C++: First working. We now prefer flagging the cases where the variable was initialized, as in real world cases we haven't seen it done safely.

Author: geoffw0

cpp/ql/src/Critical/MissingCheckScanf.ql

@@ -2,13 +2,18 @@
  * @name TODO
  * @description TODO
  * @kind problem
- * @problem.severity TODO
+ * @problem.severity warning
  * @security-severity TODO
  * @precision TODO
  * @id cpp/missing-check-scanf
  * @tags TODO
  */
 
 import cpp
+import semmle.code.cpp.commons.Scanf
 
-select "TODO"
+from ScanfFunction scanf, FunctionCall fc
+where
+    fc.getTarget() = scanf and
+    fc instanceof ExprInVoidContext
+select fc, "This is a call to scanf."

cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected

@@ -0,0 +1,9 @@
+| test.cpp:23:3:23:7 | call to scanf | This is a call to scanf. |
+| test.cpp:39:3:39:7 | call to scanf | This is a call to scanf. |
+| test.cpp:48:3:48:8 | call to fscanf | This is a call to scanf. |
+| test.cpp:55:3:55:8 | call to sscanf | This is a call to scanf. |
+| test.cpp:135:3:135:7 | call to scanf | This is a call to scanf. |
+| test.cpp:143:3:143:7 | call to scanf | This is a call to scanf. |
+| test.cpp:151:3:151:7 | call to scanf | This is a call to scanf. |
+| test.cpp:163:3:163:7 | call to scanf | This is a call to scanf. |
+| test.cpp:173:3:173:7 | call to scanf | This is a call to scanf. |

cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp

@@ -36,7 +36,7 @@ int main()
 	{
 		int i = 0;
 
-		scanf("%d", &i); // GOOD: we assume the initialization of `i` is a reasonable default
+		scanf("%d", &i); // BAD
 		use(i);
 	}
 
@@ -79,7 +79,7 @@ int main()
 	{
 		int i;
 
-		if (scanf("%d", &i) != 0) // GOOD (just barely)
+		if (scanf("%d", &i) != 0) // BAD: scanf can return -1 [NOT DETECTED]
 		{
 			use(i);
 		}
@@ -88,7 +88,7 @@ int main()
 	{
 		int i;
 
-		if (scanf("%d", &i) == 0) // BAD: checks return value incorrectly
+		if (scanf("%d", &i) == 0) // BAD: checks return value incorrectly [NOT DETECTED]
 		{
 			use(i);
 		}
@@ -119,7 +119,7 @@ int main()
 	{
 		int i, j;
 
-		if (scanf("%d %d", &i) >= 1) // BAD: checks return value incorrectly
+		if (scanf("%d %d", &i, &j) >= 1) // BAD: checks return value incorrectly [NOT DETECTED]
 		{
 			use(i);
 			use(j);
@@ -132,23 +132,23 @@ int main()
 		int i;
 		i = 0;
 
-		scanf("%d", &i); // GOOD
+		scanf("%d", &i); // BAD
 		use(i);
 	}
 
 	{
 		int i;
 
 		set_by_ref(i);
-		scanf("%d", &i); // GOOD: we have to assume `i` was initialized
+		scanf("%d", &i); // BAD
 		use(i);
 	}
 
 	{
 		int i;
 
 		set_by_ptr(&i);
-		scanf("%d", &i); // GOOD: we have to assume `i` was initialized
+		scanf("%d", &i); // BAD
 		use(i);
 	}
 
@@ -164,6 +164,16 @@ int main()
 		use(i);
 	}
 
+	// --- different use ---
+	
+	{
+		int i;
+		int *ptr_i = &i;
+
+		scanf("%d", &i); // BAD: may not have written `i`
+		use(*ptr_i);
+	}
+
 	// --- weird formatting strings ---
 
 	{