Example PR for accept test changes (internal tool) #12950

Draft: wants to merge 3 commits into base: main
Expand Up @@ -3158,6 +3158,8 @@ module Impl<FullStateConfigSig Config> {
key = "semmle.label" and val = n.toString()
}

additional query predicate example(string s) { none() }

/**
* Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
* a subpath between `par` and `ret` with the connecting edges `arg -> par` and
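Review bot: the added `additional query predicate example(string s) { none() }` has no QLDoc, while the predicate directly below it opens with a `/** Holds if ... */` comment. Add a short doc comment stating what `s` is meant to hold and why the body is `none()`, and consider a more specific name than `example`, since the predicate name shows up as a section heading in the `.expected` files changed later in this PR.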
Expand Up @@ -3158,6 +3158,8 @@ module Impl<FullStateConfigSig Config> {
key = "semmle.label" and val = n.toString()
}

additional query predicate example(string s) { none() }

/**
* Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
* a subpath between `par` and `ret` with the connecting edges `arg -> par` and
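Review bot: the added `example` predicate is undocumented in this copy as well; the hunk is identical to the one in the previous file, down to the `@@ -3158,6 +3158,8 @@` offset inside `module Impl<FullStateConfigSig Config>`. Whatever QLDoc or rename is applied to one copy should be applied to every copy in the same commit so the files stay identical.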
Expand Up @@ -8,6 +8,7 @@ nodes
| test.cpp:22:27:22:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
| test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
example
subpaths
#select
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
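Review bot: the added `example` heading is followed immediately by `subpaths`, so this expected file records an empty result set for the new predicate and the test checks nothing beyond the heading being present. If `example` is only a placeholder for demonstrating how expected files get accepted, say so in the PR description; otherwise add a test case that makes the predicate produce at least one row so the section is exercised.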
Expand Up @@ -374,6 +374,7 @@ nodes
| test.cpp:207:17:207:19 | str indirection [string] | semmle.label | str indirection [string] |
| test.cpp:207:22:207:27 | string | semmle.label | string |
| test.cpp:207:22:207:27 | string indirection | semmle.label | string indirection |
example
subpaths
#select
| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string |
Expand Up @@ -33,6 +33,7 @@ nodes
| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
example
subpaths
#select
| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
Expand Up @@ -96,6 +96,7 @@ nodes
| test.cpp:93:14:93:14 | p | semmle.label | p |
| test.cpp:93:14:93:14 | p indirection | semmle.label | p indirection |
| test.cpp:98:18:98:27 | call to mk_array_p indirection [p] | semmle.label | call to mk_array_p indirection [p] |
example
subpaths
#select
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |
Expand Up @@ -21,6 +21,7 @@ nodes
| test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
| test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
example
subpaths
#select
| test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
Expand Up @@ -41,6 +41,7 @@ nodes
| test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
| test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode |
| test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode |
example
subpaths
| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | func indirection | test.cpp:81:17:81:20 | call to func |
#select
Expand Up @@ -1732,6 +1732,7 @@ nodes
| struct_init.c:46:10:46:14 | outer indirection [pointerAB indirection, a] | semmle.label | outer indirection [pointerAB indirection, a] |
| struct_init.c:46:16:46:24 | pointerAB indirection [a] | semmle.label | pointerAB indirection [a] |
| struct_init.c:46:16:46:24 | pointerAB indirection [a] | semmle.label | pointerAB indirection [a] |
example
subpaths
| A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c | A.cpp:25:13:25:13 | this indirection [post update] [c] | A.cpp:31:14:31:21 | call to B [c] |
| A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c | A.cpp:29:15:29:18 | make indirection [c] | A.cpp:48:12:48:18 | call to make indirection [c] |
Expand Up @@ -1417,6 +1417,7 @@ nodes
| struct_init.c:43:5:43:7 | & ... [a] | semmle.label | & ... [a] |
| struct_init.c:46:10:46:14 | outer [pointerAB, a] | semmle.label | outer [pointerAB, a] |
| struct_init.c:46:16:46:24 | pointerAB [a] | semmle.label | pointerAB [a] |
example
subpaths
| A.cpp:31:20:31:20 | c | A.cpp:23:10:23:10 | c | A.cpp:25:7:25:10 | this [post update] [c] | A.cpp:31:14:31:21 | call to B [c] |
| A.cpp:48:20:48:20 | c | A.cpp:29:23:29:23 | c | A.cpp:31:14:31:21 | new [c] | A.cpp:48:12:48:18 | call to make [c] |
Expand Up @@ -63,6 +63,7 @@ nodes
| test_free.cpp:207:10:207:10 | a | semmle.label | a |
| test_free.cpp:209:10:209:10 | a | semmle.label | a |
| test_free.cpp:209:10:209:10 | a | semmle.label | a |
example
subpaths
#select
| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:14:10:14:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
Expand Up @@ -66,6 +66,7 @@ nodes
| test_free.cpp:245:10:245:11 | * ... | semmle.label | * ... |
| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
example
subpaths
#select
| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
Expand Up @@ -99,6 +99,7 @@ nodes
| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
example
subpaths
#select
| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast |
Expand Up @@ -3,6 +3,7 @@ edges
nodes
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
example
subpaths
#select
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) |
Expand Up @@ -19,6 +19,7 @@ nodes
| test.c:43:17:43:24 | scanf output argument | semmle.label | scanf output argument |
| test.c:44:11:44:18 | fileName indirection | semmle.label | fileName indirection |
| test.c:57:10:57:16 | access to array indirection | semmle.label | access to array indirection |
example
subpaths
#select
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv | user input (a command-line argument) |
Expand Up @@ -23,6 +23,7 @@ nodes
| tests.cpp:51:22:51:25 | badSource output argument | semmle.label | badSource output argument |
| tests.cpp:51:22:51:25 | data indirection | semmle.label | data indirection |
| tests.cpp:53:16:53:19 | data indirection | semmle.label | data indirection |
example
subpaths
| tests.cpp:51:22:51:25 | data indirection | tests.cpp:26:32:26:35 | data indirection | tests.cpp:26:15:26:23 | badSource indirection | tests.cpp:51:12:51:20 | call to badSource indirection |
#select
Expand Up @@ -132,6 +132,7 @@ nodes
| test.cpp:220:19:220:26 | filename indirection | semmle.label | filename indirection |
| test.cpp:222:32:222:38 | command indirection | semmle.label | command indirection |
| test.cpp:222:32:222:38 | command indirection | semmle.label | command indirection |
example
subpaths
| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | filename indirection | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | filename indirection | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
@@ -1,4 +1,5 @@
edges
nodes
example
subpaths
#select
Expand Up @@ -36,6 +36,7 @@ nodes
| overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
| overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
| overflowdestination.cpp:76:30:76:32 | src indirection | semmle.label | src indirection |
example
subpaths
#select
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
Expand Up @@ -3,6 +3,7 @@ edges
nodes
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | semmle.label | fgets output argument |
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | semmle.label | data |
example
subpaths
#select
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | An array indexing expression depends on $@ that might be outside the bounds of the array. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | string read by fgets |
Expand Up @@ -27,6 +27,7 @@ nodes
| test1.c:33:11:33:11 | i | semmle.label | i |
| test1.c:48:16:48:16 | i | semmle.label | i |
| test1.c:53:15:53:15 | j | semmle.label | j |
example
subpaths
#select
| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
Expand Up @@ -50,6 +50,7 @@ nodes
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:38:9:38:12 | data | semmle.label | data |
example
subpaths
#select
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value |
Expand Up @@ -88,6 +88,7 @@ nodes
| test.cpp:208:7:208:7 | y | semmle.label | y |
| test.cpp:215:11:215:14 | call to rand | semmle.label | call to rand |
| test.cpp:219:8:219:8 | x | semmle.label | x |
example
subpaths
#select
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value |
Expand Up @@ -90,6 +90,7 @@ nodes
| test.cpp:353:18:353:31 | call to getenv indirection | semmle.label | call to getenv indirection |
| test.cpp:355:35:355:38 | size | semmle.label | size |
| test.cpp:356:35:356:38 | size | semmle.label | size |
example
subpaths
#select
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
Expand Up @@ -9,6 +9,7 @@ nodes
| test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
example
subpaths
#select
| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets indirection | test2.cpp:110:3:110:6 | call to gets indirection | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets indirection | user input (string read by gets) |
Expand Up @@ -45,6 +45,7 @@ nodes
| test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword |
| test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword |
| test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword |
example
subpaths
#select
| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:43:36:43:43 | password | this source. |
Expand Up @@ -118,6 +118,7 @@ nodes
| test3.cpp:572:14:572:16 | str | semmle.label | str |
| test3.cpp:577:8:577:23 | call to get_home_address | semmle.label | call to get_home_address |
| test3.cpp:578:14:578:16 | str | semmle.label | str |
example
subpaths
| test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | id indirection | test3.cpp:138:21:138:22 | call to id |
#select
Expand Up @@ -43,6 +43,7 @@ nodes
| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
| test.cpp:121:11:121:13 | ptr indirection | semmle.label | ptr indirection |
example
subpaths
#select
| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
Expand Up @@ -3,6 +3,7 @@ nodes
| test.cpp:34:45:34:48 | 1024 | semmle.label | 1024 |
| test.cpp:35:49:35:52 | 1024 | semmle.label | 1024 |
| test.cpp:37:43:37:46 | 1024 | semmle.label | 1024 |
example
subpaths
#select
| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 |
Expand Up @@ -50,6 +50,7 @@ nodes
| test.cpp:207:8:207:11 | data | semmle.label | data |
| test.cpp:209:6:209:9 | data | semmle.label | data |
| test.cpp:209:6:209:9 | data | semmle.label | data |
example
subpaths
#select
| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | data | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free |
@@ -1,4 +1,5 @@
edges
nodes
example
subpaths
#select
Expand Up @@ -7,6 +7,7 @@ nodes
| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
| tests.c:70:70:70:77 | password indirection | semmle.label | password indirection |
example
subpaths
#select
| tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |
Expand Up @@ -84,6 +84,7 @@ nodes
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
example
subpaths
#select
| tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv indirection | call to getenv indirection |
Expand Up @@ -84,6 +84,7 @@ nodes
| tests_passwd.cpp:18:29:18:31 | pwd indirection | semmle.label | pwd indirection |
| tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
| tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
example
subpaths
#select
| tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv indirection | call to getenv indirection |
Expand Up @@ -149,6 +149,7 @@ nodes
| tests.cpp:122:23:122:43 | call to XercesDOMParser | semmle.label | call to XercesDOMParser |
| tests.cpp:126:18:126:18 | q indirection | semmle.label | q indirection |
| tests.cpp:128:18:128:18 | q indirection | semmle.label | q indirection |
example
subpaths
#select
| tests2.cpp:22:2:22:2 | p indirection | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | p indirection | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser |
Expand Up @@ -3158,6 +3158,8 @@ module Impl<FullStateConfigSig Config> {
key = "semmle.label" and val = n.toString()
}

additional query predicate example(string s) { none() }

/**
* Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
* a subpath between `par` and `ret` with the connecting edges `arg -> par` and
Expand Up @@ -3,6 +3,7 @@ edges
nodes
| RequestForgery.cs:14:52:14:54 | url : String | semmle.label | url : String |
| RequestForgery.cs:16:66:16:68 | access to parameter url | semmle.label | access to parameter url |
example
subpaths
#select
| RequestForgery.cs:16:66:16:68 | access to parameter url | RequestForgery.cs:14:52:14:54 | url : String | RequestForgery.cs:16:66:16:68 | access to parameter url | The URL of this request depends on a $@. | RequestForgery.cs:14:52:14:54 | url | user-provided value |
Expand Up @@ -13,6 +13,7 @@ nodes
| HashWithoutSalt.cs:70:28:70:72 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
| HashWithoutSalt.cs:70:64:70:71 | access to parameter password : String | semmle.label | access to parameter password : String |
| HashWithoutSalt.cs:71:48:71:56 | access to local variable passBytes | semmle.label | access to local variable passBytes |
example
subpaths
#select
| HashWithoutSalt.cs:20:49:20:56 | access to local variable passBuff | HashWithoutSalt.cs:18:70:18:77 | access to parameter password : String | HashWithoutSalt.cs:20:49:20:56 | access to local variable passBuff | $@ is hashed without a salt. | HashWithoutSalt.cs:18:70:18:77 | access to parameter password | The password |
@@ -1,4 +1,5 @@
edges
nodes
example
subpaths
#select
1 change: 1 addition & 0 deletions csharp/ql/test/library-tests/csharp7/GlobalFlow.expected
Expand Up @@ -51,6 +51,7 @@ nodes
| CSharp7.cs:181:23:181:25 | access to local variable src : String | semmle.label | access to local variable src : String |
| CSharp7.cs:182:21:182:26 | call to local function h | semmle.label | call to local function h |
| CSharp7.cs:182:23:182:25 | access to local variable src : String | semmle.label | access to local variable src : String |
example
subpaths
| CSharp7.cs:55:11:55:19 | "tainted" : String | CSharp7.cs:42:19:42:19 | x : String | CSharp7.cs:44:9:44:13 | SSA def(y) : String | CSharp7.cs:55:30:55:31 | SSA def(t4) : String |
| CSharp7.cs:90:20:90:27 | access to field Item1 : String | CSharp7.cs:80:21:80:21 | x : String | CSharp7.cs:82:16:82:26 | access to field Item1 : String | CSharp7.cs:90:18:90:28 | call to method I |
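Review bot: `csharp/ql/test/library-tests/csharp7/GlobalFlow.expected` is a library test, and it gains the `example` heading between `nodes` and `subpaths` just like the query tests above. That suggests the new query predicate surfaces in any test that emits the path-graph sections, not only in security query tests; confirm this reach is intended before accepting the churn across all of these `.expected` files.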