From 34c1ec73c2693f0d5a03a4af2bd83169684d4613 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 22 Jul 2025 11:28:54 +0100 Subject: [PATCH 1/3] C++: Add tests with missing flow through globals. --- .../dataflow-consistency.expected | 8 ++ .../dataflow-tests/test-source-sink.expected | 12 +++ .../dataflow/dataflow-tests/test.cpp | 99 ++++++++++++++++++- .../dataflow/fields/aliasing.cpp | 61 ++++++++++++ .../fields/dataflow-consistency.expected | 8 ++ .../fields/partial-definition-diff.expected | 14 +++ .../fields/partial-definition-ir.expected | 16 +++ .../fields/partial-definition.expected | 14 +++ 8 files changed, 231 insertions(+), 1 deletion(-) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected index 9abcd6eeee78..cb25f1a21e39 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected @@ -43,6 +43,10 @@ argHasPostUpdate | test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. | | test.cpp:848:23:848:25 | rpx | ArgumentNode is missing PostUpdateNode. | | test.cpp:1093:19:1093:21 | * ... | ArgumentNode is missing PostUpdateNode. | +| test.cpp:1206:19:1206:37 | * ... | ArgumentNode is missing PostUpdateNode. | +| test.cpp:1207:10:1207:28 | * ... | ArgumentNode is missing PostUpdateNode. | +| test.cpp:1224:19:1224:37 | * ... | ArgumentNode is missing PostUpdateNode. | +| test.cpp:1225:10:1225:28 | * ... | ArgumentNode is missing PostUpdateNode. | postWithInFlow | BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. | | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. | 
@@ -193,6 +197,10 @@ postWithInFlow | test.cpp:1139:4:1139:7 | data [inner post update] | PostUpdateNode should not be the target of local flow. | | test.cpp:1153:5:1153:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. | | test.cpp:1153:6:1153:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1165:5:1165:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1165:6:1165:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1195:5:1195:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:1195:6:1195:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. | viableImplInCallContextTooLarge uniqueParameterNodeAtPosition uniqueParameterNodePosition diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index 323ce2a43121..ccb8c8f448f3 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected 
@@ -134,6 +134,11 @@ astFlow | test.cpp:1086:12:1086:12 | a | test.cpp:1088:8:1088:9 | & ... | | test.cpp:1137:7:1137:10 | data | test.cpp:1140:8:1140:18 | * ... | | test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1170:19:1170:32 | global_int_ptr | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1234:19:1234:34 | global_int_array | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1239:10:1239:26 | * ... | +| test.cpp:1195:10:1195:24 | call to indirect_source | test.cpp:1200:19:1200:36 | global_int_ptr_ptr | +| test.cpp:1195:10:1195:24 | call to indirect_source | test.cpp:1201:10:1201:27 | global_int_ptr_ptr | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x | 
@@ -327,6 +332,13 @@ irFlow | test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source | | test.cpp:1132:11:1132:16 | call to source | test.cpp:1121:8:1121:8 | x | | test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1170:19:1170:32 | *global_int_ptr | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1175:10:1175:24 | * ... | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1234:19:1234:34 | *global_int_array | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1239:10:1239:26 | * ... | +| test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1200:19:1200:36 | **global_int_ptr_ptr | +| test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1206:19:1206:37 | ** ... | +| test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1209:10:1209:29 | * ... | | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index b804159d8583..5c9e6002e881 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp 
@@ -1155,4 +1155,101 @@ namespace conflation_regression {
 }
 }
-int recursion = (sink(recursion), source()); // clean
\ No newline at end of file
+int recursion = (sink(recursion), source()); // clean
+
+
+namespace globals_without_explicit_def {
+ int* global_int_ptr;
+
+ void set(int* p) { // $ ast-def=p ir-def=*p
+ *p = source();
+ }
+
+ void test1() {
+ set(global_int_ptr);
+ indirect_sink(global_int_ptr); // $ ir,ast
+ }
+
+ void test2() {
+ set(global_int_ptr);
+ sink(*global_int_ptr); // $ ir MISSING: ast
+ }
+
+ void calls_set() {
+ set(global_int_ptr);
+ }
+
+ void test3() {
+ calls_set();
+ indirect_sink(global_int_ptr); // $ MISSING: ast,ir
+ }
+
+ void test4() {
+ calls_set();
+ sink(*global_int_ptr); // $ MISSING: ast,ir
+ }
+
+ int** global_int_ptr_ptr;
+
+ void set_indirect(int** p) { // $ ast-def=p ir-def=*p ir-def=**p
+ *p = indirect_source();
+ }
+
+ void test5() {
+ set_indirect(global_int_ptr_ptr);
+ indirect_sink(global_int_ptr_ptr); // $ ir,ast
+ sink(global_int_ptr_ptr); // $ SPURIOUS: ast
+ }
+
+ void test6() {
+ set_indirect(global_int_ptr_ptr);
+ indirect_sink(*global_int_ptr_ptr); // $ ir MISSING: ast
+ sink(*global_int_ptr_ptr);
+ indirect_sink(**global_int_ptr_ptr);
+ sink(**global_int_ptr_ptr); // $ ir
+ }
+
+ void calls_set_indirect() {
+ set_indirect(global_int_ptr_ptr);
+ }
+
+ void test7() {
+ calls_set_indirect();
+ indirect_sink(global_int_ptr_ptr); // $ MISSING: ast,ir
+ sink(global_int_ptr_ptr); // $ MISSING: ast
+ }
+
+ void test8() {
+ calls_set_indirect();
+ indirect_sink(*global_int_ptr_ptr); // $ MISSING: ast,ir
+ sink(*global_int_ptr_ptr);
+ indirect_sink(**global_int_ptr_ptr);
+ sink(**global_int_ptr_ptr); // $ MISSING: ast,ir
+ }
+
+ int global_int_array[10];
+
+ void test9() {
+ set(global_int_array);
+ indirect_sink(global_int_array); // $ ir,ast
+ }
+
+ void test10() {
+ set(global_int_array);
+ sink(*global_int_array); // $ ir,ast
+ }
+
+ void calls_set_array() {
+ set(global_int_array);
+ }
+
+ void test11() {
calls_set_array();
+ indirect_sink(global_int_array); // $ MISSING: ast,ir
+ }
+
+ void test12() {
+ calls_set_array();
+ sink(*global_int_array); // $ MISSING: ast,ir
+ }
+}
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
index 71bfc62b3ba2..adb058325e89 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
@@ -204,4 +204,65 @@ void deep_member_field_arrow(S2 *ps2) {
 void deep_member_field_arrow_different_fields(S2 *ps2) {
 taint_a_ptr(&ps2->s.m1);
 sink(ps2->s.m2);
+}
+
+
+namespace GlobalFieldFlow {
+ S global_s;
+ S2 global_s2;
+
+ void set_field() {
+ global_s.m1 = user_input();
+ }
+
+ void read_field() {
+ sink(global_s.m1); // $ MISSING: ast,ir
+ }
+
+ void set_nested_field() {
+ global_s2.s.m1 = user_input();
+ }
+
+ void read_nested_field() {
+ sink(global_s2.s.m1); // $ MISSING: ast,ir
+ }
+
+ S* global_s_ptr;
+ S2* global_s2_ptr;
+
+ void set_field_ptr() {
+ global_s_ptr->m1 = user_input();
+ }
+
+ void read_field_ptr() {
+ sink(global_s_ptr->m1); // $ MISSING: ast,ir
+ }
+
+ void set_nested_field_ptr() {
+ global_s2_ptr->s.m1 = user_input();
+ }
+
+ void read_nested_field_ptr() {
+ sink(global_s2_ptr->s.m1); // $ MISSING: ast,ir
+ }
+
+ S_with_pointer global_s_with_pointer;
+
+ void set_field_indirect() {
+ *global_s_with_pointer.data = user_input();
+ }
+
+ void read_field_indirect() {
+ sink(*global_s_with_pointer.data); // $ MISSING: ast,ir
+ }
+
+ S_with_array global_s_with_array;
+
+ void set_field_array() {
+ *global_s_with_array.data = user_input();
+ }
+
+ void read_field_array() {
+ sink(*global_s_with_array.data); // $ MISSING: ast,ir
+ }
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
index 29daff363033..88dd9751f27e 100644
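Review bot: The expectations on `sink(global_int_ptr_ptr)` look contradictory between test5 and test7: test5 annotates the AST result at that sink as `// $ SPURIOUS: ast`, while test7 annotates its absence as `// $ MISSING: ast`, so the same kind of result is declared unwanted in one function and wanted in the other (the annotation update in the later patch leaves the test7 line untouched). If flow of the pointer value itself is not intended, as the test5 annotation says, the test7 line should carry no expectation, `sink(global_int_ptr_ptr);`; if it is intended, test5 should not mark it spurious. The namespace also has no comment saying what it exercises; a header such as `// Globals that are never assigned directly in this file but written through a pointer passed to set/set_indirect; a later read must see that write, also when the call sits one level deeper (calls_*).` would spare a reader reconstructing that from the names. Both this hunk and the aliasing.cpp hunk leave the file without a trailing newline (`\ No newline at end of file` on the new side).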
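Review bot: The new `GlobalFieldFlow` namespace has no comment stating what each set/read pair checks, and every `read_*` function is annotated `MISSING: ast,ir`, so a reader cannot tell from the file alone whether the missing flow is a known gap being documented or an intended non-result. A one-line header such as `// A field of a global written in one function must reach a read of the same field in another function; covers direct, nested, pointer-to-struct, pointer-member and array-member cases.` would make the intent explicit. Nothing in the hunk points `global_s_ptr` or `global_s2_ptr` at an object before `set_field_ptr` / `set_nested_field_ptr` write through them; that is fine for a static dataflow test, but a short comment saying the functions are not meant to be executed would prevent a later "fix".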
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected @@ -95,6 +95,14 @@ postWithInFlow | aliasing.cpp:194:21:194:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. | | aliasing.cpp:200:23:200:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. | | aliasing.cpp:205:23:205:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:215:14:215:15 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:223:17:223:18 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:234:19:234:20 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:242:22:242:23 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:252:5:252:31 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:252:28:252:31 | data [inner post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:262:5:262:29 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:262:26:262:29 | data [inner post update] | PostUpdateNode should not be the target of local flow. | | arrays.cpp:6:3:6:5 | arr [inner post update] | PostUpdateNode should not be the target of local flow. | | arrays.cpp:6:3:6:8 | access to array [post update] | PostUpdateNode should not be the target of local flow. | | arrays.cpp:15:3:15:10 | * ... [post update] | PostUpdateNode should not be the target of local flow. | diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected index 91b22f8d13ad..8137e350d853 100644 
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected @@ -141,6 +141,20 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par | aliasing.cpp:201:13:201:13 | s | IR only | | aliasing.cpp:206:8:206:10 | ps2 | IR only | | aliasing.cpp:206:13:206:13 | s | IR only | +| aliasing.cpp:215:14:215:15 | m1 | AST only | +| aliasing.cpp:219:10:219:17 | global_s | IR only | +| aliasing.cpp:223:17:223:18 | m1 | AST only | +| aliasing.cpp:227:10:227:18 | global_s2 | IR only | +| aliasing.cpp:227:20:227:20 | s | IR only | +| aliasing.cpp:234:19:234:20 | m1 | AST only | +| aliasing.cpp:238:10:238:21 | global_s_ptr | IR only | +| aliasing.cpp:242:22:242:23 | m1 | AST only | +| aliasing.cpp:246:10:246:22 | global_s2_ptr | IR only | +| aliasing.cpp:246:25:246:25 | s | IR only | +| aliasing.cpp:252:5:252:31 | * ... | AST only | +| aliasing.cpp:256:11:256:31 | global_s_with_pointer | IR only | +| aliasing.cpp:262:5:262:29 | * ... | AST only | +| aliasing.cpp:266:11:266:29 | global_s_with_array | IR only | | arrays.cpp:6:3:6:8 | access to array | AST only | | arrays.cpp:7:8:7:13 | access to array | IR only | | arrays.cpp:7:8:7:13 | access to array | IR only | diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected index c12cc3c3c0f4..8df575d8e167 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected 
@@ -285,6 +285,22 @@ | aliasing.cpp:205:21:205:21 | s | | aliasing.cpp:206:8:206:10 | ps2 | | aliasing.cpp:206:13:206:13 | s | +| aliasing.cpp:215:5:215:12 | global_s | +| aliasing.cpp:219:10:219:17 | global_s | +| aliasing.cpp:223:5:223:13 | global_s2 | +| aliasing.cpp:223:15:223:15 | s | +| aliasing.cpp:227:10:227:18 | global_s2 | +| aliasing.cpp:227:20:227:20 | s | +| aliasing.cpp:234:5:234:16 | global_s_ptr | +| aliasing.cpp:238:10:238:21 | global_s_ptr | +| aliasing.cpp:242:5:242:17 | global_s2_ptr | +| aliasing.cpp:242:20:242:20 | s | +| aliasing.cpp:246:10:246:22 | global_s2_ptr | +| aliasing.cpp:246:25:246:25 | s | +| aliasing.cpp:252:6:252:26 | global_s_with_pointer | +| aliasing.cpp:256:11:256:31 | global_s_with_pointer | +| aliasing.cpp:262:6:262:24 | global_s_with_array | +| aliasing.cpp:266:11:266:29 | global_s_with_array | | arrays.cpp:7:8:7:13 | access to array | | arrays.cpp:8:8:8:13 | access to array | | arrays.cpp:9:8:9:11 | * ... | diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected index 00e84906b6cc..397e069c1669 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected 
@@ -225,6 +225,20 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par | aliasing.cpp:205:15:205:24 | & ... | | aliasing.cpp:205:16:205:18 | ps2 | | aliasing.cpp:205:21:205:21 | s | +| aliasing.cpp:215:5:215:12 | global_s | +| aliasing.cpp:215:14:215:15 | m1 | +| aliasing.cpp:223:5:223:13 | global_s2 | +| aliasing.cpp:223:15:223:15 | s | +| aliasing.cpp:223:17:223:18 | m1 | +| aliasing.cpp:234:5:234:16 | global_s_ptr | +| aliasing.cpp:234:19:234:20 | m1 | +| aliasing.cpp:242:5:242:17 | global_s2_ptr | +| aliasing.cpp:242:20:242:20 | s | +| aliasing.cpp:242:22:242:23 | m1 | +| aliasing.cpp:252:5:252:31 | * ... | +| aliasing.cpp:252:6:252:26 | global_s_with_pointer | +| aliasing.cpp:262:5:262:29 | * ... | +| aliasing.cpp:262:6:262:24 | global_s_with_array | | arrays.cpp:6:3:6:8 | access to array | | arrays.cpp:15:3:15:10 | * ... | | arrays.cpp:36:3:36:3 | o | From 73e4bfdd3e572471cf4e67493472de3bf01c6a6a Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Tue, 22 Jul 2025 11:29:23 +0100 Subject: [PATCH 2/3] C++: Fix missing flow by also generating final global uses for functions that have a post-update node for the global variable. --- .../code/cpp/ir/dataflow/internal/DataFlowPrivate.qll | 7 +++++++ .../code/cpp/ir/dataflow/internal/DataFlowUtil.qll | 6 +----- .../lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll | 9 ++++++++- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index f308ee190e7a..a03042a77ff0 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll 
@@ -332,6 +332,13 @@ private module IndirectInstructions {
 import IndirectInstructions
+predicate isPostUpdateNodeImpl(Operand operand, int indirectionIndex) {
+ operand = any(FieldAddress fa).getObjectAddressOperand() and
+ indirectionIndex = [0 .. Ssa::countIndirectionsForCppType(Ssa::getLanguageType(operand))]
+ or
+ Ssa::isModifiableByCall(operand, indirectionIndex)
+}
+
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index bc3dda5fd345..a0a99711552c 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -42,11 +42,7 @@ private newtype TIRDataFlowNode =
 [getMinIndirectionsForType(var.getUnspecifiedType()) .. SsaImpl::getMaxIndirectionsForType(var.getUnspecifiedType())]
 } or
 TPostUpdateNodeImpl(Operand operand, int indirectionIndex) {
- operand = any(FieldAddress fa).getObjectAddressOperand() and
- indirectionIndex =
- [0 .. SsaImpl::countIndirectionsForCppType(SsaImpl::getLanguageType(operand))]
- or
- SsaImpl::isModifiableByCall(operand, indirectionIndex)
+ isPostUpdateNodeImpl(operand, indirectionIndex)
 } or
 TSsaSynthNode(SsaImpl::SynthNode n) or
 TSsaIteratorNode(IteratorFlow::IteratorFlowNode n) or
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
index 3af2ea38a641..b9f320e57b23 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
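Review bot: `isPostUpdateNodeImpl` is a non-private predicate added without a QLDoc comment, while the neighbouring `nodeGetEnclosingCallable` in the same hunk carries the file's usual `/** ... */` line. Suggested: `/** Holds if operand gives rise to a post-update node at indirection index indirectionIndex: operand is the object-address operand of a field access (for every indirection up to the count for its type), or it may be modified by a call. */`. It is presumably left public because the new `TPostUpdateNodeImpl` body in DataFlowUtil.qll and the `isGlobalUse` change in SsaImpl.qll call it; stating that in the comment would stop a later cleanup from making it private and breaking SsaImpl.qll.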
@@ -143,7 +143,14 @@ private predicate isGlobalUse(
 min(int cand, VariableAddressInstruction vai |
 vai.getEnclosingIRFunction() = f and
 vai.getAstVariable() = v and
- isDef(_, _, _, vai, cand, indirectionIndex)
+ (
+ isDef(_, _, _, vai, cand, indirectionIndex)
+ or
+ exists(Operand operand |
+ isUse(_, operand, vai, cand, indirectionIndex) and
+ isPostUpdateNodeImpl(operand, indirectionIndex)
+ )
+ )
 |
 cand
 )
From fca49dde929b80ac026acebe1480b27cee08acfa Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Tue, 22 Jul 2025 11:21:52 +0100
Subject: [PATCH 3/3] C++: Accept test changes.
---
 .../dataflow-tests/test-source-sink.expected | 7 ++
 .../dataflow/dataflow-tests/test.cpp | 14 +--
 .../dataflow/fields/aliasing.cpp | 12 +--
 .../dataflow/fields/ir-path-flow.expected | 86 +++++++++++++++++++
 .../UncontrolledFormatString.expected | 10 +++
 .../PotentiallyExposedSystemData.expected | 1 +
 .../Security/CWE/CWE-611/XXE.expected | 3 +
 7 files changed, 120 insertions(+), 13 deletions(-)
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
index ccb8c8f448f3..6e0b03be9c61 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
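Review bot: The new disjunct inside the `min` aggregate has no comment saying why a use whose operand has a post-update node is put on a par with a definition when choosing the final global use; the reason lives only in the commit message. Suggested, above the `exists`: `// A use whose operand has a post-update node (the global's address passed to a call that may modify it, or a field written through it) can write the global, so it must also yield a final global use for this function.` The enclosing `isGlobalUse` predicate starts outside the hunk. Because this widens which functions produce a final global use, the new results in the UncontrolledFormatString, PotentiallyExposedSystemData and XXE expected files accepted later in the series presumably stem from this disjunct and are worth a look for spurious ones before merging.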
@@ -334,11 +334,18 @@ irFlow | test.cpp:1138:17:1138:22 | call to source | test.cpp:1140:8:1140:18 | * ... | | test.cpp:1165:10:1165:15 | call to source | test.cpp:1170:19:1170:32 | *global_int_ptr | | test.cpp:1165:10:1165:15 | call to source | test.cpp:1175:10:1175:24 | * ... | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1184:19:1184:32 | *global_int_ptr | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1189:10:1189:24 | * ... | | test.cpp:1165:10:1165:15 | call to source | test.cpp:1234:19:1234:34 | *global_int_array | | test.cpp:1165:10:1165:15 | call to source | test.cpp:1239:10:1239:26 | * ... | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1248:19:1248:34 | *global_int_array | +| test.cpp:1165:10:1165:15 | call to source | test.cpp:1253:10:1253:26 | * ... | | test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1200:19:1200:36 | **global_int_ptr_ptr | | test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1206:19:1206:37 | ** ... | | test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1209:10:1209:29 | * ... | +| test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1218:19:1218:36 | **global_int_ptr_ptr | +| test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1224:19:1224:37 | ** ... | +| test.cpp:1195:10:1195:24 | *call to indirect_source | test.cpp:1227:10:1227:29 | * ... | | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index 5c9e6002e881..35e6a074cfd0 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp 
@@ -1181,12 +1181,12 @@ namespace globals_without_explicit_def {
 void test3() {
 calls_set();
- indirect_sink(global_int_ptr); // $ MISSING: ast,ir
+ indirect_sink(global_int_ptr); // $ ir MISSING: ast
 }
 void test4() {
 calls_set();
- sink(*global_int_ptr); // $ MISSING: ast,ir
+ sink(*global_int_ptr); // $ ir MISSING: ast
 }
 int** global_int_ptr_ptr;
@@ -1215,16 +1215,16 @@ namespace globals_without_explicit_def {
 void test7() {
 calls_set_indirect();
- indirect_sink(global_int_ptr_ptr); // $ MISSING: ast,ir
+ indirect_sink(global_int_ptr_ptr); // $ ir MISSING: ast
 sink(global_int_ptr_ptr); // $ MISSING: ast
 }
 void test8() {
 calls_set_indirect();
- indirect_sink(*global_int_ptr_ptr); // $ MISSING: ast,ir
+ indirect_sink(*global_int_ptr_ptr); // $ ir MISSING: ast
 sink(*global_int_ptr_ptr);
 indirect_sink(**global_int_ptr_ptr);
- sink(**global_int_ptr_ptr); // $ MISSING: ast,ir
+ sink(**global_int_ptr_ptr); // $ ir MISSING: ast
 }
 int global_int_array[10];
@@ -1245,11 +1245,11 @@ namespace globals_without_explicit_def {
 void test11() {
 calls_set_array();
- indirect_sink(global_int_array); // $ MISSING: ast,ir
+ indirect_sink(global_int_array); // $ ir MISSING: ast
 }
 void test12() {
 calls_set_array();
- sink(*global_int_array); // $ MISSING: ast,ir
+ sink(*global_int_array); // $ ir MISSING: ast
 }
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
index adb058325e89..bf5e941cc3bb 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
@@ -216,7 +216,7 @@ namespace GlobalFieldFlow {
 }
 void read_field() {
- sink(global_s.m1); // $ MISSING: ast,ir
+ sink(global_s.m1); // $ ir MISSING: ast
 }
 void set_nested_field() {
@@ -224,7 +224,7 @@ namespace GlobalFieldFlow {
 }
 void read_nested_field() {
- sink(global_s2.s.m1); // $ MISSING: ast,ir
+ sink(global_s2.s.m1); // $ ir MISSING: ast
 }
 S* global_s_ptr;
@@ -235,7 +235,7 @@ namespace GlobalFieldFlow {
 }
 void read_field_ptr() {
- sink(global_s_ptr->m1); // $ MISSING: ast,ir
+ sink(global_s_ptr->m1); // $ ir MISSING: ast
 }
 void set_nested_field_ptr() {
@@ -243,7 +243,7 @@ namespace GlobalFieldFlow {
 }
 void read_nested_field_ptr() {
- sink(global_s2_ptr->s.m1); // $ MISSING: ast,ir
+ sink(global_s2_ptr->s.m1); // $ ir MISSING: ast
 }
 S_with_pointer global_s_with_pointer;
@@ -253,7 +253,7 @@ namespace GlobalFieldFlow {
 }
 void read_field_indirect() {
- sink(*global_s_with_pointer.data); // $ MISSING: ast,ir
+ sink(*global_s_with_pointer.data); // $ ir MISSING: ast
 }
 S_with_array global_s_with_array;
@@ -263,6 +263,6 @@ namespace GlobalFieldFlow {
 }
 void read_field_array() {
- sink(*global_s_with_array.data); // $ MISSING: ast,ir
+ sink(*global_s_with_array.data); // $ ir MISSING: ast
 }
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
index 6852a5dd3cd4..bf725830b323 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -346,6 +346,46 @@ edges | aliasing.cpp:200:21:200:21 | *s [post update] [m1] | aliasing.cpp:200:16:200:18 | *ps2 [post update] [s, m1] | provenance | | | aliasing.cpp:201:8:201:10 | *ps2 [s, m1] | aliasing.cpp:201:13:201:13 | *s [m1] | provenance | | | aliasing.cpp:201:13:201:13 | *s [m1] | aliasing.cpp:201:15:201:16 | m1 | provenance | | +| aliasing.cpp:211:5:211:12 | *global_s [m1] | aliasing.cpp:211:5:211:12 | *global_s [m1] | provenance | | +| aliasing.cpp:211:5:211:12 | *global_s [m1] | aliasing.cpp:219:10:219:17 | *global_s [m1] | provenance | | +| aliasing.cpp:212:6:212:14 | *global_s2 [s, m1] | aliasing.cpp:212:6:212:14 | *global_s2 [s, m1] | provenance | | +| aliasing.cpp:212:6:212:14 | *global_s2 [s, m1] | aliasing.cpp:227:10:227:18 | *global_s2 [s, m1] | provenance | | +| aliasing.cpp:215:5:215:12 | *global_s [post update] [m1] | aliasing.cpp:211:5:211:12 | *global_s [m1] | provenance | | +| aliasing.cpp:215:5:215:30 | ... = ... | aliasing.cpp:215:5:215:12 | *global_s [post update] [m1] | provenance | | +| aliasing.cpp:215:19:215:28 | call to user_input | aliasing.cpp:215:5:215:30 | ... = ... | provenance | | +| aliasing.cpp:219:10:219:17 | *global_s [m1] | aliasing.cpp:219:19:219:20 | m1 | provenance | | +| aliasing.cpp:223:5:223:13 | *global_s2 [post update] [s, m1] | aliasing.cpp:212:6:212:14 | *global_s2 [s, m1] | provenance | | +| aliasing.cpp:223:5:223:33 | ... = ... | aliasing.cpp:223:15:223:15 | *s [post update] [m1] | provenance | | +| aliasing.cpp:223:15:223:15 | *s [post update] [m1] | aliasing.cpp:223:5:223:13 | *global_s2 [post update] [s, m1] | provenance | | +| aliasing.cpp:223:22:223:31 | call to user_input | aliasing.cpp:223:5:223:33 | ... = ... 
| provenance | | +| aliasing.cpp:227:10:227:18 | *global_s2 [s, m1] | aliasing.cpp:227:20:227:20 | *s [m1] | provenance | | +| aliasing.cpp:227:20:227:20 | *s [m1] | aliasing.cpp:227:22:227:23 | m1 | provenance | | +| aliasing.cpp:230:6:230:17 | **global_s_ptr [m1] | aliasing.cpp:230:6:230:17 | **global_s_ptr [m1] | provenance | | +| aliasing.cpp:230:6:230:17 | **global_s_ptr [m1] | aliasing.cpp:238:10:238:21 | *global_s_ptr [m1] | provenance | | +| aliasing.cpp:231:7:231:19 | **global_s2_ptr [s, m1] | aliasing.cpp:231:7:231:19 | **global_s2_ptr [s, m1] | provenance | | +| aliasing.cpp:231:7:231:19 | **global_s2_ptr [s, m1] | aliasing.cpp:246:10:246:22 | *global_s2_ptr [s, m1] | provenance | | +| aliasing.cpp:234:5:234:16 | *global_s_ptr [post update] [m1] | aliasing.cpp:230:6:230:17 | **global_s_ptr [m1] | provenance | | +| aliasing.cpp:234:5:234:35 | ... = ... | aliasing.cpp:234:5:234:16 | *global_s_ptr [post update] [m1] | provenance | | +| aliasing.cpp:234:24:234:33 | call to user_input | aliasing.cpp:234:5:234:35 | ... = ... | provenance | | +| aliasing.cpp:238:10:238:21 | *global_s_ptr [m1] | aliasing.cpp:238:24:238:25 | m1 | provenance | | +| aliasing.cpp:242:5:242:17 | *global_s2_ptr [post update] [s, m1] | aliasing.cpp:231:7:231:19 | **global_s2_ptr [s, m1] | provenance | | +| aliasing.cpp:242:5:242:38 | ... = ... | aliasing.cpp:242:20:242:20 | *s [post update] [m1] | provenance | | +| aliasing.cpp:242:20:242:20 | *s [post update] [m1] | aliasing.cpp:242:5:242:17 | *global_s2_ptr [post update] [s, m1] | provenance | | +| aliasing.cpp:242:27:242:36 | call to user_input | aliasing.cpp:242:5:242:38 | ... = ... 
| provenance | | +| aliasing.cpp:246:10:246:22 | *global_s2_ptr [s, m1] | aliasing.cpp:246:25:246:25 | *s [m1] | provenance | | +| aliasing.cpp:246:25:246:25 | *s [m1] | aliasing.cpp:246:27:246:28 | m1 | provenance | | +| aliasing.cpp:249:18:249:38 | *global_s_with_pointer [*data] | aliasing.cpp:249:18:249:38 | *global_s_with_pointer [*data] | provenance | | +| aliasing.cpp:249:18:249:38 | *global_s_with_pointer [*data] | aliasing.cpp:256:11:256:31 | *global_s_with_pointer [*data] | provenance | | +| aliasing.cpp:252:5:252:46 | ... = ... | aliasing.cpp:252:6:252:26 | *global_s_with_pointer [post update] [*data] | provenance | | +| aliasing.cpp:252:6:252:26 | *global_s_with_pointer [post update] [*data] | aliasing.cpp:249:18:249:38 | *global_s_with_pointer [*data] | provenance | | +| aliasing.cpp:252:35:252:44 | call to user_input | aliasing.cpp:252:5:252:46 | ... = ... | provenance | | +| aliasing.cpp:256:11:256:31 | *global_s_with_pointer [*data] | aliasing.cpp:256:10:256:36 | * ... | provenance | | +| aliasing.cpp:259:16:259:34 | *global_s_with_array [data] | aliasing.cpp:259:16:259:34 | *global_s_with_array [data] | provenance | | +| aliasing.cpp:259:16:259:34 | *global_s_with_array [data] | aliasing.cpp:266:11:266:29 | *global_s_with_array [data] | provenance | | +| aliasing.cpp:262:5:262:44 | ... = ... | aliasing.cpp:262:6:262:24 | *global_s_with_array [post update] [data] | provenance | | +| aliasing.cpp:262:6:262:24 | *global_s_with_array [post update] [data] | aliasing.cpp:259:16:259:34 | *global_s_with_array [data] | provenance | | +| aliasing.cpp:262:33:262:42 | call to user_input | aliasing.cpp:262:5:262:44 | ... = ... | provenance | | +| aliasing.cpp:266:11:266:29 | *global_s_with_array [data] | aliasing.cpp:266:10:266:34 | * ... | provenance | | | arrays.cpp:6:3:6:23 | ... = ... | arrays.cpp:7:8:7:13 | access to array | provenance | | | arrays.cpp:6:3:6:23 | ... = ... | arrays.cpp:8:8:8:13 | access to array | provenance | | | arrays.cpp:6:3:6:23 | ... 
= ... | arrays.cpp:9:8:9:11 | * ... | provenance | | 
@@ -1244,6 +1284,46 @@ nodes | aliasing.cpp:201:8:201:10 | *ps2 [s, m1] | semmle.label | *ps2 [s, m1] | | aliasing.cpp:201:13:201:13 | *s [m1] | semmle.label | *s [m1] | | aliasing.cpp:201:15:201:16 | m1 | semmle.label | m1 | +| aliasing.cpp:211:5:211:12 | *global_s [m1] | semmle.label | *global_s [m1] | +| aliasing.cpp:212:6:212:14 | *global_s2 [s, m1] | semmle.label | *global_s2 [s, m1] | +| aliasing.cpp:215:5:215:12 | *global_s [post update] [m1] | semmle.label | *global_s [post update] [m1] | +| aliasing.cpp:215:5:215:30 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:215:19:215:28 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:219:10:219:17 | *global_s [m1] | semmle.label | *global_s [m1] | +| aliasing.cpp:219:19:219:20 | m1 | semmle.label | m1 | +| aliasing.cpp:223:5:223:13 | *global_s2 [post update] [s, m1] | semmle.label | *global_s2 [post update] [s, m1] | +| aliasing.cpp:223:5:223:33 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:223:15:223:15 | *s [post update] [m1] | semmle.label | *s [post update] [m1] | +| aliasing.cpp:223:22:223:31 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:227:10:227:18 | *global_s2 [s, m1] | semmle.label | *global_s2 [s, m1] | +| aliasing.cpp:227:20:227:20 | *s [m1] | semmle.label | *s [m1] | +| aliasing.cpp:227:22:227:23 | m1 | semmle.label | m1 | +| aliasing.cpp:230:6:230:17 | **global_s_ptr [m1] | semmle.label | **global_s_ptr [m1] | +| aliasing.cpp:231:7:231:19 | **global_s2_ptr [s, m1] | semmle.label | **global_s2_ptr [s, m1] | +| aliasing.cpp:234:5:234:16 | *global_s_ptr [post update] [m1] | semmle.label | *global_s_ptr [post update] [m1] | +| aliasing.cpp:234:5:234:35 | ... = ... | semmle.label | ... = ... 
| +| aliasing.cpp:234:24:234:33 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:238:10:238:21 | *global_s_ptr [m1] | semmle.label | *global_s_ptr [m1] | +| aliasing.cpp:238:24:238:25 | m1 | semmle.label | m1 | +| aliasing.cpp:242:5:242:17 | *global_s2_ptr [post update] [s, m1] | semmle.label | *global_s2_ptr [post update] [s, m1] | +| aliasing.cpp:242:5:242:38 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:242:20:242:20 | *s [post update] [m1] | semmle.label | *s [post update] [m1] | +| aliasing.cpp:242:27:242:36 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:246:10:246:22 | *global_s2_ptr [s, m1] | semmle.label | *global_s2_ptr [s, m1] | +| aliasing.cpp:246:25:246:25 | *s [m1] | semmle.label | *s [m1] | +| aliasing.cpp:246:27:246:28 | m1 | semmle.label | m1 | +| aliasing.cpp:249:18:249:38 | *global_s_with_pointer [*data] | semmle.label | *global_s_with_pointer [*data] | +| aliasing.cpp:252:5:252:46 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:252:6:252:26 | *global_s_with_pointer [post update] [*data] | semmle.label | *global_s_with_pointer [post update] [*data] | +| aliasing.cpp:252:35:252:44 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:256:10:256:36 | * ... | semmle.label | * ... | +| aliasing.cpp:256:11:256:31 | *global_s_with_pointer [*data] | semmle.label | *global_s_with_pointer [*data] | +| aliasing.cpp:259:16:259:34 | *global_s_with_array [data] | semmle.label | *global_s_with_array [data] | +| aliasing.cpp:262:5:262:44 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:262:6:262:24 | *global_s_with_array [post update] [data] | semmle.label | *global_s_with_array [post update] [data] | +| aliasing.cpp:262:33:262:42 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:266:10:266:34 | * ... | semmle.label | * ... 
| +| aliasing.cpp:266:11:266:29 | *global_s_with_array [data] | semmle.label | *global_s_with_array [data] | | arrays.cpp:6:3:6:23 | ... = ... | semmle.label | ... = ... | | arrays.cpp:6:12:6:21 | call to user_input | semmle.label | call to user_input | | arrays.cpp:7:8:7:13 | access to array | semmle.label | access to array | 
@@ -1902,6 +1982,12 @@ subpaths
 | aliasing.cpp:176:13:176:14 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:176:13:176:14 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | aliasing.cpp:189:15:189:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:189:15:189:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
 | aliasing.cpp:201:15:201:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:201:15:201:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input |
+| aliasing.cpp:219:19:219:20 | m1 | aliasing.cpp:215:19:215:28 | call to user_input | aliasing.cpp:219:19:219:20 | m1 | m1 flows from $@ | aliasing.cpp:215:19:215:28 | call to user_input | call to user_input |
+| aliasing.cpp:227:22:227:23 | m1 | aliasing.cpp:223:22:223:31 | call to user_input | aliasing.cpp:227:22:227:23 | m1 | m1 flows from $@ | aliasing.cpp:223:22:223:31 | call to user_input | call to user_input |
+| aliasing.cpp:238:24:238:25 | m1 | aliasing.cpp:234:24:234:33 | call to user_input | aliasing.cpp:238:24:238:25 | m1 | m1 flows from $@ | aliasing.cpp:234:24:234:33 | call to user_input | call to user_input |
+| aliasing.cpp:246:27:246:28 | m1 | aliasing.cpp:242:27:242:36 | call to user_input | aliasing.cpp:246:27:246:28 | m1 | m1 flows from $@ | aliasing.cpp:242:27:242:36 | call to user_input | call to user_input |
+| aliasing.cpp:256:10:256:36 | * ... | aliasing.cpp:252:35:252:44 | call to user_input | aliasing.cpp:256:10:256:36 | * ... | * ... flows from $@ | aliasing.cpp:252:35:252:44 | call to user_input | call to user_input |
+| aliasing.cpp:266:10:266:34 | * ... | aliasing.cpp:262:33:262:42 | call to user_input | aliasing.cpp:266:10:266:34 | * ... | * ... flows from $@ | aliasing.cpp:262:33:262:42 | call to user_input | call to user_input |
 | arrays.cpp:7:8:7:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:8:8:8:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:8:8:8:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
 | arrays.cpp:9:8:9:11 | * ... | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... | * ... flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
index 40ffd8d4bdde..7408d8360ef5 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected
@@ -1,14 +1,17 @@
 edges
+| globalVars.c:8:7:8:10 | **copy | globalVars.c:8:7:8:10 | **copy | provenance | |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance | |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance | |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | provenance | |
 | globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy | provenance | |
+| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:9:7:9:11 | **copy2 | provenance | |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 | provenance | |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance | |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | provenance | |
 | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 | provenance | |
 | globalVars.c:11:22:11:25 | **argv | globalVars.c:12:2:12:15 | *... = ... | provenance | |
 | globalVars.c:12:2:12:15 | *... = ... | globalVars.c:8:7:8:10 | **copy | provenance | |
+| globalVars.c:15:21:15:23 | *val | globalVars.c:15:21:15:23 | *val | provenance | |
 | globalVars.c:15:21:15:23 | *val | globalVars.c:16:2:16:12 | *... = ... | provenance | |
 | globalVars.c:16:2:16:12 | *... = ... | globalVars.c:9:7:9:11 | **copy2 | provenance | |
 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | provenance | |
@@ -16,10 +19,14 @@ edges
 | globalVars.c:24:11:24:14 | **argv | globalVars.c:11:22:11:25 | **argv | provenance | |
 | globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | provenance | |
 | globalVars.c:30:15:30:18 | *copy | globalVars.c:30:15:30:18 | printWrapper output argument | provenance | |
+| globalVars.c:30:15:30:18 | printWrapper output argument | globalVars.c:8:7:8:10 | **copy | provenance | |
 | globalVars.c:30:15:30:18 | printWrapper output argument | globalVars.c:35:11:35:14 | *copy | provenance | |
 | globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | provenance | |
+| globalVars.c:35:11:35:14 | *copy | globalVars.c:35:11:35:14 | setCopy2 output argument | provenance | |
+| globalVars.c:35:11:35:14 | setCopy2 output argument | globalVars.c:8:7:8:10 | **copy | provenance | |
 | globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | provenance | |
 | globalVars.c:41:15:41:19 | *copy2 | globalVars.c:41:15:41:19 | printWrapper output argument | provenance | |
+| globalVars.c:41:15:41:19 | printWrapper output argument | globalVars.c:9:7:9:11 | **copy2 | provenance | |
 | globalVars.c:41:15:41:19 | printWrapper output argument | globalVars.c:50:9:50:13 | *copy2 | provenance | |
 nodes
 | globalVars.c:8:7:8:10 | **copy | semmle.label | **copy |
@@ -27,6 +34,7 @@ nodes
 | globalVars.c:11:22:11:25 | **argv | semmle.label | **argv |
 | globalVars.c:12:2:12:15 | *... = ... | semmle.label | *... = ... |
 | globalVars.c:15:21:15:23 | *val | semmle.label | *val |
+| globalVars.c:15:21:15:23 | *val | semmle.label | *val |
 | globalVars.c:16:2:16:12 | *... = ... | semmle.label | *... = ... |
 | globalVars.c:19:25:19:27 | *str | semmle.label | *str |
 | globalVars.c:19:25:19:27 | *str | semmle.label | *str |
@@ -37,6 +45,7 @@ nodes
 | globalVars.c:30:15:30:18 | *copy | semmle.label | *copy |
 | globalVars.c:30:15:30:18 | printWrapper output argument | semmle.label | printWrapper output argument |
 | globalVars.c:35:11:35:14 | *copy | semmle.label | *copy |
+| globalVars.c:35:11:35:14 | setCopy2 output argument | semmle.label | setCopy2 output argument |
 | globalVars.c:38:9:38:13 | *copy2 | semmle.label | *copy2 |
 | globalVars.c:41:15:41:19 | *copy2 | semmle.label | *copy2 |
 | globalVars.c:41:15:41:19 | *copy2 | semmle.label | *copy2 |
@@ -44,6 +53,7 @@ nodes
 | globalVars.c:50:9:50:13 | *copy2 | semmle.label | *copy2 |
 subpaths
 | globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:30:15:30:18 | printWrapper output argument |
+| globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | globalVars.c:15:21:15:23 | *val | globalVars.c:35:11:35:14 | setCopy2 output argument |
 | globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:41:15:41:19 | printWrapper output argument |
 #select
 | globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
index 53be20ab7ac8..9756dde70dd3 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
@@ -1,4 +1,5 @@
 edges
+| tests.cpp:62:7:62:18 | **global_token | tests.cpp:62:7:62:18 | **global_token | provenance | |
 | tests.cpp:62:7:62:18 | **global_token | tests.cpp:69:2:69:43 | *... = ... | provenance | |
 | tests.cpp:62:7:62:18 | **global_token | tests.cpp:71:27:71:38 | *global_token | provenance | |
 | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:62:7:62:18 | **global_token | provenance | |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
index 28f2b8335320..1376a03ce889 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
@@ -7,9 +7,11 @@ edges
 | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | provenance | |
 | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:23:21:23:53 | *call to createXMLReader | provenance | |
 | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | provenance | |
+| tests3.cpp:35:16:35:20 | **p_3_3 | tests3.cpp:35:16:35:20 | **p_3_3 | provenance | |
 | tests3.cpp:35:16:35:20 | **p_3_3 | tests3.cpp:38:2:38:6 | *p_3_3 | provenance | |
 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:35:16:35:20 | **p_3_3 | provenance | |
 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:35:24:35:56 | *call to createXMLReader | provenance | |
+| tests3.cpp:48:16:48:20 | **p_3_5 | tests3.cpp:48:16:48:20 | **p_3_5 | provenance | |
 | tests3.cpp:48:16:48:20 | **p_3_5 | tests3.cpp:56:2:56:6 | *p_3_5 | provenance | |
 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:48:16:48:20 | **p_3_5 | provenance | |
 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:48:24:48:56 | *call to createXMLReader | provenance | |
@@ -26,6 +28,7 @@ edges
 | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:55:25:55:38 | *call to createLSParser | provenance | |
 | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | provenance | |
 | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | provenance | Config |
+| tests5.cpp:63:21:63:24 | **g_p2 | tests5.cpp:63:21:63:24 | **g_p2 | provenance | |
 | tests5.cpp:63:21:63:24 | **g_p2 | tests5.cpp:77:2:77:5 | *g_p2 | provenance | |
 | tests5.cpp:70:2:70:32 | *... = ... | tests5.cpp:63:21:63:24 | **g_p2 | provenance | |
 | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:70:2:70:32 | *... = ... | provenance | |