- The
cpp/dangerous-function-overflowno longer produces a false positive alert when thegetsfunction does not have exactly one parameter.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
- The "Use of unique pointer after lifetime ends" query (
cpp/use-of-unique-pointer-after-lifetime-ends) no longer reports an alert when the pointer is converted to a boolean - The "Variable not initialized before use" query (
cpp/not-initialised) no longer reports an alert on static variables.
- Added a new query,
cpp/iterator-to-expired-container, to detect the creation of iterators owned by a temporary objects that are about to be destroyed.
- The "Uncontrolled data used in path expression" query (
cpp/path-injection) query produces fewer near-duplicate results. - The "Global variable may be used before initialization" query (
cpp/global-use-before-init) no longer raises an alert on global variables that are initialized when they are declared. - The "Inconsistent null check of pointer" query (
cpp/inconsistent-nullness-testing) query no longer raises an alert when the guarded check is in a macro expansion.
No user-facing changes.
- Added a new query,
cpp/type-confusion, to detect casts to invalid types.
@precision mediummetadata was added to thecpp/boost/tls-settings-misconfigurationandcpp/boost/use-of-deprecated-hardcoded-security-protocolqueries, and these queries are now included in the security-extended suite. The@namemetadata of these queries were also updated.
- The "Missing return-value check for a 'scanf'-like function" query (
cpp/missing-check-scanf) has been converted to apath-problemquery. - The "Potentially uninitialized local variable" query (
cpp/uninitialized-local) has been converted to apath-problemquery. - Added models for
GLiballocation and deallocation functions.
No user-facing changes.
No user-facing changes.
- The "non-constant format string" query (
cpp/non-constant-format) has been converted to apath-problemquery. - The new C/C++ dataflow and taint-tracking libraries (
semmle.code.cpp.dataflow.new.DataFlowandsemmle.code.cpp.dataflow.new.TaintTracking) now implicitly assume that dataflow and taint modelled viaDataFlowFunctionandTaintFunctionalways fully overwrite their buffers and thus act as flow barriers. As a result, many dataflow and taint-tracking queries now produce fewer false positives. To remove this assumption and go back to the previous behavior for a given model, one can override the newisPartialWritepredicate.
- The "non-constant format string" query (
cpp/non-constant-format) has been updated to produce fewer false positives. - Added dataflow models for the
gettextfunction variants.
- Corrected 2 false positive with
cpp/incorrect-string-type-conversion: conversion of byte arrays to wchar and new array allocations converted to wchar. - The "Incorrect return-value check for a 'scanf'-like function" query (
cpp/incorrectly-checked-scanf) no longer reports an alert when an explicit check for EOF is added. - The "Incorrect return-value check for a 'scanf'-like function" query (
cpp/incorrectly-checked-scanf) now recognizes more EOF checks. - The "Potentially uninitialized local variable" query (
cpp/uninitialized-local) no longer reports an alert when the local variable is used as a qualifier to a static member function call. - The diagnostic query
cpp/diagnostics/successfully-extracted-filesnow considers any C/C++ file seen during extraction, even one with some errors, to be extracted / scanned. This affects the Code Scanning UI measure of scanned C/C++ files.
- The
cpp/include-non-headerstyle query will now ignore the.defextension for textual header inclusions.
- Added a new query,
cpp/use-of-unique-pointer-after-lifetime-ends, to detect uses of the contents unique pointers that will be destroyed immediately. - The
cpp/incorrectly-checked-scanfquery has been added. This finds results where the return value of scanf is not checked correctly. Some of these were previously found bycpp/missing-check-scanfand will no longer be reported there.
- The
cpp/badly-bounded-writequery could report false positives when a pointer was first initialized with a literal and later assigned a dynamically allocated array. These false positives now no longer occur.
No user-facing changes.
- The
cpp/tainted-format-string-through-globalquery has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts fromcpp/tainted-format-string.
- Added a new query,
cpp/use-of-string-after-lifetime-ends, to detect calls toc_stron strings that will be destroyed immediately.
- The
cpp/uninitialized-localquery has been improved to produce fewer false positives.
No user-facing changes.
-
The query
cpp/redundant-null-check-simplehas been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
- The
cpp/double-freequery has been further improved to reduce false positives and its precision has been increased frommediumtohigh. - The
cpp/use-after-freequery has been further improved to reduce false positives and its precision has been increased frommediumtohigh.
- The queries
cpp/double-freeandcpp/use-after-freefind fewer false positives in cases where a non-returning function is called. - The number of duplicated dataflow paths reported by queries has been significantly reduced.
No user-facing changes.
- Added a new query,
cpp/invalid-pointer-deref, to detect out-of-bounds pointer reads and writes.
- The "Comparison where assignment was intended" query (
cpp/compare-where-assign-meant) no longer reports comparisons that appear in macro expansions. - Some queries that had repeated results corresponding to different levels of indirection for
argvnow only have a single result. - The
cpp/non-constant-formatquery no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
No user-facing changes.
No user-facing changes.
- The
cpp/uninitialized-localquery now excludes uninitialized uses that are explicitly cast to void and are expression statements. As a result, the query will report less false positives.
- The
cpp/comparison-with-wider-typequery now correctly handles relational operations on signed operators. As a result the query may find more results.
No user-facing changes.
- Added a new query,
cpp/overrun-write, to detect buffer overflows in C-style functions that manipulate buffers.
No user-facing changes.
- A new query
cpp/double-freehas been added. The query finds possible cases of deallocating the same pointer twice. The precision of the query has been set to "medium". - The query
cpp/use-after-freehas been modernized and assigned the precision "medium". The query finds cases of where a pointer is dereferenced after its memory has been deallocated.
- The query
cpp/redundant-null-check-simplehas been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
- The query
cpp/tainted-arithmeticnow also flags possible overflows in arithmetic assignment operations.
No user-facing changes.
- The
NetworkToBufferSizeConfigurationandUntrustedDataToExternalApiConfigdataflow configurations have been deprecated. Please useNetworkToBufferSizeFlowandUntrustedDataToExternalApiFlow. - The
LeapYearCheckConfiguration,FiletimeYearArithmeticOperationCheckConfiguration, andPossibleYearArithmeticOperationCheckConfigurationdataflow configurations have been deprecated. Please useLeapYearCheckFlow,FiletimeYearArithmeticOperationCheckFlowandPossibleYearArithmeticOperationCheckFlow.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- The
cpp/no-space-for-terminatorandcpp/uncontrolled-allocation-sizequeries have been enhanced with heuristic detection of allocations. These queries now find more results.
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The
cpp/missing-check-scanfquery no longer reports the free'ing ofscanfoutput variables as potential reads.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Fixed a bug in
cpp/jsf/av-rule-76that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
- Added a new medium-precision query,
cpp/comma-before-misleading-indentation, which detects instances of whitespace that have readability issues.
- The "Unterminated variadic call" (
cpp/unterminated-variadic-call) query has been tuned to produce fewer false positive results. - Fixed false positives from the "Unused static function" (
cpp/unused-static-function) query in files that had errors during compilation.
- The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
- Added a new medium-precision query,
cpp/missing-check-scanf, which detectsscanfoutput variables that are used without a proper return-value check to see that they were actually written. A variation of this query was originally contributed as an experimental query by @ihsinme.
- Modernizations from "Cleartext storage of sensitive information in buffer" (
cpp/cleartext-storage-buffer) have been ported to the "Cleartext storage of sensitive information in file" (cpp/cleartext-storage-file), "Cleartext transmission of sensitive information" (cpp/cleartext-transmission) and "Cleartext storage of sensitive information in an SQLite database" (cpp/cleartext-storage-database) queries. These changes may result in more correct results and fewer false positive results from these queries. - The alert message of many queries have been changed to make the message consistent with other languages.
- The "Cleartext storage of sensitive information in buffer" (
cpp/cleartext-storage-buffer) query has been improved to produce fewer false positives.
- The query
cpp/bad-strncpy-sizenow covers morestrncpy-like functions than before, includingstrxfrm(_l),wcsxfrm(_l), andstpncpy. Users of this query may see an increase in results.
- Contextual queries and the query libraries they depend on have been moved to the
codeql/cpp-allpackage.
- The "XML external entity expansion" (
cpp/external-entity-expansion) query precision has been increased tohigh. - The
cpp/unused-local-variableno longer ignores functions that includeifandswitchstatements with C++17-style initializers.
- The "XML external entity expansion" (
cpp/external-entity-expansion) query has been extended to support a broader selection of XML libraries and interfaces.
- An new query
cpp/external-entity-expansionhas been added. The query detects XML objects that are vulnerable to external entity expansion (XXE) attacks.
- The
cpp/cleartext-transmissionquery now recognizes additional sources, for sensitive private data such as e-mail addresses and credit card numbers. - The
cpp/unused-local-variableno longer ignores functions that include lambda expressions capturing trivially copyable objects. - The
cpp/command-line-injectionquery now takes into account calling contexts across string concatenations. This removes false positives due to mismatched calling contexts before and after string concatenations. - A new query, "Potential exposure of sensitive system data to an unauthorized control sphere" (
cpp/potential-system-data-exposure) has been added. This query is focused on exposure of information that is highly likely to be sensitive, whereas the similar query "Exposure of system data to an unauthorized control sphere" (cpp/system-data-exposure) is focused on exposure of information on a channel that is more likely to be intercepted by an attacker.
- The
cpp/overflow-destination,cpp/unclear-array-index-validation, andcpp/uncontrolled-allocation-sizequeries have been modernized and converted topath-problemqueries and provide more true positive results. - The
cpp/system-data-exposurequery has been increased frommediumtohighprecision, following a number of improvements to the query logic.
- The deprecated queries
cpp/duplicate-block,cpp/duplicate-function,cpp/duplicate-class,cpp/duplicate-file,cpp/mostly-duplicate-function,cpp/similar-file,cpp/duplicated-lines-in-fileshave been removed.
- The predicates and classes in the
CodeDuplicationlibrary have been deprecated.
- A new query titled "Use of expired stack-address" (
cpp/using-expired-stack-address) has been added. This query finds accesses to expired stack-allocated memory that escaped via a global variable. - A new
cpp/insufficient-key-sizequery has been added to the default query suite for C/C++. The query finds uses of certain cryptographic algorithms where the key size is too small to provide adequate encryption strength.
- The "Failure to use HTTPS URLs" (
cpp/non-https-url) has been improved reducing false positive results, and its precision has been increased to 'high'. - The
cpp/system-data-exposurequery has been modernized and has converted to apath-problemquery. There are now fewer false positive results.
- The
CodeDuplication.Copy,CodeDuplication.DuplicateBlock, andCodeDuplication.SimilarBlockclasses have been deprecated.
- Added a new query,
cpp/open-call-with-mode-argument, to detect whenopenoropenatis called with theO_CREATorO_TMPFILEflag but when themodeargument is omitted.
- The "Cleartext transmission of sensitive information" (
cpp/cleartext-transmission) query has been further improved to reduce false positive results, and upgraded frommediumtohighprecision. - The "Cleartext transmission of sensitive information" (
cpp/cleartext-transmission) query now finds more results, where a password is stored in a struct field or class member variable. - The
cpp/cleartext-storage-filequery has been improved, removing false positives where data is written to a standard output stream. - The
cpp/cleartext-storage-bufferquery has been updated to use thesemmle.code.cpp.dataflow.TaintTrackinglibrary. - The
cpp/world-writable-file-creationquery now only detectsopenandopenatcalls with theO_CREATorO_TMPFILEflag.
- The
securitytag has been added to thecpp/return-stack-allocated-memoryquery. As a result, its results will now appear by default. - The "Uncontrolled data in arithmetic expression" (cpp/uncontrolled-arithmetic) query has been enhanced to reduce false positive results and its @precision increased to high.
- A new
cpp/very-likely-overrunning-writequery has been added to the default query suite for C/C++. The query reports some results that were formerly flagged bycpp/overrunning-write.
- Fix an issue with the
cpp/declaration-hides-variablequery where it would report variables that are unnamed in a database. - The
cpp/cleartext-storage-filequery has been upgraded with non-local taint flow and has been converted to apath-problemquery. - The
cpp/return-stack-allocated-memoryquery has been improved to produce fewer false positives. The query has also been converted to apath-problemquery. - The "Cleartext transmission of sensitive information" (
cpp/cleartext-transmission) query has been improved in several ways to reduce false positive results. - The "Potential improper null termination" (
cpp/improper-null-termination) query now produces fewer false positive results around control flow branches and loops. - Added exception for GLib's gboolean to cpp/ambiguously-signed-bit-field. This change reduces the number of false positives in the query.
- A new query
cpp/certificate-not-checkedhas been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries. - A new query
cpp/certificate-result-conflationhas been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.
- A new query
cpp/non-https-urlhas been added for C/C++. The query flags uses ofhttpURLs that might be better replaced withhttps.