From f0d46940e090beb226fb9919d3b4eea0d2fae665 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:41:41 +0200 Subject: [PATCH 01/21] Convert `ThrowingOperatorNewReturnsNull` to the new dataflow library --- .../ThrowingOperatorNewReturnsNull.qll | 2 +- .../ThrowingOperatorNewReturnsNull.expected | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll b/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll index e28ef7ab07..827bfc7c7e 100644 --- a/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll +++ b/cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll @@ -4,7 +4,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.allocations.CustomOperatorNewDelete import codingstandards.cpp.exceptions.ExceptionSpecifications import codingstandards.cpp.Customizations diff --git a/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected b/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected index 5e047a77da..5b77245dbd 100644 --- a/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected +++ b/cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected 
@@ -3,10 +3,16 @@ problems | test.cpp:12:5:12:19 | return ... | test.cpp:12:12:12:18 | 0 | test.cpp:12:12:12:18 | 0 | operator new(size_t) may return null instead of throwing a std::bad_alloc exception. | | test.cpp:14:5:14:33 | return ... | test.cpp:4:10:4:23 | call to operator new | test.cpp:14:12:14:26 | call to can_return_null | operator new(size_t) may return null instead of throwing a std::bad_alloc exception. | edges -| test.cpp:4:10:4:23 | call to operator new | test.cpp:14:12:14:26 | call to can_return_null | provenance | | +| test.cpp:3:7:3:21 | *can_return_null | test.cpp:14:12:14:26 | call to can_return_null | provenance | | +| test.cpp:4:10:4:23 | call to operator new | test.cpp:3:7:3:21 | *can_return_null | provenance | | +| test.cpp:4:10:4:23 | call to operator new | test.cpp:4:10:4:23 | call to operator new | provenance | | +| test.cpp:8:23:8:23 | 0 | test.cpp:8:23:8:23 | 0 | provenance | | | test.cpp:8:23:8:23 | 0 | test.cpp:10:12:10:24 | localVariable | provenance | | nodes +| test.cpp:3:7:3:21 | *can_return_null | semmle.label | *can_return_null | | test.cpp:4:10:4:23 | call to operator new | semmle.label | call to operator new | +| test.cpp:4:10:4:23 | call to operator new | semmle.label | call to operator new | +| test.cpp:8:23:8:23 | 0 | semmle.label | 0 | | test.cpp:8:23:8:23 | 0 | semmle.label | 0 | | test.cpp:10:12:10:24 | localVariable | semmle.label | localVariable | | test.cpp:12:12:12:18 | 0 | semmle.label | 0 | From b6a4ae9d8188b15a300b8a6421a8b4b662da00e2 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:43:04 +0200 Subject: [PATCH 02/21] Convert `PredicateFunctionObjectsShouldNotBeMutable` to the new dataflow library --- .../PredicateFunctionObjectsShouldNotBeMutable.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll b/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll index ba2f6ed82a..7e3732fab0 100644 --- a/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll +++ b/cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll @@ -9,7 +9,7 @@ import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.SideEffect import codingstandards.cpp.sideeffect.DefaultEffects -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow abstract class PredicateFunctionObjectsShouldNotBeMutableSharedQuery extends Query { } From ca1667f16396a64dcf6c7635555da111dc06f993 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:43:45 +0200 Subject: [PATCH 03/21] Remove redundant dataflow import --- .../PlacementNewInsufficientStorage.qll | 1 - .../PlacementNewNotProperlyAligned.qll | 1 - 2 files changed, 2 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll b/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll index 6b2c6c87c9..6eda89ed0b 100644 --- a/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll +++ b/cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll 
@@ -7,7 +7,6 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.allocations.PlacementNew -import semmle.code.cpp.dataflow.DataFlow import PlacementNewOriginFlow::PathGraph abstract class PlacementNewInsufficientStorageSharedQuery extends Query { } diff --git a/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll b/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll index d250061a23..edbb5b8979 100644 --- a/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll +++ b/cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll @@ -7,7 +7,6 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.allocations.PlacementNew -import semmle.code.cpp.dataflow.DataFlow import PlacementNewOriginFlow::PathGraph abstract class PlacementNewNotProperlyAlignedSharedQuery extends Query { } From e643526184c5439d85a3c100965386257732a198 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:44:54 +0200 Subject: [PATCH 04/21] Convert `OnlyFreeMemoryAllocatedDynamicallyShared` to the new dataflow library --- .../OnlyFreeMemoryAllocatedDynamicallyShared.expected | 6 +++++- .../OnlyFreeMemoryAllocatedDynamicallyShared.qll | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected b/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected index a6c41a6d75..cdfabea26c 100644 --- a/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected 
+++ b/c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected @@ -7,8 +7,10 @@ problems | test.c:26:8:26:8 | p | test.c:25:13:25:14 | & ... | test.c:26:8:26:8 | p | Free expression frees memory which was not dynamically allocated. | edges | test.c:18:24:18:26 | ptr | test.c:18:36:18:38 | ptr | provenance | | +| test.c:25:13:25:14 | & ... | test.c:25:13:25:14 | & ... | provenance | | | test.c:25:13:25:14 | & ... | test.c:26:8:26:8 | p | provenance | | -| test.c:27:7:27:8 | & ... | test.c:28:15:28:15 | p | provenance | | +| test.c:27:3:27:8 | ... = ... | test.c:28:15:28:15 | p | provenance | | +| test.c:27:7:27:8 | & ... | test.c:27:3:27:8 | ... = ... | provenance | | | test.c:28:15:28:15 | p | test.c:18:24:18:26 | ptr | provenance | | nodes | test.c:8:8:8:10 | g_p | semmle.label | g_p | @@ -18,7 +20,9 @@ nodes | test.c:18:24:18:26 | ptr | semmle.label | ptr | | test.c:18:36:18:38 | ptr | semmle.label | ptr | | test.c:25:13:25:14 | & ... | semmle.label | & ... | +| test.c:25:13:25:14 | & ... | semmle.label | & ... | | test.c:26:8:26:8 | p | semmle.label | p | +| test.c:27:3:27:8 | ... = ... | semmle.label | ... = ... | | test.c:27:7:27:8 | & ... | semmle.label | & ... | | test.c:28:15:28:15 | p | semmle.label | p | subpaths diff --git a/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll b/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll index 89c732ff5a..d89755c999 100644 --- a/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll +++ b/cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll 
@@ -7,7 +7,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.Allocations -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import NonDynamicPointerToFreeFlow::PathGraph /** From 0f50470feabd73615dc2a00a9f06bc55143a9d11 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Aug 2025 16:45:40 +0200 Subject: [PATCH 05/21] Convert `InvalidatedEnvStringPointers` to the new dataflow library --- .../InvalidatedEnvStringPointers.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll b/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll index 50b27d819d..38215c602f 100644 --- a/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll +++ b/cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow abstract class InvalidatedEnvStringPointersSharedQuery extends Query { } From 493a4c152065e1c92685a9c4fab99d7f4a65d57c Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 18 Aug 2025 11:20:34 +0200 Subject: [PATCH 06/21] Convert `FunctionErroneousReturnValueNotTested` to the new dataflow library --- .../FunctionErroneousReturnValueNotTested.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll index 93177e4f46..e7e25cf7b0 100644 
--- a/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll +++ b/cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll @@ -4,7 +4,7 @@ import cpp import codingstandards.cpp.Customizations -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.controlflow.Guards import codingstandards.cpp.Exclusions From 8a672b1978a3acf7f4ae5976a832df20d9cc6baa Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 18 Aug 2025 11:33:39 +0200 Subject: [PATCH 07/21] Update `DoNotPassAliasedPointerToRestrictQualifiedParamShared` to the new dataflow library --- .../DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll b/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll index 79eda7714d..edd3e8305e 100644 --- a/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll +++ b/cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll @@ -7,7 +7,7 @@ import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.types.Pointers import codingstandards.cpp.Variable -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import semmle.code.cpp.pointsto.PointsTo import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis From 3bfaf5b9733572bb55bf5f753372063d61a2a7b0 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 19 Aug 2025 11:42:36 +0200 Subject: [PATCH 08/21] Convert M9-3-1 to the new dataflow library --- .../ConstMemberFunctionReturnsNonConstPointer.ql | 14 ++++++++------ ...stMemberFunctionReturnsNonConstPointer.expected | 2 -- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql b/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql index 559b41527c..322430fa5b 100644 --- a/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql +++ b/cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql @@ -18,7 +18,7 @@ import cpp import codingstandards.cpp.autosar -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow class ReferenceTypeWithNonConstBaseType extends ReferenceType { ReferenceTypeWithNonConstBaseType() { not this.getBaseType().isConst() } @@ -46,14 +46,16 @@ class ConstMemberFunctionWithRetNonConst extends ConstMemberFunction { from ConstMemberFunctionWithRetNonConst fun, Locatable f where not isExcluded(fun, ConstPackage::constMemberFunctionReturnsNonConstPointerQuery()) and - exists(ReturnStmt ret | + exists(ReturnStmt ret, DataFlow::Node vaNode, DataFlow::Node retNode | ret.getEnclosingFunction() = fun and + retNode.asIndirectExpr() = ret.getExpr() and ( - f.(MemberVariable).getDeclaringType() = fun.getDeclaringType() and - DataFlow::localExprFlow(f.(MemberVariable).getAnAccess(), ret.getExpr()) + vaNode.asIndirectExpr() = f.(MemberVariable).getAnAccess() and + f.(MemberVariable).getDeclaringType() = fun.getDeclaringType() or - DataFlow::localExprFlow(f.(ThisExpr), ret.getExpr()) - ) + vaNode.asIndirectExpr() = f.(ThisExpr) + ) and + DataFlow::localFlow(vaNode, retNode) ) select fun, "Const member function returns a " + fun.getReturnTypeCategory() + " to class data $@.", f, f.toString() 
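Review bot: The `asIndirectExpr()` constraints on `vaNode` and `retNode` in the second hunk of `ConstMemberFunctionReturnsNonConstPointer.ql` are the one non-obvious step of the rewrite and carry no comment; a reader used to the old library will reach for `asExpr()` and wonder why pointer-value flow is not tracked. A comment above the `exists`, e.g. `// Track the object the returned pointer/reference designates (one level of indirection), not the pointer value, so a member returned by address or by reference is matched.`, would record the intent in the query rather than in the commit. If I read the new library right, `asIndirectExpr()` is the one-indirection form, so the query now deliberately tracks only the pointee; the matching .expected in this patch loses only the deprecation warnings, so the results held, but that is the reasoning worth stating next to the code.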
diff --git a/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected b/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected index af7e9efc36..ee9652f505 100644 --- a/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected +++ b/cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected @@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstMemberFunctionReturnsNonConstPointer.ql:53,7-15) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (ConstMemberFunctionReturnsNonConstPointer.ql:55,7-15) | test.cpp:8:8:8:11 | getA | Const member function returns a pointer to class data $@. | test.cpp:3:8:3:8 | a | a | | test.cpp:9:8:9:11 | getB | Const member function returns a pointer to class data $@. | test.cpp:4:8:4:8 | b | b | | test.cpp:11:6:11:12 | getThis | Const member function returns a pointer to class data $@. | test.cpp:11:36:11:39 | this | this | From 56cc4553da1bc4e20c9cdc026d501f33dfc473d6 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 11:46:25 +0200 Subject: [PATCH 09/21] Convert A8-4-9 to the new dataflow library --- .../src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql | 2 +- .../rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql b/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql index 3b30eb676a..a6df2fd5e5 100644 --- a/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql +++ b/cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql 
@@ -21,7 +21,7 @@ import codingstandards.cpp.autosar import codingstandards.cpp.FunctionParameter import codingstandards.cpp.ConstHelpers import codingstandards.cpp.Operator -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow /** * Non-const T& `Parameter`s to `Function`s diff --git a/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected b/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected index 25fe77d9a5..e3cfa71bb7 100644 --- a/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected +++ b/cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected @@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (InOutParametersDeclaredAsTNotModified.ql:50,7-15) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (InOutParametersDeclaredAsTNotModified.ql:64,7-15) | test.cpp:4:13:4:13 | i | In-out parameter i that is not written to. | | test.cpp:7:22:7:24 | str | In-out parameter str that is not read from. | | test.cpp:18:14:18:14 | i | In-out parameter i that is not read from. | From 6384dbd64783d86cf0e9c0997f474881c6c8c403 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 11:50:04 +0200 Subject: [PATCH 10/21] Conver A8-4-11 to the new dataflow library --- .../A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql | 2 +- .../SmartPointerAsParameterWithoutLifetimeSemantics.expected | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql b/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql index 0bf42ce4ca..83c73902db 100644 --- a/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql +++ b/cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql 
@@ -16,7 +16,7 @@ import cpp import codingstandards.cpp.autosar import codingstandards.cpp.SmartPointers -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.standardlibrary.Utility Expr lifetimeAffectingSmartPointerExpr(Function f) { diff --git a/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected b/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected index 2ce56fdce9..b751d81835 100644 --- a/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected +++ b/cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected @@ -1,5 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (SmartPointerAsParameterWithoutLifetimeSemantics.ql:47,3-11) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (SmartPointerAsParameterWithoutLifetimeSemantics.ql:56,5-13) | test.cpp:7:41:7:43 | up1 | Function $@ takes smart pointer parameter 'up1' but does not implement any lifetime-affecting operations. | test.cpp:7:6:7:18 | smart_ptr_get | smart_ptr_get | | test.cpp:16:53:16:55 | sp1 | Function $@ takes smart pointer parameter 'sp1' but does not implement any lifetime-affecting operations. | test.cpp:16:6:16:29 | smart_ptr_ref_assign_ref | smart_ptr_ref_assign_ref | | test.cpp:28:55:28:57 | sp1 | Function $@ takes smart pointer parameter 'sp1' but does not implement any lifetime-affecting operations. | test.cpp:28:6:28:31 | smart_ptr_ref_noncompliant | smart_ptr_ref_noncompliant | From 113c121660dbd44f04e3298680a9f36143f5d567 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 19 Aug 2025 13:41:50 +0200 Subject: [PATCH 11/21] Convert STR31-C to the new dataflow library --- .../StringsHasSufficientSpaceForTheNullTerminator.ql | 2 +- .../StringsHasSufficientSpaceForTheNullTerminator.expected | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql b/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql index 437b13f7f9..15d895c1f0 100644 --- a/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql +++ b/c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql @@ -20,7 +20,7 @@ import cpp import codingstandards.c.cert -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import codingstandards.cpp.PossiblyUnsafeStringOperation /** diff --git a/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected b/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected index 9a87a6775b..71e713d120 100644 --- a/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected +++ b/c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected 
@@ -1,9 +1,3 @@ -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:62,31-39) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:62,55-63) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:68,31-39) -WARNING: module 'DataFlow' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:68,54-62) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:62,5-18) -WARNING: module 'TaintTracking' has been deprecated and may be removed in future (StringsHasSufficientSpaceForTheNullTerminator.ql:68,5-18) | test.c:10:20:10:24 | Cod | Expression produces or consumes a string that may not have sufficient space for a null-terminator. | | test.c:16:3:16:9 | call to strncpy | Expression produces or consumes a string that may not have sufficient space for a null-terminator. | | test.c:26:3:26:10 | call to snprintf | Expression produces or consumes a string that may not have sufficient space for a null-terminator. | From f265690c83a97734dbdedfb4781bca0040302f4d Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 19:59:53 +0200 Subject: [PATCH 12/21] Convert `FileStreams.qll` to the new dataflow library --- .../src/codingstandards/cpp/standardlibrary/FileStreams.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll b/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll index 99eec1f5e0..4714fde6a2 100644 --- a/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll +++ b/cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll 
@@ -10,8 +10,8 @@ */ import cpp -private import semmle.code.cpp.dataflow.DataFlow -private import semmle.code.cpp.dataflow.TaintTracking +private import semmle.code.cpp.dataflow.new.DataFlow +private import semmle.code.cpp.dataflow.new.TaintTracking private import codingstandards.cpp.Operator /** From 146d85a95b44d094e7c886cae802d55cf8d0f517 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Aug 2025 20:00:30 +0200 Subject: [PATCH 13/21] Convert `DoNotAccessAClosedFile` to the new dataflow library --- .../donotaccessaclosedfile/DoNotAccessAClosedFile.qll | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll b/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll index 83266ed524..86f50c7538 100644 --- a/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll +++ b/cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll @@ -6,7 +6,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.standardlibrary.FileAccess import semmle.code.cpp.controlflow.SubBasicBlocks @@ -40,9 +40,10 @@ SubBasicBlock followsFileClose(SubBasicBlock source, Expr closedFile) { // the argument of a call to function `fclose(FILE*)` is subsequently accessed predicate closedFileAccess(Expr closedFile, Expr fileAccess) { - exists(DataFlow::DefinitionByReferenceNode def | + exists(DataFlow::DefinitionByReferenceNode def, DataFlow::Node va | + va.asIndirectExpr() = fileAccess.(VariableAccess) and def.asDefiningArgument() = closedFile and - DataFlow::localFlow(def, DataFlow::exprNode(fileAccess.(VariableAccess))) + DataFlow::localFlow(def, va) ) } From 4d16b3b90813cd38be12c794962e7092cd44de8f Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Thu, 21 Aug 2025 11:36:51 +0200 Subject: [PATCH 14/21] Update `OwnedPointerValueStoredInUnrelatedSmartPointer` to the new dataflow library Note this introduces some new results. This seems to be correct, as before the update the query seemed to have missed problems with code like the following: ```cpp void f3(int *v1) { int *v2 = v1; std::shared_ptr p1(v1); // NON_COMPLIANT new std::shared_ptr(p1.get()); // NON_COMPLIANT new std::shared_ptr(v2); // NON_COMPLIANT } void f4() { f3(new int(0)); } ``` --- ...nterValueStoredInUnrelatedSmartPointer.qll | 2 +- ...alueStoredInUnrelatedSmartPointer.expected | 42 ++++++++++++++----- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll b/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll index 2ee92b1611..677271db44 100644 --- a/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll +++ b/cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll @@ -8,7 +8,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.SmartPointers -import semmle.code.cpp.dataflow.TaintTracking +import semmle.code.cpp.dataflow.new.TaintTracking import PointerToSmartPointerConstructorFlowFlow::PathGraph abstract class OwnedPointerValueStoredInUnrelatedSmartPointerSharedQuery extends Query { } 
diff --git a/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected b/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected index 7790582443..00f3128a8b 100644 --- a/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected +++ b/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected 
@@ -1,44 +1,64 @@ problems +| test.cpp:5:27:5:28 | v1 | test.cpp:4:13:4:14 | v1 | test.cpp:5:27:5:28 | v1 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:5:27:5:28 | v1 | test.cpp:16:13:16:22 | new | test.cpp:5:27:5:28 | v1 | Raw pointer flows to initialize multiple unrelated smart pointers. | +| test.cpp:6:31:6:33 | call to get | test.cpp:4:13:4:14 | v1 | test.cpp:6:31:6:33 | call to get | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:6:31:6:33 | call to get | test.cpp:16:13:16:22 | new | test.cpp:6:31:6:33 | call to get | Raw pointer flows to initialize multiple unrelated smart pointers. | +| test.cpp:7:28:7:29 | v2 | test.cpp:4:13:4:14 | v1 | test.cpp:7:28:7:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:7:28:7:29 | v2 | test.cpp:16:13:16:22 | new | test.cpp:7:28:7:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:11:28:11:29 | v2 | test.cpp:10:8:10:17 | new | test.cpp:11:28:11:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:12:28:12:29 | v2 | test.cpp:10:8:10:17 | new | test.cpp:12:28:12:29 | v2 | Raw pointer flows to initialize multiple unrelated smart pointers. | | test.cpp:17:27:17:28 | v1 | test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | Raw pointer flows to initialize multiple unrelated smart pointers. 
| edges +| test.cpp:3:14:3:15 | v1 | test.cpp:4:13:4:14 | v1 | provenance | | | test.cpp:3:14:3:15 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | | test.cpp:3:14:3:15 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | -| test.cpp:3:14:3:15 | v1 | test.cpp:7:28:7:29 | v2 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:4:13:4:14 | v1 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:5:27:5:28 | v1 | provenance | | | test.cpp:4:13:4:14 | v1 | test.cpp:7:28:7:29 | v2 | provenance | | -| test.cpp:5:27:5:28 | v1 | test.cpp:5:27:5:29 | call to shared_ptr | provenance | | -| test.cpp:5:27:5:28 | v1 | test.cpp:5:27:5:29 | call to shared_ptr | provenance | Config | -| test.cpp:5:27:5:29 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | -| test.cpp:5:27:5:29 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | +| test.cpp:4:13:4:14 | v1 | test.cpp:7:28:7:29 | v2 | provenance | | +| test.cpp:5:24:5:25 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | +| test.cpp:5:24:5:25 | call to shared_ptr | test.cpp:6:28:6:29 | p1 | provenance | | +| test.cpp:5:27:5:28 | v1 | test.cpp:5:24:5:25 | call to shared_ptr | provenance | Config | +| test.cpp:5:27:5:28 | v1 | test.cpp:5:24:5:25 | call to shared_ptr | provenance | Config | | test.cpp:6:28:6:29 | p1 | test.cpp:6:31:6:33 | call to get | provenance | Config | | test.cpp:6:28:6:29 | p1 | test.cpp:6:31:6:33 | call to get | provenance | Config | -| test.cpp:8:8:8:14 | 0 | test.cpp:9:28:9:29 | v2 | provenance | | -| test.cpp:10:8:10:17 | new | test.cpp:11:28:11:29 | v2 | provenance | | -| test.cpp:10:8:10:17 | new | test.cpp:12:28:12:29 | v2 | provenance | | +| test.cpp:8:3:8:14 | ... = ... | test.cpp:9:28:9:29 | v2 | provenance | | +| test.cpp:8:8:8:14 | 0 | test.cpp:8:3:8:14 | ... = ... | provenance | | +| test.cpp:10:3:10:17 | ... = ... | test.cpp:11:28:11:29 | v2 | provenance | | +| test.cpp:10:3:10:17 | ... = ... 
| test.cpp:11:28:11:29 | v2 | provenance | | +| test.cpp:10:8:10:17 | new | test.cpp:10:3:10:17 | ... = ... | provenance | | +| test.cpp:11:28:11:29 | v2 | test.cpp:12:28:12:29 | v2 | provenance | | +| test.cpp:16:13:16:22 | new | test.cpp:16:13:16:22 | new | provenance | | +| test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | provenance | | | test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | provenance | | -| test.cpp:16:13:16:22 | new | test.cpp:19:6:19:7 | v1 | provenance | | +| test.cpp:17:27:17:28 | v1 | test.cpp:19:6:19:7 | v1 | provenance | | | test.cpp:19:6:19:7 | v1 | test.cpp:3:14:3:15 | v1 | provenance | | nodes | test.cpp:3:14:3:15 | v1 | semmle.label | v1 | | test.cpp:4:13:4:14 | v1 | semmle.label | v1 | +| test.cpp:4:13:4:14 | v1 | semmle.label | v1 | +| test.cpp:4:13:4:14 | v1 | semmle.label | v1 | +| test.cpp:5:24:5:25 | call to shared_ptr | semmle.label | call to shared_ptr | +| test.cpp:5:24:5:25 | call to shared_ptr | semmle.label | call to shared_ptr | +| test.cpp:5:27:5:28 | v1 | semmle.label | v1 | | test.cpp:5:27:5:28 | v1 | semmle.label | v1 | | test.cpp:5:27:5:28 | v1 | semmle.label | v1 | -| test.cpp:5:27:5:29 | call to shared_ptr | semmle.label | call to shared_ptr | -| test.cpp:5:27:5:29 | call to shared_ptr | semmle.label | call to shared_ptr | | test.cpp:6:28:6:29 | p1 | semmle.label | p1 | | test.cpp:6:28:6:29 | p1 | semmle.label | p1 | | test.cpp:6:31:6:33 | call to get | semmle.label | call to get | | test.cpp:7:28:7:29 | v2 | semmle.label | v2 | +| test.cpp:8:3:8:14 | ... = ... | semmle.label | ... = ... | | test.cpp:8:8:8:14 | 0 | semmle.label | 0 | | test.cpp:9:28:9:29 | v2 | semmle.label | v2 | +| test.cpp:10:3:10:17 | ... = ... | semmle.label | ... = ... 
| | test.cpp:10:8:10:17 | new | semmle.label | new | | test.cpp:11:28:11:29 | v2 | semmle.label | v2 | +| test.cpp:11:28:11:29 | v2 | semmle.label | v2 | | test.cpp:12:28:12:29 | v2 | semmle.label | v2 | | test.cpp:16:13:16:22 | new | semmle.label | new | +| test.cpp:16:13:16:22 | new | semmle.label | new | +| test.cpp:17:27:17:28 | v1 | semmle.label | v1 | | test.cpp:17:27:17:28 | v1 | semmle.label | v1 | | test.cpp:19:6:19:7 | v1 | semmle.label | v1 | subpaths From 3b05adcb15a67e3a31f964989afbc1006860107a Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 21 Aug 2025 13:44:22 +0200 Subject: [PATCH 15/21] Update `MovedFromObjectsUnspecifiedState` to the new dataflow library --- .../MovedFromObjectsUnspecifiedState.qll | 9 +++++---- .../MovedFromObjectsUnspecifiedState.expected | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll b/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll index f17da7e457..ad1d9f009f 100644 --- a/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll +++ b/cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll @@ -4,7 +4,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.Exclusions import codingstandards.cpp.standardlibrary.Utility 
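Review bot: The three added `problems` rows in the `OwnedPointerValueStoredInUnrelatedSmartPointer.expected` hunk do not match the justification given in the commit message. Each new row has source `test.cpp:4:13:4:14 | v1`, the read of `v1` in `int *v2 = v1;`, while the rows for the same sinks with source `test.cpp:16:13:16:22 | new` (the `f4` → `f3` path the message describes) are context lines and were already reported before the change; so the new library has not found new sinks, it has admitted a plain variable read as an additional source for sinks that were already flagged. If the source predicate in the .qll (outside this patch) is meant to be allocations, this looks like an extra node at the same location being accepted rather than a genuine new finding, and the rows would be duplicates of existing results; worth confirming against the configuration before accepting the .expected, and the commit message should then describe what actually changed.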
@@ -75,9 +75,10 @@ query predicate problems(Expr e, string message, StdMoveCall f, string argDesc)
 not e instanceof ReassignedExpression and
 // object moved to safe functions are preserved
 not exists(SafeRead safe | f = safe.getArgument(0)) and
- exists(DataFlow::DefinitionByReferenceNode def |
- def.asDefiningArgument() = f and
- DataFlow::localFlow(def, DataFlow::exprNode(e))
+ exists(DataFlow::DefinitionByReferenceNode def, DataFlow::Node n |
+ f.getArgument(0) = def.getArgument() and
+ n.asIndirectExpr() = e and
+ DataFlow::localFlow(def, n)
 ) and
 message = "The argument of the $@ may be indeterminate when accessed at this location." and
 argDesc = f.toString()
diff --git a/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected b/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected
index 7f8c6b9a50..48cce53ea6 100644
--- a/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected
+++ b/cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected
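Review bot: The new sink condition `n.asIndirectExpr() = e` admits the std::move call itself as the accessed expression, which is exactly what the new expectation row `test.cpp:31:11:31:19 | call to move` records: the definition site is now reported as a read of the moved-from object. Unless flagging the move expression is intended, exclude it alongside the existing guards, `not e = f and`, and regenerate the `.expected` file. It would also help to say in a comment why the first argument of the move call is taken as a by-reference definition, e.g. `// The argument of std::move is treated as defined by the call; follow the object behind it (indirect node) to later reads`. The `problems` predicate begins and ends outside this hunk.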
@@ -1,5 +1,5 @@ | test.cpp:9:16:9:17 | s1 | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:7:18:7:26 | call to move | call to move | | test.cpp:30:5:30:5 | s | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | -| test.cpp:31:11:31:22 | call to basic_string | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | +| test.cpp:31:11:31:19 | call to move | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | | test.cpp:31:21:31:21 | s | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:31:11:31:19 | call to move | call to move | | test.cpp:79:16:79:23 | s_global | The argument of the $@ may be indeterminate when accessed at this location. | test.cpp:78:18:78:26 | call to move | call to move | From ab5a471496e2eb7471cc4a6729b7ae67cfa84d87 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 21 Aug 2025 13:54:43 +0200 Subject: [PATCH 16/21] Update `DoNotUseRelationalOperatorsWithDifferingArrays` to the new dataflow library --- ...ionalOperatorsWithDifferingArrays.expected | 38 +++++++++++-------- ...RelationalOperatorsWithDifferingArrays.qll | 4 +- ...ionalOperatorsWithDifferingArrays.expected | 38 +++++++++++-------- 3 files changed, 49 insertions(+), 31 deletions(-) diff --git a/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected b/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected index bda6c7ad05..8625b9793d 100644 --- a/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected 
+++ b/c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected 
@@ -10,27 +10,35 @@ problems | test.c:25:7:25:14 | ... >= ... | test.c:7:14:7:15 | l1 | test.c:25:7:25:8 | p1 | Compare operation >= comparing left operand pointing to array $@ and other operand pointing to array $@. | test.c:2:7:2:8 | l1 | l1 | test.c:4:7:4:8 | l3 | l3 | | test.c:25:7:25:14 | ... >= ... | test.c:25:13:25:14 | l3 | test.c:25:13:25:14 | l3 | Compare operation >= comparing right operand pointing to array $@ and other operand pointing to array $@. | test.c:4:7:4:8 | l3 | l3 | test.c:2:7:2:8 | l1 | l1 | edges +| test.c:6:13:6:14 | l1 | test.c:6:13:6:14 | l1 | provenance | | | test.c:6:13:6:14 | l1 | test.c:13:12:13:13 | p0 | provenance | | -| test.c:7:14:7:15 | l1 | test.c:7:14:7:18 | access to array | provenance | Config | -| test.c:7:14:7:18 | access to array | test.c:11:7:11:8 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:13:7:13:8 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:15:13:15:14 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:17:7:17:8 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:23:13:23:14 | p1 | provenance | | -| test.c:7:14:7:18 | access to array | test.c:25:7:25:8 | p1 | provenance | | -| test.c:8:14:8:15 | l1 | test.c:8:14:8:18 | access to array | provenance | Config | -| test.c:8:14:8:18 | access to array | test.c:11:12:11:13 | p2 | provenance | | -| test.c:8:14:8:18 | access to array | test.c:21:7:21:8 | p2 | provenance | | -| test.c:9:14:9:15 | l2 | test.c:9:14:9:18 | access to array | provenance | Config | -| test.c:9:14:9:18 | access to array | test.c:21:12:21:13 | p3 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:7:13:7:18 | & ... | provenance | | +| test.c:7:13:7:18 | & ... | test.c:11:7:11:8 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:13:7:13:8 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:15:13:15:14 | p1 | provenance | | +| test.c:7:13:7:18 | & ... 
| test.c:17:7:17:8 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:23:13:23:14 | p1 | provenance | | +| test.c:7:13:7:18 | & ... | test.c:25:7:25:8 | p1 | provenance | | +| test.c:7:14:7:15 | l1 | test.c:7:13:7:18 | & ... | provenance | Config | +| test.c:8:13:8:18 | & ... | test.c:8:13:8:18 | & ... | provenance | | +| test.c:8:13:8:18 | & ... | test.c:11:12:11:13 | p2 | provenance | | +| test.c:8:13:8:18 | & ... | test.c:21:7:21:8 | p2 | provenance | | +| test.c:8:14:8:15 | l1 | test.c:8:13:8:18 | & ... | provenance | Config | +| test.c:9:13:9:18 | & ... | test.c:9:13:9:18 | & ... | provenance | | +| test.c:9:13:9:18 | & ... | test.c:21:12:21:13 | p3 | provenance | | +| test.c:9:14:9:15 | l2 | test.c:9:13:9:18 | & ... | provenance | Config | nodes | test.c:6:13:6:14 | l1 | semmle.label | l1 | +| test.c:6:13:6:14 | l1 | semmle.label | l1 | +| test.c:7:13:7:18 | & ... | semmle.label | & ... | +| test.c:7:13:7:18 | & ... | semmle.label | & ... | | test.c:7:14:7:15 | l1 | semmle.label | l1 | -| test.c:7:14:7:18 | access to array | semmle.label | access to array | +| test.c:8:13:8:18 | & ... | semmle.label | & ... | +| test.c:8:13:8:18 | & ... | semmle.label | & ... | | test.c:8:14:8:15 | l1 | semmle.label | l1 | -| test.c:8:14:8:18 | access to array | semmle.label | access to array | +| test.c:9:13:9:18 | & ... | semmle.label | & ... | +| test.c:9:13:9:18 | & ... | semmle.label | & ... | | test.c:9:14:9:15 | l2 | semmle.label | l2 | -| test.c:9:14:9:18 | access to array | semmle.label | access to array | | test.c:11:7:11:8 | p1 | semmle.label | p1 | | test.c:11:12:11:13 | p2 | semmle.label | p2 | | test.c:13:7:13:8 | p1 | semmle.label | p1 | 
diff --git a/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll b/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll
index aa8fa29bfd..ca0aeb8618 100644
--- a/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll
@@ -7,7 +7,7 @@
 import cpp
 import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import ArrayToRelationalOperationOperandFlow::PathGraph

 abstract class DoNotUseRelationalOperatorsWithDifferingArraysSharedQuery extends Query { }
@@ -43,6 +43,8 @@ module ArrayToRelationalOperationOperandConfig implements DataFlow::ConfigSig {
 // Add a flow step from the base to the array expression to track pointers to elements of the array.
 exists(ArrayExpr e | e.getArrayBase() = pred.asExpr() and e = succ.asExpr())
 }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

 module ArrayToRelationalOperationOperandFlow =
diff --git a/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected b/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected
index cab80e0fe0..94210200fc 100644
--- a/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected
+++ b/cpp/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected
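Review bot: `predicate isBarrierIn(DataFlow::Node node) { isSource(node) }` is added without a comment, while the step right above it explains itself, and its effect — a source node also blocks flow arriving at it — is not obvious from the name. Presumably the intent is to stop a pointer that already flowed from one array from being re-attributed when it passes through another source; if so, state it on the line above, `// A source also acts as a barrier-in, so each path is attributed only to the array it starts from.`, and if the reason is different the comment is the place to record it. `isSource` is defined outside this hunk.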
@@ -10,27 +10,35 @@ problems | test.cpp:25:7:25:14 | ... >= ... | test.cpp:7:14:7:15 | l1 | test.cpp:25:7:25:8 | p1 | Compare operation >= comparing left operand pointing to array $@ and other operand pointing to array $@. | test.cpp:2:7:2:8 | l1 | l1 | test.cpp:4:7:4:8 | l3 | l3 | | test.cpp:25:7:25:14 | ... >= ... | test.cpp:25:13:25:14 | l3 | test.cpp:25:13:25:14 | l3 | Compare operation >= comparing right operand pointing to array $@ and other operand pointing to array $@. | test.cpp:4:7:4:8 | l3 | l3 | test.cpp:2:7:2:8 | l1 | l1 | edges +| test.cpp:6:13:6:14 | l1 | test.cpp:6:13:6:14 | l1 | provenance | | | test.cpp:6:13:6:14 | l1 | test.cpp:13:12:13:13 | p0 | provenance | | -| test.cpp:7:14:7:15 | l1 | test.cpp:7:14:7:18 | access to array | provenance | Config | -| test.cpp:7:14:7:18 | access to array | test.cpp:11:7:11:8 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:13:7:13:8 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:15:13:15:14 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:17:7:17:8 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:23:13:23:14 | p1 | provenance | | -| test.cpp:7:14:7:18 | access to array | test.cpp:25:7:25:8 | p1 | provenance | | -| test.cpp:8:14:8:15 | l1 | test.cpp:8:14:8:18 | access to array | provenance | Config | -| test.cpp:8:14:8:18 | access to array | test.cpp:11:12:11:13 | p2 | provenance | | -| test.cpp:8:14:8:18 | access to array | test.cpp:21:7:21:8 | p2 | provenance | | -| test.cpp:9:14:9:15 | l2 | test.cpp:9:14:9:18 | access to array | provenance | Config | -| test.cpp:9:14:9:18 | access to array | test.cpp:21:12:21:13 | p3 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:7:13:7:18 | & ... | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:11:7:11:8 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:13:7:13:8 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... 
| test.cpp:15:13:15:14 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:17:7:17:8 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:23:13:23:14 | p1 | provenance | | +| test.cpp:7:13:7:18 | & ... | test.cpp:25:7:25:8 | p1 | provenance | | +| test.cpp:7:14:7:15 | l1 | test.cpp:7:13:7:18 | & ... | provenance | Config | +| test.cpp:8:13:8:18 | & ... | test.cpp:8:13:8:18 | & ... | provenance | | +| test.cpp:8:13:8:18 | & ... | test.cpp:11:12:11:13 | p2 | provenance | | +| test.cpp:8:13:8:18 | & ... | test.cpp:21:7:21:8 | p2 | provenance | | +| test.cpp:8:14:8:15 | l1 | test.cpp:8:13:8:18 | & ... | provenance | Config | +| test.cpp:9:13:9:18 | & ... | test.cpp:9:13:9:18 | & ... | provenance | | +| test.cpp:9:13:9:18 | & ... | test.cpp:21:12:21:13 | p3 | provenance | | +| test.cpp:9:14:9:15 | l2 | test.cpp:9:13:9:18 | & ... | provenance | Config | nodes | test.cpp:6:13:6:14 | l1 | semmle.label | l1 | +| test.cpp:6:13:6:14 | l1 | semmle.label | l1 | +| test.cpp:7:13:7:18 | & ... | semmle.label | & ... | +| test.cpp:7:13:7:18 | & ... | semmle.label | & ... | | test.cpp:7:14:7:15 | l1 | semmle.label | l1 | -| test.cpp:7:14:7:18 | access to array | semmle.label | access to array | +| test.cpp:8:13:8:18 | & ... | semmle.label | & ... | +| test.cpp:8:13:8:18 | & ... | semmle.label | & ... | | test.cpp:8:14:8:15 | l1 | semmle.label | l1 | -| test.cpp:8:14:8:18 | access to array | semmle.label | access to array | +| test.cpp:9:13:9:18 | & ... | semmle.label | & ... | +| test.cpp:9:13:9:18 | & ... | semmle.label | & ... | | test.cpp:9:14:9:15 | l2 | semmle.label | l2 | -| test.cpp:9:14:9:18 | access to array | semmle.label | access to array | | test.cpp:11:7:11:8 | p1 | semmle.label | p1 | | test.cpp:11:12:11:13 | p2 | semmle.label | p2 | | test.cpp:13:7:13:8 | p1 | semmle.label | p1 | From 590cd5adc03f536a761fdd328dd2fb2de4c5f2ec Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema
Date: Thu, 21 Aug 2025 15:19:27 +0200
Subject: [PATCH 17/21] Convert `DanglingCaptureWhenReturningLambdaObject` to the new dataflow library

Note that this removes - what seems to be - a duplicated test result.

---
 .../DanglingCaptureWhenReturningLambdaObject.qll | 11 +++++++++--
 .../DanglingCaptureWhenReturningLambdaObject.expected | 1 -
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll
index 4ab01520f6..85fc15c565 100644
--- a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll
@@ -5,7 +5,7 @@
 */

 import cpp
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow
 import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions

@@ -48,7 +48,14 @@ query predicate problems(
 not isExcluded(returnStmt, getQuery()) and
 lambda.getACapture() = danglingCapture and
 (
- DataFlow::localExprFlow(lambda, returnStmt.getExpr())
+ returnStmt.getExpr() = lambda
+ or
+ exists(DataFlow::Node lambdaNode, DataFlow::Node returnNode |
+ lambdaNode.asExpr() = lambda and
+ returnNode.asIndirectExpr() = returnStmt.getExpr()
+ |
+ DataFlow::localFlow(lambdaNode, returnNode)
+ )
 or
 // implement a rough heuristic to catch the results of constructors (such as std::function's)
 // which take an argument that has a dangling capture and flow to a return statement
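Review bot: The replacement for `localExprFlow` is split into an equality case and a `localFlow` between a direct node for `lambda` and an indirect node for the return expression, and nothing says why the two ends use different node kinds or why `returnStmt.getExpr() = lambda` has to be spelled out separately when the old call covered the reflexive case by itself. Presumably the lambda is a plain value where it is created but, once stored in a local, reaches the `return` as the object behind that local, which the new library exposes as an indirect node; please confirm that and put it on the `exists`, e.g. `// Direct node at the lambda's creation, indirect node at the return (the object behind the returned local); a lambda returned directly is matched by equality above.`. The `problems` predicate starts and ends outside this hunk.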
diff --git a/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected b/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected index 15fe8afa2f..a85d60399f 100644 --- a/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected +++ b/cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected @@ -1,7 +1,6 @@ | test.cpp:6:3:6:12 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:5:12:5:27 | [...](...){...} | object | test.cpp:5:21:5:21 | l1 | l1 | | test.cpp:17:5:17:36 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:17:5:17:36 | [...](...){...} | object | test.cpp:17:27:17:27 | (captured this) | this | | test.cpp:27:5:27:17 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:26:17:26:42 | [...](...){...} | object | test.cpp:26:33:26:33 | val | val | -| test.cpp:27:5:27:17 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:26:18:26:42 | [...](...){...} | object | test.cpp:26:33:26:33 | val | val | | test.cpp:33:3:33:33 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:33:3:33:33 | [...](...){...} | object | test.cpp:33:25:33:25 | i | i | | test.cpp:37:3:37:33 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:37:3:37:33 | [...](...){...} | object | test.cpp:37:25:37:25 | i | i | | test.cpp:46:3:46:45 | return ... | Returning lambda $@ with potentially dangling capture $@. | test.cpp:46:11:46:43 | [...](...){...} | object | test.cpp:46:13:46:16 | data | data | From 42838bf6c81dbecc9c998812107e0ba9daeb5412 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Thu, 21 Aug 2025 15:36:33 +0200 Subject: [PATCH 18/21] Update `DanglingCaptureWhenMovingLambdaObject` to the new dataflow library --- .../DanglingCaptureWhenMovingLambdaObject.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll index 902d0ecf1f..b81e41f256 100644 --- a/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll +++ b/cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll @@ -5,7 +5,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions import codingstandards.cpp.Expr From a11320c1287d727eae7b059386355f1a3cbec33b Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 21 Aug 2025 20:36:03 +0200 Subject: [PATCH 19/21] Update `ConstLikeReturnValue` to the new dataflow library Note that there's a small issue here where the dataflow library causes one of the results to get duplicated. --- .../ConstLikeReturnValue.expected | 19 ++++++++++++++----- .../ConstLikeReturnValue.qll | 2 +- .../ConstLikeReturnValue.expected | 19 ++++++++++++++----- 3 files changed, 29 insertions(+), 11 deletions(-) diff --git a/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected b/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected index d7dfc6c13f..afbb275c6c 100644 --- a/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected +++ b/c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected 
@@ -1,20 +1,29 @@ problems -| test.c:11:8:11:12 | c_str | test.c:18:16:18:21 | call to getenv | test.c:11:8:11:12 | c_str | The object returned by the function getenv should not be modified. | +| test.c:11:7:11:12 | * ... | test.c:18:16:18:21 | call to getenv | test.c:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. | +| test.c:11:8:11:12 | c_str | test.c:18:16:18:21 | call to getenv | test.c:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. | | test.c:67:5:67:9 | conv4 | test.c:64:11:64:20 | call to localeconv | test.c:67:5:67:9 | conv4 | The object returned by the function localeconv should not be modified. | | test.c:76:5:76:8 | conv | test.c:72:25:72:34 | call to localeconv | test.c:76:5:76:8 | conv | The object returned by the function localeconv should not be modified. | edges -| test.c:8:18:8:22 | c_str | test.c:11:8:11:12 | c_str | provenance | | +| test.c:8:18:8:22 | c_str | test.c:11:7:11:12 | * ... | provenance | | +| test.c:18:16:18:21 | call to getenv | test.c:18:16:18:21 | call to getenv | provenance | | | test.c:18:16:18:21 | call to getenv | test.c:24:9:24:12 | env1 | provenance | | | test.c:24:9:24:12 | env1 | test.c:8:18:8:22 | c_str | provenance | | -| test.c:64:11:64:20 | call to localeconv | test.c:67:5:67:9 | conv4 | provenance | | -| test.c:72:25:72:34 | call to localeconv | test.c:76:5:76:8 | conv | provenance | | +| test.c:64:3:64:22 | ... = ... | test.c:67:5:67:9 | conv4 | provenance | | +| test.c:64:11:64:20 | call to localeconv | test.c:64:3:64:22 | ... = ... 
| provenance | | +| test.c:72:25:72:34 | call to localeconv | test.c:72:25:72:34 | call to localeconv | provenance | | +| test.c:72:25:72:34 | call to localeconv | test.c:73:24:73:28 | conv4 | provenance | | +| test.c:73:24:73:28 | conv4 | test.c:76:5:76:8 | conv | provenance | | nodes | test.c:8:18:8:22 | c_str | semmle.label | c_str | -| test.c:11:8:11:12 | c_str | semmle.label | c_str | +| test.c:11:7:11:12 | * ... | semmle.label | * ... | +| test.c:18:16:18:21 | call to getenv | semmle.label | call to getenv | | test.c:18:16:18:21 | call to getenv | semmle.label | call to getenv | | test.c:24:9:24:12 | env1 | semmle.label | env1 | +| test.c:64:3:64:22 | ... = ... | semmle.label | ... = ... | | test.c:64:11:64:20 | call to localeconv | semmle.label | call to localeconv | | test.c:67:5:67:9 | conv4 | semmle.label | conv4 | | test.c:72:25:72:34 | call to localeconv | semmle.label | call to localeconv | +| test.c:72:25:72:34 | call to localeconv | semmle.label | call to localeconv | +| test.c:73:24:73:28 | conv4 | semmle.label | conv4 | | test.c:76:5:76:8 | conv | semmle.label | conv | subpaths diff --git a/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll b/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll index a366991714..d17cd560bb 100644 --- a/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll +++ b/cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll @@ -8,7 +8,7 @@ import cpp import codingstandards.cpp.Customizations import codingstandards.cpp.Exclusions -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.new.DataFlow import DFFlow::PathGraph abstract class ConstLikeReturnValueSharedQuery extends Query { } 
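Review bot: The duplicate acknowledged in the commit message is visible in both `.expected` files: the two `problems` rows for `test.c:11` (and `test.cpp:11`) share source `call to getenv` and sink `* ...` and differ only in the reported element, `* ...` versus `c_str`, which suggests the element column is derived from the sink expression in a way that yields both the dereference and its operand. Since the expectation files now encode that as correct output, record it in the query rather than only in the commit message, e.g. `// TODO: with the new dataflow library the sink at a dereference is reported twice (deref and operand)` next to the select (outside this hunk), or restrict the element to one of the two before accepting the expectation.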
diff --git a/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected b/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected index 2caa0d197c..dbbff59c9f 100644 --- a/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected +++ b/cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected 
@@ -1,20 +1,29 @@ problems -| test.cpp:11:8:11:12 | c_str | test.cpp:18:16:18:21 | call to getenv | test.cpp:11:8:11:12 | c_str | The object returned by the function getenv should not be modified. | +| test.cpp:11:7:11:12 | * ... | test.cpp:18:16:18:21 | call to getenv | test.cpp:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. | +| test.cpp:11:8:11:12 | c_str | test.cpp:18:16:18:21 | call to getenv | test.cpp:11:7:11:12 | * ... | The object returned by the function getenv should not be modified. | | test.cpp:67:5:67:9 | conv4 | test.cpp:64:11:64:20 | call to localeconv | test.cpp:67:5:67:9 | conv4 | The object returned by the function localeconv should not be modified. | | test.cpp:76:5:76:8 | conv | test.cpp:72:25:72:34 | call to localeconv | test.cpp:76:5:76:8 | conv | The object returned by the function localeconv should not be modified. | edges -| test.cpp:8:18:8:22 | c_str | test.cpp:11:8:11:12 | c_str | provenance | | +| test.cpp:8:18:8:22 | c_str | test.cpp:11:7:11:12 | * ... | provenance | | +| test.cpp:18:16:18:21 | call to getenv | test.cpp:18:16:18:21 | call to getenv | provenance | | | test.cpp:18:16:18:21 | call to getenv | test.cpp:24:9:24:12 | env1 | provenance | | | test.cpp:24:9:24:12 | env1 | test.cpp:8:18:8:22 | c_str | provenance | | -| test.cpp:64:11:64:20 | call to localeconv | test.cpp:67:5:67:9 | conv4 | provenance | | -| test.cpp:72:25:72:34 | call to localeconv | test.cpp:76:5:76:8 | conv | provenance | | +| test.cpp:64:3:64:22 | ... = ... | test.cpp:67:5:67:9 | conv4 | provenance | | +| test.cpp:64:11:64:20 | call to localeconv | test.cpp:64:3:64:22 | ... = ... 
| provenance | | +| test.cpp:72:25:72:34 | call to localeconv | test.cpp:72:25:72:34 | call to localeconv | provenance | | +| test.cpp:72:25:72:34 | call to localeconv | test.cpp:73:24:73:28 | conv4 | provenance | | +| test.cpp:73:24:73:28 | conv4 | test.cpp:76:5:76:8 | conv | provenance | | nodes | test.cpp:8:18:8:22 | c_str | semmle.label | c_str | -| test.cpp:11:8:11:12 | c_str | semmle.label | c_str | +| test.cpp:11:7:11:12 | * ... | semmle.label | * ... | +| test.cpp:18:16:18:21 | call to getenv | semmle.label | call to getenv | | test.cpp:18:16:18:21 | call to getenv | semmle.label | call to getenv | | test.cpp:24:9:24:12 | env1 | semmle.label | env1 | +| test.cpp:64:3:64:22 | ... = ... | semmle.label | ... = ... | | test.cpp:64:11:64:20 | call to localeconv | semmle.label | call to localeconv | | test.cpp:67:5:67:9 | conv4 | semmle.label | conv4 | | test.cpp:72:25:72:34 | call to localeconv | semmle.label | call to localeconv | +| test.cpp:72:25:72:34 | call to localeconv | semmle.label | call to localeconv | +| test.cpp:73:24:73:28 | conv4 | semmle.label | conv4 | | test.cpp:76:5:76:8 | conv | semmle.label | conv | subpaths From 99b45ad8a2f51190719ad8dcfe37f014672448e2 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 21 Aug 2025 20:45:26 +0200 Subject: [PATCH 20/21] Remove redundant dataflow import --- .../BasicStringMayNotBeNullTerminated.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll index e27f09fd98..c73e77ef2a 100644 --- a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll +++ b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll 
@@ -8,7 +8,6 @@ import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.commons.Buffer
-import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.dataflow.TaintTracking
 import codingstandards.cpp.PossiblyUnsafeStringOperation

From 5e701b5921f812b2e77dd736cdb292825c187108 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Thu, 21 Aug 2025 22:47:05 +0200
Subject: [PATCH 21/21] Convert `BasicStringMayNotBeNullTerminated` to the new dataflow library

---
 .../BasicStringMayNotBeNullTerminated.qll | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
index c73e77ef2a..ad24101379 100644
--- a/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
+++ b/cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll
@@ -8,7 +8,7 @@ import codingstandards.cpp.Customizations
 import codingstandards.cpp.Exclusions
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.commons.Buffer
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codingstandards.cpp.PossiblyUnsafeStringOperation

 abstract class BasicStringMayNotBeNullTerminatedSharedQuery extends Query { }
@@ -39,8 +39,13 @@ query predicate problems(BasicStringConstructorCall cc, string message) {
 // a) is not a string literal
 not arg instanceof StringLiteral and
 // b) may exist in a dataflow from an unsafe usage of a string function
- exists(PossiblyUnsafeStringOperation op |
- TaintTracking::localTaint(DataFlow::exprNode(op.getAnArgument()), DataFlow::exprNode(arg))
+ exists(
+ PossiblyUnsafeStringOperation op, DataFlow::DefinitionByReferenceNode opNode,
+ DataFlow::Node argNode
+ |
+ opNode.asDefiningArgument() = op.getAnArgument() and argNode.asIndirectExpr() = arg
+ |
+ TaintTracking::localTaint(opNode, argNode)
 ) and
 message = "Construction of string object with possibly non-null terminated C-style string."
 )
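Review bot: `DataFlow::DefinitionByReferenceNode` and `DataFlow::Node` are referenced here although the explicit `DataFlow` import was removed as redundant in the preceding commit (its `@@ -8,7 +8,6 @@` hunk), so these names now resolve only through whatever `semmle.code.cpp.dataflow.new.TaintTracking` re-exports; adding `import semmle.code.cpp.dataflow.new.DataFlow` to the import block (outside this hunk) makes the dependency explicit. The comment above the `exists` still reads "may exist in a dataflow from an unsafe usage of a string function", but the new condition starts taint only at an argument the operation defines by reference and ends it at the object behind `arg`, so rephrase it to match, e.g. `// b) the object behind arg is locally tainted from an argument written by an unsafe string operation`. The `problems` predicate starts outside this hunk.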