C++: Add FP tests.

cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected

@@ -52,6 +52,9 @@ edges
 | test.cpp:541:39:541:40 | sscanf output argument | test.cpp:549:8:549:8 | e | provenance |  |
 | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | provenance |  |
 | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:550:8:550:8 | f | provenance |  |
+| test.cpp:559:30:559:31 | scanf output argument | test.cpp:561:9:561:9 | i | provenance |  |
+| test.cpp:567:35:567:36 | scanf output argument | test.cpp:569:9:569:9 | i | provenance |  |
+| test.cpp:575:30:575:31 | scanf output argument | test.cpp:577:9:577:9 | i | provenance |  |
 nodes
 | test.cpp:34:15:34:16 | scanf output argument | semmle.label | scanf output argument |
 | test.cpp:35:7:35:7 | i | semmle.label | i |
@@ -154,6 +157,12 @@ nodes
 | test.cpp:548:8:548:8 | d | semmle.label | d |
 | test.cpp:549:8:549:8 | e | semmle.label | e |
 | test.cpp:550:8:550:8 | f | semmle.label | f |
+| test.cpp:559:30:559:31 | scanf output argument | semmle.label | scanf output argument |
+| test.cpp:561:9:561:9 | i | semmle.label | i |
+| test.cpp:567:35:567:36 | scanf output argument | semmle.label | scanf output argument |
+| test.cpp:569:9:569:9 | i | semmle.label | i |
+| test.cpp:575:30:575:31 | scanf output argument | semmle.label | scanf output argument |
+| test.cpp:577:9:577:9 | i | semmle.label | i |
 subpaths
 #select
 | test.cpp:35:7:35:7 | i | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf |
@@ -177,3 +186,6 @@ subpaths
 | test.cpp:484:9:484:9 | i | test.cpp:480:25:480:26 | scanf output argument | test.cpp:484:9:484:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:480:13:480:17 | call to scanf | call to scanf |
 | test.cpp:495:8:495:8 | i | test.cpp:491:25:491:26 | scanf output argument | test.cpp:495:8:495:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:491:13:491:17 | call to scanf | call to scanf |
 | test.cpp:545:8:545:8 | f | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 3. | test.cpp:541:10:541:15 | call to sscanf | call to sscanf |
+| test.cpp:561:9:561:9 | i | test.cpp:559:30:559:31 | scanf output argument | test.cpp:561:9:561:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:559:18:559:22 | call to scanf | call to scanf |
+| test.cpp:569:9:569:9 | i | test.cpp:567:35:567:36 | scanf output argument | test.cpp:569:9:569:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:567:23:567:27 | call to scanf | call to scanf |
+| test.cpp:577:9:577:9 | i | test.cpp:575:30:575:31 | scanf output argument | test.cpp:577:9:577:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:575:18:575:22 | call to scanf | call to scanf |

cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp

@@ -553,3 +553,27 @@ void switch_cases(const char *data) {
 			break;
 	}
 }
+
+void test_scanf_compared_right_away() {
+  int i;
+  bool success = scanf("%d", &i) == 1;
+  if(success) {
+    use(i); // GOOD [FALSE POSITIVE]
+  }
+}
+
+void test_scanf_compared_in_conjunct_right(bool b) {
+  int i;
+  bool success = b && scanf("%d", &i) == 1;
+  if(success) {
+    use(i); // GOOD [FALSE POSITIVE]
+  }
+}
+
+void test_scanf_compared_in_conjunct_left(bool b) {
+  int i;
+  bool success = scanf("%d", &i) == 1 && b;
+  if(success) {
+    use(i); // GOOD [FALSE POSITIVE]
+  }
+}