`A4-7-1`: Incorporate CERT C integer data loss rules

Question

`A4-7-1`: Incorporate CERT C integer data loss rules

lcartey opened this issue 2 years ago · 0 comments

Affected rules

A4-7-1

Description

The IntegerExpressionLeadToDataLoss.ql query should be replaced by the more refined queries from CERT, specifically INT30-C (UnsignedIntegerOperationsWrapAround.ql), INT31-C (IntegerConversionCausesDataLoss.ql), INT32-C (SignedIntegerOverflow.ql) and INT34-C (ExprShiftedByNegativeOrGreaterPrecisionOperand.ql). These provide:

Additional results not covered by the original query (particularly around lossy casts and conversions).
Improved alert messages with more additional information and no inaccurate descriptions.
Additional guard and validation detection, to reduce false positives.