| Boost\_asio TLS Settings Misconfiguration (`cpp/boost/tls-settings-misconfiguration`) | Query id change | The identifier was updated to use dashes in place of underscores (previous identifier `cpp/boost/tls_settings_misconfiguration`). |
17
28
| Buffer not sufficient for string (`cpp/overflow-calculated`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
18
-
|No space for zero terminator (`cpp/no-space-for-terminator`) |More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
29
+
|Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) || This query is no longer run on LGTM. |
19
30
| Memory is never freed (`cpp/memory-never-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
20
31
| Memory may not be freed (`cpp/memory-may-not-be-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
21
-
| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed false positive results in template code. |
22
-
| Missing return statement (`cpp/missing-return`) | Fewer false positive results | Functions containing `asm` statements are no longer highlighted by this query. |
23
-
| Missing return statement (`cpp/missing-return`) | More accurate locations | Locations reported by this query are now more accurate in some cases. |
24
-
| No space for zero terminator (`cpp/no-space-for-terminator`) | More correct results | String arguments to formatting functions are now (usually) expected to be null terminated strings. |
25
-
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) || This query is no longer run on LGTM. |
26
-
| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings. This approach produces fewer, more accurate results. |
27
-
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | Cases where the tainted allocation size is range checked are now more reliably excluded. |
28
-
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. |
| Missing return statement (`cpp/missing-return`) | Fewer false positive results and more accurate locations | Functions containing `asm` statements are no longer highlighted by this query. The locations reported by this query are now more accurate in some cases. |
34
+
| No space for zero terminator (`cpp/no-space-for-terminator`) | More results with greater precision | The query gives more precise results for a wider variety of buffer allocations. String arguments to formatting functions are now (usually) expected to be null terminated strings. Use of the `semmle.code.cpp.models.interfaces.Allocation` library identifies problems with a wider variety of buffer allocations. This query is also more conservative when identifying which pointers point to null-terminated strings. |
35
+
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. Cases where the tainted allocation size is range checked are more reliably excluded. |
29
36
| Overloaded assignment does not return 'this' (`cpp/assignment-does-not-return-this`) | Fewer false positive results | This query no longer reports incorrect results in template classes. |
37
+
| Pointer overflow check (`cpp/pointer-overflow-check`),<br> Possibly wrong buffer size in string copy (`cpp/bad-strncpy-size`),<br> Signed overflow check (`cpp/signed-overflow-check`) | More correct results | A new library is used for determining which expressions have identical value, giving more precise results. There is a performance cost to this, and the LGTM suite will overall run slower than before. |
30
38
| Unsafe array for days of the year (`cpp/leap-year/unsafe-array-for-days-of-the-year`) || This query is no longer run on LGTM. |
31
39
| Unsigned comparison to zero (`cpp/unsigned-comparison-zero`) | More correct results | This query now also looks for comparisons of the form `0 <= x`. |
32
40
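Review bot: the deleted "Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`)" row ("Fixed false positive results in template code") has no merged replacement among the added rows, unlike the other duplicated entries (`cpp/missing-return`, `cpp/no-space-for-terminator`, `cpp/uncontrolled-allocation-size`), which are each consolidated into a single row; if the drop is not intentional, restore that row in its alphabetical position between "Memory may not be freed" and "Missing return statement". Also, the merged `cpp/no-space-for-terminator` row uses both "null terminated strings" and "null-terminated strings" in the same cell; use the hyphenated form throughout.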
33
41
## Changes to libraries
34
42
35
-
* The data-flow library has been improved, which affects and improves some security queries. The improvements are:
36
-
- Track flow through functions that combine taint tracking with flow through fields.
37
-
- Track flow through clone-like functions, that is, functions that read contents of a field from a
38
-
parameter and stores the value in the field of a returned object.
39
-
* Created the `semmle.code.cpp.models.interfaces.Allocation` library to model allocation such as `new` expressions and calls to `malloc`. This in intended to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more consistent and useful interface.
40
-
* Created the `semmle.code.cpp.models.interfaces.Deallocation` library to model deallocation such as `delete` expressions and calls to `free`. This in intended to replace the functionality in `semmle.code.cpp.commons.Alloc` with a more consistent and useful interface.
43
+
* The built-in C++20 "spaceship operator" (`<=>`) is now supported via the QL
44
+
class `SpaceshipExpr`. Overloaded forms are modeled as calls to functions
45
+
named `operator<=>`.
46
+
* The data-flow library (`semmle.code.cpp.dataflow.DataFlow` and
47
+
`semmle.code.cpp.dataflow.TaintTracking`) has been improved, which affects
48
+
and improves some security queries. The improvements are:
49
+
- Track flow through functions that combine taint tracking with flow through fields.
50
+
- Track flow through clone-like functions, that is, functions that read contents of a field from a
51
+
parameter and stores the value in the field of a returned object.
52
+
* The security pack taint tracking library
53
+
(`semmle.code.cpp.security.TaintTracking`) uses a new intermediate
54
+
representation. This provides a more precise analysis of flow through
55
+
parameters and pointers. For new queries, however, we continue to recommend
56
+
using `semmle.code.cpp.dataflow.TaintTracking`.
57
+
* The global value numbering library
58
+
(`semmle.code.cpp.valuenumbering.GlobalValueNumbering`) uses a new
59
+
intermediate representation to provide a more precise analysis of
60
+
heap-allocated memory and pointers to stack variables.
61
+
* New libraries have been created to provide a more consistent and useful interface
62
+
for modeling allocation and deallocation. These replace the old
63
+
`semmle.code.cpp.commons.Alloc` library.
64
+
* The new `semmle.code.cpp.models.interfaces.Allocation` library models
65
+
allocations, such as `new` expressions and calls to `malloc`.
66
+
* The new `semmle.code.cpp.models.interfaces.Deallocation` library
67
+
models deallocations, such as `delete` expressions and calls to `free`.
68
+
* The predicate `freeCall` in `semmle.code.cpp.commons.Alloc` has been
69
+
deprecated. The `Allocation` and `Deallocation` models in
70
+
`semmle.code.cpp.models.interfaces` should be used instead.
41
71
* The new class `StackVariable` should be used in place of `LocalScopeVariable`
42
72
in most cases. The difference is that `StackVariable` does not include
43
73
variables declared with `static` or `thread_local`.
44
-
* As a rule of thumb, custom queries about the _values_ of variables should
45
-
be changed from `LocalScopeVariable` to `StackVariable`, while queries
46
-
about the _name or scope_ of variables should remain unchanged.
47
-
* The `LocalScopeVariableReachability` library is deprecated in favor of
48
-
`StackVariableReachability`. The functionality is the same.
49
-
* The models library models `strlen` in more detail, and includes common variations such as `wcslen`.
50
-
* The models library models `gets` and similar functions.
51
-
* The models library now partially models `std::string`.
52
-
* The taint tracking library (`semmle.code.cpp.dataflow.TaintTracking`) has had
53
-
the following improvements:
54
-
* The library now models data flow through `strdup` and similar functions.
55
-
* The library now models data flow through formatting functions such as `sprintf`.
56
-
* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) uses a new intermediate representation. This provides a more precise analysis of pointers to stack variables and flow through parameters, improving the results of many security queries.
57
-
* The global value numbering library (`semmle.code.cpp.valuenumbering.GlobalValueNumbering`) uses a new intermediate representation to provide a more precise analysis of heap allocated memory and pointers to stack variables.
58
-
*`freeCall` in `semmle.code.cpp.commons.Alloc` has been deprecated. The`Allocation` and `Deallocation` models in `semmle.code.cpp.models.interfaces` should be used instead.
74
+
* As a rule of thumb, custom queries about the _values_ of variables should
75
+
be changed from `LocalScopeVariable` to `StackVariable`, while queries
76
+
about the _name or scope_ of variables should remain unchanged.
77
+
* The `LocalScopeVariableReachability` library is deprecated in favor of
78
+
`StackVariableReachability`. The functionality is the same.
79
+
* Taint tracking and data flow now features better modeling of commonly-used
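Review bot: the re-added data-flow bullets keep the subject-verb disagreement from the deleted text, "functions that read contents of a field from a parameter and stores the value in the field of a returned object"; the C# version of this same sentence later in the change is corrected to "read the contents ... and store the value", so apply the same fix here while the list is being rewritten. The final added bullet, "Taint tracking and data flow now features better modeling of commonly-used", has a compound subject and should read "feature"; its continuation is not visible in this view, and since it replaces the deleted bullets that named `strlen`, `wcslen`, `gets`, `std::string`, `strdup` and `sprintf` individually, confirm those function names survive in the consolidated text so readers searching the change notes can still find them.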
| Assembly path injection (`cs/assembly-path-injection`) | security, external/cwe/cwe-114 | Finds user-controlled data used to load an assembly. |
10
-
| Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. |
| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could make the application less secure. |
13
-
| Serialization check bypass (`cs/serialization-check-bypass`) | security, external/cwe/cwe-20 | Finds where data is not validated in a deserialization method. |
14
-
| XML injection (`cs/xml-injection`) | security, external/cwe/cwe-091 | Finds user-controlled data that is used to write directly to an XML document. |
13
+
| Assembly path injection (`cs/assembly-path-injection`) | security, external/cwe/cwe-114 | Finds user-controlled data used to load an assembly. Results are shown on LGTM by default. |
14
+
| Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. By default, the query is not run on LGTM. |
15
+
| Insecure SQL connection (`cs/insecure-sql-connection`) | security, external/cwe/cwe-327 | Finds unencrypted SQL connection strings. Results are not shown on LGTM by default. |
16
+
| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could make the application less secure. By default, the query is not run on LGTM. |
17
+
| Serialization check bypass (`cs/serialization-check-bypass`) | security, external/cwe/cwe-20 | Finds where data is not validated in a deserialization method. Results are not shown on LGTM by default. |
18
+
| XML injection (`cs/xml-injection`) | security, external/cwe/cwe-091 | Finds user-controlled data that is used to write directly to an XML document. Results are shown on LGTM by default. |
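Review bot: the added rows describe LGTM status with three different phrasings ("Results are shown on LGTM by default", "By default, the query is not run on LGTM", "Results are not shown on LGTM by default"); pick one formulation per state so the column can be scanned. The `cs/serialization-check-bypass` row tags `external/cwe/cwe-20` while every neighbouring row uses a three-digit id (`cwe-016`, `cwe-091`, `cwe-114`, `cwe-327`); check the query's actual tag and align the table with it.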
| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the variable is named `_` in a `foreach` statement. |
21
-
| Potentially dangerous use of non-short-circuit logic (`cs/non-short-circuit`) | Fewer false positive results | Results have been removed when the expression contains an `out` parameter. |
22
24
| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
23
-
| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. |
24
-
| XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to methods on `System.Xml.XPath.XPathNavigator` objects. |
25
-
| Information exposure through transmitted data (`cs/sensitive-data-transmission`) | More results | The query now recognizes writes to cookies and writes to ASP.NET (`Inner`)`Text` properties as additional sinks. |
26
25
| Information exposure through an exception (`cs/information-exposure-through-exception`) | More results | The query now recognizes writes to cookies, writes to ASP.NET (`Inner`)`Text` properties, and email contents as additional sinks. |
27
-
28
-
## Removal of old queries
26
+
| Information exposure through transmitted data (`cs/sensitive-data-transmission`) | More results | The query now recognizes writes to cookies and writes to ASP.NET (`Inner`)`Text` properties as additional sinks. |
27
+
| Potentially dangerous use of non-short-circuit logic (`cs/non-short-circuit`) | Fewer false positive results | Results have been removed when the expression contains an `out` parameter. |
28
+
| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. Results have also been removed when the variable is named `_` in a `foreach` statement. |
29
+
| XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to methods on `System.Xml.XPath.XPathNavigator` objects. |
29
30
30
31
## Changes to code extraction
31
32
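Review bot: the re-added "Information exposure through transmitted data" row writes the sinks as (`Inner`)`Text`, which renders as two separate code spans around a parenthesis; since the row is being rewritten anyway, spell out `InnerText` and `Text` properties, and consider the same change for the unchanged "Information exposure through an exception" row above it. The merged `cs/useless-assignment-to-local` row correctly carries over both deleted entries (the `_` in `foreach` case and the cast default-like value case).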
@@ -37,13 +38,11 @@ The following changes in version 1.24 affect C# analysis in all applications.
37
38
## Changes to libraries
38
39
39
40
* The data-flow library has been improved, which affects and improves most security queries. The improvements are:
40
-
- Track flow through methods that combine taint tracking with flow through fields.
41
-
- Track flow through clone-like methods, that is, methods that read contents of a field from a
42
-
parameter and stores the value in the field of a returned object.
41
+
- Track flow through methods that combine taint tracking with flow through fields.
42
+
- Track flow through clone-like methods, that is, methods that read the contents of a field from a
43
+
parameter and store the value in the field of a returned object.
43
44
* The taint tracking library now tracks flow through (implicit or explicit) conversion operator calls.
44
45
*[Code contracts](https://docs.microsoft.com/en-us/dotnet/framework/debug-trace-profile/code-contracts) are now recognized, and are treated like any other assertion methods.
45
46
* Expression nullability flow state is given by the predicates `Expr.hasNotNullFlowState()` and `Expr.hasMaybeNullFlowState()`.
46
47
*`stackalloc` array creations are now represented by the QL class `Stackalloc`. Previously they were represented by the class `ArrayCreation`.
47
-
* A new class `RemoteFlowSink` has been added to model sinks where data might be exposed to external users. Examples include web page output, e-mails, and cookies.
48
-
49
-
## Changes to autobuilder
48
+
* A new class `RemoteFlowSink` has been added to model sinks where data might be exposed to external users. Examples include web page output, emails, and cookies.
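Review bot: moving the `RemoteFlowSink` bullet to the end of the list is fine, but the two unchanged bullets just above it, "*[Code contracts]..." and "*`stackalloc`...", lack the space after `*` that the other items have, so Markdown will not render them as list items; since this hunk already touches the list, add the space to both. The "e-mails" to "emails" change matches the "email contents" wording used in the C# query table earlier in this change.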