C++: Fix false positive.

geoffw0 · geoffw0 · commit 89bea604d99a · 2020-06-25T11:32:25.000+01:00
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql b/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
@@ -15,6 +15,18 @@ import cpp
 import semmle.code.cpp.models.implementations.Strcpy
 import semmle.code.cpp.dataflow.DataFlow
 
+/**
+ * A string copy function that returns a string, rather than an error code (for
+ * example, `strcpy` returns a string, whereas `strcpy_s` returns an error
+ * code).
+ */
+class InterestingStrcpyFunction extends StrcpyFunction {
+  InterestingStrcpyFunction()
+  {
+    getType().getUnspecifiedType() instanceof PointerType
+  }
+}
+
 predicate isBoolean(Expr e1) {
   exists(Type t1 |
     t1 = e1.getType() and
@@ -25,12 +37,12 @@ predicate isBoolean(Expr e1) {
 predicate isStringCopyCastedAsBoolean(FunctionCall func, Expr expr1, string msg) {
   DataFlow::localExprFlow(func, expr1) and
   isBoolean(expr1.getConversion*()) and
-  func.getTarget() instanceof StrcpyFunction and
+  func.getTarget() instanceof InterestingStrcpyFunction and
   msg = "Return value of " + func.getTarget().getName() + " used as a Boolean."
 }
 
 predicate isStringCopyUsedInLogicalOperationOrCondition(FunctionCall func, Expr expr1, string msg) {
-  func.getTarget() instanceof StrcpyFunction and
+  func.getTarget() instanceof InterestingStrcpyFunction and
   (
     (
       // it is being used in an equality or logical operation
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected
@@ -29,4 +29,3 @@
 | test.cpp:135:14:135:40 | ... && ... | Return value of strcpy used in a logical operation. |
 | test.cpp:137:14:137:40 | ... == ... | Return value of strcpy used in a logical operation. |
 | test.cpp:139:14:139:40 | ... != ... | Return value of strcpy used in a logical operation. |
-| test.cpp:159:9:159:16 | call to strcpy_s | Return value of strcpy_s used directly in a conditional expression. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp
@@ -156,7 +156,7 @@ void NegativeCases()
     {
     }
 
-    if (strcpy_s(szbuf1, 100, "test")) // [FALSE POSITIVE]
+    if (strcpy_s(szbuf1, 100, "test"))
     {
     }
 

Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,7 @@ void NegativeCases()`
`156`	`156`	`{`
`157`	`157`	`}`
`158`	`158`
`159`		`- if (strcpy_s(szbuf1, 100, "test")) // [FALSE POSITIVE]`
	`159`	`+ if (strcpy_s(szbuf1, 100, "test"))`
`160`	`160`	`{`
`161`	`161`	`}`
`162`	`162`