ValidContainerElementAccess: Address new FPs

lcartey · lcartey · commit 585b864eccb3 · 2024-12-04T23:02:33.000Z
We had some new false positives because in 2.18.4 string taint is
tracked into the qualifier of a string operation, such as insert.
This caused us to erroneously identify the container itself as a
reference to an element of the container. This has been addressed
by excluding uses of the owning container from pointer or reference
access.
diff --git a/cpp/common/src/codingstandards/cpp/Iterators.qll b/cpp/common/src/codingstandards/cpp/Iterators.qll
@@ -37,7 +37,9 @@ class ContainerPointerOrReferenceAccess extends ContainerAccess {
       ) and
       localTaint(DataFlow::exprNode(fc), DataFlow::exprNode(this)) and
       (getUnderlyingType() instanceof ReferenceType or getUnderlyingType() instanceof PointerType) and
-      fc.getQualifier().(VariableAccess).getTarget() = owningContainer
+      fc.getQualifier().(VariableAccess).getTarget() = owningContainer and
+      // Exclude cases where we see taint into the owning container
+      not this = owningContainer.getAnAccess()
     )
   }
 
diff --git a/cpp/common/test/rules/validcontainerelementaccess/ValidContainerElementAccess.expected b/cpp/common/test/rules/validcontainerelementaccess/ValidContainerElementAccess.expected
@@ -7,6 +7,4 @@
 | test.cpp:89:15:89:16 | it | Elements of $@ not accessed with valid reference, pointer, or iterator because of a prior $@. | test.cpp:86:20:86:20 | d | container | test.cpp:92:7:92:12 | call to insert | invalidation |
 | test.cpp:91:9:91:10 | it | Elements of $@ not accessed with valid reference, pointer, or iterator because of a prior $@. | test.cpp:86:20:86:20 | d | container | test.cpp:92:7:92:12 | call to insert | invalidation |
 | test.cpp:98:56:98:58 | loc | Elements of $@ not accessed with valid reference, pointer, or iterator because of a prior $@. | test.cpp:96:44:96:46 | str | container | test.cpp:99:9:99:14 | call to insert | invalidation |
-| test.cpp:99:5:99:7 | str | Elements of $@ not accessed with valid reference, pointer, or iterator because of a prior $@. | test.cpp:96:44:96:46 | str | container | test.cpp:99:9:99:14 | call to insert | invalidation |
 | test.cpp:99:16:99:18 | loc | Elements of $@ not accessed with valid reference, pointer, or iterator because of a prior $@. | test.cpp:96:44:96:46 | str | container | test.cpp:99:9:99:14 | call to insert | invalidation |
-| test.cpp:106:11:106:13 | str | Elements of $@ not accessed with valid reference, pointer, or iterator because of a prior $@. | test.cpp:103:45:103:47 | str | container | test.cpp:106:15:106:20 | call to insert | invalidation |

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,9 @@ class ContainerPointerOrReferenceAccess extends ContainerAccess {`
`37`	`37`	`) and`
`38`	`38`	`localTaint(DataFlow::exprNode(fc), DataFlow::exprNode(this)) and`
`39`	`39`	`(getUnderlyingType() instanceof ReferenceType or getUnderlyingType() instanceof PointerType) and`
`40`		`- fc.getQualifier().(VariableAccess).getTarget() = owningContainer`
	`40`	`+ fc.getQualifier().(VariableAccess).getTarget() = owningContainer and`
	`41`	`+ // Exclude cases where we see taint into the owning container`
	`42`	`+ not this = owningContainer.getAnAccess()`
`41`	`43`	`)`
`42`	`44`	`}`
`43`	`45`