From b3f4c68a1d140eee63b9c9b5b288ab85f0683b8d Mon Sep 17 00:00:00 2001 From: Ian Lynagh Date: Thu, 11 Sep 2025 11:14:26 +0100 Subject: [PATCH 1/3] C++: Remove the BMN filter from some queries, but reduce precision to medium Remove the `not any(Compilation c).buildModeNone() and` clause from: cpp/wrong-type-format-argument cpp/comparison-with-wider-type cpp/integer-multiplication-cast-to-long cpp/implicit-function-declaration cpp/suspicious-add-sizeof but reduce their precision to `medium`. --- cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql | 3 +-- cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql | 3 +-- .../Underspecified Functions/ImplicitFunctionDeclaration.ql | 3 +-- cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql | 3 +-- cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql | 3 +-- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql index 7eb465d35a92..a54ac9020c8c 100644 --- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql +++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql @@ -5,7 +5,7 @@ * @kind problem * @problem.severity warning * @security-severity 8.1 - * @precision high + * @precision medium * @id cpp/integer-multiplication-cast-to-long * @tags reliability * security @@ -179,7 +179,6 @@ predicate overflows(MulExpr me, Type t) { from MulExpr me, Type t1, Type t2 where - not any(Compilation c).buildModeNone() and t1 = me.getType().getUnderlyingType() and t2 = me.getConversion().getType().getUnderlyingType() and t1.getSize() < t2.getSize() and diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql index 02975d2bdcab..33fe3a0b7a15 100644 --- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql +++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql 
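Review bot: Dropping `not any(Compilation c).buildModeNone() and` from the `where` clause means `me.getConversion().getType()` and the `getSize()` comparison now run on databases extracted without a real build, and the only compensation is the precision drop in the header hunk above, which (per patch 2 of this series) removes the query from the default code-scanning suite for every project, built or not. That trades false positives on build-mode-none databases for lost default coverage of an `@security-severity 8.1` integer-overflow check on fully built code. An alternative that would let `@precision high` stand is to exclude alerts whose operand or conversion type is unresolved in the database (the C++ library's erroneous/unknown type classes, if they cover this case) instead of gating on build mode globally; I have not checked how such types surface on a build-mode-none database, so verify against one before choosing. The `from … where … select` clause this hunk edits continues past the end of the hunk.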
@@ -5,7 +5,7 @@ * @kind problem * @problem.severity error * @security-severity 7.5 - * @precision high + * @precision medium * @id cpp/wrong-type-format-argument * @tags reliability * correctness @@ -154,7 +154,6 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) } from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual where - not any(Compilation c).buildModeNone() and ( formattingFunctionCallExpectedType(ffc, n, expected) and formattingFunctionCallActualType(ffc, n, arg, actual) and diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql index aa9d5d43c738..6a55557cf70b 100644 --- a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql +++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql @@ -5,7 +5,7 @@ * may lead to unpredictable behavior. * @kind problem * @problem.severity warning - * @precision high + * @precision medium * @id cpp/implicit-function-declaration * @tags correctness * maintainability @@ -38,7 +38,6 @@ predicate isCompiledAsC(File f) { from FunctionDeclarationEntry fdeIm, FunctionCall fc where - not any(Compilation c).buildModeNone() and isCompiledAsC(fdeIm.getFile()) and not isFromMacroDefinition(fc) and fdeIm.isImplicit() and diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql index 021be5d091b3..3f330807304f 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql @@ -6,7 +6,7 @@ * @kind problem * @problem.severity warning * @security-severity 7.8 - * @precision high + * @precision medium * @tags reliability * security * external/cwe/cwe-190 
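Review bot: In the `ImplicitFunctionDeclaration.ql` hunk the query's signal is the absence of a prior declaration (`fdeIm.isImplicit()`), which is exactly what a header the extractor could not locate would produce on a build-mode-none database, so removing the guard here is riskier than in the other four queries, and the header still carries no build-mode caveat. If the extractor does synthesize implicit declarations for calls whose header was not found (I am inferring that from the guard having existed, not from anything in the hunk), most new alerts on such databases will be include-path problems rather than real C89-style implicit declarations. At minimum add a why-comment on the `where` clause, e.g. `// No build-mode filter: on build-mode-none databases a missing header also yields implicit declarations, hence medium precision.`, and consider excluding calls whose target has a non-implicit declaration elsewhere in the same database. The `from … where` clause continues beyond the hunk.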
@@ -51,7 +51,6 @@ int getComparisonSizeAdjustment(Expr e) { from Loop l, RelationalOperation rel, VariableAccess small, Expr large where - not any(Compilation c).buildModeNone() and small = rel.getLesserOperand() and large = rel.getGreaterOperand() and rel = l.getCondition().getAChild*() and diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql index da92c792432c..d9c9df4fd918 100644 --- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql +++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql @@ -6,7 +6,7 @@ * @kind problem * @problem.severity warning * @security-severity 8.8 - * @precision high + * @precision medium * @id cpp/suspicious-add-sizeof * @tags security * external/cwe/cwe-468 @@ -24,7 +24,6 @@ private predicate isCharSzPtrExpr(Expr e) { from Expr sizeofExpr, Expr e where - not any(Compilation c).buildModeNone() and // If we see an addWithSizeof then we expect the type of // the pointer expression to be `char*` or `void*`. Otherwise it // is probably a mistake. From cc131a09a16670a476629814e51156247a16c646 Mon Sep 17 00:00:00 2001 From: Ian Lynagh Date: Thu, 11 Sep 2025 15:01:04 +0100 Subject: [PATCH 2/3] C++: Accept changes to cpp/ql/integration-tests/query-suite --- .../query-suite/cpp-code-scanning.qls.expected | 4 ---- 1 file changed, 4 deletions(-) diff --git a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected index c307f26d3dbf..33c02079fff8 100644 --- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected +++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected 
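Review bot: In the `SuspiciousAddWithSizeof.ql` hunk the heuristic stated in the comment directly after the removed line, that a pointer expression which is not `char*` or `void*` "is probably a mistake", will also fire when the pointer's type is simply unresolved, which is the situation a build-mode-none database can leave the extractor in, so the dropped guard turns those cases from suppressed into alerts with only the precision downgrade compensating. Because the rest of the `where` clause is outside the hunk I cannot see whether `isCharSzPtrExpr` already rejects unknown types; if it does not, explicitly excluding unresolved pointer types (the library's erroneous/unknown type classes, if applicable) would keep this `@security-severity 8.8` check at `high` precision and in the code-scanning suite rather than demoting it. Either way the header comment should record the rationale, e.g. `* Precision is medium because alerts are also reported for build-mode-none databases.`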
@@ -7,12 +7,10 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
-ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
-ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -30,7 +28,6 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
-ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -43,7 +40,6 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
-ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
From 050a9e155fdc490e61dc7067b6e8d00a6f7a99bc Mon Sep 17 00:00:00 2001
From: Ian Lynagh Date: Thu, 11 Sep 2025 15:56:41 +0100 Subject: [PATCH 3/3] C++: Add changenote for changes to some queries Queries affected: cpp/wrong-type-format-argument cpp/comparison-with-wider-type cpp/integer-multiplication-cast-to-long cpp/implicit-function-declaration cpp/suspicious-add-sizeof --- cpp/ql/src/change-notes/2025-09-11-queries-demoted.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 cpp/ql/src/change-notes/2025-09-11-queries-demoted.md diff --git a/cpp/ql/src/change-notes/2025-09-11-queries-demoted.md b/cpp/ql/src/change-notes/2025-09-11-queries-demoted.md new file mode 100644 index 000000000000..7150c08206b3 --- /dev/null +++ b/cpp/ql/src/change-notes/2025-09-11-queries-demoted.md @@ -0,0 +1,5 @@ +--- +category: majorAnalysis +--- +* The queries `cpp/wrong-type-format-argument`, `cpp/comparison-with-wider-type`, `cpp/integer-multiplication-cast-to-long`, `cpp/implicit-function-declaration` and `cpp/suspicious-add-sizeof` have had their precisions reduced from `high` to `medium`. They will also now give alerts for projects built with `build-mode: none`. +* The queries `cpp/wrong-type-format-argument`, `cpp/comparison-with-wider-type`, `cpp/integer-multiplication-cast-to-long` and `cpp/suspicious-add-sizeof` are no longer included in the `code-scanning` suite.