CPP: make more alert messages follow the style-guide
Родитель
342c8764ce
Коммит
a30c38f38c
|
@ -15,4 +15,4 @@ where
|
|||
c.fromSource() and
|
||||
c.isTopLevel() and
|
||||
c.getParentScope() instanceof GlobalNamespace
|
||||
select c, "This class is not declared in any namespace"
|
||||
select c, "This class is not declared in any namespace."
|
||||
|
|
|
@ -16,4 +16,4 @@ where
|
|||
t.fromSource() and
|
||||
n = t.getMetrics().getEfferentSourceCoupling() and
|
||||
n > 10
|
||||
select t as class_, "This class has too many dependencies (" + n.toString() + ")"
|
||||
select t as class_, "This class has too many dependencies (" + n.toString() + ")."
|
||||
|
|
|
@ -17,4 +17,4 @@ where
|
|||
n = f.getMetrics().getNumberOfCalls() and
|
||||
n > 99 and
|
||||
not f.isMultiplyDefined()
|
||||
select f as function, "This function makes too many calls (" + n.toString() + ")"
|
||||
select f as function, "This function makes too many calls (" + n.toString() + ")."
|
||||
|
|
|
@ -18,4 +18,4 @@ where
|
|||
f.getMetrics().getNumberOfParameters() > 15
|
||||
select f,
|
||||
"This function has too many parameters (" + f.getMetrics().getNumberOfParameters().toString() +
|
||||
")"
|
||||
")."
|
||||
|
|
|
@ -21,5 +21,5 @@ where
|
|||
rhsType.getAMember() = m and
|
||||
not m.(VirtualFunction).isPure()
|
||||
) // add additional checks for concrete members in in-between supertypes
|
||||
select e, "This assignment expression slices from type $@ to $@", rhsType, rhsType.getName(),
|
||||
select e, "This assignment expression slices from type $@ to $@.", rhsType, rhsType.getName(),
|
||||
lhsType, lhsType.getName()
|
||||
|
|
|
@ -18,4 +18,4 @@ where
|
|||
f.hasSpecifier("virtual") and
|
||||
f.getFile().fromSource() and
|
||||
not f instanceof Destructor
|
||||
select f, "Avoid having public virtual methods (NVI idiom)"
|
||||
select f, "Avoid having public virtual methods (NVI idiom)."
|
||||
|
|
|
@ -23,4 +23,4 @@ where
|
|||
fclass = f.getDeclaringType() and
|
||||
hubIndex = fclass.getMetrics().getAfferentCoupling() * fclass.getMetrics().getEfferentCoupling() and
|
||||
hubIndex > 100
|
||||
select f, "Avoid having public virtual methods (NVI idiom)"
|
||||
select f, "Avoid having public virtual methods (NVI idiom)."
|
||||
|
|
|
@ -38,5 +38,5 @@ where
|
|||
sc = switch.getASwitchCase() and
|
||||
tooLong(sc) and
|
||||
switchCaseLength(sc, lines)
|
||||
select switch, "Switch has at least one case that is too long: $@", sc,
|
||||
select switch, "Switch has at least one case that is too long: $@.", sc,
|
||||
sc.getExpr().toString() + " (" + lines.toString() + " lines)"
|
||||
|
|
|
@ -58,4 +58,4 @@ where
|
|||
not exists(AsmStmt s | f = s.getEnclosingFunction()) and
|
||||
not v.getAnAttribute().getName() = "unused" and
|
||||
not any(ErrorExpr e).getEnclosingFunction() = f // unextracted expr may use `v`
|
||||
select v, "Variable " + v.getName() + " is not used"
|
||||
select v, "Variable " + v.getName() + " is not used."
|
||||
|
|
|
@ -27,4 +27,4 @@ where
|
|||
not declarationHasSideEffects(v) and
|
||||
not v.getAnAttribute().hasName("used") and
|
||||
not v.getAnAttribute().hasName("unused")
|
||||
select v, "Static variable " + v.getName() + " is never read"
|
||||
select v, "Static variable " + v.getName() + " is never read."
|
||||
|
|
|
@ -64,5 +64,5 @@ where
|
|||
) and
|
||||
(if context = test then testresult = "succeed" else testresult = "fail")
|
||||
select cond,
|
||||
"Variable '" + v.getName() + "' is always " + context + " here, this check will always " +
|
||||
testresult + "."
|
||||
"Variable '" + v.getName() + "' is always " + context + ", this check will always " + testresult +
|
||||
"."
|
||||
|
|
|
@ -29,4 +29,4 @@ from Expr alloc
|
|||
where
|
||||
allocateDescriptorCall(alloc) and
|
||||
not exists(ClosedExpr closed | closed.pointsTo() = alloc)
|
||||
select alloc, "This file descriptor is never closed"
|
||||
select alloc, "This file descriptor is never closed."
|
||||
|
|
|
@ -164,4 +164,4 @@ where
|
|||
fopenVariableReaches(v, def, ret) and
|
||||
ret.getAChild*() = v.getAnAccess()
|
||||
)
|
||||
select def, "The file opened here may not be closed at $@.", ret, "this exit point"
|
||||
select def, "This file open may not be closed at $@.", ret, "this exit point"
|
||||
|
|
|
@ -14,4 +14,4 @@ import FileClosed
|
|||
|
||||
from Expr alloc
|
||||
where fopenCall(alloc) and not fopenCallMayBeClosed(alloc)
|
||||
select alloc, "The file is never closed"
|
||||
select alloc, "The file is never closed."
|
||||
|
|
|
@ -27,4 +27,4 @@ where
|
|||
definitionUsePair(v, other, unchecked)
|
||||
)
|
||||
select unchecked,
|
||||
"This dereference is not guarded by a non-null check, whereas other dereferences are guarded"
|
||||
"This dereference is not guarded by a non-null check, whereas other dereferences are guarded."
|
||||
|
|
|
@ -49,4 +49,4 @@ where
|
|||
select dangerous,
|
||||
"Variable '" + v.getName() +
|
||||
"' is used as an array-offset before it is tested for being negative (test on line " +
|
||||
check.getLocation().getStartLine().toString() + "). "
|
||||
check.getLocation().getStartLine().toString() + ")."
|
||||
|
|
|
@ -190,4 +190,4 @@ where
|
|||
allocatedVariableReaches(v, def, ret) and
|
||||
ret.getAChild*() = v.getAnAccess()
|
||||
)
|
||||
select def, "The memory allocated here may not be released at $@.", ret, "this exit point"
|
||||
select def, "This memory allocation may not be released at $@.", ret, "this exit point"
|
||||
|
|
|
@ -16,4 +16,4 @@ from AllocationExpr alloc
|
|||
where
|
||||
alloc.requiresDealloc() and
|
||||
not allocMayBeFreed(alloc)
|
||||
select alloc, "This memory is never freed"
|
||||
select alloc, "This memory is never freed."
|
||||
|
|
|
@ -117,6 +117,7 @@ where
|
|||
output.getCall() = call and
|
||||
output.hasGuardedAccess(access, false)
|
||||
select access,
|
||||
"$@ is read here, but may not have been written. " +
|
||||
"$@, but may not have been written. " +
|
||||
"It should be guarded by a check that the $@ returns at least " +
|
||||
output.getMinimumGuardConstant() + ".", access, access.toString(), call, call.toString()
|
||||
output.getMinimumGuardConstant() + ".", access,
|
||||
"The variable " + access.toString() + " is read", call, call.toString()
|
||||
|
|
|
@ -14,4 +14,4 @@ from Expr alloc, Expr free, Expr freed
|
|||
where
|
||||
allocReaches(freed, alloc, "new[]") and
|
||||
freeExprOrIndirect(free, freed, "delete")
|
||||
select free, "This memory may have been allocated with '$@', not 'new'.", alloc, "new[]"
|
||||
select free, "This memory may have been allocated with $@, not 'new'.", alloc, "new[]"
|
||||
|
|
|
@ -14,4 +14,4 @@ from Expr alloc, Expr free, Expr freed
|
|||
where
|
||||
allocReaches(freed, alloc, "new") and
|
||||
freeExprOrIndirect(free, freed, "delete[]")
|
||||
select free, "This memory may have been allocated with '$@', not 'new[]'.", alloc, "new"
|
||||
select free, "This memory may have been allocated with $@, not 'new[]'.", alloc, "new"
|
||||
|
|
|
@ -30,4 +30,4 @@ where
|
|||
not v.getType().getUnderlyingType() instanceof ReferenceType and
|
||||
not exists(ScopeUtilityClass util | def = util.getAUse()) and
|
||||
not def.isInMacroExpansion()
|
||||
select def, "Variable '" + v.getName() + "' is assigned a value that is never used"
|
||||
select def, "Variable '" + v.getName() + "' is assigned a value that is never used."
|
||||
|
|
|
@ -62,5 +62,5 @@ class UseAfterFreeReachability extends StackVariableReachability {
|
|||
|
||||
from UseAfterFreeReachability r, StackVariable v, Expr free, Expr e
|
||||
where r.reaches(free, v, e)
|
||||
select e, "Memory pointed to by '" + v.getName().toString() + "' may have been previously freed $@",
|
||||
free, "here"
|
||||
select e, "Memory pointed to by '" + v.getName().toString() + "' may have $@.", free,
|
||||
"been previously freed"
|
||||
|
|
|
@ -12,4 +12,4 @@ from File f
|
|||
where
|
||||
not exists(ExtractionProblem e | e.getFile() = f) and
|
||||
exists(f.getRelativePath())
|
||||
select f, "File successfully extracted"
|
||||
select f, "File successfully extracted."
|
||||
|
|
|
@ -22,4 +22,4 @@ where
|
|||
not overflowTest(cmp) and
|
||||
not cmp.isFromTemplateInstantiation(_) and
|
||||
not isFromMacroDefinition(cmp)
|
||||
select cmp, "Self comparison."
|
||||
select cmp, "This expression compares an $@ to itself.", cmp.getLeftOperand(), "expression"
|
||||
|
|
|
@ -56,4 +56,4 @@ where
|
|||
source.getNode().asExpr().getFullyConverted().getUnspecifiedType() =
|
||||
sink.getNode().asExpr().getFullyConverted().getUnspecifiedType()
|
||||
select sink, source, sink,
|
||||
"Pointer arithmetic here may be done with the wrong type because of the cast $@.", source, "here"
|
||||
"This pointer arithmetic may be done with the wrong type because of $@.", source, "this cast"
|
||||
|
|
|
@ -24,4 +24,4 @@ where
|
|||
va.getExplicitlyConverted().getType().getSize() > fct.getSize() and
|
||||
va.getTarget() = fi and
|
||||
not fct.getUnspecifiedType() instanceof BoolType
|
||||
select va, "Implicit downcast of bitfield $@", fi, fi.toString()
|
||||
select va, "Implicit downcast of bitfield $@.", fi, fi.toString()
|
||||
|
|
|
@ -50,4 +50,4 @@ where
|
|||
not whiteListWrapped(c)
|
||||
select c,
|
||||
"Return value of type " + t1.toString() + " is implicitly converted to " + t2.toString() +
|
||||
" here."
|
||||
"."
|
||||
|
|
|
@ -173,4 +173,4 @@ where
|
|||
not actual.getUnspecifiedType() instanceof ErroneousType
|
||||
select arg,
|
||||
"This argument should be of type '" + expected.getName() + "' but is of type '" +
|
||||
actual.getUnspecifiedType().getName() + "'"
|
||||
actual.getUnspecifiedType().getName() + "'."
|
||||
|
|
|
@ -13,4 +13,4 @@ import NtohlArrayNoBound
|
|||
|
||||
from NetworkToBufferSizeConfiguration bufConfig, DataFlow::Node source, DataFlow::Node sink
|
||||
where bufConfig.hasFlow(source, sink)
|
||||
select sink, "Unchecked use of data from network function $@", source, source.toString()
|
||||
select sink, "Unchecked use of data from network function $@.", source, source.toString()
|
||||
|
|
|
@ -81,4 +81,4 @@ from UninitialisedLocalReachability r, LocalVariable v, VariableAccess va
|
|||
where
|
||||
r.reaches(_, v, va) and
|
||||
not va = commonException()
|
||||
select va, "The variable $@ may not be initialized here.", v, v.getName()
|
||||
select va, "The variable $@ may not be initialized at this access.", v, v.getName()
|
||||
|
|
|
@ -399,5 +399,5 @@ where
|
|||
) and
|
||||
source.asStore() = store and
|
||||
sink.asSink(_) = load
|
||||
select sink, source, sink, "Stack variable $@ escapes $@ and is used after it has expired.", var,
|
||||
var.toString(), store, "here"
|
||||
select sink, source, sink, "Stack variable $@ escapes at $@ and is used after it has expired.", var,
|
||||
var.toString(), store, "this store"
|
||||
|
|
|
@ -83,4 +83,4 @@ where
|
|||
c.getAMemberFunction().getAnOverriddenFunction() = call.getStaticCallTarget()
|
||||
)
|
||||
select call.getUnconvertedResultExpression(), source, sink,
|
||||
"Call to pure virtual function during " + msg
|
||||
"Call to pure virtual function during " + msg + "."
|
||||
|
|
|
@ -67,5 +67,5 @@ where
|
|||
// the pointer was null. To follow this idea to its full generality, we
|
||||
// should also give an alert when `check` post-dominates `deref`.
|
||||
deref.getBlock() = dominator
|
||||
select checked, "This null check is redundant because the value is $@ in any case", deref,
|
||||
"dereferenced here"
|
||||
select checked, "This null check is redundant because $@ in any case.", deref,
|
||||
"the value is dereferenced"
|
||||
|
|
|
@ -60,5 +60,5 @@ where
|
|||
taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
|
||||
isUserInput(taintSource, taintCause)
|
||||
select taintedArg, sourceNode, sinkNode,
|
||||
"This argument to a file access function is derived from $@ and then passed to " + callChain,
|
||||
"This argument to a file access function is derived from $@ and then passed to " + callChain + ".",
|
||||
taintSource, "user input (" + taintCause + ")"
|
||||
|
|
|
@ -158,5 +158,5 @@ where
|
|||
concatResult = sinkNode.getState().(ExecState).getSndNode()
|
||||
select sinkAsArgumentIndirection(sinkNode.getNode()), sourceNode, sinkNode,
|
||||
"This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to "
|
||||
+ callChain, sourceNode, "user input (" + taintCause + ")", concatResult,
|
||||
+ callChain + ".", sourceNode, "user input (" + taintCause + ")", concatResult,
|
||||
concatResult.toString()
|
||||
|
|
|
@ -50,5 +50,5 @@ where
|
|||
taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
|
||||
isUserInput(taintSource, taintCause)
|
||||
select taintedArg, sourceNode, sinkNode,
|
||||
"This argument to a SQL query function is derived from $@ and then passed to " + callChain,
|
||||
"This argument to a SQL query function is derived from $@ and then passed to " + callChain + ".",
|
||||
taintSource, "user input (" + taintCause + ")"
|
||||
|
|
|
@ -34,5 +34,5 @@ where
|
|||
isProcessOperationExplanation(arg, processOperation) and
|
||||
taintedWithPath(source, arg, sourceNode, sinkNode)
|
||||
select arg, sourceNode, sinkNode,
|
||||
"The value of this argument may come from $@ and is being passed to " + processOperation, source,
|
||||
source.toString()
|
||||
"The value of this argument may come from $@ and is being passed to " + processOperation + ".",
|
||||
source, source.toString()
|
||||
|
|
|
@ -123,5 +123,5 @@ where
|
|||
conf.hasFlowPath(source, sink) and
|
||||
isFlowSource(source.getNode(), sourceType)
|
||||
select sink.getNode(), source, sink,
|
||||
"$@ flows to here and is used in an array indexing expression, potentially causing an invalid access.",
|
||||
"An array indexing expression depends on $@, potentially causing an invalid access.",
|
||||
source.getNode(), sourceType
|
||||
|
|
|
@ -34,4 +34,4 @@ where
|
|||
isUserInput(userValue, cause)
|
||||
select arg, sourceNode, sinkNode,
|
||||
"The value of this argument may come from $@ and is being used as a formatting argument to " +
|
||||
printfFunction, userValue, cause
|
||||
printfFunction + ".", userValue, cause
|
||||
|
|
|
@ -37,4 +37,4 @@ where
|
|||
isUserInput(userValue, cause)
|
||||
select arg, sourceNode, sinkNode,
|
||||
"The value of this argument may come from $@ and is being used as a formatting argument to " +
|
||||
printfFunction, userValue, cause
|
||||
printfFunction + ".", userValue, cause
|
||||
|
|
|
@ -86,4 +86,5 @@ class TaintSource extends VariableAccess {
|
|||
|
||||
from TaintSource source, VariableAccess sink
|
||||
where source.reaches(sink)
|
||||
select sink, "$@ flows to here and may not be null terminated.", source, "User-provided value"
|
||||
select sink, "$@ that may not be null terminated flows to a string operation.", source,
|
||||
"User-provided value"
|
||||
|
|
|
@ -50,5 +50,5 @@ where
|
|||
op.getAnOperand() = e and
|
||||
missingGuard(op, e, effect)
|
||||
select e, sourceNode, sinkNode,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
|
||||
"User-provided value"
|
||||
"$@ flows to an operand of an arithmetic expression, potentially causing an " + effect + ".",
|
||||
origin, "User-provided value"
|
||||
|
|
|
@ -135,5 +135,5 @@ where
|
|||
sink.getNode().asExpr() = va and
|
||||
missingGuard(va, effect)
|
||||
select sink.getNode(), source, sink,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
getExpr(source.getNode()), "Uncontrolled value"
|
||||
"Arithmetic expression depends on an $@, potentially causing an " + effect + ".",
|
||||
getExpr(source.getNode()), "uncontrolled value"
|
||||
|
|
|
@ -75,5 +75,6 @@ where
|
|||
missingGuardAgainstOverflow(op, va) and effect = "overflow"
|
||||
) and
|
||||
causeEffectCorrespond(cause, effect)
|
||||
select va, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
select va,
|
||||
"$@ flows to an operand of an arithmetic expression, potentially causing an " + effect + ".",
|
||||
origin, "Extreme value"
|
||||
|
|
|
@ -36,5 +36,4 @@ where
|
|||
not inSystemMacroExpansion(use) and
|
||||
// Avoid double-counting: don't include all the conversions of `use`.
|
||||
not use instanceof Conversion
|
||||
select use, "$@ flows to here and is used in an expression which might " + kind + ".", origin,
|
||||
"User-provided value"
|
||||
select use, "$@ flows an expression which might " + kind + ".", origin, "User-provided value"
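Review bot: The rewritten message `"$@ flows an expression which might " + kind + "."` has lost its preposition and renders as "User-provided value flows an expression which might ...". Judging by the hunk counts (five old lines, four new), this single-line select is the new side. It should read `select use, "$@ flows to an expression which might " + kind + ".", origin, "User-provided value"`. The `where` clause starts above the hunk, so `kind` and `origin` are taken as given.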
|
||||
|
|
|
@ -99,5 +99,5 @@ where
|
|||
isFlowSource(source.getNode(), taintCause) and
|
||||
conf.hasFlowPath(source, sink) and
|
||||
allocSink(alloc, sink.getNode())
|
||||
select alloc, source, sink, "This allocation size is derived from $@ and might overflow",
|
||||
select alloc, source, sink, "This allocation size is derived from $@ and might overflow.",
|
||||
source.getNode(), "user input (" + taintCause + ")"
|
||||
|
|
|
@ -39,9 +39,13 @@ where
|
|||
isHresultBooleanConverted(e1, e2) and
|
||||
if e2.isImplicit()
|
||||
then
|
||||
msg = "Implicit conversion from " + e1.getType().toString() + " to " + e2.getType().toString()
|
||||
msg =
|
||||
"Implicit conversion from " + e1.getType().toString() + " to " + e2.getType().toString() +
|
||||
"."
|
||||
else
|
||||
msg = "Explicit conversion from " + e1.getType().toString() + " to " + e2.getType().toString()
|
||||
msg =
|
||||
"Explicit conversion from " + e1.getType().toString() + " to " + e2.getType().toString() +
|
||||
"."
|
||||
)
|
||||
or
|
||||
exists(ControlStructure ctls |
|
||||
|
@ -49,7 +53,7 @@ where
|
|||
e1.getType().(TypedefType).hasName("HRESULT") and
|
||||
not isHresultBooleanConverted(e1) and
|
||||
not ctls instanceof SwitchStmt and // not controlled by a boolean condition
|
||||
msg = "Direct usage of a type " + e1.getType().toString() + " as a conditional expression"
|
||||
msg = "Direct usage of a type " + e1.getType().toString() + " as a conditional expression."
|
||||
)
|
||||
or
|
||||
(
|
||||
|
@ -57,14 +61,14 @@ where
|
|||
e1.getType().(TypedefType).hasName("HRESULT") and
|
||||
msg =
|
||||
"Usage of a type " + e1.getType().toString() +
|
||||
" as an argument of a binary logical operation"
|
||||
" as an argument of a binary logical operation."
|
||||
)
|
||||
or
|
||||
exists(UnaryLogicalOperation ulop | ulop.getAnOperand() = e1 |
|
||||
e1.getType().(TypedefType).hasName("HRESULT") and
|
||||
msg =
|
||||
"Usage of a type " + e1.getType().toString() +
|
||||
" as an argument of a unary logical operation"
|
||||
" as an argument of a unary logical operation."
|
||||
) and
|
||||
not isHresultBooleanConverted(e1)
|
||||
)
|
||||
|
|
|
@ -44,5 +44,5 @@ where
|
|||
w.getASource() = sinkNode.getNode().asExpr() and
|
||||
dest = w.getDest()
|
||||
select w, sourceNode, sinkNode,
|
||||
"This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@", source,
|
||||
"This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@.", source,
|
||||
"user input (" + source.getSourceType() + ")"
|
||||
|
|
|
@ -73,5 +73,5 @@ where
|
|||
not isFileName(globalValueNumber(source)) and // file names are not passwords
|
||||
not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
|
||||
select w, sourceNode, midNode,
|
||||
"This write into file '" + dest.toString() + "' may contain unencrypted data from $@", source,
|
||||
"This write into file '" + dest.toString() + "' may contain unencrypted data from $@.", source,
|
||||
"this source."
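Review bot: The link text `"this source."` still carries its own period, so with `$@.` now in the message the rendered alert ends in `this source..`. Drop the period from the placeholder text, `"this source"`, and keep the one after `$@`. The external-location write query later in this commit has the same pattern: its new link text `"this source of private data."` follows `"' may contain unencrypted data from $@."`. Both selects sit under a `where` clause that begins outside their hunks.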
|
||||
|
|
|
@ -258,9 +258,9 @@ where
|
|||
then
|
||||
msg =
|
||||
"This operation transmits '" + sink.toString() +
|
||||
"', which may contain unencrypted sensitive data from $@"
|
||||
"', which may contain unencrypted sensitive data from $@."
|
||||
else
|
||||
msg =
|
||||
"This operation receives into '" + sink.toString() +
|
||||
"', which may put unencrypted sensitive data into $@"
|
||||
"', which may put unencrypted sensitive data into $@."
|
||||
select networkSendRecv, source, sink, msg, source, source.getNode().toString()
|
||||
|
|
|
@ -74,5 +74,5 @@ where
|
|||
config.hasFlowPath(source, sink) and
|
||||
source.getNode().asExpr() = sensitive and
|
||||
sqliteCall.getASource() = sink.getNode().asExpr()
|
||||
select sqliteCall, source, sink, "This SQLite call may store $@ in a non-encrypted SQLite database",
|
||||
select sqliteCall, source, sink, "This SQLite call may store $@ in a non-encrypted SQLite database.",
|
||||
sensitive, "sensitive information"
|
||||
|
|
|
@ -97,4 +97,4 @@ from
|
|||
where
|
||||
config.hasFlowPath(source, sink) and
|
||||
str = source.getNode().asExpr()
|
||||
select str, source, sink, "A URL may be constructed with the HTTP protocol."
|
||||
select str, source, sink, "This URL may be constructed with the HTTP protocol."
|
||||
|
|
|
@ -44,5 +44,5 @@ where
|
|||
)
|
||||
select dest,
|
||||
"This pointer might have type $@ (size " + sourceBase.getSize() +
|
||||
"), but the pointer arithmetic here is done with type " + destType + " (size " +
|
||||
destBase.getSize() + ").", sourceLoc, sourceBase.toString()
|
||||
"), but this pointer arithmetic is done with type " + destType + " (size " + destBase.getSize() +
|
||||
").", sourceLoc, sourceBase.toString()
|
||||
|
|
|
@ -51,5 +51,5 @@ where
|
|||
destBase instanceof CharType
|
||||
select dest,
|
||||
"This pointer might have type $@ (size " + sourceBase.getSize() +
|
||||
"), but the pointer arithmetic here is done with type " + destType + " (size " +
|
||||
destBase.getSize() + ").", sourceLoc, sourceBase.toString()
|
||||
"), but this pointer arithmetic is done with type " + destType + " (size " + destBase.getSize() +
|
||||
").", sourceLoc, sourceBase.toString()
|
||||
|
|
|
@ -26,4 +26,4 @@ where
|
|||
destBase instanceof VoidType
|
||||
select dest,
|
||||
"This pointer might have type $@ (size " + sourceBase.getSize() +
|
||||
"), but the pointer arithmetic here is done with type void", sourceLoc, sourceBase.toString()
|
||||
"), but this pointer arithmetic is done with type void.", sourceLoc, sourceBase.toString()
|
||||
|
|
|
@ -18,4 +18,4 @@ from FunctionCall call, Function target
|
|||
where
|
||||
call.getTarget() = target and
|
||||
target.hasGlobalOrStdName("gets")
|
||||
select call, "gets does not guard against buffer overflow"
|
||||
select call, "'gets' does not guard against buffer overflow."
|
||||
|
|
|
@ -16,7 +16,7 @@ import cpp
|
|||
predicate potentiallyDangerousFunction(Function f, string message) {
|
||||
exists(string name | f.hasGlobalName(name) |
|
||||
name = ["gmtime", "localtime", "ctime", "asctime"] and
|
||||
message = "Call to " + name + " is potentially dangerous"
|
||||
message = "Call to '" + name + "' is potentially dangerous."
|
||||
)
|
||||
}
|
||||
|
||||
|
|
|
@ -16,4 +16,4 @@ import FilePermissions
|
|||
from FileCreationWithOptionalModeExpr fc
|
||||
where not fc.hasModeArgument()
|
||||
select fc,
|
||||
"A file is created here without providing a mode argument, which may leak bits from the stack."
|
||||
"This creates a file without providing a mode argument, which may leak bits from the stack."
|
||||
|
|
|
@ -37,5 +37,5 @@ from Expr source, Expr condition, Expr raise, PathNode sourceNode, PathNode sink
|
|||
where
|
||||
taintedWithPath(source, condition, sourceNode, sinkNode) and
|
||||
sensitiveCondition(condition, raise)
|
||||
select condition, sourceNode, sinkNode, "Reliance on untrusted input $@ to raise privilege at $@",
|
||||
select condition, sourceNode, sinkNode, "Reliance on untrusted input $@ to raise privilege at $@.",
|
||||
source, source.toString(), raise, raise.toString()
|
||||
|
|
|
@ -42,4 +42,4 @@ where
|
|||
ne.getLeftOperand().getFullyConverted().getUnspecifiedType() and
|
||||
nearestParent(eq) = nearestParent(ne) and
|
||||
sameExpr(eq.getLeftOperand(), ne.getLeftOperand())
|
||||
select ne, "Useless Test"
|
||||
select ne, "This boolean condition is never evaluated and can be deleted."
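Review bot: The new text `"This boolean condition is never evaluated and can be deleted."` seems to claim more than the visible conditions establish. They tie `ne` to an `eq` with the same left operand under the same nearest parent, which reads like a redundant test rather than one that is never reached. If that reading is right, wording such as `"This condition is redundant and can be deleted."` avoids telling the reader the code is dead. The rest of the `where` clause is outside the hunk, so this should be checked against the full query.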
|
||||
|
|
|
@ -52,5 +52,5 @@ where
|
|||
candidateResultChecked(check, eqop) and
|
||||
// and which has not been checked before in this code path
|
||||
candidateResultUnchecked(unchecked)
|
||||
select check, "This null check is redundant or there is a missing null check before $@ ", unchecked,
|
||||
select check, "This null check is redundant or there is a missing null check before $@.", unchecked,
|
||||
"where dereferencing happens"
|
||||
|
|
|
@ -61,6 +61,5 @@ where
|
|||
dominates(ifc1, fc) and
|
||||
globalValueNumber(fc.getArgument(na)) = globalValueNumber(ifc1.getCondition().getAChild*())
|
||||
)
|
||||
select fc,
|
||||
"The value of argument '$@' appears to be checked after the call, rather than before it.",
|
||||
select fc, "The value of argument $@ appears to be checked after the call, rather than before it.",
|
||||
fc.getArgument(na), fc.getArgument(na).toString()
|
||||
|
|
|
@ -87,4 +87,4 @@ class ExploitableUserModePtrParam extends SystemCallSource {
|
|||
}
|
||||
|
||||
from ExploitableUserModePtrParam p
|
||||
select p, "unsafe_put_user write user-mode pointer $@ without check.", p, p.toString()
|
||||
select p, "'unsafe_put_user' write user-mode pointer $@ without check.", p, p.toString()
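Review bot: The message is still ungrammatical after the quoting change: `'unsafe_put_user' write user-mode pointer $@ without check.` leaves the reader to guess what the finding says about the pointer. Consider `"'unsafe_put_user' writes to user-mode pointer $@ without a check."`. The class `ExploitableUserModePtrParam` is defined above the hunk.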
|
||||
|
|
|
@ -138,4 +138,4 @@ where
|
|||
fc.getEnclosingFunction() != fn and
|
||||
fc.getEnclosingFunction().getMetrics().getNumberOfCalls() > fn.getMetrics().getNumberOfCalls()
|
||||
)
|
||||
select fc, "Consider changing the call to $@", fn, fn.getName()
|
||||
select fc, "Consider changing the call to $@.", fn, fn.getName()
|
||||
|
|
|
@ -16,4 +16,4 @@ from FunctionCall call, ScanfFunction sff
|
|||
where
|
||||
call.getTarget() = sff and
|
||||
call.getArgument(sff.getFormatParameterIndex()).getValue().regexpMatch(".*%l?s.*")
|
||||
select call, "Dangerous use of one of the scanf functions"
|
||||
select call, "Dangerous use of one of the scanf functions."
|
||||
|
|
|
@ -18,4 +18,4 @@ from WriteConfig b, DataFlow::PathNode source, DataFlow::PathNode sink
|
|||
where b.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This write into the external location '" + sink.getNode() +
|
||||
"' may contain unencrypted data from $@", source, "this source."
|
||||
"' may contain unencrypted data from $@.", source, "this source of private data."
|
||||
|
|
|
@ -58,4 +58,4 @@ class ReallocCallLeak extends FunctionCall {
|
|||
|
||||
from ReallocCallLeak rcl
|
||||
where not rcl.mayHandleByTermination()
|
||||
select rcl, "possible loss of original pointer on unsuccessful call realloc"
|
||||
select rcl, "Possible loss of original pointer on unsuccessful call realloc."
|
||||
|
|
|
@ -30,4 +30,4 @@ where
|
|||
fc.getASuccessor+() = fctmp and
|
||||
fctmp.getASuccessor+() = fc1
|
||||
)
|
||||
select fc, "You need to handle the return value SSL_shutdown"
|
||||
select fc, "You need to handle the return value 'SSL_shutdown'."
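Review bot: With the function name now quoted, the sentence says that `'SSL_shutdown'` is the return value, because the word `of` is missing. `select fc, "You need to handle the return value of 'SSL_shutdown'."` states what the finding is about. The `where` clause starts outside the hunk.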
|
||||
|
|
|
@ -116,4 +116,4 @@ where
|
|||
exp.(UsingArithmeticInComparison).compareWithOutZero()
|
||||
or
|
||||
exists(WhileStmt wst | wst instanceof UsingWhileAfterWhile and exp = wst.getCondition())
|
||||
select exp, "this expression needs your attention"
|
||||
select exp, "This expression needs your attention."
|
||||
|
|
|
@ -100,4 +100,4 @@ where
|
|||
fc.getArgument(i1).(AddressOfExpr).getOperand().(VariableAccess).getTarget()
|
||||
)
|
||||
)
|
||||
select fc, "Unchecked return value for call to '" + fc.getTarget().getName() + "'."
|
||||
select fc, "Unchecked return value for call to $@.", fc.getTarget() as target, target.getName()
|
||||
|
|
|
@ -190,5 +190,5 @@ where
|
|||
exp.(BinaryBitwiseOperation).getRightOperand().(BinaryBitwiseOperation).getLeftOperand(),
|
||||
exp.(BinaryBitwiseOperation).getRightOperand().(BinaryBitwiseOperation).getRightOperand(), exp,
|
||||
exp.(BinaryBitwiseOperation).getRightOperand()) and
|
||||
msg = "specify the priority with parentheses."
|
||||
msg = "Specify the priority with parentheses."
|
||||
select exp, msg
|
||||
|
|
|
@ -51,4 +51,4 @@ where
|
|||
incrementBoolType(exp) or
|
||||
revertSignBoolType(exp) or
|
||||
assignBoolType(exp)
|
||||
select exp, "this expression needs attention"
|
||||
select exp, "This expression needs attention."
|
||||
|
|
|
@ -26,5 +26,5 @@ where
|
|||
DataFlow::localFlow(DataFlow::parameterNode(p), sink) and
|
||||
p.getUnspecifiedType().getSize() < 8
|
||||
select call,
|
||||
"This call: $@ passes an unsigned int to a function that requires a signed int: $@. And then used in pointer arithmetic: $@",
|
||||
"This call: $@ passes an unsigned int to a function that requires a signed int: $@. And then used in pointer arithmetic: $@.",
|
||||
call, call.toString(), f, f.toString(), sink, sink.toString()
|
||||
|
|
|
@ -31,4 +31,4 @@ where
|
|||
not exptmp.getEnclosingStmt() = expr.getEnclosingStmt()
|
||||
) and
|
||||
globalValueNumber(fc.getArgument(0)) = globalValueNumber(exprarr.getArrayBase())
|
||||
select expr, "potential unsafe or redundant assignment."
|
||||
select expr, "Potential unsafe or redundant assignment."
|
||||
|
|
|
@ -12,4 +12,4 @@ import cpp
|
|||
|
||||
from Macro m
|
||||
where m.getHead().matches("%(%") // Macro functions are simply macros with brackets in the head
|
||||
select m, "The #define pre-processor directive shall not be used to create inline macros"
|
||||
select m, "The #define pre-processor directive shall not be used to create inline macros."
|
||||
|
|
|
@ -93,4 +93,4 @@ where
|
|||
// they are both variable names in close enough scopes for the confusion to matter
|
||||
d1 instanceof Variable and d2 instanceof Variable and compatibleScopes(d1, d2)
|
||||
)
|
||||
select d1, "AV Rule 48: this identifier is too close to another identifier (" + d2.getName() + ")"
|
||||
select d1, "AV Rule 48: this identifier is too close to another identifier (" + d2.getName() + ")."
|
||||
|
|
|
@ -24,5 +24,5 @@ where
|
|||
w.isDefiniteAcronym() and
|
||||
not w.isUppercase()
|
||||
select d,
|
||||
"AV Rule 49: acronyms in identifiers will be uppercase. Incorrect case for acronym " +
|
||||
"AV Rule 49: acronyms in identifiers will be uppercase. Incorrect case for acronym " +
|
||||
w.toString() + "."
|
||||
|
|
|
@ -15,4 +15,4 @@ from Include i, string name
|
|||
where
|
||||
name = i.getIncludeText() and
|
||||
name.matches(["%'%", "%\\\\%", "%/*%", "%//%", "%\"%\"%\"%", "%<%\"%>%"])
|
||||
select i, "AV Rule 53.1: Invalid character sequence in header file name '" + name + "'"
|
||||
select i, "AV Rule 53.1: Invalid character sequence in header file name '" + name + "'."
|
||||
|
|
|
@ -37,4 +37,4 @@ where
|
|||
f.hasDefinition() and
|
||||
not valid(f)
|
||||
select f,
|
||||
"AV Rule 58: functions with more than two parameters will conform to style rules for declaring parameters"
|
||||
"AV Rule 58: functions with more than two parameters will conform to style rules for declaring parameters."
|
||||
|
|
|
@ -32,4 +32,4 @@ where
|
|||
baseElement(e.getType(), cl) and // only interested in arrays with classes
|
||||
not compatible(f.getParameter(i).getUnspecifiedType(), e.getUnspecifiedType())
|
||||
)
|
||||
select e, "AV Rule 96: Arrays shall not be teated polymorphically"
|
||||
select e, "AV Rule 96: Arrays shall not be teated polymorphically."
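Review bot: The alert string keeps the typo `teated` while the commit only appends a period. Since the line is being edited for style anyway, it should read `"AV Rule 96: Arrays shall not be treated polymorphically."`. The recursion rule message a few files later has the same kind of leftover, `theselves` for `themselves`, in `"Functions shall not call theselves, either directly or indirectly."`.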
|
||||
|
|
|
@ -26,4 +26,4 @@ from Namespace ns, File rep
|
|||
where
|
||||
exists(ns.getParentNamespace().getParentNamespace().getParentNamespace()) and
|
||||
namespaceRepresentative(ns, rep)
|
||||
select rep, "AV Rule 99: namespace " + ns.toString() + " is nested more than two levels deep"
|
||||
select rep, "AV Rule 99: namespace " + ns.toString() + " is nested more than two levels deep."
|
||||
|
|
|
@ -14,4 +14,4 @@ from Function f
|
|||
where
|
||||
f.fromSource() and
|
||||
f.calls+(f)
|
||||
select f, "Functions shall not call theselves, either directly or indirectly"
|
||||
select f, "Functions shall not call theselves, either directly or indirectly."
|
||||
|
|
|
@ -35,4 +35,4 @@ where
|
|||
localShadowsParameter(v, shadowed) or
|
||||
shadowing(v, shadowed)
|
||||
)
|
||||
select v, "Identifiers in an inner scope should not hide identifiers in an outer scope"
|
||||
select v, "Identifiers in an inner scope should not hide identifiers in an outer scope."
|
||||
|
|
|
@ -31,4 +31,4 @@ where
|
|||
isSignedOperand(op.getAnOperand()) and
|
||||
isUnsignedOperand(op.getAnOperand())
|
||||
select op,
|
||||
"AV Rule 162: signed and unsigned values shall not be mixed in arithmetic or comparison operations"
|
||||
"AV Rule 162: signed and unsigned values shall not be mixed in arithmetic or comparison operations."
|
||||
|
|
|
@ -25,4 +25,4 @@ where
|
|||
op instanceof BinaryArithmeticOperation and
|
||||
isUnsignedOperand(op.getChild(0)) and
|
||||
isUnsignedOperand(op.getChild(1))
|
||||
select op, "AV Rule 163: unsigned arithmetic shall not be used"
|
||||
select op, "AV Rule 163: unsigned arithmetic shall not be used."
|
||||
|
|
|
@ -35,4 +35,4 @@ where
|
|||
global.hasSpecifier("static")
|
||||
)
|
||||
select a,
|
||||
"AV Rule 173: The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist"
|
||||
"AV Rule 173: The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist."
|
||||
|
|
|
@ -104,4 +104,4 @@ where
|
|||
not lic.getUnderlyingTargetType() instanceof BoolType
|
||||
select lic,
|
||||
"AV Rule 180: implicit conversion from " + lic.getUnderlyingSourceType().toString() + " to " +
|
||||
lic.getUnderlyingTargetType().toString() + " may lose information"
|
||||
lic.getUnderlyingTargetType().toString() + " may lose information."
|
||||
|
|
|
@ -34,4 +34,4 @@ where
|
|||
not t1.(ArrayType).getBaseType() = t2.(PointerType).getBaseType()
|
||||
select e,
|
||||
"AV Rule 182: illegal cast from type " + t1.toString() + " to type " + t2.toString() +
|
||||
". Casting to or from pointers shall not be used"
|
||||
". Casting to or from pointers shall not be used."
|
||||
|
|
|
@ -38,4 +38,4 @@ where
|
|||
va != e and
|
||||
not e.getParent().(AssignExpr).getLValue() = e
|
||||
select c,
|
||||
"AV Rule 204.1: The value of an expression shall be the same under any order of evaluation that the standard permits"
|
||||
"AV Rule 204.1: The value of an expression shall be the same under any order of evaluation that the standard permits."
|
||||
|
|