From 47800f460ae7be25bd706b0fd84e7b6446615063 Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Wed, 5 Feb 2025 14:11:44 -0800
Subject: [PATCH 01/12] Suite updates to add additional queries
---
 src/codeql-pack.lock.yml | 24 +++++++++++++----------
 src/qlpack.yml | 5 +++--
 suites/windows_driver_mustfix.qls | 28 +++++++++++++++++++++++++--
 suites/windows_driver_recommended.qls | 23 +++++++++++++++++++++-
 4 files changed, 65 insertions(+), 15 deletions(-)
diff --git a/src/codeql-pack.lock.yml b/src/codeql-pack.lock.yml
index 1836bdf0..1d64842c 100644
--- a/src/codeql-pack.lock.yml
+++ b/src/codeql-pack.lock.yml
@@ -2,23 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/cpp-all:
- version: 3.1.0
+ version: 3.2.0
 codeql/dataflow:
- version: 1.1.8
+ version: 1.1.9
 codeql/mad:
- version: 1.0.14
+ version: 1.0.15
 codeql/rangeanalysis:
- version: 1.0.14
+ version: 1.0.15
 codeql/ssa:
- version: 1.0.14
+ version: 1.0.15
+ codeql/suite-helpers:
+ version: 1.0.15
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.15
 codeql/typeflow:
- version: 1.0.14
+ version: 1.0.15
 codeql/typetracking:
- version: 1.0.14
+ version: 1.0.15
 codeql/util:
- version: 2.0.1
+ version: 2.0.2
 codeql/xml:
- version: 1.0.14
+ version: 1.0.15
+ microsoft/cpp-queries:
+ version: 0.0.1
 compiled: false
diff --git a/src/qlpack.yml b/src/qlpack.yml
index fed90a6b..393c775e 100644
--- a/src/qlpack.yml
+++ b/src/qlpack.yml
@@ -2,9 +2,10 @@
 # Licensed under the MIT license.
 name: microsoft/windows-drivers
-version: 1.3.0
+version: 1.4.0
 dependencies:
- codeql/cpp-all: 3.1.0
+ codeql/cpp-all: 3.2.0
+ microsoft/cpp-queries: 0.0.1
 suites: windows-driver-suites
 defaultSuiteFile: windows-driver-suites/windows_recommended_partial.qls
 extractor: cpp
diff --git a/suites/windows_driver_mustfix.qls b/suites/windows_driver_mustfix.qls
index fa217729..3d078078 100644
--- a/suites/windows_driver_mustfix.qls
+++ b/suites/windows_driver_mustfix.qls
@@ -3,8 +3,8 @@
 - description: Security queries required to fix when certifying Windows Drivers
 - queries: .
- from: codeql/cpp-queries
- version: 0.9.0
+ from: microsoft/cpp-queries
+ version: 0.0.1
 - include:
 query path:
 - Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
@@ -12,5 +12,29 @@
 - Likely Bugs/Underspecified Functions/TooFewArguments.ql
 - Security/CWE/CWE-190/ComparisonWithWiderType.ql
 - Security/CWE/CWE-253/HResultBooleanConversion.ql
+ - Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ - Microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
+ - Microsoft/Security/Cryptography/BannedEncryption.ql
+ - Microsoft/Security/Cryptography/BannedModesCAPI.ql
+ - Microsoft/Security/Cryptography/BannedModesCNG.ql
+ - Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ - Security/CWE/CWE-676/DangerousUseOfCin.ql
+ - Security/CWE/CWE-078/ExecTainted.ql
+ - Microsoft/Security/Cryptography/HardcodedIVCNG.ql
+ - Security/CWE/CWE-253/HResultBooleanConversion.ql
+ - Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+ - Microsoft/Likely Bugs/Drivers/IncorrectUsageOfRtlCompareMemory.ql
+ - Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ - Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ - Security/CWE/CWE-120/OverrunWrite.ql
+ - Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ - Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ - Microsoft/Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql
+ - Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ - Likely Bugs/OO/UnsafeUseOfThis.ql
+ - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ - Security/CWE/CWE-704/WcharCharConversion.ql
+
 - import: windows-driver-suites/windows_mustfix_partial.qls
 from: microsoft/windows-drivers
diff --git a/suites/windows_driver_recommended.qls b/suites/windows_driver_recommended.qls
index d92098ce..a39674f0 100644
--- a/suites/windows_driver_recommended.qls
+++ b/suites/windows_driver_recommended.qls
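Review bot: `Security/CWE/CWE-253/HResultBooleanConversion.ql` ends up listed twice in the resulting include block — once as the unchanged line just above the added entries and again inside them — so the added duplicate should be dropped. The first hunk also swaps the query source from `codeql/cpp-queries` 0.9.0 to `microsoft/cpp-queries` 0.0.1; that pin has to stay equal to the `microsoft/cpp-queries: 0.0.1` dependency this commit adds to src/qlpack.yml, and a comment such as `# must match microsoft/cpp-queries in src/qlpack.yml` above the `version:` line would make the coupling visible. A 0.0.x pin of a newly introduced pack looks like a pre-release; it is worth confirming that every `Microsoft/...` path resolves at that version before this suite is relied on for certification.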
@@ -29,4 +29,25 @@
 - Likely Bugs/Memory Management/PointerOverflow.ql
 - Likely Bugs/Underspecified Functions/TooFewArguments.ql
 - Security/CWE/CWE-190/ComparisonWithWiderType.ql
- - Security/CWE/CWE-253/HResultBooleanConversion.ql
\ No newline at end of file
+ - Security/CWE/CWE-253/HResultBooleanConversion.ql
+ - Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ - Likely Bugs/Conversion/BadOverflowGuard.ql
+ - Security/Cryptography/BannedEncryption.ql
+ - Security/Cryptography/BannedModesCAPI.ql
+ - Security/Cryptography/BannedModesCNG.ql
+ - Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ - Security/CWE/CWE-676/DangerousUseOfCin.ql
+ - Security/CWE/CWE-078/ExecTainted.ql
+ - Security/Cryptography/HardcodedIVCNG.ql
+ - Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+ - experimental/Windows/SystemCalls/IncorrectUsageOfRtlCompareMemory.ql
+ - Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ - Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ - Security/CWE/CWE-120/OverrunWrite.ql
+ - Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ - Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ - Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql
+ - Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ - Likely Bugs/OO/UnsafeUseOfThis.ql
+ - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
\ No newline at end of file
From 21f71505ed5cd15bd77a615eda61035b516427af Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Wed, 19 Feb 2025 11:25:45 -0800
Subject: [PATCH 02/12] update windows_driver_mustfix.qls
---
 src/codeql-pack.lock.yml | 4 +++
 src/drivers/test/build_create_analyze_test.py | 33 +++++++++++--------
 src/qlpack.yml | 1 +
 suites/windows_driver_mustfix.qls | 4 +--
 4 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/src/codeql-pack.lock.yml b/src/codeql-pack.lock.yml
index 2251772c..36cff06d 100644
--- a/src/codeql-pack.lock.yml
+++ b/src/codeql-pack.lock.yml
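Review bot: The added entries are spelled without the `Microsoft/` prefix (`Likely Bugs/Conversion/BadOverflowGuard.ql`, `Security/Cryptography/BannedEncryption.ql`, `Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql`, and `experimental/Windows/SystemCalls/IncorrectUsageOfRtlCompareMemory.ql`), whereas the mustfix suite in this same commit lists the same queries as `Microsoft/...` from `microsoft/cpp-queries`. The `queries:`/`from:` block this list belongs to lies above the hunk; if it still names the original `codeql/cpp-queries` pack, an `include` path that matches no query is silently empty and these checks never run, so the paths and the source pack should be aligned with the mustfix suite. The file also still ends without a trailing newline after the last entry.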
@@ -11,6 +11,8 @@ dependencies:
 version: 1.0.16
 codeql/ssa:
 version: 1.0.16
+ codeql/suite-helpers:
+ version: 1.0.16
 codeql/tutorial:
 version: 1.0.16
 codeql/typeflow:
@@ -21,4 +23,6 @@ dependencies:
 version: 2.0.3
 codeql/xml:
 version: 1.0.16
+ microsoft/cpp-queries:
+ version: 0.0.2
 compiled: false
diff --git a/src/drivers/test/build_create_analyze_test.py b/src/drivers/test/build_create_analyze_test.py
index 1fddd838..57797bf3 100644
--- a/src/drivers/test/build_create_analyze_test.py
+++ b/src/drivers/test/build_create_analyze_test.py
@@ -189,7 +189,7 @@ def upload_results_to_azure(file_to_upload, file_name, file_directory):
 file_service = FileService(connection_string=args.connection_string)
 file_service.create_file_from_path(share_name=args.share_name, file_name=file_name, directory_name=file_directory, local_file_path=file_to_upload, content_settings=ContentSettings(content_type='application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'))
-def download_file_from_azure(file_to_download, file_name, file_directory):
+def download_file_from_azure(out_file_path, file_name, file_directory):
 """
 Downloads a file from Azure.
@@ -200,7 +200,7 @@ def download_file_from_azure(file_to_download, file_name, file_directory):
 None
 """
 file_service = FileService(connection_string=args.connection_string)
- file = file_service.get_file_to_path(share_name=args.share_name, file_name=file_name, directory_name=file_directory, file_path=file_to_download)
+ file = file_service.get_file_to_path(share_name=args.share_name, file_name=file_name, directory_name=file_directory, file_path=out_file_path)
 return file.name
 def get_git_root():
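Review bot: Renaming the parameter to `out_file_path` leaves the docstring of download_file_from_azure out of date: its parameter section sits between the two hunks and is not shown, but presumably still describes `file_to_download`, and should become something like `out_file_path: local path the downloaded file is written to (passed as file_path to get_file_to_path)`. The only caller visible passes the argument by keyword, so any other keyword caller outside this diff fails at call time rather than at import; a repository-wide search for `file_to_download=` before merging is cheap insurance. The summary line could also say that the function returns the downloaded file's name (`return file.name`), which the existing "None" line under the return section appears to contradict.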
@@ -250,7 +250,7 @@ def find_ql_test_paths(directory, extension):
 # exclude wfp folder until correct test template is added
 ignore_paths = ["wfp", "QueryTemplate", "TestTemplate", ".vs"]
 root = root.replace("\\", "/")
- if any(path in ignore_paths for x in root.split("/")):
+ if any(path in ignore_paths for path in root.split("/")):
 print_conditionally("Skipping: " + root)
 continue
 if "TestTemplate" in root:
@@ -265,6 +265,7 @@ def find_ql_test_paths(directory, extension):
 ql_obj = ql_test_attributes(use_ntifs=use_ntifs, use_cpp=use_cpp)
 ql_obj.set_use_cpp(use_cpp)
 ql_files_map[os.path.join(root, file)] = ql_obj
+ print_conditionally("Found: " + os.path.join(root, file))
 return ql_files_map
@@ -838,9 +839,8 @@ def compare_health_results(curr_results_path):
 try:
 prev_results = 'azure-'+curr_results_path
 print_conditionally("Downloading previous results from Azure: " + prev_results)
- temp_file = download_file_from_azure(file_to_download=prev_results,
+ _ = download_file_from_azure(out_file_path=prev_results,
 file_name=curr_results_path, file_directory="")
- print_conditionally("Downloaded previous results: " + temp_file)
 except Exception as e:
 if "ResourceNotFound" in str(e):
@@ -889,6 +889,19 @@ def compare_health_results(curr_results_path):
 if not args.local_result_storage:
 # upload new results to Azure
+ if args.overwrite_azure_results:
+ print("!! Overwriting Azure results !!")
+ print("Type 'yes' to confirm")
+ confirm = input()
+ if confirm != "yes":
+ print("Exiting")
+ exit(1)
+ else:
+ double_confirm = input("Are you sure?")
+ if double_confirm != "yes":
+ print("Exiting")
+ exit(1)
+
 if args.overwrite_azure_results:
 print_conditionally("Uploading results")
 upload_results_to_azure(file_to_upload=curr_results_path,
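Review bot: The `--overwrite_azure_results` confirmation now lives inside compare_health_results, but that function is called once per results workbook (the `compare_health_results("detailed"+result_file)` / `compare_health_results(result_file)` pairs appear as context in the next patch), so the two-step prompt repeats for each file and only fires after the full build and analysis have completed; in a non-interactive run `input()` raises EOFError at that point and the whole run's work is thrown away. The block removed from the argument-parsing section in the `@@ -1008` hunk below had the better position — prompt once, up front — and compare_health_results should stay free of interactive I/O; the new block also duplicates the `if args.overwrite_azure_results:` guard that already wraps the upload directly beneath it, so at minimum nest the confirmation inside that existing guard. `exit(1)` should be `sys.exit(1)` in both places, since the bare `exit` is the site-module helper and is absent under `python -S`. The `input("Are you sure?")` prompt should also spell out the accepted answer, e.g. `input("Are you sure? Type 'yes' to continue: ")`.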
@@ -1008,15 +1021,7 @@ def find_sln_file(path):
 parser.add_argument('--overwrite_azure_results', help='Overwrite Azure results',action='store_true',required=False,)
 parser.add_argument('--build_database_only', help='Build database only',action='store_true',required=False,)
 args = parser.parse_args()
-
- if args.overwrite_azure_results:
- print("Overwriting Azure results")
- print("Type 'yes' to confirm")
- confirm = input()
- if confirm != "yes":
- print("Exiting")
- exit(1)
-
+
 if args.codeql_path:
 codeql_path = args.codeql_path
 else:
diff --git a/src/qlpack.yml b/src/qlpack.yml
index a56d6d74..bb81dbd5 100644
--- a/src/qlpack.yml
+++ b/src/qlpack.yml
@@ -5,6 +5,7 @@ name: microsoft/windows-drivers
 version: 1.4.1
 dependencies:
 codeql/cpp-all: 4.0.0
+ microsoft/cpp-queries: 0.0.2
 suites: windows-driver-suites
 defaultSuiteFile: windows-driver-suites/windows_recommended_partial.qls
 extractor: cpp
diff --git a/suites/windows_driver_mustfix.qls b/suites/windows_driver_mustfix.qls
index 3d078078..280a0c8b 100644
--- a/suites/windows_driver_mustfix.qls
+++ b/suites/windows_driver_mustfix.qls
@@ -4,7 +4,7 @@
 - description: Security queries required to fix when certifying Windows Drivers
 - queries: .
 from: microsoft/cpp-queries
- version: 0.0.1
+ version: 0.0.2
 - include:
 query path:
 - Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
@@ -34,7 +34,7 @@
 - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
 - Likely Bugs/OO/UnsafeUseOfThis.ql
 - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
- - Security/CWE/CWE-704/WcharCharConversion.ql
+ - Security/CWE/CWE-704/WcharCharConversion.ql
 - import: windows-driver-suites/windows_mustfix_partial.qls
 from: microsoft/windows-drivers
From 5afa9464eeddc6977ce0f465d792efd0c1c97760 Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Wed, 19 Feb 2025 11:28:37 -0800
Subject: [PATCH 03/12] update readme
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f1576298..38a5633b 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ This repository contains open-source components for supplemental use in developi
 | CodeQL CLI version | microsoft/windows-drivers qlpack version | codeql/cpp-queries version |Associated Repo Branch|
 |--------------------------|-------------------------------------------|------------------------|------------------------|
-| 2.15.4 | latest | latest |main |
+| latest | latest | latest |main |
 ### For Windows Hardware Compatibility Program Use
From 6a121ea151e771658f2a92a07d2520c2b1e7a9d5 Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Wed, 19 Feb 2025 14:12:41 -0800
Subject: [PATCH 04/12] qlpack version update
---
 .github/workflows/build-codeql.yaml | 4 +-
 src/drivers/test/build_create_analyze_test.py | 44 +++++++++----------
 src/qlpack.yml | 2 +-
 3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/build-codeql.yaml b/.github/workflows/build-codeql.yaml
index 2c9a8b36..124a47f6 100644
--- a/.github/workflows/build-codeql.yaml
+++ b/.github/workflows/build-codeql.yaml
@@ -14,7 +14,7 @@ on:
 workflow_dispatch:
 env:
- CODEQL_VERSION: 2.20.1
+ CODEQL_VERSION: 2.20.4
 jobs:
 build:
@@ -214,7 +214,7 @@ jobs:
 try{$old_qlpack_version = [version]($qlpack_changes -match "-version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 }
 try{$new_qlpack_version = [version]($qlpack_changes -match "\+version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 }
- if ($new_qlpack_version -gt $old_qlpack_version) { exit 0 } else { "qlpack.yml version not incremented"; exit 1 }
+ if ($new_qlpack_version -gt $old_qlpack_version) { exit 0 } else { "qlpack.yml version not incremented. Previously updated to version $old_qlpack_version, current version $new_qlpack_version"; exit 1 }
 test-create-dvl:
 runs-on: windows-latest
diff --git a/src/drivers/test/build_create_analyze_test.py b/src/drivers/test/build_create_analyze_test.py
index 57797bf3..97abfff1 100644
--- a/src/drivers/test/build_create_analyze_test.py
+++ b/src/drivers/test/build_create_analyze_test.py
@@ -781,14 +781,14 @@ def run_tests_external_drivers(ql_tests_dict):
 result_file = "external_drivers_results.xlsx"
 with pd.ExcelWriter(result_file) as writer:
 health_df.to_excel(writer, sheet_name="Results")
- codeql_version_df.to_excel(writer, sheet_name="CodeQL Version")
- codeql_packs_df.to_excel(writer, sheet_name="CodeQL Packs")
- system_info_df.to_excel(writer, sheet_name="System Info")
+ local_codeql_version_df.to_excel(writer, sheet_name="Local CodeQL Version")
+ local_codeql_packs_df.to_excel(writer, sheet_name="Local CodeQL Packs")
+ local_system_info_df.to_excel(writer, sheet_name="Local System Info")
 with pd.ExcelWriter("detailed" + result_file) as writer:
 detailed_health_df.to_excel(writer, sheet_name="Results")
- codeql_version_df.to_excel(writer, sheet_name="CodeQL Version")
- codeql_packs_df.to_excel(writer, sheet_name="CodeQL Packs")
- system_info_df.to_excel(writer, sheet_name="System Info")
+ local_codeql_version_df.to_excel(writer, sheet_name="Local CodeQL Version")
+ local_codeql_packs_df.to_excel(writer, sheet_name="Local CodeQL Packs")
+ local_system_info_df.to_excel(writer, sheet_name="Local System Info")
 if args.compare_results:
 compare_health_results("detailed"+result_file)
 compare_health_results(result_file)
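Review bot: The two `with pd.ExcelWriter(...)` blocks in this hunk, and the identical pair in run_tests in the `@@ -947` hunk below, now spell out the same three sheet names and the same module-level `local_*` DataFrames four times; compare_health_results reads those sheets back by position (`sheet_name=1`, `2`, `3`), so a future edit to one copy that reorders or drops a sheet silently mismatches the others. A small helper keeps the order in one place and documents that contract; run_tests_external_drivers continues outside the hunk.
```python
def write_results_workbook(path, results_df):
    """Write results_df plus the local CodeQL/pack/system-info sheets to path.

    Sheet order matters: compare_health_results reads sheets 1-3 back by index.
    """
    with pd.ExcelWriter(path) as writer:
        results_df.to_excel(writer, sheet_name="Results")
        local_codeql_version_df.to_excel(writer, sheet_name="Local CodeQL Version")
        local_codeql_packs_df.to_excel(writer, sheet_name="Local CodeQL Packs")
        local_system_info_df.to_excel(writer, sheet_name="Local System Info")

# … in run_tests_external_drivers (and likewise in run_tests) …
write_results_workbook(result_file, health_df)
write_results_workbook("detailed" + result_file, detailed_health_df)
```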
@@ -853,7 +853,7 @@ def compare_health_results(curr_results_path):
 prev_results_df = pd.read_excel(prev_results, index_col=0, sheet_name=0)
 prev_results_codeql_version_df = pd.read_excel(prev_results, index_col=0, sheet_name=1)
 prev_results_codeql_packs_df = pd.read_excel(prev_results, index_col=0, sheet_name=2)
- prev_results_system_info_df = pd.read_excel(prev_results, index_col=0, sheet_name=3)
+ prev_results_local_system_info_df = pd.read_excel(prev_results, index_col=0, sheet_name=3)
 curr_results_df = pd.read_excel(curr_results_path, index_col=0, sheet_name=0)
 print_conditionally("Comparing results...")
 print_conditionally("Previous results: ", prev_results)
@@ -879,12 +879,12 @@ def compare_health_results(curr_results_path):
 with pd.ExcelWriter("diff" + curr_results_path) as writer:
 diff_results.to_excel(writer, sheet_name="Diff")
- codeql_version_df.to_excel(writer, sheet_name="Current CodeQL Version")
- codeql_packs_df.to_excel(writer, sheet_name="Current CodeQL Packs")
- system_info_df.to_excel(writer, sheet_name="Current System Info")
- prev_results_codeql_version_df.to_excel(writer, sheet_name="Previous CodeQL Version")
- prev_results_codeql_packs_df.to_excel(writer, sheet_name="Previous CodeQL Packs")
- prev_results_system_info_df.to_excel(writer, sheet_name="Previous System Info")
+ local_codeql_version_df.to_excel(writer, sheet_name="Local CodeQL Version")
+ local_codeql_packs_df.to_excel(writer, sheet_name="Local CodeQL Packs")
+ local_system_info_df.to_excel(writer, sheet_name="Local System Info")
+ prev_results_codeql_version_df.to_excel(writer, sheet_name="Last Stored CodeQL Version")
+ prev_results_codeql_packs_df.to_excel(writer, sheet_name="Last Stored CodeQL Packs")
+ prev_results_local_system_info_df.to_excel(writer, sheet_name="Last Stored System Info")
 print_conditionally("Saved diff results")
 if not args.local_result_storage:
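Review bot: Only `prev_results_system_info_df` is renamed to `prev_results_local_system_info_df` while its siblings `prev_results_codeql_version_df` and `prev_results_codeql_packs_df` keep the old scheme, and the "local" infix is misleading for a frame read from the previously stored workbook — the very sheet the second hunk now labels "Last Stored System Info". Either revert this one rename or rename all three consistently. The `sheet_name=1`, `2`, `3` reads are coupled to the order the run_tests writers emit; a comment such as `# sheets 1-3 must match the order written by run_tests / run_tests_external_drivers` on the first read would make that contract explicit. compare_health_results starts before and continues after these hunks.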
@@ -947,14 +947,14 @@ def run_tests(ql_tests_dict):
 result_file = "functiontestresults.xlsx"
 with pd.ExcelWriter(result_file) as writer:
 health_df.to_excel(writer, sheet_name="Results")
- codeql_version_df.to_excel(writer, sheet_name="CodeQL Version")
- codeql_packs_df.to_excel(writer, sheet_name="CodeQL Packs")
- system_info_df.to_excel(writer, sheet_name="System Info")
+ local_codeql_version_df.to_excel(writer, sheet_name="Local CodeQL Version")
+ local_codeql_packs_df.to_excel(writer, sheet_name="Local CodeQL Packs")
+ local_system_info_df.to_excel(writer, sheet_name="Local System Info")
 with pd.ExcelWriter("detailed"+result_file) as writer:
 detailed_health_df.to_excel(writer, sheet_name="Results")
- codeql_version_df.to_excel(writer, sheet_name="CodeQL Version")
- codeql_packs_df.to_excel(writer, sheet_name="CodeQL Packs")
- system_info_df.to_excel(writer, sheet_name="System Info")
+ local_codeql_version_df.to_excel(writer, sheet_name="Local CodeQL Version")
+ local_codeql_packs_df.to_excel(writer, sheet_name="Local CodeQL Packs")
+ local_system_info_df.to_excel(writer, sheet_name="Local System Info")
 if args.compare_results:
 compare_health_results("detailed"+result_file)
 compare_health_results(result_file)
@@ -1028,11 +1028,11 @@ def find_sln_file(path):
 codeql_path = "codeql"
 codeql_version = subprocess.run([codeql_path, "version"], capture_output=True) # test codeql is working
- codeql_version_df = pd.DataFrame([x for x in codeql_version.stdout.decode().split('\n')])
+ local_codeql_version_df = pd.DataFrame([x for x in codeql_version.stdout.decode().split('\n')])
 codeql_packs = subprocess.run([codeql_path, "resolve", "qlpacks"], capture_output=True)
- codeql_packs_df = pd.DataFrame([x for x in codeql_packs.stdout.decode().split('\n')])
+ local_codeql_packs_df = pd.DataFrame([x for x in codeql_packs.stdout.decode().split('\n')])
 system_info = subprocess.run(["systeminfo"], capture_output=True)
- system_info_df = pd.DataFrame([x for x in system_info.stdout.decode().split('\n')])
+ local_system_info_df = pd.DataFrame([x for x in system_info.stdout.decode().split('\n')])
 if args.compare_results_no_build:
diff --git a/src/qlpack.yml b/src/qlpack.yml
index bb81dbd5..7a67d637 100644
--- a/src/qlpack.yml
+++ b/src/qlpack.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT license.
 name: microsoft/windows-drivers
-version: 1.4.1
+version: 1.4.2
 dependencies:
 codeql/cpp-all: 4.0.0
 microsoft/cpp-queries: 0.0.2
From 8c7e741027c20b9fe30d59d47ff5ac8c8d3dfbe4 Mon Sep 17 00:00:00 2001
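Review bot: The three renamed lines wrap `.split('\n')` in an identity comprehension; `local_codeql_version_df = pd.DataFrame(codeql_version.stdout.decode().split('\n'))` is equivalent and reads directly, and the same applies to the packs and systeminfo lines. `.decode()` with no arguments assumes UTF-8 output from `codeql` and especially from `systeminfo`, which on a non-UTF-8 console code page can raise and abort the whole run before any test starts; `.decode(errors="replace")`, or `capture_output=True, text=True` on the `subprocess.run` calls, avoids that. These assignments appear to be module-level globals that run_tests, run_tests_external_drivers and compare_health_results read — a comment such as `# module-level environment snapshots written into every results workbook` above the first one would tell a reader where they are consumed. The enclosing block starts before the hunk.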
From: jacob-ronstadt
Date: Fri, 21 Feb 2025 16:26:28 -0800
Subject: [PATCH 05/12] update query packs
---
 .../PointerVariableSize.ql | 2 +-
 .../DeviceInitApi/DeviceInitApi.ql | 2 +-
 src/qlpack.yml | 4 +-
 src/windows-driver-suites/mustfix.qls | 42 ++++++++++
 src/windows-driver-suites/recommended.qls | 76 +++++++++++++++++++
 .../windows_mustfix_partial.qls | 10 ---
 .../windows_recommended_partial.qls | 36 ---------
 suites/windows_driver_mustfix.qls | 35 +--------
 suites/windows_driver_recommended.qls | 49 +-----------
 9 files changed, 125 insertions(+), 131 deletions(-)
 create mode 100644 src/windows-driver-suites/mustfix.qls
 create mode 100644 src/windows-driver-suites/recommended.qls
 delete mode 100644 src/windows-driver-suites/windows_mustfix_partial.qls
 delete mode 100644 src/windows-driver-suites/windows_recommended_partial.qls
diff --git a/src/drivers/general/queries/PointerVariableSize/PointerVariableSize.ql b/src/drivers/general/queries/PointerVariableSize/PointerVariableSize.ql
index 7cfa953e..9310a832 100644
--- a/src/drivers/general/queries/PointerVariableSize/PointerVariableSize.ql
+++ b/src/drivers/general/queries/PointerVariableSize/PointerVariableSize.ql
@@ -21,7 +21,7 @@ import cpp
-from SizeofExprOperator e, VariableAccess va, AddressOfExpr a
+from SizeofExprOperator e, VariableAccess va
 where
 va = e.getExprOperand() and
 va.getTarget().getUnspecifiedType() instanceof PointerType
diff --git a/src/drivers/kmdf/queries/experimental/DeviceInitApi/DeviceInitApi.ql b/src/drivers/kmdf/queries/experimental/DeviceInitApi/DeviceInitApi.ql
index 1f98f816..6c8fae84 100644
--- a/src/drivers/kmdf/queries/experimental/DeviceInitApi/DeviceInitApi.ql
+++ b/src/drivers/kmdf/queries/experimental/DeviceInitApi/DeviceInitApi.ql
@@ -7,7 +7,7 @@
 * @kind path-problem
 * @problem.severity error
 * @precision medium
- * @id cpp/windows/wdk/kmdf/DeviceInitApi
+ * @id cpp/windows/wdk/kmdf/device-init-api
 * @tags correctness
 * @query-version v1
 */
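Review bot: Changing `@id` from `cpp/windows/wdk/kmdf/DeviceInitApi` to `cpp/windows/wdk/kmdf/device-init-api` changes the rule identity that SARIF consumers, code-scanning alert history and in-source suppression comments (`lgtm[...]` / `codeql[...]`) key on; any existing alerts for this query will close and reappear under the new id, and old suppressions stop matching. If the rename is intended for kebab-case consistency with the other query ids, say so in the query's changelog, and consider whether `@query-version v1` — left unchanged in this hunk — should move as well so the change is visible to anyone diffing result sets. The query header block starts before the hunk.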
diff --git a/src/qlpack.yml b/src/qlpack.yml
index 7a67d637..de72cb89 100644
--- a/src/qlpack.yml
+++ b/src/qlpack.yml
@@ -2,12 +2,12 @@
 # Licensed under the MIT license.
 name: microsoft/windows-drivers
-version: 1.4.2
+version: 1.5.0
 dependencies:
 codeql/cpp-all: 4.0.0
 microsoft/cpp-queries: 0.0.2
 suites: windows-driver-suites
-defaultSuiteFile: windows-driver-suites/windows_recommended_partial.qls
+defaultSuiteFile: windows-driver-suites/recommended.qls
 extractor: cpp
 licenses: MIT
 description: CodeQL queries designed for Windows device driver development.
\ No newline at end of file
diff --git a/src/windows-driver-suites/mustfix.qls b/src/windows-driver-suites/mustfix.qls
new file mode 100644
index 00000000..cf424f26
--- /dev/null
+++ b/src/windows-driver-suites/mustfix.qls
@@ -0,0 +1,42 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+- description: Security queries required to fix when certifying Windows Drivers
+- queries: .
+ from: microsoft/windows-drivers
+- include:
+ query path:
+ - drivers/general/queries/WdkDeprecatedApis/wdk-deprecated-api.ql
+ - microsoft/Security/CWE/CWE-704/WcharCharConversionLimited.ql
+- queries: .
+ from: microsoft/cpp-queries
+ version: 0.0.2
+- include:
+ query path:
+ - Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ - Likely Bugs/Memory Management/PointerOverflow.ql
+ - Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ - Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ - Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ - Microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
+ - Microsoft/Security/Cryptography/BannedEncryption.ql
+ - Microsoft/Security/Cryptography/BannedModesCAPI.ql
+ - Microsoft/Security/Cryptography/BannedModesCNG.ql
+ - Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ - Security/CWE/CWE-676/DangerousUseOfCin.ql
+ - Security/CWE/CWE-078/ExecTainted.ql
+ - Microsoft/Security/Cryptography/HardcodedIVCNG.ql
+ - Security/CWE/CWE-253/HResultBooleanConversion.ql
+ - Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+ - Microsoft/Likely Bugs/Drivers/IncorrectUsageOfRtlCompareMemory.ql
+ - Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ - Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ - Security/CWE/CWE-120/OverrunWrite.ql
+ - Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ - Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ - Microsoft/Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql
+ - Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ - Likely Bugs/OO/UnsafeUseOfThis.ql
+ - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ - Security/CWE/CWE-704/WcharCharConversion.ql
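Review bot: `version: 0.0.2` under `from: microsoft/cpp-queries` repeats the dependency pin that src/qlpack.yml carries as `microsoft/cpp-queries: 0.0.2`, with nothing tying the two together; a comment such as `# keep in step with microsoft/cpp-queries in ../qlpack.yml` on the `version:` line would stop the suite drifting the next time the pack is bumped. The file also gives no hint why the queries are split into a windows-drivers block and a cpp-queries block, or why the `Microsoft/...` entries in the second block are capitalised differently from the `microsoft/...` path in the first; a one-line header comment describing that layout would save the next reader a pack lookup.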
diff --git a/src/windows-driver-suites/recommended.qls b/src/windows-driver-suites/recommended.qls
new file mode 100644
index 00000000..b57fff53
--- /dev/null
+++ b/src/windows-driver-suites/recommended.qls
@@ -0,0 +1,76 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+- description: Recommended and required queries for Windows Drivers.
+- import: windows-driver-suites/mustfix.qls
+- queries: .
+ from: microsoft/windows-drivers
+- include:
+ query path:
+ - microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql
+ - microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
+ - microsoft/Likely Bugs/Conversion/InfiniteLoop.ql
+ - microsoft/Likely Bugs/Memory Management/UseAfterFree/UseAfterFree.ql
+ - microsoft/Likely Bugs/UninitializedPtrField.ql
+ - microsoft/Security/Crytpography/HardcodedIVCNG.ql
+ - drivers/general/queries/KeSetEventPageable/KeSetEventPageable.ql
+ - drivers/general/queries/RoleTypeCorrectlyUsed/RoleTypeCorrectlyUsed.ql
+ - drivers/general/queries/DefaultPoolTag/DefaultPoolTag.ql
+ - drivers/general/queries/ExaminedValue/ExaminedValue.ql
+ - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql
+ - drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql
+ - drivers/general/queries/IrqlNotUsed/IrqlNotUsed.ql
+ - drivers/general/queries/IrqlTooHigh/IrqlTooHigh.ql
+ - drivers/general/queries/IrqlTooLow/IrqlTooLow.ql
+ - drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.ql
+ - drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.ql
+ - drivers/general/queries/StrSafe/StrSafe.ql
+ - drivers/general/queries/AnnotationSyntax/AnnotationSyntax.ql
+ - drivers/general/queries/CurrentFunctionTypeNotCorrect/CurrentFunctionTypeNotCorrect.ql
+ - drivers/general/queries/DriverEntrySaveBuffer/DriverEntrySaveBuffer.ql
+ - drivers/general/queries/IRPStackEntryCopy/IRPStackEntryCopy.ql
+ - drivers/general/queries/ImportantFunctionCallOptimizedOut/ImportantFunctionCallOptimizedOut.ql
+ - drivers/general/queries/ImproperNotOperatorOnZero/ImproperNotOperatorOnZero.ql
+ - drivers/wdm/queries/InitNotCleared/InitNotCleared.ql
+ - 
drivers/general/queries/InvalidFunctionClassTypedef/InvalidFunctionClassTypedef.ql
+ - drivers/general/queries/InvalidFunctionPointerAnnotation/InvalidFunctionPointerAnnotation.ql
+ - drivers/general/queries/IoInitializeTimerCall/IoInitializeTimerCall.ql
+ - drivers/general/queries/IrqlAnnotationIssue/IrqlAnnotationIssue.ql
+ - drivers/general/queries/IrqlCancelRoutine/IrqlCancelRoutine.ql
+ - drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.ql
+ - drivers/wdm/queries/KeWaitLocal/KeWaitLocal.ql
+ - drivers/wdm/queries/MultiplePagedCode/MultiplePagedCode.ql
+ - drivers/general/queries/MultithreadedAVCondition/MultithreadedAVCondition.ql
+ - drivers/general/queries/NtstatusExplicitCast/NtstatusExplicitCast.ql
+ - drivers/general/queries/NtstatusExplicitCast2/NtstatusExplicitCast2.ql
+ - drivers/general/queries/NtstatusExplicitCast3/NtstatusExplicitCast3.ql
+ - drivers/general/queries/NullCharacterPointerAssignment/NullCharacterPointerAssignment.ql
+ - drivers/wdm/queries/ObReferenceMode/ObReferenceMode.ql
+ - drivers/general/queries/OperandAssignment/OperandAssignment.ql
+ - drivers/general/queries/PointerVariableSize/PointerVariableSize.ql
+ - drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
+ - drivers/general/queries/RoutineFunctionTypeNotExpected/RoutineFunctionTypeNotExpected.ql
+ - drivers/general/queries/StrictTypeMatch/StrictTypeMatch.ql
+ - drivers/wdm/queries/IllegalFieldAccess/IllegalFieldAccess.ql
+ - drivers/wdm/queries/IllegalFieldAccess2/IllegalFieldAccess2.ql
+ - drivers/wdm/queries/IllegalFieldWrite/IllegalFieldWrite.ql
+ - drivers/wdm/queries/OpaqueMdlUse/OpaqueMdlUse.ql
+ - drivers/wdm/queries/OpaqueMdlWrite/OpaqueMdlWrite.ql
+ - drivers/wdm/queries/PendingStatusError/PendingStatusError.ql
+ - drivers/wdm/queries/WrongDispatchTableAssignment/WrongDispatchTableAssignment.ql
+- queries: .
+ from: microsoft/cpp-queries
+ version: 0.0.2
+- include:
+ query path:
+ - Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
+ - Likely Bugs/Arithmetic/IntMultToLong.ql
+ - Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ - Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ - Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
+ - Likely Bugs/Memory Management/SuspiciousSizeof.ql
+ - Likely Bugs/Memory Management/UninitializedLocal.ql
+ - Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+ - Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+ - Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ - Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
diff --git a/src/windows-driver-suites/windows_mustfix_partial.qls b/src/windows-driver-suites/windows_mustfix_partial.qls
deleted file mode 100644
index c6914621..00000000
--- a/src/windows-driver-suites/windows_mustfix_partial.qls
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT license.
-
-- description: Security queries required to fix when certifying Windows Drivers
-- queries: .
- from: microsoft/windows-drivers
-- include:
- query path:
- - drivers/general/queries/WdkDeprecatedApis/wdk-deprecated-api.ql
- - microsoft/Security/CWE/CWE-704/WcharCharConversionLimited.ql
diff --git a/src/windows-driver-suites/windows_recommended_partial.qls b/src/windows-driver-suites/windows_recommended_partial.qls
deleted file mode 100644
index 6d339e04..00000000
--- a/src/windows-driver-suites/windows_recommended_partial.qls
+++ /dev/null
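Review bot: `microsoft/Security/Crytpography/HardcodedIVCNG.ql` in the windows-drivers block carries the `Crytpography` misspelling over from the deleted windows_recommended_partial.qls; the same query name sits under `Cryptography` in the cpp-queries block of mustfix.qls, and if this pack's directory is spelled `Cryptography` the entry matches nothing and the query silently drops out of the recommended suite. `BadOverflowGuard.ql` and `HardcodedIVCNG.ql` are also listed here from `microsoft/windows-drivers` while the imported mustfix.qls pulls the same-named queries from `microsoft/cpp-queries`; if those are copies of one another, findings will be reported twice. Running `codeql resolve queries` against this suite before qlpack.yml makes it the default would confirm both paths resolve.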
@@ -1,36 +0,0 @@
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT license.
-
-- description: Recommended and required queries for Windows Drivers.
-- import: windows-driver-suites/windows_mustfix_partial.qls
-- queries: .
- from: microsoft/windows-drivers
-- include:
- query path:
- - microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql
- - microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
- - microsoft/Likely Bugs/Conversion/InfiniteLoop.ql
- - microsoft/Likely Bugs/Memory Management/UseAfterFree/UseAfterFree.ql
- - microsoft/Likely Bugs/UninitializedPtrField.ql
- - microsoft/Security/Crytpography/HardcodedIVCNG.ql
- - drivers/general/queries/KeSetEventPageable/KeSetEventPageable.ql
- - drivers/general/queries/RoleTypeCorrectlyUsed/RoleTypeCorrectlyUsed.ql
- - drivers/general/queries/DefaultPoolTag/DefaultPoolTag.ql
- - drivers/general/queries/ExaminedValue/ExaminedValue.ql
- - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql
- - drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql
- - drivers/general/queries/IrqlNotUsed/IrqlNotUsed.ql
- - drivers/general/queries/IrqlTooHigh/IrqlTooHigh.ql
- - drivers/general/queries/IrqlTooLow/IrqlTooLow.ql
- - drivers/general/queries/IrqlSetTooHigh/IrqlTooHigh.ql
- - drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.ql
- - drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
- - drivers/general/queries/StrSafe/StrSafe.ql
- - drivers/wdm/queries/IllegalFieldAccess/IllegalFieldAccess.ql
- - drivers/wdm/queries/IllegalFieldAccess2/IllegalFieldAccess2.ql
- - drivers/wdm/queries/IllegalFieldWrite/IllegalFieldWrite.ql
- - drivers/wdm/queries/OpaqueMdlUse/OpaqueMdlUse.ql
- - drivers/wdm/queries/OpaqueMdlUse/OpaqueMdlWrite.ql
- - drivers/wdm/queries/PendingStatusError/PendingStatusError.ql
- - drivers/wdm/queries/WrongDispatchTableAssignment/WrongDispatchTableAssignment.ql
-
diff --git a/suites/windows_driver_mustfix.qls b/suites/windows_driver_mustfix.qls
index 280a0c8b..1495ea5e 100644
--- a/suites/windows_driver_mustfix.qls
+++ b/suites/windows_driver_mustfix.qls
@@ -2,39 +2,6 @@
 # Licensed under the MIT license.
 - description: Security queries required to fix when certifying Windows Drivers
-- queries: .
- from: microsoft/cpp-queries
- version: 0.0.2
-- include:
- query path:
- - Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
- - Likely Bugs/Memory Management/PointerOverflow.ql
- - Likely Bugs/Underspecified Functions/TooFewArguments.ql
- - Security/CWE/CWE-190/ComparisonWithWiderType.ql
- - Security/CWE/CWE-253/HResultBooleanConversion.ql
- - Security/CWE/CWE-120/BadlyBoundedWrite.ql
- - Microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
- - Microsoft/Security/Cryptography/BannedEncryption.ql
- - Microsoft/Security/Cryptography/BannedModesCAPI.ql
- - Microsoft/Security/Cryptography/BannedModesCNG.ql
- - Security/CWE/CWE-676/DangerousFunctionOverflow.ql
- - Security/CWE/CWE-676/DangerousUseOfCin.ql
- - Security/CWE/CWE-078/ExecTainted.ql
- - Microsoft/Security/Cryptography/HardcodedIVCNG.ql
- - Security/CWE/CWE-253/HResultBooleanConversion.ql
- - Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
- - Microsoft/Likely Bugs/Drivers/IncorrectUsageOfRtlCompareMemory.ql
- - Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
- - Security/CWE/CWE-327/OpenSslHeartbleed.ql
- - Security/CWE/CWE-120/OverrunWrite.ql
- - Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
- - Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
- - Microsoft/Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql
- - Security/CWE/CWE-114/UncontrolledProcessOperation.ql
- - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
- - Likely Bugs/OO/UnsafeUseOfThis.ql
- - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
- - Security/CWE/CWE-704/WcharCharConversion.ql
-- import: windows-driver-suites/windows_mustfix_partial.qls
+- import: windows-driver-suites/mustfix.qls
 from: microsoft/windows-drivers
diff --git a/suites/windows_driver_recommended.qls b/suites/windows_driver_recommended.qls
index a39674f0..56c5d31d 100644
--- a/suites/windows_driver_recommended.qls
+++ b/suites/windows_driver_recommended.qls
@@ -2,52 +2,7 @@
 # Licensed under the MIT license.
 - description: Recommended and required queries for Windows Drivers.
-- import: windows-driver-suites/windows_mustfix_partial.qls
+- import: windows-driver-suites/mustfix.qls
 from: microsoft/windows-drivers
-- import: windows-driver-suites/windows_recommended_partial.qls
+- import: windows-driver-suites/recommended.qls
 from: microsoft/windows-drivers
-- queries: .
- from: codeql/cpp-queries
- version: 0.9.0
-- include:
- query path:
- - Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
- - Likely Bugs/Arithmetic/IntMultToLong.ql
- - Likely Bugs/Arithmetic/SignedOverflowCheck.ql
- - Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
- - Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
- - Likely Bugs/Memory Management/SuspiciousSizeof.ql
- - Likely Bugs/Memory Management/UninitializedLocal.ql
- - Security/CWE/CWE-121/UnterminatedVarargsCall.ql
- - Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
- - Security/CWE/CWE-468/IncorrectPointerScaling.ql
- - Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
- - Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
- - Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
- - Security/CWE/CWE-704/WcharCharConversion.ql
- - Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
- - Likely Bugs/Memory Management/PointerOverflow.ql
- - Likely Bugs/Underspecified Functions/TooFewArguments.ql
- - Security/CWE/CWE-190/ComparisonWithWiderType.ql
- - Security/CWE/CWE-253/HResultBooleanConversion.ql
- - Security/CWE/CWE-120/BadlyBoundedWrite.ql
- - Likely Bugs/Conversion/BadOverflowGuard.ql
- - Security/Cryptography/BannedEncryption.ql
- - Security/Cryptography/BannedModesCAPI.ql
- - Security/Cryptography/BannedModesCNG.ql
- - Security/CWE/CWE-676/DangerousFunctionOverflow.ql
- - Security/CWE/CWE-676/DangerousUseOfCin.ql
- - Security/CWE/CWE-078/ExecTainted.ql
- - Security/Cryptography/HardcodedIVCNG.ql
- - Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
- - experimental/Windows/SystemCalls/IncorrectUsageOfRtlCompareMemory.ql
- - Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
- - Security/CWE/CWE-327/OpenSslHeartbleed.ql
- - Security/CWE/CWE-120/OverrunWrite.ql
- - Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
- - Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
- - Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql
- - Security/CWE/CWE-114/UncontrolledProcessOperation.ql
- - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
- - Likely Bugs/OO/UnsafeUseOfThis.ql
- - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
\ No newline at end of file
From 04c6ffad35411cdf4496f581c17250df3aa33888 Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Fri, 21 Feb 2025 16:29:38 -0800
Subject: [PATCH 06/12] update github action
---
 .github/workflows/build-codeql.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-codeql.yaml b/.github/workflows/build-codeql.yaml
index 124a47f6..7554df4c 100644
--- a/.github/workflows/build-codeql.yaml
+++ b/.github/workflows/build-codeql.yaml
@@ -52,11 +52,11 @@ jobs:
 - name: Build must-fix driver suite
 shell: cmd
- run: .\codeql-cli\codeql.cmd query compile --check-only windows_mustfix_partial.qls
+ run: .\codeql-cli\codeql.cmd query compile --check-only mustfix.qls
 - name: Build recommended driver suite
 shell: cmd
- run: .\codeql-cli\codeql.cmd query compile --check-only windows_recommended_partial.qls
+ run: .\codeql-cli\codeql.cmd query compile --check-only recommended.qls
 - name: Build CA ported queries
 shell: cmd
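Review bot: Nothing in this series shows that every query in the removed inline codeql/cpp-queries list (OffsetUseBeforeRangeCheck, IntMultToLong, SignedOverflowCheck, CastArrayPointerArithmetic, IncorrectNotOperatorUsage, SuspiciousSizeof, UninitializedLocal and the rest) is present in the `windows-driver-suites/recommended.qls` that the new `- import:` line pulls in. The later "add missing queries" commit (10/12) re-adds only IncorrectPointerScaling and IncorrectPointerScalingVoid, which suggests the move was not checked entry by entry. A query that silently drops out of a suite means a class of finding silently stops being reported, so diff the removed list against recommended.qls (for example via `codeql resolve queries` on the suite) before tagging. The hunk's trailing blank lines are not visible here.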
@@ -196,15 +196,15 @@ jobs:
 shell: pwsh
 run: $qlpack_diff = git diff HEAD~1:src/qlpack.yml src/qlpack.yml;
- $rec_diff = git diff HEAD~1:src/windows-driver-suites/windows_recommended_partial.qls src/windows-driver-suites/windows_recommended_partial.qls;
- $mf_diff = git diff HEAD~1:src/windows-driver-suites/windows_mustfix_partial.qls src/windows-driver-suites/windows_mustfix_partial.qls;
+ $rec_diff = git diff HEAD~1:src/windows-driver-suites/recommended.qls src/windows-driver-suites/recommended.qls;
+ $mf_diff = git diff HEAD~1:src/windows-driver-suites/mustfix.qls src/windows-driver-suites/mustfix.qls;
 if (!$qlpack_diff -and ($rec_diff -or $mf_diff)) { "Query suite file updated without updating qlpack version"; exit 1 }
 $last_qlpack_commit = git log -n 1 --pretty=format:%H -- src/qlpack.yml;
 $qlpack_changes =git show $last_qlpack_commit -- .\src\qlpack.yml;
- $last_mf_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_mustfix_partial.qls;
- $last_rec_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_recommended_partial.qls;
+ $last_mf_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/mustfix.qls;
+ $last_rec_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/recommended.qls;
 $commits_since_qlpack_change = [int](git rev-list --count HEAD...$last_qlpack_commit);
 $commits_since_mf_change = [int](git rev-list --count HEAD...$last_mf_commit);
 $commits_since_rec_change = [int](git rev-list --count HEAD...$last_rec_commit);
From 843b5a802024355831172fe3f45322b9a1c2589d Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Mon, 24 Feb 2025 08:08:46 -0800
Subject: [PATCH 07/12] update query suites with missing query
---
 src/qlpack.yml | 2 +-
 src/windows-driver-suites/mustfix.qls | 1 +
 src/windows-driver-suites/recommended.qls | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/qlpack.yml b/src/qlpack.yml
index de72cb89..23315463 100644
--- a/src/qlpack.yml
+++ b/src/qlpack.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT license.
 name: microsoft/windows-drivers
-version: 1.5.0
+version: 1.5.1
 dependencies:
 codeql/cpp-all: 4.0.0
 microsoft/cpp-queries: 0.0.2
diff --git a/src/windows-driver-suites/mustfix.qls b/src/windows-driver-suites/mustfix.qls
index cf424f26..9fd0fbc1 100644
--- a/src/windows-driver-suites/mustfix.qls
+++ b/src/windows-driver-suites/mustfix.qls
@@ -40,3 +40,4 @@
 - Likely Bugs/OO/UnsafeUseOfThis.ql
 - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
 - Security/CWE/CWE-704/WcharCharConversion.ql
+ - Likely Bugs/Format/WrongNumberOfFormatArguments.ql
\ No newline at end of file
diff --git a/src/windows-driver-suites/recommended.qls b/src/windows-driver-suites/recommended.qls
index b57fff53..5994eaf4 100644
--- a/src/windows-driver-suites/recommended.qls
+++ b/src/windows-driver-suites/recommended.qls
@@ -74,3 +74,4 @@
 - Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
 - Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 - Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ - Security/CWE/CWE-119/OverflowBuffer.ql
From 598098872d0b7a1cb6c7f0706e38c361ae23fbe3 Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Mon, 24 Feb 2025 10:01:33 -0800
Subject: [PATCH 08/12] update version
---
 src/qlpack.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qlpack.yml b/src/qlpack.yml
index 23315463..de72cb89 100644
--- a/src/qlpack.yml
+++ b/src/qlpack.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT license.
 name: microsoft/windows-drivers
-version: 1.5.1
+version: 1.5.0
 dependencies:
 codeql/cpp-all: 4.0.0
 microsoft/cpp-queries: 0.0.2
From be50d53eb8d7785174ac8313a5940c28e7c0a496 Mon Sep 17 00:00:00 2001
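Review bot: The appended `- Likely Bugs/Format/WrongNumberOfFormatArguments.ql` in the mustfix.qls hunk inherits the missing trailing newline (the `\ No newline at end of file` marker is still on the new side), so every future append to this file shows up as a two-line change and the same marker reappears in the sort commit (09/12). End mustfix.qls with a newline, as recommended.qls already is.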
From: jacob-ronstadt
Date: Mon, 24 Feb 2025 10:44:43 -0800
Subject: [PATCH 09/12] sort query suites
---
 src/windows-driver-suites/mustfix.qls | 34 +++++++++++++++++++-----------
 src/windows-driver-suites/recommended.qls | 44 +++++++++++------------
 2 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/src/windows-driver-suites/mustfix.qls b/src/windows-driver-suites/mustfix.qls
index 9fd0fbc1..85b45541 100644
--- a/src/windows-driver-suites/mustfix.qls
+++ b/src/windows-driver-suites/mustfix.qls
@@ -14,30 +14,30 @@
 - include:
 query path:
 - Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ - Likely Bugs/Format/WrongNumberOfFormatArguments.ql
 - Likely Bugs/Memory Management/PointerOverflow.ql
+ - Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ - Likely Bugs/OO/UnsafeUseOfThis.ql
+ - Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
 - Likely Bugs/Underspecified Functions/TooFewArguments.ql
- - Security/CWE/CWE-190/ComparisonWithWiderType.ql
- - Security/CWE/CWE-120/BadlyBoundedWrite.ql
 - Microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
+ - Microsoft/Likely Bugs/Drivers/IncorrectUsageOfRtlCompareMemory.ql
 - Microsoft/Security/Cryptography/BannedEncryption.ql
 - Microsoft/Security/Cryptography/BannedModesCAPI.ql
 - Microsoft/Security/Cryptography/BannedModesCNG.ql
- - Security/CWE/CWE-676/DangerousFunctionOverflow.ql
- - Security/CWE/CWE-676/DangerousUseOfCin.ql
- - Security/CWE/CWE-078/ExecTainted.ql
 - Microsoft/Security/Cryptography/HardcodedIVCNG.ql
- - Security/CWE/CWE-253/HResultBooleanConversion.ql
- - Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
- - Microsoft/Likely Bugs/Drivers/IncorrectUsageOfRtlCompareMemory.ql
- - Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
- - Security/CWE/CWE-327/OpenSslHeartbleed.ql
- - Security/CWE/CWE-120/OverrunWrite.ql
- - Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
- - Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
 - Microsoft/Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql
+ - Security/CWE/CWE-078/ExecTainted.ql
 - Security/CWE/CWE-114/UncontrolledProcessOperation.ql
- - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
- - Likely Bugs/OO/UnsafeUseOfThis.ql
- - Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ - Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ - Security/CWE/CWE-120/OverrunWrite.ql
+ - Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ - Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+ - Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ - Security/CWE/CWE-253/HResultBooleanConversion.ql
+ - Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ - Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ - Security/CWE/CWE-676/DangerousUseOfCin.ql
 - Security/CWE/CWE-704/WcharCharConversion.ql
- - Likely Bugs/Format/WrongNumberOfFormatArguments.ql
\ No newline at end of file
+ - Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
\ No newline at end of file
diff --git a/src/windows-driver-suites/recommended.qls b/src/windows-driver-suites/recommended.qls
index 5994eaf4..78ce00de 100644
--- a/src/windows-driver-suites/recommended.qls
+++ b/src/windows-driver-suites/recommended.qls
@@ -7,57 +7,57 @@
 from: microsoft/windows-drivers
 - include:
 query path:
- - microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql
- - microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
- - microsoft/Likely Bugs/Conversion/InfiniteLoop.ql
- - microsoft/Likely Bugs/Memory Management/UseAfterFree/UseAfterFree.ql
- - microsoft/Likely Bugs/UninitializedPtrField.ql
- - microsoft/Security/Crytpography/HardcodedIVCNG.ql
- - drivers/general/queries/KeSetEventPageable/KeSetEventPageable.ql
- - drivers/general/queries/RoleTypeCorrectlyUsed/RoleTypeCorrectlyUsed.ql
- - drivers/general/queries/DefaultPoolTag/DefaultPoolTag.ql
- - drivers/general/queries/ExaminedValue/ExaminedValue.ql
- - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql
- - drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql
- - drivers/general/queries/IrqlNotUsed/IrqlNotUsed.ql
- - drivers/general/queries/IrqlTooHigh/IrqlTooHigh.ql
- - drivers/general/queries/IrqlTooLow/IrqlTooLow.ql
- - drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.ql
- - drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.ql
- - drivers/general/queries/StrSafe/StrSafe.ql
 - drivers/general/queries/AnnotationSyntax/AnnotationSyntax.ql
 - drivers/general/queries/CurrentFunctionTypeNotCorrect/CurrentFunctionTypeNotCorrect.ql
+ - drivers/general/queries/DefaultPoolTag/DefaultPoolTag.ql
 - drivers/general/queries/DriverEntrySaveBuffer/DriverEntrySaveBuffer.ql
+ - drivers/general/queries/ExaminedValue/ExaminedValue.ql
+ - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql
 - drivers/general/queries/IRPStackEntryCopy/IRPStackEntryCopy.ql
 - drivers/general/queries/ImportantFunctionCallOptimizedOut/ImportantFunctionCallOptimizedOut.ql
 - drivers/general/queries/ImproperNotOperatorOnZero/ImproperNotOperatorOnZero.ql
- - drivers/wdm/queries/InitNotCleared/InitNotCleared.ql
 - drivers/general/queries/InvalidFunctionClassTypedef/InvalidFunctionClassTypedef.ql
 - drivers/general/queries/InvalidFunctionPointerAnnotation/InvalidFunctionPointerAnnotation.ql
 - drivers/general/queries/IoInitializeTimerCall/IoInitializeTimerCall.ql
 - drivers/general/queries/IrqlAnnotationIssue/IrqlAnnotationIssue.ql
 - drivers/general/queries/IrqlCancelRoutine/IrqlCancelRoutine.ql
 - drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.ql
- - drivers/wdm/queries/KeWaitLocal/KeWaitLocal.ql
- - drivers/wdm/queries/MultiplePagedCode/MultiplePagedCode.ql
+ - drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql
+ - drivers/general/queries/IrqlNotUsed/IrqlNotUsed.ql
+ - drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.ql
+ - drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.ql
+ - drivers/general/queries/IrqlTooHigh/IrqlTooHigh.ql
+ - drivers/general/queries/IrqlTooLow/IrqlTooLow.ql
+ - drivers/general/queries/KeSetEventPageable/KeSetEventPageable.ql
 - drivers/general/queries/MultithreadedAVCondition/MultithreadedAVCondition.ql
 - drivers/general/queries/NtstatusExplicitCast/NtstatusExplicitCast.ql
 - drivers/general/queries/NtstatusExplicitCast2/NtstatusExplicitCast2.ql
 - drivers/general/queries/NtstatusExplicitCast3/NtstatusExplicitCast3.ql
 - drivers/general/queries/NullCharacterPointerAssignment/NullCharacterPointerAssignment.ql
- - drivers/wdm/queries/ObReferenceMode/ObReferenceMode.ql
 - drivers/general/queries/OperandAssignment/OperandAssignment.ql
 - drivers/general/queries/PointerVariableSize/PointerVariableSize.ql
 - drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
+ - drivers/general/queries/RoleTypeCorrectlyUsed/RoleTypeCorrectlyUsed.ql
 - drivers/general/queries/RoutineFunctionTypeNotExpected/RoutineFunctionTypeNotExpected.ql
+ - drivers/general/queries/StrSafe/StrSafe.ql
 - drivers/general/queries/StrictTypeMatch/StrictTypeMatch.ql
 - drivers/wdm/queries/IllegalFieldAccess/IllegalFieldAccess.ql
 - drivers/wdm/queries/IllegalFieldAccess2/IllegalFieldAccess2.ql
 - drivers/wdm/queries/IllegalFieldWrite/IllegalFieldWrite.ql
+ - drivers/wdm/queries/InitNotCleared/InitNotCleared.ql
+ - drivers/wdm/queries/KeWaitLocal/KeWaitLocal.ql
+ - drivers/wdm/queries/MultiplePagedCode/MultiplePagedCode.ql
+ - drivers/wdm/queries/ObReferenceMode/ObReferenceMode.ql
 - drivers/wdm/queries/OpaqueMdlUse/OpaqueMdlUse.ql
 - drivers/wdm/queries/OpaqueMdlWrite/OpaqueMdlWrite.ql
 - drivers/wdm/queries/PendingStatusError/PendingStatusError.ql
 - drivers/wdm/queries/WrongDispatchTableAssignment/WrongDispatchTableAssignment.ql
+ - microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql
+ - microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
+ - microsoft/Likely Bugs/Conversion/InfiniteLoop.ql
+ - microsoft/Likely Bugs/Memory Management/UseAfterFree/UseAfterFree.ql
+ - microsoft/Likely Bugs/UninitializedPtrField.ql
+ - microsoft/Security/Crytpography/HardcodedIVCNG.ql
 - queries: .
 from: microsoft/cpp-queries
 version: 0.0.2
From e39eda406dc9dec6b85c6d4abc460f2ddebed6df Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Thu, 27 Feb 2025 10:42:31 -0800
Subject: [PATCH 10/12] add missing queries
---
 src/windows-driver-suites/recommended.qls | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/windows-driver-suites/recommended.qls b/src/windows-driver-suites/recommended.qls
index 78ce00de..ad0bf9b8 100644
--- a/src/windows-driver-suites/recommended.qls
+++ b/src/windows-driver-suites/recommended.qls
@@ -73,5 +73,7 @@
 - Security/CWE/CWE-121/UnterminatedVarargsCall.ql
 - Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
 - Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ - Security/CWE/CWE-468/IncorrectPointerScaling.ql
+ - Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
 - Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
 - Security/CWE/CWE-119/OverflowBuffer.ql
From bb9f13ed037413c34fee9bc5412ffb53a5d63be7 Mon Sep 17 00:00:00 2001
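Review bot: The re-added `- microsoft/Security/Crytpography/HardcodedIVCNG.ql` line in the recommended.qls sort hunk keeps the "Crytpography" spelling from the old list, while mustfix.qls references the same check from microsoft/cpp-queries as `Microsoft/Security/Cryptography/HardcodedIVCNG.ql`. If the directory under src/microsoft is actually spelled Cryptography, this include matches nothing and the hardcoded-IV check silently drops out of the recommended suite; if the typo is in the directory name itself, it is worth fixing there so the two suites agree. I cannot see the directory from this hunk, so please confirm with `codeql resolve queries` on the suite that the entry resolves to a query.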
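Review bot: The two added CWE-468 entries land after `Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql`, which breaks the alphabetical order the previous commit (09/12) introduced for this file; `IncorrectPointerScaling.ql` and `IncorrectPointerScalingVoid.ql` sort before `SuspiciousAddWithSizeof.ql`. The trailing `Security/CWE/CWE-119/OverflowBuffer.ql` is likewise out of order after the CWE-676 entry. Keeping the list sorted is what makes duplicates and omissions, like the two entries re-added here, easy to spot by eye.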
From: jacob-ronstadt
Date: Thu, 13 Mar 2025 16:36:37 -0700
Subject: [PATCH 11/12] Fix opaqueid fields. For some reason opaque-id causes issues with sarif reader.
---
 .../queries/PoolTagIntegral/PoolTagIntegral.ql | 11 ++++-------
 .../PaddingByteInformationDisclosure.ql | 4 ++--
 .../Likely Bugs/Conversion/BadOverflowGuard.ql | 5 +++--
 src/microsoft/Likely Bugs/Conversion/InfiniteLoop.ql | 4 ++--
 src/microsoft/Likely Bugs/UninitializedPtrField.ql | 4 ++--
 5 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql b/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
index 2cea55bb..71efb972 100644
--- a/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
+++ b/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
@@ -42,11 +42,8 @@ class ValidPoolTag extends Expr {
 }
 }
-from FunctionCall fc, int i
+from FunctionCall fc
 where
- fc.getTarget() instanceof PoolTypeFunction and
- fc.getTarget().getParameter(i).getName().matches("Tag") and
- not fc.getArgument(i) instanceof ValidPoolTag
-select fc,
- "A non-CHAR tag was passed into a pool allocation function (actual type: " +
- fc.getArgument(i).getUnderlyingType().getName() + ")"
+ fc.getTarget() instanceof PoolTypeFunction
+
+select fc,fc.toString()
diff --git a/src/microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql b/src/microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql
index 54cfb442..3d801d19 100644
--- a/src/microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql
+++ b/src/microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql
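Review bot: The PoolTagIntegral.ql hunk is unrelated to the opaqueid fix the commit message describes and replaces the query's logic with `select fc,fc.toString()`, which reports every call to a PoolTypeFunction whether or not its Tag argument is a ValidPoolTag; the `int i` parameter lookup and the "A non-CHAR tag was passed..." message with the actual type are gone. That turns a targeted check into one that flags every pool allocation and removes the text that tells the driver author what to fix. It looks like a local debugging edit committed by accident; 12/12 reverts it, but the series would be cleaner with this hunk dropped from 11/12 so no intermediate revision ships the broken query. The hunk's trailing context line is not visible here.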
@@ -2,6 +2,7 @@
 // Licensed under the MIT license.
 /**
+ * @id cpp/paddingbyteinformationdisclosure
 * @name Possible information leakage from uninitialized padding bytes.
 * @description A newly allocated struct or class that is initialized member-by-member may
 * leak information if it includes padding bytes.
@@ -9,9 +10,8 @@
 * @problem.severity warning
 * @tags security
 * external/cwe/cwe-200
- * @opaque-id SM02320
+ * @opaqueid SM02320
 * @microsoft.severity Important
- * @id cpp/paddingbyteinformationdisclosure
 */
 import cpp
diff --git a/src/microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql b/src/microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
index 48d537b4..5aa06e46 100644
--- a/src/microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
+++ b/src/microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql
@@ -2,6 +2,7 @@
 // Licensed under the MIT license.
 /**
+ * @id cpp/badoverflowguard
 * @name Bad overflow check
 * @description Checking for overflow of an addition by comparing against one
 * of the arguments of the addition fails if the size of all the
@@ -12,9 +13,9 @@
 * @tags security
 * external/cwe/cwe-190
 * external/cwe/cwe-191
- * @opaque-id SM02324
 * @microsoft.severity Important
- * @id cpp/badoverflowguard
+ * @opaqueid SM02324
+ *
 */
 import cpp
diff --git a/src/microsoft/Likely Bugs/Conversion/InfiniteLoop.ql b/src/microsoft/Likely Bugs/Conversion/InfiniteLoop.ql
index db176bfb..2ff8b160 100644
--- a/src/microsoft/Likely Bugs/Conversion/InfiniteLoop.ql
+++ b/src/microsoft/Likely Bugs/Conversion/InfiniteLoop.ql
@@ -2,6 +2,7 @@
 // Licensed under the MIT license.
 /**
+ * @id cpp/infiniteloop
 * @name Comparison of narrow type with wide type in loop condition
 * @description Comparisons between types of different widths in a loop
 * condition can cause the loop to fail to terminate.
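Review bot: The rewritten metadata block in BadOverflowGuard.ql ends with an empty ` *` line between `@opaqueid SM02324` and `*/`, which none of the other four headers in this commit have; drop the added ` *` line so the five headers stay uniform. In the same file `@microsoft.severity` now precedes `@opaqueid`, the reverse of the order used in PaddingByteInformationDisclosure.ql, InfiniteLoop.ql and UninitializedPtrField.ql, so the tag order differs across files touched by one commit. Moving `@id` to the top of each block is consistent, which makes the BadOverflowGuard.ql block the odd one out.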
@@ -11,9 +12,8 @@
 * security
 * external/cwe/cwe-190
 * external/cwe/cwe-197
- * @opaque-id SM02323
+ * @opaqueid SM02323
 * @microsoft.severity Important
- * @id cpp/infiniteloop
 */
 import cpp
diff --git a/src/microsoft/Likely Bugs/UninitializedPtrField.ql b/src/microsoft/Likely Bugs/UninitializedPtrField.ql
index eb319f6a..af48b37d 100644
--- a/src/microsoft/Likely Bugs/UninitializedPtrField.ql
+++ b/src/microsoft/Likely Bugs/UninitializedPtrField.ql
@@ -2,6 +2,7 @@
 // Licensed under the MIT license.
 /**
+ * @id cpp/uninitializedptrfield
 * @name Dereference of potentially uninitialized pointer field
 * @description A pointer field which was not initialized during or since class
 * construction will cause a null pointer dereference.
@@ -9,9 +10,8 @@
 * @problem.severity warning
 * @tags security
 * external/cwe/cwe-476
- * @opaque-id SM02310
+ * @opaqueid SM02310
 * @microsoft.severity Important
- * @id cpp/uninitializedptrfield
 */
 import cpp
From e90f50501817dc19c871e41cb93db90aa19edd93 Mon Sep 17 00:00:00 2001
From: jacob-ronstadt
Date: Fri, 14 Mar 2025 09:02:39 -0700
Subject: [PATCH 12/12] fix changed file
---
 .../queries/PoolTagIntegral/PoolTagIntegral.ql | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql b/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
index 71efb972..2cea55bb 100644
--- a/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
+++ b/src/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql
@@ -42,8 +42,11 @@ class ValidPoolTag extends Expr {
 }
 }
-from FunctionCall fc
+from FunctionCall fc, int i
 where
- fc.getTarget() instanceof PoolTypeFunction
-
-select fc,fc.toString()
+ fc.getTarget() instanceof PoolTypeFunction and
+ fc.getTarget().getParameter(i).getName().matches("Tag") and
+ not fc.getArgument(i) instanceof ValidPoolTag
+select fc,
+ "A non-CHAR tag was passed into a pool allocation function (actual type: " +
+ fc.getArgument(i).getUnderlyingType().getName() + ")"
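Review bot: `fc.getTarget().getParameter(i).getName().matches("Tag")` in the restored where clause is a pattern match with no `%` or `_` wildcard, so it behaves as plain equality; writing it as `fc.getTarget().getParameter(i).getName() = "Tag"` states that intent and does not invite a reader to assume a prefix or suffix match is wanted. If matching names such as a longer tag-parameter name is actually intended, the pattern should say so explicitly rather than rely on the bare literal. The restored block matches the pre-11/12 version byte for byte as far as this hunk shows; its trailing context line is not visible here.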