mirror of
https://github.com/github/codeql.git
synced 2025-12-16 08:43:11 +01:00
I think these queries have excellent results on lgtm.com. Many of the
results come from projects that use `sprintf` like it's a templating
engine, trusting that values from `argv` or `getenv` contain the correct
number of `%s`. I think we want to flag that.
The structure of the change note is modeled after 91af51cf46.
# Improvements to C/C++ analysis

The following changes in version 1.25 affect C/C++ analysis in all applications.

## General improvements

## New queries

| Query | Tags | Purpose |
|---|---|---|

## Changes to existing queries

| Query | Expected impact | Change |
|---|---|---|
| Uncontrolled format string (`cpp/tainted-format-string`) | | This query is now displayed by default on LGTM. |
| Uncontrolled format string (through global variable) (`cpp/tainted-format-string-through-global`) | | This query is now displayed by default on LGTM. |
## Changes to libraries

- The library `VCS.qll` and all queries that imported it have been removed.
- The data-flow library has been improved, which affects most security queries by potentially adding more results. Flow through functions now takes nested field reads/writes into account. For example, the library is able to track flow from `taint()` to `sink()` via the method `getf2f1()` in:

  ```cpp
  // Forward declarations added so the snippet compiles on its own.
  int taint();
  void sink(int);

  struct C {
    int f1;
  };

  struct C2 {
    C f2;

    int getf2f1() {
      return f2.f1; // Nested field read
    }

    void m() {
      f2.f1 = taint();
      sink(getf2f1()); // NEW: taint() reaches here
    }
  };
  ```

- The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint. This results in fewer false positive results from queries that use this library.
- The length of a tainted string (such as the return value of a call to `strlen` or `strftime` with tainted parameters) is no longer itself considered tainted by the `models` library. This leads to fewer false positive results in queries that use any of our taint libraries.