
Convert a number of queries to use the new dataflow library #920


Merged
merged 13 commits into from
Jul 7, 2025
Merged
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import NonArrayPointerToArrayIndexingExprFlow::PathGraph

/**
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.types.Pointers
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.dataflow.new.TaintTracking
import ScaledIntegerPointerArithmeticFlow::PathGraph

/**
Expand Down Expand Up @@ -61,9 +61,11 @@ class ScaledIntegerExpr extends Expr {
ScaledIntegerExpr() {
not this.getParent*() instanceof ArrayCountOfExpr and
(
this.(SizeofExprOperator).getExprOperand().getType().getSize() > 1
exists(this.getValue()) and
this.getAChild*().(SizeofExprOperator).getExprOperand().getType().getSize() > 1
or
this.(SizeofTypeOperator).getTypeOperand().getSize() > 1
exists(this.getValue()) and
this.getAChild*().(SizeofTypeOperator).getTypeOperand().getSize() > 1
or
this instanceof OffsetOfExpr
)
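Review bot: The broadened `ScaledIntegerExpr` characteristic predicate (the `exists(this.getValue()) and this.getAChild*().(Sizeof...)` disjuncts) now matches any constant-valued expression that has a `sizeof` anywhere beneath it, which also covers the `bytes / sizeof(T)` idiom that converts a byte count back into an element count rather than scaling it; the updated expected output for this rule reports a new `... / ...` result at test.c:27 whose right operand is a `sizeof`, which looks like such a case. If that is not an intended true positive, consider excluding expressions where the `sizeof` sits under the right operand of a `DivExpr`, e.g. `not exists(DivExpr d | d = this.getAChild*() and d.getRightOperand().getAChild*() instanceof SizeofOperator)`, while keeping the existing `ArrayCountOfExpr` exclusion. The new `exists(this.getValue())` guard also deserves a one-line why-comment such as `// only constant-folded expressions; a runtime product with sizeof is reached through taint from the inner sizeof` so the next reader does not assume non-constant scaling is missed. The class starts before this hunk, so its QLDoc, which should mention the broadening, is not visible here.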
2 changes: 1 addition & 1 deletion c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.c.Errno
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/**
* A call to an `OutOfBandErrnoSettingFunction`
2 changes: 1 addition & 1 deletion c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.c.Errno
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

class SetlocaleFunctionCall extends FunctionCall {
SetlocaleFunctionCall() { this.getTarget().hasGlobalName("setlocale") }
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.Alignment
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import ExprWithAlignmentToCStyleCastFlow::PathGraph

Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
import cpp
import codingstandards.c.cert
import codingstandards.cpp.standardlibrary.FileAccess
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.valuenumbering.GlobalValueNumbering

/**
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@

import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.new.DataFlow

/**
* The argument of a call to `asctime`
Expand All @@ -29,6 +29,8 @@ class AsctimeArg extends Expr {
this =
any(FunctionCall f | f.getTarget().hasGlobalName(["asctime", "asctime_r"])).getArgument(0)
}

DataFlow::Node asSink() { this = result.asIndirectExpr() }
}

/**
Expand All @@ -37,20 +39,20 @@ class AsctimeArg extends Expr {
*/
module TmStructSafeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) {
src.asExpr()
src.asIndirectExpr()
.(FunctionCall)
.getTarget()
.hasGlobalName(["localtime", "localtime_r", "localtime_s", "gmtime", "gmtime_r", "gmtime_s"])
}

predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof AsctimeArg }
predicate isSink(DataFlow::Node sink) { exists(AsctimeArg arg | arg.asSink() = sink) }
}

module TmStructSafeFlow = DataFlow::Global<TmStructSafeConfig>;

from AsctimeArg fc
where
not isExcluded(fc, Contracts7Package::doNotPassInvalidDataToTheAsctimeFunctionQuery()) and
not TmStructSafeFlow::flowToExpr(fc)
not TmStructSafeFlow::flowTo(fc.asSink())
select fc,
"The function `asctime` and `asctime_r` should be discouraged. Unsanitized input can overflow the output buffer."
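Review bot: The new `asSink()` member predicate and the switch from `asExpr()` to `asIndirectExpr()` in `isSource` carry no explanation, and a reader of the new dataflow library will reasonably ask why the pointed-to `tm` object rather than the pointer expression is being tracked. Add QLDoc on the predicate, `/** Gets the dataflow node for the object this argument points to, i.e. the indirection of the argument expression. */`, and a short comment in `isSource` stating that the source is the object returned by `localtime`/`gmtime`, not the pointer value itself. Because the `where` clause reports an `asctime` call whenever no such flow is found (`not TmStructSafeFlow::flowTo(fc.asSink())`), any case the indirect flow does not cover (for instance a `tm` copied by value before the call, if the new library does not track that) surfaces as a reported finding rather than a silent miss, so it is worth a dedicated test case if one is not already present; the test file is not visible here. Stylistically, `isSink` can be written without the `exists`, `predicate isSink(DataFlow::Node sink) { sink = any(AsctimeArg arg).asSink() }`.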
Original file line number Diff line number Diff line change
@@ -1,22 +1,21 @@
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:28,60-68)
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:29,22-30)
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:41,20-28)
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:49,26-34)
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql:70,3-11)
edges
| test.c:14:38:14:39 | p1 | test.c:18:10:18:11 | v1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:19:10:19:11 | v2 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:16:13:16:14 | p1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:17:13:17:14 | p1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:20:10:20:11 | p1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:21:10:21:11 | p1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:22:9:22:10 | p1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:23:13:23:14 | p1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:24:9:24:10 | p1 | provenance | |
| test.c:14:38:14:39 | p1 | test.c:25:9:25:10 | p1 | provenance | |
| test.c:16:13:16:14 | p1 | test.c:18:10:18:13 | ... ++ | provenance | |
| test.c:17:13:17:14 | p1 | test.c:19:10:19:13 | ... -- | provenance | |
| test.c:51:30:51:38 | & ... | test.c:14:38:14:39 | p1 | provenance | |
nodes
| test.c:14:38:14:39 | p1 | semmle.label | p1 |
| test.c:18:10:18:11 | v1 | semmle.label | v1 |
| test.c:19:10:19:11 | v2 | semmle.label | v2 |
| test.c:16:13:16:14 | p1 | semmle.label | p1 |
| test.c:17:13:17:14 | p1 | semmle.label | p1 |
| test.c:18:10:18:13 | ... ++ | semmle.label | ... ++ |
| test.c:19:10:19:13 | ... -- | semmle.label | ... -- |
| test.c:20:10:20:11 | p1 | semmle.label | p1 |
| test.c:21:10:21:11 | p1 | semmle.label | p1 |
| test.c:22:9:22:10 | p1 | semmle.label | p1 |
Expand All @@ -32,8 +31,8 @@ nodes
| test.c:51:30:51:38 | & ... | semmle.label | & ... |
subpaths
#select
| test.c:18:10:18:11 | v1 | test.c:51:30:51:38 | & ... | test.c:18:10:18:11 | v1 | Pointer arithmetic on non-array object pointer. |
| test.c:19:10:19:11 | v2 | test.c:51:30:51:38 | & ... | test.c:19:10:19:11 | v2 | Pointer arithmetic on non-array object pointer. |
| test.c:18:10:18:13 | ... ++ | test.c:51:30:51:38 | & ... | test.c:18:10:18:13 | ... ++ | Pointer arithmetic on non-array object pointer. |
| test.c:19:10:19:13 | ... -- | test.c:51:30:51:38 | & ... | test.c:19:10:19:13 | ... -- | Pointer arithmetic on non-array object pointer. |
| test.c:20:10:20:11 | p1 | test.c:51:30:51:38 | & ... | test.c:20:10:20:11 | p1 | Pointer arithmetic on non-array object pointer. |
| test.c:21:10:21:11 | p1 | test.c:51:30:51:38 | & ... | test.c:21:10:21:11 | p1 | Pointer arithmetic on non-array object pointer. |
| test.c:22:9:22:10 | p1 | test.c:51:30:51:38 | & ... | test.c:22:9:22:10 | p1 | Pointer arithmetic on non-array object pointer. |
Original file line number Diff line number Diff line change
@@ -1,27 +1,27 @@
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:77,56-64)
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:78,22-30)
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:80,20-28)
WARNING: module 'DataFlow' has been deprecated and may be removed in future (DoNotAddOrSubtractAScaledIntegerToAPointer.ql:89,45-53)
edges
| test.c:7:13:7:14 | p1 | test.c:9:9:9:10 | p1 | provenance | |
| test.c:16:19:16:41 | ... - ... | test.c:16:19:16:41 | ... - ... | provenance | |
| test.c:16:19:16:41 | ... - ... | test.c:18:26:18:31 | offset | provenance | |
| test.c:16:19:16:41 | ... - ... | test.c:29:6:29:11 | offset | provenance | |
| test.c:17:17:17:26 | sizeof(<expr>) | test.c:17:17:17:26 | sizeof(<expr>) | provenance | |
| test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size | provenance | |
| test.c:29:6:29:11 | offset | test.c:7:13:7:14 | p1 | provenance | |
nodes
| test.c:7:13:7:14 | p1 | semmle.label | p1 |
| test.c:9:9:9:10 | p1 | semmle.label | p1 |
| test.c:16:19:16:41 | ... - ... | semmle.label | ... - ... |
| test.c:16:19:16:41 | ... - ... | semmle.label | ... - ... |
| test.c:17:17:17:26 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
| test.c:17:17:17:26 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
| test.c:18:26:18:31 | offset | semmle.label | offset |
| test.c:23:9:23:12 | size | semmle.label | size |
| test.c:25:9:25:18 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
| test.c:27:17:27:26 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
| test.c:27:12:27:26 | ... / ... | semmle.label | ... / ... |
| test.c:29:6:29:11 | offset | semmle.label | offset |
subpaths
#select
| test.c:9:9:9:10 | p1 | test.c:16:19:16:41 | ... - ... | test.c:9:9:9:10 | p1 | Scaled integer used in pointer arithmetic. |
| test.c:18:26:18:31 | offset | test.c:16:19:16:41 | ... - ... | test.c:18:26:18:31 | offset | Scaled integer used in pointer arithmetic. |
| test.c:23:9:23:12 | size | test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size | Scaled integer used in pointer arithmetic. |
| test.c:25:9:25:18 | sizeof(<expr>) | test.c:25:9:25:18 | sizeof(<expr>) | test.c:25:9:25:18 | sizeof(<expr>) | Scaled integer used in pointer arithmetic. |
| test.c:27:17:27:26 | sizeof(<expr>) | test.c:27:17:27:26 | sizeof(<expr>) | test.c:27:17:27:26 | sizeof(<expr>) | Scaled integer used in pointer arithmetic. |
| test.c:27:12:27:26 | ... / ... | test.c:27:12:27:26 | ... / ... | test.c:27:12:27:26 | ... / ... | Scaled integer used in pointer arithmetic. |
1 change: 0 additions & 1 deletion c/cert/test/rules/ERR30-C/ErrnoReadBeforeReturn.expected
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
WARNING: module 'DataFlow' has been deprecated and may be removed in future (ErrnoReadBeforeReturn.ql:46,7-15)
| test.c:69:7:69:11 | * ... | Do not read `errno` before checking the return value of function $@. | test.c:68:3:68:7 | call to ftell | call to ftell |
| test.c:69:7:69:11 | call to __errno_location | Do not read `errno` before checking the return value of function $@. | test.c:68:3:68:7 | call to ftell | call to ftell |
| test.c:70:5:70:10 | call to perror | Do not read `errno` before checking the return value of function $@. | test.c:68:3:68:7 | call to ftell | call to ftell |
1 change: 0 additions & 1 deletion c/cert/test/rules/ERR30-C/SetlocaleMightSetErrno.expected
Original file line number Diff line number Diff line change
@@ -1,3 +1,2 @@
WARNING: module 'DataFlow' has been deprecated and may be removed in future (SetlocaleMightSetErrno.ql:70,7-15)
| test.c:98:3:98:11 | call to setlocale | Do not read `errno` before checking the return value of a call to `setlocale`. |
| test.c:104:7:104:15 | call to setlocale | The value of `errno` may be different than `0` when `setlocale` is called. The following `errno` check might be invalid. |