Merge pull request github#7782 from geoffw0/clrtxt7

MathiasVP · web-flow · commit 0f239e315c03 · 2022-01-28T17:24:05.000Z
C++: Fix FPs for cpp/cleartext-storage-file
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -65,6 +65,7 @@ where
   midNode.getNode().asExpr() = mid and
   mid = w.getASource() and
   dest = w.getDest() and
+  not dest.(VariableAccess).getTarget().getName() = ["stdin", "stdout", "stderr"] and // exclude calls with standard streams
   not isFileName(globalValueNumber(source)) and // file names are not passwords
   not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
 select w, sourceNode, midNode,
diff --git a/cpp/ql/src/change-notes/2022-01-28-cleartext-storage-file.md b/cpp/ql/src/change-notes/2022-01-28-cleartext-storage-file.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/cleartext-storage-file` query has been improved, removing false positives where data is written to a standard output stream.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The `cpp/cleartext-storage-file` query has been improved, removing false positives where data is written to a standard output stream.