mirror of
https://github.com/github/codeql.git
synced 2026-07-06 12:05:31 +02:00
Compare commits
51 Commits
security-s
...
query-help
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
5924b6cf61 | ||
|
|
74f25c1b5a | ||
|
|
133d6beb3e | ||
|
|
036c5f9459 | ||
|
|
d3abcfe074 | ||
|
|
78fcf7ad21 | ||
|
|
bd1ea03ec2 | ||
|
|
4f55559de3 | ||
|
|
21adcec48b | ||
|
|
920b29bd68 | ||
|
|
04ace750c2 | ||
|
|
5ad3459042 | ||
|
|
d7c928a7ee | ||
|
|
d09126333f | ||
|
|
3e52b7bf4e | ||
|
|
b5730ed374 | ||
|
|
042dc712d4 | ||
|
|
325436b133 | ||
|
|
4759eb7b10 | ||
|
|
93771957ec | ||
|
|
1dd5f6d044 | ||
|
|
f950550e5f | ||
|
|
9828bcccb4 | ||
|
|
e9cb9e58d2 | ||
|
|
b1ff08427c | ||
|
|
64b096fbf6 | ||
|
|
df5270f454 | ||
|
|
55c006529b | ||
|
|
d9ee086f01 | ||
|
|
9b601ab93f | ||
|
|
5ef014c973 | ||
|
|
f562bde588 | ||
|
|
0a439e0d55 | ||
|
|
b44683c7c8 | ||
|
|
819698b51c | ||
|
|
68b3e8ee38 | ||
|
|
7ffa539f5d | ||
|
|
cdca212c75 | ||
|
|
7e4d6e8bbd | ||
|
|
ace6f5aa0a | ||
|
|
45c033dd73 | ||
|
|
21fdf0a82b | ||
|
|
3434fea8e7 | ||
|
|
f3271f5b4d | ||
|
|
6e4b2ab77f | ||
|
|
09469ae47a | ||
|
|
0ba56bf41f | ||
|
|
a2de5118ed | ||
|
|
c4b7a129e8 | ||
|
|
94f954e724 | ||
|
|
282ff99dac |
23
.github/workflows/check-change-note.yml
vendored
23
.github/workflows/check-change-note.yml
vendored
@@ -1,23 +0,0 @@
|
|||||||
name: Check change note
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
|
|
||||||
paths:
|
|
||||||
- "*/ql/src/**/*.ql"
|
|
||||||
- "*/ql/src/**/*.qll"
|
|
||||||
- "!**/experimental/**"
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check-change-note:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
|
|
||||||
if: |
|
|
||||||
github.event.pull_request.draft == false &&
|
|
||||||
!contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
run: |
|
|
||||||
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
|
|
||||||
jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
|
|
||||||
30
.github/workflows/close-stale.yml
vendored
30
.github/workflows/close-stale.yml
vendored
@@ -1,30 +0,0 @@
|
|||||||
name: Mark stale issues
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
schedule:
|
|
||||||
- cron: "30 1 * * *"
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
stale:
|
|
||||||
if: github.repository == 'github/codeql'
|
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- uses: actions/stale@v3
|
|
||||||
with:
|
|
||||||
repo-token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
|
|
||||||
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
|
|
||||||
days-before-stale: 14
|
|
||||||
days-before-close: 7
|
|
||||||
only-labels: awaiting-response
|
|
||||||
|
|
||||||
# do not mark PRs as stale
|
|
||||||
days-before-pr-stale: -1
|
|
||||||
days-before-pr-close: -1
|
|
||||||
|
|
||||||
# Uncomment for dry-run
|
|
||||||
# debug-only: true
|
|
||||||
# operations-per-run: 1000
|
|
||||||
17
.github/workflows/codeql-analysis.yml
vendored
17
.github/workflows/codeql-analysis.yml
vendored
@@ -2,15 +2,7 @@ name: "Code scanning - action"
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- 'rc/*'
|
|
||||||
pull_request:
|
pull_request:
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- 'rc/*'
|
|
||||||
paths:
|
|
||||||
- 'csharp/**'
|
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 9 * * 1'
|
- cron: '0 9 * * 1'
|
||||||
|
|
||||||
@@ -22,6 +14,15 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
|
with:
|
||||||
|
# We must fetch at least the immediate parents so that if this is
|
||||||
|
# a pull request then we can checkout the head.
|
||||||
|
fetch-depth: 2
|
||||||
|
|
||||||
|
# If this run was triggered by a pull request event, then checkout
|
||||||
|
# the head of the pull request instead of the merge commit.
|
||||||
|
- run: git checkout HEAD^2
|
||||||
|
if: ${{ github.event_name == 'pull_request' }}
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
|
|||||||
59
.github/workflows/generate-query-help-docs.yml
vendored
Normal file
59
.github/workflows/generate-query-help-docs.yml
vendored
Normal file
@@ -0,0 +1,59 @@
|
|||||||
|
name: Generate CodeQL query help documentation using Sphinx
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
description:
|
||||||
|
description: A description of the purpose of this job. For human consumption.
|
||||||
|
required: false
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- 'lgtm.com'
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- 'docs/codeql/query-help/**'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Clone github/codeql
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
with:
|
||||||
|
path: codeql
|
||||||
|
- name: Clone github/codeql-go
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
with:
|
||||||
|
repository: 'github/codeql-go'
|
||||||
|
path: codeql-go
|
||||||
|
- name: Set up Python 3.8
|
||||||
|
uses: actions/setup-python@v2
|
||||||
|
with:
|
||||||
|
python-version: 3.8
|
||||||
|
- name: Download CodeQL CLI
|
||||||
|
uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
|
||||||
|
with:
|
||||||
|
repo: "github/codeql-cli-binaries"
|
||||||
|
version: "latest"
|
||||||
|
file: "codeql-linux64.zip"
|
||||||
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Unzip CodeQL CLI
|
||||||
|
run: unzip -d codeql-cli codeql-linux64.zip
|
||||||
|
- name: Set up query help docs folder
|
||||||
|
run: |
|
||||||
|
cp -r codeql/docs/codeql/** .
|
||||||
|
- name: Query help to markdown
|
||||||
|
run: |
|
||||||
|
PATH="$PATH:codeql-cli/codeql" python codeql/docs/codeql/query-help-markdown.py
|
||||||
|
- name: Run Sphinx for query help
|
||||||
|
uses: ammaraskar/sphinx-action@master
|
||||||
|
with:
|
||||||
|
docs-folder: "query-help/"
|
||||||
|
pre-build-command: "python -m pip install --upgrade recommonmark"
|
||||||
|
build-command: "sphinx-build -b dirhtml . _build"
|
||||||
|
- name: Upload HTML artifacts
|
||||||
|
uses: actions/upload-artifact@v2
|
||||||
|
with:
|
||||||
|
name: query-help-html
|
||||||
|
path: query-help/_build
|
||||||
|
|
||||||
3
.gitignore
vendored
3
.gitignore
vendored
@@ -17,9 +17,6 @@
|
|||||||
# Byte-compiled python files
|
# Byte-compiled python files
|
||||||
*.pyc
|
*.pyc
|
||||||
|
|
||||||
# python virtual environment folder
|
|
||||||
.venv/
|
|
||||||
|
|
||||||
# It's useful (though not required) to be able to unpack codeql in the ql checkout itself
|
# It's useful (though not required) to be able to unpack codeql in the ql checkout itself
|
||||||
/codeql/
|
/codeql/
|
||||||
|
|
||||||
|
|||||||
25
CODEOWNERS
25
CODEOWNERS
@@ -4,16 +4,17 @@
|
|||||||
/javascript/ @github/codeql-javascript
|
/javascript/ @github/codeql-javascript
|
||||||
/python/ @github/codeql-python
|
/python/ @github/codeql-python
|
||||||
|
|
||||||
# Make @xcorail (GitHub Security Lab) a code owner for experimental queries so he gets pinged when we promote a query out of experimental
|
# Assign query help for docs review
|
||||||
/cpp/**/experimental/**/* @github/codeql-c-analysis @xcorail
|
/cpp/**/*.qhelp @hubwriter
|
||||||
/csharp/**/experimental/**/* @github/codeql-csharp @xcorail
|
/csharp/**/*.qhelp @jf205
|
||||||
/java/**/experimental/**/* @github/codeql-java @xcorail
|
/java/**/*.qhelp @felicitymay
|
||||||
/javascript/**/experimental/**/* @github/codeql-javascript @xcorail
|
/javascript/**/*.qhelp @mchammer01
|
||||||
/python/**/experimental/**/* @github/codeql-python @xcorail
|
/python/**/*.qhelp @felicitymay
|
||||||
|
/docs/language/ @shati-patel @jf205
|
||||||
|
|
||||||
# Notify members of codeql-go about PRs to the shared data-flow library files
|
# Exclude help for experimental queries from docs review
|
||||||
/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @github/codeql-java @github/codeql-go
|
/cpp/**/experimental/**/*.qhelp @github/codeql-c-analysis
|
||||||
/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @github/codeql-java @github/codeql-go
|
/csharp/**/experimental/**/*.qhelp @github/codeql-csharp
|
||||||
/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
|
/java/**/experimental/**/*.qhelp @github/codeql-java
|
||||||
/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
|
/javascript/**/experimental/**/*.qhelp @github/codeql-javascript
|
||||||
/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
|
/python/**/experimental/**/*.qhelp @github/codeql-python
|
||||||
|
|||||||
@@ -38,8 +38,6 @@ If you have an idea for a query that you would like to share with other CodeQL u
|
|||||||
|
|
||||||
- The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html).
|
- The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html).
|
||||||
|
|
||||||
If you prefer, you can use this [pre-commit hook](misc/scripts/pre-commit) that automatically checks whether your files are correctly formatted. See the [pre-commit hook installation guide](docs/pre-commit-hook-setup.md) for instructions on how to install the hook.
|
|
||||||
|
|
||||||
4. **Compilation**
|
4. **Compilation**
|
||||||
|
|
||||||
- Compilation of the query and any associated libraries and tests must be resilient to future development of the [supported](docs/supported-queries.md) libraries. This means that the functionality cannot use internal libraries, cannot depend on the output of `getAQlClass`, and cannot make use of regexp matching on `toString`.
|
- Compilation of the query and any associated libraries and tests must be resilient to future development of the [supported](docs/supported-queries.md) libraries. This means that the functionality cannot use internal libraries, cannot depend on the output of `getAQlClass`, and cannot make use of regexp matching on `toString`.
|
||||||
@@ -49,11 +47,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
|
|||||||
|
|
||||||
- The query must have at least one true positive result on some revision of a real project.
|
- The query must have at least one true positive result on some revision of a real project.
|
||||||
|
|
||||||
6. **Query help files and unit tests**
|
Experimental queries and libraries may not be actively maintained as the [supported](docs/supported-queries.md) libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
|
||||||
|
|
||||||
- Query help (`.qhelp`) files and unit tests are optional (but strongly encouraged!) for queries in the `experimental` directories. For more information about contributing query help files and unit tests, see [Supported CodeQL queries and libraries](docs/supported-queries.md).
|
|
||||||
|
|
||||||
Experimental queries and libraries may not be actively maintained as the supported libraries evolve. They may also be changed in backwards-incompatible ways or may be removed entirely in the future without deprecation warnings.
|
|
||||||
|
|
||||||
After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
|
After the experimental query is merged, we welcome pull requests to improve it. Before a query can be moved out of the `experimental` subdirectory, it must satisfy [the requirements for being a supported query](docs/supported-queries.md).
|
||||||
|
|
||||||
|
|||||||
@@ -4,34 +4,19 @@ The following changes in version 1.26 affect Python analysis in all applications
|
|||||||
|
|
||||||
## General improvements
|
## General improvements
|
||||||
|
|
||||||
|
|
||||||
|
## New queries
|
||||||
|
|
||||||
|
| **Query** | **Tags** | **Purpose** |
|
||||||
|
|-----------------------------|-----------|--------------------------------------------------------------------|
|
||||||
|
|
||||||
|
|
||||||
## Changes to existing queries
|
## Changes to existing queries
|
||||||
|
|
||||||
| **Query** | **Expected impact** | **Change** |
|
| **Query** | **Expected impact** | **Change** |
|
||||||
|----------------------------|------------------------|------------------------------------------------------------------|
|
|----------------------------|------------------------|------------------------------------------------------------------|
|
||||||
|`py/unsafe-deserialization` | Different results. | The underlying data flow library has been changed. See below for more details. |
|
|
||||||
|`py/path-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
|
|
||||||
|`py/command-line-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
|
|
||||||
|`py/reflective-xss` | Different results. | The underlying data flow library has been changed. See below for more details. |
|
|
||||||
|`py/sql-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
|
|
||||||
|`py/code-injection` | Different results. | The underlying data flow library has been changed. See below for more details. |
|
|
||||||
## Changes to libraries
|
## Changes to libraries
|
||||||
* Some of the security queries now use the shared data flow library for data flow and taint tracking. This has resulted in an overall more robust and accurate analysis. The libraries mentioned below have been modelled in this new framework. Other libraries (e.g. the web framework `CherryPy`) have not been modelled yet, and this may lead to a temporary loss of results for these frameworks.
|
|
||||||
* Improved modelling of the following serialization libraries:
|
|
||||||
- `PyYAML`
|
|
||||||
- `dill`
|
|
||||||
- `pickle`
|
|
||||||
- `marshal`
|
|
||||||
* Improved modelling of the following web frameworks:
|
|
||||||
- `Django` (Note that modelling of class-based response handlers is currently incomplete.)
|
|
||||||
- `Flask`
|
|
||||||
* Support for Werkzeug `MultiDict`.
|
|
||||||
* Support for the [Python Database API Specification v2.0 (PEP-249)](https://www.python.org/dev/peps/pep-0249/), including the following libraries:
|
|
||||||
- `MySQLdb`
|
|
||||||
- `mysql-connector-python`
|
|
||||||
- `django.db`
|
|
||||||
* Improved modelling of the following command execution libraries:
|
|
||||||
- `Fabric`
|
|
||||||
- `Invoke`
|
|
||||||
* Improved modelling of security-related standard library modules, such as `os`, `popen2`, `platform`, and `base64`.
|
|
||||||
* The original versions of the updated queries have been preserved [here](https://github.com/github/codeql/tree/main/python/ql/src/experimental/Security-old-dataflow).
|
|
||||||
* Added taint tracking support for string formatting through f-strings.
|
* Added taint tracking support for string formatting through f-strings.
|
||||||
|
|||||||
@@ -36,7 +36,6 @@
|
|||||||
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
|
||||||
@@ -56,10 +55,6 @@
|
|||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
|
||||||
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
|
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
|
||||||
],
|
],
|
||||||
"DataFlow Java/C# Flow Summaries": [
|
|
||||||
"java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
|
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
|
|
||||||
],
|
|
||||||
"SsaReadPosition Java/C#": [
|
"SsaReadPosition Java/C#": [
|
||||||
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
|
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
|
||||||
@@ -361,17 +356,8 @@
|
|||||||
],
|
],
|
||||||
"Inline Test Expectations": [
|
"Inline Test Expectations": [
|
||||||
"cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
"cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
||||||
"java/ql/test/TestUtilities/InlineExpectationsTest.qll",
|
|
||||||
"python/ql/test/TestUtilities/InlineExpectationsTest.qll"
|
"python/ql/test/TestUtilities/InlineExpectationsTest.qll"
|
||||||
],
|
],
|
||||||
"C++ ExternalAPIs": [
|
|
||||||
"cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
|
|
||||||
"cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
|
|
||||||
],
|
|
||||||
"C++ SafeExternalAPIFunction": [
|
|
||||||
"cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll",
|
|
||||||
"cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
|
|
||||||
],
|
|
||||||
"XML": [
|
"XML": [
|
||||||
"cpp/ql/src/semmle/code/cpp/XML.qll",
|
"cpp/ql/src/semmle/code/cpp/XML.qll",
|
||||||
"csharp/ql/src/semmle/code/csharp/XML.qll",
|
"csharp/ql/src/semmle/code/csharp/XML.qll",
|
||||||
@@ -379,49 +365,50 @@
|
|||||||
"javascript/ql/src/semmle/javascript/XML.qll",
|
"javascript/ql/src/semmle/javascript/XML.qll",
|
||||||
"python/ql/src/semmle/python/xml/XML.qll"
|
"python/ql/src/semmle/python/xml/XML.qll"
|
||||||
],
|
],
|
||||||
"DuplicationProblems.inc.qhelp": [
|
"DuplicationProblems.qhelp": [
|
||||||
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
|
"cpp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
|
||||||
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
|
"csharp/ql/src/Metrics/Files/DuplicationProblems.qhelp",
|
||||||
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
|
"javascript/ql/src/Metrics/DuplicationProblems.qhelp",
|
||||||
|
"python/ql/src/Metrics/DuplicationProblems.qhelp"
|
||||||
],
|
],
|
||||||
"CommentedOutCodeQuery.inc.qhelp": [
|
"CommentedOutCodeQuery.qhelp": [
|
||||||
"cpp/ql/src/Documentation/CommentedOutCodeQuery.inc.qhelp",
|
"cpp/ql/src/Documentation/CommentedOutCodeQuery.qhelp",
|
||||||
"python/ql/src/Lexical/CommentedOutCodeQuery.inc.qhelp",
|
"python/ql/src/Lexical/CommentedOutCodeQuery.qhelp",
|
||||||
"csharp/ql/src/Bad Practices/Comments/CommentedOutCodeQuery.inc.qhelp",
|
"csharp/ql/src/Bad Practices/Comments/CommentedOutCodeQuery.qhelp",
|
||||||
"java/ql/src/Violations of Best Practice/Comments/CommentedOutCodeQuery.inc.qhelp",
|
"java/ql/src/Violations of Best Practice/Comments/CommentedOutCodeQuery.qhelp",
|
||||||
"javascript/ql/src/Comments/CommentedOutCodeQuery.inc.qhelp"
|
"javascript/ql/src/Comments/CommentedOutCodeQuery.qhelp"
|
||||||
],
|
],
|
||||||
"FLinesOfCodeReferences.inc.qhelp": [
|
"FLinesOfCodeReferences.qhelp": [
|
||||||
"java/ql/src/Metrics/Files/FLinesOfCodeReferences.inc.qhelp",
|
"java/ql/src/Metrics/Files/FLinesOfCodeReferences.qhelp",
|
||||||
"javascript/ql/src/Metrics/FLinesOfCodeReferences.inc.qhelp"
|
"javascript/ql/src/Metrics/FLinesOfCodeReferences.qhelp"
|
||||||
],
|
],
|
||||||
"FCommentRatioCommon.inc.qhelp": [
|
"FCommentRatioCommon.qhelp": [
|
||||||
"java/ql/src/Metrics/Files/FCommentRatioCommon.inc.qhelp",
|
"java/ql/src/Metrics/Files/FCommentRatioCommon.qhelp",
|
||||||
"javascript/ql/src/Metrics/FCommentRatioCommon.inc.qhelp"
|
"javascript/ql/src/Metrics/FCommentRatioCommon.qhelp"
|
||||||
],
|
],
|
||||||
"FLinesOfCodeOverview.inc.qhelp": [
|
"FLinesOfCodeOverview.qhelp": [
|
||||||
"java/ql/src/Metrics/Files/FLinesOfCodeOverview.inc.qhelp",
|
"java/ql/src/Metrics/Files/FLinesOfCodeOverview.qhelp",
|
||||||
"javascript/ql/src/Metrics/FLinesOfCodeOverview.inc.qhelp"
|
"javascript/ql/src/Metrics/FLinesOfCodeOverview.qhelp"
|
||||||
],
|
],
|
||||||
"CommentedOutCodeMetricOverview.inc.qhelp": [
|
"CommentedOutCodeMetricOverview.qhelp": [
|
||||||
"cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
|
"cpp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
|
||||||
"csharp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
|
"csharp/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
|
||||||
"java/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.inc.qhelp",
|
"java/ql/src/Metrics/Files/CommentedOutCodeMetricOverview.qhelp",
|
||||||
"javascript/ql/src/Comments/CommentedOutCodeMetricOverview.inc.qhelp",
|
"javascript/ql/src/Comments/CommentedOutCodeMetricOverview.qhelp",
|
||||||
"python/ql/src/Lexical/CommentedOutCodeMetricOverview.inc.qhelp"
|
"python/ql/src/Lexical/CommentedOutCodeMetricOverview.qhelp"
|
||||||
],
|
],
|
||||||
"FLinesOfDuplicatedCodeCommon.inc.qhelp": [
|
"FLinesOfDuplicatedCodeCommon.qhelp": [
|
||||||
"cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.inc.qhelp",
|
"cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
|
||||||
"java/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.inc.qhelp",
|
"java/ql/src/Metrics/Files/FLinesOfDuplicatedCodeCommon.qhelp",
|
||||||
"javascript/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.inc.qhelp",
|
"javascript/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp",
|
||||||
"python/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.inc.qhelp"
|
"python/ql/src/Metrics/FLinesOfDuplicatedCodeCommon.qhelp"
|
||||||
],
|
],
|
||||||
"CommentedOutCodeReferences.inc.qhelp": [
|
"CommentedOutCodeReferences.qhelp": [
|
||||||
"cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
|
"cpp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
|
||||||
"csharp/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
|
"csharp/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
|
||||||
"java/ql/src/Metrics/Files/CommentedOutCodeReferences.inc.qhelp",
|
"java/ql/src/Metrics/Files/CommentedOutCodeReferences.qhelp",
|
||||||
"javascript/ql/src/Comments/CommentedOutCodeReferences.inc.qhelp",
|
"javascript/ql/src/Comments/CommentedOutCodeReferences.qhelp",
|
||||||
"python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
|
"python/ql/src/Lexical/CommentedOutCodeReferences.qhelp"
|
||||||
],
|
],
|
||||||
"IDE Contextual Queries": [
|
"IDE Contextual Queries": [
|
||||||
"cpp/ql/src/IDEContextual.qll",
|
"cpp/ql/src/IDEContextual.qll",
|
||||||
@@ -429,15 +416,5 @@
|
|||||||
"java/ql/src/IDEContextual.qll",
|
"java/ql/src/IDEContextual.qll",
|
||||||
"javascript/ql/src/IDEContextual.qll",
|
"javascript/ql/src/IDEContextual.qll",
|
||||||
"python/ql/src/analysis/IDEContextual.qll"
|
"python/ql/src/analysis/IDEContextual.qll"
|
||||||
],
|
|
||||||
"SSA C#": [
|
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
|
|
||||||
"csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
|
|
||||||
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
|
|
||||||
"csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
|
|
||||||
],
|
|
||||||
"CryptoAlgorithms Python/JS": [
|
|
||||||
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
|
||||||
"python/ql/src/semmle/crypto/Crypto.qll"
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@@ -5,7 +5,6 @@ using System;
|
|||||||
using System.Linq;
|
using System.Linq;
|
||||||
using Microsoft.Build.Construction;
|
using Microsoft.Build.Construction;
|
||||||
using System.Xml;
|
using System.Xml;
|
||||||
using System.IO;
|
|
||||||
|
|
||||||
namespace Semmle.Autobuild.Cpp.Tests
|
namespace Semmle.Autobuild.Cpp.Tests
|
||||||
{
|
{
|
||||||
@@ -44,8 +43,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
|
public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
|
||||||
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
|
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
|
||||||
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
|
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
|
||||||
public HashSet<string> CreateDirectories { get; } = new HashSet<string>();
|
|
||||||
public HashSet<(string, string)> DownloadFiles { get; } = new HashSet<(string, string)>();
|
|
||||||
|
|
||||||
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
|
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
|
||||||
{
|
{
|
||||||
@@ -138,14 +135,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
|
|
||||||
string IBuildActions.GetFullPath(string path) => path;
|
string IBuildActions.GetFullPath(string path) => path;
|
||||||
|
|
||||||
string? IBuildActions.GetFileName(string? path) => Path.GetFileName(path?.Replace('\\', '/'));
|
|
||||||
|
|
||||||
public string? GetDirectoryName(string? path)
|
|
||||||
{
|
|
||||||
var dir = Path.GetDirectoryName(path?.Replace('\\', '/'));
|
|
||||||
return dir is null ? path : path?.Substring(0, dir.Length);
|
|
||||||
}
|
|
||||||
|
|
||||||
void IBuildActions.WriteAllText(string filename, string contents)
|
void IBuildActions.WriteAllText(string filename, string contents)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
@@ -164,18 +153,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
s = s.Replace($"%{kvp.Key}%", kvp.Value);
|
s = s.Replace($"%{kvp.Key}%", kvp.Value);
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void CreateDirectory(string path)
|
|
||||||
{
|
|
||||||
if (!CreateDirectories.Contains(path))
|
|
||||||
throw new ArgumentException($"Missing CreateDirectory, {path}");
|
|
||||||
}
|
|
||||||
|
|
||||||
public void DownloadFile(string address, string fileName)
|
|
||||||
{
|
|
||||||
if (!DownloadFiles.Contains((address, fileName)))
|
|
||||||
throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
@@ -236,7 +213,6 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
|
||||||
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
|
||||||
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
|
||||||
Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
|
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
|
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
|
||||||
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
|
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
|
||||||
@@ -297,8 +273,7 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
[Fact]
|
[Fact]
|
||||||
public void TestCppAutobuilderSuccess()
|
public void TestCppAutobuilderSuccess()
|
||||||
{
|
{
|
||||||
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
|
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test.sln"] = 1;
|
||||||
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
|
|
||||||
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
|
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
|
||||||
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
|
||||||
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
|
||||||
@@ -311,13 +286,11 @@ namespace Semmle.Autobuild.Cpp.Tests
|
|||||||
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
|
||||||
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
|
||||||
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
Actions.EnumerateDirectories[@"C:\Project"] = "";
|
||||||
Actions.CreateDirectories.Add(@"C:\Project\.nuget");
|
|
||||||
Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
|
|
||||||
|
|
||||||
var autobuilder = CreateAutoBuilder(true);
|
var autobuilder = CreateAutoBuilder(true);
|
||||||
var solution = new TestSolution(@"C:\Project\test.sln");
|
var solution = new TestSolution(@"C:\Project\test.sln");
|
||||||
autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
|
autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
|
||||||
TestAutobuilderScript(autobuilder, 0, 3);
|
TestAutobuilderScript(autobuilder, 0, 2);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<OutputType>Exe</OutputType>
|
<OutputType>Exe</OutputType>
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>netcoreapp3.1</TargetFramework>
|
||||||
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
<GenerateAssemblyInfo>false</GenerateAssemblyInfo>
|
||||||
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
<RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers>
|
||||||
<Nullable>enable</Nullable>
|
<Nullable>enable</Nullable>
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
<Project Sdk="Microsoft.NET.Sdk">
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<TargetFramework>net5.0</TargetFramework>
|
<TargetFramework>netcoreapp3.1</TargetFramework>
|
||||||
<AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
|
<AssemblyName>Semmle.Autobuild.Cpp</AssemblyName>
|
||||||
<RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
|
<RootNamespace>Semmle.Autobuild.Cpp</RootNamespace>
|
||||||
<ApplicationIcon />
|
<ApplicationIcon />
|
||||||
@@ -17,7 +17,7 @@
|
|||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.Build" Version="16.9.0" />
|
<PackageReference Include="Microsoft.Build" Version="16.0.461" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* `FormattingFunction.getOutputParameterIndex` now has a parameter identifying whether the output at that index is a buffer or a stream.
|
|
||||||
* `FormattingFunction` now has a predicate `isOutputGlobal` indicating when the output is to a global stream.
|
|
||||||
* The `primitiveVariadicFormatter` and `variadicFormatter` predicates have more parameters exposing information about the function.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* Various classes in `semmle.code.cpp.models.implementations` have been made private. Users should not depend on library implementation details.
|
|
||||||
* The `OperatorNewAllocationFunction`, `OperatorDeleteDeallocationFunction`, `Iterator` and `Snprintf` classes now have interfaces in `semmle.code.cpp.models.interfaces`.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* A new query (`cpp/unsafe-use-of-this`) has been added. The query finds pure virtual function calls whose qualifier is an object under construction.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The queries `cpp/local-variable-hides-global-variable` and `cpp/missing-header-guard` now have severity `recommendation` instead of `warning`.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* A new query (`cpp/unsigned-difference-expression-compared-zero`) is run but not yet displayed on LGTM. The query finds unsigned subtractions used in relational comparisons with the value 0. This query was originally submitted as an experimental query by @ihsinme in https://github.com/github/codeql/pull/4745.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* A new query (`cpp/memset-may-be-deleted`) is added to the default query suite. The query finds calls to `memset` that may be removed by the compiler. This behavior can make information-leak vulnerabilities easier to exploit. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/4953).
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The data-flow library now recognises more side-effects of method chaining (e.g. `someObject.setX(clean).setY(tainted).setZ...` having a side-effect on `someObject`), as well as other related circumstances where a function input is directly passed to its output. All queries that use data-flow analysis, including most security queries, may return more results accordingly.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
codescanning
|
|
||||||
* Added cpp/diagnostics/failed-extractions. This query gives information about which extractions did not run to completion.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The 'Resource not released in destructor' (cpp/resource-not-released-in-destructor) query has been improved to recognize more releases of resources.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm,codescanning
|
|
||||||
* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
lgtm
|
|
||||||
* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.
|
|
||||||
@@ -9,8 +9,6 @@
|
|||||||
+ semmlecode-cpp-queries/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql: /Correctness/Dangerous Conversions
|
+ semmlecode-cpp-queries/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql: /Correctness/Dangerous Conversions
|
||||||
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql: /Correctness/Dangerous Conversions
|
+ semmlecode-cpp-queries/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql: /Correctness/Dangerous Conversions
|
||||||
+ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
|
+ semmlecode-cpp-queries/Security/CWE/CWE-253/HResultBooleanConversion.ql: /Correctness/Dangerous Conversions
|
||||||
+ semmlecode-cpp-queries/Likely Bugs/OO/UnsafeUseOfThis.ql: /Correctness/Dangerous Conversions
|
|
||||||
+ semmlecode-cpp-queries/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql: /Correctness/Dangerous Conversions
|
|
||||||
# Consistent Use
|
# Consistent Use
|
||||||
+ semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
|
+ semmlecode-cpp-queries/Critical/ReturnValueIgnored.ql: /Correctness/Consistent Use
|
||||||
+ semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
|
+ semmlecode-cpp-queries/Likely Bugs/InconsistentCheckReturnNull.ql: /Correctness/Consistent Use
|
||||||
|
|||||||
@@ -4,6 +4,9 @@
|
|||||||
* @kind graph
|
* @kind graph
|
||||||
* @id cpp/architecture/class-hierarchies
|
* @id cpp/architecture/class-hierarchies
|
||||||
* @graph.layout organic
|
* @graph.layout organic
|
||||||
|
* @workingset jhotdraw
|
||||||
|
* @result succeed 48
|
||||||
|
* @result_ondemand succeed 48
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -4,6 +4,9 @@
|
|||||||
* @kind chart
|
* @kind chart
|
||||||
* @id cpp/architecture/inheritance-depth-distribution
|
* @id cpp/architecture/inheritance-depth-distribution
|
||||||
* @chart.type line
|
* @chart.type line
|
||||||
|
* @workingset jhotdraw
|
||||||
|
* @result succeed 48
|
||||||
|
* @result_ondemand succeed 48
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
/**
|
/**
|
||||||
* @name Global namespace classes
|
* @name Global namespace classes
|
||||||
* @description Finds classes that belong to no namespace.
|
* @description Finds classes that belong to no namespace.
|
||||||
* @kind problem
|
* @kind table
|
||||||
* @problem.severity recommendation
|
|
||||||
* @id cpp/architecture/global-namespace-classes
|
* @id cpp/architecture/global-namespace-classes
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* modularity
|
* modularity
|
||||||
|
|||||||
@@ -4,6 +4,9 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/architecture/classes-with-many-dependencies
|
* @id cpp/architecture/classes-with-many-dependencies
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
|
* @workingset jhotdraw
|
||||||
|
* @result succeed 20
|
||||||
|
* @result_ondemand succeed 20
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
* statistical
|
* statistical
|
||||||
* non-attributable
|
* non-attributable
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
* @name Local variable hides global variable
|
* @name Local variable hides global variable
|
||||||
* @description A local variable or parameter that hides a global variable of the same name. This may be confusing. Consider renaming one of the variables.
|
* @description A local variable or parameter that hides a global variable of the same name. This may be confusing. Consider renaming one of the variables.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity recommendation
|
* @problem.severity warning
|
||||||
* @precision very-high
|
* @precision very-high
|
||||||
* @id cpp/local-variable-hides-global-variable
|
* @id cpp/local-variable-hides-global-variable
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/offset-use-before-range-check
|
* @id cpp/offset-use-before-range-check
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.1
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -8,41 +8,168 @@ import semmle.code.cpp.AutogeneratedFile
|
|||||||
predicate trivialPositiveIntValue(string s) {
|
predicate trivialPositiveIntValue(string s) {
|
||||||
// Small numbers
|
// Small numbers
|
||||||
s = [0 .. 20].toString() or
|
s = [0 .. 20].toString() or
|
||||||
s =
|
// Popular powers of two (decimal)
|
||||||
[
|
s = "16" or
|
||||||
// Popular powers of two (decimal)
|
s = "24" or
|
||||||
"16", "24", "32", "64", "128", "256", "512", "1024", "2048", "4096", "16384", "32768",
|
s = "32" or
|
||||||
"65536", "1048576", "2147483648", "4294967296",
|
s = "64" or
|
||||||
// Popular powers of two, minus one (decimal)
|
s = "128" or
|
||||||
"15", "31", "63", "127", "255", "511", "1023", "2047", "4095", "16383", "32767", "65535",
|
s = "256" or
|
||||||
"1048577", "2147483647", "4294967295",
|
s = "512" or
|
||||||
// Popular powers of two (32-bit hex)
|
s = "1024" or
|
||||||
"0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010", "0x00000020",
|
s = "2048" or
|
||||||
"0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400", "0x00000800",
|
s = "4096" or
|
||||||
"0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000", "0x00020000",
|
s = "16384" or
|
||||||
"0x00040000", "0x00080000", "0x00100000", "0x00200000", "0x00400000", "0x00800000",
|
s = "32768" or
|
||||||
"0x01000000", "0x02000000", "0x04000000", "0x08000000", "0x10000000", "0x20000000",
|
s = "65536" or
|
||||||
"0x40000000", "0x80000000",
|
s = "1048576" or
|
||||||
// Popular powers of two, minus one (32-bit hex)
|
s = "2147483648" or
|
||||||
"0x00000001", "0x00000003", "0x00000007", "0x0000000f", "0x0000001f", "0x0000003f",
|
s = "4294967296" or
|
||||||
"0x0000007f", "0x000000ff", "0x000001ff", "0x000003ff", "0x000007ff", "0x00000fff",
|
// Popular powers of two, minus one (decimal)
|
||||||
"0x00001fff", "0x00003fff", "0x00007fff", "0x0000ffff", "0x0001ffff", "0x0003ffff",
|
s = "15" or
|
||||||
"0x0007ffff", "0x000fffff", "0x001fffff", "0x003fffff", "0x007fffff", "0x00ffffff",
|
s = "31" or
|
||||||
"0x01ffffff", "0x03ffffff", "0x07ffffff", "0x0fffffff", "0x1fffffff", "0x3fffffff",
|
s = "63" or
|
||||||
"0x7fffffff", "0xffffffff",
|
s = "127" or
|
||||||
// Popular powers of two (16-bit hex)
|
s = "255" or
|
||||||
"0x0001", "0x0002", "0x0004", "0x0008", "0x0010", "0x0020", "0x0040", "0x0080", "0x0100",
|
s = "511" or
|
||||||
"0x0200", "0x0400", "0x0800", "0x1000", "0x2000", "0x4000", "0x8000",
|
s = "1023" or
|
||||||
// Popular powers of two, minus one (16-bit hex)
|
s = "2047" or
|
||||||
"0x0001", "0x0003", "0x0007", "0x000f", "0x001f", "0x003f", "0x007f", "0x00ff", "0x01ff",
|
s = "4095" or
|
||||||
"0x03ff", "0x07ff", "0x0fff", "0x1fff", "0x3fff", "0x7fff", "0xffff",
|
s = "16383" or
|
||||||
// Popular powers of two (8-bit hex)
|
s = "32767" or
|
||||||
"0x01", "0x02", "0x04", "0x08", "0x10", "0x20", "0x40", "0x80",
|
s = "65535" or
|
||||||
// Popular powers of two, minus one (8-bit hex)
|
s = "1048577" or
|
||||||
"0x01", "0x03", "0x07", "0x0f", "0x1f", "0x3f", "0x7f", "0xff", "0x00",
|
s = "2147483647" or
|
||||||
// Powers of ten
|
s = "4294967295" or
|
||||||
"10", "100", "1000", "10000", "100000", "1000000", "10000000", "100000000", "1000000000"
|
// Popular powers of two (32-bit hex)
|
||||||
]
|
s = "0x00000001" or
|
||||||
|
s = "0x00000002" or
|
||||||
|
s = "0x00000004" or
|
||||||
|
s = "0x00000008" or
|
||||||
|
s = "0x00000010" or
|
||||||
|
s = "0x00000020" or
|
||||||
|
s = "0x00000040" or
|
||||||
|
s = "0x00000080" or
|
||||||
|
s = "0x00000100" or
|
||||||
|
s = "0x00000200" or
|
||||||
|
s = "0x00000400" or
|
||||||
|
s = "0x00000800" or
|
||||||
|
s = "0x00001000" or
|
||||||
|
s = "0x00002000" or
|
||||||
|
s = "0x00004000" or
|
||||||
|
s = "0x00008000" or
|
||||||
|
s = "0x00010000" or
|
||||||
|
s = "0x00020000" or
|
||||||
|
s = "0x00040000" or
|
||||||
|
s = "0x00080000" or
|
||||||
|
s = "0x00100000" or
|
||||||
|
s = "0x00200000" or
|
||||||
|
s = "0x00400000" or
|
||||||
|
s = "0x00800000" or
|
||||||
|
s = "0x01000000" or
|
||||||
|
s = "0x02000000" or
|
||||||
|
s = "0x04000000" or
|
||||||
|
s = "0x08000000" or
|
||||||
|
s = "0x10000000" or
|
||||||
|
s = "0x20000000" or
|
||||||
|
s = "0x40000000" or
|
||||||
|
s = "0x80000000" or
|
||||||
|
// Popular powers of two, minus one (32-bit hex)
|
||||||
|
s = "0x00000001" or
|
||||||
|
s = "0x00000003" or
|
||||||
|
s = "0x00000007" or
|
||||||
|
s = "0x0000000f" or
|
||||||
|
s = "0x0000001f" or
|
||||||
|
s = "0x0000003f" or
|
||||||
|
s = "0x0000007f" or
|
||||||
|
s = "0x000000ff" or
|
||||||
|
s = "0x000001ff" or
|
||||||
|
s = "0x000003ff" or
|
||||||
|
s = "0x000007ff" or
|
||||||
|
s = "0x00000fff" or
|
||||||
|
s = "0x00001fff" or
|
||||||
|
s = "0x00003fff" or
|
||||||
|
s = "0x00007fff" or
|
||||||
|
s = "0x0000ffff" or
|
||||||
|
s = "0x0001ffff" or
|
||||||
|
s = "0x0003ffff" or
|
||||||
|
s = "0x0007ffff" or
|
||||||
|
s = "0x000fffff" or
|
||||||
|
s = "0x001fffff" or
|
||||||
|
s = "0x003fffff" or
|
||||||
|
s = "0x007fffff" or
|
||||||
|
s = "0x00ffffff" or
|
||||||
|
s = "0x01ffffff" or
|
||||||
|
s = "0x03ffffff" or
|
||||||
|
s = "0x07ffffff" or
|
||||||
|
s = "0x0fffffff" or
|
||||||
|
s = "0x1fffffff" or
|
||||||
|
s = "0x3fffffff" or
|
||||||
|
s = "0x7fffffff" or
|
||||||
|
s = "0xffffffff" or
|
||||||
|
// Popular powers of two (16-bit hex)
|
||||||
|
s = "0x0001" or
|
||||||
|
s = "0x0002" or
|
||||||
|
s = "0x0004" or
|
||||||
|
s = "0x0008" or
|
||||||
|
s = "0x0010" or
|
||||||
|
s = "0x0020" or
|
||||||
|
s = "0x0040" or
|
||||||
|
s = "0x0080" or
|
||||||
|
s = "0x0100" or
|
||||||
|
s = "0x0200" or
|
||||||
|
s = "0x0400" or
|
||||||
|
s = "0x0800" or
|
||||||
|
s = "0x1000" or
|
||||||
|
s = "0x2000" or
|
||||||
|
s = "0x4000" or
|
||||||
|
s = "0x8000" or
|
||||||
|
// Popular powers of two, minus one (16-bit hex)
|
||||||
|
s = "0x0001" or
|
||||||
|
s = "0x0003" or
|
||||||
|
s = "0x0007" or
|
||||||
|
s = "0x000f" or
|
||||||
|
s = "0x001f" or
|
||||||
|
s = "0x003f" or
|
||||||
|
s = "0x007f" or
|
||||||
|
s = "0x00ff" or
|
||||||
|
s = "0x01ff" or
|
||||||
|
s = "0x03ff" or
|
||||||
|
s = "0x07ff" or
|
||||||
|
s = "0x0fff" or
|
||||||
|
s = "0x1fff" or
|
||||||
|
s = "0x3fff" or
|
||||||
|
s = "0x7fff" or
|
||||||
|
s = "0xffff" or
|
||||||
|
// Popular powers of two (8-bit hex)
|
||||||
|
s = "0x01" or
|
||||||
|
s = "0x02" or
|
||||||
|
s = "0x04" or
|
||||||
|
s = "0x08" or
|
||||||
|
s = "0x10" or
|
||||||
|
s = "0x20" or
|
||||||
|
s = "0x40" or
|
||||||
|
s = "0x80" or
|
||||||
|
// Popular powers of two, minus one (8-bit hex)
|
||||||
|
s = "0x01" or
|
||||||
|
s = "0x03" or
|
||||||
|
s = "0x07" or
|
||||||
|
s = "0x0f" or
|
||||||
|
s = "0x1f" or
|
||||||
|
s = "0x3f" or
|
||||||
|
s = "0x7f" or
|
||||||
|
s = "0xff" or
|
||||||
|
s = "0x00" or
|
||||||
|
// Powers of ten
|
||||||
|
s = "10" or
|
||||||
|
s = "100" or
|
||||||
|
s = "1000" or
|
||||||
|
s = "10000" or
|
||||||
|
s = "100000" or
|
||||||
|
s = "1000000" or
|
||||||
|
s = "10000000" or
|
||||||
|
s = "100000000" or
|
||||||
|
s = "1000000000"
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate trivialIntValue(string s) {
|
predicate trivialIntValue(string s) {
|
||||||
@@ -108,7 +235,10 @@ predicate joiningStringTrivial(Literal lit) {
|
|||||||
// understand (which is against the spirit of these queries).
|
// understand (which is against the spirit of these queries).
|
||||||
stringLiteral(lit) and
|
stringLiteral(lit) and
|
||||||
exists(FunctionCall fc |
|
exists(FunctionCall fc |
|
||||||
fc.getTarget().getName() = ["operator+", "operator<<"] and
|
(
|
||||||
|
fc.getTarget().getName() = "operator+" or
|
||||||
|
fc.getTarget().getName() = "operator<<"
|
||||||
|
) and
|
||||||
fc.getAnArgument().getAChild*() = lit
|
fc.getAnArgument().getAChild*() = lit
|
||||||
) and
|
) and
|
||||||
lit.getValue().length() < 16
|
lit.getValue().length() < 16
|
||||||
@@ -161,7 +291,8 @@ predicate arrayInitializerChild(AggregateLiteral parent, Expr e) {
|
|||||||
|
|
||||||
// i.e. not a constant folded expression
|
// i.e. not a constant folded expression
|
||||||
predicate literallyLiteral(Literal lit) {
|
predicate literallyLiteral(Literal lit) {
|
||||||
lit.getValueText()
|
lit
|
||||||
|
.getValueText()
|
||||||
.regexpMatch(".*\".*|\\s*+[-+]?+\\s*+(0[xob][0-9a-fA-F]|[0-9])[0-9a-fA-F,._]*+([eE][-+]?+[0-9,._]*+)?+\\s*+[a-zA-Z]*+\\s*+")
|
.regexpMatch(".*\".*|\\s*+[-+]?+\\s*+(0[xob][0-9a-fA-F]|[0-9])[0-9a-fA-F,._]*+([eE][-+]?+[0-9,._]*+)?+\\s*+[a-zA-Z]*+\\s*+")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
It is likely that these conditions indicate an error in the branching condition.
|
It is likely that these conditions indicate an error in the branching condition.
|
||||||
Alternatively, the conditions may have been left behind after debugging.</p>
|
Alternatively, the conditions may have been left behind after debugging.</p>
|
||||||
|
|
||||||
<include src="aliasAnalysisWarning.inc.qhelp" />
|
<include src="aliasAnalysisWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -13,7 +13,7 @@ If left in the code base they increase object code size, decrease code comprehen
|
|||||||
This type of function may be part of the program's API and could be used by external programs.
|
This type of function may be part of the program's API and could be used by external programs.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="callGraphWarning.inc.qhelp" />
|
<include src="callGraphWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ This query looks at functions that return file or socket descriptors, but may re
|
|||||||
This can occur when an operation performed on the open descriptor fails, and the function returns with an error before it closes the open resource. An improperly handled error could cause the function to leak resource descriptors. Failing to close resources in the function that opened them also makes it more difficult to detect leaks.
|
This can occur when an operation performed on the open descriptor fails, and the function returns with an error before it closes the open resource. An improperly handled error could cause the function to leak resource descriptors. Failing to close resources in the function that opened them also makes it more difficult to detect leaks.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="dataFlowWarning.inc.qhelp" />
|
<include src="dataFlowWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/descriptor-may-not-be-closed
|
* @id cpp/descriptor-may-not-be-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ This rule finds calls to <code>socket</code> where there is no corresponding <co
|
|||||||
Leaving descriptors open will cause a resource leak that will persist even after the program terminates.
|
Leaving descriptors open will cause a resource leak that will persist even after the program terminates.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="aliasAnalysisWarning.inc.qhelp" />
|
<include src="aliasAnalysisWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/descriptor-never-closed
|
* @id cpp/descriptor-never-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ This rule looks at functions that return a <code>FILE*</code>, but may return an
|
|||||||
This can occur when an operation performed on the open descriptor fails, and the function returns with an error before closing the open resource. An improperly handled error may cause the function to leak file descriptors.
|
This can occur when an operation performed on the open descriptor fails, and the function returns with an error before closing the open resource. An improperly handled error may cause the function to leak file descriptors.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="dataFlowWarning.inc.qhelp" />
|
<include src="dataFlowWarning.qhelp" />
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/file-may-not-be-closed
|
* @id cpp/file-may-not-be-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ This rule finds calls to <code>fopen</code> with no corresponding <code>fclose</
|
|||||||
Leaving files open will cause a resource leak that will persist even after the program terminates.
|
Leaving files open will cause a resource leak that will persist even after the program terminates.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="aliasAnalysisWarning.inc.qhelp" />
|
<include src="aliasAnalysisWarning.qhelp" />
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/file-never-closed
|
* @id cpp/file-never-closed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.8
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-775
|
* external/cwe/cwe-775
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ Not all compilers generate code that zero-out memory, especially when optimizati
|
|||||||
is not compliant with the latest language standards. Accessing uninitialized memory will lead to undefined results.
|
is not compliant with the latest language standards. Accessing uninitialized memory will lead to undefined results.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="dataFlowWarning.inc.qhelp" />
|
<include src="dataFlowWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ Dereferencing a null pointer and attempting to modify its contents can lead to a
|
|||||||
important system data (including the interrupt table in some architectures).
|
important system data (including the interrupt table in some architectures).
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="pointsToWarning.inc.qhelp" />
|
<include src="pointsToWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/inconsistent-nullness-testing
|
* @id cpp/inconsistent-nullness-testing
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.5
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-476
|
* external/cwe/cwe-476
|
||||||
|
|||||||
@@ -11,7 +11,7 @@ Uninitialized variables may contain any value, as not all compilers generate cod
|
|||||||
optimizations are enabled or the compiler is not compliant with the latest language standards.
|
optimizations are enabled or the compiler is not compliant with the latest language standards.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="callGraphWarning.inc.qhelp" />
|
<include src="callGraphWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -13,7 +13,7 @@ after. Otherwise, if the value is negative then the program will have failed
|
|||||||
before performing the test.
|
before performing the test.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="dataFlowWarning.inc.qhelp" />
|
<include src="dataFlowWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
This rule looks for functions that allocate memory, but may return without freeing it. This can occur when an operation performed on the memory block fails, and the function returns with an error before freeing the allocated block. This causes the function to leak memory and may eventually lead to software failure.
|
This rule looks for functions that allocate memory, but may return without freeing it. This can occur when an operation performed on the memory block fails, and the function returns with an error before freeing the allocated block. This causes the function to leak memory and may eventually lead to software failure.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="dataFlowWarning.inc.qhelp" />
|
<include src="dataFlowWarning.qhelp" />
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memory-may-not-be-freed
|
* @id cpp/memory-may-not-be-freed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.5
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-401
|
* external/cwe/cwe-401
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ This rule finds calls to the <code>alloc</code> family of functions without a co
|
|||||||
This leads to memory leaks.
|
This leads to memory leaks.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="aliasAnalysisWarning.inc.qhelp" />
|
<include src="aliasAnalysisWarning.qhelp" />
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/memory-never-freed
|
* @id cpp/memory-never-freed
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.5
|
|
||||||
* @tags efficiency
|
* @tags efficiency
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-401
|
* external/cwe/cwe-401
|
||||||
|
|||||||
@@ -16,7 +16,7 @@ buffer overruns.
|
|||||||
The query looks only at the return values of functions that may return a negative value (not all functions).
|
The query looks only at the return values of functions that may return a negative value (not all functions).
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="dataFlowWarning.inc.qhelp" />
|
<include src="dataFlowWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/missing-null-test
|
* @id cpp/missing-null-test
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
* @problem.security-severity 7.5
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-476
|
* external/cwe/cwe-476
|
||||||
|
|||||||
@@ -63,7 +63,7 @@ destructors likely not be called (as previously noted), but the pointer will als
|
|||||||
potentially less of a serious issue than that posed by the first approach, but it should still be avoided.</li>
|
potentially less of a serious issue than that posed by the first approach, but it should still be avoided.</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<include src="pointsToWarning.inc.qhelp" />
|
<include src="pointsToWarning.qhelp" />
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -5,6 +5,8 @@
|
|||||||
import cpp
|
import cpp
|
||||||
import semmle.code.cpp.controlflow.SSA
|
import semmle.code.cpp.controlflow.SSA
|
||||||
import semmle.code.cpp.dataflow.DataFlow
|
import semmle.code.cpp.dataflow.DataFlow
|
||||||
|
import semmle.code.cpp.models.implementations.Allocation
|
||||||
|
import semmle.code.cpp.models.implementations.Deallocation
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if `alloc` is a use of `malloc` or `new`. `kind` is
|
* Holds if `alloc` is a use of `malloc` or `new`. `kind` is
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ an array (which could have header data specifying the length of the array) and w
|
|||||||
element of the 'array', which would likely lead to a segfault due to the invalid header data.
|
element of the 'array', which would likely lead to a segfault due to the invalid header data.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="pointsToWarning.inc.qhelp" />
|
<include src="pointsToWarning.qhelp" />
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -3,7 +3,6 @@
|
|||||||
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
|
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.5
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/new-free-mismatch
|
* @id cpp/new-free-mismatch
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ the data being copied. Buffer overflows can result to anything from a segmentati
|
|||||||
if the array is on stack-allocated memory).
|
if the array is on stack-allocated memory).
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="aliasAnalysisWarning.inc.qhelp" />
|
<include src="aliasAnalysisWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-calculated
|
* @id cpp/overflow-calculated
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 9.8
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-131
|
* external/cwe/cwe-131
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ Buffer overflows can lead to anything from a segmentation fault to a security vu
|
|||||||
Ensure that the size parameter is derived from the size of the destination buffer, and
|
Ensure that the size parameter is derived from the size of the destination buffer, and
|
||||||
not the source buffer.</p>
|
not the source buffer.</p>
|
||||||
|
|
||||||
<include src="aliasAnalysisWarning.inc.qhelp" />
|
<include src="aliasAnalysisWarning.qhelp" />
|
||||||
</recommendation>
|
</recommendation>
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/overflow-destination
|
* @id cpp/overflow-destination
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.8
|
|
||||||
* @precision low
|
* @precision low
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* may result in a buffer overflow.
|
* may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.8
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/static-buffer-overflow
|
* @id cpp/static-buffer-overflow
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ the contents of that memory become undefined after that. Clearly, using a pointe
|
|||||||
memory after the function has already returned will have undefined results.
|
memory after the function has already returned will have undefined results.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="pointsToWarning.inc.qhelp" />
|
<include src="pointsToWarning.qhelp" />
|
||||||
</overview>
|
</overview>
|
||||||
|
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* an instance of the type of the pointer may result in a buffer overflow
|
* an instance of the type of the pointer may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.1
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/allocation-too-small
|
* @id cpp/allocation-too-small
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* multiple instances of the type of the pointer may result in a buffer overflow
|
* multiple instances of the type of the pointer may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.1
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/suspicious-allocation-size
|
* @id cpp/suspicious-allocation-size
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ from a segfault to memory corruption that would cause subsequent calls to the dy
|
|||||||
erratically, to a possible security vulnerability.
|
erratically, to a possible security vulnerability.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<include src="pointsToWarning.inc.qhelp" />
|
<include src="pointsToWarning.qhelp" />
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/use-after-free
|
* @id cpp/use-after-free
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.8
|
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
* security
|
* security
|
||||||
* external/cwe/cwe-416
|
* external/cwe/cwe-416
|
||||||
|
|||||||
@@ -59,9 +59,14 @@ class Options extends string {
|
|||||||
predicate exits(Function f) {
|
predicate exits(Function f) {
|
||||||
f.getAnAttribute().hasName("noreturn")
|
f.getAnAttribute().hasName("noreturn")
|
||||||
or
|
or
|
||||||
f.hasGlobalOrStdName([
|
exists(string name | f.hasGlobalOrStdName(name) |
|
||||||
"exit", "_exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
|
name = "exit" or
|
||||||
])
|
name = "_exit" or
|
||||||
|
name = "abort" or
|
||||||
|
name = "__assert_fail" or
|
||||||
|
name = "longjmp" or
|
||||||
|
name = "__builtin_unreachable"
|
||||||
|
)
|
||||||
or
|
or
|
||||||
CustomOptions::exits(f) // old Options.qll
|
CustomOptions::exits(f) // old Options.qll
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,16 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Extraction errors
|
|
||||||
* @description List all extraction errors for files in the source code directory.
|
|
||||||
* @kind diagnostic
|
|
||||||
* @id cpp/diagnostics/extraction-errors
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import ExtractionErrors
|
|
||||||
|
|
||||||
from ExtractionError error
|
|
||||||
where
|
|
||||||
error instanceof ExtractionUnknownError or
|
|
||||||
exists(error.getFile().getRelativePath())
|
|
||||||
select error, "Extraction failed in " + error.getFile() + " with error " + error.getErrorMessage(),
|
|
||||||
error.getSeverity()
|
|
||||||
@@ -1,137 +0,0 @@
|
|||||||
/**
|
|
||||||
* Provides a common hierarchy of all types of errors that can occur during extraction.
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
|
|
||||||
/*
|
|
||||||
* A note about how the C/C++ extractor emits diagnostics:
|
|
||||||
* When the extractor frontend encounters an error, it emits a diagnostic message,
|
|
||||||
* that includes a message, location and severity.
|
|
||||||
* However, that process is best-effort and may fail (e.g. due to lack of memory).
|
|
||||||
* Thus, if the extractor emitted at least one diagnostic of severity discretionary
|
|
||||||
* error (or higher), it *also* emits a simple "There was an error during this compilation"
|
|
||||||
* error diagnostic, without location information.
|
|
||||||
* In the common case, this means that a compilation during which one or more errors happened also gets
|
|
||||||
* the catch-all diagnostic.
|
|
||||||
* This diagnostic has the empty string as file path.
|
|
||||||
* We filter out these useless diagnostics if there is at least one error-level diagnostic
|
|
||||||
* for the affected compilation in the database.
|
|
||||||
* Otherwise, we show it to indicate that something went wrong and that we
|
|
||||||
* don't know what exactly happened.
|
|
||||||
*/
|
|
||||||
|
|
||||||
/**
|
|
||||||
* An error that, if present, leads to a file being marked as non-successfully extracted.
|
|
||||||
*/
|
|
||||||
class ReportableError extends Diagnostic {
|
|
||||||
ReportableError() {
|
|
||||||
(
|
|
||||||
this instanceof CompilerDiscretionaryError or
|
|
||||||
this instanceof CompilerError or
|
|
||||||
this instanceof CompilerCatastrophe
|
|
||||||
) and
|
|
||||||
// Filter for the catch-all diagnostic, see note above.
|
|
||||||
not this.getFile().getAbsolutePath() = ""
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private newtype TExtractionError =
|
|
||||||
TReportableError(ReportableError err) or
|
|
||||||
TCompilationFailed(Compilation c, File f) {
|
|
||||||
f = c.getAFileCompiled() and not c.normalTermination()
|
|
||||||
} or
|
|
||||||
// Show the catch-all diagnostic (see note above) only if we haven't seen any other error-level diagnostic
|
|
||||||
// for that compilation
|
|
||||||
TUnknownError(CompilerError err) {
|
|
||||||
not exists(ReportableError e | e.getCompilation() = err.getCompilation())
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Superclass for the extraction error hierarchy.
|
|
||||||
*/
|
|
||||||
class ExtractionError extends TExtractionError {
|
|
||||||
/** Gets the string representation of the error. */
|
|
||||||
string toString() { none() }
|
|
||||||
|
|
||||||
/** Gets the error message for this error. */
|
|
||||||
string getErrorMessage() { none() }
|
|
||||||
|
|
||||||
/** Gets the file this error occured in. */
|
|
||||||
File getFile() { none() }
|
|
||||||
|
|
||||||
/** Gets the location this error occured in. */
|
|
||||||
Location getLocation() { none() }
|
|
||||||
|
|
||||||
/** Gets the SARIF severity of this error. */
|
|
||||||
int getSeverity() {
|
|
||||||
// Unfortunately, we can't distinguish between errors and fatal errors in SARIF,
|
|
||||||
// so all errors have severity 2.
|
|
||||||
result = 2
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* An unrecoverable extraction error, where extraction was unable to finish.
|
|
||||||
* This can be caused by a multitude of reasons, for example:
|
|
||||||
* - hitting a frontend assertion
|
|
||||||
* - crashing due to dereferencing an invalid pointer
|
|
||||||
* - stack overflow
|
|
||||||
* - out of memory
|
|
||||||
*/
|
|
||||||
class ExtractionUnrecoverableError extends ExtractionError, TCompilationFailed {
|
|
||||||
Compilation c;
|
|
||||||
File f;
|
|
||||||
|
|
||||||
ExtractionUnrecoverableError() { this = TCompilationFailed(c, f) }
|
|
||||||
|
|
||||||
override string toString() {
|
|
||||||
result = "Unrecoverable extraction error while compiling " + f.toString()
|
|
||||||
}
|
|
||||||
|
|
||||||
override string getErrorMessage() { result = "unrecoverable compilation failure." }
|
|
||||||
|
|
||||||
override File getFile() { result = f }
|
|
||||||
|
|
||||||
override Location getLocation() { result = f.getLocation() }
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* A recoverable extraction error.
|
|
||||||
* These are compiler errors from the frontend.
|
|
||||||
* Upon encountering one of these, we still continue extraction, but the
|
|
||||||
* database will be incomplete for that file.
|
|
||||||
*/
|
|
||||||
class ExtractionRecoverableError extends ExtractionError, TReportableError {
|
|
||||||
ReportableError err;
|
|
||||||
|
|
||||||
ExtractionRecoverableError() { this = TReportableError(err) }
|
|
||||||
|
|
||||||
override string toString() { result = "Recoverable extraction error: " + err }
|
|
||||||
|
|
||||||
override string getErrorMessage() { result = err.getFullMessage() }
|
|
||||||
|
|
||||||
override File getFile() { result = err.getFile() }
|
|
||||||
|
|
||||||
override Location getLocation() { result = err.getLocation() }
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* An unknown error happened during extraction.
|
|
||||||
* These are only displayed if we know that we encountered an error during extraction,
|
|
||||||
* but, for some reason, failed to emit a proper diagnostic with location information
|
|
||||||
* and error message.
|
|
||||||
*/
|
|
||||||
class ExtractionUnknownError extends ExtractionError, TUnknownError {
|
|
||||||
CompilerError err;
|
|
||||||
|
|
||||||
ExtractionUnknownError() { this = TUnknownError(err) }
|
|
||||||
|
|
||||||
override string toString() { result = "Unknown extraction error: " + err }
|
|
||||||
|
|
||||||
override string getErrorMessage() { result = err.getFullMessage() }
|
|
||||||
|
|
||||||
override File getFile() { result = err.getFile() }
|
|
||||||
|
|
||||||
override Location getLocation() { result = err.getLocation() }
|
|
||||||
}
|
|
||||||
@@ -1,22 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Failed extractor invocations
|
|
||||||
* @description Gives the command line of compilations for which extraction did not run to completion.
|
|
||||||
* @kind diagnostic
|
|
||||||
* @id cpp/diagnostics/failed-extractor-invocations
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
|
|
||||||
class AnonymousCompilation extends Compilation {
|
|
||||||
override string toString() { result = "<compilation>" }
|
|
||||||
}
|
|
||||||
|
|
||||||
string describe(Compilation c) {
|
|
||||||
if c.getArgument(1) = "--mimic"
|
|
||||||
then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
|
|
||||||
else result = "extractor invocation " + concat(int i | | c.getArgument(i), " " order by i)
|
|
||||||
}
|
|
||||||
|
|
||||||
from Compilation c
|
|
||||||
where not c.normalTermination()
|
|
||||||
select c, "Extraction aborted for " + describe(c), 2
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Successfully extracted files
|
|
||||||
* @description Lists all files in the source code directory that were extracted without encountering an error in the file.
|
|
||||||
* @kind diagnostic
|
|
||||||
* @id cpp/diagnostics/successfully-extracted-files
|
|
||||||
*/
|
|
||||||
|
|
||||||
import cpp
|
|
||||||
import ExtractionErrors
|
|
||||||
|
|
||||||
from File f
|
|
||||||
where
|
|
||||||
not exists(ExtractionError e | e.getFile() = f) and
|
|
||||||
exists(f.getRelativePath())
|
|
||||||
select f, ""
|
|
||||||
@@ -2,6 +2,6 @@
|
|||||||
"-//Semmle//qhelp//EN"
|
"-//Semmle//qhelp//EN"
|
||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<include src="CommentedOutCodeQuery.inc.qhelp" />
|
<include src="CommentedOutCodeQuery.qhelp" />
|
||||||
<include src="../Metrics/Files/CommentedOutCodeReferences.inc.qhelp" />
|
<include src="../Metrics/Files/CommentedOutCodeReferences.qhelp" />
|
||||||
</qhelp>
|
</qhelp>
|
||||||
|
|||||||
@@ -21,7 +21,15 @@ class Initialization extends Function {
|
|||||||
}
|
}
|
||||||
|
|
||||||
class Allocation extends FunctionCall {
|
class Allocation extends FunctionCall {
|
||||||
Allocation() { this.getTarget().getName() = ["malloc", "calloc", "alloca", "sbrk", "valloc"] }
|
Allocation() {
|
||||||
|
exists(string name | name = this.getTarget().getName() |
|
||||||
|
name = "malloc" or
|
||||||
|
name = "calloc" or
|
||||||
|
name = "alloca" or
|
||||||
|
name = "sbrk" or
|
||||||
|
name = "valloc"
|
||||||
|
)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Function f, Allocation a
|
from Function f, Allocation a
|
||||||
|
|||||||
@@ -13,8 +13,13 @@ import cpp
|
|||||||
|
|
||||||
class ForbiddenCall extends FunctionCall {
|
class ForbiddenCall extends FunctionCall {
|
||||||
ForbiddenCall() {
|
ForbiddenCall() {
|
||||||
this.getTarget().getName() =
|
exists(string name | name = this.getTarget().getName() |
|
||||||
["task_delay", "taskDelay", "sleep", "nanosleep", "clock_nanosleep"]
|
name = "task_delay" or
|
||||||
|
name = "taskDelay" or
|
||||||
|
name = "sleep" or
|
||||||
|
name = "nanosleep" or
|
||||||
|
name = "clock_nanosleep"
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -6,7 +6,12 @@ import cpp
|
|||||||
|
|
||||||
class SemaphoreCreation extends FunctionCall {
|
class SemaphoreCreation extends FunctionCall {
|
||||||
SemaphoreCreation() {
|
SemaphoreCreation() {
|
||||||
this.getTarget().getName() = ["semBCreate", "semMCreate", "semCCreate", "semRWCreate"]
|
exists(string name | name = this.getTarget().getName() |
|
||||||
|
name = "semBCreate" or
|
||||||
|
name = "semMCreate" or
|
||||||
|
name = "semCCreate" or
|
||||||
|
name = "semRWCreate"
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
Variable getSemaphore() { result.getAnAccess() = this.getParent().(Assignment).getLValue() }
|
Variable getSemaphore() { result.getAnAccess() = this.getParent().(Assignment).getLValue() }
|
||||||
@@ -67,7 +72,11 @@ class SemaphoreGive extends UnlockOperation {
|
|||||||
}
|
}
|
||||||
|
|
||||||
class LockingPrimitive extends FunctionCall, LockOperation {
|
class LockingPrimitive extends FunctionCall, LockOperation {
|
||||||
LockingPrimitive() { this.getTarget().getName() = ["taskLock", "intLock", "taskRtpLock"] }
|
LockingPrimitive() {
|
||||||
|
exists(string name | name = this.getTarget().getName() |
|
||||||
|
name = "taskLock" or name = "intLock" or name = "taskRtpLock"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
override Function getLocked() { result = this.getTarget() }
|
override Function getLocked() { result = this.getTarget() }
|
||||||
|
|
||||||
@@ -80,7 +89,11 @@ class LockingPrimitive extends FunctionCall, LockOperation {
|
|||||||
}
|
}
|
||||||
|
|
||||||
class UnlockingPrimitive extends FunctionCall, UnlockOperation {
|
class UnlockingPrimitive extends FunctionCall, UnlockOperation {
|
||||||
UnlockingPrimitive() { this.getTarget().getName() = ["taskUnlock", "intUnlock", "taskRtpUnlock"] }
|
UnlockingPrimitive() {
|
||||||
|
exists(string name | name = this.getTarget().getName() |
|
||||||
|
name = "taskUnlock" or name = "intUnlock" or name = "taskRtpUnlock"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
Function getLocked() { result = getMatchingLock().getLocked() }
|
Function getLocked() { result = getMatchingLock().getLocked() }
|
||||||
|
|
||||||
|
|||||||
@@ -12,7 +12,18 @@
|
|||||||
import cpp
|
import cpp
|
||||||
|
|
||||||
predicate allowedTypedefs(TypedefType t) {
|
predicate allowedTypedefs(TypedefType t) {
|
||||||
t.getName() = ["I64", "U64", "I32", "U32", "I16", "U16", "I8", "U8", "F64", "F32"]
|
exists(string name | name = t.getName() |
|
||||||
|
name = "I64" or
|
||||||
|
name = "U64" or
|
||||||
|
name = "I32" or
|
||||||
|
name = "U32" or
|
||||||
|
name = "I16" or
|
||||||
|
name = "U16" or
|
||||||
|
name = "I8" or
|
||||||
|
name = "U8" or
|
||||||
|
name = "F64" or
|
||||||
|
name = "F32"
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -5,8 +5,8 @@ import cpp
|
|||||||
*/
|
*/
|
||||||
class Task extends Function {
|
class Task extends Function {
|
||||||
Task() {
|
Task() {
|
||||||
exists(FunctionCall taskCreate |
|
exists(FunctionCall taskCreate, string name | name = "taskCreate" or name = "taskSpawn" |
|
||||||
taskCreate.getTarget().getName() = ["taskCreate", "taskSpawn"] and
|
name = taskCreate.getTarget().getName() and
|
||||||
this = taskCreate.getArgument(4).(AddressOfExpr).getAddressable()
|
this = taskCreate.getArgument(4).(AddressOfExpr).getAddressable()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,7 +6,6 @@
|
|||||||
* to a larger type.
|
* to a larger type.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity error
|
* @problem.severity error
|
||||||
* @problem.security-severity 8.1
|
|
||||||
* @precision very-high
|
* @precision very-high
|
||||||
* @id cpp/bad-addition-overflow-check
|
* @id cpp/bad-addition-overflow-check
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* be a sign that the result can overflow the type converted from.
|
* be a sign that the result can overflow the type converted from.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.1
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/integer-multiplication-cast-to-long
|
* @id cpp/integer-multiplication-cast-to-long
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -6,7 +6,6 @@
|
|||||||
* use the width of the base type, leading to misaligned reads.
|
* use the width of the base type, leading to misaligned reads.
|
||||||
* @kind path-problem
|
* @kind path-problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.8
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @tags correctness
|
* @tags correctness
|
||||||
* reliability
|
* reliability
|
||||||
|
|||||||
@@ -13,17 +13,38 @@ import cpp
|
|||||||
import semmle.code.cpp.dataflow.DataFlow
|
import semmle.code.cpp.dataflow.DataFlow
|
||||||
|
|
||||||
predicate whitelist(Function f) {
|
predicate whitelist(Function f) {
|
||||||
f.getName() =
|
exists(string fName |
|
||||||
[
|
fName = f.getName() and
|
||||||
"ceil", "ceilf", "ceill", "floor", "floorf", "floorl", "nearbyint", "nearbyintf",
|
(
|
||||||
"nearbyintl", "rint", "rintf", "rintl", "round", "roundf", "roundl", "trunc", "truncf",
|
fName = "ceil" or
|
||||||
"truncl"
|
fName = "ceilf" or
|
||||||
] or
|
fName = "ceill" or
|
||||||
f.getName().matches("__builtin_%")
|
fName = "floor" or
|
||||||
|
fName = "floorf" or
|
||||||
|
fName = "floorl" or
|
||||||
|
fName = "nearbyint" or
|
||||||
|
fName = "nearbyintf" or
|
||||||
|
fName = "nearbyintl" or
|
||||||
|
fName = "rint" or
|
||||||
|
fName = "rintf" or
|
||||||
|
fName = "rintl" or
|
||||||
|
fName = "round" or
|
||||||
|
fName = "roundf" or
|
||||||
|
fName = "roundl" or
|
||||||
|
fName = "trunc" or
|
||||||
|
fName = "truncf" or
|
||||||
|
fName = "truncl" or
|
||||||
|
fName.matches("__builtin_%")
|
||||||
|
)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate whitelistPow(FunctionCall fc) {
|
predicate whitelistPow(FunctionCall fc) {
|
||||||
fc.getTarget().getName() = ["pow", "powf", "powl"] and
|
(
|
||||||
|
fc.getTarget().getName() = "pow" or
|
||||||
|
fc.getTarget().getName() = "powf" or
|
||||||
|
fc.getTarget().getName() = "powl"
|
||||||
|
) and
|
||||||
exists(float value |
|
exists(float value |
|
||||||
value = fc.getArgument(0).getValue().toFloat() and
|
value = fc.getArgument(0).getValue().toFloat() and
|
||||||
(value.floor() - value).abs() < 0.001
|
(value.floor() - value).abs() < 0.001
|
||||||
|
|||||||
@@ -6,7 +6,6 @@
|
|||||||
* from an untrusted source, this can be used for exploits.
|
* from an untrusted source, this can be used for exploits.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity recommendation
|
* @problem.severity recommendation
|
||||||
* @problem.security-severity 9.8
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/non-constant-format
|
* @id cpp/non-constant-format
|
||||||
* @tags maintainability
|
* @tags maintainability
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<include src="LeapYear.inc.qhelp" />
|
<include src="LeapYear.qhelp" />
|
||||||
|
|
||||||
<p>When performing arithmetic operations on a variable that represents a date, leap years must be taken into account.
|
<p>When performing arithmetic operations on a variable that represents a date, leap years must be taken into account.
|
||||||
It is not safe to assume that a year is 365 days long.</p>
|
It is not safe to assume that a year is 365 days long.</p>
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<include src="LeapYear.inc.qhelp" />
|
<include src="LeapYear.qhelp" />
|
||||||
|
|
||||||
<p>When performing arithmetic operations on a variable that represents a year, it is important to consider that the resulting value may not be a valid date.</p>
|
<p>When performing arithmetic operations on a variable that represents a year, it is important to consider that the resulting value may not be a valid date.</p>
|
||||||
<p>The typical example is doing simple year arithmetic (i.e. <code>date.year++</code>) without considering if the resulting value will be a valid date or not.</p>
|
<p>The typical example is doing simple year arithmetic (i.e. <code>date.year++</code>) without considering if the resulting value will be a valid date or not.</p>
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<include src="LeapYear.inc.qhelp" />
|
<include src="LeapYear.qhelp" />
|
||||||
|
|
||||||
<p>When using a function that transforms a date structure, and the year on the input argument for the API has been manipulated, it is important to check for the return value of the function to make sure it succeeded.</p>
|
<p>When using a function that transforms a date structure, and the year on the input argument for the API has been manipulated, it is important to check for the return value of the function to make sure it succeeded.</p>
|
||||||
<p>Otherwise, the function may have failed, and the output parameter may contain invalid data that can cause any number of problems on the affected system.</p>
|
<p>Otherwise, the function may have failed, and the output parameter may contain invalid data that can cause any number of problems on the affected system.</p>
|
||||||
|
|||||||
@@ -3,7 +3,7 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<include src="LeapYear.inc.qhelp" />
|
<include src="LeapYear.qhelp" />
|
||||||
|
|
||||||
<p>This query helps to detect when a developer allocates an array or other fixed-length data structure such as <code>std::vector</code> with 365 elements – one for each day of the year.</p>
|
<p>This query helps to detect when a developer allocates an array or other fixed-length data structure such as <code>std::vector</code> with 365 elements – one for each day of the year.</p>
|
||||||
<p>Since leap years have 366 days, there will be no allocated element on December 31st at the end of a leap year; which will lead to a buffer overflow on a leap year.</p>
|
<p>Since leap years have 366 days, there will be no allocated element on December 31st at the end of a leap year; which will lead to a buffer overflow on a leap year.</p>
|
||||||
|
|||||||
@@ -54,7 +54,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
|
|||||||
override predicate isWhitelisted() {
|
override predicate isWhitelisted() {
|
||||||
this.getConversion().(ParenthesisExpr).isParenthesised()
|
this.getConversion().(ParenthesisExpr).isParenthesised()
|
||||||
or
|
or
|
||||||
// Allow this assignment if all comparison operations in the expression that this
|
// whitelist this assignment if all comparison operations in the expression that this
|
||||||
// assignment is part of, are not parenthesized. In that case it seems like programmer
|
// assignment is part of, are not parenthesized. In that case it seems like programmer
|
||||||
// is fine with unparenthesized comparison operands to binary logical operators, and
|
// is fine with unparenthesized comparison operands to binary logical operators, and
|
||||||
// the parenthesis around this assignment was used to call it out as an assignment.
|
// the parenthesis around this assignment was used to call it out as an assignment.
|
||||||
@@ -62,21 +62,6 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
|
|||||||
forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
|
forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
|
||||||
not op.isParenthesised()
|
not op.isParenthesised()
|
||||||
)
|
)
|
||||||
or
|
|
||||||
// Match a pattern like:
|
|
||||||
// ```
|
|
||||||
// if((a = b) && use_value(a)) { ... }
|
|
||||||
// ```
|
|
||||||
// where the assignment is meant to update the value of `a` before it's used in some other boolean
|
|
||||||
// subexpression that is guarenteed to be evaluate _after_ the assignment.
|
|
||||||
this.isParenthesised() and
|
|
||||||
exists(LogicalAndExpr parent, Variable var, VariableAccess access |
|
|
||||||
var = this.getLValue().(VariableAccess).getTarget() and
|
|
||||||
access = var.getAnAccess() and
|
|
||||||
not access.isUsedAsLValue() and
|
|
||||||
parent.getRightOperand() = access.getParent*() and
|
|
||||||
parent.getLeftOperand() = this.getParent*()
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -3,7 +3,6 @@
|
|||||||
* @description Using alloca in a loop can lead to a stack overflow
|
* @description Using alloca in a loop can lead to a stack overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.5
|
|
||||||
* @precision high
|
* @precision high
|
||||||
* @id cpp/alloca-in-loop
|
* @id cpp/alloca-in-loop
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/improper-null-termination
|
* @id cpp/improper-null-termination
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.8
|
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-170
|
* external/cwe/cwe-170
|
||||||
* external/cwe/cwe-665
|
* external/cwe/cwe-665
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* as the third argument may result in a buffer overflow.
|
* as the third argument may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.8
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/bad-strncpy-size
|
* @id cpp/bad-strncpy-size
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* as the third argument may result in a buffer overflow.
|
* as the third argument may result in a buffer overflow.
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 8.8
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unsafe-strncat
|
* @id cpp/unsafe-strncat
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -5,7 +5,6 @@
|
|||||||
* @kind problem
|
* @kind problem
|
||||||
* @id cpp/uninitialized-local
|
* @id cpp/uninitialized-local
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 7.8
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @tags security
|
* @tags security
|
||||||
* external/cwe/cwe-665
|
* external/cwe/cwe-665
|
||||||
|
|||||||
@@ -4,7 +4,6 @@
|
|||||||
* may result in a buffer overflow
|
* may result in a buffer overflow
|
||||||
* @kind problem
|
* @kind problem
|
||||||
* @problem.severity warning
|
* @problem.severity warning
|
||||||
* @problem.security-severity 9.8
|
|
||||||
* @precision medium
|
* @precision medium
|
||||||
* @id cpp/unsafe-strcat
|
* @id cpp/unsafe-strcat
|
||||||
* @tags reliability
|
* @tags reliability
|
||||||
|
|||||||
@@ -1,20 +0,0 @@
|
|||||||
class Base {
|
|
||||||
private:
|
|
||||||
// pure virtual member function used for initialization of derived classes.
|
|
||||||
virtual void construct() = 0;
|
|
||||||
public:
|
|
||||||
Base() {
|
|
||||||
// wrong: the virtual table of `Derived` has not been initialized yet. So this
|
|
||||||
// call will resolve to `Base::construct`, which cannot be called as it is a pure
|
|
||||||
// virtual function.
|
|
||||||
construct();
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
class Derived : public Base {
|
|
||||||
int field;
|
|
||||||
|
|
||||||
void construct() override {
|
|
||||||
field = 1;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user