jorgectf
diff --git a/‎cpp/ql/src/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp
Lines changed: 0 additions & 22 deletions b/‎cpp/ql/src/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp
Lines changed: 0 additions & 22 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
Lines changed: 0 additions & 31 deletions b/‎cpp/ql/src/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
Lines changed: 0 additions & 31 deletions
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp
Lines changed: 16 additions & 0 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp
Lines changed: 16 additions & 0 deletions
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
Lines changed: 26 additions & 0 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
Lines changed: 26 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/MemoryUnsafeFunctionScan.cpp renamed to ‎cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp
Lines changed: 4 additions & 4 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/MemoryUnsafeFunctionScan.cpp renamed to ‎cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp
Lines changed: 4 additions & 4 deletions
diff --git a/‎cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.expected
Lines changed: 2 additions & 0 deletions b/‎cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.expected
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/MemoryUnsafeFunctionScan.expected
Lines changed: 0 additions & 11 deletions b/‎cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/MemoryUnsafeFunctionScan.expected
Lines changed: 0 additions & 11 deletions
diff --git a/‎cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/MemoryUnsafeFunctionScan.qlref
Lines changed: 0 additions & 1 deletion b/‎cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/MemoryUnsafeFunctionScan.qlref
Lines changed: 0 additions & 1 deletion
@@ -0,0 +1,16 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>It is bad practice to use any of the scanf functions without including a specified length within the format parameter, as it will be vulnerable to buffer overflows.</p>
+
+</overview>
+
+<references>
+<li>https://cwe.mitre.org/data/definitions/120</li>
+<!--  LocalWords:  CWE
+ -->
+</references>
+
+</qhelp>
@@ -0,0 +1,26 @@
+/**
+ * @name Scanf function without a specified length
+ * @description Use of one of the scanf functions without a specified length.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @id cpp/memory-unsafe-function-scan
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-120
+ */
+
+import cpp
+import semmle.code.cpp.commons.Scanf
+
+
+from FunctionCall call, ScanfFunction sff
+where
+  call.getTarget() = sff
+  and
+  (
+  call.getArgument(sff.getFormatParameterIndex()).toString().regexpMatch(".*%s.*")
+  or
+  call.getArgument(sff.getFormatParameterIndex()).toString() = (".*%ls.*")
+  )
+select call, "Dangerous use of one of the scanf functions"
@@ -8,15 +8,15 @@ int fscanf(const char* str, const char* format, ...);
 
 int main(int argc, char** argv) { 
 
-    // BAD, do not use scanf, use scanf_s instead
+    // BAD, do not use scanf without specifying a length first
     char buf1[10];
     scanf("%s", buf1);
 
-    // BAD, do not use sscanf, use sscanf_s instead
+    // GOOD, length is specified
     char buf2[10];
-    sscanf(buf2, "%s");
+    sscanf(buf2, "%9s");
 
-    // BAD, do not use fscanf, use fscanf_s instead
+    // BAD, do not use scanf without specifying a length first
     char file[10];
     fscanf(file, "%s", buf2);
 
 
@@ -0,0 +1,2 @@
+| MemoryUnsafeFunctionScan.cpp:13:5:13:9 | call to scanf | Dangerous use of one of the scanf functions |
+| MemoryUnsafeFunctionScan.cpp:21:5:21:10 | call to fscanf | Dangerous use of one of the scanf functions |
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| MemoryUnsafeFunctionScan.cpp:13:5:13:9 \| call to scanf \| Dangerous use of one of the scanf functions \|`
	`2`	`+\| MemoryUnsafeFunctionScan.cpp:21:5:21:10 \| call to fscanf \| Dangerous use of one of the scanf functions \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql`