Releases: github/codeql-coding-standards

v2.11.0

17 Nov 18:53
b1074c6
v2.11.0 Pre-release

Release summary

  • New queries added for the following rule packages: Contracts2, Contracts4, Banned, Pointers1, Preprocessor2, Syntax
  • The following changes have been made for this release:
    • A5-2-2 - TraditionalCStyleCastsUsed.ql
      • Reduced false positives by excluding casts generated by library macros (i.e. macros defined outside the source location)
      • Improved the message to cite the macro which generated the c-style cast, if any.
      • Improved the message to cite the type being cast to, to aid with identification and remediation.
    • M0-1-4 - SingleUseMemberPODVariable.ql
      • Reduce false positives by excluding any constexpr variable whose constant value is used as an argument to a template.
  • The following rules have been renamed:
    • RULE-4-4 has been renamed to DIR-4-4 to reflect correct naming as per the MISRA C:2012 standard.
    • RULE-4-8 has been renamed to DIR-4-8 to reflect correct naming as per the MISRA C:2012 standard.
    • RULE-4-10 has been renamed to DIR-4-10 to reflect correct naming as per the MISRA C:2012 standard.
    • RULE-4-12 has been renamed to DIR-4-12 to reflect correct naming as per the MISRA C:2012 standard.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.9.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.9.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • DIR-4-4 - SectionsOfCodeShallNotBeCommentedOut.ql
  • DIR-4-8 - ObjectWithNoPointerDereferenceShouldBeOpaque.ql
  • DIR-4-10 - PrecautionIncludeGuardsNotProvided.ql
  • DIR-4-12 - StdLibDynamicMemoryAllocationUsed.ql
  • RULE-21-19 - ValuesReturnedByLocaleSettingUsedAsPtrToConst.ql
  • RULE-21-20 - CallToSetlocaleInvalidatesOldPointers.ql, CallToSetlocaleInvalidatesOldPointersWarn.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • ENV32-C - ExitHandlersMustReturnNormally.ql
  • ENV34-C - DoNotStorePointersReturnedByEnvFunctions.ql, DoNotStorePointersReturnedByEnvironmentFunWarn.ql
  • ERR30-C - SetlocaleMightSetErrno.ql, ErrnoReadBeforeReturn.ql, FunctionCallBeforeErrnoCheck.ql, ErrnoNotSetToZero.ql

v2.10.0

21 Oct 19:28
3f53a36
v2.10.0 Pre-release

Release summary

  • New queries added for the following rule packages: Concurrency5, Contracts3, Declarations3, Language1
  • The following changes have been made for this release:
    • M0-1-9 - DeadCode.ql:
      • More compiler generated statements are now excluded from being reported as dead code, including compiler generated statements for static_assert calls.
    • A2-10-5 - IdentifierNameOfANonMemberObjectWithExternalOrInternalLinkageIsReused.ql
      • Reduce false positives by excluding variable template instantiations.
    • M3-2-1 - DeclarationsOfAnObjectShallHaveCompatibleTypes.ql
      • Reduced false positives by excluding non-object variables (for example, member variables).
      • Reduced false positives by excluding variable templates and template instantiations.
      • Improved the reported error message by including the conflicting type names.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.9.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.9.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • DIR-4-3 - LanguageNotEncapsulatedAndIsolated.ql
  • RULE-5-3 - IdentifierHidingC.ql
  • RULE-5-5 - IdentifiersNotDistinctFromMacroNames.ql
  • RULE-5-6 - TypedefNameNotUnique.ql
  • RULE-5-7 - TagNameNotUnique.ql
  • RULE-8-1 - ExplicitlyDeclareTypes.ql
  • RULE-22-8 - ErrnoSetToZeroPriorToCall.ql
  • RULE-22-9 - ErrnoSetToZeroAfterCall.ql
  • RULE-22-10 - OnlyTestErrnoRightAfterErrnoSettingFunction.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • CON39-C - ThreadWasPreviouslyJoinedOrDetached.ql
  • CON40-C - AtomicVariableTwiceInExpression.ql

v2.9.0

03 Oct 15:53
6437440
v2.9.0 Pre-release

Release summary

  • New queries added for the following rule packages: Concurrency4, Declarations2
  • The following changes have been made for this release:
    • M0-1-4 - SingleUsePODVariable.ql
      • This rule no longer considers compiler-generated access to a variable when determining if the variable has a single use.
    • A8-5-3 - AvoidAutoWithBracedInitialization.ql:
      • Fix regression where auto x{0} was no longer detected as a braced initialization with type auto with the latest CodeQL versions.
      • No longer falsely detect cases where braced initialization was not used, but where the inferred type would be std::initializer_list.
    • A7-3-1 - DefinitionNotConsideredForUnqualifiedLookup.ql
      • The locations reported for names occurring in using-declarations have improved in the latest CodeQL versions.
    • Updated the CodeQL version to 2.9.4.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.9.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.9.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • CON30-C - CleanUpThreadSpecificStorage.ql
  • CON34-C - AppropriateThreadObjectStorageDurations.ql, ThreadObjectStorageDurationsNotInitialized.ql
  • DCL38-C - DeclaringAFlexibleArrayMember.ql
  • DCL40-C - ExcessLengthNamesIdentifiersNotDistinct.ql, IncompatibleObjectDeclarations.ql, IncompatibleFunctionDeclarations.ql
  • DCL41-C - VariablesInsideSwitchStatement.ql

v2.8.0

01 Sep 21:15
4c75033
v2.8.0 Pre-release

Release summary

  • New queries added for the following rule packages: Concurrency3, Contracts1, Declarations1, Expressions, IO4, Pointers2, Concurrency
  • The following changes have been made for this release:
    • A0-1-6: alias templates are now appropriately handled, with alias templates considered used if there exists an instantiation that is used.
    • CON50-CPP - DoNotAllowAMutexToGoOutOfScopeWhileLocked.ql
      • Improvements to detection of mutexes shared across threads and expanded test coverage.
    • CON50-CPP - DoNotDestroyAMutexWhileItIsLocked.ql
      • Improvements to detection of mutexes shared across threads and expanded test coverage.
    • RULE-11-1 - ConversionBetweenFunctionPointerAndOtherType.ql:
      • A result is now reported for an implicit conversion of a pointer to a function into a pointer to a function with an incompatible type.
      • Modified the test to reflect the fixed coverage.
    • Added the autosar-single-translation-unit.qls and cert-single-translation-unit.qls query suites for C++.
      • These include a subset of queries which are suitable for running over databases including only a single translation unit.
      • The initial version includes rules from the "Banned*" C++ packages. Future updates will add additional queries into this suite as they are identified as suitable.
    • A13-2-2 - BinaryOperatorAndBitwiseOperatorReturnAPrvalue.ql:
      • Remove findings related to stream operators.
    • A7-1-1 - DeclarationUnmodifiedObjectMissingConstSpecifier.ql:
      • Remove findings in uninstantiated templates.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.7.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.7.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.

Appendix: CERT-C++ new queries

New queries added to cover the following rules:

  • CON55-CPP - PreserveSafetyWhenUsingConditionVariables.ql

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-5-1 - ExternalIdentifiersNotDistinct.ql
  • RULE-5-4 - MacroIdentifiersNotDistinct.ql, MacroIdentifierNotDistinctFromParameter.ql
  • RULE-21-2 - DoNotDeclareAReservedIdentifier.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • ARR39-C - DoNotAddOrSubtractAScaledIntegerToAPointer.ql
  • CON31-C - DoNotAllowAMutexToGoOutOfScopeWhileLocked.ql, DoNotDestroyAMutexWhileItIsLocked.ql
  • CON38-C - PreserveSafetyWhenUsingConditionVariables.ql
  • CON41-C - WrapFunctionsThatCanFailSpuriouslyInLoop.ql
  • DCL31-C - DeclareIdentifiersBeforeUsingThem.ql
  • DCL37-C - DoNotDeclareOrDefineAReservedIdentifier.ql
  • ENV30-C - DoNotModifyTheReturnValueOfCertainFunctions.ql
  • ENV31-C - EnvPointerIsInvalidAfterCertainOperations.ql
  • EXP37-C - DoNotCallFunctionPointerWithIncompatibleType.ql, DoNotCallFunctionsWithIncompatibleArguments.ql, CallPOSIXOpenWithCorrectArgumentCount.ql
  • EXP46-C - DoNotUseABitwiseOperatorWithABooleanLikeOperand.ql
  • FIO45-C - ToctouRaceConditionsWhileAccessingFiles.ql
  • FIO47-C - UseValidSpecifiers.ql, WrongNumberOfFormatArguments.ql, WrongTypeFormatArguments.ql

v2.7.0

17 Aug 19:04
d65045d
v2.7.0 Pre-release

Release summary

  • New queries added for the following rule packages: Preprocessor5

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.7.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.7.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-20-7 - MacroParameterNotEnclosedInParenthesesCQuery.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • MSC38-C - DoNotTreatAPredefinedIdentifierAsObject.ql
  • PRE32-C - MacroOrFunctionArgsContainHashToken.ql

v2.6.0

21 Jul 20:04
f8700ba
v2.6.0 Pre-release

Release summary

  • New queries added for the following rule packages: Banned, Concurrency2, Preprocessor4
  • The following changes have been made for this release:
    • A3-8-1, A5-3-2, EXP54-CPP, STR51-CPP
      • All queries for these rules are now enabled by default. They were previously disabled due to performance concerns.
    • Address a false positive flagged by cpp/autosar/using-directives-used for anonymous namespaces.
    • A10-2-1 - NonVirtualPublicOrProtectedFunctionsRedefinedQuery:
      • Fixed a typo that caused the derived class not to be displayed in the alert message.
    • A10-3-3 - VirtualFunctionsIntroducedInFinalClassQuery
      • Fixed a typo that caused the introducing class not to be displayed in the alert message.
    • Address a false positive flagged by cpp/autosar/external-linkage-not-declared-in-header-file for declarations that actually were in header files.
    • Update the create_release.sh script to include query artifacts with Markdown help files.
    • M3-2-1 - DeclarationsOfAnObjectShallHaveCompatibleTypes.ql
      • Use the type of the variable declaration entries instead of the variables, as variables may exist that have multiple entries with different types.
    • CON53-CPP - DeadlockByLockingInPredefinedOrder.ql
      • Optimized performance and expanded coverage to include cases where locking order is not serialized.
    • CON52-CPP - PreventBitFieldAccessFromMultipleThreads.ql
      • Fixed an issue with RAII-style locks and scope causing locks to not be correctly identified.
    • Remove support for the anonymized pack because it is no longer necessary. The code scanning pack is superseding this pack.
    • Remove support for the LGTM pack because LGTM is EOL.
    • M5-18-1: Update the alert message to conform with our query style-guide.
    • CON53-CPP - DeadlockByLockingInPredefinedOrder.ql
      • Optimized performance by removing unneeded conditionals.
    • CON35-C - DeadlockByLockingInPredefinedOrder.ql
      • Optimized performance by removing unneeded conditionals.

Supported versions

  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.7.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.7.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-4-12 - StdLibDynamicMemoryAllocationUsed.ql
  • RULE-7-1 - OctalConstantsUsed.ql
  • RULE-8-14 - RestrictTypeQualifierUsed.ql
  • RULE-12-3 - CommaOperatorShouldNotBeUsed.ql
  • RULE-17-1 - FeaturesOfStdarghUsed.ql
  • RULE-19-2 - UnionKeywordShouldNotBeUsed.ql
  • RULE-20-4 - MacroDefinedWithTheSameNameAsKeyword.ql
  • RULE-20-6 - FunctionLikeMacroArgsContainHashTokenCQuery.ql
  • RULE-21-1 - DefineAndUndefUsedOnReservedIdentifierOrMacroName.ql
  • RULE-21-3 - MemoryAllocDeallocFunctionsOfStdlibhUsed.ql
  • RULE-21-4 - StandardHeaderFileUsedSetjmph.ql
  • RULE-21-5 - StandardHeaderFileUsedSignalh.ql
  • RULE-21-6 - StandardLibraryInputoutputFunctionsUsed.ql
  • RULE-21-7 - AtofAtoiAtolAndAtollOfStdlibhUsed.ql
  • RULE-21-8 - TerminationFunctionsOfStdlibhUsed.ql, TerminationMacrosOfStdlibhUsed.ql
  • RULE-21-9 - BsearchAndQsortOfStdlibhUsed.ql
  • RULE-21-10 - StandardLibraryTimeAndDateFunctionsUsed.ql
  • RULE-21-11 - StandardHeaderFileTgmathhUsed.ql
  • RULE-21-12 - ExceptionHandlingFeaturesOfFenvhUsed.ql
  • RULE-21-21 - SystemOfStdlibhUsed.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • CON35-C - DeadlockByLockingInPredefinedOrder.ql
  • CON36-C - WrapFunctionsThatCanSpuriouslyWakeUpInLoop.ql
  • ENV33-C - DoNotCallSystem.ql

v1.1.0 [Certified]

12 Jul 15:23

This release of CodeQL Coding Standards is certified as a software tool suitable for use in safety-related development projects according to ISO26262:2018 for any ASIL.

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • A3-8-1, A5-3-2, EXP54-CPP, STR51-CPP
      • All queries for these rules are now enabled by default. They were previously disabled due to performance concerns.
    • Address a false positive flagged by cpp/autosar/using-directives-used for anonymous namespaces.
    • A10-2-1 - NonVirtualPublicOrProtectedFunctionsRedefinedQuery:
      • Fixed a typo that caused the derived class not to be displayed in the alert message.
    • A10-3-3 - VirtualFunctionsIntroducedInFinalClassQuery
      • Fixed a typo that caused the introducing class not to be displayed in the alert message.
    • Address a false positive flagged by cpp/autosar/external-linkage-not-declared-in-header-file for declarations that actually were in header files.
    • Updated release artifacts naming convention to include the explicit tag in the filename and updated the user manual.

Supported versions

  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.7.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.7.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.

v2.5.0

13 Jul 09:11
v2.5.0 Pre-release

Release summary

  • New queries added for the following rule packages: Concurrency1, Pointers1, Preprocessor3, Strings3, Concurrency

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.7.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.7.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.

Appendix: CERT-C++ new queries

New queries added to cover the following rules:

  • CON52-CPP - PreventBitFieldAccessFromMultipleThreads.ql

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-4-8 - ObjectWithNoPointerDereferenceShouldBeOpaque.ql
  • RULE-8-13 - PointerShouldPointToConstTypeWhenPossible.ql
  • RULE-11-1 - ConversionBetweenFunctionPointerAndOtherType.ql
  • RULE-11-2 - ConversionBetweenIncompleteTypePointerAndOtherType.ql
  • RULE-11-3 - CastBetweenObjectPointerAndDifferentObjectType.ql
  • RULE-11-4 - ConversionBetweenPointerToObjectAndIntegerType.ql
  • RULE-11-5 - ConversionFromPointerToVoidIntoPointerToObject.ql
  • RULE-11-6 - CastBetweenPointerToVoidAndArithmeticType.ql
  • RULE-11-7 - CastBetweenPointerToObjectAndNonIntArithmeticType.ql
  • RULE-11-8 - CastRemovesConstOrVolatileQualification.ql
  • RULE-11-9 - MacroNullNotUsedAsIntegerNullPointerConstant.ql
  • RULE-18-1 - PointerAndDerivedPointerMustAddressSameArray.ql
  • RULE-18-2 - SubtractionBetweenPointersMustAddressSameArray.ql
  • RULE-18-3 - RelationalOperatorComparesPointerToDifferentArray.ql
  • RULE-18-4 - DoNotUseAdditionOrSubtractionOperatorsOnPointers.ql
  • RULE-18-5 - NoMoreThanTwoLevelsOfPointerNestingInDeclarations.ql
  • RULE-18-6 - AutomaticStorageObjectAddressCopiedToOtherObject.ql
  • RULE-20-8 - ControllingExpressionIfDirective.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • CON32-C - PreventDataRacesWithMultipleThreads.ql
  • CON33-C - RaceConditionsWhenUsingLibraryFunctions.ql
  • CON37-C - DoNotCallSignalInMultithreadedProgram.ql
  • STR34-C - CastCharBeforeConvertingToLargerSizes.ql
  • STR38-C - DoNotConfuseNarrowAndWideFunctions.ql

v2.4.0

13 Jul 09:09
v2.4.0 Pre-release

Release summary

  • New queries added for the following rule packages: IO3, Preprocessor2, Strings2
  • The following changes have been made for this release:
    • M16-3-1 - MoreThanOneOccurrenceHashOperatorInMacroDefinition.ql:
      • Removes detection of more than one occurrence in non-function-like macros.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.7.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.7.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-4-10 - PrecautionIncludeGuardsNotProvided.ql
  • RULE-20-5 - UndefShouldNotBeUsed.ql
  • RULE-20-11 - MoreThanOneHashOperatorInMacroDefinition.ql
  • RULE-20-12 - MacroParameterUsedAsHashOperand.ql
  • RULE-22-3 - FileOpenForReadAndWriteOnDifferentStreams.ql
  • RULE-22-4 - AttemptToWriteToAReadOnlyStream.ql
  • RULE-22-5 - PointerToAFileObjectDereferenced.ql
  • RULE-22-7 - EofShallBeComparedWithUnmodifiedReturnValues.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • FIO32-C - DoNotPerformFileOperationsOnDevices.ql
  • FIO37-C - SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql
  • STR37-C - ToCharacterHandlingFunctionsRepresentableAsUChar.ql

v2.3.0

13 Jul 09:07
v2.3.0 Pre-release

Release summary

  • New queries added for the following rule packages: Misc, SideEffects2, Strings1
  • The following changes have been made for this release:
    • Refactored A26-5-1 and MSC50-CPP to share the same query with MSC30-C.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.7.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.7.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-13-3 - SideEffectAndCrementInFullExpression.ql
  • RULE-17-8 - ModificationOfFunctionParameter.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • MSC30-C - RandUsedForGeneratingPseudorandomNumbers.ql
  • MSC32-C - ProperlySeedPseudorandomNumberGenerators.ql
  • MSC37-C - ControlFlowReachesTheEndOfANonVoidFunction.ql
  • STR30-C - DoNotAttemptToModifyStringLiterals.ql
  • STR31-C - StringsHasSufficientSpaceForTheNullTerminator.ql
  • STR32-C - NonNullTerminatedToFunctionThatExpectsAString.ql