
||||||
int *ID(int *x)
|
int *ID(int *x)
|
||||||
{
|
{
|
||||||
@@ -45,6 +46,7 @@ public:
|
|||||||
a = new int[10]; // GOOD
|
a = new int[10]; // GOOD
|
||||||
b = (int *)calloc(10, sizeof(int)); // GOOD
|
b = (int *)calloc(10, sizeof(int)); // GOOD
|
||||||
c = (int *)realloc(0, 10 * sizeof(int)); // GOOD
|
c = (int *)realloc(0, 10 * sizeof(int)); // GOOD
|
||||||
|
d = strdup("string");
|
||||||
}
|
}
|
||||||
|
|
||||||
~MyClass5()
|
~MyClass5()
|
||||||
@@ -52,9 +54,11 @@ public:
|
|||||||
delete [] a;
|
delete [] a;
|
||||||
free(b);
|
free(b);
|
||||||
free(c);
|
free(c);
|
||||||
|
free(d);
|
||||||
}
|
}
|
||||||
|
|
||||||
int *a, *b, *c;
|
int *a, *b, *c;
|
||||||
|
char *d;
|
||||||
};
|
};
|
||||||
|
|
||||||
class MyClass6
|
class MyClass6
|
||||||
@@ -65,6 +69,7 @@ public:
|
|||||||
a = new int[10]; // BAD
|
a = new int[10]; // BAD
|
||||||
b = (int *)calloc(10, sizeof(int)); // BAD
|
b = (int *)calloc(10, sizeof(int)); // BAD
|
||||||
c = (int *)realloc(0, 10 * sizeof(int)); // BAD
|
c = (int *)realloc(0, 10 * sizeof(int)); // BAD
|
||||||
|
d = strdup("string"); // BAD
|
||||||
}
|
}
|
||||||
|
|
||||||
~MyClass6()
|
~MyClass6()
|
||||||
@@ -72,6 +77,7 @@ public:
|
|||||||
}
|
}
|
||||||
|
|
||||||
int *a, *b, *c;
|
int *a, *b, *c;
|
||||||
|
char *d;
|
||||||
};
|
};
|
||||||
|
|
||||||
class MyClass7
|
class MyClass7
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>net5.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
@@ -12,10 +11,11 @@
|
|||||||
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
||||||
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
||||||
<PackageReference Include="xunit" Version="2.4.1" />
|
<PackageReference Include="xunit" Version="2.4.1" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.Build" Version="16.9.0" />
|
<PackageReference Include="Microsoft.Build" Version="16.9.0" />
|
||||||
<PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
|
<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
2
csharp/change-notes/2021-03-24-cil-ssa.md
Normal file
2
csharp/change-notes/2021-03-24-cil-ssa.md
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* A static single assignment (SSA) library has been added to the CIL analysis library. The SSA library replaces the existing `DefUse` module, which has been deprecated.
|
||||||
2
csharp/change-notes/2021-03-24-remove-legacy-queries.md
Normal file
2
csharp/change-notes/2021-03-24-remove-legacy-queries.md
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* Legacy queries in the folders `external` and `filters` have all been removed.
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
lgtm,codescanning
|
||||||
|
* The query `VulnerablePackage.ql` has been removed.
|
||||||
@@ -4,8 +4,6 @@
|
|||||||
@_namespace com.lgtm/csharp-queries
|
@_namespace com.lgtm/csharp-queries
|
||||||
+ odasa-csharp-metrics/Files/FLinesOfCommentedCode.ql: /Metrics/Documentation
|
+ odasa-csharp-metrics/Files/FLinesOfCommentedCode.ql: /Metrics/Documentation
|
||||||
@_namespace com.lgtm/csharp-queries
|
@_namespace com.lgtm/csharp-queries
|
||||||
+ odasa-csharp-metrics/Files/FLinesOfDuplicatedCode.ql: /Metrics/Coupling
|
|
||||||
@_namespace com.lgtm/csharp-queries
|
|
||||||
+ odasa-csharp-metrics/Files/FNumberOfTests.ql: /Metrics/Size
|
+ odasa-csharp-metrics/Files/FNumberOfTests.ql: /Metrics/Size
|
||||||
@_namespace com.lgtm/csharp-queries
|
@_namespace com.lgtm/csharp-queries
|
||||||
|
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>net5.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
@@ -12,10 +11,11 @@
|
|||||||
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem" Version="4.3.0" />
|
||||||
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
<PackageReference Include="System.IO.FileSystem.Primitives" Version="4.3.0" />
|
||||||
<PackageReference Include="xunit" Version="2.4.1" />
|
<PackageReference Include="xunit" Version="2.4.1" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -16,7 +16,7 @@
|
|||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.CodeAnalysis" Version="3.9.0" />
|
<PackageReference Include="Microsoft.CodeAnalysis" Version="3.9.0" />
|
||||||
<PackageReference Include="GitInfo" Version="2.0.20">
|
<PackageReference Include="GitInfo" Version="2.1.2">
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>net5.0</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
@@ -10,10 +9,11 @@
|
|||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="xunit" Version="2.4.1" />
|
<PackageReference Include="xunit" Version="2.4.1" />
|
||||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.1">
|
<PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
|
||||||
<PrivateAssets>all</PrivateAssets>
|
<PrivateAssets>all</PrivateAssets>
|
||||||
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
|
||||||
</PackageReference>
|
</PackageReference>
|
||||||
|
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.1" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind treemap
|
* @kind treemap
|
||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType externalDependency
|
* @metricType externalDependency
|
||||||
* @precision medium
|
|
||||||
* @id cs/external-dependencies
|
* @id cs/external-dependencies
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -1,16 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>
|
|
||||||
Duplicated code increases overall code size, making the code base
|
|
||||||
harder to maintain and harder to understand. It also becomes harder to fix bugs,
|
|
||||||
since a programmer applying a fix to one copy has to always remember to update
|
|
||||||
other copies accordingly. Finally, code duplication is generally an indication of
|
|
||||||
a poorly designed or hastily written code base, which typically suffers from other
|
|
||||||
problems as well.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
</qhelp>
|
|
||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cs/lines-of-code-in-files
|
* @id cs/lines-of-code-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* complexity
|
* complexity
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn lowValues
|
* @treemap.warnOn lowValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision very-high
|
|
||||||
* @id cs/lines-of-comments-in-files
|
* @id cs/lines-of-comments-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* documentation
|
* documentation
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision high
|
|
||||||
* @id cs/lines-of-commented-out-code-in-files
|
* @id cs/lines-of-commented-out-code-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* documentation
|
* documentation
|
||||||
|
|||||||
@@ -1,30 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>
|
|
||||||
A file that contains many lines that are duplicated within the code base is problematic
|
|
||||||
for a number of reasons.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
<include src="DuplicationProblems.inc.qhelp" />
|
|
||||||
|
|
||||||
<recommendation>
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Refactor files with lots of duplicated code to extract the common code into
|
|
||||||
shared classes and assemblies.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</recommendation>
|
|
||||||
<references>
|
|
||||||
|
|
||||||
|
|
||||||
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Duplicate_code">Duplicate code</a>.</li>
|
|
||||||
<li>M. Fowler, <em>Refactoring</em>. Addison-Wesley, 1999.</li>
|
|
||||||
|
|
||||||
|
|
||||||
</references>
|
|
||||||
</qhelp>
|
|
||||||
@@ -1,27 +0,0 @@
|
|||||||
/**
|
|
||||||
* @deprecated
|
|
||||||
* @name Duplicated lines in files
|
|
||||||
* @description The number of lines in a file, including code, comment and whitespace lines,
|
|
||||||
* which are duplicated in at least one other place.
|
|
||||||
* @kind treemap
|
|
||||||
* @treemap.warnOn highValues
|
|
||||||
* @metricType file
|
|
||||||
* @metricAggregate avg sum max
|
|
||||||
* @precision high
|
|
||||||
* @id cs/duplicated-lines-in-files
|
|
||||||
* @tags testability
|
|
||||||
* modularity
|
|
||||||
*/
|
|
||||||
|
|
||||||
import external.CodeDuplication
|
|
||||||
|
|
||||||
from SourceFile f, int n
|
|
||||||
where
|
|
||||||
n =
|
|
||||||
count(int line |
|
|
||||||
exists(DuplicateBlock d | d.sourceFile() = f |
|
|
||||||
line in [d.sourceStartLine() .. d.sourceEndLine()] and
|
|
||||||
not whitelistedLineForDuplication(f, line)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
select f, n order by n desc
|
|
||||||
@@ -5,7 +5,6 @@
|
|||||||
* @treemap.warnOn highValues
|
* @treemap.warnOn highValues
|
||||||
* @metricType file
|
* @metricType file
|
||||||
* @metricAggregate avg sum max
|
* @metricAggregate avg sum max
|
||||||
* @precision medium
|
|
||||||
* @id cs/tests-in-files
|
* @id cs/tests-in-files
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -1,335 +0,0 @@
|
|||||||
/**
|
|
||||||
* Provides a list of NuGet packages with known vulnerabilities.
|
|
||||||
*
|
|
||||||
* To add a new vulnerability follow the existing pattern.
|
|
||||||
* Create a new class that extends the abstract class `Vulnerability`,
|
|
||||||
* supplying the name and the URL, and override one (or both) of
|
|
||||||
* `matchesRange` and `matchesVersion`.
|
|
||||||
*/
|
|
||||||
|
|
||||||
import csharp
|
|
||||||
import Vulnerability
|
|
||||||
|
|
||||||
class MicrosoftAdvisory4021279 extends Vulnerability {
|
|
||||||
MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
name = "System.Text.Encodings.Web" and
|
|
||||||
(
|
|
||||||
affected = "4.0.0" and fixed = "4.0.1"
|
|
||||||
or
|
|
||||||
affected = "4.3.0" and fixed = "4.3.1"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
name = "System.Net.Http" and
|
|
||||||
(
|
|
||||||
affected = "4.1.1" and fixed = "4.1.2"
|
|
||||||
or
|
|
||||||
affected = "4.3.1" and fixed = "4.3.2"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
name = "System.Net.Http.WinHttpHandler" and
|
|
||||||
(
|
|
||||||
affected = "4.0.1" and fixed = "4.0.2"
|
|
||||||
or
|
|
||||||
affected = "4.3.0" and fixed = "4.3.1"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
name = "System.Net.Security" and
|
|
||||||
(
|
|
||||||
affected = "4.0.0" and fixed = "4.0.1"
|
|
||||||
or
|
|
||||||
affected = "4.3.0" and fixed = "4.3.1"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
(
|
|
||||||
name = "Microsoft.AspNetCore.Mvc"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Core"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Abstractions"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.ApiExplorer"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Cors"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.DataAnnotations"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Formatters.Json"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Formatters.Xml"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Localization"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Razor.Host"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Razor"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.TagHelpers"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.ViewFeatures"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.WebApiCompatShim"
|
|
||||||
) and
|
|
||||||
(
|
|
||||||
affected = "1.0.0" and fixed = "1.0.4"
|
|
||||||
or
|
|
||||||
affected = "1.1.0" and fixed = "1.1.3"
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2017_8700 extends Vulnerability {
|
|
||||||
CVE_2017_8700() { this = "CVE-2017-8700" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/279" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
(
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Core"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Mvc.Cors"
|
|
||||||
) and
|
|
||||||
(
|
|
||||||
affected = "1.0.0" and fixed = "1.0.6"
|
|
||||||
or
|
|
||||||
affected = "1.1.0" and fixed = "1.1.6"
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2018_0765 extends Vulnerability {
|
|
||||||
CVE_2018_0765() { this = "CVE-2018-0765" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/67" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
name = "System.Security.Cryptography.Xml" and
|
|
||||||
affected = "0.0.0" and
|
|
||||||
fixed = "4.4.2"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class AspNetCore_Mar18 extends Vulnerability {
|
|
||||||
AspNetCore_Mar18() { this = "ASPNETCore-Mar18" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/300" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
(
|
|
||||||
name = "Microsoft.AspNetCore.Server.Kestrel.Core"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
|
|
||||||
) and
|
|
||||||
affected = "2.0.0" and
|
|
||||||
fixed = "2.0.3"
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.All" and
|
|
||||||
affected = "2.0.0" and
|
|
||||||
fixed = "2.0.8"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2018_8409 extends Vulnerability {
|
|
||||||
CVE_2018_8409() { this = "CVE-2018-8409" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/316" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
name = "System.IO.Pipelines" and affected = "4.5.0" and fixed = "4.5.1"
|
|
||||||
or
|
|
||||||
(name = "Microsoft.AspNetCore.All" or name = "Microsoft.AspNetCore.App") and
|
|
||||||
affected = "2.1.0" and
|
|
||||||
fixed = "2.1.4"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2018_8171 extends Vulnerability {
|
|
||||||
CVE_2018_8171() { this = "CVE-2018-8171" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/310" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
name = "Microsoft.AspNetCore.Identity" and
|
|
||||||
(
|
|
||||||
affected = "1.0.0" and fixed = "1.0.6"
|
|
||||||
or
|
|
||||||
affected = "1.1.0" and fixed = "1.1.6"
|
|
||||||
or
|
|
||||||
affected = "2.0.0" and fixed = "2.0.4"
|
|
||||||
or
|
|
||||||
affected = "2.1.0" and fixed = "2.1.2"
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2018_8356 extends Vulnerability {
|
|
||||||
CVE_2018_8356() { this = "CVE-2018-8356" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/73" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
(
|
|
||||||
name = "System.Private.ServiceModel"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.Http"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.NetTcp"
|
|
||||||
) and
|
|
||||||
(
|
|
||||||
affected = "4.0.0" and fixed = "4.1.3"
|
|
||||||
or
|
|
||||||
affected = "4.3.0" and fixed = "4.3.3"
|
|
||||||
or
|
|
||||||
affected = "4.4.0" and fixed = "4.4.4"
|
|
||||||
or
|
|
||||||
affected = "4.5.0" and fixed = "4.5.3"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
(
|
|
||||||
name = "System.ServiceModel.Duplex"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.Security"
|
|
||||||
) and
|
|
||||||
(
|
|
||||||
affected = "4.0.0" and fixed = "4.0.4"
|
|
||||||
or
|
|
||||||
affected = "4.3.0" and fixed = "4.3.3"
|
|
||||||
or
|
|
||||||
affected = "4.4.0" and fixed = "4.4.4"
|
|
||||||
or
|
|
||||||
affected = "4.5.0" and fixed = "4.5.3"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.NetTcp" and
|
|
||||||
(
|
|
||||||
affected = "4.0.0" and fixed = "4.1.3"
|
|
||||||
or
|
|
||||||
affected = "4.3.0" and fixed = "4.3.3"
|
|
||||||
or
|
|
||||||
affected = "4.4.0" and fixed = "4.4.4"
|
|
||||||
or
|
|
||||||
affected = "4.5.0" and fixed = "4.5.1"
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class ASPNETCore_Jul18 extends Vulnerability {
|
|
||||||
ASPNETCore_Jul18() { this = "ASPNETCore-July18" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/311" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
name = "Microsoft.AspNetCore.Server.Kestrel.Core" and
|
|
||||||
(
|
|
||||||
affected = "2.0.0" and fixed = "2.0.4"
|
|
||||||
or
|
|
||||||
affected = "2.1.0" and fixed = "2.1.2"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.All" and
|
|
||||||
(
|
|
||||||
affected = "2.0.0" and fixed = "2.0.9"
|
|
||||||
or
|
|
||||||
affected = "2.1.0" and fixed = "2.1.2"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
name = "Microsoft.AspNetCore.App" and
|
|
||||||
affected = "2.1.0" and
|
|
||||||
fixed = "2.1.2"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2018_8292 extends Vulnerability {
|
|
||||||
CVE_2018_8292() { this = "CVE-2018-8292" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/88" }
|
|
||||||
|
|
||||||
override predicate matchesVersion(string name, Version affected, Version fixed) {
|
|
||||||
name = "System.Net.Http" and
|
|
||||||
(
|
|
||||||
affected = "2.0" or
|
|
||||||
affected = "4.0.0" or
|
|
||||||
affected = "4.1.0" or
|
|
||||||
affected = "1.1.1" or
|
|
||||||
affected = "4.1.2" or
|
|
||||||
affected = "4.3.0" or
|
|
||||||
affected = "4.3.1" or
|
|
||||||
affected = "4.3.2" or
|
|
||||||
affected = "4.3.3"
|
|
||||||
) and
|
|
||||||
fixed = "4.3.4"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2018_0786 extends Vulnerability {
|
|
||||||
CVE_2018_0786() { this = "CVE-2018-0786" }
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/51" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
(
|
|
||||||
name = "System.ServiceModel.Primitives"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.Http"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.NetTcp"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.Duplex"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.Security"
|
|
||||||
or
|
|
||||||
name = "System.Private.ServiceModel"
|
|
||||||
) and
|
|
||||||
(
|
|
||||||
affected = "4.4.0" and fixed = "4.4.1"
|
|
||||||
or
|
|
||||||
affected = "4.3.0" and fixed = "4.3.1"
|
|
||||||
)
|
|
||||||
or
|
|
||||||
(
|
|
||||||
name = "System.ServiceModel.Primitives"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.Http"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.NetTcp"
|
|
||||||
or
|
|
||||||
name = "System.Private.ServiceModel"
|
|
||||||
) and
|
|
||||||
affected = "4.1.0" and
|
|
||||||
fixed = "4.1.1"
|
|
||||||
or
|
|
||||||
(
|
|
||||||
name = "System.ServiceModel.Duplex"
|
|
||||||
or
|
|
||||||
name = "System.ServiceModel.Security"
|
|
||||||
) and
|
|
||||||
affected = "4.0.1" and
|
|
||||||
fixed = "4.0.2"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class CVE_2019_0657 extends Vulnerability {
|
|
||||||
CVE_2019_0657() { this = "CVE-2019-0657" }
|
|
||||||
|
|
||||||
override predicate matchesRange(string name, Version affected, Version fixed) {
|
|
||||||
name = "Microsoft.NETCore.App" and
|
|
||||||
(
|
|
||||||
affected = "2.1.0" and fixed = "2.1.8"
|
|
||||||
or
|
|
||||||
affected = "2.2.0" and fixed = "2.2.2"
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate matchesVersion(string name, Version affected, Version fixed) {
|
|
||||||
name = "System.Private.Uri" and
|
|
||||||
affected = "4.3.0" and
|
|
||||||
fixed = "4.3.1"
|
|
||||||
}
|
|
||||||
|
|
||||||
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/97" }
|
|
||||||
}
|
|
||||||
@@ -1,93 +0,0 @@
|
|||||||
import csharp
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A package reference in an XML file, for example in a
|
|
||||||
* `.csproj` file, a `.props` file, or a `packages.config` file.
|
|
||||||
*/
|
|
||||||
class Package extends XMLElement {
|
|
||||||
string name;
|
|
||||||
Version version;
|
|
||||||
|
|
||||||
Package() {
|
|
||||||
(this.getName() = "PackageManagement" or this.getName() = "PackageReference") and
|
|
||||||
name = this.getAttributeValue("Include") and
|
|
||||||
version = this.getAttributeValue("Version")
|
|
||||||
or
|
|
||||||
this.getName() = "package" and
|
|
||||||
name = this.getAttributeValue("id") and
|
|
||||||
version = this.getAttributeValue("version")
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Gets the name of the package, for example `System.IO.Pipelines`. */
|
|
||||||
string getPackageName() { result = name }
|
|
||||||
|
|
||||||
/** Gets the version of the package, for example `4.5.1`. */
|
|
||||||
Version getVersion() { result = version }
|
|
||||||
|
|
||||||
override string toString() { result = name + " " + version }
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A vulnerability, where the name of the vulnerability is this string.
|
|
||||||
* One of `matchesRange` or `matchesVersion` must be overridden in order to
|
|
||||||
* specify which packages are vulnerable.
|
|
||||||
*/
|
|
||||||
abstract class Vulnerability extends string {
|
|
||||||
bindingset[this]
|
|
||||||
Vulnerability() { any() }
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if a package with name `name` is vulnerable from version `affected`
|
|
||||||
* until version `fixed`.
|
|
||||||
*/
|
|
||||||
predicate matchesRange(string name, Version affected, Version fixed) { none() }
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if a package with name `name` is vulnerable in version `affected`, and
|
|
||||||
* is fixed by version `fixed`.
|
|
||||||
*/
|
|
||||||
predicate matchesVersion(string name, Version affected, Version fixed) { none() }
|
|
||||||
|
|
||||||
/** Gets the URL describing the vulnerability. */
|
|
||||||
abstract string getUrl();
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if a package with name `name` and version `version`
|
|
||||||
* has this vulnerability. The fixed version is given by `fixed`.
|
|
||||||
*/
|
|
||||||
bindingset[name, version]
|
|
||||||
predicate isVulnerable(string name, Version version, Version fixed) {
|
|
||||||
exists(Version affected, string n | name.toLowerCase() = n.toLowerCase() |
|
|
||||||
matchesRange(n, affected, fixed) and
|
|
||||||
version.compareTo(fixed) < 0 and
|
|
||||||
version.compareTo(affected) >= 0
|
|
||||||
or
|
|
||||||
matchesVersion(n, affected, fixed) and
|
|
||||||
version.compareTo(affected) = 0
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
bindingset[name, version]
|
|
||||||
private Version getUltimateFix(string name, Version version) {
|
|
||||||
result = max(Version fix | any(Vulnerability v).isVulnerable(name, version, fix))
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A package with a vulnerability.
|
|
||||||
*/
|
|
||||||
class VulnerablePackage extends Package {
|
|
||||||
Vulnerability vuln;
|
|
||||||
|
|
||||||
VulnerablePackage() { vuln.isVulnerable(this.getPackageName(), this.getVersion(), _) }
|
|
||||||
|
|
||||||
/** Gets the vulnerability of this package. */
|
|
||||||
Vulnerability getVulnerability() { result = vuln }
|
|
||||||
|
|
||||||
/** Gets the version of this package where the vulnerability is fixed. */
|
|
||||||
Version getFixedVersion() {
|
|
||||||
// This is needed because sometimes the "fixed" version of some
|
|
||||||
// vulnerabilities are themselves vulnerable to other vulnerabilities.
|
|
||||||
result = getUltimateFix(this.getPackageName(), this.getVersion())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,43 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
|
|
||||||
<overview>
|
|
||||||
<p>
|
|
||||||
Using a package with a known vulnerability is a security risk that could leave the
|
|
||||||
software vulnerable to attack.
|
|
||||||
</p>
|
|
||||||
<p>
|
|
||||||
This query reads the packages imported by the project build files and
|
|
||||||
<code>.config</code> files, and checks them against a list of packages with known
|
|
||||||
vulnerabilities.
|
|
||||||
</p>
|
|
||||||
</overview>
|
|
||||||
|
|
||||||
<recommendation>
|
|
||||||
<p>
|
|
||||||
Upgrade the package to the recommended version using, for example, the NuGet package manager,
|
|
||||||
or by editing the project files directly.
|
|
||||||
</p>
|
|
||||||
</recommendation>
|
|
||||||
|
|
||||||
<example>
|
|
||||||
<p>
|
|
||||||
The following example shows a C# project file referencing package <code>System.Net.Http</code>
|
|
||||||
version 4.3.1, which is vulnerable to <a href="https://github.com/dotnet/announcements/issues/88">CVE-2018-8292</a>.
|
|
||||||
</p>
|
|
||||||
<sample src="VulnerablePackageBAD.csproj" />
|
|
||||||
<p>
|
|
||||||
The project file can be fixed by changing the version of the package to 4.3.4.
|
|
||||||
</p>
|
|
||||||
<sample src="VulnerablePackageGOOD.csproj" />
|
|
||||||
</example>
|
|
||||||
|
|
||||||
<references>
|
|
||||||
<li>
|
|
||||||
OWASP: <a href="https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities">A9-Using Components with Known Vulnerabilities</a>.
|
|
||||||
</li>
|
|
||||||
</references>
|
|
||||||
|
|
||||||
</qhelp>
|
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Using a package with a known vulnerability
|
|
||||||
* @description Using a package with a known vulnerability is a security risk.
|
|
||||||
* Upgrade the package to a version that does not contain the vulnerability.
|
|
||||||
* @kind problem
|
|
||||||
* @problem.severity error
|
|
||||||
* @precision high
|
|
||||||
* @id cs/use-of-vulnerable-package
|
|
||||||
* @tags security
|
|
||||||
* external/cwe/cwe-937
|
|
||||||
*/
|
|
||||||
|
|
||||||
import csharp
|
|
||||||
import Vulnerabilities
|
|
||||||
|
|
||||||
from Vulnerability vuln, VulnerablePackage package
|
|
||||||
where vuln = package.getVulnerability()
|
|
||||||
select package,
|
|
||||||
"Package '" + package + "' has vulnerability $@, and should be upgraded to version " +
|
|
||||||
package.getFixedVersion() + ".", vuln.getUrl(), vuln.toString()
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
|
||||||
|
|
||||||
<PropertyGroup>
|
|
||||||
<TargetFramework>netcoreapp2.0</TargetFramework>
|
|
||||||
<AssemblyName>Semmle.Autobuild</AssemblyName>
|
|
||||||
<RootNamespace>Semmle.Autobuild</RootNamespace>
|
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
</PropertyGroup>
|
|
||||||
|
|
||||||
<ItemGroup>
|
|
||||||
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
|
|
||||||
<PackageReference Include="System.Net.Http" Version="4.3.1" />
|
|
||||||
</ItemGroup>
|
|
||||||
|
|
||||||
</Project>
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
|
||||||
|
|
||||||
<PropertyGroup>
|
|
||||||
<TargetFramework>netcoreapp2.0</TargetFramework>
|
|
||||||
<AssemblyName>Semmle.Autobuild</AssemblyName>
|
|
||||||
<RootNamespace>Semmle.Autobuild</RootNamespace>
|
|
||||||
<OutputType>Exe</OutputType>
|
|
||||||
</PropertyGroup>
|
|
||||||
|
|
||||||
<ItemGroup>
|
|
||||||
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
|
|
||||||
<PackageReference Include="System.Net.Http" Version="4.3.4" />
|
|
||||||
</ItemGroup>
|
|
||||||
|
|
||||||
</Project>
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
- description: C# queries which overlap with dependency analysis
|
|
||||||
- exclude:
|
|
||||||
query path:
|
|
||||||
- Security Features/CWE-937/VulnerablePackage.ql
|
|
||||||
305
csharp/ql/src/external/CodeDuplication.qll
vendored
305
csharp/ql/src/external/CodeDuplication.qll
vendored
@@ -1,305 +0,0 @@
|
|||||||
import csharp
|
|
||||||
|
|
||||||
private string relativePath(File file) { result = file.getRelativePath().replaceAll("\\", "/") }
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if the `index`-th token of block `copy` is in file `file`, spanning
|
|
||||||
* column `sc` of line `sl` to column `ec` of line `el`.
|
|
||||||
*
|
|
||||||
* For more information, see [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
|
|
||||||
*/
|
|
||||||
pragma[nomagic]
|
|
||||||
predicate tokenLocation(File file, int sl, int sc, int ec, int el, Copy copy, int index) {
|
|
||||||
file = copy.sourceFile() and
|
|
||||||
tokens(copy, index, sl, sc, ec, el)
|
|
||||||
}
|
|
||||||
|
|
||||||
class Copy extends @duplication_or_similarity {
|
|
||||||
private int lastToken() { result = max(int i | tokens(this, i, _, _, _, _) | i) }
|
|
||||||
|
|
||||||
int tokenStartingAt(Location loc) {
|
|
||||||
tokenLocation(loc.getFile(), loc.getStartLine(), loc.getStartColumn(), _, _, this, result)
|
|
||||||
}
|
|
||||||
|
|
||||||
int tokenEndingAt(Location loc) {
|
|
||||||
tokenLocation(loc.getFile(), _, _, loc.getEndLine(), loc.getEndColumn(), this, result)
|
|
||||||
}
|
|
||||||
|
|
||||||
int sourceStartLine() { tokens(this, 0, result, _, _, _) }
|
|
||||||
|
|
||||||
int sourceStartColumn() { tokens(this, 0, _, result, _, _) }
|
|
||||||
|
|
||||||
int sourceEndLine() { tokens(this, lastToken(), _, _, result, _) }
|
|
||||||
|
|
||||||
int sourceEndColumn() { tokens(this, lastToken(), _, _, _, result) }
|
|
||||||
|
|
||||||
int sourceLines() { result = this.sourceEndLine() + 1 - this.sourceStartLine() }
|
|
||||||
|
|
||||||
int getEquivalenceClass() { duplicateCode(this, _, result) or similarCode(this, _, result) }
|
|
||||||
|
|
||||||
File sourceFile() {
|
|
||||||
exists(string name | duplicateCode(this, name, _) or similarCode(this, name, _) |
|
|
||||||
name.replaceAll("\\", "/") = relativePath(result)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate hasLocationInfo(
|
|
||||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
|
||||||
) {
|
|
||||||
sourceFile().getAbsolutePath() = filepath and
|
|
||||||
startline = sourceStartLine() and
|
|
||||||
startcolumn = sourceStartColumn() and
|
|
||||||
endline = sourceEndLine() and
|
|
||||||
endcolumn = sourceEndColumn()
|
|
||||||
}
|
|
||||||
|
|
||||||
string toString() { none() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class DuplicateBlock extends Copy, @duplication {
|
|
||||||
override string toString() { result = "Duplicate code: " + sourceLines() + " duplicated lines." }
|
|
||||||
}
|
|
||||||
|
|
||||||
class SimilarBlock extends Copy, @similarity {
|
|
||||||
override string toString() {
|
|
||||||
result = "Similar code: " + sourceLines() + " almost duplicated lines."
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private Method sourceMethod() { method_location(result, _) and numlines(result, _, _, _) }
|
|
||||||
|
|
||||||
private int numberOfSourceMethods(Class c) {
|
|
||||||
result = count(Method m | m = sourceMethod() and m.getDeclaringType() = c)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate blockCoversStatement(int equivClass, int first, int last, Stmt stmt) {
|
|
||||||
exists(DuplicateBlock b, Location loc |
|
|
||||||
stmt.getLocation() = loc and
|
|
||||||
first = b.tokenStartingAt(loc) and
|
|
||||||
last = b.tokenEndingAt(loc) and
|
|
||||||
b.getEquivalenceClass() = equivClass
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private Stmt statementInMethod(Method m) {
|
|
||||||
result.getEnclosingCallable() = m and
|
|
||||||
not result instanceof BlockStmt
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate duplicateStatement(Method m1, Method m2, Stmt s1, Stmt s2) {
|
|
||||||
exists(int equivClass, int first, int last |
|
|
||||||
s1 = statementInMethod(m1) and
|
|
||||||
s2 = statementInMethod(m2) and
|
|
||||||
blockCoversStatement(equivClass, first, last, s1) and
|
|
||||||
blockCoversStatement(equivClass, first, last, s2) and
|
|
||||||
s1 != s2 and
|
|
||||||
m1 != m2
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Holds if `duplicate` number of statements are duplicated in the methods. */
|
|
||||||
predicate duplicateStatements(Method m1, Method m2, int duplicate, int total) {
|
|
||||||
duplicate = strictcount(Stmt s | duplicateStatement(m1, m2, s, _)) and
|
|
||||||
total = strictcount(statementInMethod(m1))
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Find pairs of methods are identical
|
|
||||||
*/
|
|
||||||
predicate duplicateMethod(Method m, Method other) {
|
|
||||||
exists(int total | duplicateStatements(m, other, total, total))
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate similarLines(File f, int line) {
|
|
||||||
exists(SimilarBlock b | b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()])
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate similarLinesPerEquivalenceClass(int equivClass, int lines, File f) {
|
|
||||||
lines =
|
|
||||||
strictsum(SimilarBlock b, int toSum |
|
|
||||||
(b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
|
|
||||||
toSum = b.sourceLines()
|
|
||||||
|
|
|
||||||
toSum
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
pragma[noopt]
|
|
||||||
private predicate similarLinesCovered(File f, int coveredLines, File otherFile) {
|
|
||||||
exists(int numLines | numLines = f.getNumberOfLines() |
|
|
||||||
exists(int coveredApprox |
|
|
||||||
coveredApprox =
|
|
||||||
strictsum(int num |
|
|
||||||
exists(int equivClass |
|
|
||||||
similarLinesPerEquivalenceClass(equivClass, num, f) and
|
|
||||||
similarLinesPerEquivalenceClass(equivClass, num, otherFile) and
|
|
||||||
f != otherFile
|
|
||||||
)
|
|
||||||
) and
|
|
||||||
exists(int n, int product | product = coveredApprox * 100 and n = product / numLines | n > 75)
|
|
||||||
) and
|
|
||||||
exists(int notCovered |
|
|
||||||
notCovered =
|
|
||||||
count(int j |
|
|
||||||
j in [1 .. numLines] and
|
|
||||||
not similarLines(f, j)
|
|
||||||
) and
|
|
||||||
coveredLines = numLines - notCovered
|
|
||||||
)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate duplicateLines(File f, int line) {
|
|
||||||
exists(DuplicateBlock b |
|
|
||||||
b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()]
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate duplicateLinesPerEquivalenceClass(int equivClass, int lines, File f) {
|
|
||||||
lines =
|
|
||||||
strictsum(DuplicateBlock b, int toSum |
|
|
||||||
(b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and
|
|
||||||
toSum = b.sourceLines()
|
|
||||||
|
|
|
||||||
toSum
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
pragma[noopt]
|
|
||||||
private predicate duplicateLinesCovered(File f, int coveredLines, File otherFile) {
|
|
||||||
exists(int numLines | numLines = f.getNumberOfLines() |
|
|
||||||
exists(int coveredApprox |
|
|
||||||
coveredApprox =
|
|
||||||
strictsum(int num |
|
|
||||||
exists(int equivClass |
|
|
||||||
duplicateLinesPerEquivalenceClass(equivClass, num, f) and
|
|
||||||
duplicateLinesPerEquivalenceClass(equivClass, num, otherFile) and
|
|
||||||
f != otherFile
|
|
||||||
)
|
|
||||||
) and
|
|
||||||
exists(int n, int product | product = coveredApprox * 100 and n = product / numLines | n > 75)
|
|
||||||
) and
|
|
||||||
exists(int notCovered |
|
|
||||||
notCovered =
|
|
||||||
count(int j |
|
|
||||||
j in [1 .. numLines] and
|
|
||||||
not duplicateLines(f, j)
|
|
||||||
) and
|
|
||||||
coveredLines = numLines - notCovered
|
|
||||||
)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Holds if the two files are not duplicated but have more than 80% similar lines. */
|
|
||||||
predicate similarFiles(File f, File other, int percent) {
|
|
||||||
exists(int covered, int total |
|
|
||||||
similarLinesCovered(f, covered, other) and
|
|
||||||
total = f.getNumberOfLines() and
|
|
||||||
covered * 100 / total = percent and
|
|
||||||
percent > 80
|
|
||||||
) and
|
|
||||||
not duplicateFiles(f, other, _)
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Holds if the two files have more than 70% duplicated lines. */
|
|
||||||
predicate duplicateFiles(File f, File other, int percent) {
|
|
||||||
exists(int covered, int total |
|
|
||||||
duplicateLinesCovered(f, covered, other) and
|
|
||||||
total = f.getNumberOfLines() and
|
|
||||||
covered * 100 / total = percent and
|
|
||||||
percent > 70
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
pragma[noopt]
|
|
||||||
private predicate duplicateAnonymousClass(AnonymousClass c, AnonymousClass other) {
|
|
||||||
exists(int numDup |
|
|
||||||
numDup =
|
|
||||||
strictcount(Method m1 |
|
|
||||||
exists(Method m2 |
|
|
||||||
duplicateMethod(m1, m2) and
|
|
||||||
m1 = sourceMethod() and
|
|
||||||
m1.getDeclaringType() = c and
|
|
||||||
c instanceof AnonymousClass and
|
|
||||||
m2.getDeclaringType() = other and
|
|
||||||
other instanceof AnonymousClass and
|
|
||||||
c != other
|
|
||||||
)
|
|
||||||
) and
|
|
||||||
numDup = numberOfSourceMethods(c) and
|
|
||||||
numDup = numberOfSourceMethods(other) and
|
|
||||||
forall(Type t | c.getABaseType() = t | t = other.getABaseType())
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
pragma[noopt]
|
|
||||||
private predicate mostlyDuplicateClassBase(Class c, Class other, int numDup, int total) {
|
|
||||||
numDup =
|
|
||||||
strictcount(Method m1 |
|
|
||||||
exists(Method m2 |
|
|
||||||
duplicateMethod(m1, m2) and
|
|
||||||
m1 = sourceMethod() and
|
|
||||||
m1.getDeclaringType() = c and
|
|
||||||
m2.getDeclaringType() = other and
|
|
||||||
other instanceof Class and
|
|
||||||
c != other
|
|
||||||
)
|
|
||||||
) and
|
|
||||||
total = numberOfSourceMethods(c) and
|
|
||||||
exists(int n, int product | product = 100 * numDup and n = product / total | n > 80) and
|
|
||||||
not c instanceof AnonymousClass and
|
|
||||||
not other instanceof AnonymousClass
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Holds if the methods in the two classes are more than 80% duplicated. */
|
|
||||||
predicate mostlyDuplicateClass(Class c, Class other, string message) {
|
|
||||||
exists(int numDup, int total |
|
|
||||||
mostlyDuplicateClassBase(c, other, numDup, total) and
|
|
||||||
(
|
|
||||||
total != numDup and
|
|
||||||
exists(string s1, string s2, string s3, string name |
|
|
||||||
s1 = " out of " and
|
|
||||||
s2 = " methods in " and
|
|
||||||
s3 = " are duplicated in $@." and
|
|
||||||
name = c.getName()
|
|
||||||
|
|
|
||||||
message = numDup + s1 + total + s2 + name + s3
|
|
||||||
)
|
|
||||||
or
|
|
||||||
total = numDup and
|
|
||||||
exists(string s1, string s2, string name |
|
|
||||||
s1 = "All methods in " and s2 = " are identical in $@." and name = c.getName()
|
|
||||||
|
|
|
||||||
message = s1 + name + s2
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Holds if the two files are similar or duplicated. */
|
|
||||||
predicate fileLevelDuplication(File f, File other) {
|
|
||||||
similarFiles(f, other, _) or duplicateFiles(f, other, _)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if the two classes are duplicated anonymous classes or more than 80% of
|
|
||||||
* their methods are duplicated.
|
|
||||||
*/
|
|
||||||
predicate classLevelDuplication(Class c, Class other) {
|
|
||||||
duplicateAnonymousClass(c, other) or mostlyDuplicateClass(c, other, _)
|
|
||||||
}
|
|
||||||
|
|
||||||
private Element whitelistedDuplicateElement() {
|
|
||||||
result instanceof UsingNamespaceDirective or
|
|
||||||
result instanceof UsingStaticDirective
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if the `line` in the `file` contains an element, such as a `using`
|
|
||||||
* directive, that is not considered for code duplication.
|
|
||||||
*/
|
|
||||||
predicate whitelistedLineForDuplication(File file, int line) {
|
|
||||||
exists(Location loc | loc = whitelistedDuplicateElement().getLocation() |
|
|
||||||
line = loc.getStartLine() and file = loc.getFile()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
34
csharp/ql/src/external/DefectFilter.qll
vendored
34
csharp/ql/src/external/DefectFilter.qll
vendored
@@ -1,34 +0,0 @@
|
|||||||
import csharp
|
|
||||||
|
|
||||||
external predicate defectResults(
|
|
||||||
int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,
|
|
||||||
string message
|
|
||||||
);
|
|
||||||
|
|
||||||
class DefectResult extends int {
|
|
||||||
DefectResult() { defectResults(this, _, _, _, _, _, _, _) }
|
|
||||||
|
|
||||||
string getQueryPath() { defectResults(this, result, _, _, _, _, _, _) }
|
|
||||||
|
|
||||||
File getFile() {
|
|
||||||
exists(string path |
|
|
||||||
defectResults(this, _, path, _, _, _, _, _) and result.getAbsolutePath() = path
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
int getStartLine() { defectResults(this, _, _, result, _, _, _, _) }
|
|
||||||
|
|
||||||
int getStartColumn() { defectResults(this, _, _, _, result, _, _, _) }
|
|
||||||
|
|
||||||
int getEndLine() { defectResults(this, _, _, _, _, result, _, _) }
|
|
||||||
|
|
||||||
int getEndColumn() { defectResults(this, _, _, _, _, _, result, _) }
|
|
||||||
|
|
||||||
string getMessage() { defectResults(this, _, _, _, _, _, _, result) }
|
|
||||||
|
|
||||||
string getURL() {
|
|
||||||
result =
|
|
||||||
"file://" + getFile().getAbsolutePath() + ":" + getStartLine() + ":" + getStartColumn() + ":" +
|
|
||||||
getEndLine() + ":" + getEndColumn()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
22
csharp/ql/src/external/DuplicateMethod.cs
vendored
22
csharp/ql/src/external/DuplicateMethod.cs
vendored
@@ -1,22 +0,0 @@
|
|||||||
class Toolbox
|
|
||||||
{
|
|
||||||
private int x;
|
|
||||||
private int y;
|
|
||||||
public void move(int x, int y)
|
|
||||||
{
|
|
||||||
this.x = x;
|
|
||||||
this.y = y;
|
|
||||||
}
|
|
||||||
// ...
|
|
||||||
}
|
|
||||||
class Window
|
|
||||||
{
|
|
||||||
private int x;
|
|
||||||
private int y;
|
|
||||||
public void move(int x, int y)
|
|
||||||
{
|
|
||||||
this.x = x;
|
|
||||||
this.y = y;
|
|
||||||
}
|
|
||||||
// ...
|
|
||||||
}
|
|
||||||
35
csharp/ql/src/external/DuplicateMethod.qhelp
vendored
35
csharp/ql/src/external/DuplicateMethod.qhelp
vendored
@@ -1,35 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>Methods should not be duplicated at more than one place in the program. Duplicating code makes it harder to update
|
|
||||||
should a change need to be made. It also makes the code harder to read.</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
<recommendation>
|
|
||||||
<p>Determining how to address this issue requires some consideration. If the duplicate methods are in the same class
|
|
||||||
then it is normally possible to just remove one and replace all references to that method by references to the other
|
|
||||||
method. If the methods are in different classes then there might be a need to create a superclass that
|
|
||||||
contains the method, which both classes inherit. If it is not logical to create a superclass the method
|
|
||||||
could be moved into a separate utility class.</p>
|
|
||||||
|
|
||||||
</recommendation>
|
|
||||||
<example>
|
|
||||||
<p>In this example the Toolbox and the Window class both have the same move method. In this case it would be logical to
|
|
||||||
put this method as well as the x and y properties into a new superclass that Toolbox and Window extend.</p>
|
|
||||||
<sample src="DuplicateMethod.cs" />
|
|
||||||
|
|
||||||
</example>
|
|
||||||
<section title="Fixing Using a Superclass">
|
|
||||||
<p>The example could be easily fixed by moving the x and y properties as well as the move method to a parent class. Note
|
|
||||||
that the x and y properties have to be changed to protected if they are accessed from the Toolbox and Window classes.</p>
|
|
||||||
<sample src="DuplicateMethodFix.cs" />
|
|
||||||
|
|
||||||
</section>
|
|
||||||
<references>
|
|
||||||
|
|
||||||
<li>Elmar Juergens, Florian Deissenboeck, Benjamin Hummel and Stefan Wagner. <em>Do Code Clones Matter?</em>. 2009.</li>
|
|
||||||
|
|
||||||
</references>
|
|
||||||
</qhelp>
|
|
||||||
41
csharp/ql/src/external/DuplicateMethod.ql
vendored
41
csharp/ql/src/external/DuplicateMethod.ql
vendored
@@ -1,41 +0,0 @@
|
|||||||
/**
|
|
||||||
* @deprecated
|
|
||||||
* @name Duplicate method
|
|
||||||
* @description There is another identical implementation of this method. Extract the code to a common superclass or delegate to improve sharing.
|
|
||||||
* @kind problem
|
|
||||||
* @problem.severity recommendation
|
|
||||||
* @precision high
|
|
||||||
* @id cs/duplicate-method
|
|
||||||
* @tags testability
|
|
||||||
* maintainability
|
|
||||||
* useless-code
|
|
||||||
* duplicate-code
|
|
||||||
* statistical
|
|
||||||
* non-attributable
|
|
||||||
*/
|
|
||||||
|
|
||||||
import csharp
|
|
||||||
import CodeDuplication
|
|
||||||
|
|
||||||
predicate relevant(Method m) {
|
|
||||||
m.getNumberOfLinesOfCode() > 5 and not m.getName().matches("get%")
|
|
||||||
or
|
|
||||||
m.getNumberOfLinesOfCode() > 10
|
|
||||||
}
|
|
||||||
|
|
||||||
pragma[noopt]
|
|
||||||
predicate query(Method m, Method other) {
|
|
||||||
duplicateMethod(m, other) and
|
|
||||||
relevant(m) and
|
|
||||||
not exists(File f1, File f2 |
|
|
||||||
m.getFile() = f1 and fileLevelDuplication(f1, f2) and other.getFile() = f2
|
|
||||||
) and
|
|
||||||
not exists(Type t1, Type t2 |
|
|
||||||
m.getDeclaringType() = t1 and classLevelDuplication(t1, t2) and other.getDeclaringType() = t2
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
from Method m, Method other
|
|
||||||
where query(m, other)
|
|
||||||
select m, "Method " + m.getName() + " is duplicated in $@.", other,
|
|
||||||
other.getDeclaringType().getName() + "." + other.getName()
|
|
||||||
18
csharp/ql/src/external/DuplicateMethodFix.cs
vendored
18
csharp/ql/src/external/DuplicateMethodFix.cs
vendored
@@ -1,18 +0,0 @@
|
|||||||
class Container
|
|
||||||
{
|
|
||||||
protected int x;
|
|
||||||
protected int y;
|
|
||||||
public void move(int x, int y)
|
|
||||||
{
|
|
||||||
this.x = x;
|
|
||||||
this.y = y;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
class Toolbox : Container
|
|
||||||
{
|
|
||||||
// ...
|
|
||||||
}
|
|
||||||
class Window : Container
|
|
||||||
{
|
|
||||||
// ...
|
|
||||||
}
|
|
||||||
79
csharp/ql/src/external/ExternalArtifact.qll
vendored
79
csharp/ql/src/external/ExternalArtifact.qll
vendored
@@ -1,79 +0,0 @@
|
|||||||
import csharp
|
|
||||||
|
|
||||||
class ExternalElement extends @external_element {
|
|
||||||
/** Gets a textual representation of this element. */
|
|
||||||
string toString() { none() }
|
|
||||||
|
|
||||||
/** Gets the location of this element. */
|
|
||||||
Location getLocation() { none() }
|
|
||||||
|
|
||||||
/** Gets the file containing this element. */
|
|
||||||
File getFile() { result = getLocation().getFile() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class ExternalDefect extends ExternalElement, @externalDefect {
|
|
||||||
string getQueryPath() {
|
|
||||||
exists(string path |
|
|
||||||
externalDefects(this, path, _, _, _) and
|
|
||||||
result = path.replaceAll("\\", "/")
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
string getMessage() { externalDefects(this, _, _, result, _) }
|
|
||||||
|
|
||||||
float getSeverity() { externalDefects(this, _, _, _, result) }
|
|
||||||
|
|
||||||
override Location getLocation() { externalDefects(this, _, result, _, _) }
|
|
||||||
|
|
||||||
override string toString() {
|
|
||||||
result = getQueryPath() + ": " + getLocation() + " - " + getMessage()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class ExternalMetric extends ExternalElement, @externalMetric {
|
|
||||||
string getQueryPath() { externalMetrics(this, result, _, _) }
|
|
||||||
|
|
||||||
float getValue() { externalMetrics(this, _, _, result) }
|
|
||||||
|
|
||||||
override Location getLocation() { externalMetrics(this, _, result, _) }
|
|
||||||
|
|
||||||
override string toString() { result = getQueryPath() + ": " + getLocation() + " - " + getValue() }
|
|
||||||
}
|
|
||||||
|
|
||||||
class ExternalData extends ExternalElement, @externalDataElement {
|
|
||||||
string getDataPath() { externalData(this, result, _, _) }
|
|
||||||
|
|
||||||
string getQueryPath() { result = getDataPath().regexpReplaceAll("\\.[^.]*$", ".ql") }
|
|
||||||
|
|
||||||
int getNumFields() { result = 1 + max(int i | externalData(this, _, i, _) | i) }
|
|
||||||
|
|
||||||
string getField(int index) { externalData(this, _, index, result) }
|
|
||||||
|
|
||||||
int getFieldAsInt(int index) { result = getField(index).toInt() }
|
|
||||||
|
|
||||||
float getFieldAsFloat(int index) { result = getField(index).toFloat() }
|
|
||||||
|
|
||||||
date getFieldAsDate(int index) { result = getField(index).toDate() }
|
|
||||||
|
|
||||||
override string toString() { result = getQueryPath() + ": " + buildTupleString(0) }
|
|
||||||
|
|
||||||
private string buildTupleString(int start) {
|
|
||||||
start = getNumFields() - 1 and result = getField(start)
|
|
||||||
or
|
|
||||||
start < getNumFields() - 1 and result = getField(start) + "," + buildTupleString(start + 1)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* External data with a location, and a message, as produced by tools that used to produce QLDs.
|
|
||||||
*/
|
|
||||||
class DefectExternalData extends ExternalData {
|
|
||||||
DefectExternalData() {
|
|
||||||
this.getField(0).regexpMatch("\\w+://.*:[0-9]+:[0-9]+:[0-9]+:[0-9]+$") and
|
|
||||||
this.getNumFields() = 2
|
|
||||||
}
|
|
||||||
|
|
||||||
string getURL() { result = getField(0) }
|
|
||||||
|
|
||||||
string getMessage() { result = getField(1) }
|
|
||||||
}
|
|
||||||
44
csharp/ql/src/external/MetricFilter.qll
vendored
44
csharp/ql/src/external/MetricFilter.qll
vendored
@@ -1,44 +0,0 @@
|
|||||||
import csharp
|
|
||||||
|
|
||||||
external predicate metricResults(
|
|
||||||
int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,
|
|
||||||
float value
|
|
||||||
);
|
|
||||||
|
|
||||||
class MetricResult extends int {
|
|
||||||
MetricResult() { metricResults(this, _, _, _, _, _, _, _) }
|
|
||||||
|
|
||||||
string getQueryPath() { metricResults(this, result, _, _, _, _, _, _) }
|
|
||||||
|
|
||||||
File getFile() {
|
|
||||||
exists(string path |
|
|
||||||
metricResults(this, _, path, _, _, _, _, _) and result.getAbsolutePath() = path
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
int getStartLine() { metricResults(this, _, _, result, _, _, _, _) }
|
|
||||||
|
|
||||||
int getStartColumn() { metricResults(this, _, _, _, result, _, _, _) }
|
|
||||||
|
|
||||||
int getEndLine() { metricResults(this, _, _, _, _, result, _, _) }
|
|
||||||
|
|
||||||
int getEndColumn() { metricResults(this, _, _, _, _, _, result, _) }
|
|
||||||
|
|
||||||
predicate hasMatchingLocation() { exists(this.getMatchingLocation()) }
|
|
||||||
|
|
||||||
Location getMatchingLocation() {
|
|
||||||
result.getFile() = this.getFile() and
|
|
||||||
result.getStartLine() = this.getStartLine() and
|
|
||||||
result.getEndLine() = this.getEndLine() and
|
|
||||||
result.getStartColumn() = this.getStartColumn() and
|
|
||||||
result.getEndColumn() = this.getEndColumn()
|
|
||||||
}
|
|
||||||
|
|
||||||
float getValue() { metricResults(this, _, _, _, _, _, _, result) }
|
|
||||||
|
|
||||||
string getURL() {
|
|
||||||
result =
|
|
||||||
"file://" + getFile().getAbsolutePath() + ":" + getStartLine() + ":" + getStartColumn() + ":" +
|
|
||||||
getEndLine() + ":" + getEndColumn()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>If two classes share a lot of each other's methods then there is a lot of unnecessary code duplication.
|
|
||||||
This makes it difficult to make changes in future and makes the code harder to read.</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
<recommendation>
|
|
||||||
<p>If a duplicate class has been included by mistake then remove it. Otherwise consider making a common
|
|
||||||
superclass for both classes or even making one of the classes a superclass of the other.</p>
|
|
||||||
|
|
||||||
</recommendation>
|
|
||||||
<references>
|
|
||||||
|
|
||||||
<li>Elmar Juergens, Florian Deissenboeck, Benjamin Hummel and Stefan Wagner. <em>Do Code Clones Matter?</em>. 2009.</li>
|
|
||||||
|
|
||||||
</references>
|
|
||||||
</qhelp>
|
|
||||||
24
csharp/ql/src/external/MostlyDuplicateClass.ql
vendored
24
csharp/ql/src/external/MostlyDuplicateClass.ql
vendored
@@ -1,24 +0,0 @@
|
|||||||
/**
|
|
||||||
* @deprecated
|
|
||||||
* @name Duplicate class
|
|
||||||
* @description More than 80% of the methods in this class are duplicated in another class. Create a common supertype to improve code sharing.
|
|
||||||
* @kind problem
|
|
||||||
* @problem.severity recommendation
|
|
||||||
* @precision high
|
|
||||||
* @id cs/duplicate-class
|
|
||||||
* @tags testability
|
|
||||||
* maintainability
|
|
||||||
* useless-code
|
|
||||||
* duplicate-code
|
|
||||||
* statistical
|
|
||||||
* non-attributable
|
|
||||||
*/
|
|
||||||
|
|
||||||
import csharp
|
|
||||||
import CodeDuplication
|
|
||||||
|
|
||||||
from Class c, string message, Class link
|
|
||||||
where
|
|
||||||
mostlyDuplicateClass(c, link, message) and
|
|
||||||
not fileLevelDuplication(c.getFile(), _)
|
|
||||||
select c, message, link, link.getName()
|
|
||||||
31
csharp/ql/src/external/MostlyDuplicateFile.qhelp
vendored
31
csharp/ql/src/external/MostlyDuplicateFile.qhelp
vendored
@@ -1,31 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
<overview>
|
|
||||||
<p>If two files share a lot of each other's code then there is a lot of unnecessary code duplication.
|
|
||||||
This makes it difficult to make changes in future and makes the code harder to read.</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
<recommendation>
|
|
||||||
<p>While completely duplicated files are rare, they are usually a sign of a simple oversight.
|
|
||||||
Usually the required action is to remove all but one of them. A common exception to this rule may arise
|
|
||||||
from generated code that simply occurs in several places in the source tree; the check can be
|
|
||||||
adapted to exclude such results.</p>
|
|
||||||
|
|
||||||
<p>It is far more common to see duplication of many lines between two files, leaving just a few that
|
|
||||||
are actually different. Consider such situations carefully. Are the differences deliberate or
|
|
||||||
a result of an inconsistent update to one of the clones? If the latter, then treating the files as
|
|
||||||
completely duplicate and eliminating one (while preserving any corrections or new features that
|
|
||||||
may have been introduced) is the best course. If two files serve genuinely different purposes but almost
|
|
||||||
all of their lines are the same, that can be a sign that there is a missing level of abstraction. Look
|
|
||||||
for ways to share the functionality, either by creating a utility class for the common parts or by
|
|
||||||
encapsulating the common parts into a new super class of any classes involved.</p>
|
|
||||||
|
|
||||||
</recommendation>
|
|
||||||
<references>
|
|
||||||
|
|
||||||
<li>Elmar Juergens, Florian Deissenboeck, Benjamin Hummel and Stefan Wagner. <em>Do Code Clones Matter?</em>. 2009.</li>
|
|
||||||
|
|
||||||
</references>
|
|
||||||
</qhelp>
|
|
||||||
23
csharp/ql/src/external/MostlyDuplicateFile.ql
vendored
23
csharp/ql/src/external/MostlyDuplicateFile.ql
vendored
@@ -1,23 +0,0 @@
|
|||||||
/**
|
|
||||||
* @deprecated
|
|
||||||
* @name Mostly duplicate file
|
|
||||||
* @description There is another file that shares a lot of the code with this file. Merge the two files to improve maintainability.
|
|
||||||
* @kind problem
|
|
||||||
* @problem.severity recommendation
|
|
||||||
* @precision high
|
|
||||||
* @id cs/duplicate-file
|
|
||||||
* @tags testability
|
|
||||||
* maintainability
|
|
||||||
* useless-code
|
|
||||||
* duplicate-code
|
|
||||||
* statistical
|
|
||||||
* non-attributable
|
|
||||||
*/
|
|
||||||
|
|
||||||
import csharp
|
|
||||||
import CodeDuplication
|
|
||||||
|
|
||||||
from File f, File other, int percent
|
|
||||||
where duplicateFiles(f, other, percent)
|
|
||||||
select f, percent + "% of the lines in " + f.getBaseName() + " are copies of lines in $@.", other,
|
|
||||||
other.getBaseName()
|
|
||||||
@@ -1,48 +0,0 @@
|
|||||||
<!DOCTYPE qhelp PUBLIC
|
|
||||||
"-//Semmle//qhelp//EN"
|
|
||||||
"qhelp.dtd">
|
|
||||||
<qhelp>
|
|
||||||
|
|
||||||
<overview>
|
|
||||||
<p>When most of the lines in one method are duplicated in one or more other
|
|
||||||
methods, the methods themselves are regarded as <em>mostly duplicate</em> or <em>similar</em>.</p>
|
|
||||||
|
|
||||||
<p>Code duplication in general is highly undesirable for a range of reasons. The artificially
|
|
||||||
inflated amount of code is more difficult to understand, and sequences of similar but subtly different lines
|
|
||||||
can mask the real purpose or intention behind them. Also, there is always a risk that only one
|
|
||||||
of several copies of the code is updated to address a defect or add a feature.</p>
|
|
||||||
|
|
||||||
</overview>
|
|
||||||
<recommendation>
|
|
||||||
<p>Although completely duplicated methods are rare, they are usually a sign of a simple
|
|
||||||
oversight (or deliberate copy/paste) by a developer. Usually the required solution
|
|
||||||
is to remove all but one of them.</p>
|
|
||||||
|
|
||||||
<p>It is more common to see duplication of many lines between two methods, leaving just
|
|
||||||
a few that are actually different. Decide whether the differences are
|
|
||||||
intended or the result of an inconsistent update to one of the copies.</p>
|
|
||||||
<ul>
|
|
||||||
<li>If the two methods serve different purposes but many of their lines are duplicated, this indicates
|
|
||||||
that there is a missing level of abstraction. Look for ways of encapsulating the commonality and sharing it while
|
|
||||||
retaining the differences in functionality. Perhaps the method can be moved to a single place
|
|
||||||
and given an additional parameter, allowing it to cover all use cases. Alternatively, there
|
|
||||||
may be a common pre-processing or post-processing step that can be extracted to its own (shared)
|
|
||||||
method, leaving only the specific parts in the existing methods. Modern IDEs may provide
|
|
||||||
refactoring support for this sort of issue, usually with the names "Extract method", "Change method signature",
|
|
||||||
"Pull up" or "Extract supertype".</li>
|
|
||||||
<li>If the two methods serve the same purpose and are different only as a result of inconsistent updates
|
|
||||||
then treat the methods as completely duplicate. Determine
|
|
||||||
the most up-to-date and correct version of the code and eliminate all near duplicates. Callers of the
|
|
||||||
removed methods should be updated to call the remaining method instead. </li></ul>
|
|
||||||
|
|
||||||
</recommendation>
|
|
||||||
<references>
|
|
||||||
|
|
||||||
<li>E. Juergens, F. Deissenboeck, B. Hummel, S. Wagner.
|
|
||||||
<em>Do code clones matter?</em> Proceedings of the 31st International Conference on
|
|
||||||
Software Engineering,
|
|
||||||
485-495, 2009.</li>
|
|
||||||
|
|
||||||
|
|
||||||
</references>
|
|
||||||
</qhelp>
|
|
||||||
30
csharp/ql/src/external/MostlyDuplicateMethod.ql
vendored
30
csharp/ql/src/external/MostlyDuplicateMethod.ql
vendored
@@ -1,30 +0,0 @@
|
|||||||
/**
|
|
||||||
* @deprecated
|
|
||||||
* @name Mostly duplicate method
|
|
||||||
* @description There is another method that shares a lot of the code with this method. Extract the code to a common superclass or delegate to improve sharing.
|
|
||||||
* @kind problem
|
|
||||||
* @problem.severity recommendation
|
|
||||||
* @precision high
|
|
||||||
* @id cs/similar-method
|
|
||||||
* @tags testability
|
|
||||||
* maintainability
|
|
||||||
* useless-code
|
|
||||||
* statistical
|
|
||||||
* non-attributable
|
|
||||||
*/
|
|
||||||
|
|
||||||
import csharp
|
|
||||||
import CodeDuplication
|
|
||||||
|
|
||||||
from Method m, int covered, int total, Method other, int percent
|
|
||||||
where
|
|
||||||
duplicateStatements(m, other, covered, total) and
|
|
||||||
covered != total and
|
|
||||||
m.getNumberOfLinesOfCode() > 5 and
|
|
||||||
covered * 100 / total = percent and
|
|
||||||
percent > 80 and
|
|
||||||
not duplicateMethod(m, other) and
|
|
||||||
not classLevelDuplication(m.getDeclaringType(), other.getDeclaringType()) and
|
|
||||||
not fileLevelDuplication(m.getFile(), other.getFile())
|
|
||||||
select m, percent + "% of the statements in " + m.getName() + " are duplicated in $@.", other,
|
|
||||||
other.getDeclaringType().getName() + "." + other.getName()
|
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user