False positive fix for cpp/uninitialized-local

bdrodes · bdrodes · commit 13cf555cee91 · 2024-01-29T13:21:05.000-05:00
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
@@ -86,5 +86,10 @@ from
 where
   conf.hasFlowPath(source, sink) and
   isSinkImpl(sink.getInstruction(), va) and
-  v = va.getTarget()
+  v = va.getTarget() and
+  (
+    exists(Call c | c.getQualifier() = va)
+    implies
+    exists(Call c | c.getQualifier() = va and not c.getTarget().isStatic())
+  )
 select va, "The variable $@ may not be initialized at this access.", v, v.getName()
diff --git a/cpp/ql/src/change-notes/2024-01-29-uninitialized-local-false-positive.md b/cpp/ql/src/change-notes/2024-01-29-uninitialized-local-false-positive.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Corrected a false positive with `cpp/uninitialized-local`: `a->func()` is a false positive if `func` is static regardless of if `a` is initializeed.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp
@@ -532,4 +532,16 @@ int non_exhaustive_switch_2(State s) {
 		return y; // GOOD (y is not initialized when s = StateC, but if s = StateC we won't reach this point)
 	}
 	return 0;
+}
+
+class StaticMethodClass{
+    public:
+    static int get(){
+        return 1;
+    }
+};
+
+int static_method_false_positive(){
+    StaticMethodClass *t;
+	int i = t->get(); // GOOD: the `get` method is static and this is equivalent to StaticMethodClass::get()
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Corrected a false positive with `cpp/uninitialized-local`: `a->func()` is a false positive if `func` is static regardless of if `a` is initializeed.