From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"mikuback@linux.microsoft.com" <mikuback@linux.microsoft.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Subject: Re: [edk2-devel] [PATCH v1 11/12] .github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries
Date: Thu, 24 Nov 2022 02:05:49 +0000 [thread overview]
Message-ID: <SA2PR11MB4938637837B6AABB12E140E8D20F9@SA2PR11MB4938.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20221109173246.174-12-mikuback@linux.microsoft.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael Kubacki
> Sent: Wednesday, November 9, 2022 9:33 AM
> To: devel@edk2.groups.io
> Cc: Sean Brogan <sean.brogan@microsoft.com>; Michael Kubacki <mikuback@linux.microsoft.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Subject: [edk2-devel] [PATCH v1 11/12] .github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries
>
> From: Michael Kubacki <michael.kubacki@microsoft.com>
>
> The previous commits fixed issues with these queries across various
> packages. Now that those are resolved, enable the queries in the
> edk2 query set so regressions can be found in the future.
>
> Enables:
>
> 1. cpp/conditionallyuninitializedvariable
> - CWE: https://cwe.mitre.org/data/definitions/457.html
> - @name Conditionally uninitialized variable
> - @description An initialization function is used to initialize a
> local variable, but the returned status code is
> not checked. The variable may be left in an
> uninitialized state, and reading the variable may
> result in undefined behavior.
> - @kind problem
> - @problem.severity warning
> - @security-severity 7.8
> - @id cpp/conditionally-uninitialized-variable
> - @tags security
> - external/cwe/cwe-457
> 2. cpp/pointer-overflow-check
> - CWE: https://cwe.mitre.org/data/definitions/758.html
> - @name Pointer overflow check
> - @description Adding a value to a pointer to check if it
> overflows relies on undefined behavior and
> may lead to memory corruption.
> - @kind problem
> - @problem.severity error
> - @security-severity 2.1
> - @precision high
> - @id cpp/pointer-overflow-check
> - @tags reliability
> - security
> - external/cwe/cwe-758
> 3. cpp/potential-buffer-overflow
> - CWE: https://cwe.mitre.org/data/definitions/676.html
> - @name Potential buffer overflow
> - @description Using a library function that does not check
> buffer bounds requires the surrounding program
> to be very carefully written to avoid buffer
> overflows.
> - @kind problem
> - @id cpp/potential-buffer-overflow
> - @problem.severity warning
> - @security-severity 10.0
> - @tags reliability
> - security
> - external/cwe/cwe-676
> - @deprecated This query is deprecated, use
> Potentially overrunning write
> (`cpp/overrunning-write`) and
> Potentially overrunning write with float to string
> conversion
> (`cpp/overrunning-write-with-float`) instead.
>
> Note that cpp/potential-buffer-overflow is deprecated. This query
> will be updated to the succeeding queries in the next commit. The
> query is used in this commit to show that we considered and tested
> the query in history.
>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Michael Kubacki <mikuback@linux.microsoft.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
> .github/codeql/edk2.qls | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
> index ef9aae790f5f..dc2d87764e93 100644
> --- a/.github/codeql/edk2.qls
> +++ b/.github/codeql/edk2.qls
> @@ -8,7 +8,14 @@
>
> # Enable individual queries below.
>
> +- include:
> + id: cpp/conditionallyuninitializedvariable
> - include:
> id: cpp/infinite-loop-with-unsatisfiable-exit-condition
> - include:
> id: cpp/overflow-buffer
> +- include:
> + id: cpp/pointer-overflow-check
> +- include:
> + id: cpp/potential-buffer-overflow
> +
> --
> 2.28.0.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#96157): https://edk2.groups.io/g/devel/message/96157
> Mute This Topic: https://groups.io/mt/94918106/1643496
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [michael.d.kinney@intel.com]
> -=-=-=-=-=-=
>
next prev parent reply other threads:[~2022-11-24 2:06 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-09 17:32 [PATCH v1 00/12] Enable New CodeQL Queries Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 01/12] MdeModulePkg/SmbiosDxe: Fix pointer and buffer overflow CodeQL alerts Michael Kubacki
2022-11-24 1:28 ` [edk2-devel] " Michael D Kinney
2022-11-24 1:46 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 02/12] BaseTools/PatchCheck.py: Add PCCTS to tab exemption list Michael Kubacki
2022-11-24 1:30 ` Michael D Kinney
2022-11-09 17:32 ` [PATCH v1 03/12] BaseTools/VfrCompile: Fix potential buffer overwrites Michael Kubacki
2022-11-24 1:32 ` [edk2-devel] " Michael D Kinney
2022-11-09 17:32 ` [PATCH v1 04/12] CryptoPkg: Fix conditionally uninitialized variable Michael Kubacki
2022-11-24 1:37 ` [edk2-devel] " Michael D Kinney
2022-11-24 1:47 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 05/12] MdeModulePkg: Fix conditionally uninitialized variables Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 06/12] MdePkg: " Michael Kubacki
2022-11-24 1:53 ` Michael D Kinney
2022-11-24 1:59 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 07/12] NetworkPkg: " Michael Kubacki
2022-11-24 1:59 ` Michael D Kinney
2022-11-09 17:32 ` [PATCH v1 08/12] PcAtChipsetPkg: " Michael Kubacki
2022-11-24 2:00 ` Michael D Kinney
2022-11-24 5:01 ` Ni, Ray
2022-11-09 17:32 ` [PATCH v1 09/12] ShellPkg: " Michael Kubacki
2022-11-24 2:19 ` Gao, Zhichao
2022-11-24 2:36 ` [edk2-devel] " Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 10/12] UefiCpuPkg: " Michael Kubacki
2022-11-24 2:04 ` [edk2-devel] " Michael D Kinney
2022-11-24 2:14 ` Michael Kubacki
2022-11-24 2:31 ` Michael D Kinney
2022-11-24 5:12 ` Ni, Ray
2022-11-28 22:50 ` Michael Kubacki
2022-11-09 17:32 ` [PATCH v1 11/12] .github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries Michael Kubacki
2022-11-24 2:05 ` Michael D Kinney [this message]
2022-11-09 17:32 ` [PATCH v1 12/12] .github/codeql/edk2.qls: Enable CWE 120, 787, and 805 queries Michael Kubacki
2022-11-24 2:06 ` Michael D Kinney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SA2PR11MB4938637837B6AABB12E140E8D20F9@SA2PR11MB4938.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox