Merge branch 'main' into jsinglet/matrix-testing

Author: jsinglet

.github/pull_request_template.md

@@ -32,6 +32,12 @@ _**Author:**_ Is a change note required?
   - [ ] Yes
   - [ ] No
 
+🚨🚨🚨
+_**Reviewer:**_ Confirm that format of *shared* queries (not the .qll file, the
+.ql file that imports it) is valid by running them within VS Code. 
+  - [ ] Confirmed
+
+
 _**Reviewer:**_ Confirm that either a change note is not required or the change note is required and has been added.
   - [ ] Confirmed
 

.github/touch

@@ -86,7 +86,7 @@ jobs:
           codeql query compile --search-path c --search-path cpp --threads 0 c
 
           cd ..
-          zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/deviations codeql-coding-standards/scripts/reports
+          zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/schemas
 
       - name: Upload GHAS Query Pack
         uses: actions/upload-artifact@v2

.github/workflows/code-scanning-pack-gen.yml

@@ -0,0 +1,58 @@
+name: ⚙️ Extra Rule Validation
+
+on:
+  push:
+    branches:
+      - main
+      - "rc/**"
+      - next
+  pull_request:
+    branches:
+      - main
+      - "rc/**"
+      - next
+
+
+jobs:
+  validate-rules-csv:
+    name: Validate Rules CSV 
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Check Rules 
+        shell: pwsh
+        run: scripts/util/Get-DuplicateRules.ps1 -Language 'all' -CIMode
+
+
+  validate-shared-rules-test-structure:
+    name: Validate Rules Test Structure 
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Ensure CPP Shared Rules Have Valid Structure  
+        shell: pwsh
+        run: scripts/util/Test-SharedImplementationsHaveTestCases.ps1 -Language cpp -CIMode
+
+      - name: Ensure C Shared Rules Have Valid Structure  
+        shell: pwsh
+        run: scripts/util/Test-SharedImplementationsHaveTestCases.ps1 -Language c -CIMode
+
+        
+      - uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: missing-test-report.csv
+          path: MissingTestReport*.csv
+
+      - uses: actions/upload-artifact@v3
+        if: failure()
+        with:
+          name: test-report.csv
+          path: TestReport*.csv
+          if-no-files-found: error 
+     
+

.github/workflows/extra-rule-validation.yml

@@ -0,0 +1,91 @@
+name: 🧰 Tooling unit tests
+
+on:
+  push:
+    branches:
+      - main
+      - "rc/**"
+      - next
+  pull_request:
+    branches:
+      - main
+      - "rc/**"
+      - next
+
+jobs:
+  prepare-supported-codeql-env-matrix:
+    name: Prepare supported CodeQL environment matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.export-supported-codeql-env-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Export supported CodeQL environment matrix
+        id: export-supported-codeql-env-matrix
+        run: |
+          echo "::set-output name=matrix::$(
+            jq --compact-output '.supported_environment | {include: .}' supported_codeql_configs.json
+          )"
+
+  analysis-report-tests:
+    name: Run analysis report tests
+    needs: prepare-supported-codeql-env-matrix
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.prepare-supported-codeql-env-matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
+
+      - name: Install Python dependencies
+        run: pip install -r scripts/reports/requirements.txt
+
+      - name: Cache CodeQL
+        id: cache-codeql
+        uses: actions/cache@v2.1.3
+        with:
+          path: ${{ github.workspace }}/codeql_home
+          key: codeql-home-${{ matrix.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library }}
+
+      - name: Install CodeQL
+        if: steps.cache-codeql.outputs.cache-hit != 'true'
+        uses: ./.github/actions/install-codeql
+        with:
+          codeql-cli-version: ${{ matrix.codeql_cli }}
+          codeql-stdlib-version: ${{ matrix.codeql_standard_library }}
+          codeql-home: ${{ github.workspace }}/codeql_home
+          add-to-path: false
+
+      - name: Run PyTest
+        env:
+          CODEQL_HOME: ${{ github.workspace }}/codeql_home
+        run: |
+          PATH=$PATH:$CODEQL_HOME/codeql
+          pytest scripts/reports/analysis_report_test.py
+
+  recategorization-tests:
+    name: Run Guideline Recategorization tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
+
+      - name: Install Python dependencies
+        run: pip install -r scripts/guideline_recategorization/requirements.txt
+
+      - name: Run PyTest
+        run: |
+          pytest scripts/guideline_recategorization/recategorize_test.py

.github/workflows/tooling-unit-tests.yml

@@ -28,6 +28,15 @@ jobs:
         with:
           python-version: "3.9"
 
+      - name: Install CodeQL
+        run: |
+          VERSION="v$( jq -r '.supported_environment | .[0] | .codeql_cli' supported_codeql_configs.json)"
+          gh extensions install github/gh-codeql
+          gh codeql set-version "$VERSION"
+          gh codeql install-stub
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
       - name: Install generate_package_files.py dependencies
         run: pip install -r scripts/requirements.txt
 
@@ -49,14 +58,14 @@ jobs:
 
       - name: Validate Package Files (CPP)
         run: |
-          find rule_packages/cpp -name \*.json -exec basename {} .json \; | xargs --max-procs "$XARGS_MAX_PROCS" --max-args 1 python scripts/generate_rules/generate_package_files.py cpp
+          find rule_packages/cpp -name \*.json -exec basename {} .json \; | xargs python scripts/generate_rules/generate_package_files.py cpp
           git diff
           git diff --compact-summary
           git diff --quiet
 
       - name: Validate Package Files (C)
         run: |
-          find rule_packages/c -name \*.json -exec basename {} .json \; | xargs --max-procs "$XARGS_MAX_PROCS" --max-args 1 python scripts/generate_rules/generate_package_files.py c
+          find rule_packages/c -name \*.json -exec basename {} .json \; | xargs python scripts/generate_rules/generate_package_files.py c
           git diff
           git diff --compact-summary
           git diff --quiet
@@ -68,25 +77,26 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
-      - name: Fetch CodeQL
+      - name: Install CodeQL
         run: |
-          TAG="v$( jq -r '.supported_environment | .[0] | .codeql_cli' supported_codeql_configs.json)"
-          gh release download $TAG --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip
-          unzip -q codeql-linux64.zip
+          VERSION="v$( jq -r '.supported_environment | .[0] | .codeql_cli' supported_codeql_configs.json)"
+          gh extensions install github/gh-codeql
+          gh codeql set-version "$VERSION"
+          gh codeql install-stub
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
       - name: Validate CodeQL Format (CPP)
         run: |
-          find cpp -name \*.ql -or -name \*.qll -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" codeql/codeql query format --in-place
+          find cpp -name \*.ql -or -name \*.qll -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" codeql query format --in-place
 
           git diff
           git diff --compact-summary
           git diff --quiet
 
       - name: Validate CodeQL Format (C)
         run: |
-          find c -name \*.ql -or -name \*.qll -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" codeql/codeql query format --in-place
+          find c -name \*.ql -or -name \*.qll -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" codeql query format --in-place
 
           git diff
           git diff --compact-summary

.github/workflows/validate-coding-standards.yml

@@ -185,6 +185,7 @@
             "type": "pickString",
             "options": [
                 "Allocations",
+                "Banned",
                 "BannedFunctions",
                 "BannedLibraries",
                 "BannedSyntax",
@@ -205,6 +206,10 @@
                 "Declarations",
                 "Declarations1",
                 "Declarations2",
+                "Declarations3",
+                "Declarations4",
+                "Declarations5",
+                "Declarations6",
                 "Exceptions1",
                 "Exceptions2",
                 "Expressions",
@@ -221,6 +226,7 @@
                 "Iterators",
                 "Lambdas",
                 "Language1",
+                "Language2",
                 "Literals",
                 "Loops",
                 "Macros",
@@ -252,6 +258,7 @@
                 "Preprocessor3",
                 "Preprocessor4",
                 "Preprocessor5",
+                "Preprocessor6",
                 "IntegerConversion",
                 "Expressions",
                 "DeadCode",

.vscode/tasks.json

@@ -1,4 +1,4 @@
 name: cert-c-coding-standards
-version: 2.11.0-dev
+version: 2.13.0-dev
 suites: codeql-suites
 libraryPathDependencies: common-c-coding-standards

c/cert/src/qlpack.yml

@@ -15,29 +15,12 @@
 
 import cpp
 import codingstandards.c.cert
-
-/**
- * A member with the type array that is last in a struct
- * includes any sized array (either specified or not)
- */
-class FlexibleArrayMember extends MemberVariable {
-  Struct s;
-
-  FlexibleArrayMember() {
-    this.getType() instanceof ArrayType and
-    this.getDeclaringType() = s and
-    not exists(int i, int j |
-      s.getAMember(i) = this and
-      exists(s.getAMember(j)) and
-      j > i
-    )
-  }
-}
+import codingstandards.c.Variable
 
 from VariableDeclarationEntry m, ArrayType a
 where
   not isExcluded(m, Declarations2Package::declaringAFlexibleArrayMemberQuery()) and
   m.getType() = a and
-  m.getVariable() instanceof FlexibleArrayMember and
+  m.getVariable() instanceof FlexibleArrayMemberCandidate and
   a.getArraySize() = 1
 select m, "Incorrect syntax used for declaring this flexible array member."

c/cert/src/rules/DCL38-C/DeclaringAFlexibleArrayMember.ql

@@ -23,14 +23,6 @@ class ErrnoSettingFunctionCall extends FunctionCall {
   ErrnoSettingFunctionCall() { this.getTarget() instanceof InBandErrnoSettingFunction }
 }
 
-class ErrnoCheck extends Expr {
-  ErrnoCheck() {
-    this = any(MacroInvocation ma | ma.getMacroName() = "errno").getAnExpandedElement()
-    or
-    this.(FunctionCall).getTarget().hasName(["perror", "strerror"])
-  }
-}
-
 /**
  * A successor of an ErrnoSettingFunctionCall appearing
  * before a check of errno
@@ -42,7 +34,7 @@ ControlFlowNode errnoNotCheckedAfter(ErrnoSettingFunctionCall errnoSet) {
     result = mid.getASuccessor() and
     mid = errnoNotCheckedAfter(errnoSet) and
     // stop recursion on an error check
-    not result instanceof ErrnoCheck
+    not result instanceof ErrnoRead
   )
 }