Compare commits
1 Commits
codeql-cli
...
security-s
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
47adf24b25 |
@@ -1,6 +1,5 @@
|
|||||||
{ "provide": [ "*/ql/src/qlpack.yml",
|
{ "provide": [ "*/ql/src/qlpack.yml",
|
||||||
"*/ql/test/qlpack.yml",
|
"*/ql/test/qlpack.yml",
|
||||||
"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
|
|
||||||
"*/ql/examples/qlpack.yml",
|
"*/ql/examples/qlpack.yml",
|
||||||
"*/upgrades/qlpack.yml",
|
"*/upgrades/qlpack.yml",
|
||||||
"misc/legacy-support/*/qlpack.yml",
|
"misc/legacy-support/*/qlpack.yml",
|
||||||
|
|||||||
4
.github/workflows/check-change-note.yml
@@ -19,5 +19,5 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
|
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
|
||||||
grep true -c
|
jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
|
||||||
|
|||||||
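Review bot: `gh api --paginate` prints one JSON array per page, so the `jq 'any(...)'` on the new side runs once per page and `--exit-status` only reflects the last page's result; a PR whose change note is on an earlier page fails the check even though a note exists. Slurp the pages before testing: `jq --slurp 'any(.[][].filename ; test("/change-notes/.*[.]md$"))' --exit-status`. The step's `name`/`uses` lines are above the hunk, so whether the step is otherwise guarded is not visible here.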
4
.github/workflows/close-stale.yml
@@ -15,11 +15,11 @@ jobs:
|
|||||||
- uses: actions/stale@v3
|
- uses: actions/stale@v3
|
||||||
with:
|
with:
|
||||||
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
|
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `stale` label in order to avoid having this issue closed in 7 days.'
|
||||||
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
|
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
|
||||||
days-before-stale: 14
|
days-before-stale: 14
|
||||||
days-before-close: 7
|
days-before-close: 7
|
||||||
only-labels: awaiting-response
|
only-labels: question
|
||||||
|
|
||||||
# do not mark PRs as stale
|
# do not mark PRs as stale
|
||||||
days-before-pr-stale: -1
|
days-before-pr-stale: -1
|
||||||
|
|||||||
11
.github/workflows/codeql-analysis.yml
@@ -19,18 +19,13 @@ jobs:
|
|||||||
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
security-events: write
|
|
||||||
pull-requests: read
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@v1
|
||||||
# Override language selection by uncommenting this and choosing your languages
|
# Override language selection by uncommenting this and choosing your languages
|
||||||
with:
|
with:
|
||||||
languages: csharp
|
languages: csharp
|
||||||
@@ -39,7 +34,7 @@ jobs:
|
|||||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||||
# If this step fails, then you should remove it and run the build manually (see below)
|
# If this step fails, then you should remove it and run the build manually (see below)
|
||||||
- name: Autobuild
|
- name: Autobuild
|
||||||
uses: github/codeql-action/autobuild@main
|
uses: github/codeql-action/autobuild@v1
|
||||||
|
|
||||||
# ℹ️ Command-line programs to run using the OS shell.
|
# ℹ️ Command-line programs to run using the OS shell.
|
||||||
# 📚 https://git.io/JvXDl
|
# 📚 https://git.io/JvXDl
|
||||||
@@ -53,4 +48,4 @@ jobs:
|
|||||||
# make release
|
# make release
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
- name: Perform CodeQL Analysis
|
||||||
uses: github/codeql-action/analyze@main
|
uses: github/codeql-action/analyze@v1
|
||||||
|
|||||||
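Review bot: In the first hunk (`@@ -19,18 +19,13 @@`) the new side drops the job-level `permissions:` block, so the job now runs with the repository's default `GITHUB_TOKEN` scope instead of the explicit `contents: read`, `security-events: write`, `pull-requests: read` set; on a repository whose default token is read-only the SARIF upload in the `analyze` step will fail, and on one whose default is permissive the job gets write access it does not need. Restore the block under `runs-on: ubuntu-latest` (`permissions:` with `contents: read`, `security-events: write`, `pull-requests: read`). Moving from `@main` to `@v1` in all three hunks is better than tracking a branch, though pinning `github/codeql-action/*` and `actions/checkout` to a full commit SHA would make the workflow reproducible.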
97
.github/workflows/csv-coverage-pr-artifacts.yml
@@ -1,97 +0,0 @@
|
|||||||
name: Check framework coverage changes
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- '.github/workflows/csv-coverage-pr-comment.yml'
|
|
||||||
- '*/ql/src/**/*.ql'
|
|
||||||
- '*/ql/src/**/*.qll'
|
|
||||||
- 'misc/scripts/library-coverage/*.py'
|
|
||||||
# input data files
|
|
||||||
- '*/documentation/library-coverage/cwe-sink.csv'
|
|
||||||
- '*/documentation/library-coverage/frameworks.csv'
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- 'rc/*'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
generate:
|
|
||||||
name: Generate framework coverage artifacts
|
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Dump GitHub context
|
|
||||||
env:
|
|
||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
|
||||||
run: echo "$GITHUB_CONTEXT"
|
|
||||||
- name: Clone self (github/codeql) - MERGE
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: merge
|
|
||||||
- name: Clone self (github/codeql) - BASE
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
fetch-depth: 2
|
|
||||||
path: base
|
|
||||||
- run: |
|
|
||||||
git checkout HEAD^1
|
|
||||||
git log -1 --format='%H'
|
|
||||||
working-directory: base
|
|
||||||
- name: Set up Python 3.8
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: 3.8
|
|
||||||
- name: Download CodeQL CLI
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
|
||||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
|
||||||
- name: Unzip CodeQL CLI
|
|
||||||
run: unzip -d codeql-cli codeql-linux64.zip
|
|
||||||
- name: Generate CSV files on merge commit of the PR
|
|
||||||
run: |
|
|
||||||
echo "Running generator on merge"
|
|
||||||
PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
|
|
||||||
mkdir out_merge
|
|
||||||
cp framework-coverage-*.csv out_merge/
|
|
||||||
cp framework-coverage-*.rst out_merge/
|
|
||||||
- name: Generate CSV files on base commit of the PR
|
|
||||||
run: |
|
|
||||||
echo "Running generator on base"
|
|
||||||
PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
|
|
||||||
mkdir out_base
|
|
||||||
cp framework-coverage-*.csv out_base/
|
|
||||||
cp framework-coverage-*.rst out_base/
|
|
||||||
- name: Generate diff of coverage reports
|
|
||||||
run: |
|
|
||||||
python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
|
|
||||||
- name: Upload CSV package list
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: csv-framework-coverage-merge
|
|
||||||
path: |
|
|
||||||
out_merge/framework-coverage-*.csv
|
|
||||||
out_merge/framework-coverage-*.rst
|
|
||||||
- name: Upload CSV package list
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: csv-framework-coverage-base
|
|
||||||
path: |
|
|
||||||
out_base/framework-coverage-*.csv
|
|
||||||
out_base/framework-coverage-*.rst
|
|
||||||
- name: Upload comparison results
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: comparison
|
|
||||||
path: |
|
|
||||||
comparison.md
|
|
||||||
- name: Save PR number
|
|
||||||
run: |
|
|
||||||
mkdir -p pr
|
|
||||||
echo ${{ github.event.pull_request.number }} > pr/NR
|
|
||||||
- name: Upload PR number
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: pr
|
|
||||||
path: pr/
|
|
||||||
34
.github/workflows/csv-coverage-pr-comment.yml
@@ -1,34 +0,0 @@
|
|||||||
name: Comment on PR with framework coverage changes
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_run:
|
|
||||||
workflows: ["Check framework coverage changes"]
|
|
||||||
types:
|
|
||||||
- completed
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check:
|
|
||||||
name: Check framework coverage differences and comment
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
if: >
|
|
||||||
${{ github.event.workflow_run.event == 'pull_request' &&
|
|
||||||
github.event.workflow_run.conclusion == 'success' }}
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Dump GitHub context
|
|
||||||
env:
|
|
||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
|
||||||
run: echo "$GITHUB_CONTEXT"
|
|
||||||
- name: Clone self (github/codeql)
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
- name: Set up Python 3.8
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: 3.8
|
|
||||||
|
|
||||||
- name: Check coverage difference file and comment
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
RUN_ID: ${{ github.event.workflow_run.id }}
|
|
||||||
run: |
|
|
||||||
python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"
|
|
||||||
42
.github/workflows/csv-coverage-timeseries.yml
@@ -1,42 +0,0 @@
|
|||||||
name: Build framework coverage timeseries reports
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
build:
|
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Clone self (github/codeql)
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: script
|
|
||||||
- name: Clone self (github/codeql) for analysis
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: codeqlModels
|
|
||||||
fetch-depth: 0
|
|
||||||
- name: Set up Python 3.8
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: 3.8
|
|
||||||
- name: Download CodeQL CLI
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
|
||||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
|
||||||
- name: Unzip CodeQL CLI
|
|
||||||
run: unzip -d codeql-cli codeql-linux64.zip
|
|
||||||
- name: Build modeled package list
|
|
||||||
run: |
|
|
||||||
CLI=$(realpath "codeql-cli/codeql")
|
|
||||||
echo $CLI
|
|
||||||
PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
|
|
||||||
- name: Upload timeseries CSV
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: framework-coverage-timeseries
|
|
||||||
path: framework-coverage-timeseries-*.csv
|
|
||||||
|
|
||||||
44
.github/workflows/csv-coverage-update.yml
@@ -1,44 +0,0 @@
|
|||||||
name: Update framework coverage reports
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
schedule:
|
|
||||||
- cron: "0 0 * * *"
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
update:
|
|
||||||
name: Update framework coverage report
|
|
||||||
if: github.event.repository.fork == false
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Dump GitHub context
|
|
||||||
env:
|
|
||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
|
||||||
run: echo "$GITHUB_CONTEXT"
|
|
||||||
- name: Clone self (github/codeql)
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: ql
|
|
||||||
fetch-depth: 0
|
|
||||||
- name: Set up Python 3.8
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: 3.8
|
|
||||||
- name: Download CodeQL CLI
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
|
||||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
|
||||||
- name: Unzip CodeQL CLI
|
|
||||||
run: unzip -d codeql-cli codeql-linux64.zip
|
|
||||||
|
|
||||||
- name: Generate coverage files
|
|
||||||
run: |
|
|
||||||
PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
|
|
||||||
|
|
||||||
- name: Create pull request with changes
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
|
||||||
python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"
|
|
||||||
49
.github/workflows/csv-coverage.yml
@@ -1,49 +0,0 @@
|
|||||||
name: Build framework coverage reports
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
qlModelShaOverride:
|
|
||||||
description: 'github/codeql repo SHA used for looking up the CSV models'
|
|
||||||
required: false
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
build:
|
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Clone self (github/codeql)
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: script
|
|
||||||
- name: Clone self (github/codeql) for analysis
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: codeqlModels
|
|
||||||
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
|
||||||
- name: Set up Python 3.8
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: 3.8
|
|
||||||
- name: Download CodeQL CLI
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
|
||||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
|
||||||
- name: Unzip CodeQL CLI
|
|
||||||
run: unzip -d codeql-cli codeql-linux64.zip
|
|
||||||
- name: Build modeled package list
|
|
||||||
run: |
|
|
||||||
PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
|
|
||||||
- name: Upload CSV package list
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: framework-coverage-csv
|
|
||||||
path: framework-coverage-*.csv
|
|
||||||
- name: Upload RST package list
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: framework-coverage-rst
|
|
||||||
path: framework-coverage-*.rst
|
|
||||||
|
|
||||||
@@ -5,7 +5,6 @@
|
|||||||
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
|
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
|
||||||
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
|
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
|
||||||
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
|
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
|
||||||
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
|
|
||||||
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
|
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
|
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
|
||||||
@@ -250,10 +249,6 @@
|
|||||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
|
||||||
"csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
|
"csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
|
||||||
],
|
],
|
||||||
"SSA PrintAliasAnalysis": [
|
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
|
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
|
|
||||||
],
|
|
||||||
"C++ SSA AliasAnalysisImports": [
|
"C++ SSA AliasAnalysisImports": [
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
|
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
|
||||||
@@ -443,22 +438,6 @@
|
|||||||
],
|
],
|
||||||
"CryptoAlgorithms Python/JS": [
|
"CryptoAlgorithms Python/JS": [
|
||||||
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
||||||
"python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
|
"python/ql/src/semmle/crypto/Crypto.qll"
|
||||||
],
|
|
||||||
"SensitiveDataHeuristics Python/JS": [
|
|
||||||
"javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
|
|
||||||
"python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
|
|
||||||
],
|
|
||||||
"ReDoS Util Python/JS": [
|
|
||||||
"javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll",
|
|
||||||
"python/ql/src/semmle/python/security/performance/ReDoSUtil.qll"
|
|
||||||
],
|
|
||||||
"ReDoS Exponential Python/JS": [
|
|
||||||
"javascript/ql/src/semmle/javascript/security/performance/ExponentialBackTracking.qll",
|
|
||||||
"python/ql/src/semmle/python/security/performance/ExponentialBackTracking.qll"
|
|
||||||
],
|
|
||||||
"ReDoS Polynomial Python/JS": [
|
|
||||||
"javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
|
|
||||||
"python/ql/src/semmle/python/security/performance/SuperlinearBackTracking.qll"
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
codescanning
|
|
||||||
* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively.
|
|
||||||
* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure.
|
|
||||||
* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms. There are now fewer false positive results.
|
|
||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description If an exception is allocated on the heap, then it should be deleted when caught.
|
* @description If an exception is allocated on the heap, then it should be deleted when caught.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/catch-missing-free
|
* @id cpp/catch-missing-free
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
|
|||||||
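Review bot: `@problem.security-severity high` on the new side is not a query-metadata key I know CodeQL to honour; code scanning derives security severity from `@security-severity` with a numeric CVSS-style score, so the added line would be ignored and the query carries no security severity at all. The same substitution of the numeric `@security-severity` line by `@problem.security-severity <level>` appears in the hunks for cpp/offset-use-before-range-check, cpp/inconsistent-nullness-testing, cpp/memory-may-not-be-freed, cpp/memory-never-freed, cpp/missing-null-test, cpp/new-free-mismatch, cpp/overflow-calculated and cpp/overflow-destination, while the hunks for cpp/descriptor-may-not-be-closed, cpp/descriptor-never-closed, cpp/file-may-not-be-closed, cpp/file-never-closed, cpp/global-use-before-init, cpp/initialization-not-run, cpp/late-negative-test and cpp/missing-negativity-test drop the numeric line with no replacement, so those queries lose their score entirely. In this hunk specifically, cpp/catch-missing-free is tagged only `efficiency`, so a security severity does not match its tags; if one is intended it should be written as `* @security-severity <score>` with a numeric score alongside a `security` tag.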
@@ -5,7 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/offset-use-before-range-check
|
* @id cpp/offset-use-before-range-check
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.2
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -39,7 +39,7 @@ then replace all the relevant occurrences in the code.</p>
|
|||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
|
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
|
||||||
Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
|
Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
|
<a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
|
||||||
|
|||||||
@@ -38,7 +38,7 @@ constant.</p>
|
|||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
|
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
|
||||||
Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
|
Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
|
<a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
|
||||||
|
|||||||
@@ -21,7 +21,7 @@ Review the purpose of the each global variable flagged by this rule and update e
|
|||||||
|
|
||||||
<li>
|
<li>
|
||||||
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
|
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
|
||||||
Chapter 1: Naming, Rec 1.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
|
Chapter 1: Naming, Rec 1.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.
|
<a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.
|
||||||
|
|||||||
@@ -45,7 +45,7 @@ this rule.
|
|||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
|
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
|
||||||
(<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
|
(<a href="http://mongers.org/industrial-c++/">PDF</a>).
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.
|
cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/descriptor-may-not-be-closed
|
* @id cpp/descriptor-may-not-be-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/descriptor-never-closed
|
* @id cpp/descriptor-never-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/file-may-not-be-closed
|
* @id cpp/file-may-not-be-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/file-never-closed
|
* @id cpp/file-never-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/global-use-before-init
|
* @id cpp/global-use-before-init
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-457
|
* external/cwe/cwe-457
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/inconsistent-nullness-testing
|
* @id cpp/inconsistent-nullness-testing
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
* @problem.security-severity high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-476
|
* external/cwe/cwe-476
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/initialization-not-run
|
* @id cpp/initialization-not-run
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-456
|
* external/cwe/cwe-456
|
||||||
|
|||||||
@@ -6,7 +6,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/late-negative-test
|
* @id cpp/late-negative-test
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-823
|
* external/cwe/cwe-823
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memory-may-not-be-freed
|
* @id cpp/memory-may-not-be-freed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
* @problem.security-severity high
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-401
|
* external/cwe/cwe-401
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memory-never-freed
|
* @id cpp/memory-never-freed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
* @problem.security-severity high
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-401
|
* external/cwe/cwe-401
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/missing-negativity-test
|
* @id cpp/missing-negativity-test
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-823
|
* external/cwe/cwe-823
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/missing-null-test
|
* @id cpp/missing-null-test
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
* @security-severity 7.5
|
* @problem.security-severity high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-476
|
* external/cwe/cwe-476
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
|
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/new-free-mismatch
|
* @id cpp/new-free-mismatch
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-calculated
|
* @id cpp/overflow-calculated
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.8
|
* @problem.security-severity critical
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-131
|
* external/cwe/cwe-131
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-destination
|
* @id cpp/overflow-destination
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
* @problem.security-severity high
|
||||||
* @precision low
|
* @precision low
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* may result in a buffer overflow.
|
* may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/static-buffer-overflow
|
* @id cpp/static-buffer-overflow
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
@@ -15,7 +15,6 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.commons.Buffer
|
import semmle.code.cpp.commons.Buffer
|
||||||
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
|
||||||
import LoopBounds
|
import LoopBounds
|
||||||
|
|
||||||
private predicate staticBufferBase(VariableAccess access, Variable v) {
|
private predicate staticBufferBase(VariableAccess access, Variable v) {
|
||||||
@@ -53,8 +52,6 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
|
|||||||
loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
|
loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
|
||||||
loop.limit() >= bufaccess.bufferSize() and
|
loop.limit() >= bufaccess.bufferSize() and
|
||||||
loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
|
loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
|
||||||
// Ensure that we don't have an upper bound on the array index that's less than the buffer size.
|
|
||||||
not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
|
|
||||||
msg =
|
msg =
|
||||||
"Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
|
"Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
|
||||||
loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
|
loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
|
||||||
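Review bot: Without the `not upperBound(...) < bufaccess.bufferSize()` conjunct, overflowOffsetInLoop reports any loop whose limit reaches the buffer size even when the array index itself is provably smaller, so the false-positive filter described by the removed comment is gone; overflowOffsetInLoop begins and ends outside this hunk. If SimpleRangeAnalysis is unavailable on this branch and the conjunct had to go, the weaker contract should be recorded on the new side, e.g. `// No bound check on the offset itself: a loop limit >= bufferSize is reported even if the index is provably smaller.` The statedSizeValue hunk further down has the same cause: it now holds only when a local source of the size argument has a constant `getValue()`, so sizes that are merely bounded are no longer compared against the buffer, and since wrongBufferSize now wraps it in `min(...)` its QLDoc (outside the hunk) should state that the predicate may hold for several values per call.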
@@ -98,22 +95,17 @@ class CallWithBufferSize extends FunctionCall {
|
|||||||
}
|
}
|
||||||
|
|
||||||
int statedSizeValue() {
|
int statedSizeValue() {
|
||||||
// `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
|
exists(Expr statedSizeSrc |
|
||||||
// result in this case we pick the minimum value obtainable from dataflow and range analysis.
|
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
|
||||||
result =
|
result = statedSizeSrc.getValue().toInt()
|
||||||
upperBound(statedSizeExpr())
|
)
|
||||||
.minimum(min(Expr statedSizeSrc |
|
|
||||||
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
|
|
||||||
|
|
|
||||||
statedSizeSrc.getValue().toInt()
|
|
||||||
))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate wrongBufferSize(Expr error, string msg) {
|
predicate wrongBufferSize(Expr error, string msg) {
|
||||||
exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
|
exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
|
||||||
staticBuffer(call.buffer(), buf, bufsize) and
|
staticBuffer(call.buffer(), buf, bufsize) and
|
||||||
statedSize = call.statedSizeValue() and
|
statedSize = min(call.statedSizeValue()) and
|
||||||
statedSize > bufsize and
|
statedSize > bufsize and
|
||||||
error = call.statedSizeExpr() and
|
error = call.statedSizeExpr() and
|
||||||
msg =
|
msg =
|
||||||
|
|||||||
@@ -4,12 +4,9 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/return-stack-allocated-object
|
* @id cpp/return-stack-allocated-object
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 2.1
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-562
|
* external/cwe/cwe-562
|
||||||
* @deprecated This query is not suitable for production use and has been deprecated. Use
|
|
||||||
* cpp/return-stack-allocated-memory instead.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import semmle.code.cpp.pointsto.PointsTo
|
import semmle.code.cpp.pointsto.PointsTo
|
||||||
|
|||||||
@@ -7,7 +7,7 @@
|
|||||||
<overview>
|
<overview>
|
||||||
<p>
|
<p>
|
||||||
This rule finds calls to a function that ignore the return value. A function call is only marked
|
This rule finds calls to a function that ignore the return value. A function call is only marked
|
||||||
as a violation if at least 90% of the total calls to that function check the return value. Not
|
as a violation if at least 80% of the total calls to that function check the return value. Not
|
||||||
checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
|
checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
|
||||||
These functions return the status information and the return values should always be checked
|
These functions return the status information and the return values should always be checked
|
||||||
to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
|
to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
|
||||||
@@ -32,7 +32,7 @@ Check the return value of functions that return status information.
|
|||||||
<references>
|
<references>
|
||||||
|
|
||||||
<li>
|
<li>
|
||||||
M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
|
M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.
|
The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.
|
||||||
|
|||||||
@@ -1,9 +1,10 @@
|
|||||||
/**
|
/**
|
||||||
* @name Return value of a function is ignored
|
* @name Return value of a function is ignored
|
||||||
* @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
|
* @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/return-value-ignored
|
* @id cpp/return-value-ignored
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
|
|||||||
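Review bot: The new description says `more than 80%` of calls check the return value, while the companion qhelp hunk earlier in this change says `at least 80%`; the two should state the same threshold and inequality, since readers use them to interpret results. Separately, `@problem.security-severity critical` is added to a query whose `@problem.severity` is `recommendation` and whose tags visible in the hunk are `reliability` and `correctness` with no `security` tag; cpp/inconsistent-call-on-result receives the same `critical` value with a `warning` severity and only a `reliability` tag visible. Unless these queries are meant to appear in a security suite, either drop the line or pair it with a `security` tag and a CWE reference that justifies the rating.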
@@ -4,7 +4,7 @@
|
|||||||
* an instance of the type of the pointer may result in a buffer overflow
|
* an instance of the type of the pointer may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.1
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/allocation-too-small
|
* @id cpp/allocation-too-small
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* multiple instances of the type of the pointer may result in a buffer overflow
|
* multiple instances of the type of the pointer may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.1
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/suspicious-allocation-size
|
* @id cpp/suspicious-allocation-size
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/use-after-free
|
* @id cpp/use-after-free
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
* @problem.security-severity high
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-416
|
* external/cwe/cwe-416
|
||||||
|
|||||||
@@ -7,6 +7,10 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|
||||||
|
class AnonymousCompilation extends Compilation {
|
||||||
|
override string toString() { result = "<compilation>" }
|
||||||
|
}
|
||||||
|
|
||||||
string describe(Compilation c) {
|
string describe(Compilation c) {
|
||||||
if c.getArgument(1) = "--mimic"
|
if c.getArgument(1) = "--mimic"
|
||||||
then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
|
then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
|
||||||
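Review bot: `AnonymousCompilation` has no characteristic predicate, so every `Compilation` is an instance and the `toString()` override changes how any `Compilation` prints, yet nothing in the hunk says why the class exists; presumably it is there so `c` can be selected as a result element in the `select` rewritten in the next hunk. A QLDoc on the class would make that explicit, e.g. `/** A Compilation with a printable toString(), so that it can be used as a result element. */`. The trailing `2` added to that `select` is an undocumented literal as well; a short comment or a named predicate would tell a reader what the column means.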
@@ -15,4 +19,4 @@ string describe(Compilation c) {
|
|||||||
|
|
||||||
from Compilation c
|
from Compilation c
|
||||||
where not c.normalTermination()
|
where not c.normalTermination()
|
||||||
select "Extraction aborted for " + describe(c)
|
select c, "Extraction aborted for " + describe(c), 2
|
||||||
|
|||||||
@@ -7,6 +7,7 @@
|
|||||||
* overflow.
|
* overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/ambiguously-signed-bit-field
|
* @id cpp/ambiguously-signed-bit-field
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
* to a larger type.
|
* to a larger type.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 8.1
|
* @problem.security-severity high
|
||||||
* @precision very-high
|
* @precision very-high
|
||||||
* @id cpp/bad-addition-overflow-check
|
* @id cpp/bad-addition-overflow-check
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* be a sign that the result can overflow the type converted from.
|
* be a sign that the result can overflow the type converted from.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.1
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/integer-multiplication-cast-to-long
|
* @id cpp/integer-multiplication-cast-to-long
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,13 +5,10 @@
|
|||||||
* unsigned integer values.
|
* unsigned integer values.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.1
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/signed-overflow-check
|
* @id cpp/signed-overflow-check
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-128
|
|
||||||
* external/cwe/cwe-190
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|||||||
@@ -6,14 +6,14 @@
|
|||||||
* use the width of the base type, leading to misaligned reads.
|
* use the width of the base type, leading to misaligned reads.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/upcast-array-pointer-arithmetic
|
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* reliability
|
* reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-119
|
* external/cwe/cwe-119
|
||||||
* external/cwe/cwe-843
|
* external/cwe/cwe-843
|
||||||
|
* @id cpp/upcast-array-pointer-arithmetic
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|||||||
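Review bot: `@id cpp/upcast-array-pointer-arithmetic` is moved below the `@tags` list, directly after the last `external/cwe/...` continuation line, whereas every other query header in this change keeps `@id` before `@tags`; placed there it is easy to misread as another tag. Keep the previous order: `* @precision high` / `* @id cpp/upcast-array-pointer-arithmetic` / `* @tags correctness`.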
@@ -6,7 +6,7 @@
|
|||||||
* from an untrusted source, this can be used for exploits.
|
* from an untrusted source, this can be used for exploits.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
* @security-severity 9.3
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/non-constant-format
|
* @id cpp/non-constant-format
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
|
|||||||
@@ -3,14 +3,11 @@
|
|||||||
* @description Using the return value from snprintf without proper checks can cause overflow.
|
* @description Using the return value from snprintf without proper checks can cause overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.1
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/overflowing-snprintf
|
* @id cpp/overflowing-snprintf
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-190
|
|
||||||
* external/cwe/cwe-253
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|||||||
@@ -4,13 +4,11 @@
|
|||||||
* a source of security issues.
|
* a source of security issues.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 5.0
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/wrong-number-format-arguments
|
* @id cpp/wrong-number-format-arguments
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-234
|
|
||||||
* external/cwe/cwe-685
|
* external/cwe/cwe-685
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* behavior.
|
* behavior.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 7.5
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/wrong-type-format-argument
|
* @id cpp/wrong-type-format-argument
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
@@ -19,32 +18,28 @@ import cpp
|
|||||||
* Holds if the argument corresponding to the `pos` conversion specifier
|
* Holds if the argument corresponding to the `pos` conversion specifier
|
||||||
* of `ffc` is expected to have type `expected`.
|
* of `ffc` is expected to have type `expected`.
|
||||||
*/
|
*/
|
||||||
|
pragma[noopt]
|
||||||
private predicate formattingFunctionCallExpectedType(
|
private predicate formattingFunctionCallExpectedType(
|
||||||
FormattingFunctionCall ffc, int pos, Type expected
|
FormattingFunctionCall ffc, int pos, Type expected
|
||||||
) {
|
) {
|
||||||
ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
|
exists(FormattingFunction f, int i, FormatLiteral fl |
|
||||||
|
ffc instanceof FormattingFunctionCall and
|
||||||
|
ffc.getTarget() = f and
|
||||||
|
f.getFormatParameterIndex() = i and
|
||||||
|
ffc.getArgument(i) = fl and
|
||||||
|
fl.getConversionType(pos) = expected
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if the argument corresponding to the `pos` conversion specifier
|
* Holds if the argument corresponding to the `pos` conversion specifier
|
||||||
* of `ffc` could alternatively have type `expected`, for example on a different
|
* of `ffc` is expected to have type `expected` and the corresponding
|
||||||
* platform.
|
* argument `arg` has type `actual`.
|
||||||
*/
|
|
||||||
private predicate formattingFunctionCallAlternateType(
|
|
||||||
FormattingFunctionCall ffc, int pos, Type expected
|
|
||||||
) {
|
|
||||||
ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if the argument corresponding to the `pos` conversion specifier
|
|
||||||
* of `ffc` is `arg` and has type `actual`.
|
|
||||||
*/
|
*/
|
||||||
pragma[noopt]
|
pragma[noopt]
|
||||||
predicate formattingFunctionCallActualType(
|
predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
|
||||||
FormattingFunctionCall ffc, int pos, Expr arg, Type actual
|
|
||||||
) {
|
|
||||||
exists(Expr argConverted |
|
exists(Expr argConverted |
|
||||||
|
formattingFunctionCallExpectedType(ffc, pos, expected) and
|
||||||
ffc.getConversionArgument(pos) = arg and
|
ffc.getConversionArgument(pos) = arg and
|
||||||
argConverted = arg.getFullyConverted() and
|
argConverted = arg.getFullyConverted() and
|
||||||
actual = argConverted.getType()
|
actual = argConverted.getType()
|
||||||
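Review bot: The new `formatArgType` only consults `getConversionType(pos)`, so the platform-alternate expected type is no longer considered anywhere and the `not exists(Type anyExpected | ...)` filter in the later `where` hunk can only succeed with the primary type; if the FormatLiteral library on this branch still provides `getConversionTypeAlternate`, arguments that match only the alternate type will now be reported as mismatches. The conjunct `ffc instanceof FormattingFunctionCall` in formattingFunctionCallExpectedType is redundant with the parameter type and reads as a slip without explanation; if it is there because `pragma[noopt]` disables the implicit type test, say so: `// explicit type test: pragma[noopt] does not add it for us`. The QLDoc of formatArgType should also state that `expected` is the primary conversion type only.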
@@ -76,8 +71,7 @@ class ExpectedType extends Type {
|
|||||||
ExpectedType() {
|
ExpectedType() {
|
||||||
exists(Type t |
|
exists(Type t |
|
||||||
(
|
(
|
||||||
formattingFunctionCallExpectedType(_, _, t) or
|
formatArgType(_, _, t, _, _) or
|
||||||
formattingFunctionCallAlternateType(_, _, t) or
|
|
||||||
formatOtherArgType(_, _, t, _, _)
|
formatOtherArgType(_, _, t, _, _)
|
||||||
) and
|
) and
|
||||||
this = t.getUnspecifiedType()
|
this = t.getUnspecifiedType()
|
||||||
@@ -96,11 +90,7 @@ class ExpectedType extends Type {
|
|||||||
*/
|
*/
|
||||||
predicate trivialConversion(ExpectedType expected, Type actual) {
|
predicate trivialConversion(ExpectedType expected, Type actual) {
|
||||||
exists(Type exp, Type act |
|
exists(Type exp, Type act |
|
||||||
(
|
formatArgType(_, _, exp, _, act) and
|
||||||
formattingFunctionCallExpectedType(_, _, exp) or
|
|
||||||
formattingFunctionCallAlternateType(_, _, exp)
|
|
||||||
) and
|
|
||||||
formattingFunctionCallActualType(_, _, _, act) and
|
|
||||||
expected = exp.getUnspecifiedType() and
|
expected = exp.getUnspecifiedType() and
|
||||||
actual = act.getUnspecifiedType()
|
actual = act.getUnspecifiedType()
|
||||||
) and
|
) and
|
||||||
@@ -155,13 +145,9 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
|
|||||||
from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
|
from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
|
||||||
where
|
where
|
||||||
(
|
(
|
||||||
formattingFunctionCallExpectedType(ffc, n, expected) and
|
formatArgType(ffc, n, expected, arg, actual) and
|
||||||
formattingFunctionCallActualType(ffc, n, arg, actual) and
|
|
||||||
not exists(Type anyExpected |
|
not exists(Type anyExpected |
|
||||||
(
|
formatArgType(ffc, n, anyExpected, arg, actual) and
|
||||||
formattingFunctionCallExpectedType(ffc, n, anyExpected) or
|
|
||||||
formattingFunctionCallAlternateType(ffc, n, anyExpected)
|
|
||||||
) and
|
|
||||||
trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
|
trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description A function is called, and the same operation is usually performed on the return value - for example, free, delete, close etc. However, in some cases it is not performed. These unusual cases may indicate misuse of the API and could cause resource leaks.
|
* @description A function is called, and the same operation is usually performed on the return value - for example, free, delete, close etc. However, in some cases it is not performed. These unusual cases may indicate misuse of the API and could cause resource leaks.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/inconsistent-call-on-result
|
* @id cpp/inconsistent-call-on-result
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
* omitting the check could crash the program.
|
* omitting the check could crash the program.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/inconsistent-null-check
|
* @id cpp/inconsistent-null-check
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,7 +6,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/incorrect-not-operator-usage
|
* @id cpp/incorrect-not-operator-usage
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-480
|
* external/cwe/cwe-480
|
||||||
|
|||||||
@@ -26,7 +26,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
|
|||||||
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
|
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
|
M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -3,6 +3,7 @@
|
|||||||
* @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
|
* @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/inconsistent-loop-direction
|
* @id cpp/inconsistent-loop-direction
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
* @description Using alloca in a loop can lead to a stack overflow
|
* @description Using alloca in a loop can lead to a stack overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
* @problem.security-severity high
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/alloca-in-loop
|
* @id cpp/alloca-in-loop
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/improper-null-termination
|
* @id cpp/improper-null-termination
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
* @problem.security-severity high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-170
|
* external/cwe/cwe-170
|
||||||
* external/cwe/cwe-665
|
* external/cwe/cwe-665
|
||||||
|
|||||||
@@ -4,12 +4,10 @@
|
|||||||
* on undefined behavior and may lead to memory corruption.
|
* on undefined behavior and may lead to memory corruption.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 2.1
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/pointer-overflow-check
|
* @id cpp/pointer-overflow-check
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-758
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|||||||
@@ -6,7 +6,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/potential-buffer-overflow
|
* @id cpp/potential-buffer-overflow
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 10.0
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-676
|
* external/cwe/cwe-676
|
||||||
|
|||||||
@@ -13,7 +13,6 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.dataflow.EscapesTree
|
import semmle.code.cpp.dataflow.EscapesTree
|
||||||
import semmle.code.cpp.models.interfaces.PointerWrapper
|
|
||||||
import semmle.code.cpp.dataflow.DataFlow
|
import semmle.code.cpp.dataflow.DataFlow
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -40,10 +39,6 @@ predicate hasNontrivialConversion(Expr e) {
|
|||||||
e instanceof ParenthesisExpr
|
e instanceof ParenthesisExpr
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
// A smart pointer can be stack-allocated while the data it points to is heap-allocated.
|
|
||||||
// So we exclude such "conversions" from this predicate.
|
|
||||||
e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
|
|
||||||
or
|
|
||||||
hasNontrivialConversion(e.getConversion())
|
hasNontrivialConversion(e.getConversion())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
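Review bot: Dropping the `PointerWrapper` unwrapper case from hasNontrivialConversion means a call that unwraps a smart pointer is now treated like any other expression, so returning the pointee of a stack-allocated smart pointer can be reported even though, as the removed comment explains, the pointee itself may be heap-allocated; hasNontrivialConversion begins outside this hunk. If `semmle.code.cpp.models.interfaces.PointerWrapper` does not exist on this branch and the import had to go, record the known false-positive class on the new side, e.g. `// Smart-pointer unwrapping is not modelled here; stack-allocated wrappers of heap data may be reported.`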
@@ -4,7 +4,7 @@
|
|||||||
* as the third argument may result in a buffer overflow.
|
* as the third argument may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/bad-strncpy-size
|
* @id cpp/bad-strncpy-size
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -7,7 +7,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/suspicious-call-to-memset
|
* @id cpp/suspicious-call-to-memset
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
* @security-severity 10.0
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
|
|||||||
@@ -2,7 +2,3 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
|
|||||||
|
|
||||||
strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest.
|
strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest.
|
||||||
//Also fails if dest is a pointer and not an array.
|
//Also fails if dest is a pointer and not an array.
|
||||||
|
|
||||||
strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
|
|
||||||
|
|
||||||
strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.
|
|
||||||
|
|||||||
@@ -4,17 +4,7 @@
|
|||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<p>The standard library function <code>strncat</code> appends a source string to a target string.
|
<p>The standard library function <code>strncat</code> appends a source string to a target string.
|
||||||
The third argument defines the maximum number of characters to append and should be less than or equal
|
The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
|
||||||
to the remaining space in the destination buffer.</p>
|
|
||||||
|
|
||||||
<p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
|
|
||||||
the third argument to the entire size of the destination buffer.
|
|
||||||
Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
|
|
||||||
|
|
||||||
<p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
|
|
||||||
byte to be written ouside the <code>dest</code> buffer.</p>
|
|
||||||
|
|
||||||
<p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
|
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
@@ -35,10 +25,6 @@ byte to be written ouside the <code>dest</code> buffer.</p>
|
|||||||
<li>
|
<li>
|
||||||
M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method & Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
|
M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method & Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
|
||||||
</li>
|
</li>
|
||||||
<li>
|
|
||||||
CERT C Coding Standard:
|
|
||||||
<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
|
|
||||||
</li>
|
|
||||||
|
|
||||||
|
|
||||||
</references>
|
</references>
|
||||||
|
|||||||
@@ -1,15 +1,15 @@
|
|||||||
/**
|
/**
|
||||||
* @name Potentially unsafe call to strncat
|
* @name Potentially unsafe call to strncat
|
||||||
* @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
|
* @description Calling 'strncat' with the size of the destination buffer
|
||||||
|
* as the third argument may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.3
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unsafe-strncat
|
* @id cpp/unsafe-strncat
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-788
|
|
||||||
* external/cwe/cwe-676
|
* external/cwe/cwe-676
|
||||||
* external/cwe/cwe-119
|
* external/cwe/cwe-119
|
||||||
* external/cwe/cwe-251
|
* external/cwe/cwe-251
|
||||||
@@ -17,53 +17,11 @@
|
|||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
import Buffer
|
import Buffer
|
||||||
import semmle.code.cpp.models.implementations.Strcat
|
|
||||||
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
|
|
||||||
|
|
||||||
/**
|
from FunctionCall fc, VariableAccess va1, VariableAccess va2
|
||||||
* Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
|
where
|
||||||
* destination arguments, respectively.
|
fc.getTarget().(Function).hasName("strncat") and
|
||||||
*/
|
va1 = fc.getArgument(0) and
|
||||||
predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
|
va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
|
||||||
exists(StrcatFunction strcat |
|
va1.getTarget() = va2.getTarget()
|
||||||
strcat = call.getTarget() and
|
|
||||||
sizeArg = call.getArgument(strcat.getParamSize()) and
|
|
||||||
destArg = call.getArgument(strcat.getParamDest())
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
|
|
||||||
* argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
|
|
||||||
*/
|
|
||||||
predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
|
|
||||||
interestringCallWithArgs(fc, sizeArg, destArg) and
|
|
||||||
exists(VariableAccess va |
|
|
||||||
va = sizeArg.(BufferSizeExpr).getArg() and
|
|
||||||
destArg.getTarget() = va.getTarget()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
|
|
||||||
* argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
|
|
||||||
*/
|
|
||||||
predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
|
|
||||||
interestringCallWithArgs(fc, sizeArg, destArg) and
|
|
||||||
exists(SubExpr sub, int n |
|
|
||||||
// The destination buffer is an array of size n
|
|
||||||
destArg.getUnspecifiedType().(ArrayType).getSize() = n and
|
|
||||||
// The size argument is equivalent to a subtraction
|
|
||||||
globalValueNumber(sizeArg).getAnExpr() = sub and
|
|
||||||
// ... where the left side of the subtraction is the constant n
|
|
||||||
globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
|
|
||||||
// ... and the right side of the subtraction is a call to `strlen` where the argument is the
|
|
||||||
// destination buffer.
|
|
||||||
globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
|
|
||||||
globalValueNumber(destArg).getAnExpr()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
from FunctionCall fc, Expr sizeArg, Expr destArg
|
|
||||||
where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
|
|
||||||
select fc, "Potentially unsafe call to strncat."
|
select fc, "Potentially unsafe call to strncat."
|
||||||
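Review bot: The query on the new side only reports calls whose third argument is a `BufferSizeExpr` over the same variable as the destination (`va2 = fc.getArgument(2).(BufferSizeExpr).getArg()`), so the `strncat(dest, src, sizeof(dest) - strlen(dest))` form that the old side's `case2` recognised through `SubExpr` and `globalValueNumber` — the one-byte overrun the old qhelp describes — is no longer flagged, and the `external/cwe/cwe-788` tag is dropped in the first hunk of this file. If the narrowing is deliberate it matches the new `@description`, but it should be called out in the commit message since it silently lowers recall on a security query. Separately, `fc.getTarget().(Function).hasName("strncat")` selects any function by name alone, so a project-defined `strncat` would presumably be reported as well, and the `.(Function)` cast is redundant because `FunctionCall.getTarget()` already yields a `Function`; `fc.getTarget().hasName("strncat") and` reads cleaner. A comment above `from` such as `// Report strncat calls whose size argument is sizeof/strlen of the destination itself: that is the whole buffer, not the remaining space` would document the intent of the `va1.getTarget() = va2.getTarget()` condition.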
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* the machine pointer size.
|
* the machine pointer size.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.8
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/suspicious-sizeof
|
* @id cpp/suspicious-sizeof
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
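Review bot: The `@security-severity 8.8` line of cpp/suspicious-sizeof is removed on the new side with nothing in its place, so this query loses its security severity entirely, whereas the neighbouring hunks replace the score with a `@problem.security-severity <level>` line. The same silent drop occurs for cpp/self-assignment-check (7.0), cpp/unsafe-use-of-this (7.5, which also loses its `external/cwe/cwe-670` tag), cpp/too-few-arguments (5.0, also losing `external/cwe/cwe-234` and `external/cwe/cwe-685`) and cpp/memset-may-be-deleted (7.8). If every query tagged `security` is meant to carry a severity on this branch, these five need a `* @problem.security-severity ...` line as well, or the commit should state why they are exempt. The page does not show whether `@problem.security-severity` is a key the query-metadata tooling accepts; that is worth confirming against the metadata schema before the change lands.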
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/uninitialized-local
|
* @id cpp/uninitialized-local
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-665
|
* external/cwe/cwe-665
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* may result in a buffer overflow
|
* may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 9.8
|
* @problem.security-severity critical
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unsafe-strcat
|
* @id cpp/unsafe-strcat
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,7 +6,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/self-assignment-check
|
* @id cpp/self-assignment-check
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.0
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-826
|
* external/cwe/cwe-826
|
||||||
|
|||||||
@@ -6,12 +6,10 @@
|
|||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @id cpp/unsafe-use-of-this
|
* @id cpp/unsafe-use-of-this
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 7.5
|
|
||||||
* @precision very-high
|
* @precision very-high
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* language-features
|
* language-features
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-670
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
* it should be moved before the dereference.
|
* it should be moved before the dereference.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
|
* @problem.security-severity high
|
||||||
* @id cpp/redundant-null-check-simple
|
* @id cpp/redundant-null-check-simple
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* correctness
|
* correctness
|
||||||
|
|||||||
@@ -7,14 +7,11 @@
|
|||||||
* undefined data.
|
* undefined data.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 5.0
|
|
||||||
* @precision very-high
|
* @precision very-high
|
||||||
* @id cpp/too-few-arguments
|
* @id cpp/too-few-arguments
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* maintainability
|
* maintainability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-234
|
|
||||||
* external/cwe/cwe-685
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import cpp
|
import cpp
|
||||||
|
|||||||
@@ -29,7 +29,7 @@ build time: the more included files, the longer the compilation time.</p>
|
|||||||
<a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
|
<a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
|
<a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
|
||||||
Designing Header Files</a>
|
Designing Header Files</a>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|||||||
@@ -35,7 +35,7 @@ they are contributing to unnecessarily long build times and creating artificial
|
|||||||
<a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
|
<a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
|
<a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
|
||||||
Designing Header Files</a>
|
Designing Header Files</a>
|
||||||
</li>
|
</li>
|
||||||
</references>
|
</references>
|
||||||
|
|||||||
@@ -6,9 +6,11 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/ignore-return-value-sal
|
* @id cpp/ignore-return-value-sal
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
|
* @problem.security-severity critical
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* external/cwe/cwe-573
|
* external/cwe/cwe-573
|
||||||
* external/cwe/cwe-252
|
* external/cwe/cwe-252
|
||||||
|
* @opaque-id SM02344
|
||||||
* @microsoft.severity Important
|
* @microsoft.severity Important
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memset-may-be-deleted
|
* @id cpp/memset-may-be-deleted
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.8
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-14
|
* external/cwe/cwe-14
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @precision low
|
* @precision low
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 7.8
|
* @problem.security-severity high
|
||||||
* @tags security external/cwe/cwe-20
|
* @tags security external/cwe/cwe-20
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @precision low
|
* @precision low
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 7.8
|
* @problem.security-severity high
|
||||||
* @tags security external/cwe/cwe-20
|
* @tags security external/cwe/cwe-20
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* attacker to access unexpected resources.
|
* attacker to access unexpected resources.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 7.5
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/path-injection
|
* @id cpp/path-injection
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* to command injection.
|
* to command injection.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 9.8
|
* @problem.security-severity critical
|
||||||
* @precision low
|
* @precision low
|
||||||
* @id cpp/command-line-injection
|
* @id cpp/command-line-injection
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
* allows for a cross-site scripting vulnerability.
|
* allows for a cross-site scripting vulnerability.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 6.1
|
* @problem.security-severity medium
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/cgi-xss
|
* @id cpp/cgi-xss
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* to SQL Injection.
|
* to SQL Injection.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @security-severity 8.8
|
* @problem.security-severity critical
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/sql-injection
|
* @id cpp/sql-injection
|
||||||
* @tags security
|
* @tags security
|
||||||
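Review bot: `@problem.security-severity critical` replaces a score of 8.8 for cpp/sql-injection, yet the higher 9.3 of cpp/overflow-buffer (and of cpp/unsafe-strncat earlier on the page) becomes `high`, while the 9.8 of cpp/unsafe-strcat and cpp/command-line-injection becomes `critical`; with no score-to-level mapping stated anywhere in the diff, the sql-injection value looks hand-assigned and the `high`/`critical` boundary is not reproducible. Choose one cutoff (the 9.8 and 9.3 cases suggest "9.0 and above is critical") and apply it uniformly, or keep the numeric `@security-severity` line next to the level so the original score is not lost. The cpp/ignore-return-value-sal hunk also introduces `critical` for a query whose `@problem.severity` is only `warning` and which had no prior score, which deserves a one-line justification in the commit description.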
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
* commands.
|
* commands.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @security-severity 8.2
|
* @problem.security-severity high
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/uncontrolled-process-operation
|
* @id cpp/uncontrolled-process-operation
|
||||||
* @tags security
|
* @tags security
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-buffer
|
* @id cpp/overflow-buffer
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
* @security-severity 9.3
|
* @problem.security-severity high
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-119
|
* external/cwe/cwe-119
|
||||||
* external/cwe/cwe-121
|
* external/cwe/cwe-121
|
||||||
|
|||||||