Skip to content

analysis-cpp.md

Latest commit

 

History

History
46 lines (35 loc) · 2.05 KB

analysis-cpp.md

File metadata and controls

46 lines (35 loc) · 2.05 KB

Improvements to C/C++ analysis

The following changes in version 1.25 affect C/C++ analysis in all applications.

General improvements

New queries

Query Tags Purpose

Changes to existing queries

Query Expected impact Change
Uncontrolled format string (cpp/tainted-format-string) This query is now displayed by default on LGTM.
Uncontrolled format string (through global variable) (cpp/tainted-format-string-through-global) This query is now displayed by default on LGTM.

Changes to libraries

  • The library VCS.qll and all queries that imported it have been removed.
  • The data-flow library has been improved, which affects most security queries by potentially adding more results. Flow through functions now takes nested field reads/writes into account. For example, the library is able to track flow from taint() to sink() via the method getf2f1() in 
    struct C {
    int f1;
};

struct C2
{
    C f2;

    int getf2f1() {
        return f2.f1; // Nested field read
    }

    void m() {
        f2.f1 = taint();
        sink(getf2f1()); // NEW: taint() reaches here
    }
};
  • The security pack taint tracking library (semmle.code.cpp.security.TaintTracking) now considers that equality checks may block the flow of taint. This results in fewer false positive results from queries that use this library.
  • The length of a tainted string (such as the return value of a call to strlen or strftime with tainted parameters) is no longer itself considered tainted by the models library. This leads to fewer false positive results in queries that use any of our taint libraries.