From 9f8c9615fc0389e1a145a2eedeb0986fd805625a Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 18 Apr 2024 12:33:20 +0100
Subject: [PATCH 1/2] C++: Use the unconverted expression available for a non-'ExprNode' when one exists.
---
 .../dataflow/internal/NormalNode0ToString.qll | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll
index ef2681104cb2..a7f11c805b90 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/NormalNode0ToString.qll
@@ -3,12 +3,26 @@
 * `toString` for `Instruction` and `Operand` dataflow nodes.
 */
+private import cpp
 private import semmle.code.cpp.ir.IR
 private import codeql.util.Unit
 private import Node0ToString
 private import DataFlowUtil
 private import DataFlowPrivate
+/**
+ * Gets the string representation of the unconverted expression `loc` if
+ * `loc` is an `Expression`.
+ *
+ * Otherwise, this gets the string representation of `loc`.
+ */
+private string unconvertedAstToString(Locatable loc) {
+ result = loc.(Expr).getUnconverted().toString()
+ or
+ not loc instanceof Expr and
+ result = loc.toString()
+}
+
 private class NormalNode0ToString extends Node0ToString {
 NormalNode0ToString() {
 // Silence warning about `this` not being bound.
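Review bot: The doc comment on `unconvertedAstToString` names a class `Expression`, while the predicate body tests `loc.(Expr)` and `loc instanceof Expr`; the comment should use the real class name, i.e. its second line should say that `loc` is an `Expr`. The opening phrase "the unconverted expression `loc`" also reads as if `loc` were already unconverted, so "the unconverted form of `loc`" would be clearer. Because the second disjunct excludes every `Expr`, an `Expr` gets a string only when `getUnconverted()` has a result; if that is not guaranteed for every expression (this hunk does not show it), the comment should say what happens then.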
@@ -18,14 +32,10 @@ private class NormalNode0ToString extends Node0ToString {
 override string instructionToString(Instruction i) {
 if i.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
 then result = "this"
- else result = i.getAst().toString()
+ else result = unconvertedAstToString(i.getAst())
 }
- override string operandToString(Operand op) {
- if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
- then result = "this"
- else result = op.getDef().getAst().toString()
- }
+ override string operandToString(Operand op) { result = this.instructionToString(op.getDef()) }
 override string toExprString(Node n) {
 result = n.asExpr(0).toString()
From 58832a546a97c4f9d260372c84c34c2415d899ca Mon Sep 17 00:00:00 2001
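Review bot: `instructionToString` now labels a conversion node with its operand's text, so two distinct nodes at one location share a label, and nothing in the code documents that this is intended. PATCH 2/2 shows the effect in the security query outputs: in AllocMultiplicationOverflow.expected the edge into `(size_t)...` becomes `... * ...` to `... * ...`, which reads like a self-edge and hides the widening step from whoever triages the path. A comment above the method would record the trade-off, for example `// Conversions are labelled by their unconverted expression, so a cast node and its operand share a label.` The unchanged `toExprString` below still calls `toString()` on `n.asExpr(0)` directly; whether it should follow the same convention cannot be judged here, since the class starts and ends outside the hunk.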
From: Mathias Vorreiter Pedersen
Date: Thu, 18 Apr 2024 12:33:27 +0100
Subject: [PATCH 2/2] C++: Accept test changes.
---
 .../AllocMultiplicationOverflow.expected | 6 +-
 .../ConstantSizeArrayOffByOne.expected | 24 +++----
 .../IteratorToExpiredContainer.expected | 12 ++--
 .../dataflow-tests/localFlow-ir.expected | 8 +--
 .../dataflow-tests/type-bugs.expected | 4 +-
 .../dataflow/fields/ir-path-flow.expected | 18 ++---
 .../NonConstantFormat.expected | 56 ++++++++--------
 .../UncontrolledProcessOperation.expected | 18 ++---
 .../SAMATE/OverrunWriteProductFlow.expected | 30 ++++-----
 .../CWE-134/semmle/argv/argvLocal.expected | 28 ++++----
 .../semmle/consts/NonConstantFormat.expected | 26 ++++----
 .../ArithmeticUncontrolled.expected | 28 ++++----
 .../TaintedAllocationSize.expected | 10 +--
 .../semmle/tainted/ArithmeticTainted.expected | 6 +-
 .../CWE/CWE-193/InvalidPointerDeref.expected | 54 +++++++--------
 .../AuthenticationBypass.expected | 28 ++++----
 .../tests/CleartextTransmission.expected | 6 +-
 .../CWE/CWE-319/UseOfHttp/UseOfHttp.expected | 26 ++++----
 .../Security/CWE/CWE-611/XXE.expected | 12 ++--
 .../TaintedCondition.expected | 6 +-
 .../CWE/CWE-843/TypeConfusion.expected | 66 +++++++++----------
 21 files changed, 236 insertions(+), 236 deletions(-)
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
index 9f378875e98a..c55008f6550c 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected
@@ -1,13 +1,13 @@ edges -| test.cpp:22:17:22:21 | (size_t)... | test.cpp:23:33:23:37 | size1 | provenance | | -| test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | (size_t)... | provenance | | +| test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | ... * ... | provenance | | +| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance | | | test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size | provenance | | | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size | provenance | | nodes | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... | | test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... | | test.cpp:19:34:19:38 | ... * ... | semmle.label | ... * ... | -| test.cpp:22:17:22:21 | (size_t)... | semmle.label | (size_t)... | +| test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... | | test.cpp:22:17:22:21 | ... * ... | semmle.label | ... * ... | | test.cpp:23:33:23:37 | size1 | semmle.label | size1 | | test.cpp:30:18:30:32 | ... * ... | semmle.label | ... * ... | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected index c3cde9f30330..805d87c96458 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected 
@@ -18,9 +18,9 @@ edges | test.cpp:77:32:77:34 | buf | test.cpp:77:26:77:44 | & ... | provenance | | | test.cpp:79:27:79:34 | buf | test.cpp:70:33:70:33 | p | provenance | | | test.cpp:79:32:79:34 | buf | test.cpp:79:27:79:34 | buf | provenance | | -| test.cpp:85:21:85:36 | (char *)... | test.cpp:87:5:87:31 | access to array | provenance | | -| test.cpp:85:21:85:36 | (char *)... | test.cpp:88:5:88:27 | access to array | provenance | | -| test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | (char *)... | provenance | | +| test.cpp:85:21:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance | | +| test.cpp:85:21:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance | | +| test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | buf | provenance | | | test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance | | | test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | | | test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | | 
@@ -42,12 +42,12 @@ edges | test.cpp:156:12:156:18 | ... + ... | test.cpp:156:12:156:18 | ... + ... | provenance | | | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance | | | test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p | provenance | | -| test.cpp:218:16:218:28 | (int *)... | test.cpp:220:5:220:11 | access to array | provenance | | -| test.cpp:218:16:218:28 | (int *)... | test.cpp:221:5:221:11 | access to array | provenance | | -| test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | (int *)... | provenance | | -| test.cpp:229:17:229:29 | (vec2 *)... | test.cpp:231:5:231:10 | access to array | provenance | | -| test.cpp:229:17:229:29 | (vec2 *)... | test.cpp:232:5:232:10 | access to array | provenance | | -| test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | (vec2 *)... | provenance | | +| test.cpp:218:16:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance | | +| test.cpp:218:16:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance | | +| test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | buffer | provenance | | +| test.cpp:229:17:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance | | +| test.cpp:229:17:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance | | +| test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | array | provenance | | | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | | | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | | | test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance | | 
@@ -111,7 +111,7 @@ nodes | test.cpp:77:32:77:34 | buf | semmle.label | buf | | test.cpp:79:27:79:34 | buf | semmle.label | buf | | test.cpp:79:32:79:34 | buf | semmle.label | buf | -| test.cpp:85:21:85:36 | (char *)... | semmle.label | (char *)... | +| test.cpp:85:21:85:36 | buf | semmle.label | buf | | test.cpp:85:34:85:36 | buf | semmle.label | buf | | test.cpp:87:5:87:31 | access to array | semmle.label | access to array | | test.cpp:88:5:88:27 | access to array | semmle.label | access to array | @@ -137,11 +137,11 @@ nodes | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... | | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... | | test.cpp:158:17:158:18 | *& ... | semmle.label | *& ... | -| test.cpp:218:16:218:28 | (int *)... | semmle.label | (int *)... | +| test.cpp:218:16:218:28 | buffer | semmle.label | buffer | | test.cpp:218:23:218:28 | buffer | semmle.label | buffer | | test.cpp:220:5:220:11 | access to array | semmle.label | access to array | | test.cpp:221:5:221:11 | access to array | semmle.label | access to array | -| test.cpp:229:17:229:29 | (vec2 *)... | semmle.label | (vec2 *)... | +| test.cpp:229:17:229:29 | array | semmle.label | array | | test.cpp:229:25:229:29 | array | semmle.label | array | | test.cpp:231:5:231:10 | access to array | semmle.label | access to array | | test.cpp:232:5:232:10 | access to array | semmle.label | access to array | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-416/IteratorToExpiredContainer.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-416/IteratorToExpiredContainer.expected index 2063838f1070..0c1ec8a10f5b 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-416/IteratorToExpiredContainer.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-416/IteratorToExpiredContainer.expected 
@@ -2,15 +2,15 @@ | test.cpp:680:30:680:30 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:680:17:680:17 | call to end | call to end | | test.cpp:683:31:683:32 | call to at | This object is destroyed before $@ is called. | test.cpp:683:17:683:17 | call to begin | call to begin | | test.cpp:683:31:683:32 | call to at | This object is destroyed before $@ is called. | test.cpp:683:17:683:17 | call to end | call to end | -| test.cpp:689:17:689:29 | temporary object | This object is destroyed before $@ is called. | test.cpp:689:31:689:35 | call to begin | call to begin | -| test.cpp:689:46:689:58 | temporary object | This object is destroyed before $@ is called. | test.cpp:689:60:689:62 | call to end | call to end | +| test.cpp:689:17:689:29 | call to returnValue | This object is destroyed before $@ is called. | test.cpp:689:31:689:35 | call to begin | call to begin | +| test.cpp:689:46:689:58 | call to returnValue | This object is destroyed before $@ is called. | test.cpp:689:60:689:62 | call to end | call to end | | test.cpp:702:27:702:27 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:703:19:703:23 | call to begin | call to begin | | test.cpp:702:27:702:27 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:703:36:703:38 | call to end | call to end | -| test.cpp:716:36:716:48 | temporary object | This object is destroyed before $@ is called. | test.cpp:716:17:716:17 | call to begin | call to begin | -| test.cpp:716:36:716:48 | temporary object | This object is destroyed before $@ is called. | test.cpp:716:17:716:17 | call to end | call to end | +| test.cpp:716:36:716:48 | call to returnValue | This object is destroyed before $@ is called. | test.cpp:716:17:716:17 | call to begin | call to begin | +| test.cpp:716:36:716:48 | call to returnValue | This object is destroyed before $@ is called. 
| test.cpp:716:17:716:17 | call to end | call to end | | test.cpp:727:23:727:23 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:750:17:750:17 | call to begin | call to begin | | test.cpp:727:23:727:23 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:750:17:750:17 | call to end | call to end | | test.cpp:735:23:735:23 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:759:17:759:17 | call to begin | call to begin | | test.cpp:735:23:735:23 | call to operator[] | This object is destroyed before $@ is called. | test.cpp:759:17:759:17 | call to end | call to end | -| test.cpp:771:44:771:56 | temporary object | This object is destroyed before $@ is called. | test.cpp:772:35:772:35 | call to begin | call to begin | -| test.cpp:771:44:771:56 | temporary object | This object is destroyed before $@ is called. | test.cpp:772:35:772:35 | call to end | call to end | +| test.cpp:771:44:771:56 | call to returnValue | This object is destroyed before $@ is called. | test.cpp:772:35:772:35 | call to begin | call to begin | +| test.cpp:771:44:771:56 | call to returnValue | This object is destroyed before $@ is called. | test.cpp:772:35:772:35 | call to end | call to end | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected index 0e33430cde79..00e6b03b9319 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected 
@@ -125,8 +125,8 @@ | test.cpp:384:16:384:23 | *& ... | test.cpp:384:3:384:8 | *call to memcpy | | test.cpp:384:16:384:23 | *& ... | test.cpp:384:10:384:13 | memcpy output argument | | test.cpp:384:16:384:23 | *& ... | test.cpp:384:16:384:23 | *& ... | -| test.cpp:384:16:384:23 | **(const void *)... | test.cpp:384:3:384:8 | **call to memcpy | -| test.cpp:384:16:384:23 | **(const void *)... | test.cpp:384:10:384:13 | memcpy output argument | +| test.cpp:384:16:384:23 | **& ... | test.cpp:384:3:384:8 | **call to memcpy | +| test.cpp:384:16:384:23 | **& ... | test.cpp:384:10:384:13 | memcpy output argument | | test.cpp:384:17:384:23 | *source1 | test.cpp:384:16:384:23 | *& ... | | test.cpp:384:17:384:23 | source1 | test.cpp:384:16:384:23 | & ... | | test.cpp:388:53:388:59 | source1 | test.cpp:391:16:391:23 | *& ... | @@ -152,8 +152,8 @@ | test.cpp:391:16:391:23 | *& ... | test.cpp:391:3:391:8 | *call to memcpy | | test.cpp:391:16:391:23 | *& ... | test.cpp:391:10:391:13 | memcpy output argument | | test.cpp:391:16:391:23 | *& ... | test.cpp:391:16:391:23 | *& ... | -| test.cpp:391:16:391:23 | **(const void *)... | test.cpp:391:3:391:8 | **call to memcpy | -| test.cpp:391:16:391:23 | **(const void *)... | test.cpp:391:10:391:13 | memcpy output argument | +| test.cpp:391:16:391:23 | **& ... | test.cpp:391:3:391:8 | **call to memcpy | +| test.cpp:391:16:391:23 | **& ... | test.cpp:391:10:391:13 | memcpy output argument | | test.cpp:391:17:391:23 | *source1 | test.cpp:391:16:391:23 | *& ... | | test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... | | test.cpp:392:8:392:10 | tmp | test.cpp:394:10:394:12 | tmp | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected index 4d87c2da534a..05488e91ea41 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/type-bugs.expected 
@@ -7,12 +7,12 @@ incorrectBaseType | flowOut.cpp:84:9:84:10 | *& ... | Expected 'Node.getType()' to be int, but it was int * | | flowOut.cpp:101:13:101:14 | *& ... | Expected 'Node.getType()' to be int, but it was int * | | self_parameter_flow.cpp:8:8:8:9 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * | -| test.cpp:67:28:67:37 | (reference dereference) | Expected 'Node.getType()' to be const int, but it was int * | +| test.cpp:67:28:67:37 | call to move | Expected 'Node.getType()' to be const int, but it was int * | | test.cpp:531:39:531:40 | *& ... | Expected 'Node.getType()' to be int, but it was const int * | | test.cpp:615:13:615:21 | *& ... | Expected 'Node.getType()' to be int, but it was void | | test.cpp:704:22:704:25 | *& ... | Expected 'Node.getType()' to be int, but it was int * | | test.cpp:715:24:715:25 | *& ... | Expected 'Node.getType()' to be unsigned char, but it was unsigned char * | -| test.cpp:848:23:848:25 | (reference dereference) | Expected 'Node.getType()' to be int, but it was int * | +| test.cpp:848:23:848:25 | rpx | Expected 'Node.getType()' to be int, but it was int * | | test.cpp:854:10:854:36 | * ... | Expected 'Node.getType()' to be const int, but it was int | | test.cpp:867:10:867:30 | * ... | Expected 'Node.getType()' to be const int, but it was int | | test.cpp:1062:52:1062:53 | *& ... | Expected 'Node.getType()' to be char, but it was char * | diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected index f703a208e230..66439f38754f 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected 
@@ -58,13 +58,13 @@ edges | A.cpp:100:5:100:6 | *c1 [post update] [a] | A.cpp:101:8:101:9 | *c1 [a] | provenance | | | A.cpp:100:5:100:13 | ... = ... | A.cpp:100:5:100:6 | *c1 [post update] [a] | provenance | | | A.cpp:101:8:101:9 | *c1 [a] | A.cpp:103:14:103:14 | *c [a] | provenance | | -| A.cpp:103:14:103:14 | *c [a] | A.cpp:105:18:105:38 | *dynamic_cast... [a] | provenance | | -| A.cpp:103:14:103:14 | *c [a] | A.cpp:110:18:110:38 | *dynamic_cast... [a] | provenance | | -| A.cpp:105:18:105:38 | *dynamic_cast... [a] | A.cpp:107:12:107:13 | *c1 [a] | provenance | | +| A.cpp:103:14:103:14 | *c [a] | A.cpp:105:18:105:38 | *c [a] | provenance | | +| A.cpp:103:14:103:14 | *c [a] | A.cpp:110:18:110:38 | *c [a] | provenance | | +| A.cpp:105:18:105:38 | *c [a] | A.cpp:107:12:107:13 | *c1 [a] | provenance | | | A.cpp:107:12:107:13 | *c1 [a] | A.cpp:107:12:107:16 | a | provenance | | -| A.cpp:110:18:110:38 | *dynamic_cast... [a] | A.cpp:112:7:112:13 | *... = ... [a] | provenance | | -| A.cpp:112:7:112:13 | *... = ... [a] | A.cpp:118:18:118:39 | *dynamic_cast... [a] | provenance | | -| A.cpp:118:18:118:39 | *dynamic_cast... [a] | A.cpp:120:12:120:13 | *c1 [a] | provenance | | +| A.cpp:110:18:110:38 | *c [a] | A.cpp:112:7:112:13 | *... = ... [a] | provenance | | +| A.cpp:112:7:112:13 | *... = ... [a] | A.cpp:118:18:118:39 | *cc [a] | provenance | | +| A.cpp:118:18:118:39 | *cc [a] | A.cpp:120:12:120:13 | *c1 [a] | provenance | | | A.cpp:120:12:120:13 | *c1 [a] | A.cpp:120:12:120:16 | a | provenance | | | A.cpp:124:14:124:14 | *b [c] | A.cpp:131:8:131:8 | f7 output argument [c] | provenance | | | A.cpp:126:5:126:5 | set output argument [c] | A.cpp:124:14:124:14 | *b [c] | provenance | | 
@@ -906,12 +906,12 @@ nodes | A.cpp:100:5:100:13 | ... = ... | semmle.label | ... = ... | | A.cpp:101:8:101:9 | *c1 [a] | semmle.label | *c1 [a] | | A.cpp:103:14:103:14 | *c [a] | semmle.label | *c [a] | -| A.cpp:105:18:105:38 | *dynamic_cast... [a] | semmle.label | *dynamic_cast... [a] | +| A.cpp:105:18:105:38 | *c [a] | semmle.label | *c [a] | | A.cpp:107:12:107:13 | *c1 [a] | semmle.label | *c1 [a] | | A.cpp:107:12:107:16 | a | semmle.label | a | -| A.cpp:110:18:110:38 | *dynamic_cast... [a] | semmle.label | *dynamic_cast... [a] | +| A.cpp:110:18:110:38 | *c [a] | semmle.label | *c [a] | | A.cpp:112:7:112:13 | *... = ... [a] | semmle.label | *... = ... [a] | -| A.cpp:118:18:118:39 | *dynamic_cast... [a] | semmle.label | *dynamic_cast... [a] | +| A.cpp:118:18:118:39 | *cc [a] | semmle.label | *cc [a] | | A.cpp:120:12:120:13 | *c1 [a] | semmle.label | *c1 [a] | | A.cpp:120:12:120:16 | a | semmle.label | a | | A.cpp:124:14:124:14 | *b [c] | semmle.label | *b [c] | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected index 1ccf4b0dab39..9424c731765e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected 
@@ -7,33 +7,33 @@ edges | nested.cpp:34:37:34:39 | *fmt | nested.cpp:35:19:35:21 | *fmt | provenance | | | nested.cpp:35:19:35:21 | *fmt | nested.cpp:27:32:27:34 | *fmt | provenance | | | nested.cpp:42:24:42:34 | *call to ext_fmt_str | nested.cpp:34:37:34:39 | *fmt | provenance | | -| nested.cpp:86:19:86:46 | *(char *)... | nested.cpp:87:18:87:20 | *fmt | provenance | | -| nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:86:19:86:46 | *(char *)... | provenance | | +| nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:86:19:86:46 | *call to __builtin_alloca | provenance | | +| nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | provenance | | | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | provenance | | | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | provenance | DataFlowFunction | | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | provenance | | | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | provenance | TaintFunction | -| test.cpp:204:25:204:36 | *(const char *)... | test.cpp:205:12:205:20 | *... + ... | provenance | | -| test.cpp:204:25:204:36 | *(const char *)... | test.cpp:206:12:206:16 | *hello | provenance | | -| test.cpp:204:25:204:36 | *call to get_string | test.cpp:204:25:204:36 | *(const char *)... | provenance | | -| test.cpp:209:25:209:36 | *(const char *)... | test.cpp:210:5:210:14 | *... += ... | provenance | | -| test.cpp:209:25:209:36 | *call to get_string | test.cpp:209:25:209:36 | *(const char *)... | provenance | | +| test.cpp:204:25:204:36 | *call to get_string | test.cpp:204:25:204:36 | *call to get_string | provenance | | +| test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... 
| provenance | | +| test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | provenance | | +| test.cpp:209:25:209:36 | *call to get_string | test.cpp:209:25:209:36 | *call to get_string | provenance | | +| test.cpp:209:25:209:36 | *call to get_string | test.cpp:210:5:210:14 | *... += ... | provenance | | | test.cpp:210:5:210:14 | *... += ... | test.cpp:211:12:211:16 | *hello | provenance | | -| test.cpp:215:25:215:36 | *(const char *)... | test.cpp:216:5:216:21 | *... = ... | provenance | | -| test.cpp:215:25:215:36 | *call to get_string | test.cpp:215:25:215:36 | *(const char *)... | provenance | | +| test.cpp:215:25:215:36 | *call to get_string | test.cpp:215:25:215:36 | *call to get_string | provenance | | +| test.cpp:215:25:215:36 | *call to get_string | test.cpp:216:5:216:21 | *... = ... | provenance | | | test.cpp:216:5:216:21 | *... = ... | test.cpp:217:12:217:16 | *hello | provenance | | -| test.cpp:221:25:221:36 | *(const char *)... | test.cpp:222:5:222:11 | *... ++ | provenance | | -| test.cpp:221:25:221:36 | *call to get_string | test.cpp:221:25:221:36 | *(const char *)... | provenance | | +| test.cpp:221:25:221:36 | *call to get_string | test.cpp:221:25:221:36 | *call to get_string | provenance | | +| test.cpp:221:25:221:36 | *call to get_string | test.cpp:222:5:222:11 | *... ++ | provenance | | | test.cpp:222:5:222:11 | *... ++ | test.cpp:223:12:223:16 | *hello | provenance | | -| test.cpp:227:25:227:36 | *(const char *)... | test.cpp:228:12:228:18 | *++ ... | provenance | | -| test.cpp:227:25:227:36 | *call to get_string | test.cpp:227:25:227:36 | *(const char *)... | provenance | | +| test.cpp:227:25:227:36 | *call to get_string | test.cpp:227:25:227:36 | *call to get_string | provenance | | +| test.cpp:227:25:227:36 | *call to get_string | test.cpp:228:12:228:18 | *++ ... | provenance | | | test.cpp:228:12:228:18 | *++ ... | test.cpp:228:12:228:18 | *++ ... | provenance | | -| test.cpp:232:25:232:36 | *(const char *)... 
| test.cpp:235:12:235:16 | *hello | provenance | | -| test.cpp:232:25:232:36 | *call to get_string | test.cpp:232:25:232:36 | *(const char *)... | provenance | | -| test.cpp:239:25:239:36 | *(const char *)... | test.cpp:242:12:242:16 | *hello | provenance | | -| test.cpp:239:25:239:36 | *call to get_string | test.cpp:239:25:239:36 | *(const char *)... | provenance | | -| test.cpp:245:25:245:36 | *(const char *)... | test.cpp:247:12:247:16 | *hello | provenance | | -| test.cpp:245:25:245:36 | *call to get_string | test.cpp:245:25:245:36 | *(const char *)... | provenance | | +| test.cpp:232:25:232:36 | *call to get_string | test.cpp:232:25:232:36 | *call to get_string | provenance | | +| test.cpp:232:25:232:36 | *call to get_string | test.cpp:235:12:235:16 | *hello | provenance | | +| test.cpp:239:25:239:36 | *call to get_string | test.cpp:239:25:239:36 | *call to get_string | provenance | | +| test.cpp:239:25:239:36 | *call to get_string | test.cpp:242:12:242:16 | *hello | provenance | | +| test.cpp:245:25:245:36 | *call to get_string | test.cpp:245:25:245:36 | *call to get_string | provenance | | +| test.cpp:245:25:245:36 | *call to get_string | test.cpp:247:12:247:16 | *hello | provenance | | nodes | NonConstantFormat.c:28:27:28:30 | **argv | semmle.label | **argv | | NonConstantFormat.c:30:10:30:16 | *access to array | semmle.label | *access to array | 
@@ -48,7 +48,7 @@ nodes | nested.cpp:35:19:35:21 | *fmt | semmle.label | *fmt | | nested.cpp:42:24:42:34 | *call to ext_fmt_str | semmle.label | *call to ext_fmt_str | | nested.cpp:79:32:79:38 | *call to get_fmt | semmle.label | *call to get_fmt | -| nested.cpp:86:19:86:46 | *(char *)... | semmle.label | *(char *)... | +| nested.cpp:86:19:86:46 | *call to __builtin_alloca | semmle.label | *call to __builtin_alloca | | nested.cpp:86:19:86:46 | *call to __builtin_alloca | semmle.label | *call to __builtin_alloca | | nested.cpp:87:18:87:20 | *fmt | semmle.label | *fmt | | test.cpp:46:27:46:30 | **argv | semmle.label | **argv | 
@@ -58,33 +58,33 @@ nodes | test.cpp:193:32:193:34 | *str | semmle.label | *str | | test.cpp:195:31:195:33 | *str | semmle.label | *str | | test.cpp:197:11:197:14 | *wstr | semmle.label | *wstr | -| test.cpp:204:25:204:36 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:204:25:204:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:204:25:204:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:205:12:205:20 | *... + ... | semmle.label | *... + ... | | test.cpp:206:12:206:16 | *hello | semmle.label | *hello | -| test.cpp:209:25:209:36 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:209:25:209:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:209:25:209:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:210:5:210:14 | *... += ... | semmle.label | *... += ... | | test.cpp:211:12:211:16 | *hello | semmle.label | *hello | -| test.cpp:215:25:215:36 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:215:25:215:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:215:25:215:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:216:5:216:21 | *... = ... | semmle.label | *... = ... | | test.cpp:217:12:217:16 | *hello | semmle.label | *hello | -| test.cpp:221:25:221:36 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:221:25:221:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:221:25:221:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:222:5:222:11 | *... ++ | semmle.label | *... ++ | | test.cpp:223:12:223:16 | *hello | semmle.label | *hello | -| test.cpp:227:25:227:36 | *(const char *)... | semmle.label | *(const char *)... 
| +| test.cpp:227:25:227:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:227:25:227:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:228:12:228:18 | *++ ... | semmle.label | *++ ... | | test.cpp:228:12:228:18 | *++ ... | semmle.label | *++ ... | -| test.cpp:232:25:232:36 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:232:25:232:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:232:25:232:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:235:12:235:16 | *hello | semmle.label | *hello | -| test.cpp:239:25:239:36 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:239:25:239:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:239:25:239:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:242:12:242:16 | *hello | semmle.label | *hello | -| test.cpp:245:25:245:36 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:245:25:245:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:245:25:245:36 | *call to get_string | semmle.label | *call to get_string | | test.cpp:247:12:247:16 | *hello | semmle.label | *hello | subpaths diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected index 42d14e9d8d4f..ca24075c2c34 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected 
@@ -3,13 +3,13 @@ edges | test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command | provenance | | | test.cpp:42:18:42:34 | *call to getenv | test.cpp:24:30:24:36 | *command | provenance | | | test.cpp:43:18:43:34 | *call to getenv | test.cpp:29:30:29:36 | *command | provenance | | -| test.cpp:56:12:56:17 | fgets output argument | test.cpp:58:16:58:21 | *array to pointer conversion | provenance | | +| test.cpp:56:12:56:17 | fgets output argument | test.cpp:58:16:58:21 | *buffer | provenance | | | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | provenance | | -| test.cpp:58:16:58:21 | *array to pointer conversion | test.cpp:59:20:59:23 | **(reference to) | provenance | | -| test.cpp:58:16:58:21 | *array to pointer conversion | test.cpp:63:10:63:13 | *data | provenance | | -| test.cpp:59:20:59:23 | **(reference to) | test.cpp:60:17:60:23 | *(reference dereference) | provenance | | -| test.cpp:59:20:59:23 | **(reference to) | test.cpp:64:10:64:16 | *dataref | provenance | | -| test.cpp:60:17:60:23 | *(reference dereference) | test.cpp:65:10:65:14 | *data2 | provenance | | +| test.cpp:58:16:58:21 | *buffer | test.cpp:59:20:59:23 | **data | provenance | | +| test.cpp:58:16:58:21 | *buffer | test.cpp:63:10:63:13 | *data | provenance | | +| test.cpp:59:20:59:23 | **data | test.cpp:60:17:60:23 | *dataref | provenance | | +| test.cpp:59:20:59:23 | **data | test.cpp:64:10:64:16 | *dataref | provenance | | +| test.cpp:60:17:60:23 | *dataref | test.cpp:65:10:65:14 | *data2 | provenance | | | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | provenance | | | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | provenance | | | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | provenance | | 
@@ -23,9 +23,9 @@ nodes | test.cpp:42:18:42:34 | *call to getenv | semmle.label | *call to getenv | | test.cpp:43:18:43:34 | *call to getenv | semmle.label | *call to getenv | | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument | -| test.cpp:58:16:58:21 | *array to pointer conversion | semmle.label | *array to pointer conversion | -| test.cpp:59:20:59:23 | **(reference to) | semmle.label | **(reference to) | -| test.cpp:60:17:60:23 | *(reference dereference) | semmle.label | *(reference dereference) | +| test.cpp:58:16:58:21 | *buffer | semmle.label | *buffer | +| test.cpp:59:20:59:23 | **data | semmle.label | **data | +| test.cpp:60:17:60:23 | *dataref | semmle.label | *dataref | | test.cpp:62:10:62:15 | *buffer | semmle.label | *buffer | | test.cpp:63:10:63:13 | *data | semmle.label | *data | | test.cpp:64:10:64:16 | *dataref | semmle.label | *dataref | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected index 280fcefae2b5..433a3293ffd3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected 
@@ -47,26 +47,26 @@ edges | test.cpp:203:17:203:19 | *str [string] | test.cpp:203:22:203:27 | string | provenance | | | test.cpp:207:17:207:19 | *str [string] | test.cpp:207:22:207:27 | string | provenance | | | test.cpp:214:24:214:24 | p | test.cpp:216:10:216:10 | p | provenance | | -| test.cpp:220:27:220:54 | (unsigned char *)... | test.cpp:222:15:222:20 | buffer | provenance | | -| test.cpp:220:27:220:54 | call to malloc | test.cpp:220:27:220:54 | (unsigned char *)... | provenance | | +| test.cpp:220:27:220:54 | call to malloc | test.cpp:220:27:220:54 | call to malloc | provenance | | +| test.cpp:220:27:220:54 | call to malloc | test.cpp:222:15:222:20 | buffer | provenance | | | test.cpp:222:15:222:20 | buffer | test.cpp:214:24:214:24 | p | provenance | | -| test.cpp:228:27:228:54 | (unsigned char *)... | test.cpp:232:10:232:15 | buffer | provenance | | -| test.cpp:228:27:228:54 | call to malloc | test.cpp:228:27:228:54 | (unsigned char *)... | provenance | | +| test.cpp:228:27:228:54 | call to malloc | test.cpp:228:27:228:54 | call to malloc | provenance | | +| test.cpp:228:27:228:54 | call to malloc | test.cpp:232:10:232:15 | buffer | provenance | | | test.cpp:235:40:235:45 | buffer | test.cpp:236:5:236:26 | ... = ... | provenance | | | test.cpp:236:5:236:9 | *p_str [post update] [string] | test.cpp:235:27:235:31 | *p_str [string] | provenance | | | test.cpp:236:5:236:26 | ... = ... | test.cpp:236:5:236:9 | *p_str [post update] [string] | provenance | | -| test.cpp:241:20:241:38 | (char *)... | test.cpp:242:22:242:27 | buffer | provenance | | -| test.cpp:241:20:241:38 | call to malloc | test.cpp:241:20:241:38 | (char *)... 
| provenance | | +| test.cpp:241:20:241:38 | call to malloc | test.cpp:241:20:241:38 | call to malloc | provenance | | +| test.cpp:241:20:241:38 | call to malloc | test.cpp:242:22:242:27 | buffer | provenance | | | test.cpp:242:16:242:19 | set_string output argument [string] | test.cpp:243:12:243:14 | *str [string] | provenance | | | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | provenance | | | test.cpp:242:22:242:27 | buffer | test.cpp:242:16:242:19 | set_string output argument [string] | provenance | | | test.cpp:243:12:243:14 | *str [string] | test.cpp:243:12:243:21 | string | provenance | | -| test.cpp:249:14:249:33 | (int *)... | test.cpp:250:12:250:12 | p | provenance | | -| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:249:14:249:33 | (int *)... | provenance | | +| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:249:14:249:33 | call to my_alloc | provenance | | +| test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | provenance | | | test.cpp:256:5:256:25 | ... = ... | test.cpp:257:12:257:12 | p | provenance | | | test.cpp:256:9:256:25 | call to malloc | test.cpp:256:5:256:25 | ... = ... | provenance | | -| test.cpp:262:15:262:30 | (char *)... | test.cpp:266:12:266:12 | p | provenance | | -| test.cpp:262:15:262:30 | call to malloc | test.cpp:262:15:262:30 | (char *)... | provenance | | +| test.cpp:262:15:262:30 | call to malloc | test.cpp:262:15:262:30 | call to malloc | provenance | | +| test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | provenance | | | test.cpp:264:9:264:30 | ... = ... | test.cpp:266:12:266:12 | p | provenance | | | test.cpp:264:13:264:30 | call to malloc | test.cpp:264:9:264:30 | ... = ... | provenance | | nodes 
@@ -122,29 +122,29 @@ nodes | test.cpp:207:22:207:27 | string | semmle.label | string | | test.cpp:214:24:214:24 | p | semmle.label | p | | test.cpp:216:10:216:10 | p | semmle.label | p | -| test.cpp:220:27:220:54 | (unsigned char *)... | semmle.label | (unsigned char *)... | +| test.cpp:220:27:220:54 | call to malloc | semmle.label | call to malloc | | test.cpp:220:27:220:54 | call to malloc | semmle.label | call to malloc | | test.cpp:222:15:222:20 | buffer | semmle.label | buffer | -| test.cpp:228:27:228:54 | (unsigned char *)... | semmle.label | (unsigned char *)... | +| test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc | | test.cpp:228:27:228:54 | call to malloc | semmle.label | call to malloc | | test.cpp:232:10:232:15 | buffer | semmle.label | buffer | | test.cpp:235:27:235:31 | *p_str [string] | semmle.label | *p_str [string] | | test.cpp:235:40:235:45 | buffer | semmle.label | buffer | | test.cpp:236:5:236:9 | *p_str [post update] [string] | semmle.label | *p_str [post update] [string] | | test.cpp:236:5:236:26 | ... = ... | semmle.label | ... = ... | -| test.cpp:241:20:241:38 | (char *)... | semmle.label | (char *)... | +| test.cpp:241:20:241:38 | call to malloc | semmle.label | call to malloc | | test.cpp:241:20:241:38 | call to malloc | semmle.label | call to malloc | | test.cpp:242:16:242:19 | set_string output argument [string] | semmle.label | set_string output argument [string] | | test.cpp:242:22:242:27 | buffer | semmle.label | buffer | | test.cpp:243:12:243:14 | *str [string] | semmle.label | *str [string] | | test.cpp:243:12:243:21 | string | semmle.label | string | -| test.cpp:249:14:249:33 | (int *)... | semmle.label | (int *)... | +| test.cpp:249:14:249:33 | call to my_alloc | semmle.label | call to my_alloc | | test.cpp:249:14:249:33 | call to my_alloc | semmle.label | call to my_alloc | | test.cpp:250:12:250:12 | p | semmle.label | p | | test.cpp:256:5:256:25 | ... = ... | semmle.label | ... = ... 
| | test.cpp:256:9:256:25 | call to malloc | semmle.label | call to malloc | | test.cpp:257:12:257:12 | p | semmle.label | p | -| test.cpp:262:15:262:30 | (char *)... | semmle.label | (char *)... | +| test.cpp:262:15:262:30 | call to malloc | semmle.label | call to malloc | | test.cpp:262:15:262:30 | call to malloc | semmle.label | call to malloc | | test.cpp:264:9:264:30 | ... = ... | semmle.label | ... = ... | | test.cpp:264:13:264:30 | call to malloc | semmle.label | call to malloc | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index 60ec46b23630..7b87c3ff440a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected @@ -8,7 +8,7 @@ edges | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | provenance | DataFlowFunction | | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction | | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction | -| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:120:13:120:14 | *array to pointer conversion | provenance | DataFlowFunction | +| argvLocal.c:13:27:13:30 | **argv | argvLocal.c:120:13:120:14 | *i3 | provenance | DataFlowFunction | | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:126:2:126:19 | ... = ... | provenance | | | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:149:2:149:17 | *... = ... | provenance | | | argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:9:25:9:31 | *correct | provenance | | 
@@ -18,16 +18,16 @@ edges | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:116:9:116:10 | *i3 | provenance | DataFlowFunction | | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction | | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:117:15:117:16 | *i3 | provenance | DataFlowFunction | -| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:120:13:120:14 | *array to pointer conversion | provenance | DataFlowFunction | +| argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:120:13:120:14 | *i3 | provenance | DataFlowFunction | | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:126:2:126:19 | ... = ... | provenance | | | argvLocal.c:96:15:96:21 | printWrapper output argument | argvLocal.c:149:2:149:17 | *... = ... | provenance | | | argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:101:9:101:10 | *i1 | provenance | | | argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:102:15:102:16 | *i1 | provenance | | | argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:102:15:102:16 | *i1 | provenance | | -| argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:143:13:143:26 | *(...) | provenance | | +| argvLocal.c:100:2:100:13 | *... = ... | argvLocal.c:143:13:143:26 | *... , ... | provenance | | | argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:9:25:9:31 | *correct | provenance | | | argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:102:15:102:16 | printWrapper output argument | provenance | | -| argvLocal.c:102:15:102:16 | printWrapper output argument | argvLocal.c:143:13:143:26 | *(...) | provenance | | +| argvLocal.c:102:15:102:16 | printWrapper output argument | argvLocal.c:143:13:143:26 | *... , ... 
| provenance | | | argvLocal.c:105:14:105:17 | **argv | argvLocal.c:106:9:106:13 | *access to array | provenance | | | argvLocal.c:105:14:105:17 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance | | | argvLocal.c:105:14:105:17 | **argv | argvLocal.c:107:15:107:19 | *access to array | provenance | | 
@@ -39,12 +39,12 @@ edges | argvLocal.c:107:15:107:19 | printWrapper output argument | argvLocal.c:111:15:111:17 | ** ... | provenance | | | argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:9:25:9:31 | *correct | provenance | | | argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:117:15:117:16 | printWrapper output argument | provenance | | -| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:120:13:120:14 | *array to pointer conversion | provenance | | -| argvLocal.c:120:13:120:14 | *array to pointer conversion | argvLocal.c:121:9:121:10 | *i4 | provenance | | -| argvLocal.c:120:13:120:14 | *array to pointer conversion | argvLocal.c:122:15:122:16 | *i4 | provenance | | -| argvLocal.c:120:13:120:14 | *array to pointer conversion | argvLocal.c:122:15:122:16 | *i4 | provenance | | -| argvLocal.c:120:13:120:14 | *array to pointer conversion | argvLocal.c:135:9:135:12 | *... ++ | provenance | | -| argvLocal.c:120:13:120:14 | *array to pointer conversion | argvLocal.c:135:9:135:12 | *... ++ | provenance | | +| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:120:13:120:14 | *i3 | provenance | | +| argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:121:9:121:10 | *i4 | provenance | | +| argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:122:15:122:16 | *i4 | provenance | | +| argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:122:15:122:16 | *i4 | provenance | | +| argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:135:9:135:12 | *... ++ | provenance | | +| argvLocal.c:120:13:120:14 | *i3 | argvLocal.c:135:9:135:12 | *... ++ | provenance | | | argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:9:25:9:31 | *correct | provenance | | | argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:122:15:122:16 | printWrapper output argument | provenance | | | argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | *... ++ | provenance | | 
@@ -70,8 +70,8 @@ edges | argvLocal.c:132:15:132:20 | printWrapper output argument | argvLocal.c:140:15:140:32 | *... ? ... : ... | provenance | | | argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:136:15:136:18 | *-- ... | provenance | | | argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:136:15:136:18 | *-- ... | provenance | | -| argvLocal.c:143:13:143:26 | *(...) | argvLocal.c:144:9:144:10 | *i7 | provenance | | -| argvLocal.c:143:13:143:26 | *(...) | argvLocal.c:145:15:145:16 | *i7 | provenance | | +| argvLocal.c:143:13:143:26 | *... , ... | argvLocal.c:144:9:144:10 | *i7 | provenance | | +| argvLocal.c:143:13:143:26 | *... , ... | argvLocal.c:145:15:145:16 | *i7 | provenance | | | argvLocal.c:149:2:149:17 | *... = ... | argvLocal.c:150:9:150:10 | *i8 | provenance | | | argvLocal.c:149:2:149:17 | *... = ... | argvLocal.c:151:15:151:16 | *i8 | provenance | | nodes @@ -98,7 +98,7 @@ nodes | argvLocal.c:117:15:117:16 | *i3 | semmle.label | *i3 | | argvLocal.c:117:15:117:16 | *i3 | semmle.label | *i3 | | argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument | -| argvLocal.c:120:13:120:14 | *array to pointer conversion | semmle.label | *array to pointer conversion | +| argvLocal.c:120:13:120:14 | *i3 | semmle.label | *i3 | | argvLocal.c:121:9:121:10 | *i4 | semmle.label | *i4 | | argvLocal.c:122:15:122:16 | *i4 | semmle.label | *i4 | | argvLocal.c:122:15:122:16 | *i4 | semmle.label | *i4 | 
@@ -118,7 +118,7 @@ nodes | argvLocal.c:136:15:136:18 | *-- ... | semmle.label | *-- ... | | argvLocal.c:139:9:139:26 | *... ? ... : ... | semmle.label | *... ? ... : ... | | argvLocal.c:140:15:140:32 | *... ? ... : ... | semmle.label | *... ? ... : ... | -| argvLocal.c:143:13:143:26 | *(...) | semmle.label | *(...) | +| argvLocal.c:143:13:143:26 | *... , ... | semmle.label | *... , ... | | argvLocal.c:144:9:144:10 | *i7 | semmle.label | *i7 | | argvLocal.c:145:15:145:16 | *i7 | semmle.label | *i7 | | argvLocal.c:149:2:149:17 | *... = ... | semmle.label | *... = ... | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected index 684ae70cfd77..e59c3e893a4f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected 
@@ -4,34 +4,34 @@ edges | consts.cpp:29:7:29:25 | **nonConstFuncToArray | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | provenance | | | consts.cpp:30:9:30:14 | *access to array | consts.cpp:29:7:29:25 | **nonConstFuncToArray | provenance | | | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | provenance | | -| consts.cpp:85:7:85:8 | gets output argument | consts.cpp:94:13:94:14 | *array to pointer conversion | provenance | | +| consts.cpp:85:7:85:8 | gets output argument | consts.cpp:94:13:94:14 | *v1 | provenance | | | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:99:2:99:8 | *... = ... | provenance | | -| consts.cpp:85:7:85:8 | gets output argument | consts.cpp:115:17:115:18 | *array to pointer conversion | provenance | | +| consts.cpp:85:7:85:8 | gets output argument | consts.cpp:115:17:115:18 | *v1 | provenance | | | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:123:2:123:12 | *... = ... | provenance | | -| consts.cpp:85:7:85:8 | gets output argument | consts.cpp:129:19:129:20 | *(const char *)... | provenance | | +| consts.cpp:85:7:85:8 | gets output argument | consts.cpp:129:19:129:20 | *v1 | provenance | | | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:135:9:135:11 | *v10 | provenance | TaintFunction | | consts.cpp:90:2:90:14 | *... = ... | consts.cpp:91:9:91:10 | *v2 | provenance | | | consts.cpp:90:2:90:14 | *... = ... | consts.cpp:115:21:115:22 | *v2 | provenance | | | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:90:2:90:14 | *... = ... | provenance | | -| consts.cpp:90:12:90:13 | gets output argument | consts.cpp:94:13:94:14 | *array to pointer conversion | provenance | | +| consts.cpp:90:12:90:13 | gets output argument | consts.cpp:94:13:94:14 | *v1 | provenance | | | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:99:2:99:8 | *... = ... 
| provenance | | -| consts.cpp:90:12:90:13 | gets output argument | consts.cpp:115:17:115:18 | *array to pointer conversion | provenance | | +| consts.cpp:90:12:90:13 | gets output argument | consts.cpp:115:17:115:18 | *v1 | provenance | | | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:123:2:123:12 | *... = ... | provenance | | -| consts.cpp:90:12:90:13 | gets output argument | consts.cpp:129:19:129:20 | *(const char *)... | provenance | | +| consts.cpp:90:12:90:13 | gets output argument | consts.cpp:129:19:129:20 | *v1 | provenance | | | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:135:9:135:11 | *v10 | provenance | TaintFunction | -| consts.cpp:94:13:94:14 | *array to pointer conversion | consts.cpp:95:9:95:10 | *v3 | provenance | | +| consts.cpp:94:13:94:14 | *v1 | consts.cpp:95:9:95:10 | *v3 | provenance | | | consts.cpp:99:2:99:8 | *... = ... | consts.cpp:100:9:100:10 | *v4 | provenance | | | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:106:13:106:19 | *call to varFunc | provenance | | | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:107:9:107:10 | *v5 | provenance | | | consts.cpp:111:2:111:15 | *... = ... | consts.cpp:112:9:112:10 | *v6 | provenance | | | consts.cpp:111:7:111:13 | *call to varFunc | consts.cpp:111:2:111:15 | *... = ... | provenance | | -| consts.cpp:115:17:115:18 | *array to pointer conversion | consts.cpp:116:9:116:13 | *access to array | provenance | | -| consts.cpp:115:17:115:18 | *array to pointer conversion | consts.cpp:120:2:120:11 | *... = ... | provenance | | +| consts.cpp:115:17:115:18 | *v1 | consts.cpp:116:9:116:13 | *access to array | provenance | | +| consts.cpp:115:17:115:18 | *v1 | consts.cpp:120:2:120:11 | *... = ... | provenance | | | consts.cpp:115:21:115:22 | *v2 | consts.cpp:116:9:116:13 | *access to array | provenance | | | consts.cpp:115:21:115:22 | *v2 | consts.cpp:120:2:120:11 | *... = ... | provenance | | | consts.cpp:120:2:120:11 | *... = ... 
| consts.cpp:121:9:121:10 | *v8 | provenance | | | consts.cpp:123:2:123:12 | *... = ... | consts.cpp:24:7:24:9 | **gv1 | provenance | | -| consts.cpp:129:19:129:20 | *(const char *)... | consts.cpp:130:9:130:10 | *v9 | provenance | | +| consts.cpp:129:19:129:20 | *v1 | consts.cpp:130:9:130:10 | *v9 | provenance | | | consts.cpp:139:13:139:16 | readString output argument | consts.cpp:140:9:140:11 | *v11 | provenance | | | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | provenance | | nodes @@ -44,7 +44,7 @@ nodes | consts.cpp:90:7:90:10 | *call to gets | semmle.label | *call to gets | | consts.cpp:90:12:90:13 | gets output argument | semmle.label | gets output argument | | consts.cpp:91:9:91:10 | *v2 | semmle.label | *v2 | -| consts.cpp:94:13:94:14 | *array to pointer conversion | semmle.label | *array to pointer conversion | +| consts.cpp:94:13:94:14 | *v1 | semmle.label | *v1 | | consts.cpp:95:9:95:10 | *v3 | semmle.label | *v3 | | consts.cpp:99:2:99:8 | *... = ... | semmle.label | *... = ... | | consts.cpp:100:9:100:10 | *v4 | semmle.label | *v4 | 
@@ -55,14 +55,14 @@ nodes | consts.cpp:111:2:111:15 | *... = ... | semmle.label | *... = ... | | consts.cpp:111:7:111:13 | *call to varFunc | semmle.label | *call to varFunc | | consts.cpp:112:9:112:10 | *v6 | semmle.label | *v6 | -| consts.cpp:115:17:115:18 | *array to pointer conversion | semmle.label | *array to pointer conversion | +| consts.cpp:115:17:115:18 | *v1 | semmle.label | *v1 | | consts.cpp:115:21:115:22 | *v2 | semmle.label | *v2 | | consts.cpp:116:9:116:13 | *access to array | semmle.label | *access to array | | consts.cpp:120:2:120:11 | *... = ... | semmle.label | *... = ... | | consts.cpp:121:9:121:10 | *v8 | semmle.label | *v8 | | consts.cpp:123:2:123:12 | *... = ... | semmle.label | *... = ... | | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | semmle.label | *call to nonConstFuncToArray | -| consts.cpp:129:19:129:20 | *(const char *)... | semmle.label | *(const char *)... | +| consts.cpp:129:19:129:20 | *v1 | semmle.label | *v1 | | consts.cpp:130:9:130:10 | *v9 | semmle.label | *v9 | | consts.cpp:135:9:135:11 | *v10 | semmle.label | *v10 | | consts.cpp:139:13:139:16 | readString output argument | semmle.label | readString output argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected index 404d001470e2..c21f9c38855c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected 
@@ -5,20 +5,20 @@ edges | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | provenance | | | test.c:44:13:44:16 | call to rand | test.c:44:13:44:16 | call to rand | provenance | | | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | provenance | | -| test.c:75:13:75:19 | (...) | test.c:77:9:77:9 | r | provenance | | -| test.c:75:13:75:19 | call to rand | test.c:75:13:75:19 | (...) | provenance | | -| test.c:75:13:75:19 | call to rand | test.c:75:13:75:19 | (...) | provenance | | -| test.c:81:13:81:29 | (...) | test.c:83:9:83:9 | r | provenance | | -| test.c:81:14:81:17 | call to rand | test.c:81:13:81:29 | (...) | provenance | | -| test.c:81:23:81:26 | call to rand | test.c:81:13:81:29 | (...) | provenance | | +| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | provenance | | +| test.c:75:13:75:19 | call to rand | test.c:75:13:75:19 | ... ^ ... | provenance | | +| test.c:75:13:75:19 | call to rand | test.c:75:13:75:19 | ... ^ ... | provenance | | +| test.c:81:13:81:29 | ... ^ ... | test.c:83:9:83:9 | r | provenance | | +| test.c:81:14:81:17 | call to rand | test.c:81:13:81:29 | ... ^ ... | provenance | | +| test.c:81:23:81:26 | call to rand | test.c:81:13:81:29 | ... ^ ... | provenance | | | test.c:125:13:125:16 | call to rand | test.c:125:13:125:16 | call to rand | provenance | | | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | provenance | | | test.c:131:13:131:16 | call to rand | test.c:131:13:131:16 | call to rand | provenance | | | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | provenance | | | test.c:137:13:137:16 | call to rand | test.c:137:13:137:16 | call to rand | provenance | | | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | provenance | | -| test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r | provenance | | -| test.c:155:22:155:27 | call to rand | test.c:155:22:155:27 | (unsigned int)... 
| provenance | | +| test.c:155:22:155:27 | call to rand | test.c:155:22:155:27 | call to rand | provenance | | +| test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | provenance | | | test.cpp:6:5:6:12 | *get_rand | test.cpp:24:11:24:18 | call to get_rand | provenance | | | test.cpp:8:9:8:12 | call to rand | test.cpp:6:5:6:12 | *get_rand | provenance | | | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | call to rand | provenance | | @@ -43,8 +43,8 @@ edges | test.cpp:151:10:151:13 | call to rand | test.cpp:153:10:153:15 | ... - ... | provenance | | | test.cpp:153:10:153:15 | ... - ... | test.cpp:154:10:154:10 | b | provenance | | | test.cpp:169:11:169:14 | call to rand | test.cpp:169:11:169:14 | call to rand | provenance | | -| test.cpp:169:11:169:14 | call to rand | test.cpp:170:13:170:13 | (float)... | provenance | | -| test.cpp:170:13:170:13 | (float)... | test.cpp:171:11:171:16 | y | provenance | | +| test.cpp:169:11:169:14 | call to rand | test.cpp:170:13:170:13 | x | provenance | | +| test.cpp:170:13:170:13 | x | test.cpp:171:11:171:16 | y | provenance | | | test.cpp:189:10:189:13 | call to rand | test.cpp:189:10:189:13 | call to rand | provenance | | | test.cpp:189:10:189:13 | call to rand | test.cpp:195:3:195:11 | ... = ... | provenance | | | test.cpp:189:10:189:13 | call to rand | test.cpp:198:3:198:11 | ... = ... | provenance | | 
@@ -69,11 +69,11 @@ nodes | test.c:44:13:44:16 | call to rand | semmle.label | call to rand | | test.c:44:13:44:16 | call to rand | semmle.label | call to rand | | test.c:45:5:45:5 | r | semmle.label | r | -| test.c:75:13:75:19 | (...) | semmle.label | (...) | +| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... | | test.c:75:13:75:19 | call to rand | semmle.label | call to rand | | test.c:75:13:75:19 | call to rand | semmle.label | call to rand | | test.c:77:9:77:9 | r | semmle.label | r | -| test.c:81:13:81:29 | (...) | semmle.label | (...) | +| test.c:81:13:81:29 | ... ^ ... | semmle.label | ... ^ ... | | test.c:81:14:81:17 | call to rand | semmle.label | call to rand | | test.c:81:23:81:26 | call to rand | semmle.label | call to rand | | test.c:83:9:83:9 | r | semmle.label | r | @@ -86,7 +86,7 @@ nodes | test.c:137:13:137:16 | call to rand | semmle.label | call to rand | | test.c:137:13:137:16 | call to rand | semmle.label | call to rand | | test.c:139:10:139:10 | r | semmle.label | r | -| test.c:155:22:155:27 | (unsigned int)... | semmle.label | (unsigned int)... | +| test.c:155:22:155:27 | call to rand | semmle.label | call to rand | | test.c:155:22:155:27 | call to rand | semmle.label | call to rand | | test.c:157:9:157:9 | r | semmle.label | r | | test.cpp:6:5:6:12 | *get_rand | semmle.label | *get_rand | @@ -121,7 +121,7 @@ nodes | test.cpp:154:10:154:10 | b | semmle.label | b | | test.cpp:169:11:169:14 | call to rand | semmle.label | call to rand | | test.cpp:169:11:169:14 | call to rand | semmle.label | call to rand | -| test.cpp:170:13:170:13 | (float)... | semmle.label | (float)... | +| test.cpp:170:13:170:13 | x | semmle.label | x | | test.cpp:171:11:171:16 | y | semmle.label | y | | test.cpp:189:10:189:13 | call to rand | semmle.label | call to rand | | test.cpp:189:10:189:13 | call to rand | semmle.label | call to rand | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected index 4a7f889feb75..a10ef491282c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected @@ -17,10 +17,10 @@ edges | test.cpp:211:9:211:42 | ... * ... | test.cpp:209:8:209:23 | *get_tainted_size | provenance | | | test.cpp:211:14:211:27 | *call to getenv | test.cpp:211:9:211:42 | ... * ... | provenance | TaintFunction | | test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s | provenance | | -| test.cpp:237:19:237:52 | (int)... | test.cpp:239:9:239:18 | local_size | provenance | | -| test.cpp:237:19:237:52 | (int)... | test.cpp:245:11:245:20 | local_size | provenance | | -| test.cpp:237:19:237:52 | (int)... | test.cpp:247:10:247:19 | local_size | provenance | | -| test.cpp:237:24:237:37 | *call to getenv | test.cpp:237:19:237:52 | (int)... | provenance | TaintFunction | +| test.cpp:237:19:237:52 | ... * ... | test.cpp:239:9:239:18 | local_size | provenance | | +| test.cpp:237:19:237:52 | ... * ... | test.cpp:245:11:245:20 | local_size | provenance | | +| test.cpp:237:19:237:52 | ... * ... | test.cpp:247:10:247:19 | local_size | provenance | | +| test.cpp:237:24:237:37 | *call to getenv | test.cpp:237:19:237:52 | ... * ... | provenance | TaintFunction | | test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s | provenance | | | test.cpp:250:20:250:27 | *out_size | test.cpp:289:17:289:20 | get_size output argument | provenance | | | test.cpp:250:20:250:27 | *out_size | test.cpp:305:18:305:21 | get_size output argument | provenance | | 
@@ -57,7 +57,7 @@ nodes | test.cpp:211:14:211:27 | *call to getenv | semmle.label | *call to getenv | | test.cpp:230:21:230:21 | s | semmle.label | s | | test.cpp:231:21:231:21 | s | semmle.label | s | -| test.cpp:237:19:237:52 | (int)... | semmle.label | (int)... | +| test.cpp:237:19:237:52 | ... * ... | semmle.label | ... * ... | | test.cpp:237:24:237:37 | *call to getenv | semmle.label | *call to getenv | | test.cpp:239:9:239:18 | local_size | semmle.label | local_size | | test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected index 6da76bd8688f..b6e6310b7799 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected @@ -11,8 +11,8 @@ edges | test3.c:10:27:10:30 | **argv | test.c:51:5:51:24 | ... = ... | provenance | TaintFunction | | test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:17:6:17:18 | call to getTaintedInt | provenance | | | test5.cpp:5:5:5:17 | *getTaintedInt | test5.cpp:18:6:18:18 | call to getTaintedInt | provenance | | -| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:10:9:10:27 | (int)... | provenance | TaintFunction | -| test5.cpp:10:9:10:27 | (int)... | test5.cpp:5:5:5:17 | *getTaintedInt | provenance | | +| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:10:9:10:27 | call to strtoul | provenance | TaintFunction | +| test5.cpp:10:9:10:27 | call to strtoul | test5.cpp:5:5:5:17 | *getTaintedInt | provenance | | | test5.cpp:18:2:18:20 | ... = ... | test5.cpp:19:6:19:6 | y | provenance | | | test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:18:2:18:20 | ... = ... | provenance | | | test.c:10:27:10:30 | **argv | test.c:11:24:11:27 | call to atoi | provenance | TaintFunction | 
@@ -40,7 +40,7 @@ nodes | test3.c:10:27:10:30 | **argv | semmle.label | **argv | | test5.cpp:5:5:5:17 | *getTaintedInt | semmle.label | *getTaintedInt | | test5.cpp:9:7:9:9 | gets output argument | semmle.label | gets output argument | -| test5.cpp:10:9:10:27 | (int)... | semmle.label | (int)... | +| test5.cpp:10:9:10:27 | call to strtoul | semmle.label | call to strtoul | | test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt | | test5.cpp:18:2:18:20 | ... = ... | semmle.label | ... = ... | | test5.cpp:18:6:18:18 | call to getTaintedInt | semmle.label | call to getTaintedInt | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected index 8a27292ba187..2eab396a2342 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.expected @@ -1,6 +1,6 @@ edges -| test.cpp:4:15:4:33 | (char *)... | test.cpp:5:15:5:22 | ... + ... | provenance | | -| test.cpp:4:15:4:33 | call to malloc | test.cpp:4:15:4:33 | (char *)... | provenance | | +| test.cpp:4:15:4:33 | call to malloc | test.cpp:4:15:4:33 | call to malloc | provenance | | +| test.cpp:4:15:4:33 | call to malloc | test.cpp:5:15:5:22 | ... + ... | provenance | | | test.cpp:5:15:5:22 | ... + ... | test.cpp:5:15:5:22 | ... + ... | provenance | | | test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | | | test.cpp:5:15:5:22 | ... + ... | test.cpp:6:14:6:15 | * ... | provenance | | 
@@ -9,10 +9,10 @@ edges | test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... | provenance | | | test.cpp:5:15:5:22 | ... + ... | test.cpp:8:14:8:21 | * ... | provenance | | | test.cpp:6:14:6:15 | * ... | test.cpp:8:14:8:21 | * ... | provenance | | -| test.cpp:16:15:16:33 | (char *)... | test.cpp:20:14:20:21 | * ... | provenance | | -| test.cpp:16:15:16:33 | call to malloc | test.cpp:16:15:16:33 | (char *)... | provenance | | -| test.cpp:28:15:28:37 | (char *)... | test.cpp:29:15:29:28 | ... + ... | provenance | | -| test.cpp:28:15:28:37 | call to malloc | test.cpp:28:15:28:37 | (char *)... | provenance | | +| test.cpp:16:15:16:33 | call to malloc | test.cpp:16:15:16:33 | call to malloc | provenance | | +| test.cpp:16:15:16:33 | call to malloc | test.cpp:20:14:20:21 | * ... | provenance | | +| test.cpp:28:15:28:37 | call to malloc | test.cpp:28:15:28:37 | call to malloc | provenance | | +| test.cpp:28:15:28:37 | call to malloc | test.cpp:29:15:29:28 | ... + ... | provenance | | | test.cpp:29:15:29:28 | ... + ... | test.cpp:29:15:29:28 | ... + ... | provenance | | | test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | | | test.cpp:29:15:29:28 | ... + ... | test.cpp:30:14:30:15 | * ... | provenance | | 
@@ -22,13 +22,13 @@ edges | test.cpp:29:15:29:28 | ... + ... | test.cpp:32:14:32:21 | * ... | provenance | | | test.cpp:30:14:30:15 | * ... | test.cpp:32:14:32:21 | * ... | provenance | | | test.cpp:51:33:51:35 | *end | test.cpp:60:34:60:37 | mk_array output argument | provenance | | -| test.cpp:52:19:52:37 | (char *)... | test.cpp:53:12:53:23 | ... + ... | provenance | | -| test.cpp:52:19:52:37 | call to malloc | test.cpp:52:19:52:37 | (char *)... | provenance | | +| test.cpp:52:19:52:37 | call to malloc | test.cpp:52:19:52:37 | call to malloc | provenance | | +| test.cpp:52:19:52:37 | call to malloc | test.cpp:53:12:53:23 | ... + ... | provenance | | | test.cpp:53:5:53:23 | ... = ... | test.cpp:51:33:51:35 | *end | provenance | | | test.cpp:53:12:53:23 | ... + ... | test.cpp:53:5:53:23 | ... = ... | provenance | | | test.cpp:60:34:60:37 | mk_array output argument | test.cpp:67:9:67:14 | ... = ... | provenance | | -| test.cpp:205:15:205:33 | (char *)... | test.cpp:206:17:206:23 | ... + ... | provenance | | -| test.cpp:205:15:205:33 | call to malloc | test.cpp:205:15:205:33 | (char *)... | provenance | | +| test.cpp:205:15:205:33 | call to malloc | test.cpp:205:15:205:33 | call to malloc | provenance | | +| test.cpp:205:15:205:33 | call to malloc | test.cpp:206:17:206:23 | ... + ... | provenance | | | test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | ... + ... | provenance | | | test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... | provenance | | | test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | ... = ... | provenance | | 
@@ -119,32 +119,32 @@ edges | test.cpp:815:52:815:54 | end | test.cpp:821:7:821:12 | ... = ... | provenance | | | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | test.cpp:833:37:833:39 | end | provenance | | | test.cpp:833:37:833:39 | end | test.cpp:815:52:815:54 | end | provenance | | -| test.cpp:841:18:841:35 | (int *)... | test.cpp:842:3:842:20 | ... = ... | provenance | | -| test.cpp:841:18:841:35 | call to malloc | test.cpp:841:18:841:35 | (int *)... | provenance | | -| test.cpp:848:20:848:37 | (int *)... | test.cpp:849:5:849:22 | ... = ... | provenance | | -| test.cpp:848:20:848:37 | call to malloc | test.cpp:848:20:848:37 | (int *)... | provenance | | -| test.cpp:856:12:856:35 | (int *)... | test.cpp:857:16:857:29 | ... + ... | provenance | | -| test.cpp:856:12:856:35 | call to malloc | test.cpp:856:12:856:35 | (int *)... | provenance | | +| test.cpp:841:18:841:35 | call to malloc | test.cpp:841:18:841:35 | call to malloc | provenance | | +| test.cpp:841:18:841:35 | call to malloc | test.cpp:842:3:842:20 | ... = ... | provenance | | +| test.cpp:848:20:848:37 | call to malloc | test.cpp:848:20:848:37 | call to malloc | provenance | | +| test.cpp:848:20:848:37 | call to malloc | test.cpp:849:5:849:22 | ... = ... | provenance | | +| test.cpp:856:12:856:35 | call to malloc | test.cpp:856:12:856:35 | call to malloc | provenance | | +| test.cpp:856:12:856:35 | call to malloc | test.cpp:857:16:857:29 | ... + ... | provenance | | | test.cpp:857:16:857:29 | ... + ... | test.cpp:857:16:857:29 | ... + ... | provenance | | | test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | | | test.cpp:857:16:857:29 | ... + ... | test.cpp:860:5:860:11 | ... = ... | provenance | | -| test.cpp:868:15:868:35 | (char *)... | test.cpp:869:15:869:22 | ... + ... | provenance | | -| test.cpp:868:15:868:35 | call to g_malloc | test.cpp:868:15:868:35 | (char *)... 
| provenance | | +| test.cpp:868:15:868:35 | call to g_malloc | test.cpp:868:15:868:35 | call to g_malloc | provenance | | +| test.cpp:868:15:868:35 | call to g_malloc | test.cpp:869:15:869:22 | ... + ... | provenance | | | test.cpp:869:15:869:22 | ... + ... | test.cpp:869:15:869:22 | ... + ... | provenance | | | test.cpp:869:15:869:22 | ... + ... | test.cpp:870:14:870:15 | * ... | provenance | | | test.cpp:869:15:869:22 | ... + ... | test.cpp:870:14:870:15 | * ... | provenance | | nodes -| test.cpp:4:15:4:33 | (char *)... | semmle.label | (char *)... | +| test.cpp:4:15:4:33 | call to malloc | semmle.label | call to malloc | | test.cpp:4:15:4:33 | call to malloc | semmle.label | call to malloc | | test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... | | test.cpp:5:15:5:22 | ... + ... | semmle.label | ... + ... | | test.cpp:6:14:6:15 | * ... | semmle.label | * ... | | test.cpp:6:14:6:15 | * ... | semmle.label | * ... | | test.cpp:8:14:8:21 | * ... | semmle.label | * ... | -| test.cpp:16:15:16:33 | (char *)... | semmle.label | (char *)... | +| test.cpp:16:15:16:33 | call to malloc | semmle.label | call to malloc | | test.cpp:16:15:16:33 | call to malloc | semmle.label | call to malloc | | test.cpp:20:14:20:21 | * ... | semmle.label | * ... | -| test.cpp:28:15:28:37 | (char *)... | semmle.label | (char *)... | +| test.cpp:28:15:28:37 | call to malloc | semmle.label | call to malloc | | test.cpp:28:15:28:37 | call to malloc | semmle.label | call to malloc | | test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... | | test.cpp:29:15:29:28 | ... + ... | semmle.label | ... + ... | 
@@ -152,13 +152,13 @@ nodes | test.cpp:30:14:30:15 | * ... | semmle.label | * ... | | test.cpp:32:14:32:21 | * ... | semmle.label | * ... | | test.cpp:51:33:51:35 | *end | semmle.label | *end | -| test.cpp:52:19:52:37 | (char *)... | semmle.label | (char *)... | +| test.cpp:52:19:52:37 | call to malloc | semmle.label | call to malloc | | test.cpp:52:19:52:37 | call to malloc | semmle.label | call to malloc | | test.cpp:53:5:53:23 | ... = ... | semmle.label | ... = ... | | test.cpp:53:12:53:23 | ... + ... | semmle.label | ... + ... | | test.cpp:60:34:60:37 | mk_array output argument | semmle.label | mk_array output argument | | test.cpp:67:9:67:14 | ... = ... | semmle.label | ... = ... | -| test.cpp:205:15:205:33 | (char *)... | semmle.label | (char *)... | +| test.cpp:205:15:205:33 | call to malloc | semmle.label | call to malloc | | test.cpp:205:15:205:33 | call to malloc | semmle.label | call to malloc | | test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... | | test.cpp:206:17:206:23 | ... + ... | semmle.label | ... + ... | 
@@ -246,18 +246,18 @@ nodes | test.cpp:821:7:821:12 | ... = ... | semmle.label | ... = ... | | test.cpp:832:40:832:43 | mk_array_no_field_flow output argument | semmle.label | mk_array_no_field_flow output argument | | test.cpp:833:37:833:39 | end | semmle.label | end | -| test.cpp:841:18:841:35 | (int *)... | semmle.label | (int *)... | +| test.cpp:841:18:841:35 | call to malloc | semmle.label | call to malloc | | test.cpp:841:18:841:35 | call to malloc | semmle.label | call to malloc | | test.cpp:842:3:842:20 | ... = ... | semmle.label | ... = ... | -| test.cpp:848:20:848:37 | (int *)... | semmle.label | (int *)... | +| test.cpp:848:20:848:37 | call to malloc | semmle.label | call to malloc | | test.cpp:848:20:848:37 | call to malloc | semmle.label | call to malloc | | test.cpp:849:5:849:22 | ... = ... | semmle.label | ... = ... | -| test.cpp:856:12:856:35 | (int *)... | semmle.label | (int *)... | +| test.cpp:856:12:856:35 | call to malloc | semmle.label | call to malloc | | test.cpp:856:12:856:35 | call to malloc | semmle.label | call to malloc | | test.cpp:857:16:857:29 | ... + ... | semmle.label | ... + ... | | test.cpp:857:16:857:29 | ... + ... | semmle.label | ... + ... | | test.cpp:860:5:860:11 | ... = ... | semmle.label | ... = ... | -| test.cpp:868:15:868:35 | (char *)... | semmle.label | (char *)... | +| test.cpp:868:15:868:35 | call to g_malloc | semmle.label | call to g_malloc | | test.cpp:868:15:868:35 | call to g_malloc | semmle.label | call to g_malloc | | test.cpp:869:15:869:22 | ... + ... | semmle.label | ... + ... | | test.cpp:869:15:869:22 | ... + ... | semmle.label | ... + ... | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected index 274ec2b89b69..117f94cfad8a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected 
@@ -1,25 +1,25 @@ edges -| test.cpp:16:25:16:42 | *(const char *)... | test.cpp:20:14:20:20 | *address | provenance | | -| test.cpp:16:25:16:42 | *call to getenv | test.cpp:16:25:16:42 | *(const char *)... | provenance | | -| test.cpp:27:25:27:42 | *(const char *)... | test.cpp:31:14:31:20 | *address | provenance | | -| test.cpp:27:25:27:42 | *call to getenv | test.cpp:27:25:27:42 | *(const char *)... | provenance | | -| test.cpp:38:25:38:42 | *(const char *)... | test.cpp:42:14:42:20 | *address | provenance | | -| test.cpp:38:25:38:42 | *call to getenv | test.cpp:38:25:38:42 | *(const char *)... | provenance | | -| test.cpp:49:25:49:42 | *(const char *)... | test.cpp:52:14:52:20 | *address | provenance | | -| test.cpp:49:25:49:42 | *(const char *)... | test.cpp:56:14:56:20 | *address | provenance | | -| test.cpp:49:25:49:42 | *(const char *)... | test.cpp:60:14:60:20 | *address | provenance | | -| test.cpp:49:25:49:42 | *call to getenv | test.cpp:49:25:49:42 | *(const char *)... | provenance | | +| test.cpp:16:25:16:42 | *call to getenv | test.cpp:16:25:16:42 | *call to getenv | provenance | | +| test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | provenance | | +| test.cpp:27:25:27:42 | *call to getenv | test.cpp:27:25:27:42 | *call to getenv | provenance | | +| test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | provenance | | +| test.cpp:38:25:38:42 | *call to getenv | test.cpp:38:25:38:42 | *call to getenv | provenance | | +| test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | provenance | | +| test.cpp:49:25:49:42 | *call to getenv | test.cpp:49:25:49:42 | *call to getenv | provenance | | +| test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | provenance | | +| test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | provenance | | +| test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | provenance | | nodes -| test.cpp:16:25:16:42 
| *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:16:25:16:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:16:25:16:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:20:14:20:20 | *address | semmle.label | *address | -| test.cpp:27:25:27:42 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:27:25:27:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:27:25:27:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:31:14:31:20 | *address | semmle.label | *address | -| test.cpp:38:25:38:42 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:38:25:38:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:38:25:38:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:42:14:42:20 | *address | semmle.label | *address | -| test.cpp:49:25:49:42 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:49:25:49:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:49:25:49:42 | *call to getenv | semmle.label | *call to getenv | | test.cpp:52:14:52:20 | *address | semmle.label | *address | | test.cpp:56:14:56:20 | *address | semmle.label | *address | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected index 759c81e05803..42718aa4a388 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected 
@@ -1,8 +1,8 @@ edges | test3.cpp:74:21:74:29 | password1 | test3.cpp:74:21:74:29 | password1 | provenance | | | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | provenance | | -| test3.cpp:81:15:81:22 | array to pointer conversion | test3.cpp:83:15:83:17 | ptr | provenance | | -| test3.cpp:81:15:81:22 | password | test3.cpp:81:15:81:22 | array to pointer conversion | provenance | | +| test3.cpp:81:15:81:22 | password | test3.cpp:81:15:81:22 | password | provenance | | +| test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | provenance | | | test3.cpp:112:20:112:25 | buffer | test3.cpp:114:14:114:19 | buffer | provenance | | | test3.cpp:117:28:117:33 | buffer | test3.cpp:119:9:119:14 | buffer | provenance | | | test3.cpp:119:9:119:14 | buffer | test3.cpp:117:13:117:14 | *id | provenance | | @@ -49,7 +49,7 @@ nodes | test3.cpp:74:21:74:29 | password1 | semmle.label | password1 | | test3.cpp:74:21:74:29 | password1 | semmle.label | password1 | | test3.cpp:76:15:76:17 | ptr | semmle.label | ptr | -| test3.cpp:81:15:81:22 | array to pointer conversion | semmle.label | array to pointer conversion | +| test3.cpp:81:15:81:22 | password | semmle.label | password | | test3.cpp:81:15:81:22 | password | semmle.label | password | | test3.cpp:83:15:83:17 | ptr | semmle.label | ptr | | test3.cpp:101:12:101:19 | password | semmle.label | password | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected index 82953c486e29..a978b9edd7d2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected 
@@ -1,21 +1,21 @@ edges | test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url | provenance | | | test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g | provenance | | -| test.cpp:24:21:24:40 | *array to pointer conversion | test.cpp:24:13:24:17 | **url_g | provenance | | -| test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:21:24:40 | *array to pointer conversion | provenance | | +| test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:13:24:17 | **url_g | provenance | | +| test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:21:24:40 | *http://example.com | provenance | | | test.cpp:28:10:28:29 | *http://example.com | test.cpp:11:26:11:28 | *url | provenance | | -| test.cpp:35:23:35:42 | *array to pointer conversion | test.cpp:39:11:39:15 | *url_l | provenance | | -| test.cpp:35:23:35:42 | *http://example.com | test.cpp:35:23:35:42 | *array to pointer conversion | provenance | | -| test.cpp:36:26:36:45 | *array to pointer conversion | test.cpp:40:11:40:17 | *access to array | provenance | | -| test.cpp:36:26:36:45 | *http://example.com | test.cpp:36:26:36:45 | *array to pointer conversion | provenance | | +| test.cpp:35:23:35:42 | *http://example.com | test.cpp:35:23:35:42 | *http://example.com | provenance | | +| test.cpp:35:23:35:42 | *http://example.com | test.cpp:39:11:39:15 | *url_l | provenance | | +| test.cpp:36:26:36:45 | *http://example.com | test.cpp:36:26:36:45 | *http://example.com | provenance | | +| test.cpp:36:26:36:45 | *http://example.com | test.cpp:40:11:40:17 | *access to array | provenance | | | test.cpp:38:11:38:15 | *url_g | test.cpp:11:26:11:28 | *url | provenance | | | test.cpp:39:11:39:15 | *url_l | test.cpp:11:26:11:28 | *url | provenance | | | test.cpp:40:11:40:17 | *access to array | test.cpp:11:26:11:28 | *url | provenance | | | test.cpp:46:18:46:26 | *http:// | test.cpp:49:11:49:16 | *buffer | provenance | DataFlowFunction | | test.cpp:49:11:49:16 | *buffer | test.cpp:11:26:11:28 | *url | provenance | | -| 
test.cpp:110:21:110:40 | *(char *)... | test.cpp:113:2:113:37 | *... = ... | provenance | TaintFunction | -| test.cpp:110:21:110:40 | *(char *)... | test.cpp:116:3:116:37 | *... = ... | provenance | TaintFunction | -| test.cpp:110:21:110:40 | *http://example.com | test.cpp:110:21:110:40 | *(char *)... | provenance | | +| test.cpp:110:21:110:40 | *http://example.com | test.cpp:110:21:110:40 | *http://example.com | provenance | | +| test.cpp:110:21:110:40 | *http://example.com | test.cpp:113:2:113:37 | *... = ... | provenance | TaintFunction | +| test.cpp:110:21:110:40 | *http://example.com | test.cpp:116:3:116:37 | *... = ... | provenance | TaintFunction | | test.cpp:113:2:113:37 | *... = ... | test.cpp:121:11:121:13 | *ptr | provenance | | | test.cpp:116:3:116:37 | *... = ... | test.cpp:121:11:121:13 | *ptr | provenance | | | test.cpp:121:11:121:13 | *ptr | test.cpp:11:26:11:28 | *url | provenance | | 
@@ -23,19 +23,19 @@ nodes | test.cpp:11:26:11:28 | *url | semmle.label | *url | | test.cpp:15:30:15:32 | *url | semmle.label | *url | | test.cpp:24:13:24:17 | **url_g | semmle.label | **url_g | -| test.cpp:24:21:24:40 | *array to pointer conversion | semmle.label | *array to pointer conversion | +| test.cpp:24:21:24:40 | *http://example.com | semmle.label | *http://example.com | | test.cpp:24:21:24:40 | *http://example.com | semmle.label | *http://example.com | | test.cpp:28:10:28:29 | *http://example.com | semmle.label | *http://example.com | -| test.cpp:35:23:35:42 | *array to pointer conversion | semmle.label | *array to pointer conversion | | test.cpp:35:23:35:42 | *http://example.com | semmle.label | *http://example.com | -| test.cpp:36:26:36:45 | *array to pointer conversion | semmle.label | *array to pointer conversion | +| test.cpp:35:23:35:42 | *http://example.com | semmle.label | *http://example.com | +| test.cpp:36:26:36:45 | *http://example.com | semmle.label | *http://example.com | | test.cpp:36:26:36:45 | *http://example.com | semmle.label | *http://example.com | | test.cpp:38:11:38:15 | *url_g | semmle.label | *url_g | | test.cpp:39:11:39:15 | *url_l | semmle.label | *url_l | | test.cpp:40:11:40:17 | *access to array | semmle.label | *access to array | | test.cpp:46:18:46:26 | *http:// | semmle.label | *http:// | | test.cpp:49:11:49:16 | *buffer | semmle.label | *buffer | -| test.cpp:110:21:110:40 | *(char *)... | semmle.label | *(char *)... | +| test.cpp:110:21:110:40 | *http://example.com | semmle.label | *http://example.com | | test.cpp:110:21:110:40 | *http://example.com | semmle.label | *http://example.com | | test.cpp:113:2:113:37 | *... = ... | semmle.label | *... = ... | | test.cpp:116:3:116:37 | *... = ... | semmle.label | *... = ... | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index 671035d523e5..e9125a9ca4c0 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected @@ -57,12 +57,12 @@ edges | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:66:23:66:43 | *new | provenance | | | tests.cpp:73:23:73:43 | *new | tests.cpp:80:2:80:2 | *p | provenance | | | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:73:23:73:43 | *new | provenance | | -| tests.cpp:85:24:85:44 | *new | tests.cpp:86:24:86:25 | *(reference to) | provenance | | +| tests.cpp:85:24:85:44 | *new | tests.cpp:86:24:86:25 | ** ... | provenance | | | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:85:24:85:44 | *new | provenance | | -| tests.cpp:86:24:86:25 | *(reference to) | tests.cpp:88:3:88:3 | *q | provenance | | -| tests.cpp:100:24:100:44 | *new | tests.cpp:101:24:101:25 | *(reference to) | provenance | | +| tests.cpp:86:24:86:25 | ** ... | tests.cpp:88:3:88:3 | *q | provenance | | +| tests.cpp:100:24:100:44 | *new | tests.cpp:101:24:101:25 | ** ... | provenance | | | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:100:24:100:44 | *new | provenance | | -| tests.cpp:101:24:101:25 | *(reference to) | tests.cpp:104:3:104:3 | *q | provenance | | +| tests.cpp:101:24:101:25 | ** ... | tests.cpp:104:3:104:3 | *q | provenance | | | tests.cpp:112:39:112:39 | *p | tests.cpp:112:39:112:39 | *p | provenance | | | tests.cpp:112:39:112:39 | *p | tests.cpp:113:2:113:2 | *p | provenance | | | tests.cpp:116:39:116:39 | *p | tests.cpp:117:2:117:2 | *p | provenance | | 
@@ -158,11 +158,11 @@ nodes | tests.cpp:80:2:80:2 | *p | semmle.label | *p | | tests.cpp:85:24:85:44 | *new | semmle.label | *new | | tests.cpp:85:24:85:44 | call to XercesDOMParser | semmle.label | call to XercesDOMParser | -| tests.cpp:86:24:86:25 | *(reference to) | semmle.label | *(reference to) | +| tests.cpp:86:24:86:25 | ** ... | semmle.label | ** ... | | tests.cpp:88:3:88:3 | *q | semmle.label | *q | | tests.cpp:100:24:100:44 | *new | semmle.label | *new | | tests.cpp:100:24:100:44 | call to XercesDOMParser | semmle.label | call to XercesDOMParser | -| tests.cpp:101:24:101:25 | *(reference to) | semmle.label | *(reference to) | +| tests.cpp:101:24:101:25 | ** ... | semmle.label | ** ... | | tests.cpp:104:3:104:3 | *q | semmle.label | *q | | tests.cpp:112:39:112:39 | *p | semmle.label | *p | | tests.cpp:112:39:112:39 | *p | semmle.label | *p | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected index 2ece8ab7582b..fc3a964b2bf3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected 
@@ -1,8 +1,8 @@ edges -| test.cpp:20:29:20:47 | *(const char *)... | test.cpp:24:10:24:35 | ! ... | provenance | TaintFunction | -| test.cpp:20:29:20:47 | *call to getenv | test.cpp:20:29:20:47 | *(const char *)... | provenance | | +| test.cpp:20:29:20:47 | *call to getenv | test.cpp:20:29:20:47 | *call to getenv | provenance | | +| test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | provenance | TaintFunction | nodes -| test.cpp:20:29:20:47 | *(const char *)... | semmle.label | *(const char *)... | +| test.cpp:20:29:20:47 | *call to getenv | semmle.label | *call to getenv | | test.cpp:20:29:20:47 | *call to getenv | semmle.label | *call to getenv | | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... | subpaths diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected index 61f2b5afaa4b..6e18306bcd29 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected 
@@ -1,18 +1,18 @@ edges -| test.cpp:17:13:17:18 | (void *)... | test.cpp:18:21:18:47 | p | provenance | | -| test.cpp:17:13:17:18 | new | test.cpp:17:13:17:18 | (void *)... | provenance | | -| test.cpp:22:13:22:26 | (void *)... | test.cpp:23:12:23:30 | p | provenance | | -| test.cpp:22:13:22:26 | new | test.cpp:22:13:22:26 | (void *)... | provenance | | -| test.cpp:27:13:27:18 | (void *)... | test.cpp:28:25:28:55 | p | provenance | | -| test.cpp:27:13:27:18 | new | test.cpp:27:13:27:18 | (void *)... | provenance | | -| test.cpp:32:13:32:30 | (void *)... | test.cpp:33:12:33:30 | p | provenance | | -| test.cpp:32:13:32:30 | new | test.cpp:32:13:32:30 | (void *)... | provenance | | +| test.cpp:17:13:17:18 | new | test.cpp:17:13:17:18 | new | provenance | | +| test.cpp:17:13:17:18 | new | test.cpp:18:21:18:47 | p | provenance | | +| test.cpp:22:13:22:26 | new | test.cpp:22:13:22:26 | new | provenance | | +| test.cpp:22:13:22:26 | new | test.cpp:23:12:23:30 | p | provenance | | +| test.cpp:27:13:27:18 | new | test.cpp:27:13:27:18 | new | provenance | | +| test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | provenance | | +| test.cpp:32:13:32:30 | new | test.cpp:32:13:32:30 | new | provenance | | +| test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | provenance | | | test.cpp:47:21:47:36 | new | test.cpp:47:21:47:36 | new | provenance | | | test.cpp:47:21:47:36 | new | test.cpp:48:22:48:55 | p | provenance | | -| test.cpp:66:15:66:21 | (Animal *)... | test.cpp:67:12:67:31 | a | provenance | | -| test.cpp:66:15:66:21 | new | test.cpp:66:15:66:21 | (Animal *)... | provenance | | -| test.cpp:76:15:76:21 | (Animal *)... | test.cpp:77:12:77:31 | a | provenance | | -| test.cpp:76:15:76:21 | new | test.cpp:76:15:76:21 | (Animal *)... 
| provenance | | +| test.cpp:66:15:66:21 | new | test.cpp:66:15:66:21 | new | provenance | | +| test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | provenance | | +| test.cpp:76:15:76:21 | new | test.cpp:76:15:76:21 | new | provenance | | +| test.cpp:76:15:76:21 | new | test.cpp:77:12:77:31 | a | provenance | | | test.cpp:83:5:83:15 | ... = ... | test.cpp:88:14:88:33 | a | provenance | | | test.cpp:83:9:83:15 | new | test.cpp:83:5:83:15 | ... = ... | provenance | | | test.cpp:85:5:85:15 | ... = ... | test.cpp:88:14:88:33 | a | provenance | | 
@@ -31,36 +31,36 @@ edges | test.cpp:166:9:166:15 | new | test.cpp:166:5:166:15 | ... = ... | provenance | | | test.cpp:168:5:168:15 | ... = ... | test.cpp:171:14:171:33 | a | provenance | | | test.cpp:168:9:168:15 | new | test.cpp:168:5:168:15 | ... = ... | provenance | | -| test.cpp:179:15:179:24 | (void *)... | test.cpp:181:15:181:25 | u64 | provenance | | -| test.cpp:179:15:179:24 | new | test.cpp:179:15:179:24 | (void *)... | provenance | | -| test.cpp:187:15:187:24 | (void *)... | test.cpp:189:25:189:45 | u64 | provenance | | -| test.cpp:187:15:187:24 | new | test.cpp:187:15:187:24 | (void *)... | provenance | | -| test.cpp:207:14:207:26 | (void *)... | test.cpp:209:17:209:28 | si | provenance | | -| test.cpp:207:14:207:26 | new | test.cpp:207:14:207:26 | (void *)... | provenance | | -| test.cpp:217:13:217:18 | (void *)... | test.cpp:218:30:218:65 | p | provenance | | -| test.cpp:217:13:217:18 | new | test.cpp:217:13:217:18 | (void *)... | provenance | | -| test.cpp:226:13:226:18 | (void *)... | test.cpp:227:29:227:63 | p | provenance | | -| test.cpp:226:13:226:18 | new | test.cpp:226:13:226:18 | (void *)... | provenance | | +| test.cpp:179:15:179:24 | new | test.cpp:179:15:179:24 | new | provenance | | +| test.cpp:179:15:179:24 | new | test.cpp:181:15:181:25 | u64 | provenance | | +| test.cpp:187:15:187:24 | new | test.cpp:187:15:187:24 | new | provenance | | +| test.cpp:187:15:187:24 | new | test.cpp:189:25:189:45 | u64 | provenance | | +| test.cpp:207:14:207:26 | new | test.cpp:207:14:207:26 | new | provenance | | +| test.cpp:207:14:207:26 | new | test.cpp:209:17:209:28 | si | provenance | | +| test.cpp:217:13:217:18 | new | test.cpp:217:13:217:18 | new | provenance | | +| test.cpp:217:13:217:18 | new | test.cpp:218:30:218:65 | p | provenance | | +| test.cpp:226:13:226:18 | new | test.cpp:226:13:226:18 | new | provenance | | +| test.cpp:226:13:226:18 | new | test.cpp:227:29:227:63 | p | provenance | | nodes -| test.cpp:17:13:17:18 | (void *)... 
| semmle.label | (void *)... | +| test.cpp:17:13:17:18 | new | semmle.label | new | | test.cpp:17:13:17:18 | new | semmle.label | new | | test.cpp:18:21:18:47 | p | semmle.label | p | -| test.cpp:22:13:22:26 | (void *)... | semmle.label | (void *)... | +| test.cpp:22:13:22:26 | new | semmle.label | new | | test.cpp:22:13:22:26 | new | semmle.label | new | | test.cpp:23:12:23:30 | p | semmle.label | p | -| test.cpp:27:13:27:18 | (void *)... | semmle.label | (void *)... | +| test.cpp:27:13:27:18 | new | semmle.label | new | | test.cpp:27:13:27:18 | new | semmle.label | new | | test.cpp:28:25:28:55 | p | semmle.label | p | -| test.cpp:32:13:32:30 | (void *)... | semmle.label | (void *)... | +| test.cpp:32:13:32:30 | new | semmle.label | new | | test.cpp:32:13:32:30 | new | semmle.label | new | | test.cpp:33:12:33:30 | p | semmle.label | p | | test.cpp:47:21:47:36 | new | semmle.label | new | | test.cpp:47:21:47:36 | new | semmle.label | new | | test.cpp:48:22:48:55 | p | semmle.label | p | -| test.cpp:66:15:66:21 | (Animal *)... | semmle.label | (Animal *)... | +| test.cpp:66:15:66:21 | new | semmle.label | new | | test.cpp:66:15:66:21 | new | semmle.label | new | | test.cpp:67:12:67:31 | a | semmle.label | a | -| test.cpp:76:15:76:21 | (Animal *)... | semmle.label | (Animal *)... | +| test.cpp:76:15:76:21 | new | semmle.label | new | | test.cpp:76:15:76:21 | new | semmle.label | new | | test.cpp:77:12:77:31 | a | semmle.label | a | | test.cpp:83:5:83:15 | ... = ... | semmle.label | ... = ... | 
@@ -88,19 +88,19 @@ nodes | test.cpp:168:5:168:15 | ... = ... | semmle.label | ... = ... | | test.cpp:168:9:168:15 | new | semmle.label | new | | test.cpp:171:14:171:33 | a | semmle.label | a | -| test.cpp:179:15:179:24 | (void *)... | semmle.label | (void *)... | +| test.cpp:179:15:179:24 | new | semmle.label | new | | test.cpp:179:15:179:24 | new | semmle.label | new | | test.cpp:181:15:181:25 | u64 | semmle.label | u64 | -| test.cpp:187:15:187:24 | (void *)... | semmle.label | (void *)... | +| test.cpp:187:15:187:24 | new | semmle.label | new | | test.cpp:187:15:187:24 | new | semmle.label | new | | test.cpp:189:25:189:45 | u64 | semmle.label | u64 | -| test.cpp:207:14:207:26 | (void *)... | semmle.label | (void *)... | +| test.cpp:207:14:207:26 | new | semmle.label | new | | test.cpp:207:14:207:26 | new | semmle.label | new | | test.cpp:209:17:209:28 | si | semmle.label | si | -| test.cpp:217:13:217:18 | (void *)... | semmle.label | (void *)... | +| test.cpp:217:13:217:18 | new | semmle.label | new | | test.cpp:217:13:217:18 | new | semmle.label | new | | test.cpp:218:30:218:65 | p | semmle.label | p | -| test.cpp:226:13:226:18 | (void *)... | semmle.label | (void *)... | +| test.cpp:226:13:226:18 | new | semmle.label | new | | test.cpp:226:13:226:18 | new | semmle.label | new | | test.cpp:227:29:227:63 | p | semmle.label | p | subpaths