| All CWE-specific queries using taint tracking (`cpp/path-injection`, `cpp/cgi-xss`, `cpp/sql-injection`, `cpp/uncontrolled-process-operation`, `cpp/unbounded-write`, `cpp/tainted-format-string`, `cpp/tainted-format-string-through-global`, `cpp/uncontrolled-arithmetic`, `cpp/uncontrolled-allocation-size`, `cpp/user-controlled-bypass`, `cpp/cleartext-storage-buffer`, `cpp/tainted-permissions-check`) | More correct results | A new taint-tracking library is used, giving more precise results and offering _path explanations_ for results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
18
-
| Boost\_asio TLS Settings Misconfiguration (`cpp/boost/tls-settings-misconfiguration`) | Query id change | Query id renamed from `cpp/boost/tls_settings_misconfiguration` (underscores to dashes) |
27
+
| Boost\_asio TLS Settings Misconfiguration (`cpp/boost/tls-settings-misconfiguration`) | Query id change | The identifier was updated to use dashes in place of underscores (previous identifier `cpp/boost/tls_settings_misconfiguration`). |
19
28
| Buffer not sufficient for string (`cpp/overflow-calculated`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
20
29
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) || This query is no longer run on LGTM. |
21
30
| Memory is never freed (`cpp/memory-never-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
22
31
| Memory may not be freed (`cpp/memory-may-not-be-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
23
-
| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed false positive results in template code. |
24
-
| Missing return statement (`cpp/missing-return`) | Fewer false positive results | Functions containing `asm` statements are no longer highlighted by this query. |
25
-
| Missing return statement (`cpp/missing-return`) | More accurate locations | Locations reported by this query are now more accurate in some cases. |
26
-
| No space for zero terminator (`cpp/no-space-for-terminator`) | More correct results | String arguments to formatting functions are now (usually) expected to be null terminated strings. |
27
-
| No space for zero terminator (`cpp/no-space-for-terminator`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
28
-
| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings. This approach produces fewer, more accurate results. |
| Missing return statement (`cpp/missing-return`) | Fewer false positive results and more accurate locations | Functions containing `asm` statements are no longer highlighted by this query. The locations reported by this query are now more accurate in some cases. |
34
+
| No space for zero terminator (`cpp/no-space-for-terminator`) | More results with greater precision | The query gives more precise results for a wider variety of buffer allocations. String arguments to formatting functions are now (usually) expected to be null terminated strings. Use of the `semmle.code.cpp.models.interfaces.Allocation` library identifies problems with a wider variety of buffer allocations. This query is also more conservative when identifying which pointers point to null-terminated strings. |
29
35
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. Cases where the tainted allocation size is range checked are more reliably excluded. |
30
36
| Overloaded assignment does not return 'this' (`cpp/assignment-does-not-return-this`) | Fewer false positive results | This query no longer reports incorrect results in template classes. |
31
-
|Signed overflow check (`cpp/signed-overflow-check`), Pointer overflow check (`cpp/pointer-overflow-check`), Possibly wrong buffer size in string copy (`cpp/bad-strncpy-size`) | More correct results | A new library is used for determining which expressions have identical value, giving more precise results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
37
+
| Pointer overflow check (`cpp/pointer-overflow-check`),</br> Possibly wrong buffer size in string copy (`cpp/bad-strncpy-size`),</br> Signed overflow check (`cpp/signed-overflow-check`) | More correct results | A new library is used for determining which expressions have identical value, giving more precise results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
32
38
| Unsafe array for days of the year (`cpp/leap-year/unsafe-array-for-days-of-the-year`) || This query is no longer run on LGTM. |
33
39
| Unsigned comparison to zero (`cpp/unsigned-comparison-zero`) | More correct results | This query now also looks for comparisons of the form `0 <= x`. |
34
40
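Review bot: the `</br>` separators in the added "Pointer overflow check" row are not valid HTML (a closing tag with no opening tag); use `<br>` or `<br/>` so the three query names render on separate lines as intended. In the merged "No space for zero terminator" row, "null terminated strings" and "null-terminated strings" both appear in the same cell, so pick the hyphenated form, and the sentences "The query gives more precise results for a wider variety of buffer allocations" and "Use of the ... library identifies problems with a wider variety of buffer allocations" say the same thing and could be collapsed into one.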
@@ -40,9 +46,9 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
40
46
* The data-flow library (`semmle.code.cpp.dataflow.DataFlow` and
41
47
`semmle.code.cpp.dataflow.TaintTracking`) has been improved, which affects
42
48
and improves some security queries. The improvements are:
43
-
- Track flow through functions that combine taint tracking with flow through fields.
44
-
- Track flow through clone-like functions, that is, functions that read contents of a field from a
45
-
parameter and stores the value in the field of a returned object.
49
+
- Track flow through functions that combine taint tracking with flow through fields.
50
+
- Track flow through clone-like functions, that is, functions that read contents of a field from a
51
+
parameter and stores the value in the field of a returned object.
46
52
* The security pack taint tracking library
47
53
(`semmle.code.cpp.security.TaintTracking`) uses a new intermediate
48
54
representation. This provides a more precise analysis of flow through
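Review bot: the re-indented sub-bullet on the added lines still reads "functions that read contents of a field from a parameter and stores the value"; the subject is "functions", so it should be "store the value". Since this hunk only changes the indentation of these two bullets, it is the natural place to fix that agreement on the `+` lines rather than carrying the error over.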
@@ -52,28 +58,27 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
52
58
(`semmle.code.cpp.valuenumbering.GlobalValueNumbering`) uses a new
53
59
intermediate representation to provide a more precise analysis of
54
60
heap-allocated memory and pointers to stack variables.
55
-
* Created the `semmle.code.cpp.models.interfaces.Allocation` library to model
56
-
allocation such as `new` expressions and calls to `malloc`. This in intended
57
-
to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more
58
-
consistent and useful interface.
59
-
* The predicate `freeCall` in `semmle.code.cpp.commons.Alloc` has been
60
-
deprecated. The`Allocation` and `Deallocation` models in
61
-
`semmle.code.cpp.models.interfaces` should be used instead.
62
-
* Created the `semmle.code.cpp.models.interfaces.Deallocation` library to
63
-
model deallocation such as `delete` expressions and calls to `free`. This
64
-
in intended to replace the functionality in `semmle.code.cpp.commons.Alloc`
65
-
with a more consistent and useful interface.
61
+
* New libraries have been created to provide a more consistent and useful interface
62
+
for modeling allocation and deallocation. These replace the old
63
+
`semmle.code.cpp.commons.Alloc` library.
64
+
* The new `semmle.code.cpp.models.interfaces.Allocation` library models
65
+
allocations, such as `new` expressions and calls to `malloc`.
66
+
* The new `semmle.code.cpp.models.interfaces.Deallocation` library
67
+
models deallocations, such as `delete` expressions and calls to `free`.
68
+
* The predicate `freeCall` in `semmle.code.cpp.commons.Alloc` has been
69
+
deprecated. The `Allocation` and `Deallocation` models in
70
+
`semmle.code.cpp.models.interfaces` should be used instead.
66
71
* The new class `StackVariable` should be used in place of `LocalScopeVariable`
67
72
in most cases. The difference is that `StackVariable` does not include
68
73
variables declared with `static` or `thread_local`.
69
-
* As a rule of thumb, custom queries about the _values_ of variables should
70
-
be changed from `LocalScopeVariable` to `StackVariable`, while queries
71
-
about the _name or scope_ of variables should remain unchanged.
72
-
* The `LocalScopeVariableReachability` library is deprecated in favor of
73
-
`StackVariableReachability`. The functionality is the same.
74
+
* As a rule of thumb, custom queries about the _values_ of variables should
75
+
be changed from `LocalScopeVariable` to `StackVariable`, while queries
76
+
about the _name or scope_ of variables should remain unchanged.
77
+
* The `LocalScopeVariableReachability` library is deprecated in favor of
78
+
`StackVariableReachability`. The functionality is the same.
74
79
* Taint tracking and data flow now features better modeling of commonly-used
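Review bot: the new lead bullet "These replace the old `semmle.code.cpp.commons.Alloc` library" is stronger than the text it replaces ("intended to replace the functionality in ...") and sits awkwardly next to the following bullet, which says only that the `freeCall` predicate in that library has been deprecated, implying the library itself still exists in this release. Suggest "These are intended to replace the old `semmle.code.cpp.commons.Alloc` library." so readers do not conclude that `commons.Alloc` has been removed. Also, if the `Allocation` and `Deallocation` bullets are meant as sub-points of the lead bullet (as the wording "The new ... library models" suggests), indent them under it as is done for the data-flow sub-bullets in the previous hunk.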