C++: Fix some easy FPs.

geoffw0 · geoffw0 · commit 7500d75b5b64 · 2021-07-13T17:36:41.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll b/cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll
@@ -19,9 +19,10 @@ private predicate suspicious(string s) {
     s.matches("%trusted%")
   ) and
   not (
-    s.matches("%hashed%") or
-    s.matches("%encrypted%") or
-    s.matches("%crypt%")
+    s.matches("%hash%") or
+    s.matches("%crypt%") or
+    s.matches("%file%") or
+    s.matches("%conf%")
   )
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,9 +1,6 @@
 | test2.cpp:28:2:28:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:28:36:28:43 | password | this source. |
 | test2.cpp:29:2:29:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:29:37:29:45 | thepasswd | this source. |
 | test2.cpp:30:2:30:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:30:38:30:47 | accountkey | this source. |
-| test2.cpp:31:2:31:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:31:41:31:53 | password_hash | this source. |
-| test2.cpp:33:2:33:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:33:41:33:53 | password_file | this source. |
-| test2.cpp:34:2:34:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:34:41:34:53 | passwd_config | this source. |
 | test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp
@@ -37,18 +37,17 @@ void tests(FILE *log, myStruct &s)
 		char *cpy1 = s.password;
 		char *cpy2 = crypt(s.password);
 
-		fprintf(log, "cpy1 = %s\n", cpy1); // BAD
+		fprintf(log, "cpy1 = %s\n", cpy1); // BAD [NOT DETECTED]
 		fprintf(log, "cpy2 = %s\n", cpy2); // GOOD
 	}
 
 	{
 		char buf[1024];
 
 		strcpy(buf, s.password);
-		fprintf(log, "buf = %s\n", buf); // BAD
+		fprintf(log, "buf = %s\n", buf); // BAD [NOT DETECTED]
 		
 		strcpy(buf, s.password_hash);
 		fprintf(log, "buf = %s\n", buf); // GOOD
 	}
 }
-

Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,10 @@ private predicate suspicious(string s) {`
`19`	`19`	`s.matches("%trusted%")`
`20`	`20`	`) and`
`21`	`21`	`not (`
`22`		`- s.matches("%hashed%") or`
`23`		`- s.matches("%encrypted%") or`
`24`		`- s.matches("%crypt%")`
	`22`	`+ s.matches("%hash%") or`
	`23`	`+ s.matches("%crypt%") or`
	`24`	`+ s.matches("%file%") or`
	`25`	`+ s.matches("%conf%")`
`25`	`26`	`)`
`26`	`27`	`}`
`27`	`28`
Original file line number	Diff line number	Diff line change
`@@ -37,18 +37,17 @@ void tests(FILE *log, myStruct &s)`
`37`	`37`	`char *cpy1 = s.password;`
`38`	`38`	`char *cpy2 = crypt(s.password);`
`39`	`39`
`40`		`- fprintf(log, "cpy1 = %s\n", cpy1); // BAD`
	`40`	`+ fprintf(log, "cpy1 = %s\n", cpy1); // BAD [NOT DETECTED]`
`41`	`41`	`fprintf(log, "cpy2 = %s\n", cpy2); // GOOD`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`{`
`45`	`45`	`char buf[1024];`
`46`	`46`
`47`	`47`	`strcpy(buf, s.password);`
`48`		`- fprintf(log, "buf = %s\n", buf); // BAD`
	`48`	`+ fprintf(log, "buf = %s\n", buf); // BAD [NOT DETECTED]`
`49`	`49`
`50`	`50`	`strcpy(buf, s.password_hash);`
`51`	`51`	`fprintf(log, "buf = %s\n", buf); // GOOD`
`52`	`52`	`}`
`53`	`53`	`}`
`54`		`-`