Want way to audit C/C++ code against CERT-PRE01-C #15430

Open
@ryao

Description

I do not see any way to use the macro library to write a query that finds violations of CERT-PRE01-C:

https://wiki.sei.cmu.edu/confluence/display/c/PRE01-C.+Use+parentheses+within+macros+around+parameter+names

https://codeql.github.com/codeql-standard-libraries/cpp/semmle/code/cpp/Macro.qll/module.Macro.html

An example of a violation would be #define DOUBLE(x) 2 * x, which does not parenthesize x, such that DOUBLE(1 + 1) would be 3 rather than 4.

CodeQL is powerful enough to check for the analog in functions, although doing so is pointless:

```ql
/**
 * @name Unparenthesized function parameter usage
 * @description Finds instances where function parameters are used without parentheses in the function body.
 * @kind problem
 * @severity recommendation
 * @id cpp/unparenthesized-function-parameter-usage
 */

import cpp

from Parameter param, VariableAccess va, Function f
where
  f = param.getFunction() and
  va.getTarget() = param and
  va.getEnclosingFunction() = f and
  not va.getParent() instanceof ParenthesisExpr
select va, "The parameter '" + param.getName() + "' is used without parentheses in the function '" + f.getName() + "'."
```

I cannot figure out how to do the equivalent for macros. Is there no way, or did I miss something?
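As an added illustration of what a PRE01-C check has to do (this is not part of the issue and not CodeQL code), the following Python script does the check textually: it pulls out function-like `#define` lines, folds backslash continuations, and reports every parameter occurrence in the body that is not immediately wrapped in parentheses. Operands of `#` and `##` are skipped, because they cannot be parenthesized without changing their meaning. The sample source is constructed for the example; the `DOUBLE(x)` macro is the one from the issue, the others are made up to exercise the compliant and exempt cases.

```python
import re

# Constructed sample input (not from the issue): one violating macro, one
# compliant macro, two that use the parameter as an operand of # / ## (cannot
# be parenthesized, so exempt), one fully parenthesized macro, and one
# violating macro spread over a backslash-continued line.
SAMPLE = r"""
#define DOUBLE(x) 2 * x
#define DOUBLE_OK(x) (2 * (x))
#define STR(s) #s
#define CAT(a, b) a ## b
#define MAX(a, b) ((a) > (b) ? (a) : (b))
#define SQUARE(n) n * \
    n
"""

# A function-like macro has no whitespace between the name and '('.
MACRO_RE = re.compile(r'^[ \t]*#[ \t]*define[ \t]+(\w+)\(([^)]*)\)[ \t]*(.*)$')


def join_continuations(src):
    """Fold backslash-newline pairs so each #define is a single logical line."""
    return src.replace("\\\n", " ")


def find_violations(src):
    """Return (macro_name, parameter) pairs for parameters that are used in the
    macro body without being immediately enclosed in parentheses."""
    findings = []
    for line in join_continuations(src).splitlines():
        m = MACRO_RE.match(line)
        if not m:
            continue  # object-like macro or ordinary source line
        name, params, body = m.group(1), m.group(2), m.group(3)
        for param in (p.strip() for p in params.split(",")):
            if not param.isidentifier():
                continue  # skips '...' and empty parameter lists
            for use in re.finditer(r'\b' + re.escape(param) + r'\b', body):
                before = body[:use.start()].rstrip()
                after = body[use.end():].lstrip()
                # Operand of stringizing '#' or token-pasting '##': exempt.
                if before.endswith("#") or after.startswith("##"):
                    continue
                # Immediately enclosed in parentheses: compliant use.
                if before.endswith("(") and after.startswith(")"):
                    continue
                findings.append((name, param))
                break  # report each (macro, parameter) pair once
    return findings


if __name__ == "__main__":
    for macro, param in find_violations(SAMPLE):
        print(f"PRE01-C: parameter '{param}' of macro {macro} is not parenthesized")
```

This is a regex approximation, not a tokenizer: it does not know about string literals or comments inside a macro body, and it only understands the `#`/`##` exemption. The linked Macro.qll exposes a macro's definition body as a string via `getBody()`, so a comparable string-based rule could be written in CodeQL; what the issue is asking for, a structural AST-level check like the function-parameter query above, is a different thing.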

Labels: question