- Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension
.model.ymlfiles, rather than by writing classes in QL code. New models should be added in thelib/extfolder.
- A partial model for the
Boost.Asionetwork library has been added. This includes sources, sinks and summaries for certain functions inBoost.Asio, such asread_untilandwrite.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
No user-facing changes.
- Deleted the deprecated
GlobalValueNumberingImpl.qllimplementation.
- Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See
dataflow/ExternalFlow.qllfor documentation and specification of the model format, andmodels/implementations/ZMQ.qllfor a simple example of models. Importing models from.ymlis not yet supported.
- Source models have been added for the standard library function
getc(and variations). - Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
- Parameters of functions without definitions now have
ParameterNodes. - The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
No user-facing changes.
- Added a
TaintInheritingContentclass that can be extended to model taint flowing from a qualifier to a field. - Added a predicate
GuardCondition.comparesEq/4to query whether an expression is compared to a constant. - Added a predicate
GuardCondition.ensuresEq/4to query whether a basic block is guarded by an expression being equal to a constant. - Added a predicate
GuardCondition.comparesLt/4to query whether an expression is compared to a constant. - Added a predicate
GuardCondition.ensuresLt/4to query whether a basic block is guarded by an expression being less than a constant. - Added a predicate
GuardCondition.valueControlsto query whether a basic block is guarded by a particularcaseof aswitchstatement.
- Added destructors for temporary objects with extended lifetimes to the intermediate representation.
No user-facing changes.
No user-facing changes.
- Added destructors for named objects to the intermediate representation.
- A
getInitializationpredicate was added to theRangeBasedForStmtclass that yields the C++20-style initializer of the range-basedforstatement when it exists.
- Added the
PreprocBlock.qlllibrary to this repository. This library offers a view of#if,#elif,#elseand similar directives as a tree with navigable parent-child relationships. - Added a new
ThrowingFunctionabstract class that can be used to model an external function that may throw an exception.
- Deleted many deprecated predicates and classes with uppercase
XML,SSA,SAL,SQL, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
StrcatFunctionclass, usesemmle.code.cpp.models.implementations.Strcat.qllinstead.
- The
isUserInput,userInputArgument, anduserInputReturnedpredicates fromSecurityOptionshave been deprecated. UseFlowSourceinstead.
UserDefineLiteralandDeductionGuideclasses have been added, representing C++11 user defined literals and C++17 deduction guides.
- Changed the output of
Node.toStringto better reflect how many indirections a given dataflow node has. - Added a new predicate
Node.asDefinitiononDataFlow::Nodes for selecting the dataflow node corresponding to a particular definition. - The deprecated
DefaultTaintTrackinglibrary has been removed. - The
Guardslibrary has been replaced with the API-compatibleIRGuardsimplementation, which has better precision in some cases.
- Under certain circumstances a function declaration that is not also a definition could be associated with a
Functionthat did not have the definition as aFunctionDeclarationEntry. This is now fixed when only one definition exists, and a uniqueFunctionwill exist that has both the declaration and the definition as aFunctionDeclarationEntry.
No user-facing changes.
- Added an
isPrototypedpredicate toFunctionthat holds when the function has a prototype.
- The expressions
AssignPointerAddExprandAssignPointerSubExprare no longer subtypes ofAssignBitwiseOperation.
- The "Returning stack-allocated memory" (
cpp/return-stack-allocated-memory) query now also detects returning stack-allocated memory allocated by calls toalloca,strdupa, andstrndupa. - Added models for
strlcpyandstrlcat. - Added models for the
sprintfvariants from theStrSafe.hheader. - Added SQL API models for
ODBC. - Added taint models for
reallocand related functions.
- The
ContainerandFolderclasses now derive fromElementBaseinstead ofLocatable, and no longer expose thegetLocationpredicate. UsegetURLinstead.
- Added a new class
AdditionalCallTargetfor specifying additional call targets.
- More field accesses are identified as
ImplicitThisFieldAccess. - Added support for new floating-point types in C23 and C++23.
- Deleted the deprecated
AnalysedStringclass, use the new nameAnalyzedString. - Deleted the deprecated
isBarrierGuardpredicate from the dataflow library and its uses, useisBarrierand theBarrierGuardmodule instead.
- Functions that do not return due to calling functions that don't return (e.g.
exit) are now detected as non-returning in the IR and dataflow. - Treat functions that reach the end of the function as returning in the IR. They used to be treated as unreachable but it is allowed in C.
- The
DataFlow::asDefiningArgumentpredicate now takes its argument from the range starting at1instead of2. Queries that depend on the single-parameter version ofDataFlow::asDefiningArgumentshould have their arguments updated accordingly.
No user-facing changes.
getAllocatorCallonDeleteExprandDeleteArrayExprhas been deprecated.getDeallocatorCallshould be used instead.
- Added
DeleteOrDeleteArrayExpras a super type ofDeleteExprandDeleteArrayExpr
deleteanddelete[]are now modeled as calls to the relevantoperator deletein the IR. In the case of a dynamic delete call a new instructionVirtualDeleteFunctionAddressis used to represent a function that dispatches to the correct delete implementation.- Only the 2 level indirection of
argv(corresponding to**argv) is consided forFlowSource.
No user-facing changes.
- The
shouldPrintFunctionpredicate fromPrintAstConfigurationhas been replaced byshouldPrintDeclaration. Users should now overrideshouldPrintDeclarationif they want to limit the declarations that should be printed. - The
shouldPrintFunctionpredicate fromPrintIRConfigurationhas been replaced byshouldPrintDeclaration. Users should now overrideshouldPrintDeclarationif they want to limit the declarations that should be printed.
- The
PrintASTlibrary now also prints global and namespace variables and their initializers.
- The
_Float128xtype is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
- The library
semmle.code.cpp.dataflow.DataFlowhas been deprecated. Please usesemmle.code.cpp.dataflow.new.DataFlowinstead.
- The
DataFlow::StateConfigSigsignature module has gained default implementations forisBarrier/2andisAdditionalFlowStep/4. Hence it is no longer needed to providenone()implementations of these predicates if they are not needed.
- Data flow configurations can now include a predicate
neverSkip(Node node)in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations. - The
IRGuardslibrary has improved handling of pointer addition and subtraction operations.
- The
ProductFlow::StateConfigSigsignature now includes default predicates forisBarrier1,isBarrier2,isAdditionalFlowStep1, andisAdditionalFlowStep1. Hence, it is no longer needed to providenone()implementations of these predicates if they are not needed.
- Deleted the deprecated
getURLpredicate from theContainer,Folder, andFileclasses. Use thegetLocationpredicate instead.
No user-facing changes.
- Deleted the deprecated
hasCopyConstructorpredicate from theClassclass inClass.qll. - Deleted many deprecated predicates and classes with uppercase
AST,SSA,CFG,API, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
CodeDuplication.qllfile.
- Added an AST-based interface (
semmle.code.cpp.rangeanalysis.new.RangeAnalysis) for the relative range analysis library. - A new predicate
BarrierGuard::getAnIndirectBarrierNodehas been added to the new dataflow library (semmle.code.cpp.dataflow.new.DataFlow) to mark indirect expressions as barrier nodes using theBarrierGuardAPI.
- In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermedite representation or libraries based on it, including the new data flow library.
- The
StdNamespaceclass now also includes all inline namespaces that are children ofstdnamespace. - The new dataflow (
semmle.code.cpp.dataflow.new.DataFlow) and taint-tracking libraries (semmle.code.cpp.dataflow.new.TaintTracking) now support tracking flow through static local variables.
No user-facing changes.
- The internal
SsaConsistencymodule has been moved fromSSAConstructiontoSSAConsitency, and the deprecatedSSAConsistencymodule has been removed.
- The single-parameter predicates
ArrayOrVectorAggregateLiteral.getElementExprandClassAggregateLiteral.getFieldExprhave been deprecated in favor ofArrayOrVectorAggregateLiteral.getAnElementExprandClassAggregateLiteral.getAFieldExpr. - The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
- The
SslContextCallAbstractConfig,SslContextCallConfig,SslContextCallBannedProtocolConfig,SslContextCallTls12ProtocolConfig,SslContextCallTls13ProtocolConfig,SslContextCallTlsProtocolConfig,SslContextFlowsToSetOptionConfig,SslOptionConfigdataflow configurations fromBoostorgAsiohave been deprecated. Please useSslContextCallConfigSig,SslContextCallGlobal,SslContextCallFlow,SslContextCallBannedProtocolFlow,SslContextCallTls12ProtocolFlow,SslContextCallTls13ProtocolFlow,SslContextCallTlsProtocolFlow,SslContextFlowsToSetOptionFlow.
- Added overridable predicates
getSizeExprandgetSizeMultto theBufferAccessclass (semmle.code.cpp.security.BufferAccess.qll). This makes it possible to model a larger class of buffer reads and writes using the library.
- The
BufferAccesslibrary (semmle.code.cpp.security.BufferAccess) no longer matches buffer accesses inside unevaluated contexts (such as insidesizeofordecltypeexpressions). As a result, queries using this library may see fewer false positives.
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular
DataFlow::hasFlowPath,DataFlow::hasFlow,DataFlow::hasFlowTo, andDataFlow::hasFlowToExprwere accidentally exposed in a single version.
No user-facing changes.
- The
semmle.code.cpp.commons.Bufferandsemmle.code.cpp.commons.NullTerminationlibraries no longer exposesemmle.code.cpp.dataflow.DataFlow. Please importsemmle.code.cpp.dataflow.DataFlowdirectly.
- The
WriteConfigtaint tracking configuration has been deprecated. Please useWriteFlow.
- Added support for merging two
PathGraphs via disjoint union to allow results from multiple data flow computations in a singlepath-problemquery.
-
A new C/C++ dataflow library (
semmle.code.cpp.dataflow.new.DataFlow) has been added. The new library behaves much more like the dataflow library of other CodeQL supported languages by following use-use dataflow paths instead of def-use dataflow paths. The new library also better supports dataflow through indirections, and new predicates such asNode::asIndirectExprhave been added to facilitate working with indirections.The
semmle.code.cpp.ir.dataflow.DataFlowlibrary is now identical to the newsemmle.code.cpp.dataflow.new.DataFlowlibrary. -
The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
- Deleted the deprecated
hasGeneratedCopyConstructorandhasGeneratedCopyAssignmentOperatorpredicates from theFolderclass. - Deleted the deprecated
getPathandgetFolderpredicates from theXmlFileclass. - Deleted the deprecated
getMustlockFunction,getTrylockFunction,getLockFunction, andgetUnlockFunctionpredicates from theMutexTypeclass. - Deleted the deprecated
getPosInBasicBlockpredicate from theSubBasicBlockclass. - Deleted the deprecated
getExprpredicate from thePointerDereferenceExprclass. - Deleted the deprecated
getUseInstructionandgetDefinitionInstructionpredicates from theOperandclass. - Deleted the deprecated
isInParameter,isInParameterPointer, andisInQualifierpredicates from theFunctionInputclass. - Deleted the deprecated
isOutParameterPointer,isOutQualifier,isOutReturnValue, andisOutReturnPointerpredicate from theFunctionOutputclass. - Deleted the deprecated 3-argument
isGuardPhipredicate from theRangeSsaDefinitionclass.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
The predicates in the MustFlow::Configuration class used by the MustFlow library (semmle.code.cpp.ir.dataflow.MustFlow) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
- Deprecated
semmle.code.cpp.ir.dataflow.DefaultTaintTracking. Usesemmle.code.cpp.ir.dataflow.TaintTracking. - Deprecated
semmle.code.cpp.security.TaintTrackingImpl. Usesemmle.code.cpp.ir.dataflow.TaintTracking. - Deprecated
semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl. Usesemmle.code.cpp.valuenumbering.GlobalValueNumbering, which exposes the same API.
- The
ArgvSourceflow source now uses the second parameter ofmainas its source instead of the uses of this parameter. - The
ArgvSourceflow source has been generalized to handle cases where the argument vector ofmainis not namedargv. - The
getaddrinfofunction is now recognized as a flow source. - The
secure_getenvand_wgetenvfunctions are now recognized as local flow sources. - The
scanfandfscanffunctions and their variants are now recognized as flow sources. - Deleted the deprecated
getNameandgetShortNamepredicates from theFolderclass.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Fixed bugs in the
FormatLiteralclass that were causinggetMaxConvertedLengthand related predicates to return no results when the format literal was%e,%for%gand an explicit precision was specified.
No user-facing changes.
No user-facing changes.
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Added subclasses of
BuiltInOperationsfor__is_same,__is_function,__is_layout_compatible,__is_pointer_interconvertible_base_of,__is_array,__array_rank,__array_extent,__is_arithmetic,__is_complete_type,__is_compound,__is_const,__is_floating_point,__is_fundamental,__is_integral,__is_lvalue_reference,__is_member_function_pointer,__is_member_object_pointer,__is_member_pointer,__is_object,__is_pointer,__is_reference,__is_rvalue_reference,__is_scalar,__is_signed,__is_unsigned,__is_void, and__is_volatile.
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
- Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Added support for getting the link targets of global and namespace variables.
- Added a
BlockAssignExprclass, which models amemcpy-like operation used in compiler generated copy/move constructors and assignment operations.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Added a predicate
getValueConstanttoAttributeArgumentthat yields the argument value as anExprwhen the value is a constant expression. - A new class predicate
MustFlowConfiguration::allowInterproceduralFlowhas been added to thesemmle.code.cpp.ir.dataflow.MustFlowlibrary. The new predicate can be overridden to disable interprocedural flow. - Added subclasses of
BuiltInOperationsfor__builtin_bit_cast,__builtin_shuffle,__has_unique_object_representations,__is_aggregate, and__is_assignable.
- The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
- Under certain circumstances a variable declaration that is not also a definition could be associated with a
Variablethat did not have the definition as aVariableDeclarationEntry. This is now fixed, and a uniqueVariablewill exist that has both the declaration and the definition as aVariableDeclarationEntry.
AnalysedExpr::isNullCheckandAnalysedExpr::isValidCheckhave been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
- The
BarrierGuardclass has been deprecated. Such barriers and sanitizers can now instead be created using the newBarrierGuardparameterized module.
UserType.getADeclarationEntry()now yields all forward declarations when the user type is aclass,struct, orunion.
- An
isBracedpredicate was added to theInitializerclass which holds when a C++ braced initializer was used in the initialization.
- The
AnalysedStringclass in theStringAnalysismodule has been replaced withAnalyzedString, to follow our style guide. The old name still exists as a deprecated alias.
- A
getInitializationpredicate was added to theConstexprIfStmt,IfStmt, andSwitchStmtclasses that yields the C++17-style initializer of theiforswitchstatement when it exists.
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
- More Windows pool allocation functions are now detected as
AllocationFunctions. - The
semmle.code.cpp.commons.Bufferlibrary has been enhanced to handle array members of classes that do not specify a size.
- The recently added flow-state versions of
isBarrierIn,isBarrierOut,isSanitizerIn, andisSanitizerOutin the data flow and taint tracking libraries have been removed.
- A new library
semmle.code.cpp.security.PrivateDatahas been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
- The
semmle.code.cpp.security.SensitiveExprslibrary has been enhanced with some additional rules for detecting credentials.
- The flow state variants of
isBarrierandisAdditionalFlowStepare no longer exposed in the taint tracking library. TheisSanitizerandisAdditionalTaintSteppredicates should be used instead.
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- The data flow and taint tracking libraries have been extended with versions of
isBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.
DefaultOptions::exitsnow holds for C11 functions with the_Noreturnornoreturnspecifier.hasImplicitCopyConstructorandhasImplicitCopyAssignmentOperatornow correctly handle implicitly-deleted operators in templates.- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Many queries now support structured bindings, as structured bindings are now handled in the IR translation.
- Added a
isStructuredBindingpredicate to theVariableclass which holds when the variable is declared as part of a structured binding declaration.
- The
codeql/cpp-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/cpp-allCodeQL pack.
FormatLiteral::getMaxConvertedLengthnow uses range analysis to provide a more accurate length for integers formatted with%x
- The QL library
semmle.code.cpp.commons.Exclusionsnow contains a predicateisFromSystemMacroDefinitionfor identifying code that originates from a macro outside the project being analyzed.