Skip to content

Comments

C++: Simplify cpp/certificate-not-checked#20382

Merged
MathiasVP merged 3 commits intogithub:mainfrom
MathiasVP:simplify-ssl-result-not-checked
Sep 9, 2025
Merged

C++: Simplify cpp/certificate-not-checked#20382
MathiasVP merged 3 commits intogithub:mainfrom
MathiasVP:simplify-ssl-result-not-checked

Conversation

@MathiasVP
Copy link
Contributor

@MathiasVP MathiasVP commented Sep 8, 2025
edited
Loading

The cpp/certificate-not-checked query had two unnecessary complications:

  1. It was reinventing the ensuresEqEdge predicate (which existed on the IRGuardCondition, but not in GuardCondition)
  2. It had explicit handling of ! and implicit int-to-bool conversions.

This PR fixes both of these problems. (1) is fixed by lifting those ensures*Edge from IRGuardConditions to GuardConditions and use those new predicates in the query. (2) can just be removed because of the earlier work we've done on unary guards.

DCA was uneventful

@MathiasVP MathiasVP added the no-change-note-required This PR does not need a change note label Sep 8, 2025
@github-actions github-actions bot added C++ and removed no-change-note-required This PR does not need a change note labels Sep 8, 2025
@MathiasVP MathiasVP marked this pull request as ready for review September 8, 2025 15:17
@MathiasVP MathiasVP requested a review from a team as a code owner September 8, 2025 15:17
Copilot AI review requested due to automatic review settings September 8, 2025 15:17
Copilot AI reviewed Sep 8, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR simplifies the cpp/certificate-not-checked query by refactoring guard condition handling and removing unnecessary complexity. The changes improve code reuse by lifting predicate functionality from IR-level to AST-level guards and eliminate manual handling of boolean conversions.

  • Refactors the certIsZero predicate to use the new ensuresEqEdge predicate instead of manual guard condition logic
  • Adds ensures*Edge predicates to GuardCondition class, lifting functionality from IRGuardCondition
  • Removes explicit handling of negation operators and implicit int-to-bool conversions

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql Simplifies the certIsZero predicate by replacing complex manual guard logic with a single call to ensuresEqEdge
cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll Adds new ensures*Edge predicates and valueControlsEdge methods to provide edge-based guard condition analysis at the AST level

@MathiasVP
Update cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
702d6d8 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@MathiasVP MathiasVP added the no-change-note-required This PR does not need a change note label Sep 8, 2025
@MathiasVP MathiasVP merged commit 417e79c into github:main Sep 9, 2025
17 of 18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jketema jketema jketema approved these changes

Assignees

No one assigned

Labels

C++ no-change-note-required This PR does not need a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MathiasVP @jketema