CPP: Fix sscanf false positives in older linux repos

alexet · alexet · commit 3e9aeac004eb · 2023-11-28T12:07:05.000Z
diff --git a/cpp/ql/src/Critical/IncorrectCheckScanf.ql b/cpp/ql/src/Critical/IncorrectCheckScanf.ql
@@ -19,4 +19,4 @@ import ScanfChecks
 
 from ScanfFunctionCall call
 where incorrectlyCheckedScanf(call)
-select call, "The result of scanf is onyl checkeck against 0, but it can also return EOF."
+select call, "The result of scanf is only checked against 0, but it can also return EOF."
diff --git a/cpp/ql/src/Critical/ScanfChecks.qll b/cpp/ql/src/Critical/ScanfChecks.qll
@@ -22,7 +22,8 @@ private predicate exprInBooleanContext(Expr e) {
 }
 
 private predicate isLinuxKernel() {
-  exists(Macro macro | macro.getName() = "_LINUX_KERNEL_SPRINTF_H_")
+  // For the purpose of sscanf, we check the header guards for the files that it is defined in (which have changed)
+  exists(Macro macro | macro.getName() in ["_LINUX_KERNEL_SPRINTF_H_", "_LINUX_KERNEL_H"])
 }
 
 /**
diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.expected b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.expected
@@ -1,5 +1,5 @@
-| test.cpp:162:7:162:11 | call to scanf | The result of scanf is onyl checkeck against 0, but it can also return EOF. |
-| test.cpp:171:7:171:11 | call to scanf | The result of scanf is onyl checkeck against 0, but it can also return EOF. |
-| test.cpp:204:7:204:11 | call to scanf | The result of scanf is onyl checkeck against 0, but it can also return EOF. |
-| test.cpp:436:7:436:11 | call to scanf | The result of scanf is onyl checkeck against 0, but it can also return EOF. |
-| test.cpp:443:11:443:15 | call to scanf | The result of scanf is onyl checkeck against 0, but it can also return EOF. |
+| test.cpp:162:7:162:11 | call to scanf | The result of scanf is only checked against 0, but it can also return EOF. |
+| test.cpp:171:7:171:11 | call to scanf | The result of scanf is only checked against 0, but it can also return EOF. |
+| test.cpp:204:7:204:11 | call to scanf | The result of scanf is only checked against 0, but it can also return EOF. |
+| test.cpp:436:7:436:11 | call to scanf | The result of scanf is only checked against 0, but it can also return EOF. |
+| test.cpp:443:11:443:15 | call to scanf | The result of scanf is only checked against 0, but it can also return EOF. |

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,8 @@ private predicate exprInBooleanContext(Expr e) {`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`private predicate isLinuxKernel() {`
`25`		`- exists(Macro macro \| macro.getName() = "_LINUX_KERNEL_SPRINTF_H_")`
	`25`	`+ // For the purpose of sscanf, we check the header guards for the files that it is defined in (which have changed)`
	`26`	`+ exists(Macro macro \| macro.getName() in ["_LINUX_KERNEL_SPRINTF_H_", "_LINUX_KERNEL_H"])`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`/**`