QUERIES.md

April 17, 2026

## C and C++

### Cryptography

| Name | Description | Severity | Precision |
| --- | --- | --- | --- |
| BN_CTX_free called before BN_CTX_end | Detects BN_CTX_free called before BN_CTX_end, which violates the required lifecycle | error | medium |
| Crypto variable initialized using static key | Finds crypto variables initialized using static keys | error | high |
| Crypto variable initialized using static password | Finds crypto variables initialized using static passwords | error | high |
| Crypto variable initialized using weak randomness | Finds crypto variables initialized using weak randomness | error | high |
| Invalid key size | Tests if keys passed to EVP_EncryptInit and EVP_EncryptInit_ex have the same size as the key size of the cipher used | warning | medium |
| Memory leak related to custom allocator | Finds memory leaks from custom allocated memory | warning | medium |
| Memory use after free related to custom allocator | Finds use-after-frees related to custom allocators like BN_new | warning | medium |
| Missing OpenSSL engine initialization | Finds created OpenSSL engines that may not be properly initialized | warning | medium |
| Missing error handling | Checks if returned error codes are properly checked | warning | high |
| Missing zeroization of potentially sensitive random BIGNUM | Determines if random bignums are properly zeroized | warning | medium |
| Random buffer too small | Finds buffer overflows in calls to CSPRNGs | warning | high |
| Unbalanced BN_CTX_start and BN_CTX_end pair | Detects if one call in the BN_CTX_start/BN_CTX_end pair is missing | warning | medium |
| Use of legacy cryptographic algorithm | Detects potential instantiations of legacy cryptographic algorithms | warning | medium |

### Security

| Name | Description | Severity | Precision |
| --- | --- | --- | --- |
| Async unsafe signal handler | Async unsafe signal handler (like the one used in CVE-2024-6387) | warning | high |
| Decrementation overflow when comparing | This query finds unsigned integer overflows resulting from unchecked decrementation during comparison. | error | high |
| Find all problematic implicit casts | Find all implicit casts that may be problematic. That is, casts that may result in unexpected truncation, reinterpretation or widening of values. | error | high |
| Inconsistent handling of return values from a specific function | Detects functions whose return values are compared inconsistently across call sites, which may indicate bugs. | warning | medium |
| Invalid string size passed to string manipulation function | Finds calls to functions that take as input a string and its size as separate arguments (e.g., strncmp, strncat, ...) where the size argument is wrong | error | low |
| Iterator invalidation | Modifying a container while iterating over it can invalidate iterators, leading to undefined behavior. | warning | medium |
| Missing null terminator | This query finds incorrectly initialized strings that are passed to functions expecting null-byte-terminated strings | error | high |

## Go

### Cryptography

| Name | Description | Severity | Precision |
| --- | --- | --- | --- |
| Message not hashed before signature verification | Detects calls to (EC)DSA APIs with a message that was not hashed. If the message is longer than the expected hash digest size, it is silently truncated | error | medium |

### Security

| Name | Description | Severity | Precision |
| --- | --- | --- | --- |
| Invalid file permission parameter | Finds non-octal (e.g., 755 vs 0o755) and unsupported (e.g., 04666) literals used as a filesystem permission parameter (FileMode) | error | medium |
| Missing MinVersion in tls.Config | Finds uses of tls.Config where MinVersion is not set and the project's minimum Go version (from go.mod) indicates insecure defaults: Go < 1.18 for clients or Go < 1.22 for servers. Does not mark explicitly set versions (including explicitly insecure ones). | error | medium |
| Trim functions misuse | Finds calls to string.{Trim,TrimLeft,TrimRight} with the 2nd argument not being a cutset but a continuous substring to be trimmed | error | low |

## Java and Kotlin

### Security

| Name | Description | Severity | Precision |
| --- | --- | --- | --- |
| Recursive functions | Detects possibly unbounded recursive calls | warning | low |