104 commits
57661d5
Update expected test results after frontend update
jketema Mar 6, 2025
6abda06
Update MISRA queries and tests after merging location tables
jketema Jun 27, 2025
57c4180
C++: accept new test results after QL changes
IdrissRio Jun 30, 2025
a3d85dd
Convert ARR37-C to use the new dataflow library
jketema Jul 7, 2025
3f2ae9e
Convert ARR39-C to the new dataflow library
jketema Jul 7, 2025
46af73d
Convert ERR30-C to use the new dataflow library
jketema Jul 7, 2025
e2ac35d
Convert FIO45-C to use the new dataflow library
jketema Jul 7, 2025
43d5bf8
Convert EXP36-C to the new dataflow library
jketema Jul 7, 2025
10b9266
Convert MSC33-C to the new dataflow library
jketema Jul 7, 2025
e0b7924
Convert MSC51-CPP to the new dataflow library
jketema Jul 7, 2025
b6c26ee
Convert CTR56-CPP to the new dataflow library
jketema Jul 7, 2025
c478ead
Convert M3-9-3 to use the new dataflow library
jketema Jul 7, 2025
0817197
Convert A9-3-1 to use the new dataflow library
jketema Jul 7, 2025
51295f1
Convert A27-0-4 to use the new dataflow library
jketema Jul 7, 2025
8933de9
Convert A5-0-4 to use the new dataflow library
jketema Jul 7, 2025
aa7d827
Update expected test results for MSC33-C
jketema Jul 7, 2025
f737a94
Create temporary copies of parts of the concurrency library
jketema Jul 7, 2025
f6c3c4c
Convert CON30-C to use the new dataflow library
jketema Jul 7, 2025
9e12e5e
Convert CON34-C to the new dataflow library
jketema Jul 8, 2025
ef96540
Move queries not depending on dataflow over to `ConcurrencyNew`
jketema Jul 8, 2025
cb6ab90
Convert UseOnlyArrayIndexingForPointerArithmetic to use the new dataf…
jketema Jul 8, 2025
30a3635
Convert StringNumberConversionMissingErrorCheck to use the new datafl…
jketema Jul 8, 2025
ce08d1e
Convert FgetsErrorManagement to use the new dataflow library
jketema Jul 8, 2025
88ef34f
Convert RULE-22-3 to use the new dataflow library
jketema Jul 8, 2025
fdf1923
Convert RULE-22-4 to use the new dataflow library
jketema Jul 8, 2025
8ea39d8
Convert A7-5-1 to use the new dataflow library
jketema Jul 8, 2025
b3cffdb
Convert DoNotSubtractPointersAddressingDifferentArrays to use new dat…
jketema Jul 8, 2025
0afdf32
Remove unused dataflow import from IOFstreamMissingPositioning
jketema Jul 8, 2025
241ec63
Convert DanglingCaptureWhenReturningLambdaObject to use new dataflow …
jketema Jul 8, 2025
5887113
Revert "Convert DanglingCaptureWhenReturningLambdaObject to use new d…
jketema Jul 8, 2025
5e3f1dc
Fix FIO40-C regression after incorrectly solving a merge conflict
jketema Jul 10, 2025
d997db1
Convert ARR32-C to use the new dataflow library
jketema Jul 10, 2025
fbb5d04
Convert DCL30-C to the new dataflow library
jketema Jul 10, 2025
6b8b5f5
Convert ERR32-C to use the new dataflow library
jketema Jul 10, 2025
9830abc
Convert ERR33-C to use the new dataflow library
jketema Jul 10, 2025
135cb7a
Convert EXP37-C to the new dataflow library
jketema Jul 10, 2025
bb5e033
Convert EXP40-C to the new dataflow library
jketema Jul 10, 2025
a5a1865
Convert FIO44-C to the new dataflow library
jketema Jul 10, 2025
3e69bf6
Convert MEM35-C to the new dataflow library
jketema Jul 10, 2025
ba281e2
Convert MEM36-C to the new dataflow library
jketema Jul 10, 2025
d385a76
Convert SIG30-C to the new dataflow library
jketema Jul 10, 2025
099f358
Convert SIG35-C to the new dataflow library
jketema Jul 10, 2025
2a8277c
Convert Signal library to the new data flow library
jketema Jul 10, 2025
69c6bf7
Convert RULE-13-2 to the new dataflow library
jketema Jul 11, 2025
9e8e429
Convert RULE-21-14 to the new dataflow library
jketema Jul 11, 2025
cee7cef
Convert RULE-22-7 to the new dataflow library
jketema Jul 11, 2025
fcbb620
Convert A13-1-3 to the new dataflow library
jketema Jul 11, 2025
def97cc
Convert A13-2-1 to the new dataflow library
jketema Jul 11, 2025
3b6a124
Convert A15-1-3 to the new dataflow library
jketema Jul 11, 2025
c06f22a
Address review comment
jketema Jul 11, 2025
1d15367
C++: Accept path changes caused by codeql#20040.
MathiasVP Jul 14, 2025
de0357a
Convert RULE-17-5 to the new dataflow library
jketema Jul 15, 2025
8a2f016
Convert A15-2-2 to use the new dataflow library
jketema Jul 15, 2025
bebac73
Convert A18-9-4 to use the new dataflow library
jketema Jul 15, 2025
c12d294
Convert A20-8-4 to use the new dataflow library
jketema Jul 15, 2025
2c4414d
Convert A5-1-7 to use the new dataflow library
jketema Jul 15, 2025
8dc6dcf
Convert A8-4-12 to use the new dataflow library
jketema Jul 15, 2025
447a3bb
Convert CTR52-CPP to the new dataflow library
jketema Jul 15, 2025
04da91f
Convert CTR53-CPP to the new dataflow library
jketema Jul 15, 2025
cc0d1c8
C++: Block flow into thread-specific storage creating functions (i.e.…
MathiasVP Jul 25, 2025
3a7a99b
C++: Accept test changes to another query.
MathiasVP Jul 25, 2025
88d909e
Convert `ThrowingOperatorNewReturnsNull` to the new dataflow library
jketema Aug 15, 2025
65cf74d
Convert `PredicateFunctionObjectsShouldNotBeMutable` to the new dataf…
jketema Aug 15, 2025
01841f3
Remove redundant dataflow import
jketema Aug 15, 2025
15eef22
Convert `OnlyFreeMemoryAllocatedDynamicallyShared` to the new dataflo…
jketema Aug 15, 2025
68956c9
Convert `InvalidatedEnvStringPointers` to the new dataflow library
jketema Aug 15, 2025
635eca0
Convert `FunctionErroneousReturnValueNotTested` to the new dataflow l…
jketema Aug 18, 2025
76642a8
Update `DoNotPassAliasedPointerToRestrictQualifiedParamShared` to the…
jketema Aug 18, 2025
6edece6
Convert M9-3-1 to the new dataflow library
jketema Aug 19, 2025
5b03559
Convert A8-4-9 to the new dataflow library
jketema Aug 19, 2025
aa1c3af
Convert A8-4-11 to the new dataflow library
jketema Aug 19, 2025
0ae0087
Convert STR31-C to the new dataflow library
jketema Aug 19, 2025
d3dbc96
Convert `FileStreams.qll` to the new dataflow library
jketema Aug 19, 2025
404692b
Convert `DoNotAccessAClosedFile` to the new dataflow library
jketema Aug 19, 2025
8d8cedc
Update `OwnedPointerValueStoredInUnrelatedSmartPointer` to the new da…
jketema Aug 21, 2025
75c5263
Update `MovedFromObjectsUnspecifiedState` to the new dataflow library
jketema Aug 21, 2025
6fc0b5e
Update `DoNotUseRelationalOperatorsWithDifferingArrays` to the new da…
jketema Aug 21, 2025
b6d3b33
Convert `DanglingCaptureWhenReturningLambdaObject` to the new dataflo…
jketema Aug 21, 2025
890ee51
Update `DanglingCaptureWhenMovingLambdaObject` to the new dataflow li…
jketema Aug 21, 2025
318498a
Update `ConstLikeReturnValue` to the new dataflow library
jketema Aug 21, 2025
35fbfad
Remove redundant dataflow import
jketema Aug 21, 2025
90496ba
Convert `BasicStringMayNotBeNullTerminated` to the new dataflow library
jketema Aug 21, 2025
a9c527a
C++: Fix up queries after github/codeql#20485.
MathiasVP Sep 18, 2025
e30f5e7
C++: Fix queries I forgot after merging github/codeql#20485.
MathiasVP Oct 2, 2025
164d2f4
C++: Accept line number changes in .expected file.
MathiasVP Oct 2, 2025
01898e9
Update expected test results
jketema Nov 8, 2025
bee8bd0
Update expected test results after frontend update
jketema Nov 27, 2025
22438a2
Fix test formatting
jketema Jan 8, 2026
cad5be0
Floating point decimal support has been removed from CodeQL
jketema Jan 6, 2026
e92d9c5
C++: Accept test changes after github/codeql#21313.
MathiasVP Feb 11, 2026
7f71c7b
C++: Fix Copilot comments.
MathiasVP Feb 11, 2026
d77616e
Revert "C++: Accept test changes after github/codeql#21313."
paldepind Feb 16, 2026
a79c12d
Update test expectations after switch to SoftFloat library in the ext…
jketema Feb 17, 2026
e116488
Revert "Merge pull request #1042 from jketema/jketema/softfloat"
jketema Feb 24, 2026
b318aa6
Update expected test results
jketema Mar 30, 2026
d483765
Reapply "Merge pull request #1042 from jketema/jketema/softfloat"
jketema Apr 24, 2026
aab3b2d
Update expected test results
jketema May 19, 2026
e2495c8
Update references to deprecated classes
jketema May 19, 2026
a42dd07
Update references to deprecated classes
jketema May 26, 2026
d66ec8d
Use the new dataflow module without affecting any tested behavior (#1…
mbaluda Jun 30, 2026
5f61284
Update CodeQL dependencies and fix various issues
mbaluda Jun 30, 2026
051c56e
Revert "Create temporary copies of parts of the concurrency library"
mbaluda Jun 30, 2026
4b07e11
PossibleDataRaceBetweenThreads.ql fix
mbaluda Jun 30, 2026
b5970a4
Refactor concurrency imports
mbaluda Jun 30, 2026
24 changes: 13 additions & 11 deletions c/cert/src/codeql-pack.lock.yml
@@ -3,26 +3,28 @@ lockVersion: 1.0.0
dependencies:
advanced-security/qtil:
version: 0.0.3
codeql/controlflow:
version: 2.0.17
codeql/cpp-all:
version: 5.0.0
version: 6.0.0
codeql/dataflow:
version: 2.0.8
version: 2.0.17
codeql/mad:
version: 1.0.24
version: 1.0.33
codeql/quantum:
version: 0.0.2
version: 0.0.11
codeql/rangeanalysis:
version: 1.0.24
version: 1.0.33
codeql/ssa:
version: 2.0.0
version: 2.0.9
codeql/tutorial:
version: 1.0.24
version: 1.0.33
codeql/typeflow:
version: 1.0.24
version: 1.0.33
codeql/typetracking:
version: 2.0.8
version: 2.0.17
codeql/util:
version: 2.0.11
version: 2.0.20
codeql/xml:
version: 1.0.24
version: 1.0.33
compiled: false
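Review bot: the pins here agree with the `codeql/cpp-all: 6.0.0` bump in qlpack.yml, and a new transitive dependency `codeql/controlflow` at 2.0.17 appears alongside the other `*.17`/`*.33` versions; please confirm the file was regenerated with `codeql pack install` rather than edited by hand, so that the other packs in the repository resolve to the same versions and the lock does not drift from the manifest.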
2 changes: 1 addition & 1 deletion c/cert/src/qlpack.yml
@@ -6,4 +6,4 @@ license: MIT
default-suite-file: codeql-suites/cert-c-default.qls
dependencies:
codeql/common-c-coding-standards: '*'
codeql/cpp-all: 5.0.0
codeql/cpp-all: 6.0.0
@@ -18,7 +18,7 @@

import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import NonArrayPointerToArrayIndexingExprFlow::PathGraph

/**
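Review bot: only the import changes in this hunk, while `import NonArrayPointerToArrayIndexingExprFlow::PathGraph` shows that the file also instantiates a flow module, which is collapsed here. Please confirm that module's sources and sinks were re-checked against the new library's node kinds (`asExpr()` versus `asIndirectExpr()` and `asDefiningArgument()`), since that, not the import line, is where conversions to `semmle.code.cpp.dataflow.new.DataFlow` usually change results.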
@@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.types.Pointers
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.dataflow.new.TaintTracking
import ScaledIntegerPointerArithmeticFlow::PathGraph

/**
@@ -61,9 +61,11 @@ class ScaledIntegerExpr extends Expr {
ScaledIntegerExpr() {
not this.getParent*() instanceof ArrayCountOfExpr and
(
this.(SizeofExprOperator).getExprOperand().getType().getSize() > 1
exists(this.getValue()) and
this.getAChild*().(SizeofExprOperator).getExprOperand().getType().getSize() > 1
or
this.(SizeofTypeOperator).getTypeOperand().getSize() > 1
exists(this.getValue()) and
this.getAChild*().(SizeofTypeOperator).getTypeOperand().getSize() > 1
or
this instanceof OffsetOfExpr
)
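Review bot: `getAChild*()` is reflexive-transitive, so with the `exists(this.getValue())` guard both a constant expression such as `2 * sizeof(int)` and its nested `sizeof(int)` operand now satisfy `ScaledIntegerExpr`; if the taint source is any `ScaledIntegerExpr`, that gives overlapping sources and potentially duplicated paths to the same sink. Either restrict the class to the outermost constant expression (one whose parent has no constant value) or add a QLDoc line stating that nested operands are intentionally included and that results are deduplicated at the sink.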
30 changes: 21 additions & 9 deletions c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql
@@ -20,17 +20,29 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.Concurrency
import semmle.code.cpp.dataflow.DataFlow

newtype Direction =
Incoming() or
Outgoing()

predicate isSource(DataFlow::Node node, Direction d) {
exists(TSSCreateFunctionCall tsc, Expr e |
// the only requirement of the source is that at some point
// it refers to the key of a create statement
e.getParent*() = tsc.getKey()
|
d = Outgoing() and
e = [node.asExpr(), node.asDefiningArgument()]
or
d = Incoming() and
e = [node.asExpr(), node.asIndirectArgument()]
)
}

module TssCreateToTssDeleteConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
exists(TSSCreateFunctionCall tsc, Expr e |
// the only requirement of the source is that at some point
// it refers to the key of a create statement
e.getParent*() = tsc.getKey() and
(e = node.asDefiningArgument() or e = node.asExpr())
)
}
predicate isSource(DataFlow::Node node) { isSource(node, Outgoing()) }

predicate isBarrierIn(DataFlow::Node node) { isSource(node, Incoming()) }

predicate isSink(DataFlow::Node node) {
exists(TSSDeleteFunctionCall tsd, Expr e |
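Review bot: the new top-level `isSource(DataFlow::Node, Direction)` and the `Direction` newtype carry no QLDoc, and the helper's name collides with the config's `isSource/1` (legal by arity, but easy to misread). Suggest renaming it (for example `isTssKeyNode`) and documenting that `Outgoing` pairs the key expression with its defining-argument node (the value after `tss_create` writes it) while `Incoming` pairs it with the indirect-argument node (the value flowing into the call), and that `isBarrierIn` on the `Incoming` node is there to stop flow that reaches the key before `tss_create` from being carried past the call.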
@@ -21,7 +21,6 @@ import cpp
import codingstandards.c.cert
import codingstandards.c.Objects
import codingstandards.cpp.Concurrency
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.commons.Alloc

from C11ThreadCreateCall tcc, Expr arg
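Review bot: this hunk drops `import semmle.code.cpp.dataflow.DataFlow`, but the later hunk in the same file still uses `DataFlow::Node` and `DataFlow::localFlow`, so the module now resolves only through the transitive import of `codingstandards.cpp.Concurrency`. Replacing the old line with an explicit `import semmle.code.cpp.dataflow.new.DataFlow` keeps the dependency visible and prevents a silent change if the Concurrency library's own imports are reorganised.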
@@ -53,6 +52,7 @@ where
not exists(TSSSetFunctionCall tss, DataFlow::Node src |
// there should be dataflow from somewhere (the same somewhere)
// into each of the first arguments
exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument()) and
DataFlow::localFlow(src, DataFlow::exprNode(tsg.getArgument(0))) and
DataFlow::localFlow(src, DataFlow::exprNode(tss.getArgument(0)))
)
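Review bot: the added `exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument())` narrows the common origin to definition nodes, but the comment above still only says "from somewhere (the same somewhere)". A one-line comment explaining that the shared origin must be a variable definition or an output argument (such as the key written by `tss_create`), rather than any intermediate read, would make the intent clear and explain why the restriction is needed with the new library's richer node set.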
@@ -21,7 +21,6 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.Concurrency
import semmle.code.cpp.dataflow.DataFlow

from TSSGetFunctionCall tsg, ThreadedFunction tf
where
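Review bot: `DataFlow::Node src` and `DataFlow::localFlow` are still used in the next hunk, so after removing this import the `DataFlow` module is reached only transitively via `codingstandards.cpp.Concurrency`; an explicit `import semmle.code.cpp.dataflow.new.DataFlow` here would make that dependency explicit.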
@@ -31,7 +30,8 @@ where
// however, there does not exist a proper sequencing.
not exists(TSSSetFunctionCall tss, DataFlow::Node src |
// there should be dataflow from somewhere (the same somewhere)
// into each of the first arguments
// into each of the first argument
exists(Expr e | e = src.asDefinition() or e = src.asDefiningArgument()) and
DataFlow::localFlow(src, DataFlow::exprNode(tsg.getArgument(0))) and
DataFlow::localFlow(src, DataFlow::exprNode(tss.getArgument(0)))
)
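Review bot: the comment edit from `// into each of the first arguments` to `// into each of the first argument` introduces a grammar error and looks accidental; the plural was correct because it refers to the first argument of each of the two calls (`tsg` and `tss`). Please restore the original wording.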
@@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.c.Objects
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

class Source extends Expr {
ObjectIdentity rootObject;
@@ -34,7 +34,7 @@ class Sink extends DataFlow::Node {
Sink() {
//output parameter
exists(Parameter f |
f.getAnAccess() = this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
this.isFinalValueOfParameter(f) and
f.getUnderlyingType() instanceof PointerType
)
or
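Review bot: replacing `f.getAnAccess() = this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()` with `this.isFinalValueOfParameter(f)` changes what the sink matches: before, every write through the pointer parameter was a sink; now only the value of `f` at function exit is. That is likely the intended "escapes via an output parameter" semantics, but it deserves a sentence in the commit message and a test where the parameter is written and then overwritten before returning, so the expected results capture the difference.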
2 changes: 1 addition & 1 deletion c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql
@@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.c.Errno
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/**
* A call to an `OutOfBandErrnoSettingFunction`
2 changes: 1 addition & 1 deletion c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql
@@ -18,7 +18,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.c.Errno
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

class SetlocaleFunctionCall extends FunctionCall {
SetlocaleFunctionCall() { this.getTarget().hasGlobalName("setlocale") }
@@ -20,7 +20,7 @@ import codingstandards.c.cert
import codingstandards.c.Errno
import codingstandards.c.Signal
import semmle.code.cpp.controlflow.Guards
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/**
* A check on `signal` call return value
@@ -20,7 +20,7 @@ import cpp
import codingstandards.c.cert
import semmle.code.cpp.commons.NULL
import codingstandards.cpp.ReadErrorsAndEOF
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

ComparisonOperation getAValidComparison(string spec) {
spec = "=0" and result.(EqualityOperation).getAnOperand().getValue() = "0"
@@ -51,10 +51,11 @@ class ExplicitComparison extends EffectivelyComparison, FinalComparisonOperation
override FunctionExpr getFunctionExpr() { result = funcExpr }
}

class ImplicitComparison extends EffectivelyComparison, GuardCondition {
class ImplicitComparison extends EffectivelyComparison, GuardCondition instanceof Expr {
ImplicitComparison() {
this.valueControlsEdge(_, _, _) and
this instanceof FunctionExpr and
not getParent() instanceof ComparisonOperation
not super.getParent() instanceof ComparisonOperation
}

override string getExplanation() { result = "$@ undergoes implicit constant comparison." }
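Review bot: the `instanceof Expr` on the class and the `super.getParent()` call indicate that `GuardCondition` no longer exposes `getParent()` directly in the updated library, but a reader has to dig into the library to work that out; a one-line comment on the class would save that. Also, because `instanceof Expr` does not add `Expr` members to `ImplicitComparison`, please check that no caller relied on treating an `ImplicitComparison` as an `Expr` (for instance when binding the `$@` placeholder of `getExplanation`).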
@@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.SideEffect
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.dataflow.new.TaintTracking
import semmle.code.cpp.valuenumbering.GlobalValueNumbering

/** Holds if the function's return value is derived from the `AliasParamter` p. */
@@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.Alignment
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import ExprWithAlignmentToCStyleCastFlow::PathGraph

@@ -18,7 +18,7 @@

import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import SuspectFunctionPointerToCallFlow::PathGraph

/**
@@ -61,7 +61,8 @@ where
not isExcluded(src.getNode().asExpr(),
ExpressionsPackage::doNotCallFunctionPointerWithIncompatibleTypeQuery()) and
access = src.getNode().asExpr() and
SuspectFunctionPointerToCallFlow::flowPath(src, sink)
SuspectFunctionPointerToCallFlow::flowPath(src, sink) and
not access.getType() = sink.getNode().asExpr().getFullyConverted().getType()
select src, src, sink,
"Incompatible function $@ assigned to function pointer is eventually called through the pointer.",
access.getTarget(), access.getTarget().getName()
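Review bot: `not access.getType() = sink.getNode().asExpr().getFullyConverted().getType()` holds vacuously whenever the right-hand side has no value, for example if the sink is an indirect node for which `asExpr()` does not hold; `access.getType() != sink.getNode().asExpr().getFullyConverted().getType()` requires both sides to be bound and fails closed instead. Separately, this condition suppresses results where the pointer is converted back to the function's exact type before the call, which is a behavioural change bundled with the library conversion and should be called out in the commit message.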
@@ -29,5 +29,5 @@ where
complexArgumentPassedToRealParameter(fc, f, p)
)
select fc,
"Argument $@ in call to " + f.toString() + " is incompatible with parameter " + p.getTypedName() +
".", fc.getArgument(p.getIndex()) as arg, arg.toString()
"Argument $@ in call to " + f.toString() + " is incompatible with the function parameter type.",
fc.getArgument(p.getIndex()) as arg, arg.toString()
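Review bot: the new message drops `p.getTypedName()`, so the alert no longer names the parameter the argument is incompatible with. If this was done to avoid several distinct messages for the same `fc`/`arg` when more than one `p` satisfies `complexArgumentPassedToRealParameter`, say so in the commit message; otherwise keeping `p.getTypedName()` (or at least `p.getIndex()`) makes the result far more actionable for the developer reading it.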
2 changes: 1 addition & 1 deletion c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql
@@ -17,7 +17,7 @@

import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import CastFlow::PathGraph
import codingstandards.cpp.SideEffect

@@ -19,7 +19,7 @@ import cpp
import codingstandards.c.cert
import codingstandards.cpp.FgetsErrorManagement
import codingstandards.cpp.Dereferenced
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/*
* CFG nodes that follows a successful call to `fgets`
@@ -21,7 +21,7 @@ import cpp
import codingstandards.cpp.FgetsErrorManagement
import codingstandards.cpp.Dereferenced
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/*
* Models calls to `memcpy` `strcpy` `strncpy` and their wrappers
@@ -17,7 +17,7 @@

import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

class FgetposCall extends FunctionCall {
FgetposCall() { this.getTarget().hasGlobalOrStdName("fgetpos") }
@@ -30,12 +30,12 @@ class FsetposCall extends FunctionCall {
module FposDFConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// source must be the second parameter of a FgetposCall call
source = DataFlow::definitionByReferenceNodeFromArgument(any(FgetposCall c).getArgument(1))
source.asDefiningArgument() = any(FgetposCall c).getArgument(1)
}

predicate isSink(DataFlow::Node sink) {
// sink must be the second parameter of a FsetposCall call
sink.asExpr() = any(FsetposCall c).getArgument(1)
sink.asIndirectExpr() = any(FsetposCall c).getArgument(1)
}
}

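Review bot: the source and sink now differ in form but agree in meaning: `asDefiningArgument()` on the second argument of `fgetpos` is the pointee value written by the call, and `asIndirectExpr()` on the second argument of `fsetpos` is the pointee value read by it. Please state that in the two comments, which still say "second parameter" (reads as the callee's parameter rather than the call argument), so the next person does not simplify the sink back to `asExpr()` and silently lose every result.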
@@ -45,6 +45,6 @@ from FsetposCall fsetpos
where
not isExcluded(fsetpos.getArgument(1),
IO2Package::onlyUseValuesForFsetposThatAreReturnedFromFgetposQuery()) and
not FposDFFlow::flowToExpr(fsetpos.getArgument(1))
not exists(DataFlow::Node n | n.asIndirectExpr() = fsetpos.getArgument(1) | FposDFFlow::flowTo(n))
select fsetpos.getArgument(1),
"The position argument of a call to `fsetpos()` should be obtained from a call to `fgetpos()`."
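Review bot: the negated `exists(DataFlow::Node n | n.asIndirectExpr() = fsetpos.getArgument(1) | FposDFFlow::flowTo(n))` restates the sink condition from `FposDFConfig::isSink`; if the two drift apart, the `where` clause stops negating what the config actually matches. The MSC33-C change in this PR adds an `asSink()` helper on the argument class and uses it in both `isSink` and the `where` clause; the same pattern here (or a shared predicate relating `FsetposCall` to its argument node) keeps the two in sync.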
@@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.standardlibrary.FileAccess
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.valuenumbering.GlobalValueNumbering

/**
@@ -21,7 +21,6 @@ import cpp
import codingstandards.c.cert
import codingstandards.cpp.Overflow
import semmle.code.cpp.controlflow.Guards
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.models.Models

/**
@@ -20,7 +20,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.Alignment
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import AlignedAllocToReallocFlow::PathGraph

int getStatedValue(Expr e) {
@@ -19,7 +19,7 @@

import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/**
* The argument of a call to `asctime`
@@ -29,6 +29,8 @@ class AsctimeArg extends Expr {
this =
any(FunctionCall f | f.getTarget().hasGlobalName(["asctime", "asctime_r"])).getArgument(0)
}

DataFlow::Node asSink() { this = result.asIndirectExpr() }
}

/**
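Review bot: the new `asSink()` member has no QLDoc; a short comment saying that it yields the dataflow node for the `struct tm` object this argument points to, and therefore uses `asIndirectExpr()` rather than `asExpr()`, would document why the indirect node is the right one and keep the query's `where` clause readable.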
@@ -37,20 +39,20 @@ class AsctimeArg extends Expr {
*/
module TmStructSafeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) {
src.asExpr()
src.asIndirectExpr()
.(FunctionCall)
.getTarget()
.hasGlobalName(["localtime", "localtime_r", "localtime_s", "gmtime", "gmtime_r", "gmtime_s"])
}

predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof AsctimeArg }
predicate isSink(DataFlow::Node sink) { exists(AsctimeArg arg | arg.asSink() = sink) }
}

module TmStructSafeFlow = DataFlow::Global<TmStructSafeConfig>;

from AsctimeArg fc
where
not isExcluded(fc, Contracts7Package::doNotPassInvalidDataToTheAsctimeFunctionQuery()) and
not TmStructSafeFlow::flowToExpr(fc)
not TmStructSafeFlow::flowTo(fc.asSink())
select fc,
"The function `asctime` and `asctime_r` should be discouraged. Unsanitized input can overflow the output buffer."
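Review bot: moving the source to `src.asIndirectExpr().(FunctionCall)` tracks the object the returned `struct tm *` points to, which matches the `asIndirectExpr()` sink for the `localtime`/`gmtime` family as declared in the C standard. Note, however, that the Microsoft versions of `localtime_s` and `gmtime_s` return an `errno_t` and deliver the result only through their `struct tm *` output argument, so for code built against that signature the source never fires; adding `src.asDefiningArgument()` on that argument for the `_s` variants would cover both signatures, and either way the choice deserves a comment.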
@@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.c.Signal
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/**
* Does not access an external variable except