github · xiaoxinz-cisco · Jul 15, 2021 · Jul 15, 2021 · Jul 15, 2021 · Jul 15, 2021
@@ -30,6 +30,6 @@ where
   n > 3 and
   complexStmt = b.getAStmt()
 select b,
-  "Block with too many statements (" + n.toString() +
+  "Test works. Block with too many statements (" + n.toString() +
     " complex statements in the block). Complex statements at: $@", complexStmt,
-  complexStmt.toString()
+  complexStmt.getEnclosingFunction().toString()
@@ -0,0 +1,21 @@
+/**
+ * @name Name: Analyze syslog
+ * @description Description: test
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/analyze-syslog
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+
+
+import cpp
+import semmle.code.cpp.models.interfaces.FormattingFunction
+
+from string format, FormattingFunctionCall fc
+where format = fc.getFormat().getValue() and format.regexpMatch(".*")
+and fc.getTarget().hasName("syslog")
+select fc, "This log message format does not meet the requirements."
@@ -0,0 +1,44 @@
+/**
+ * @name Name: Check macros
+ * @description Description: Ensure that macros like __FUNCTION__, __FILE__ and __LINE__ are part of only debug logs, and not others.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/check-macros
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+import cpp
+import semmle.code.cpp.commons.Printf
+import semmle.code.cpp.models.interfaces.FormattingFunction
+
+// Find the syslog calls that meet two conditions
+
+// 1. First parameter is not "LOG_DEBUG". Such as LOG_ERR.
+
+// 2. Macros in log messages.
+
+// Example: syslog(LOG_ERR, "%s: Failed init_producer", __FUNCTION__);
+
+/*
+Holds if the log macro is debug.
+*/
+predicate isLogDebug(Expr mie) {
+    exists(MacroInvocation mi |
+        mi.getExpr() = mie and
+        (
+          mi.getMacroName() = "LOG_DEBUG"
+        )
+      )
+}
+
+from string format, FormattingFunctionCall fc, int n, string name
+where
+    format = fc.getFormat().getValue() and // format: "%s: Failed init_producer"
+    fc.getTarget().hasName("syslog") and
+    not isLogDebug(fc.getArgument(0)) and
+    name = fc.getConversionArgument(n).toString() and 
+    name in ["__FUNCTION__", "__FILE__", "__LINE__"]
+select fc, "Argument " + n + " of " + fc.toString() + " is " + name
@@ -0,0 +1,49 @@
+/**
+ * @name Discovering program input
+ * @description https://securitylab.github.com/research/bug-hunting-codeql-rsyslog/
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/discover-input
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+import cpp
+
+
+// FunctionCall predicates:
+// getTarget() : Gets the function called by this call.
+
+// inheritated predicate:
+// getFile() : Gets the primary file where this element occurs. 
+
+// getName() : Gets the name of this declaration.
+
+
+class ReadFunctionCall extends FunctionCall {
+	ReadFunctionCall() {
+		this.getTarget().getName() = "pread" or
+		this.getTarget().getName() = "read" or
+		this.getTarget().getName() = "readv" or
+		this.getTarget().getName() = "recvfrom" or
+		this.getTarget().getName() = "recvmsg" or
+		this.getTarget().getName() = "recv"
+	}
+}
+
+from ReadFunctionCall call
+select call.getFile(), call.getEnclosingFunction().toString(), call, "placeholder"
+
+// Notes
+// run this query on rsyslog/rsyslog in LGTM
+// result: https://lgtm.com/query/6984839753043321725/
+// one result example:
+// 	col: /opt/src/action.c 			<--- call.getFile(), https://github.com/rsyslog/rsyslog/blob/master/action.c 
+// 	col1: checkExternalStateFile 	<--- call.getEnclosingFunction()
+// 	call: call to read 				<--- call
+// 		checkExternalStateFile(...):
+// 			...
+// 			r = read(fd, filebuf, sizeof(filebuf) - 1);
+// 			...
@@ -0,0 +1,18 @@
+/**
+ * @name Name: Find ios_*msg
+ * @description Description: Finding all functions with name "ios_*msg"
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/check-macros
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+import cpp
+
+from Function f
+where
+    f.getName().regexpMatch("ios_.*msg")
+select f.getACallToThisFunction(), "Function name is: "+f.getName()
@@ -0,0 +1,18 @@
+/**
+ * @name Name: Find ios_debugmsg
+ * @description Description: Finding all functions with name "ios_debugmsg"
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/ios-msg
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+import cpp
+
+from Function f
+where
+    f.getName().regexpMatch("ios_debugmsg.*")
+select f.getACallToThisFunction(), "Function name is: "+f.getName()
@@ -0,0 +1,18 @@
+/**
+ * @name Name: Find ios_errmsg
+ * @description Description: Finding all functions with name "ios_errmsg"
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/ios-msg
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+import cpp
+
+from Function f
+where
+    f.getName().regexpMatch("ios_errmsg")
+select f.getACallToThisFunction(), "Function name is: "+f.getName()
@@ -0,0 +1,18 @@
+/**
+ * @name Name: Find ios_msg_*
+ * @description Description: Finding all functions with name "ios_msg_*"
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/ios-msg
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+import cpp
+
+from Function f
+where
+    f.getName().regexpMatch("ios_msg_.*")
+select f.getACallToThisFunction(), "Function name is: "+f.getName()
@@ -0,0 +1,37 @@
+/**
+ * @name Name: Contextual language check.
+ * @description Description: Find out the logs that not properly use contextual language.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id cpp/contextual-lang
+ * @tags testability
+ *       readability
+ *       maintainability
+ */
+
+import cpp
+
+// Example:
+// There are "Interface Ethernet1/1 is DOWN"-like logs. 
+// The expected format is "Interface=Ethernet1/1 State=DOWN"
+
+// Examples in xr:
+// 1. 
+// https://gh-xr.scm.engit.cisco.com/xr/iosxr/blob/main/infra/autonomic-networking/common/src/an_event_mgr.c#L270 
+//     DEBUG_AN_LOG(AN_LOG_CD_EVENT, AN_DEBUG_INFO, NULL,
+// "\n%sInterface %s is UP", an_cd_event, an_if_info->if_name); <------------------- 
+
+// 2. 
+// https://gh-xr.scm.engit.cisco.com/xr/iosxr/blob/main/ip/bfd/src/bfd_api_server.c#L11078
+// BFD_DEBUG_TRACE("Filtering scn for session %s" 
+// " Session state is Unknown, SCN state is DOWN"  <------------------- 
+// " and session is not bundle member",
+// bfd_session_key_str(&session->session_key));
+
+from FunctionCall fc, int i
+where
+    fc.getArgument(i).getValue().regexpMatch(".*Interface.*")
+    // fc.getTarget().hasName("DEBUG_AN_LOG")
+    // format.regexpMatch(".*Interface [a-zA-Z0-9/%]+ is (DOWN|UP)")
+select fc, "Function: "+fc.getTarget().getName()+" Log: "+fc.getArgument(i).getValue()