Releases: github/codeql-coding-standards
v2.11.0
Release summary
- New queries added for the following rule packages: Contracts2, Contracts4, Banned, Pointers1, Preprocessor2, Syntax
- The following changes have been made for this release:
A5-2-2
-TraditionalCStyleCastsUsed.ql
- Reduced false positives by excluding casts generated by library macros (i.e. macros defined outside the source location)
- Improved the message to cite the macro which generated the c-style cast, if any.
- Improved the message to cite the type being casted to, to aid with identification and remediation.
M0-1-4
-SingleUseMemberPODVariable.ql
- Reduce false positives by excluding any constexpr variable whose constant value is used as an argument to a template.
- The following rules have been renamed:
- RULE-4-4 has been renamed to DIR-4-4 to reflect correct naming as per
MISRA C:2012 standard. - RULE-4-8 has been renamed to DIR-4-8 to reflect correct naming as per
MISRA C:2012 standard. - RULE-4-10 has been renamed to DIR-4-10 to reflect correct naming as per
MISRA C:2012 standard. - RULE-4-12 has been renamed to DIR-4-12 to reflect correct naming as per
MISRA C:2012 standard.
- RULE-4-4 has been renamed to DIR-4-4 to reflect correct naming as per
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.9.4
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.9.4
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.
- Using the CodeQL CLI version
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- DIR-4-4 -
SectionsOfCodeShallNotBeCommentedOut.ql
- DIR-4-8 -
ObjectWithNoPointerDereferenceShouldBeOpaque.ql
- DIR-4-10 -
PrecautionIncludeGuardsNotProvided.ql
- DIR-4-12 -
StdLibDynamicMemoryAllocationUsed.ql
- RULE-21-19 -
ValuesReturnedByLocaleSettingUsedAsPtrToConst.ql
- RULE-21-20 -
CallToSetlocaleInvalidatesOldPointers.ql
,CallToSetlocaleInvalidatesOldPointersWarn.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- ENV32-C -
ExitHandlersMustReturnNormally.ql
- ENV34-C -
DoNotStorePointersReturnedByEnvFunctions.ql
,DoNotStorePointersReturnedByEnvironmentFunWarn.ql
- ERR30-C -
SetlocaleMightSetErrno.ql
,ErrnoReadBeforeReturn.ql
,FunctionCallBeforeErrnoCheck.ql
,ErrnoNotSetToZero.ql
v2.10.0
Release summary
- New queries added for the following rule packages: Concurrency5, Contracts3, Declarations3, Language1
- The following changes have been made for this release:
M0-1-9
-DeadCode.ql
:- More compiler generated statements are now excluded from being reported as dead code, including compiler generated statements for
static_assert
calls.
- More compiler generated statements are now excluded from being reported as dead code, including compiler generated statements for
A2-10-5
-IdentifierNameOfANonMemberObjectWithExternalOrInternalLinkageIsReused.ql
- Reduce false positives by excluding variable template instantiations.
M3-2-1
-DeclarationsOfAnObjectShallHaveCompatibleTypes.ql
- Reduced false positives by excluding non-object variables (for example, member variables).
- Reduced false positives by excluding variable templates and template instantiations.
- Improved the reported error message by including the conflicting type names.
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.9.4
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.9.4
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.
- Using the CodeQL CLI version
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- DIR-4-3 -
LanguageNotEncapsulatedAndIsolated.ql
- RULE-5-3 -
IdentifierHidingC.ql
- RULE-5-5 -
IdentifiersNotDistinctFromMacroNames.ql
- RULE-5-6 -
TypedefNameNotUnique.ql
- RULE-5-7 -
TagNameNotUnique.ql
- RULE-8-1 -
ExplicitlyDeclareTypes.ql
- RULE-22-8 -
ErrnoSetToZeroPriorToCall.ql
- RULE-22-9 -
ErrnoSetToZeroAfterCall.ql
- RULE-22-10 -
OnlyTestErrnoRightAfterErrnoSettingFunction.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- CON39-C -
ThreadWasPreviouslyJoinedOrDetached.ql
- CON40-C -
AtomicVariableTwiceInExpression.ql
v2.9.0
Release summary
- New queries added for the following rule packages: Concurrency4, Declarations2
- The following changes have been made for this release:
M0-1-4
-SingleUsePODVariable.ql
- This rule no longer considers compiler-generated access to a variable when determining if the variable has a single use.
A8-5-3
-AvoidAutoWithBracedInitialization.ql
:- Fix regression where
auto x{0}
was no longer detected as a braced initialization with typeauto
with the latest CodeQL versions. - No longer falsely detect cases where braced initialization was not used, but where the inferred type would be
std::initializer_list
.
- Fix regression where
A7-3-1
-DefinitionNotConsideredForUnqualifiedLookup.ql
- The locations reported for names occurring in using-declarations has improved in the latest CodeQL versions.
- Updated the CodeQL version to
2.9.4
.
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.9.4
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.9.4
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.
- Using the CodeQL CLI version
Appendix: CERT-C new queries
New queries added to cover the following rules:
- CON30-C -
CleanUpThreadSpecificStorage.ql
- CON34-C -
AppropriateThreadObjectStorageDurations.ql
,ThreadObjectStorageDurationsNotInitialized.ql
- DCL38-C -
DeclaringAFlexibleArrayMember.ql
- DCL40-C -
ExcessLengthNamesIdentifiersNotDistinct.ql
,IncompatibleObjectDeclarations.ql
,IncompatibleFunctionDeclarations.ql
- DCL41-C -
VariablesInsideSwitchStatement.ql
v2.8.0
Release summary
- New queries added for the following rule packages: Concurrency3, Contracts1, Declarations1, Expressions, IO4, Pointers2, Concurrency
- The following changes have been made for this release:
A0-1-6
: alias templates are now appropriately handled, with alias templates considered used if there exists an instantiation that is used.CON50-CPP
-DoNotAllowAMutexToGoOutOfScopeWhileLocked.ql
- Improvements to detection of mutexes shared across threads and expanded test coverage.
CON50-CPP
-DoNotDestroyAMutexWhileItIsLocked.ql
- Improvements to detection of mutexes shared across threads and expanded test coverage.
RULE-11-1
-ConversionBetweenFunctionPointerAndOtherType.ql
:- A result is now reported for an implicit conversion of a pointer to a function into a pointer to a function with an incompatible type.
- Modified the test to reflect the fixed coverage.
- Added the
autosar-single-translation-unit.qls
andcert-single-translation-unit.qls
query suites for C++.- These include a subset of queries which are suitable for running over databases including only a single translation unit.
- The initial version includes rules from the "Banned*" C++ packages. Future updates will add additional queries into this suite as they are identified as suitable.
A13-2-2
-BinaryOperatorAndBitwiseOperatorReturnAPrvalue.ql
:- Remove findings related to stream operators.
A7-1-1
-DeclarationUnmodifiedObjectMissingConstSpecifier.ql
:- Remove findings in uninstantiated Templates.
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.7.6
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.7.6
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.
- Using the CodeQL CLI version
Appendix: CERT-C++ new queries
New queries added to cover the following rules:
- CON55-CPP -
PreserveSafetyWhenUsingConditionVariables.ql
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- RULE-5-1 -
ExternalIdentifiersNotDistinct.ql
- RULE-5-4 -
MacroIdentifiersNotDistinct.ql
,MacroIdentifierNotDistinctFromParameter.ql
- RULE-21-2 -
DoNotDeclareAReservedIdentifier.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- ARR39-C -
DoNotAddOrSubtractAScaledIntegerToAPointer.ql
- CON31-C -
DoNotAllowAMutexToGoOutOfScopeWhileLocked.ql
,DoNotDestroyAMutexWhileItIsLocked.ql
- CON38-C -
PreserveSafetyWhenUsingConditionVariables.ql
- CON41-C -
WrapFunctionsThatCanFailSpuriouslyInLoop.ql
- DCL31-C -
DeclareIdentifiersBeforeUsingThem.ql
- DCL37-C -
DoNotDeclareOrDefineAReservedIdentifier.ql
- ENV30-C -
DoNotModifyTheReturnValueOfCertainFunctions.ql
- ENV31-C -
EnvPointerIsInvalidAfterCertainOperations.ql
- EXP37-C -
DoNotCallFunctionPointerWithIncompatibleType.ql
,DoNotCallFunctionsWithIncompatibleArguments.ql
,CallPOSIXOpenWithCorrectArgumentCount.ql
- EXP46-C -
DoNotUseABitwiseOperatorWithABooleanLikeOperand.ql
- FIO45-C -
ToctouRaceConditionsWhileAccessingFiles.ql
- FIO47-C -
UseValidSpecifiers.ql
,WrongNumberOfFormatArguments.ql
,WrongTypeFormatArguments.ql
v2.7.0
Release summary
- New queries added for the following rule packages: Preprocessor5
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.7.6
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.7.6
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.
- Using the CodeQL CLI version
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- RULE-20-7 -
MacroParameterNotEnclosedInParenthesesCQuery.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- MSC38-C -
DoNotTreatAPredefinedIdentifierAsObject.ql
- PRE32-C -
MacroOrFunctionArgsContainHashToken.ql
v2.6.0
Release summary
- New queries added for the following rule packages: Banned, Concurrency2, Preprocessor4
- The following changes have been made for this release:
A3-8-1
,A5-3-2
,EXP54-CPP
,STR51-CPP
- All queries for these rules are now enabled by default. They previously disabled due to performance concerns.
- Address a false positive flagged by
cpp/autosar/using-directives-used
for anonymous namespaces. A10-2-1
-NonVirtualPublicOrProtectedFunctionsRedefinedQuery
:- Fixed a typo that caused the derived class not to be displayed in the alert message
A10-3-3
-VirtualFunctionsIntroducedInFinalClassQuery
- Fixed a typo that caused the introducing class not to be displayed in the alert message
- Address a false positive flagged by
cpp/autosar/external-linkage-not-declared-in-header-file
for declarations that actually were in header files - Update the
create_release.sh
script to include query artifacts with Markdown help files M3-2-1
-DeclarationsOfAnObjectShallHaveCompatibleTypes.ql
- Use the type of the variable declaration entries instead of the variables, as variables may exist that have multiple entries with different types.
CON53-CPP
-DeadlockByLockingInPredefinedOrder.ql
- Optimized performance and expanded coverage to include cases where locking
order is not serialized
- Optimized performance and expanded coverage to include cases where locking
CON52-CPP
-PreventBitFieldAccessFromMultipleThreads.ql
- Fixed an issue with RAII-style locks and scope causing locks to not be
correctly identified.
- Fixed an issue with RAII-style locks and scope causing locks to not be
- Remove support for the anonymized pack because it is no longer necessary. The code scanning pack is superseding this pack.
- Remove support for the LGTM pack because LGTM is EOL.
M5-18-1
: Update the alert message to conform with our query style-guide.CON53-CPP
-DeadlockByLockingInPredefinedOrder.ql
- Optimized performance by removing unneeded conditionals.
CON35-C
-DeadlockByLockingInPredefinedOrder.ql
- Optimized performance by removing unneeded conditionals.
Supported versions
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.7.6
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.7.6
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.
- Using the CodeQL CLI version
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- RULE-4-12 -
StdLibDynamicMemoryAllocationUsed.ql
- RULE-7-1 -
OctalConstantsUsed.ql
- RULE-8-14 -
RestrictTypeQualifierUsed.ql
- RULE-12-3 -
CommaOperatorShouldNotBeUsed.ql
- RULE-17-1 -
FeaturesOfStdarghUsed.ql
- RULE-19-2 -
UnionKeywordShouldNotBeUsed.ql
- RULE-20-4 -
MacroDefinedWithTheSameNameAsKeyword.ql
- RULE-20-6 -
FunctionLikeMacroArgsContainHashTokenCQuery.ql
- RULE-21-1 -
DefineAndUndefUsedOnReservedIdentifierOrMacroName.ql
- RULE-21-3 -
MemoryAllocDeallocFunctionsOfStdlibhUsed.ql
- RULE-21-4 -
StandardHeaderFileUsedSetjmph.ql
- RULE-21-5 -
StandardHeaderFileUsedSignalh.ql
- RULE-21-6 -
StandardLibraryInputoutputFunctionsUsed.ql
- RULE-21-7 -
AtofAtoiAtolAndAtollOfStdlibhUsed.ql
- RULE-21-8 -
TerminationFunctionsOfStdlibhUsed.ql
,TerminationMacrosOfStdlibhUsed.ql
- RULE-21-9 -
BsearchAndQsortOfStdlibhUsed.ql
- RULE-21-10 -
StandardLibraryTimeAndDateFunctionsUsed.ql
- RULE-21-11 -
StandardHeaderFileTgmathhUsed.ql
- RULE-21-12 -
ExceptionHandlingFeaturesOfFenvhUsed.ql
- RULE-21-21 -
SystemOfStdlibhUsed.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- CON35-C -
DeadlockByLockingInPredefinedOrder.ql
- CON36-C -
WrapFunctionsThatCanSpuriouslyWakeUpInLoop.ql
- ENV33-C -
DoNotCallSystem.ql
v1.1.0 [Certified]
This release of CodeQL Coding Standards is certified as a software tool suitable for use in safety-related development projects according to ISO26262:2018 for any ASIL.
Release summary
- No new queries were added for this release
- The following changes have been made for this release:
A3-8-1
,A5-3-2
,EXP54-CPP
,STR51-CPP
- All queries for these rules are now enabled by default. They previously disabled due to performance concerns.
- Address a false positive flagged by
cpp/autosar/using-directives-used
for anonymous namespaces. A10-2-1
-NonVirtualPublicOrProtectedFunctionsRedefinedQuery
:- Fixed a typo that caused the derived class not to be displayed in the alert message
A10-3-3
-VirtualFunctionsIntroducedInFinalClassQuery
- Fixed a typo that caused the introducing class not to be displayed in the alert message
- Address a false positive flagged by
cpp/autosar/external-linkage-not-declared-in-header-file
for declarations that actually were in header files - Updated release artifacts naming convention to include the explicit tag in the filename and updated the user manual.
Supported versions
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.7.6
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.7.6
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.
- Using the CodeQL CLI version
v2.5.0
Release summary
- New queries added for the following rule packages: Concurrency1, Pointers1, Preprocessor3, Strings3, Concurrency
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.7.6
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.7.6
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.
- Using the CodeQL CLI version
Appendix: CERT-C++ new queries
New queries added to cover the following rules:
- CON52-CPP -
PreventBitFieldAccessFromMultipleThreads.ql
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- RULE-4-8 -
ObjectWithNoPointerDereferenceShouldBeOpaque.ql
- RULE-8-13 -
PointerShouldPointToConstTypeWhenPossible.ql
- RULE-11-1 -
ConversionBetweenFunctionPointerAndOtherType.ql
- RULE-11-2 -
ConversionBetweenIncompleteTypePointerAndOtherType.ql
- RULE-11-3 -
CastBetweenObjectPointerAndDifferentObjectType.ql
- RULE-11-4 -
ConversionBetweenPointerToObjectAndIntegerType.ql
- RULE-11-5 -
ConversionFromPointerToVoidIntoPointerToObject.ql
- RULE-11-6 -
CastBetweenPointerToVoidAndArithmeticType.ql
- RULE-11-7 -
CastBetweenPointerToObjectAndNonIntArithmeticType.ql
- RULE-11-8 -
CastRemovesConstOrVolatileQualification.ql
- RULE-11-9 -
MacroNullNotUsedAsIntegerNullPointerConstant.ql
- RULE-18-1 -
PointerAndDerivedPointerMustAddressSameArray.ql
- RULE-18-2 -
SubtractionBetweenPointersMustAddressSameArray.ql
- RULE-18-3 -
RelationalOperatorComparesPointerToDifferentArray.ql
- RULE-18-4 -
DoNotUseAdditionOrSubtractionOperatorsOnPointers.ql
- RULE-18-5 -
NoMoreThanTwoLevelsOfPointerNestingInDeclarations.ql
- RULE-18-6 -
AutomaticStorageObjectAddressCopiedToOtherObject.ql
- RULE-20-8 -
ControllingExpressionIfDirective.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- CON32-C -
PreventDataRacesWithMultipleThreads.ql
- CON33-C -
RaceConditionsWhenUsingLibraryFunctions.ql
- CON37-C -
DoNotCallSignalInMultithreadedProgram.ql
- STR34-C -
CastCharBeforeConvertingToLargerSizes.ql
- STR38-C -
DoNotConfuseNarrowAndWideFunctions.ql
v2.4.0
Release summary
- New queries added for the following rule packages: IO3, Preprocessor2, Strings2
- The following changes have been made for this release:
M16-3-1
-MoreThanOneOccurrenceHashOperatorInMacroDefinition.ql
:- Removes detection of more than one occurrence in non function like Macros.
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.7.6
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.7.6
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.
- Using the CodeQL CLI version
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- RULE-4-10 -
PrecautionIncludeGuardsNotProvided.ql
- RULE-20-5 -
UndefShouldNotBeUsed.ql
- RULE-20-11 -
MoreThanOneHashOperatorInMacroDefinition.ql
- RULE-20-12 -
MacroParameterUsedAsHashOperand.ql
- RULE-22-3 -
FileOpenForReadAndWriteOnDifferentStreams.ql
- RULE-22-4 -
AttemptToWriteToAReadOnlyStream.ql
- RULE-22-5 -
PointerToAFileObjectDereferenced.ql
- RULE-22-7 -
EofShallBeComparedWithUnmodifiedReturnValues.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- FIO32-C -
DoNotPerformFileOperationsOnDevices.ql
- FIO37-C -
SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql
- STR37-C -
ToCharacterHandlingFunctionsRepresentableAsUChar.ql
v2.3.0
Release summary
- New queries added for the following rule packages: Misc, SideEffects2, Strings1
- The following changes have been made for this release:
- Refactored
A26-5-1
andMSC50-CPP
to share the same query withMSC30-C
.
Supported versions
- The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
- The Code Scanning pack is supported when:
- Using the CodeQL CLI version
2.7.6
in conjunction with a copy of the CodeQL standard library for C++ (github/codeql
) set to the tagcodeql-cli/v2.7.6
. - Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220120.
- Using the CodeQL CLI version
Appendix: MISRA-C-2012 new queries
New queries added to cover the following rules:
- RULE-13-3 -
SideEffectAndCrementInFullExpression.ql
- RULE-17-8 -
ModificationOfFunctionParameter.ql
Appendix: CERT-C new queries
New queries added to cover the following rules:
- MSC30-C -
RandUsedForGeneratingPseudorandomNumbers.ql
- MSC32-C -
ProperlySeedPseudorandomNumberGenerators.ql
- MSC37-C -
ControlFlowReachesTheEndOfANonVoidFunction.ql
- STR30-C -
DoNotAttemptToModifyStringLiterals.ql
- STR31-C -
StringsHasSufficientSpaceForTheNullTerminator.ql
- STR32-C -
NonNullTerminatedToFunctionThatExpectsAString.ql