CodeQL library for C/C++

Module TaintTrackingUtil

Provides classes for performing local (intra-procedural) and global (inter-procedural) taint-tracking analyses.

We define taint propagation informally to mean that a substantial part of the information from the source is preserved at the sink. For example, taint propagates from x to x + 100, but it does not propagate from x to x > 100 since we consider a single bit of information to be too little.

Import path

import semmle.code.cpp.dataflow.internal.TaintTrackingUtil



Holds if the additional step from src to sink should be included in all global taint flow configurations.


Holds if node should be a sanitizer in all global taint flow configurations but not in local taint.


Holds if taint can flow in one local step from nodeFrom to nodeTo excluding local data flow steps. That is, nodeFrom and nodeTo are likely to represent different objects.


Holds if taint can flow from e1 to e2 in zero or more local (intra-procedural) steps.


Holds if taint may propagate from source to sink in zero or more local (intra-procedural) steps.


Holds if taint propagates from nodeFrom to nodeTo in exactly one local (intra-procedural) step.