Merge branch 'main' into mbaluda/updateql2.10.5

Author: mbaluda

.github/workflows/bump-version.yml

@@ -27,6 +27,5 @@ jobs:
             title: "Release Engineering: Version bump to ${{ github.event.inputs.new_version }}."
             body: "This PR updates codeql-coding-standards to version ${{ github.event.inputs.new_version }}."
             commit-message: "Version bump to ${{ github.event.inputs.new_version }}."
-            team-reviewers: github/codeql-coding-standards
             delete-branch: true
             branch: "automation/version-bump-${{ github.event.inputs.new_version }}"

.github/workflows/code-scanning-pack-gen.yml

@@ -1,6 +1,7 @@
 name: Code Scanning Query Pack Generation
 
 on:
+  merge_group:
   pull_request:
     branches:
       - main

.github/workflows/codeql_unit_tests.yml

@@ -1,6 +1,7 @@
 name: CodeQL Unit Testing
 
 on:
+  merge_group:
   push:
     branches:
       - main

.github/workflows/create-draft-release.yml

@@ -5,7 +5,7 @@ on:
     inputs:
       release_version_tag:
         description: |
-          The tag for the new draft release, e.g. v0.5.1.
+          The tag for the new draft release, e.g. 0.5.1 - do not include the `v`.
         required: true
       codeql_analysis_threads:
         description: |

.github/workflows/extra-rule-validation.yml

@@ -1,6 +1,7 @@
 name: ⚙️ Extra Rule Validation
 
 on:
+  merge_group:
   push:
     branches:
       - main

.github/workflows/generate-html-docs.yml

@@ -1,6 +1,7 @@
 name: Generate HTML documentation
 
 on:
+  merge_group:
   push:
     branches:
       - main

.github/workflows/tooling-unit-tests.yml

@@ -1,6 +1,7 @@
 name: 🧰 Tooling unit tests
 
 on:
+  merge_group:
   push:
     branches:
       - main

.github/workflows/validate-coding-standards.yml

@@ -1,6 +1,7 @@
 name: Validating Coding Standards
 
 on:
+  merge_group:
   push:
     branches:
       - main

.github/workflows/verify-standard-library-dependencies.yml

@@ -2,6 +2,7 @@ name: Verify Standard Library Dependencies
 
 # Run this workflow every time the "supported_codeql_configs.json" file or a "qlpack.yml" file is changed
 on:
+  merge_group:
   pull_request:
     branches:
       - main

c/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.14.0-dev
+version: 2.15.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT

c/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.14.0-dev
+version: 2.15.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected.clang

@@ -0,0 +1,23 @@
+edges
+| test.c:7:13:7:14 | p1 | test.c:9:9:9:10 | p1 |
+| test.c:16:19:16:41 | __builtin_offsetof | test.c:18:26:18:31 | offset |
+| test.c:16:19:16:41 | __builtin_offsetof | test.c:29:6:29:11 | offset |
+| test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size |
+| test.c:29:6:29:11 | offset | test.c:7:13:7:14 | p1 |
+nodes
+| test.c:7:13:7:14 | p1 | semmle.label | p1 |
+| test.c:9:9:9:10 | p1 | semmle.label | p1 |
+| test.c:16:19:16:41 | __builtin_offsetof | semmle.label | __builtin_offsetof |
+| test.c:17:17:17:26 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
+| test.c:18:26:18:31 | offset | semmle.label | offset |
+| test.c:23:9:23:12 | size | semmle.label | size |
+| test.c:25:9:25:18 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
+| test.c:27:17:27:26 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
+| test.c:29:6:29:11 | offset | semmle.label | offset |
+subpaths
+#select
+| test.c:9:9:9:10 | p1 | test.c:16:19:16:41 | __builtin_offsetof | test.c:9:9:9:10 | p1 | Scaled integer used in pointer arithmetic. |
+| test.c:18:26:18:31 | offset | test.c:16:19:16:41 | __builtin_offsetof | test.c:18:26:18:31 | offset | Scaled integer used in pointer arithmetic. |
+| test.c:23:9:23:12 | size | test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size | Scaled integer used in pointer arithmetic. |
+| test.c:25:9:25:18 | sizeof(<expr>) | test.c:25:9:25:18 | sizeof(<expr>) | test.c:25:9:25:18 | sizeof(<expr>) | Scaled integer used in pointer arithmetic. |
+| test.c:27:17:27:26 | sizeof(<expr>) | test.c:27:17:27:26 | sizeof(<expr>) | test.c:27:17:27:26 | sizeof(<expr>) | Scaled integer used in pointer arithmetic. |

c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected.gcc

@@ -0,0 +1,23 @@
+edges
+| test.c:7:13:7:14 | p1 | test.c:9:9:9:10 | p1 |
+| test.c:16:19:16:41 | __builtin_offsetof | test.c:18:26:18:31 | offset |
+| test.c:16:19:16:41 | __builtin_offsetof | test.c:29:6:29:11 | offset |
+| test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size |
+| test.c:29:6:29:11 | offset | test.c:7:13:7:14 | p1 |
+nodes
+| test.c:7:13:7:14 | p1 | semmle.label | p1 |
+| test.c:9:9:9:10 | p1 | semmle.label | p1 |
+| test.c:16:19:16:41 | __builtin_offsetof | semmle.label | __builtin_offsetof |
+| test.c:17:17:17:26 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
+| test.c:18:26:18:31 | offset | semmle.label | offset |
+| test.c:23:9:23:12 | size | semmle.label | size |
+| test.c:25:9:25:18 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
+| test.c:27:17:27:26 | sizeof(<expr>) | semmle.label | sizeof(<expr>) |
+| test.c:29:6:29:11 | offset | semmle.label | offset |
+subpaths
+#select
+| test.c:9:9:9:10 | p1 | test.c:16:19:16:41 | __builtin_offsetof | test.c:9:9:9:10 | p1 | Scaled integer used in pointer arithmetic. |
+| test.c:18:26:18:31 | offset | test.c:16:19:16:41 | __builtin_offsetof | test.c:18:26:18:31 | offset | Scaled integer used in pointer arithmetic. |
+| test.c:23:9:23:12 | size | test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size | Scaled integer used in pointer arithmetic. |
+| test.c:25:9:25:18 | sizeof(<expr>) | test.c:25:9:25:18 | sizeof(<expr>) | test.c:25:9:25:18 | sizeof(<expr>) | Scaled integer used in pointer arithmetic. |
+| test.c:27:17:27:26 | sizeof(<expr>) | test.c:27:17:27:26 | sizeof(<expr>) | test.c:27:17:27:26 | sizeof(<expr>) | Scaled integer used in pointer arithmetic. |

c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected.clang

@@ -0,0 +1,40 @@
+edges
+| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | (const char *)... |
+| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | file_name |
+| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | file_name indirection |
+| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | (const char *)... |
+| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name |
+| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection |
+| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | (const char *)... |
+| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name |
+| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name indirection |
+| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | (LPCTSTR)... |
+| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | file_name |
+| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | file_name indirection |
+| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | (LPCTSTR)... |
+| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name |
+| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection |
+| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | (LPCTSTR)... |
+| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name |
+| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name indirection |
+subpaths
+nodes
+| test.c:20:15:20:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.c:20:15:20:23 | file_name | semmle.label | file_name |
+| test.c:20:15:20:23 | scanf output argument | semmle.label | scanf output argument |
+| test.c:21:8:21:16 | (const char *)... | semmle.label | (const char *)... |
+| test.c:21:8:21:16 | (const char *)... | semmle.label | (const char *)... |
+| test.c:21:8:21:16 | file_name | semmle.label | file_name |
+| test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection |
+| test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection |
+| test.c:45:15:45:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.c:45:15:45:23 | file_name | semmle.label | file_name |
+| test.c:45:15:45:23 | scanf output argument | semmle.label | scanf output argument |
+| test.c:46:29:46:37 | (LPCTSTR)... | semmle.label | (LPCTSTR)... |
+| test.c:46:29:46:37 | (LPCTSTR)... | semmle.label | (LPCTSTR)... |
+| test.c:46:29:46:37 | file_name | semmle.label | file_name |
+| test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection |
+| test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection |
+#select
+| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen(__filename) | test.c:20:15:20:23 | file_name | user input (scanf) |
+| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName) | test.c:45:15:45:23 | file_name | user input (scanf) |

c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected.gcc

@@ -0,0 +1,40 @@
+edges
+| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | (const char *)... |
+| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | file_name |
+| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | file_name indirection |
+| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | (const char *)... |
+| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name |
+| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection |
+| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | (const char *)... |
+| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name |
+| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name indirection |
+| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | (LPCTSTR)... |
+| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | file_name |
+| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | file_name indirection |
+| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | (LPCTSTR)... |
+| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name |
+| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection |
+| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | (LPCTSTR)... |
+| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name |
+| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name indirection |
+subpaths
+nodes
+| test.c:20:15:20:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.c:20:15:20:23 | file_name | semmle.label | file_name |
+| test.c:20:15:20:23 | scanf output argument | semmle.label | scanf output argument |
+| test.c:21:8:21:16 | (const char *)... | semmle.label | (const char *)... |
+| test.c:21:8:21:16 | (const char *)... | semmle.label | (const char *)... |
+| test.c:21:8:21:16 | file_name | semmle.label | file_name |
+| test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection |
+| test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection |
+| test.c:45:15:45:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.c:45:15:45:23 | file_name | semmle.label | file_name |
+| test.c:45:15:45:23 | scanf output argument | semmle.label | scanf output argument |
+| test.c:46:29:46:37 | (LPCTSTR)... | semmle.label | (LPCTSTR)... |
+| test.c:46:29:46:37 | (LPCTSTR)... | semmle.label | (LPCTSTR)... |
+| test.c:46:29:46:37 | file_name | semmle.label | file_name |
+| test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection |
+| test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection |
+#select
+| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen(__filename) | test.c:20:15:20:23 | file_name | user input (scanf) |
+| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName) | test.c:45:15:45:23 | file_name | user input (scanf) |

c/cert/test/rules/FIO38-C/DoNotCopyAFileObject.expected

@@ -1,5 +1,5 @@
-| test.c:10:20:10:26 | * ... | A FILE object is being copied. |
-| test.c:17:21:17:30 | * ... | A FILE object is being copied. |
-| test.c:23:21:23:31 | * ... | A FILE object is being copied. |
-| test.c:29:15:29:21 | * ... | A FILE object is being copied. |
-| test.c:42:19:42:28 | * ... | A FILE object is being copied. |
+| test.c:11:20:11:26 | * ... | A FILE object is being copied. |
+| test.c:18:21:18:30 | * ... | A FILE object is being copied. |
+| test.c:24:21:24:31 | * ... | A FILE object is being copied. |
+| test.c:30:15:30:21 | * ... | A FILE object is being copied. |
+| test.c:43:19:43:28 | * ... | A FILE object is being copied. |

c/cert/test/rules/FIO38-C/DoNotCopyAFileObject.expected.clang

@@ -0,0 +1,5 @@
+| test.c:4:20:4:26 | * ... | A FILE object is being copied. |
+| test.c:11:21:11:30 | * ... | A FILE object is being copied. |
+| test.c:17:21:17:31 | * ... | A FILE object is being copied. |
+| test.c:23:15:23:21 | * ... | A FILE object is being copied. |
+| test.c:36:19:36:28 | * ... | A FILE object is being copied. |

c/cert/test/rules/FIO38-C/DoNotCopyAFileObject.expected.gcc

@@ -0,0 +1,5 @@
+| test.c:4:20:4:26 | * ... | A FILE object is being copied. |
+| test.c:11:21:11:30 | * ... | A FILE object is being copied. |
+| test.c:17:21:17:31 | * ... | A FILE object is being copied. |
+| test.c:23:15:23:21 | * ... | A FILE object is being copied. |
+| test.c:36:19:36:28 | * ... | A FILE object is being copied. |

c/cert/test/rules/FIO38-C/test.c

@@ -1,4 +1,5 @@
 #include <stdio.h>
+// Workaround for the Musl implementing FILE as an incomplete type.
 #if !defined(__DEFINED_struct__IO_FILE)
 struct _IO_FILE {
   char __x;

c/cert/test/rules/FIO38-C/test.c.clang

@@ -0,0 +1,43 @@
+#include <stdio.h>
+
+int f1(void) {
+  FILE my_stdout = *stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", &my_stdout);
+}
+
+int f2(void) {
+  FILE *my_stdout;
+  my_stdout = stdout;           // COMPLIANT
+  FILE my_stdout2 = *my_stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", my_stdout);
+}
+int f2b(void) {
+  FILE *const *my_stdout;
+  my_stdout = &stdout;           // COMPLIANT
+  FILE my_stdout2 = **my_stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", *my_stdout);
+}
+
+int f3(void) {
+  FILE my_stdout;
+  my_stdout = *stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", &my_stdout);
+}
+
+int f4(void) {
+  FILE *my_stdout;
+  my_stdout = fopen("file.txt", "w"); // COMPLIANT
+  return fputs("Hello, World!\n", my_stdout);
+}
+
+int f5helper(FILE my_stdout) { return fputs("Hello, World!\n", &my_stdout); }
+int f5(void) {
+  FILE *my_stdout = fopen("file.txt", "w"); // COMPLIANT
+  return f5helper(*my_stdout);              // NON_COMPLIANT
+}
+
+int f6helper(FILE *my_stdout) { return fputs("Hello, World!\n", my_stdout); }
+int f6(void) {
+  FILE *my_stdout = fopen("file.txt", "w"); // COMPLIANT
+  return f6helper(my_stdout);               // COMPLIANT
+}

c/cert/test/rules/FIO38-C/test.c.gcc

@@ -0,0 +1,43 @@
+#include <stdio.h>
+
+int f1(void) {
+  FILE my_stdout = *stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", &my_stdout);
+}
+
+int f2(void) {
+  FILE *my_stdout;
+  my_stdout = stdout;           // COMPLIANT
+  FILE my_stdout2 = *my_stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", my_stdout);
+}
+int f2b(void) {
+  FILE *const *my_stdout;
+  my_stdout = &stdout;           // COMPLIANT
+  FILE my_stdout2 = **my_stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", *my_stdout);
+}
+
+int f3(void) {
+  FILE my_stdout;
+  my_stdout = *stdout; // NON_COMPLIANT
+  return fputs("Hello, World!\n", &my_stdout);
+}
+
+int f4(void) {
+  FILE *my_stdout;
+  my_stdout = fopen("file.txt", "w"); // COMPLIANT
+  return fputs("Hello, World!\n", my_stdout);
+}
+
+int f5helper(FILE my_stdout) { return fputs("Hello, World!\n", &my_stdout); }
+int f5(void) {
+  FILE *my_stdout = fopen("file.txt", "w"); // COMPLIANT
+  return f5helper(*my_stdout);              // NON_COMPLIANT
+}
+
+int f6helper(FILE *my_stdout) { return fputs("Hello, World!\n", my_stdout); }
+int f6(void) {
+  FILE *my_stdout = fopen("file.txt", "w"); // COMPLIANT
+  return f6helper(my_stdout);               // COMPLIANT
+}

c/cert/test/rules/FIO42-C/test.c

@@ -1,8 +1,8 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/stat.h>
 #include <unistd.h>
-
 int f1a(const char *filename) {
   FILE *f = fopen(filename, "r"); // NON_COMPLIANT
   if (NULL == f) {