C++: Exclude array initializers.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

@@ -48,7 +48,9 @@ class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
     exists(this.getAGeneratedElement().(ControlFlowNode)) and
     // exclude expressions controlling ifs/switches (as they may not be used).
     not any(IfStmt c).getCondition().getAChild*() = this.getAGeneratedElement() and
-    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement()
+    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement() and
+    // exclude expressions in array initializers (as they may not be used).
+    not any(AggregateLiteral i).getAChild*() = this.getAGeneratedElement() 
   }
 
   override string description() { result = "macro invocation" }

cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected

@@ -1,4 +1,3 @@
-| test2.cpp:25:2:25:9 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |

cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp

@@ -22,7 +22,7 @@ typedef void (*implementation_fn_ptr)(char *data, size_t amount, keytype key);
 #define ALGO_AES (2)
 
 int all_algos[] = {
-	ALGO_DES, // [FALSE POSITIVE]
+	ALGO_DES,
 	ALGO_AES
 };