C++: We get many more real world results using taint tracking.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -13,7 +13,7 @@
 
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
-import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.TaintTracking
 import DataFlow::PathGraph
 
 /**
@@ -68,7 +68,7 @@ class NetworkRecv extends NetworkSendRecv {
  * Taint flow from a sensitive expression to a network operation with data
  * tainted by that expression.
  */
-class SensitiveSendRecvConfiguration extends DataFlow::Configuration {
+class SensitiveSendRecvConfiguration extends TaintTracking::Configuration {
   SensitiveSendRecvConfiguration() { this = "SensitiveSendRecvConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected

@@ -7,6 +7,7 @@ edges
 | test3.cpp:132:21:132:22 | call to id | test3.cpp:134:15:134:17 | ptr |
 | test3.cpp:132:24:132:32 | password1 | test3.cpp:132:21:132:22 | call to id |
 | test3.cpp:138:16:138:29 | call to get_global_str | test3.cpp:140:15:140:18 | data |
+| test3.cpp:151:19:151:26 | password | test3.cpp:153:15:153:20 | buffer |
 nodes
 | test3.cpp:20:15:20:23 | password1 | semmle.label | password1 |
 | test3.cpp:24:15:24:23 | password2 | semmle.label | password2 |
@@ -26,6 +27,8 @@ nodes
 | test3.cpp:134:15:134:17 | ptr | semmle.label | ptr |
 | test3.cpp:138:16:138:29 | call to get_global_str | semmle.label | call to get_global_str |
 | test3.cpp:140:15:140:18 | data | semmle.label | data |
+| test3.cpp:151:19:151:26 | password | semmle.label | password |
+| test3.cpp:153:15:153:20 | buffer | semmle.label | buffer |
 #select
 | test3.cpp:20:3:20:6 | call to send | test3.cpp:20:15:20:23 | password1 | test3.cpp:20:15:20:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@ | test3.cpp:20:15:20:23 | password1 | password1 |
 | test3.cpp:24:3:24:6 | call to send | test3.cpp:24:15:24:23 | password2 | test3.cpp:24:15:24:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@ | test3.cpp:24:15:24:23 | password2 | password2 |
@@ -37,3 +40,4 @@ nodes
 | test3.cpp:108:2:108:5 | call to recv | test3.cpp:128:11:128:18 | password | test3.cpp:108:14:108:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@ | test3.cpp:128:11:128:18 | password | password |
 | test3.cpp:134:3:134:6 | call to send | test3.cpp:132:24:132:32 | password1 | test3.cpp:134:15:134:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:132:24:132:32 | password1 | password1 |
 | test3.cpp:140:3:140:6 | call to send | test3.cpp:120:9:120:23 | global_password | test3.cpp:140:15:140:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:120:9:120:23 | global_password | global_password |
+| test3.cpp:153:3:153:6 | call to send | test3.cpp:151:19:151:26 | password | test3.cpp:153:15:153:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:151:19:151:26 | password | password |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp

@@ -150,6 +150,6 @@ void test_taint(const char *password)
 
 		strncpy(buffer, password, 16);
 		buffer[15] = 0;
-		send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext [NOT DETECTED]
+		send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext
 	}
 }