Merge branch 'main' into next

Author: jketema

.codeqlmanifest.json

@@ -1 +1,9 @@
-{ "provide": [ "cpp/*/src/qlpack.yml", "cpp/*/test/qlpack.yml", "c/*/src/qlpack.yml", "c/*/test/qlpack.yml", "scripts/generate_modules/queries/qlpack.yml" ] }
+{
+  "provide": [
+    "cpp/*/src/qlpack.yml",
+    "cpp/*/test/qlpack.yml",
+    "c/*/src/qlpack.yml",
+    "c/*/test/qlpack.yml",
+    "scripts/generate_modules/queries/qlpack.yml"
+  ]
+}

c/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT

c/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.19.0-dev
+version: 2.21.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/common/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 license: MIT
 dependencies:
   codeql/common-cpp-coding-standards: '*'

c/common/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards-tests
-version: 2.19.0-dev
+version: 2.21.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/misra/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-c-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 description: MISRA C 2012
 suites: codeql-suites
 license: MIT

c/misra/src/rules/DIR-4-12/StdLibDynamicMemoryAllocationUsed.ql

@@ -23,7 +23,7 @@ import semmle.code.cpp.models.interfaces.Deallocation
 
 from Expr e, string type
 where
-  not isExcluded(e, BannedPackage::memoryAllocDeallocFunctionsOfStdlibhUsedQuery()) and
+  not isExcluded(e, BannedPackage::stdLibDynamicMemoryAllocationUsedQuery()) and
   (
     e.(FunctionCall).getTarget().(AllocationFunction).requiresDealloc() and
     type = "allocation"

c/misra/src/rules/RULE-11-4/ConversionBetweenPointerToObjectAndIntegerType.ql

@@ -17,11 +17,10 @@ import codingstandards.c.Pointers
 
 from CStyleCast cast, Type typeFrom, Type typeTo
 where
-  not isExcluded(cast, Pointers1Package::castBetweenObjectPointerAndDifferentObjectTypeQuery()) and
+  not isExcluded(cast, Pointers1Package::conversionBetweenPointerToObjectAndIntegerTypeQuery()) and
   typeFrom = cast.getExpr().getUnderlyingType() and
   typeTo = cast.getUnderlyingType() and
   [typeFrom, typeTo] instanceof IntegralType and
   [typeFrom, typeTo] instanceof PointerToObjectType and
   not isNullPointerConstant(cast.getExpr())
-select cast,
-  "Cast performed between a pointer to object type and a pointer to an integer type."
+select cast, "Cast performed between a pointer to object type and a pointer to an integer type."

c/misra/src/rules/RULE-21-6/StandardLibraryInputoutputFunctionsUsed.ql

@@ -40,7 +40,7 @@ private string wcharInputOutput() {
 
 from FunctionCall fc, Function f
 where
-  not isExcluded(fc, BannedPackage::standardHeaderFileUsedSignalhQuery()) and
+  not isExcluded(fc, BannedPackage::standardLibraryInputoutputFunctionsUsedQuery()) and
   fc.getTarget() = f and
   (
     f.getName() = stdInputOutput() and

c/misra/src/rules/RULE-21-9/BsearchAndQsortOfStdlibhUsed.ql

@@ -17,7 +17,7 @@ import codingstandards.c.misra
 
 from FunctionCall fc, Function f
 where
-  not isExcluded(fc, BannedPackage::terminationFunctionsOfStdlibhUsedQuery()) and
+  not isExcluded(fc, BannedPackage::bsearchAndQsortOfStdlibhUsedQuery()) and
   f = fc.getTarget() and
   f.getName() = ["qsort", "bsearch"] and
   f.getFile().getBaseName() = "stdlib.h"

c/misra/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-c-coding-standards-tests
-version: 2.19.0-dev
+version: 2.21.0-dev
 extractor: cpp
 license: MIT
 dependencies:

change_notes/2023-07-04-remove-compiler-generated-vars.md

@@ -0,0 +1,2 @@
+ * `A7-1-5` - exclude compiler generated variables, such as those generated by for loops.
+ * `M8-0-1` - exclude compiler generated variables, such as those generated by for loops.

change_notes/2023-07-30-update-to-2.11.6.md

@@ -0,0 +1 @@
+ - Updated the supported CodeQL version to `2.11.6`.

change_notes/2023-07-5-fix-suppression-ids.md

@@ -0,0 +1,6 @@
+ * A number of rules had the wrong query ids attached for deviation purposes. This means they could not be deviated against using the correct ID, but could be incidentally suppressed when deviating a different rule. We have fixed this behavior for the following rules:
+    - `RULE-11-4`
+    - `DIR-4-12`
+    - `RULE-21-6`
+    - `RULE-21-9`
+    - `MEM51-CPP`

cpp/autosar/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/autosar-cpp-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 description: AUTOSAR C++14 Guidelines R22-11, R21-11, R20-11, R19-11 and R19-03
 suites: codeql-suites
 license: MIT

cpp/autosar/src/rules/A7-1-5/AutoSpecifierNotUsedAppropriatelyInVariableDefinition.ql

@@ -34,6 +34,8 @@ where
     v.getInitializer().getExpr() instanceof LambdaExpression
     or
     v.getInitializer().getExpr() instanceof ClassAggregateLiteral
-  )
+  ) and
+  // Exclude compiler generated variables
+  not v.isCompilerGenerated()
 select v,
   "Use of auto in variable definition is not the result of a function call, lambda expression, or non-fundamental type initializer."

cpp/autosar/src/rules/M8-0-1/MultipleLocalDeclarators.ql

@@ -20,5 +20,7 @@ import codingstandards.cpp.autosar
 from DeclStmt ds
 where
   not isExcluded(ds, InitializationPackage::multipleLocalDeclaratorsQuery()) and
-  count(ds.getADeclaration()) > 1
+  count(Declaration d | d = ds.getADeclaration()) > 1 and
+  // Not a compiler generated `DeclStmt`, such as in the range-based for loop
+  not ds.isCompilerGenerated()
 select ds, "Declaration list contains more than one declaration."

cpp/autosar/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/autosar-cpp-coding-standards-tests
-version: 2.19.0-dev
+version: 2.21.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/autosar/test/rules/A7-1-5/AutoSpecifierNotUsedAppropriatelyInVariableDefinition.expected

@@ -4,3 +4,4 @@
 | test.cpp:27:8:27:8 | a | Use of auto in variable definition is not the result of a function call, lambda expression, or non-fundamental type initializer. |
 | test.cpp:28:8:28:8 | b | Use of auto in variable definition is not the result of a function call, lambda expression, or non-fundamental type initializer. |
 | test.cpp:81:10:81:10 | a | Use of auto in variable definition is not the result of a function call, lambda expression, or non-fundamental type initializer. |
+| test.cpp:111:19:111:19 | a | Use of auto in variable definition is not the result of a function call, lambda expression, or non-fundamental type initializer. |

cpp/autosar/test/rules/A7-1-5/test.cpp

@@ -105,4 +105,10 @@ void instantiate() {
   Test_381<int> t381;
   t381.test_381_1();
   t381.test_381_2();
+}
+
+void test_loop() {
+  for (const auto a : {8, 9, 10}) {
+    a;
+  }
 }

cpp/autosar/test/rules/M8-0-1/test.cpp

@@ -15,3 +15,10 @@ class ClassA {
   int m1, m2; // NON_COMPLIANT
   int m3;     // COMPLIANT
 };
+
+#include <vector>
+void test_loop(std::vector<ClassA> v) {
+  for (const auto b : v) { // COMPLIANT - DeclStmt is compiler generated
+    b;
+  }
+}

cpp/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-cpp-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 description: CERT C++ 2016
 suites: codeql-suites
 license: MIT

cpp/cert/src/rules/MEM51-CPP/ProperlyDeallocateDynamicallyAllocatedResources.ql

@@ -26,7 +26,7 @@ predicate matching(string allocKind, string deleteKind) {
 
 from Expr alloc, Expr free, Expr freed, string allocKind, string deleteKind
 where
-  not isExcluded(freed, FreedPackage::newDeleteArrayMismatchQuery()) and
+  not isExcluded(freed, AllocationsPackage::properlyDeallocateDynamicallyAllocatedResourcesQuery()) and
   allocReaches(freed, alloc, allocKind) and
   freeExprOrIndirect(free, freed, deleteKind) and
   not matching(allocKind, deleteKind)

cpp/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-cpp-coding-standards-tests
-version: 2.19.0-dev
+version: 2.21.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/common/src/codingstandards/cpp/lifetimes/lifetimeprofile/LifetimeProfile.qll

@@ -198,7 +198,7 @@ newtype TPSetEntry =
   PSetNull(NullReason nr) or
   /** An invalid pointer, for the given reason. */
   PSetInvalid(InvalidReason ir) or
-  /** An unkown pointer. */
+  /** An unknown pointer. */
   PSetUnknown()
 
 /**

cpp/common/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-cpp-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 license: MIT
 dependencies:
-  codeql/cpp-all: 0.4.6
+  codeql/cpp-all: 0.4.6

cpp/common/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-cpp-coding-standards-tests
-version: 2.19.0-dev
+version: 2.21.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/misra/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-cpp-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 description: MISRA C++ 2008
 suites: codeql-suites
 license: MIT

cpp/misra/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-cpp-coding-standards-tests
-version: 2.19.0-dev
+version: 2.21.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/report/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/report-cpp-coding-standards
-version: 2.19.0-dev
+version: 2.21.0-dev
 license: MIT
 dependencies:
   codeql/cpp-all: 0.4.6

docs/user_manual.md

@@ -24,13 +24,13 @@
 
 ## Release information
 
-This user manual documents release `2.19.0-dev` of the coding standards located at [https://github.com/github/codeql-coding-standards](https://github.com/github/codeql-coding-standards).
+This user manual documents release `2.21.0-dev` of the coding standards located at [https://github.com/github/codeql-coding-standards](https://github.com/github/codeql-coding-standards).
 The release page documents the release notes and contains the following artifacts part of the release:
 
-- `code-scanning-cpp-query-pack-anon-2.19.0-dev.zip`: coding standard queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_.
-- `supported_rules_list_2.19.0-dev.csv`: A Comma Separated File (CSV) containing the supported rules per standard and the queries that implement the rule.
+- `code-scanning-cpp-query-pack-anon-2.21.0-dev.zip`: coding standard queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_.
+- `supported_rules_list_2.21.0-dev.csv`: A Comma Separated File (CSV) containing the supported rules per standard and the queries that implement the rule.
 - `upported_rules_list_2.18.0-dev.md`: A Markdown formatted file with a table containing the supported rules per standard and the queries that implement the rule.
-- `user_manual_2.19.0-dev.md`: This user manual.
+- `user_manual_2.21.0-dev.md`: This user manual.
 - `Source Code (zip)`: A zip archive containing the contents of https://github.com/github/codeql-coding-standards
 - `Source Code (tar.gz)`: A GZip compressed tar archive containing the contents of https://github.com/github/codeql-coding-standards
 - `checksums.txt`: A text file containing sha256 checksums for the aforementioned artifacts. 
@@ -460,7 +460,7 @@ This section describes known failure modes for "CodeQL Coding Standards" and des
 |                              | Ouf of space                                                                                                                                                       | Less output. Some files may be only be partially analyzed, or not analyzed at all.                                                                        | Error reported on the command line.                                                                                                                                                                                                                                                                                                  | Increase space. If it remains an issue report space consumption issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                            |
 |                              | False positives                                                                                                                                                    | More output. Results are reported which are not violations of the guidelines.                                                                             | All reported results must be reviewed.                                                                                                                                                                                                                                                                                               | Report false positive issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                                                                      |
 |                              | False negatives                                                                                                                                                    | Less output. Violations of the guidelines are not reported.                                                                                               | Other validation and verification processes during software development should be used to complement the analysis performed by CodeQL Coding Standards.                                                                                                                                                                              | Report false negative issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                                                                      |
-|                              | Modifying coding standard suite                                                                                                                                    | More or less output. If queries are added to the query set more result can be reported. If queries are removed less results might be reported.            | All queries supported by the CodeQL Coding Standards are listed in the release artifacts `supported_rules_list_2.19.0-dev.csv` where VERSION is replaced with the used release. The rules in the resulting Sarif file must be cross-referenced with the expected rules in this list to determine the validity of the used CodeQL suite. | Ensure that the CodeQL Coding Standards are not modified in ways that are not documented as supported modifications.                                                                                                                                                                                                                                                       |
+|                              | Modifying coding standard suite                                                                                                                                    | More or less output. If queries are added to the query set more result can be reported. If queries are removed less results might be reported.            | All queries supported by the CodeQL Coding Standards are listed in the release artifacts `supported_rules_list_2.21.0-dev.csv` where VERSION is replaced with the used release. The rules in the resulting Sarif file must be cross-referenced with the expected rules in this list to determine the validity of the used CodeQL suite. | Ensure that the CodeQL Coding Standards are not modified in ways that are not documented as supported modifications.                                                                                                                                                                                                                                                       |
 |                              | Incorrect deviation record specification                                                                                                                           | More output. Results are reported for guidelines for which a deviation is assigned.                                                                       | Analysis integrity report lists all deviations and incorrectly specified deviation records with a reason. Ensure that all deviation records are correctly specified.                                                                                                                                                                 | Ensure that the deviation record is specified according to the specification in the user manual.                                                                                                                                                                                                                                                                           |
 |                              | Incorrect deviation permit specification                                                                                                                           | More output. Results are reported for guidelines for which a deviation is assigned.                                                                       | Analysis integrity report lists all deviations and incorrectly specified deviation permits with a reason. Ensure that all deviation permits are correctly specified.                                                                                                                                                                 | Ensure that the deviation record is specified according to the specification in the user manual.                                                                                                                                                                                                                                                                           |
 |                              | Unapproved use of a deviation record                                                                                                                               | Less output. Results for guideline violations are not reported.                                                                                           | Validate that the deviation record use is approved by verifying the approved-by attribute of the deviation record specification.                                                                                                                                                                                                     | Ensure that each raised deviation record is approved by an independent approver through an auditable process.                                                                                                                                                                                                                                                              |

scripts/install-packs.py

@@ -18,6 +18,6 @@
 for pack in packs:
     pack_path = os.path.join(root, pack)
     # Run `codeql pack install` to install dependencies.
-    command = [args.codeql, 'pack', 'install', '--mode', args.mode, pack_path]
+    command = [args.codeql, 'pack', 'install', '--allow-prerelease', '--mode', args.mode, pack_path]
     print(f'Running `{" ".join(command)}`')
     subprocess.check_call(command)

scripts/requirements.txt

@@ -1,12 +1,12 @@
 beautifulsoup4==4.9.3
-certifi==2022.12.7
+certifi==2023.7.22
 chardet==3.0.4
 gitdb==4.0.5
 GitPython==3.1.30
 idna==2.10
 Jinja2==2.11.3
 MarkupSafe==1.1.1
-requests==2.25.0
+requests==2.31.0
 smmap==3.0.5
 soupsieve==2.0.1
 urllib3==1.26.5

supported_codeql_configs.json

@@ -5,13 +5,13 @@
       "codeql_standard_library": "codeql-cli/v2.11.6",
       "codeql_cli_bundle": "codeql-bundle-20221211"
     }
-  ], 
-  "supported_language" : [
+  ],
+  "supported_language": [
     {
-      "language" : "cpp"
+      "language": "cpp"
     },
     {
-      "language" : "c"
+      "language": "c"
     }
   ]
-}
+}