From nobody Fri Oct 18 08:35:28 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+101032+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+101032+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.microsoft.com
ARC-Seal: i=1; a=rsa-sha256; t=1678473955; cv=none;
	d=zohomail.com; s=zohoarc;
	b=YTXPiIe9tDB3gcFPMbKK9EGDxQi3GVDQQiS4wLKa8mcwz56xxlHcyJpdTpS8tyEVuVeFeNJz0iBtJwZX4mFovwO1RmW1WXJGL1lK8ZkDb4R+7Z279F3Cac+LAcSJHBTYu9t3x0v2ZakqgznfTlmV4APynHD6rQSZPzoSxOtt86c=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1678473955;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=w4aEQlJ46J0/hkGwtJKRqYn1+96b1ODxxZO3N8Zl1Kk=;
	b=D1eyk81e2oL/VbmxerQMJTbstHX54iTT6zygEDN0+5WgISXzqxrfmh8xCi82nJXviAejzAc2CWt8MIpmY69mSILPgtQTeYiDcJsCe8Dqf6q4WSuKayanqVgFh7gVsH0xFiY0VFCOVHkcyLvsUloOM5wYb8+bEtctkRBI3PQl1TM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+101032+1787277+3901457@groups.io;
	dmarc=fail header.from=<mikuback@linux.microsoft.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 167847395510940.683074036704284;
 Fri, 10 Mar 2023 10:45:55 -0800 (PST)
Return-Path: <bounce+27952+101032+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id G2KlYY1788612xwngbb0BTCK;
 Fri, 10 Mar 2023 10:45:54 -0800
X-Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182])
 by mx.groups.io with SMTP id smtpd.web10.27829.1678473954307392714
 for <devel@edk2.groups.io>;
 Fri, 10 Mar 2023 10:45:54 -0800
X-Received: from localhost.localdomain (unknown [47.201.8.94])
	by linux.microsoft.com (Postfix) with ESMTPSA id 71FF320C14D5;
	Fri, 10 Mar 2023 10:45:53 -0800 (PST)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 71FF320C14D5
From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io
Cc: Sean Brogan <sean.brogan@microsoft.com>,
	Michael Kubacki <mikuback@linux.microsoft.com>,
	Michael D Kinney <michael.d.kinney@intel.com>
Subject: [edk2-devel] [PATCH v4 12/12] .github/codeql/edk2.qls: Enable CWE
 120, 787, and 805 queries
Date: Fri, 10 Mar 2023 13:42:38 -0500
Message-Id: <20230310184238.2999-13-mikuback@linux.microsoft.com>
In-Reply-To: <20230310184238.2999-1-mikuback@linux.microsoft.com>
References: <20230310184238.2999-1-mikuback@linux.microsoft.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,mikuback@linux.microsoft.com
X-Gm-Message-State: C8pbDKZdrC2MT9EqCxA0J7cSx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1678473954;
 bh=HtcaVCtXtqeQ7tMnZA56MgIF2+qhgHREe7BWKs6AcsA=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=jcVoHo5bX6JlL8Kdbmbxrfnhy/5n74tILwrC4gGowcl410ViXqHvoQs7YD+sjxoevCF
 2Q6PEvd5iqqcKY2LNzx0V3pAj9E3ewyv2kJcR/a44T/DCRHdn/c5c0O5Srgz15zk5FeLz
 Ht4maAf9aDtbi5M0Qilo8AVww2k+Ml3it3A=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1678473956234100005
Content-Type: text/plain; charset="utf-8"

From: Michael Kubacki <michael.kubacki@microsoft.com>

As recommended by CodeQL this change replaces
cpp/potential-buffer-overflow with cpp/overrunning-write-with-float
and cpp/overrunning-write.

Enables:

1. cpp/overrunning-write
   - @name Likely overrunning write
   - @description Buffer write operations that do not control the length
                  data written may overflow
   - @kind problem
   - @problem.severity error
   - @security-severity 9.3
   - @precision high
   - @id cpp/very-likely-overrunning-write
   - @tags reliability
     - security
     - external/cwe/cwe-120
     - external/cwe/cwe-787
     - external/cwe/cwe-805
2. cpp/overrunning-write-with-float
   - @name Potentially overrunning write with float to string conversion
   - @description Buffer write operations that do not control the length
                  of data written may overflow when floating point inputs
                  take extreme values.
   - @kind problem
   - @problem.severity error
   - @security-severity 9.3
   - @precision medium
   - @id cpp/overrunning-write-with-float
   - @tags reliability
     - security
     - external/cwe/cwe-120
     - external/cwe/cwe-787
     - external/cwe/cwe-805
3. cpp/very-likely-overrunning-write
   - @name Likely overrunning write
   - @description Buffer write operations that do not control the length
                  of data written may overflow
   - @kind problem
   - @problem.severity error
   - @security-severity 9.3
   - @precision high
   - @id cpp/very-likely-overrunning-write
   - @tags reliability
     - security
     - external/cwe/cwe-120
     - external/cwe/cwe-787
     - external/cwe/cwe-805

- CWEs:
  - https://cwe.mitre.org/data/definitions/120.html
  - https://cwe.mitre.org/data/definitions/787.html
  - https://cwe.mitre.org/data/definitions/805.html

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Kubacki <mikuback@linux.microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
---
 .github/codeql/edk2.qls | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
index dc2d87764e93..9bea9ba01f24 100644
--- a/.github/codeql/edk2.qls
+++ b/.github/codeql/edk2.qls
@@ -14,8 +14,11 @@
     id: cpp/infinite-loop-with-unsatisfiable-exit-condition
 - include:
     id: cpp/overflow-buffer
+- include:
+    id: cpp/overrunning-write
+- include:
+    id: cpp/overrunning-write-with-float
 - include:
     id: cpp/pointer-overflow-check
 - include:
-    id: cpp/potential-buffer-overflow
-
+    id: cpp/very-likely-overrunning-write
--=20
2.39.2.windows.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101032): https://edk2.groups.io/g/devel/message/101032
Mute This Topic: https://groups.io/mt/97526813/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-