Module TaintedWithPath

Provides definitions for augmenting source/sink pairs with data-flow paths between them. From a @kind path-problem query, import this module in the global scope, extend TaintTrackingConfiguration, and use taintedWithPath in place of tainted.

Importing this module will also import the query predicates that contain the taint paths.

Import path

import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

Predicates

edges	Holds if `(a,b)` is an edge in the graph of data flow path explanations.
nodes	Holds if `n` is a node in the graph of data flow path explanations.
subpaths	Holds if there is flow from `arg` to `out` across a call that can by summarized by the flow from `par` to `ret` within it, in the graph of data flow path explanations.
taintedWithPath	Holds if `tainted` may contain taint from `source`, where `sourceNode` and `sinkNode` are the corresponding `PathNode`s that can be used in a query to provide path explanations. Extend `TaintTrackingConfiguration` to use this predicate.
taintedWithoutGlobals	Holds if `tainted` can be reached from a taint source without passing through a global variable.

Classes

PathNode	An opaque type used for the nodes of a data-flow path.
TaintTrackingConfiguration	A taint-tracking configuration that matches sources and sinks in the same way as the `tainted` predicate.

Modules

Private

INTERNAL: Do not use.