- Calling conventions explicitly specified on function declarations (
__cdecl,__stdcall,__fastcall, etc.) are now represented as specifiers of those declarations. - A new class
CallingConventionSpecifierextending theSpecifierclass was introduced, which represents explicitly specified calling conventions.
- Added
Node.asUncertainDefinitionandNode.asCertainDefinitionto theDataFlow::Nodeclass for querying whether a definition overwrites the entire destination buffer.
No user-facing changes.
- Modified the
getBufferSizepredicate incommons/Buffer.qllto be more tolerant in some cases involving member variables in a larger struct or class. - Fixed an issue where the
getBufferSizepredicate incommons/Buffer.qllwas returning results for references insideoffsetofexpressions, which are not accesses to a buffer.
No user-facing changes.
- Deleted the deprecated
getAllocatorCallpredicate fromDeleteOrDeleteArrayExpr, usegetDeallocatorCallinstead.
- A new predicate
getOffsetInClasswas added to theFieldclass, which computes the byte offset of a field relative to a givenClass. - New classes
PreprocessorElifdefandPreprocessorElifndefwere introduced, which represents the C23/C++23#elifdefand#elifndefpreprocessor directives. - A new class
TypeLibraryImportwas introduced, which represents the#importpreprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
- Add a new predicate
getAnIndirectBarrierto the parameterized moduleInstructionBarrierGuardinsemmle.code.cpp.dataflow.new.DataFlowfor computing indirect dataflow nodes that are guarded by a given instruction. This predicate is similar to thegetAnIndirectBarrierpredicate on the parameterized moduleBarrierGuard. - A new predicate
getDecltypewas added to theProxyClassclass, which yields the decltype for the proxy class. - Template classes that are of
structtype are now also instances of theStructclass. - Template classes that are of
uniontype are now also instances of theUnionclass. - A new abstract class
ConfigurationTestFile(semmle.code.cpp.ConfigurationTestFile.ConfigurationTestFile) was introduced, which represents files created to test the build configuration. A subclassCmakeTryCompileFileofConfigurationTestFilewas also introduced, which represents files created by CMake to test the build configuration. - New predicates
getARequiresClause,getTemplateRequiresClauseandgetFunctionRequiresClausewere added to theFunctionDeclarationEntryclass, which yield the requires clauses when the entry represents a function template declaration with requires clauses. - A new predicate
getRequiresClausewas added to theTypeDeclarationEntryclass, which yields the requires clause when the entry represents a class template declaration with a requires clause. - A new predicate
getRequiresClausewas added to theVariableDeclarationEntryclass, which yields the requires clause when the entry represents a variable template declaration with a requires clause. - A new predicate
getTypeConstraintwas added to theTypeTemplateParameterclass, which yields the type constraint of the parameter if it exists. - A new class
VariableTemplateSpecializationwas introduced, which represents explicit specializations of variable templates. - A new predicate
isSpecializationwas added to theVariableclass, which holds if the variable is a template specialization. - A new class
ConceptIdExprwas introduced, which represents C++20 concept id expressions. - A new class
Conceptwas introduced, which represents C++20 concepts. - The
getTemplateArgumentTypeandgetTemplateArgumentValuepredicates of theDeclarationclass now also yield template arguments of concepts. - A new class
ConstevalIfStmtwas introduced, which represents the C++23if constevalandif ! constevalstatements.
DefaultOptions::exitsnow holds for C23 functions with the_Noreturnor___Noreturn__attribute.
- The
TemplateParameterclass, representing C++ type template parameters has been deprecated. UseTypeTemplateParameterinstead.
- New classes
SizeofPackExprOperatorandSizeofPackTypeOperatorwere introduced, which represent the C++sizeof...operator taking expressions and type arguments, respectively. - A new class
TemplateTemplateParameterInstantiationwas introduced, which represents instantiations of template template parameters. - A new predicate
getAnInstantiationwas added to theTemplateTemplateParameterclass, which yields instantiations of template template parameters. - The
getTemplateArgumentTypeandgetTemplateArgumentValuepredicates of theDeclarationclass now also yield template arguments of template template parameters. - A new class
NonTypeTemplateParameterwas introduced, which represents C++ non-type template parameters. - A new class
TemplateParameterBasewas introduced, which represents C++ non-type template parameters, type template parameters, and template template parameters.
- The
Guardslibrary (semmle.code.cpp.controlflow.Guards) has been improved to recognize more guard conditions.
- Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.
- The
NonThrowingFunctionclass (semmle.code.cpp.models.interfaces.NonThrowing.NonThrowingFunction) has been deprecated. Please use theNonCppThrowingFunctionclass instead.
No user-facing changes.
- Added a new predicate
DataFlow::getARuntimeTargetfor getting a function that may be invoked by aCallexpression. UnlikeCall.getTargetthis new predicate may also resolve function pointers. - Added the predicate
mayBeFromImplicitlyDeclaredFunction()to theCallclass to represent calls that may be the return value of an implicitly declared C function. - Added the predicate
getAnExplicitDeclarationEntry()to theFunctionclass to get aFunctionDeclarationEntrythat is not implicit. - Added classes
RequiresExpr,SimpleRequirementExpr,TypeRequirementExpr,CompoundRequirementExpr, andNestedRequirementExprto represent C++20 requires expressions and the simple, type, compound, and nested requirements that can occur inrequiresexpressions.
- The function call target resolution algorithm has been improved to resolve more calls through function pointers. As a result, dataflow queries may have more results.
- Added taint flow model for
fopenand related functions. - The
SimpleRangeAnalysislibrary (semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis) now generates more precise ranges for calls tofgetcandgetc.
No user-facing changes.
- Deleted many deprecated taint-tracking configurations based on
TaintTracking::Configuration. - Deleted many deprecated dataflow configurations based on
DataFlow::Configuration. - Deleted the deprecated
hasQualifiedNameandisDefinedpredicates from theDeclarationclass, usehasGlobalNameandhasDefinitionrespectively instead. - Deleted the
getFullSignaturepredicate from theFunctionclass, usegetIdentityString(Declaration)fromsemmle.code.cpp.Printinstead. - Deleted the deprecated
freeCallpredicate fromAlloc.qll. UseDeallocationExprinstead. - Deleted the deprecated
explorationLimitpredicate fromDataFlow::Configuration, useFlowExploration<explorationLimit>instead. - Deleted the deprecated
getFieldExprpredicate fromClassAggregateLiteral, usegetAFieldExprinstead. - Deleted the deprecated
getElementExprpredicate fromArrayOrVectorAggregateLiteral, usegetAnElementExprinstead.
- Added a class
C11GenericExprto represent C11 generic selection expressions. The generic selection is represented as aConversionon the expression that will be selected. - Added subclasses of
BuiltInOperationsfor the__is_scoped_enum,__is_trivially_equality_comparable, and__is_trivially_relocatablebuiltin operations. - Added a subclass of
Exprfor__datasizeofexpressions.
- Added a data flow model for
swapmember functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow throughswapmember functions might affect the results. - Added a data flow model for
realloc-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow throughrealloc-like functions might affect the results.
No user-facing changes.
No user-facing changes.
- A
getTemplateClasspredicate was added to theDeductionGuideclass to get the class template for which the deduction guide is a guide. - An
isExplicitpredicate was added to theFunctionclass that determines whether the function was declared as explicit. - A
getExplicitExprpredicate was added to theFunctionclass that yields the constant boolean expression (if any) that conditionally determines whether the function is explicit. - A
isDestroyingDeleteDeallocationpredicate was added to theNewOrNewArrayExprandDeleteOrDeleteArrayExprclasses to indicate whether the deallocation function is a destroying delete.
- The controlling expression of a
constexpr ifis now always recognized as an unevaluated expression. - Improved performance of alias analysis of large function bodies. In rare cases, alerts that depend on alias analysis of large function bodies may be affected.
- A
UsingEnumDeclarationEntryclass has been added for C++using enumdeclarations. As part of this, synthesizedUsingDeclarationEntrys are no longer emitted for individual enumerators of the referenced enumeration.
- Models-as-data alert provenance information has been extended to the C/C++ language. Any qltests that include the edges relation in their output (for example,
.qlrefs that reference path-problem queries) will need to be have their expected output updated accordingly. - Added subclasses of
BuiltInOperationsfor__builtin_has_attribute,__builtin_is_corresponding_member,__builtin_is_pointer_interconvertible_with_class,__is_assignable_no_precondition_check,__is_bounded_array,__is_convertible,__is_corresponding_member,__is_nothrow_convertible,__is_pointer_interconvertible_with_class,__is_referenceable,__is_same_as,__is_trivially_copy_assignable,__is_unbounded_array,__is_valid_winrt_type,_is_win_class,__is_win_interface,__reference_binds_to_temporary,__reference_constructs_from_temporary, and__reference_converts_from_temporary. - The class
NewArrayExpradds a predicategetArraySize()to allow a more convenient way to access the static size of the array when the extent is missing.
- The syntax for models-as-data rows has been extended to make it easier to select sources, sinks, and summaries that involve templated functions and classes. Additionally, the syntax has also been extended to make it easier to specify models with arbitrary levels of indirection. See
dataflow/ExternalFlow.qllfor the updated documentation and specification for the model format. - It is now possible to extend the classes
AllocationFunctionandDeallocationFunctionvia data extensions. Extensions of these classes should be added to thelib/ext/allocationandlib/ext/deallocationdirectories respectively.
- The queries "Potential double free" (
cpp/double-free) and "Potential use after free" (cpp/use-after-free) now produce fewer false positives. - The "Guards" library (
semmle.code.cpp.controlflow.Guards) now also infers guards from calls to the builtin operation__builtin_expect. As a result, some queries may produce fewer false positives.
No user-facing changes.
- Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension
.model.ymlfiles, rather than by writing classes in QL code. New models should be added in thelib/extfolder.
- A partial model for the
Boost.Asionetwork library has been added. This includes sources, sinks and summaries for certain functions inBoost.Asio, such asread_untilandwrite.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
No user-facing changes.
- Deleted the deprecated
GlobalValueNumberingImpl.qllimplementation.
- Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See
dataflow/ExternalFlow.qllfor documentation and specification of the model format, andmodels/implementations/ZMQ.qllfor a simple example of models. Importing models from.ymlis not yet supported.
- Source models have been added for the standard library function
getc(and variations). - Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
- Parameters of functions without definitions now have
ParameterNodes. - The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
No user-facing changes.
- Added a
TaintInheritingContentclass that can be extended to model taint flowing from a qualifier to a field. - Added a predicate
GuardCondition.comparesEq/4to query whether an expression is compared to a constant. - Added a predicate
GuardCondition.ensuresEq/4to query whether a basic block is guarded by an expression being equal to a constant. - Added a predicate
GuardCondition.comparesLt/4to query whether an expression is compared to a constant. - Added a predicate
GuardCondition.ensuresLt/4to query whether a basic block is guarded by an expression being less than a constant. - Added a predicate
GuardCondition.valueControlsto query whether a basic block is guarded by a particularcaseof aswitchstatement.
- Added destructors for temporary objects with extended lifetimes to the intermediate representation.
No user-facing changes.
No user-facing changes.
- Added destructors for named objects to the intermediate representation.
- A
getInitializationpredicate was added to theRangeBasedForStmtclass that yields the C++20-style initializer of the range-basedforstatement when it exists.
- Added the
PreprocBlock.qlllibrary to this repository. This library offers a view of#if,#elif,#elseand similar directives as a tree with navigable parent-child relationships. - Added a new
ThrowingFunctionabstract class that can be used to model an external function that may throw an exception.
- Deleted many deprecated predicates and classes with uppercase
XML,SSA,SAL,SQL, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
StrcatFunctionclass, usesemmle.code.cpp.models.implementations.Strcat.qllinstead.
- The
isUserInput,userInputArgument, anduserInputReturnedpredicates fromSecurityOptionshave been deprecated. UseFlowSourceinstead.
UserDefineLiteralandDeductionGuideclasses have been added, representing C++11 user defined literals and C++17 deduction guides.
- Changed the output of
Node.toStringto better reflect how many indirections a given dataflow node has. - Added a new predicate
Node.asDefinitiononDataFlow::Nodes for selecting the dataflow node corresponding to a particular definition. - The deprecated
DefaultTaintTrackinglibrary has been removed. - The
Guardslibrary has been replaced with the API-compatibleIRGuardsimplementation, which has better precision in some cases.
- Under certain circumstances a function declaration that is not also a definition could be associated with a
Functionthat did not have the definition as aFunctionDeclarationEntry. This is now fixed when only one definition exists, and a uniqueFunctionwill exist that has both the declaration and the definition as aFunctionDeclarationEntry.
No user-facing changes.
- Added an
isPrototypedpredicate toFunctionthat holds when the function has a prototype.
- The expressions
AssignPointerAddExprandAssignPointerSubExprare no longer subtypes ofAssignBitwiseOperation.
- The "Returning stack-allocated memory" (
cpp/return-stack-allocated-memory) query now also detects returning stack-allocated memory allocated by calls toalloca,strdupa, andstrndupa. - Added models for
strlcpyandstrlcat. - Added models for the
sprintfvariants from theStrSafe.hheader. - Added SQL API models for
ODBC. - Added taint models for
reallocand related functions.
- The
ContainerandFolderclasses now derive fromElementBaseinstead ofLocatable, and no longer expose thegetLocationpredicate. UsegetURLinstead.
- Added a new class
AdditionalCallTargetfor specifying additional call targets.
- More field accesses are identified as
ImplicitThisFieldAccess. - Added support for new floating-point types in C23 and C++23.
- Deleted the deprecated
AnalysedStringclass, use the new nameAnalyzedString. - Deleted the deprecated
isBarrierGuardpredicate from the dataflow library and its uses, useisBarrierand theBarrierGuardmodule instead.
- Functions that do not return due to calling functions that don't return (e.g.
exit) are now detected as non-returning in the IR and dataflow. - Treat functions that reach the end of the function as returning in the IR. They used to be treated as unreachable but it is allowed in C.
- The
DataFlow::asDefiningArgumentpredicate now takes its argument from the range starting at1instead of2. Queries that depend on the single-parameter version ofDataFlow::asDefiningArgumentshould have their arguments updated accordingly.
No user-facing changes.
getAllocatorCallonDeleteExprandDeleteArrayExprhas been deprecated.getDeallocatorCallshould be used instead.
- Added
DeleteOrDeleteArrayExpras a super type ofDeleteExprandDeleteArrayExpr
deleteanddelete[]are now modeled as calls to the relevantoperator deletein the IR. In the case of a dynamic delete call a new instructionVirtualDeleteFunctionAddressis used to represent a function that dispatches to the correct delete implementation.- Only the 2 level indirection of
argv(corresponding to**argv) is consided forFlowSource.
No user-facing changes.
- The
shouldPrintFunctionpredicate fromPrintAstConfigurationhas been replaced byshouldPrintDeclaration. Users should now overrideshouldPrintDeclarationif they want to limit the declarations that should be printed. - The
shouldPrintFunctionpredicate fromPrintIRConfigurationhas been replaced byshouldPrintDeclaration. Users should now overrideshouldPrintDeclarationif they want to limit the declarations that should be printed.
- The
PrintASTlibrary now also prints global and namespace variables and their initializers.
- The
_Float128xtype is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
- The library
semmle.code.cpp.dataflow.DataFlowhas been deprecated. Please usesemmle.code.cpp.dataflow.new.DataFlowinstead.
- The
DataFlow::StateConfigSigsignature module has gained default implementations forisBarrier/2andisAdditionalFlowStep/4. Hence it is no longer needed to providenone()implementations of these predicates if they are not needed.
- Data flow configurations can now include a predicate
neverSkip(Node node)in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations. - The
IRGuardslibrary has improved handling of pointer addition and subtraction operations.
- The
ProductFlow::StateConfigSigsignature now includes default predicates forisBarrier1,isBarrier2,isAdditionalFlowStep1, andisAdditionalFlowStep1. Hence, it is no longer needed to providenone()implementations of these predicates if they are not needed.
- Deleted the deprecated
getURLpredicate from theContainer,Folder, andFileclasses. Use thegetLocationpredicate instead.
No user-facing changes.
- Deleted the deprecated
hasCopyConstructorpredicate from theClassclass inClass.qll. - Deleted many deprecated predicates and classes with uppercase
AST,SSA,CFG,API, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
CodeDuplication.qllfile.
- Added an AST-based interface (
semmle.code.cpp.rangeanalysis.new.RangeAnalysis) for the relative range analysis library. - A new predicate
BarrierGuard::getAnIndirectBarrierNodehas been added to the new dataflow library (semmle.code.cpp.dataflow.new.DataFlow) to mark indirect expressions as barrier nodes using theBarrierGuardAPI.
- In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermedite representation or libraries based on it, including the new data flow library.
- The
StdNamespaceclass now also includes all inline namespaces that are children ofstdnamespace. - The new dataflow (
semmle.code.cpp.dataflow.new.DataFlow) and taint-tracking libraries (semmle.code.cpp.dataflow.new.TaintTracking) now support tracking flow through static local variables.
No user-facing changes.
- The internal
SsaConsistencymodule has been moved fromSSAConstructiontoSSAConsitency, and the deprecatedSSAConsistencymodule has been removed.
- The single-parameter predicates
ArrayOrVectorAggregateLiteral.getElementExprandClassAggregateLiteral.getFieldExprhave been deprecated in favor ofArrayOrVectorAggregateLiteral.getAnElementExprandClassAggregateLiteral.getAFieldExpr. - The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
- The
SslContextCallAbstractConfig,SslContextCallConfig,SslContextCallBannedProtocolConfig,SslContextCallTls12ProtocolConfig,SslContextCallTls13ProtocolConfig,SslContextCallTlsProtocolConfig,SslContextFlowsToSetOptionConfig,SslOptionConfigdataflow configurations fromBoostorgAsiohave been deprecated. Please useSslContextCallConfigSig,SslContextCallGlobal,SslContextCallFlow,SslContextCallBannedProtocolFlow,SslContextCallTls12ProtocolFlow,SslContextCallTls13ProtocolFlow,SslContextCallTlsProtocolFlow,SslContextFlowsToSetOptionFlow.
- Added overridable predicates
getSizeExprandgetSizeMultto theBufferAccessclass (semmle.code.cpp.security.BufferAccess.qll). This makes it possible to model a larger class of buffer reads and writes using the library.
- The
BufferAccesslibrary (semmle.code.cpp.security.BufferAccess) no longer matches buffer accesses inside unevaluated contexts (such as insidesizeofordecltypeexpressions). As a result, queries using this library may see fewer false positives.
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular
DataFlow::hasFlowPath,DataFlow::hasFlow,DataFlow::hasFlowTo, andDataFlow::hasFlowToExprwere accidentally exposed in a single version.
No user-facing changes.
- The
semmle.code.cpp.commons.Bufferandsemmle.code.cpp.commons.NullTerminationlibraries no longer exposesemmle.code.cpp.dataflow.DataFlow. Please importsemmle.code.cpp.dataflow.DataFlowdirectly.
- The
WriteConfigtaint tracking configuration has been deprecated. Please useWriteFlow.
- Added support for merging two
PathGraphs via disjoint union to allow results from multiple data flow computations in a singlepath-problemquery.
-
A new C/C++ dataflow library (
semmle.code.cpp.dataflow.new.DataFlow) has been added. The new library behaves much more like the dataflow library of other CodeQL supported languages by following use-use dataflow paths instead of def-use dataflow paths. The new library also better supports dataflow through indirections, and new predicates such asNode::asIndirectExprhave been added to facilitate working with indirections.The
semmle.code.cpp.ir.dataflow.DataFlowlibrary is now identical to the newsemmle.code.cpp.dataflow.new.DataFlowlibrary. -
The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
- Deleted the deprecated
hasGeneratedCopyConstructorandhasGeneratedCopyAssignmentOperatorpredicates from theFolderclass. - Deleted the deprecated
getPathandgetFolderpredicates from theXmlFileclass. - Deleted the deprecated
getMustlockFunction,getTrylockFunction,getLockFunction, andgetUnlockFunctionpredicates from theMutexTypeclass. - Deleted the deprecated
getPosInBasicBlockpredicate from theSubBasicBlockclass. - Deleted the deprecated
getExprpredicate from thePointerDereferenceExprclass. - Deleted the deprecated
getUseInstructionandgetDefinitionInstructionpredicates from theOperandclass. - Deleted the deprecated
isInParameter,isInParameterPointer, andisInQualifierpredicates from theFunctionInputclass. - Deleted the deprecated
isOutParameterPointer,isOutQualifier,isOutReturnValue, andisOutReturnPointerpredicate from theFunctionOutputclass. - Deleted the deprecated 3-argument
isGuardPhipredicate from theRangeSsaDefinitionclass.
No user-facing changes.
No user-facing changes.
No user-facing changes.
No user-facing changes.
The predicates in the MustFlow::Configuration class used by the MustFlow library (semmle.code.cpp.ir.dataflow.MustFlow) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
- Deprecated
semmle.code.cpp.ir.dataflow.DefaultTaintTracking. Usesemmle.code.cpp.ir.dataflow.TaintTracking. - Deprecated
semmle.code.cpp.security.TaintTrackingImpl. Usesemmle.code.cpp.ir.dataflow.TaintTracking. - Deprecated
semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl. Usesemmle.code.cpp.valuenumbering.GlobalValueNumbering, which exposes the same API.
- The
ArgvSourceflow source now uses the second parameter ofmainas its source instead of the uses of this parameter. - The
ArgvSourceflow source has been generalized to handle cases where the argument vector ofmainis not namedargv. - The
getaddrinfofunction is now recognized as a flow source. - The
secure_getenvand_wgetenvfunctions are now recognized as local flow sources. - The
scanfandfscanffunctions and their variants are now recognized as flow sources. - Deleted the deprecated
getNameandgetShortNamepredicates from theFolderclass.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Fixed bugs in the
FormatLiteralclass that were causinggetMaxConvertedLengthand related predicates to return no results when the format literal was%e,%for%gand an explicit precision was specified.
No user-facing changes.
No user-facing changes.
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Added subclasses of
BuiltInOperationsfor__is_same,__is_function,__is_layout_compatible,__is_pointer_interconvertible_base_of,__is_array,__array_rank,__array_extent,__is_arithmetic,__is_complete_type,__is_compound,__is_const,__is_floating_point,__is_fundamental,__is_integral,__is_lvalue_reference,__is_member_function_pointer,__is_member_object_pointer,__is_member_pointer,__is_object,__is_pointer,__is_reference,__is_rvalue_reference,__is_scalar,__is_signed,__is_unsigned,__is_void, and__is_volatile.
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
- Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Added support for getting the link targets of global and namespace variables.
- Added a
BlockAssignExprclass, which models amemcpy-like operation used in compiler generated copy/move constructors and assignment operations.
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Added a predicate
getValueConstanttoAttributeArgumentthat yields the argument value as anExprwhen the value is a constant expression. - A new class predicate
MustFlowConfiguration::allowInterproceduralFlowhas been added to thesemmle.code.cpp.ir.dataflow.MustFlowlibrary. The new predicate can be overridden to disable interprocedural flow. - Added subclasses of
BuiltInOperationsfor__builtin_bit_cast,__builtin_shuffle,__has_unique_object_representations,__is_aggregate, and__is_assignable.
- The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
- Under certain circumstances a variable declaration that is not also a definition could be associated with a
Variablethat did not have the definition as aVariableDeclarationEntry. This is now fixed, and a uniqueVariablewill exist that has both the declaration and the definition as aVariableDeclarationEntry.
AnalysedExpr::isNullCheckandAnalysedExpr::isValidCheckhave been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
- The
BarrierGuardclass has been deprecated. Such barriers and sanitizers can now instead be created using the newBarrierGuardparameterized module.
UserType.getADeclarationEntry()now yields all forward declarations when the user type is aclass,struct, orunion.
- An
isBracedpredicate was added to theInitializerclass which holds when a C++ braced initializer was used in the initialization.
- The
AnalysedStringclass in theStringAnalysismodule has been replaced withAnalyzedString, to follow our style guide. The old name still exists as a deprecated alias.
- A
getInitializationpredicate was added to theConstexprIfStmt,IfStmt, andSwitchStmtclasses that yields the C++17-style initializer of theiforswitchstatement when it exists.
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
- More Windows pool allocation functions are now detected as
AllocationFunctions. - The
semmle.code.cpp.commons.Bufferlibrary has been enhanced to handle array members of classes that do not specify a size.
- The recently added flow-state versions of
isBarrierIn,isBarrierOut,isSanitizerIn, andisSanitizerOutin the data flow and taint tracking libraries have been removed.
- A new library
semmle.code.cpp.security.PrivateDatahas been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
- The
semmle.code.cpp.security.SensitiveExprslibrary has been enhanced with some additional rules for detecting credentials.
- The flow state variants of
isBarrierandisAdditionalFlowStepare no longer exposed in the taint tracking library. TheisSanitizerandisAdditionalTaintSteppredicates should be used instead.
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- The data flow and taint tracking libraries have been extended with versions of
isBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.
DefaultOptions::exitsnow holds for C11 functions with the_Noreturnornoreturnspecifier.hasImplicitCopyConstructorandhasImplicitCopyAssignmentOperatornow correctly handle implicitly-deleted operators in templates.- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Many queries now support structured bindings, as structured bindings are now handled in the IR translation.
- Added a
isStructuredBindingpredicate to theVariableclass which holds when the variable is declared as part of a structured binding declaration.
- The
codeql/cpp-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/cpp-allCodeQL pack.
FormatLiteral::getMaxConvertedLengthnow uses range analysis to provide a more accurate length for integers formatted with%x
- The QL library
semmle.code.cpp.commons.Exclusionsnow contains a predicateisFromSystemMacroDefinitionfor identifying code that originates from a macro outside the project being analyzed.