You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Merged the two notes for `cpp/uncontrolled-allocation-size` into one.
- Added note about renaming of a query id.
- Moved the use of IR in queries from the library section to the queries
section, rephrasing the note in terms of query results/performance
rather than library implementation.
- Grouped, without text changes, the three notes about the `Allocation`
library
- Grouped all the notes about standard-library models, abbreviating them
to eliminate the common text.
- Removed the note about `strlen` (github#2647) since that should no longer
affect the results of queries or IR data flow after we started using
unsound IR for data flow.
Copy file name to clipboardExpand all lines: change-notes/1.24/analysis-cpp.md
+22-14Lines changed: 22 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,20 +24,32 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
24
24
| No space for zero terminator (`cpp/no-space-for-terminator`) | More correct results | String arguments to formatting functions are now (usually) expected to be null terminated strings. |
25
25
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) || This query is no longer run on LGTM. |
26
26
| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings. This approach produces fewer, more accurate results. |
27
-
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | Cases where the tainted allocation size is range checked are now more reliably excluded. |
28
-
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. |
27
+
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. Cases where the tainted allocation size is range checked are more reliably excluded. |
29
28
| Overloaded assignment does not return 'this' (`cpp/assignment-does-not-return-this`) | Fewer false positive results | This query no longer reports incorrect results in template classes. |
30
29
| Unsafe array for days of the year (`cpp/leap-year/unsafe-array-for-days-of-the-year`) || This query is no longer run on LGTM. |
30
+
| Boost\_asio TLS Settings Misconfiguration (`cpp/boost/tls-settings-misconfiguration`) | Query id change | Query id renamed from `cpp/boost/tls_settings_misconfiguration` (underscores to dashes) |
31
31
| Unsigned comparison to zero (`cpp/unsigned-comparison-zero`) | More correct results | This query now also looks for comparisons of the form `0 <= x`. |
32
+
| Signed overflow check (`cpp/signed-overflow-check`), Pointer overflow check (`cpp/pointer-overflow-check`), Possibly wrong buffer size in string copy (`cpp/bad-strncpy-size`) | More correct results | A new library is used for determining which expressions have identical value, giving more precise results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
33
+
| All CWE-specific queries using taint tracking (`cpp/path-injection`, `cpp/cgi-xss`, `cpp/sql-injection`, `cpp/uncontrolled-process-operation`, `cpp/unbounded-write`, `cpp/tainted-format-string`, `cpp/tainted-format-string-through-global`, `cpp/uncontrolled-arithmetic`, `cpp/uncontrolled-allocation-size`, `cpp/user-controlled-bypass`, `cpp/cleartext-storage-buffer`, `cpp/tainted-permissions-check`) | More correct results | A new taint-tracking library is used, giving more precise results and offering _path explanations_ for results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
34
+
32
35
33
36
## Changes to libraries
34
37
35
38
* The data-flow library has been improved, which affects and improves some security queries. The improvements are:
36
39
- Track flow through functions that combine taint tracking with flow through fields.
37
40
- Track flow through clone-like functions, that is, functions that read contents of a field from a
38
41
parameter and stores the value in the field of a returned object.
39
-
* Created the `semmle.code.cpp.models.interfaces.Allocation` library to model allocation such as `new` expressions and calls to `malloc`. This in intended to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more consistent and useful interface.
40
-
* Created the `semmle.code.cpp.models.interfaces.Deallocation` library to model deallocation such as `delete` expressions and calls to `free`. This in intended to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more consistent and useful interface.
42
+
* Created the `semmle.code.cpp.models.interfaces.Allocation` library to model
43
+
allocation such as `new` expressions and calls to `malloc`. This in intended
44
+
to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more
45
+
consistent and useful interface.
46
+
* The predicate `freeCall` in `semmle.code.cpp.commons.Alloc` has been
47
+
deprecated. The`Allocation` and `Deallocation` models in
48
+
`semmle.code.cpp.models.interfaces` should be used instead.
49
+
* Created the `semmle.code.cpp.models.interfaces.Deallocation` library to
50
+
model deallocation such as `delete` expressions and calls to `free`. This
51
+
in intended to replace the functionality in `semmle.code.cpp.commons.Alloc`
52
+
with a more consistent and useful interface.
41
53
* The new class `StackVariable` should be used in place of `LocalScopeVariable`
42
54
in most cases. The difference is that `StackVariable` does not include
43
55
variables declared with `static` or `thread_local`.
@@ -46,13 +58,9 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
46
58
about the _name or scope_ of variables should remain unchanged.
47
59
* The `LocalScopeVariableReachability` library is deprecated in favor of
48
60
`StackVariableReachability`. The functionality is the same.
49
-
* The models library models `strlen` in more detail, and includes common variations such as `wcslen`.
50
-
* The models library models `gets` and similar functions.
51
-
* The models library now partially models `std::string`.
52
-
* The taint tracking library (`semmle.code.cpp.dataflow.TaintTracking`) has had
53
-
the following improvements:
54
-
* The library now models data flow through `strdup` and similar functions.
55
-
* The library now models data flow through formatting functions such as `sprintf`.
56
-
* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) uses a new intermediate representation. This provides a more precise analysis of pointers to stack variables and flow through parameters, improving the results of many security queries.
57
-
* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering`) uses a new intermediate representation to provide a more precise analysis of heap allocated memory and pointers to stack variables.
58
-
*`freeCall` in `semmle.code.cpp.commons.Alloc` has been deprecated. The`Allocation` and `Deallocation` models in `semmle.code.cpp.models.interfaces` should be used instead.
61
+
* Taint tracking and data flow now features better modeling of commonly-used
0 commit comments