
CodeQL: improved support for C++ memory corruption vulnerabilities (beta)

Open · github-product-roadmap opened this issue 2 years ago · 1 comment

Summary

CodeQL, the analysis engine that powers GitHub code scanning, is investing in improving the coverage of C/C++ memory corruption vulnerabilities.

Buffer overflows and overreads are common types of memory corruption vulnerabilities, and are common in C/C++ because the language doesn't automatically perform or enforce bounds checks. If such checks are not manually implemented, an attacker might be able to write data to memory locations that they shouldn't have access to (buffer overflows, which potentially result in remote code execution or data corruption), or read from memory that they shouldn't have access to (buffer overreads). A good example of the latter is the 2014 "Heartbleed" vulnerability in OpenSSL.

As of May 2021, the number of reported buffer overflow vulnerabilities in the CVE database has reached over 13,700 (source: An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques).

Intended Outcome

To ensure that CodeQL’s false-positive rate remains low, we’re initially focusing on detecting incorrectly bounded reads and writes. All code scanning users that have configured a C++ analysis on their repository will automatically benefit from this additional coverage once released.

New users can set up code scanning on their repositories today and receive actionable code security alerts right on their pull-requests.

github-product-roadmap · Jan 25 '23 18:01
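The two bug classes the roadmap post describes, as an added C example that is not code from the issue, from CodeQL or from OpenSSL: an "incorrectly bounded read" that trusts a length field carried inside the message (the Heartbleed pattern), an "incorrectly bounded write" with an off-by-one loop bound, and the checked versions beside each. The one-byte length-prefixed wire format, the `MEM` layout and all function names are constructed for this example; the leak is demonstrated inside a single 16-byte array so the demo itself stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (assumption, not any real protocol):
 *   byte 0     : declared payload length N (attacker-controlled)
 *   bytes 1..N : payload
 */

/* Vulnerable echo: copies as many bytes as the message *claims* it has,
 * never checking that claim against the bytes actually received or against
 * the destination capacity.  This is the shape of the Heartbleed overread. */
size_t echo_payload_vulnerable(const uint8_t *msg, size_t msg_len,
                               uint8_t *out, size_t out_len)
{
    size_t declared = msg[0];            /* trusted without validation */
    (void)msg_len; (void)out_len;        /* the bounds are available but ignored */
    memcpy(out, msg + 1, declared);      /* reads past msg if declared > msg_len-1 */
    return declared;
}

/* Checked echo: the declared length must fit both the received message and
 * the destination buffer before a single byte is copied.  Returns 0 and
 * copies nothing for a malformed message. */
size_t echo_payload_checked(const uint8_t *msg, size_t msg_len,
                            uint8_t *out, size_t out_len)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return 0;
    size_t declared = msg[0];
    if (declared > msg_len - 1)          /* overread: more claimed than received */
        return 0;
    if (declared > out_len)              /* overflow: more than out can hold */
        return 0;
    memcpy(out, msg + 1, declared);
    return declared;
}

/* Incorrectly bounded write: '<=' makes the last iteration store one element
 * past the end of dst.  Shown for comparison only; calling it is undefined
 * behaviour, so the demo never does. */
void fill_vulnerable(uint8_t *dst, size_t cap, uint8_t value)
{
    for (size_t i = 0; i <= cap; i++)    /* BUG: should be i < cap */
        dst[i] = value;
}

/* Corrected bound.  Returns the number of elements written. */
size_t fill_checked(uint8_t *dst, size_t cap, uint8_t value)
{
    for (size_t i = 0; i < cap; i++)
        dst[i] = value;
    return cap;
}

/* Constructed memory layout: a 4-byte message (length 3, payload "abc")
 * immediately followed by 12 bytes that belong to something else. */
static const uint8_t MEM[16] = {
    3, 'a', 'b', 'c',
    'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y', '!', '!', '!'
};

/* Raise the declared length to 15 (more than the 3 bytes really present) and
 * run either the vulnerable or the checked echo on it.  Returns the number of
 * bytes the echo copied into out. */
size_t demo_leak(uint8_t *out, size_t out_len, int hardened)
{
    uint8_t mem[sizeof MEM];
    memcpy(mem, MEM, sizeof mem);
    mem[0] = 15;                         /* attacker lies about the length */
    if (hardened)
        return echo_payload_checked(mem, 4, out, out_len);
    return echo_payload_vulnerable(mem, 4, out, out_len);
}

int main(void)
{
    uint8_t out[16] = {0};
    size_t n = demo_leak(out, sizeof out, 0);
    printf("vulnerable copied %zu bytes: %.*s\n", n, (int)n, out);
    memset(out, 0, sizeof out);
    n = demo_leak(out, sizeof out, 1);
    printf("checked copied %zu bytes\n", n);
    return 0;
}
```

The vulnerable call copies 15 bytes and the output ends in the 12 bytes that were never part of the message; the checked call rejects the same input because 15 exceeds the 3 payload bytes actually received. This is exactly the kind of read bound a static query can reason about when both the copy length and the buffer size are visible in the code.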

🚢 This has shipped: https://github.blog/2023-10-19-icymi-improved-c-vulnerability-coverage-and-codeql-support-for-lombok/#support-for-lombok

Leaving open to track for GHES release.

ankneis · Oct 23 '23 18:10

🚢 This has shipped with GHES 3.12: https://docs.github.com/en/enterprise-server@3.12/admin/release-notes

ankneis · Mar 12 '24 17:03