Merge pull request #21857 from MathiasVP/fix-cleartext-fp

C++: Fix FP on `cpp/cleartext-transmission`

Author: MathiasVP

cpp/ql/lib/change-notes/2026-05-15-hasSocketInput-for-fscanf.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -87,6 +87,10 @@ private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction i
     output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
     description = "value read by " + this.getName()
   }
+
+  override predicate hasSocketInput(FunctionInput input) {
+    input.isParameterDeref(super.getInputParameterIndex())
+  }
 }
 
 /**

cpp/ql/src/change-notes/2026-05-15-cleartext-transmission-fp.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp

@@ -577,3 +577,10 @@ void tests3()
 	str = get_home_address();
 	send(val(), str, strlen(str), val()); // BAD
 }
+
+int fscanf(FILE* stream, const char* format, ... );
+
+void test_scanf() {
+	char password[256];
+	fscanf(stdin, "%255s", password); // GOOD: this is not a remote source
+}