codeql/change-notes/1.24/analysis-cpp.md
Anders Schack-Mulligen b7a8d0e903 Apply suggestions from code review
Co-Authored-By: Jonas Jensen <jbj@github.com>
2020-01-30 10:41:13 +01:00


Improvements to C/C++ analysis

The following changes in version 1.24 affect C/C++ analysis in all applications.

General improvements

New queries

| Query | Tags | Purpose |
| --- | --- | --- |
| Implicit function declarations (cpp/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql) | correctness, maintainability | This query finds calls to functions that have not been declared at the point of the call, which a C compiler accepts as an implicit declaration (C++ rejects them). An implicitly declared function gets no argument type checking and is assumed to return int, so a returned pointer can be truncated on 64-bit platforms. Results are shown on LGTM by default. |

Changes to existing queries

| Query | Expected impact | Change |
| --- | --- | --- |
| Buffer not sufficient for string (cpp/overflow-calculated) | More true positive results | This query now identifies a wider variety of buffer allocations using the semmle.code.cpp.models.interfaces.Allocation library. |
| No space for zero terminator (cpp/no-space-for-terminator) | More true positive results | This query now identifies a wider variety of buffer allocations using the semmle.code.cpp.models.interfaces.Allocation library. |
| Memory is never freed (cpp/memory-never-freed) | More true positive results | This query now identifies a wider variety of buffer allocations using the semmle.code.cpp.models.interfaces.Allocation library. |
| Memory may not be freed (cpp/memory-may-not-be-freed) | More true positive results | This query now identifies a wider variety of buffer allocations using the semmle.code.cpp.models.interfaces.Allocation library. |
| Missing return statement (cpp/missing-return) | Fewer false positive results | Functions containing asm statements are no longer flagged by this query. |
| Hard-coded Japanese era start date (cpp/japanese-era/exact-era-date) | | This query is no longer run on LGTM. |
| No space for zero terminator (cpp/no-space-for-terminator) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings. This approach produces fewer, more accurate results. |
| Overloaded assignment does not return 'this' (cpp/assignment-does-not-return-this) | Fewer false positive results | This query no longer reports incorrect results in template classes. |
| Unsafe array for days of the year (cpp/leap-year/unsafe-array-for-days-of-the-year) | | This query is no longer run on LGTM. |

Changes to libraries

  • The data-flow library now combines flow through function calls with both taint tracking and flow through fields, so more flow is tracked. This affects some security queries, which may report additional results.
  • Created the semmle.code.cpp.models.interfaces.Allocation library to model allocations such as new expressions and calls to malloc. It is intended to replace the functionality in semmle.code.cpp.commons.Alloc with a more consistent and useful interface.
  • Created the semmle.code.cpp.models.interfaces.Deallocation library to model deallocations such as delete expressions and calls to free. It is intended to replace the functionality in semmle.code.cpp.commons.Alloc with a more consistent and useful interface.
  • The new class StackVariable should be used in place of LocalScopeVariable in most cases. The difference is that StackVariable does not include variables declared with static or thread_local.
    • As a rule of thumb, custom queries about the values of variables should be changed from LocalScopeVariable to StackVariable, while queries about the name or scope of variables should remain unchanged.
    • The LocalScopeVariableReachability library is deprecated in favor of StackVariableReachability. The functionality is the same.
  • The models library models strlen in more detail, and includes common variations such as wcslen.
  • The taint tracking library (semmle.code.cpp.dataflow.TaintTracking) has had the following improvements:
    • The library now models data flow through strdup and similar functions.
    • The library now models data flow through formatting functions such as sprintf.
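The point of the new Allocation and Deallocation interfaces is that a query written against them picks up every modeled allocator, including ones you add for your own code base. The following query is an added example, not code from this change note or from the CodeQL repository: it teaches the interfaces about a hypothetical project allocator pair (`arena_alloc`/`arena_free` are assumed names, as is the `@id`) and then pairs each allocation that must be released with the deallocation that releases it, using local data flow. The same query also matches malloc/free and new/delete without any further modeling.

```ql
/**
 * @name Allocation paired with its deallocation
 * @description Added example: lists each allocation that requires release
 *              together with the deallocation its pointer flows to.
 * @kind problem
 * @problem.severity recommendation
 * @id cpp/example/allocation-paired-with-deallocation   (hypothetical id)
 */

import cpp
import semmle.code.cpp.models.interfaces.Allocation
import semmle.code.cpp.models.interfaces.Deallocation
import semmle.code.cpp.dataflow.DataFlow

/**
 * Hypothetical project allocator `void *arena_alloc(size_t bytes)`.
 * The name is assumed for this example; it is not a function the
 * CodeQL library models. Its result must be released with `arena_free`.
 */
class ArenaAllocFunction extends AllocationFunction {
  ArenaAllocFunction() { this.hasGlobalName("arena_alloc") }

  // argument 0 carries the requested size in bytes
  override int getSizeArg() { result = 0 }
}

/** Hypothetical deallocator `void arena_free(void *p)` (assumed name). */
class ArenaFreeFunction extends DeallocationFunction {
  ArenaFreeFunction() { this.hasGlobalName("arena_free") }

  // argument 0 is the pointer being released
  override int getFreedArg() { result = 0 }
}

/*
 * Pair allocations with deallocations by following the allocated pointer
 * with local (intra-procedural) data flow. Because the query only talks to
 * the interface classes, calls to malloc/new and to the arena functions
 * modeled above are all covered, and `requiresDealloc()` excludes
 * allocations such as alloca that must not be freed.
 */
from AllocationExpr alloc, DeallocationExpr dealloc
where
  alloc.requiresDealloc() and
  DataFlow::localFlow(DataFlow::exprNode(alloc), DataFlow::exprNode(dealloc.getFreedExpr()))
select dealloc, "Releases memory allocated $@.", alloc, "here"
```

Adding a model class like ArenaAllocFunction to a library that the standard queries import is all that is needed for the queries in the table above (memory-never-freed, no-space-for-terminator and the others listed) to reason about the custom allocator too.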
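The StackVariable rule of thumb matters most for queries about storage lifetime. The following added example (not code from the change note or the CodeQL repository; the `@id` is an assumed name) flags functions that return the address of a variable that lives in the current stack frame. With LocalScopeVariable in place of StackVariable the same query would also report static and thread_local locals, whose address is perfectly valid after the function returns, which is exactly the false positive the new class avoids.

```ql
/**
 * @name Address of stack variable returned
 * @description Added example: returning the address of a variable with
 *              automatic storage yields a dangling pointer.
 * @kind problem
 * @problem.severity error
 * @id cpp/example/return-address-of-stack-variable   (hypothetical id)
 */

import cpp

from ReturnStmt ret, AddressOfExpr addr, StackVariable v
where
  // the returned expression is `&v`; an explicit cast around it is
  // recorded as a conversion, so getExpr() still yields the AddressOfExpr
  ret.getExpr() = addr and
  addr.getAddressable() = v and
  // a reference parameter names the caller's storage, not this frame, so
  // taking its address is fine
  not v.getUnspecifiedType() instanceof ReferenceType
select ret, "Returns the address of $@, whose storage is released when the function returns.",
  v, v.getName()
```

StackVariable covers both local variables and parameters, so `return &param;` is reported as well; a query about the name or scope of a variable (naming conventions, shadowing) would keep using LocalScopeVariable as the change note advises.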
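The two new taint steps above matter in a common command-injection pattern: user input is copied with strdup, formatted into a command buffer with a printf-style function, and handed to system. The following path-problem query is an added example, not code from the change note or the CodeQL repository (the `@id` is an assumed name, and the C program in the comment is constructed for illustration). It tracks taint from the argv parameter of main to the command argument of system; before 1.24 the path would have been lost at strdup or at the formatting call.

```ql
/**
 * @name Command line argument reaches system()
 * @description Added example: taint from argv flows through strdup and a
 *              formatting function into the command passed to system.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/argv-to-system   (hypothetical id)
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

/*
 * Constructed C program this query is meant to flag (not from the page):
 *
 *   int main(int argc, char **argv) {
 *     char *name = strdup(argv[1]);                 // step through strdup
 *     char cmd[256];
 *     snprintf(cmd, sizeof cmd, "ls %s", name);     // step through a formatting function
 *     return system(cmd);                           // sink
 *   }
 */
class ArgvToSystem extends TaintTracking::Configuration {
  ArgvToSystem() { this = "ArgvToSystem" }

  // source: any element read from the `argv` parameter of `main`
  override predicate isSource(DataFlow::Node source) {
    exists(Parameter argv |
      argv.getFunction().hasGlobalName("main") and
      argv.getIndex() = 1 and
      source.asExpr().(ArrayExpr).getArrayBase() = argv.getAnAccess()
    )
  }

  // sink: the command string passed to `system`
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("system") and
      sink.asExpr() = call.getArgument(0)
    )
  }
}

from ArgvToSystem cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Command built from $@ reaches system().",
  source.getNode(), "a command line argument"
```

The query deliberately has no sanitizer: in a real query you would add an isSanitizer override for whatever validation the code base applies to argv values, otherwise every formatted command string derived from input is reported.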