Added an additional test case and fixed a false positive. Also noted a new false positive scenario currently unaccounted for in a new test case.

bdrodes · bdrodes · commit a8d5357026c3 · 2026-01-29T09:26:55.000-05:00
diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
@@ -715,7 +715,12 @@ where
   not exists(DataFlow::Node dayOrMonthValSrc, DataFlow::Node dayOrMonthValSink, Assignment a |
     CandidateConstantToDayOrMonthAssignmentFlow::flow(dayOrMonthValSrc, dayOrMonthValSink) and
     a.getRValue() = dayOrMonthValSink.asExpr() and
-    dayOrMonthValSrc.getBasicBlock() = src.getNode().getBasicBlock() and
+    (
+      // The source of the day is set in the same block as the source for the year
+      // or the source for the day is set in the same block as the sink for the year
+      dayOrMonthValSrc.getBasicBlock() = src.getNode().getBasicBlock() or
+      dayOrMonthValSrc.getBasicBlock() = sink.getNode().getBasicBlock()
+    ) and
     dayOrMonthValSink.getBasicBlock() = sink.getNode().getBasicBlock() and
     (
       a.getLValue() instanceof MonthFieldAccess and
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected
@@ -16,9 +16,11 @@
 | test.cpp:1245:2:1245:28 | ... = ... | test.cpp:1245:16:1245:28 | ... + ... | test.cpp:1245:2:1245:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:1259:2:1259:28 | ... = ... | test.cpp:1259:16:1259:28 | ... + ... | test.cpp:1259:2:1259:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 | test.cpp:1293:2:1293:17 | ... = ... | test.cpp:1384:12:1384:17 | ... + ... | test.cpp:1293:2:1293:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
-| test.cpp:1435:2:1435:15 | ... = ... | test.cpp:1432:2:1432:10 | ... += ... | test.cpp:1435:2:1435:15 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
-| test.cpp:1465:2:1465:22 | ... += ... | test.cpp:1465:2:1465:22 | ... += ... | test.cpp:1465:2:1465:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
-| test.cpp:1473:2:1473:22 | ... += ... | test.cpp:1473:2:1473:22 | ... += ... | test.cpp:1473:2:1473:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1293:2:1293:17 | ... = ... | test.cpp:1398:9:1398:16 | ... + ... | test.cpp:1293:2:1293:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1293:2:1293:17 | ... = ... | test.cpp:1410:9:1410:16 | ... + ... | test.cpp:1293:2:1293:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1467:2:1467:15 | ... = ... | test.cpp:1464:2:1464:10 | ... += ... | test.cpp:1467:2:1467:15 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1497:2:1497:22 | ... += ... | test.cpp:1497:2:1497:22 | ... += ... | test.cpp:1497:2:1497:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1505:2:1505:22 | ... += ... | test.cpp:1505:2:1505:22 | ... += ... | test.cpp:1505:2:1505:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
 edges
 | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | provenance |  |
 | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | provenance |  |
@@ -53,7 +55,14 @@ edges
 | test.cpp:1372:15:1372:22 | ... + ... | test.cpp:1372:3:1372:22 | ... = ... | provenance |  |
 | test.cpp:1377:12:1377:17 | ... + ... | test.cpp:1290:20:1290:23 | year | provenance |  |
 | test.cpp:1384:12:1384:17 | ... + ... | test.cpp:1290:20:1290:23 | year | provenance |  |
-| test.cpp:1432:2:1432:10 | ... += ... | test.cpp:1435:2:1435:15 | ... = ... | provenance |  |
+| test.cpp:1398:2:1398:16 | ... = ... | test.cpp:1402:3:1402:18 | ... = ... | provenance |  |
+| test.cpp:1398:2:1398:16 | ... = ... | test.cpp:1407:12:1407:15 | year | provenance |  |
+| test.cpp:1398:9:1398:16 | ... + ... | test.cpp:1398:2:1398:16 | ... = ... | provenance |  |
+| test.cpp:1407:12:1407:15 | year | test.cpp:1290:20:1290:23 | year | provenance |  |
+| test.cpp:1410:2:1410:16 | ... = ... | test.cpp:1416:12:1416:15 | year | provenance |  |
+| test.cpp:1410:9:1410:16 | ... + ... | test.cpp:1410:2:1410:16 | ... = ... | provenance |  |
+| test.cpp:1416:12:1416:15 | year | test.cpp:1290:20:1290:23 | year | provenance |  |
+| test.cpp:1464:2:1464:10 | ... += ... | test.cpp:1467:2:1467:15 | ... = ... | provenance |  |
 nodes
 | test.cpp:422:2:422:14 | ... += ... | semmle.label | ... += ... |
 | test.cpp:440:2:440:11 | ... ++ | semmle.label | ... ++ |
@@ -130,10 +139,17 @@ nodes
 | test.cpp:1372:15:1372:22 | ... + ... | semmle.label | ... + ... |
 | test.cpp:1377:12:1377:17 | ... + ... | semmle.label | ... + ... |
 | test.cpp:1384:12:1384:17 | ... + ... | semmle.label | ... + ... |
-| test.cpp:1432:2:1432:10 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1435:2:1435:15 | ... = ... | semmle.label | ... = ... |
-| test.cpp:1465:2:1465:22 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1473:2:1473:22 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1519:2:1519:22 | ... += ... | semmle.label | ... += ... |
-| test.cpp:1530:2:1530:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1398:2:1398:16 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1398:9:1398:16 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1402:3:1402:18 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1407:12:1407:15 | year | semmle.label | year |
+| test.cpp:1410:2:1410:16 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1410:9:1410:16 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1416:12:1416:15 | year | semmle.label | year |
+| test.cpp:1464:2:1464:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1467:2:1467:15 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1497:2:1497:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1505:2:1505:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1551:2:1551:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1562:2:1562:22 | ... += ... | semmle.label | ... += ... |
 subpaths
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp
@@ -1385,6 +1385,38 @@ void constant_day_on_year_modification1(WORD year, WORD offset, WORD month){
 	}
 }
 
+void constant_day_on_year_modification2(WORD year, WORD month){
+	SYSTEMTIME tmp;
+
+	// FLASE POSITIVE SOURCE:
+	// flowing into set_time, the set time does pass a constant day
+	// but the source here and the source of that constant month don't align
+	// Current heuristics require the source of the constant day align with the
+	// source and/or the sink of the year modification.
+	// We could potentially improve this by checking the paths of both the year and day
+	// flows, but this may be more complex than is warranted for now.
+	year = year + 1; // $ SPURIOUS: Source
+
+	if(month++ > 12){
+		tmp.wDay = 1;
+		tmp.wYear = year;// OK since the year is incremented with a known non-leap year day
+	}
+
+	if(month++ > 12){
+
+		set_time(year, month, 1);// OK since the year is incremented with a known non-leap year day
+	}
+
+	year = year + 1; // $ Source
+
+	if(month++ > 12){
+
+		// BAD, year incremented, month unknown in block, and date is set to 31
+		// which is dangerous. 
+		set_time(year, month, 31);
+	}
+}
+
 
 void modification_after_conversion1(tm timeinfo){
 	// convert a tm year into a civil year, then modify after conversion
