github
diff --git a/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 24 additions & 0 deletions b/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎change-notes/1.26/analysis-csharp.md‎
Lines changed: 29 additions & 0 deletions b/‎change-notes/1.26/analysis-csharp.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 30 additions & 0 deletions b/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql‎
Lines changed: 6 additions & 1 deletion b/‎cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cpp/ql/src/Metrics/Files/FNumberOfTests.ql‎
Lines changed: 3 additions & 0 deletions b/‎cpp/ql/src/Metrics/Files/FNumberOfTests.ql‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cpp/ql/src/Microsoft/SAL.qll‎
Lines changed: 42 additions & 20 deletions b/‎cpp/ql/src/Microsoft/SAL.qll‎
Lines changed: 42 additions & 20 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.cpp‎
Lines changed: 25 additions & 0 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.cpp‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp‎
Lines changed: 25 additions & 0 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.qhelp‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql‎
Lines changed: 19 additions & 0 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql‎
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,24 @@
+# Improvements to C/C++ analysis
+
+The following changes in version 1.26 affect C/C++ analysis in all applications.
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
+| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
+| Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
+
+## Changes to libraries
+
+* The models library now models more taint flows through `std::string`.
+* The `SimpleRangeAnalysis` library now supports multiplications of the form
+  `e1 * e2` when `e1` and `e2` are unsigned.
@@ -0,0 +1,29 @@
+# Improvements to C# analysis
+
+The following changes in version 1.26 affect C# analysis in all applications.
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+
+## Removal of old queries
+
+## Changes to code extraction
+
+* Partial method bodies are extracted. Previously, partial method bodies were skipped completely.
+
+## Changes to libraries
+
+## Changes to autobuilder
+
+## Changes to tooling support
+
+* The Abstract Syntax Tree of C# files can be printed in Visual Studio Code.
@@ -0,0 +1,30 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Support for the following frameworks and libraries has been improved:
+  - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
+  - [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
+  - [javascript-stringify](https://www.npmjs.com/package/javascript-stringify)
+  - [js-stringify](https://www.npmjs.com/package/js-stringify)
+  - [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
+  - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
+  - [json3](https://www.npmjs.com/package/json3)
+  - [object-inspect](https://www.npmjs.com/package/object-inspect)
+  - [pretty-format](https://www.npmjs.com/package/pretty-format)
+  - [stringify-object](https://www.npmjs.com/package/stringify-object)
+
+## New queries
+
+| **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
+|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
+
+
+## Changes to libraries
@@ -50,7 +50,12 @@ predicate illDefinedDecrForStmt(
     DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and
     // `initialCondition` < `terminalCondition`
     (
-      upperBound(initialCondition) < lowerBound(terminalCondition)
+      upperBound(initialCondition) < lowerBound(terminalCondition) and
+      (
+        // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
+        v.getUnspecifiedType().(IntegralType).isSigned() or
+        initialCondition.getValue().toInt() = 0
+      )
       or
       (forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
     )
 
@@ -18,6 +18,9 @@ Expr getTest() {
   or
   // boost tests; http://www.boost.org/
   result.(FunctionCall).getTarget().hasQualifiedName("boost::unit_test", "make_test_case")
+  or
+  // googletest tests; https://github.com/google/googletest/
+  result.(FunctionCall).getTarget().hasQualifiedName("testing::internal", "MakeAndRegisterTestInfo")
 }
 
 from File f, int n
 
@@ -1,5 +1,13 @@
+/**
+ * Provides classes for identifying and reasoning about Microsoft source code
+ * annotation language (SAL) macros.
+ */
+
 import cpp
 
+/**
+ * A SAL macro defined in `sal.h` or a similar header file.
+ */
 class SALMacro extends Macro {
   SALMacro() {
     exists(string filename | filename = this.getFile().getBaseName() |
@@ -20,27 +28,34 @@ class SALMacro extends Macro {
 }
 
 pragma[noinline]
-predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
+private predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
 
+/**
+ * An invocation of a SAL macro (excluding invocations inside other macros).
+ */
 class SALAnnotation extends MacroInvocation {
   SALAnnotation() {
     this.getMacro() instanceof SALMacro and
     isTopLevelMacroAccess(this)
   }
 
-  /** Returns the `Declaration` annotated by `this`. */
+  /** Gets the `Declaration` annotated by `this`. */
   Declaration getDeclaration() {
     annotatesAt(this, result.getADeclarationEntry(), _, _) and
     not result instanceof Type // exclude typedefs
   }
 
-  /** Returns the `DeclarationEntry` annotated by `this`. */
+  /** Gets the `DeclarationEntry` annotated by `this`. */
   DeclarationEntry getDeclarationEntry() {
     annotatesAt(this, result, _, _) and
     not result instanceof TypeDeclarationEntry // exclude typedefs
   }
 }
 
+/**
+ * A SAL macro indicating that the return value of a function should always be
+ * checked.
+ */
 class SALCheckReturn extends SALAnnotation {
   SALCheckReturn() {
     exists(SALMacro m | m = this.getMacro() |
@@ -50,6 +65,10 @@ class SALCheckReturn extends SALAnnotation {
   }
 }
 
+/**
+ * A SAL macro indicating that a pointer variable or return value should not be
+ * `NULL`.
+ */
 class SALNotNull extends SALAnnotation {
   SALNotNull() {
     exists(SALMacro m | m = this.getMacro() |
@@ -69,6 +88,9 @@ class SALNotNull extends SALAnnotation {
   }
 }
 
+/**
+ * A SAL macro indicating that a value may be `NULL`.
+ */
 class SALMaybeNull extends SALAnnotation {
   SALMaybeNull() {
     exists(SALMacro m | m = this.getMacro() |
@@ -79,13 +101,29 @@ class SALMaybeNull extends SALAnnotation {
   }
 }
 
+/**
+ * A parameter annotated by one or more SAL annotations.
+ */
+class SALParameter extends Parameter {
+  /** One of this parameter's annotations. */
+  SALAnnotation a;
+
+  SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
+
+  predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
+
+  predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
+
+  predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
+}
+
 ///////////////////////////////////////////////////////////////////////////////
 // Implementation details
 /**
  * Holds if `a` annotates the declaration entry `d` and
  * its start position is the `idx`th position in `file` that holds a SAL element.
  */
-predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
+private predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
   annotatesAtPosition(a.(SALElement).getStartPosition(), d, file, idx)
 }
 
@@ -109,22 +147,6 @@ private predicate annotatesAtPosition(SALPosition pos, DeclarationEntry d, File
   )
 }
 
-/**
- * A parameter annotated by one or more SAL annotations.
- */
-class SALParameter extends Parameter {
-  /** One of this parameter's annotations. */
-  SALAnnotation a;
-
-  SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
-
-  predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
-
-  predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
-
-  predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
-}
-
 /**
  * A SAL element, that is, a SAL annotation or a declaration entry
  * that may have SAL annotations.
 
@@ -4,7 +4,7 @@
  *              user can result in integer overflow.
  * @kind path-problem
  * @problem.severity error
- * @precision high
+ * @precision medium
  * @id cpp/uncontrolled-allocation-size
  * @tags reliability
  *       security
 
@@ -0,0 +1,25 @@
+///// Library routines /////
+
+int scanf(const char *format, ...);
+int sscanf(const char *str, const char *format, ...);
+int fscanf(const char *str, const char *format, ...);
+
+///// EXAMPLES /////
+
+int main(int argc, char **argv)
+{
+
+    // BAD, do not use scanf without specifying a length first
+    char buf1[10];
+    scanf("%s", buf1);
+
+    // GOOD, length is specified. The length should be one less than the size of the buffer, since the last character is the NULL terminator.
+    char buf2[10];
+    sscanf(buf2, "%9s");
+
+    // BAD, do not use scanf without specifying a length first
+    char file[10];
+    fscanf(file, "%s", buf2);
+
+    return 0;
+}
@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>It is bad practice to use any of the <code>scanf</code> functions without including a specified length within the format parameter, as it will be vulnerable to buffer overflows.</p>
+
+</overview>
+
+<recommendation>
+
+<p>Specify a length within the format string parameter, and make this length one less than the size of the buffer, since the last character should be reserved for the NULL terminator.</p>
+
+</recommendation>
+
+<example>
+<p>The following example demonstrates safe and unsafe uses of <code>scanf</code> type functions.</p>
+<sample src="MemoryUnsafeFunctionScan.cpp" />
+
+</example>
+
+<references>
+</references>
+
+</qhelp>
@@ -0,0 +1,19 @@
+/**
+ * @name Scanf function without a specified length
+ * @description Use of one of the scanf functions without a specified length.
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/memory-unsafe-function-scan
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-120
+ */
+
+import cpp
+import semmle.code.cpp.commons.Scanf
+
+from FunctionCall call, ScanfFunction sff
+where
+  call.getTarget() = sff and
+  call.getArgument(sff.getFormatParameterIndex()).getValue().regexpMatch(".*%l?s.*")
+select call, "Dangerous use of one of the scanf functions"
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,12 @@ predicate illDefinedDecrForStmt(`
`50`	`50`	`DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and`
`51`	`51`	// `initialCondition` < `terminalCondition`
`52`	`52`	`(`
`53`		`- upperBound(initialCondition) < lowerBound(terminalCondition)`
	`53`	`+ upperBound(initialCondition) < lowerBound(terminalCondition) and`
	`54`	`+ (`
	`55`	+ // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
	`56`	`+ v.getUnspecifiedType().(IntegralType).isSigned() or`
	`57`	`+ initialCondition.getValue().toInt() = 0`
	`58`	`+ )`
`54`	`59`	`or`
`55`	`60`	`(forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())`
`56`	`61`	`)`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@ Expr getTest() {`
`18`	`18`	`or`
`19`	`19`	`// boost tests; http://www.boost.org/`
`20`	`20`	`result.(FunctionCall).getTarget().hasQualifiedName("boost::unit_test", "make_test_case")`
	`21`	`+ or`
	`22`	`+ // googletest tests; https://github.com/google/googletest/`
	`23`	`+ result.(FunctionCall).getTarget().hasQualifiedName("testing::internal", "MakeAndRegisterTestInfo")`
`21`	`24`	`}`
`22`	`25`
`23`	`26`	`from File f, int n`