Conversation

@jbj (Contributor) commented Mar 4, 2019

This query is only appropriate for setuid programs. Since such programs are at most 0.1% of all code we analyse, I would say this query has a precision of at most 0.1%.

We can talk about raising the precision to medium if someone can find at least one true positive on https://lgtm.com/rules/2152620561/alerts/.

@jbj jbj added the C++ label Mar 4, 2019
@jbj jbj requested a review from geoffw0 March 4, 2019 08:53
@jbj jbj requested a review from a team as a code owner March 4, 2019 08:53
@geoffw0 (Contributor) left a comment

Is the issue here really the query, or our choices of taint source?

This query is part of the samate suite. It's important it stays there, but I don't have strong feelings about it remaining on LGTM.

@jbj (Contributor, Author) commented Mar 4, 2019

The issue is that the query can't configure its taint sources to be essentially only network data. We're tracking that in https://jira.semmle.com/browse/ODASA-6209. This PR doesn't fix that underlying problem but makes sure it isn't visible on LGTM.

@geoffw0 (Contributor) left a comment

Good enough for now.

@geoffw0 geoffw0 merged commit a3f452b into github:master Mar 4, 2019
@jbj jbj mentioned this pull request Mar 4, 2019