github
diff --git a/‎cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.qhelp‎
Lines changed: 17 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.qhelp‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql‎
Lines changed: 17 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.qhelp‎
Lines changed: 16 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.qhelp‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql‎
Lines changed: 20 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Leap Year/Adding365daysPerYear.ql‎
Lines changed: 21 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Leap Year/Adding365daysPerYear.ql‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qhelp‎
Lines changed: 15 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qhelp‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll‎
Lines changed: 277 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll‎
Lines changed: 277 additions & 0 deletions
@@ -0,0 +1,17 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+  <p>
+    When eras change, date and time conversions that rely on hard-coded era start date need to be reviewed. Conversions relying on Japanese dates in the current era can produce an ambiguous date. 
+  </p>
+</overview>
+
+<references>
+  <li>
+    <a href="https://blogs.msdn.microsoft.com/shawnste/2018/04/12/the-japanese-calendars-y2k-moment/">The Japanese Calendar’s Y2K Moment</a>.
+  </li>
+</references>
+</qhelp>
+
@@ -0,0 +1,17 @@
+/**
+ * @name ConstructingJapaneseEraStartDate
+ * @description Japanese era changes can lead to code behaving differently. Aviod hard-coding Japanese era start dates. The values should be read from registry.
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/JapaneseEra/Constructor-Or-Method-With-Exact-Era-Date
+ * @precision medium
+ * @tags reliability
+ *       japanese-era
+ */
+
+import cpp
+from Call cc, int i
+where cc.getArgument(i).getValue().toInt() = 1989 and
+      cc.getArgument(i+1).getValue().toInt() = 1 and
+      cc.getArgument(i+2).getValue().toInt() = 8
+select cc, "Call that appears to have hard-coded Japanese era start date as parameter" 
@@ -0,0 +1,16 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+  <p>
+    When eras change, date and time conversions that rely on hard-coded era start date need to be reviewed. Conversions relying on Japanese dates in the current era can produce an ambiguous date. 
+  </p>
+</overview>
+
+<references>
+  <li>
+    <a href="https://blogs.msdn.microsoft.com/shawnste/2018/04/12/the-japanese-calendars-y2k-moment/">The Japanese Calendar’s Y2K Moment</a>.
+  </li>
+</references>
+</qhelp>
@@ -0,0 +1,20 @@
+/**
+ * @name StructWithJapaneseEraStartDate
+ * @description Japanese era changes can lead to code behaving differently. Aviod hard-coding Japanese era start dates. The values should be read from registry.
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/JapaneseEra/Struct-With-Exact-Era-Date
+ * @precision medium
+ * @tags reliability
+ *       japanese-era
+ */
+
+import cpp
+
+import semmle.code.cpp.commons.DateTime
+
+from StructLikeClass s, YearFieldAccess year, MonthFieldAccess month, DayFieldAccess day, Operation yearAssignment, Operation monthAssignment, Operation dayAssignment
+where s.getAField().getAnAccess () = year and yearAssignment.getAnOperand() = year and yearAssignment.getAnOperand().getValue().toInt() = 1989 and
+      s.getAField().getAnAccess () = month and monthAssignment.getAnOperand() = month and monthAssignment.getAnOperand().getValue().toInt() = 1 and 
+      s.getAField().getAnAccess () = day and dayAssignment.getAnOperand() = day and dayAssignment.getAnOperand().getValue().toInt() = 8
+select year, "A time struct that is initialized with exact Japanese calendar era start date"
@@ -0,0 +1,21 @@
+/**
+ * @name Year field changed using an arithmetic operation is used on an unchekced time conversion function
+ * @description A year field changed using an arithmetic operation is used on a time conversion function, but the return value of the function is not check for success or failure
+ * @kind problem
+ * @problem.severity error
+ * @id cpp/leap-year/adding-365-days-per-year
+ * @precision high
+ * @tags security
+ *       leap-year
+ */
+
+import cpp
+import LeapYear
+import semmle.code.cpp.dataflow.DataFlow
+
+
+from Expr source, Expr sink, PossibleYearArithmeticOperationCheckConfiguration config
+where config.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink))
+select sink, "This arithmetic operation $@ uses a constant value of 365 ends up modifying the date/time located at $@, without considering leap year scenarios."
+    , source, source.toString()
+    , sink, sink.toString()
@@ -0,0 +1,15 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The Gregorian Calendar, which has become the internationally accepted civil calendar, the leap year rule is: Every year that is exactly divisible by four is a leap year, except for years that are exactly divisible by 100, but these centurial years are leap years if they are exactly divisible by 400.</p>
+<p>A leap year bug occurs when software (in any language) is written without consideration of leap year logic, or with flawed logic to calculate leap years; which typically results in incorrect results.</p>
+<p>The impact of these bugs may range from almost unnoticeable bugs such as an incorrect date, to severe bugs that affect reliability, availability or even the security of the affected system.</p>
+</overview>
+
+<references>
+<li>U.S. Naval Observatory Website - <a href="https://aa.usno.navy.mil/faq/docs/calendars.php"> Introduction to Calendars</a></li>
+<li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
+<li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
+</references>
@@ -0,0 +1,277 @@
+/**
+ * Provides a library for helping create leap year realted queries
+ */
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.commons.DateTime
+
+/**
+ * Get the top-level BinaryOperation enclosing the expression e
+ * Not 
+ */
+BinaryOperation getATopLevelBinaryOperationExpression(Expr e)
+{
+  result = e.getEnclosingElement().(BinaryOperation)
+  or
+  result = getATopLevelBinaryOperationExpression( e.getEnclosingElement())
+}
+
+/**
+ * Holds if the top-level binary operation for expression `e` includes the operator specified in `operator` with an operand specified by `valueToCheck`
+ */
+predicate additionalLogicalCheck( Expr e, string operation, int valueToCheck) {
+  exists(BinaryLogicalOperation bo |
+    bo = getATopLevelBinaryOperationExpression(e) |
+    exists( BinaryArithmeticOperation bao | 
+      bao = bo.getAChild*() |
+      bao.getAnOperand().getValue().toInt() = valueToCheck
+      and bao.getOperator() = operation
+      )
+   )
+}
+
+/**
+ * Operation that seems to be checking for leap year 
+ */
+class CheckForLeapYearOperation extends Operation {
+  CheckForLeapYearOperation() {
+    exists( BinaryArithmeticOperation bo |
+        bo = this |
+        bo.getAnOperand().getValue().toInt() = 4
+        and bo.getOperator().toString() = "%"
+        and additionalLogicalCheck( this.getEnclosingElement(), "%", 100)
+        and additionalLogicalCheck( this.getEnclosingElement(), "%", 400)
+    )
+  }
+  
+  override string getOperator() { result = "LeapYearCheck" }
+}
+
+/**
+ * abstract class of type YearFieldAccess that would represent an access to a year field on a struct and is used for arguing about leap year calculations
+ */
+abstract class LeapYearFieldAccess extends YearFieldAccess {
+  /**
+   * Holds if the field access is a modification, 
+   * and it involves an arithmetic operation  
+   */
+  predicate isModifiedByArithmeticOperation() {
+    this.isModified()
+    and exists( Operation op |
+      op.getAnOperand() = this
+      and ( op instanceof AssignArithmeticOperation
+        or exists( BinaryArithmeticOperation bao |
+        bao = op.getAnOperand())
+      or op instanceof PostfixCrementOperation
+      or op instanceof PrefixCrementOperation
+      )
+    )
+  }
+  
+  /**
+   * Holds if the field access is a modification, 
+   * and it involves an arithmetic operation. 
+   * In order to avoid false positives, the operation does not includes values that are normal for year normalization.
+   *     
+   * 1900 - struct tm counts years since 1900
+   * 1980/80 -  FAT32 epoch
+   */
+  predicate isModifiedByArithmeticOperationNotForNormalization() {
+    this.isModified()
+    and exists( Operation op |
+      op.getAnOperand() = this
+      and ( (op instanceof AssignArithmeticOperation
+        and not ( op.getAChild().getValue().toInt() = 1900
+          or op.getAChild().getValue().toInt() = 2000
+          or op.getAChild().getValue().toInt() = 1980 
+          or op.getAChild().getValue().toInt() = 80 
+          // Special case for transforming marshaled 2-digit year date: 
+          // theTime.wYear += 100*value;
+          or exists( MulExpr mulBy100 | mulBy100 = op.getAChild() |
+            mulBy100.getAChild().getValue().toInt() = 100 )))
+        or exists( BinaryArithmeticOperation bao |
+          bao = op.getAnOperand()
+          and not ( bao.getAChild().getValue().toInt() = 1900
+            or bao.getAChild().getValue().toInt() = 2000
+            or bao.getAChild().getValue().toInt() = 1980 
+            or bao.getAChild().getValue().toInt() = 80 
+            // Special case for transforming marshaled 2-digit year date: 
+            // theTime.wYear += 100*value;
+            or exists( MulExpr mulBy100 | mulBy100 = op.getAChild() |
+              mulBy100.getAChild().getValue().toInt() = 100 ))
+        )
+        or op instanceof PostfixCrementOperation
+        or op instanceof PrefixCrementOperation
+      )
+    )
+  }
+
+
+  /**
+   * Holds if the top-level binary operation includes a modulus operator with an operand specified by `valueToCheck`
+   */
+  predicate additionalModulusCheckForLeapYear( int valueToCheck) {
+    additionalLogicalCheck(this, "%", valueToCheck)
+  }
+
+  /**
+   * Holds if the top-level binary operation includes an addition or subtraction operator with an operand specified by `valueToCheck`
+   */
+  predicate additionalAdditionOrSubstractionCheckForLeapYear( int valueToCheck) {
+    additionalLogicalCheck(this, "+", valueToCheck)
+    or additionalLogicalCheck(this, "-", valueToCheck)
+  }
+
+  /**
+   * Holds true if this object is used on a modulus 4 operation, which would likely indicate the start of a leap year check
+   */
+  predicate isUsedInMod4Operation()
+  {
+    not this.isModified() and
+    exists( BinaryArithmeticOperation bo |
+      bo.getAnOperand() = this
+      and bo.getAnOperand().getValue().toInt() = 4
+      and bo.getOperator().toString() = "%"
+    )
+  }
+  
+  /**
+   * Holds true if this object seems to be used in a valid gregorian calendar leap year check
+   */
+  predicate isUsedInCorrectLeapYearCheck()
+  {
+    // The Gregorian leap year rule is: 
+    // Every year that is exactly divisible by four is a leap year, 
+    // except for years that are exactly divisible by 100, 
+    // but these centurial years are leap years if they are exactly divisible by 400
+    //
+    // https://aa.usno.navy.mil/faq/docs/calendars.php
+    this.isUsedInMod4Operation()
+    and additionalModulusCheckForLeapYear(400)
+    and additionalModulusCheckForLeapYear(100)
+  }
+}
+
+/**
+ * YearFieldAccess for SYSTEMTIME struct
+ */
+class StructSystemTimeLeapYearFieldAccess extends LeapYearFieldAccess {
+  StructSystemTimeLeapYearFieldAccess() {
+    this.toString().matches("wYear") 
+  }
+}
+/**
+ * YearFieldAccess for struct tm
+ */
+class StructTmLeapYearFieldAccess extends LeapYearFieldAccess {
+  StructTmLeapYearFieldAccess() {
+    this.toString().matches("tm_year") 
+  }
+
+  override predicate isUsedInCorrectLeapYearCheck()
+  {
+    this.isUsedInMod4Operation()
+    and additionalModulusCheckForLeapYear(400)
+    and additionalModulusCheckForLeapYear(100)
+    // tm_year represents years since 1900
+    and ( additionalAdditionOrSubstractionCheckForLeapYear(1900)
+          // some systems may use 2000 for 2-digit year conversions
+          or additionalAdditionOrSubstractionCheckForLeapYear(2000)
+          // converting from/to Unix epoch
+          or additionalAdditionOrSubstractionCheckForLeapYear(1970)
+        )
+  }
+}
+
+/**
+ * FunctionCall that includes an operation that is checking for leap year
+ */
+class ChecksForLeapYearFunctionCall extends FunctionCall {
+  ChecksForLeapYearFunctionCall() {
+    exists( Function f, CheckForLeapYearOperation clyo |
+      f.getACallToThisFunction() = this |
+      clyo.getEnclosingFunction() = f
+    )
+  }
+}
+
+/**
+ * DataFlow::Configuration for finding a variable access that would flow into 
+ * a function call that includes an operation to check for leap year
+ */
+class LeapYearCheckConfiguration extends DataFlow::Configuration {
+  LeapYearCheckConfiguration() {
+    this = "LeapYearCheckConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists( VariableAccess va |
+    va = source.asExpr()     
+       )
+  }
+ 
+  override predicate isSink(DataFlow::Node sink) {
+    exists( ChecksForLeapYearFunctionCall fc |
+       sink.asExpr() = fc.getAnArgument()
+    )
+  }
+}
+
+
+/**
+ * DataFlow::Configuration for finding an operation w/hardcoded 365 that will flow into a FILEINFO field
+ */
+class FiletimeYearArithmeticOperationCheckConfiguration extends DataFlow::Configuration {
+  FiletimeYearArithmeticOperationCheckConfiguration() {
+    this = "FiletimeYearArithmeticOperationCheckConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists( Expr e, Operation op |
+      e = source.asExpr() |
+      op.getAChild*().getValue().toInt()=365
+      and op.getAChild*() = e
+       )
+  }
+ 
+  override predicate isSink(DataFlow::Node sink) {
+    exists( StructLikeClass dds, FieldAccess fa, AssignExpr aexpr, Expr e |
+       e = sink.asExpr() |
+         dds instanceof FileTimeStruct
+        and fa.getQualifier().getUnderlyingType() = dds
+        and fa.isModified()
+        and aexpr.getAChild() = fa
+        and aexpr.getChild(1).getAChild*() = e
+    )
+  }
+}
+
+/**
+ * DataFlow::Configuration for finding an operation w/hardcoded 365 that will flow into any known date/time field
+ */
+class PossibleYearArithmeticOperationCheckConfiguration extends DataFlow::Configuration {
+  PossibleYearArithmeticOperationCheckConfiguration() {
+    this = "PossibleYearArithmeticOperationCheckConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists( Expr e, Operation op |
+      e = source.asExpr() |
+      op.getAChild*().getValue().toInt()=365
+      and op.getAChild*() = e
+       )
+  }
+ 
+  override predicate isSink(DataFlow::Node sink) {
+    exists( StructLikeClass dds, FieldAccess fa, AssignExpr aexpr, Expr e |
+       e = sink.asExpr() |
+         (dds instanceof FileTimeStruct
+           or dds instanceof DateDataStruct)
+        and fa.getQualifier().getUnderlyingType() = dds
+        and fa.isModified()
+        and aexpr.getAChild() = fa
+        and aexpr.getChild(1).getAChild*() = e
+    )
+  }
+}