Merge branch 'main' into next

Author: jketema

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -35,7 +35,7 @@ jobs:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
           repository: github/codeql-coding-standards-release-engineering
           event-type: matrix-test
-          client-payload: '{"pr": "${{ github.event.number  }}"}'
+          client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
         if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}

README.md

@@ -9,8 +9,8 @@ _Carnegie Mellon and CERT are registered trademarks of Carnegie Mellon Universit
 This repository contains CodeQL queries and libraries which support various Coding Standards for the [C++14](https://www.iso.org/standard/64029.html) programming language.
 
 The following coding standards are supported:
-- [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems Release 20-11](https://www.autosar.org/fileadmin/standards/adaptive/20-11/AUTOSAR_RS_CPP14Guidelines.pdf)
-- [MISRA C++:2008](https://www.misra.org.uk) (support limited to the rules specified in AUTOSAR 20-11).
+- [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems (Releases R22-11, R20-11, R19-11 and R19-03)](https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_RS_CPP14Guidelines.pdf). 
+- [MISRA C++:2008](https://www.misra.org.uk) (support limited to the rules specified in AUTOSAR).
 - [SEI CERT C++ Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=494932)
 
 In addition, the following Coding Standards for the C programming language are under development:
@@ -50,3 +50,5 @@ All header files in [c/common/test/includes/standard-library](./c/common/test/in
 ---
 
 <sup>1</sup>This repository incorporates portions of the SEI CERT® Coding Standards available at https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards; however, such use does not necessarily constitute or imply an endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
+
+

c/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.18.0-dev
+version: 2.19.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT

c/cert/src/rules/ENV32-C/ExitHandlersMustReturnNormally.ql

@@ -14,14 +14,26 @@
 import cpp
 import codingstandards.c.cert
 
-class ExitFunction extends Function {
-  ExitFunction() { this.hasGlobalName(["_Exit", "exit", "quick_exit", "longjmp"]) }
+/**
+ * Exit function or macro.
+ */
+class Exit extends Locatable {
+  Exit() {
+    ["_Exit", "exit", "quick_exit", "longjmp"] = [this.(Function).getName(), this.(Macro).getName()]
+  }
 }
 
-class ExitFunctionCall extends FunctionCall {
-  ExitFunctionCall() { this.getTarget() instanceof ExitFunction }
+class ExitExpr extends Expr {
+  ExitExpr() {
+    this.(FunctionCall).getTarget() instanceof Exit
+    or
+    any(MacroInvocation m | this = m.getExpr()).getMacro() instanceof Exit
+  }
 }
 
+/**
+ * Functions that are registered as exit handlers.
+ */
 class RegisteredAtexit extends FunctionAccess {
   RegisteredAtexit() {
     exists(FunctionCall ae |
@@ -32,24 +44,26 @@ class RegisteredAtexit extends FunctionAccess {
 }
 
 /**
- * Nodes of type Function, FunctionCall or FunctionAccess that \
- * are reachable from a redistered atexit handler and
+ * Nodes of type Function, FunctionCall, FunctionAccess or ExitExpr
+ * that are reachable from a registered atexit handler and
  * can reach an exit function.
  */
 class InterestingNode extends ControlFlowNode {
   InterestingNode() {
     exists(Function f |
       (
         this = f and
-        // exit functions are not part of edges
-        not this = any(ExitFunction ec)
+        // exit is not part of edges
+        not this instanceof Exit
         or
         this.(FunctionCall).getTarget() = f
         or
         this.(FunctionAccess).getTarget() = f
+        or
+        this.(ExitExpr).getEnclosingFunction() = f
       ) and
-      // reaches an exit function
-      f.calls*(any(ExitFunction e)) and
+      // reaches an `ExitExpr`
+      f.calls*(any(ExitExpr ee).getEnclosingFunction()) and
       // is reachable from a registered atexit function
       exists(RegisteredAtexit re | re.getTarget().calls*(f))
     )
@@ -62,14 +76,12 @@ class InterestingNode extends ControlFlowNode {
  * `Function` and `FunctionCall` in their body.
  */
 query predicate edges(InterestingNode a, InterestingNode b) {
-  a.(FunctionAccess).getTarget() = b
-  or
-  a.(FunctionCall).getTarget() = b
-  or
+  a.(FunctionAccess).getTarget() = b or
+  a.(FunctionCall).getTarget() = b or
   a.(Function).calls(_, b)
 }
 
-from RegisteredAtexit hr, Function f, ExitFunctionCall e
+from RegisteredAtexit hr, Function f, ExitExpr e
 where edges(hr, f) and edges+(f, e)
 select f, hr, e, "The function is $@ and $@. It must instead terminate by returning.", hr,
   "registered as `exit handler`", e, "calls an `exit function`"

c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql

@@ -441,7 +441,7 @@ ControlFlowNode ferrorNotchecked(FileWriteFunctionCall write) {
     not isShortCircuitedEdge(mid, result) and
     result = mid.getASuccessor() and
     //Stop recursion on call to ferror on the correct file
-    not accessSameTarget(result.(FerrorCall).getArgument(0), write.getFileExpr())
+    not sameFileSource(result.(FerrorCall), write)
   )
 }
 

c/cert/src/rules/EXP43-C/DoNotPassAliasedPointerToRestrictQualifiedParam.ql

@@ -25,9 +25,26 @@ class FunctionWithRestrictParameters extends Function {
   Parameter restrictPtrParam;
 
   FunctionWithRestrictParameters() {
-    restrictPtrParam = this.getAParameter() and
     restrictPtrParam.getUnspecifiedType() instanceof PointerOrArrayType and
-    restrictPtrParam.getType().hasSpecifier("restrict")
+    (
+      restrictPtrParam.getType().hasSpecifier(["restrict"]) and
+      restrictPtrParam = this.getAParameter()
+      or
+      this.hasGlobalName(["strcpy", "strncpy", "strcat", "strncat", "memcpy"]) and
+      restrictPtrParam = this.getParameter([0, 1])
+      or
+      this.hasGlobalName(["strcpy_s", "strncpy_s", "strcat_s", "strncat_s", "memcpy_s"]) and
+      restrictPtrParam = this.getParameter([0, 2])
+      or
+      this.hasGlobalName(["strtok_s"]) and
+      restrictPtrParam = this.getAParameter()
+      or
+      this.hasGlobalName(["printf", "printf_s", "scanf", "scanf_s"]) and
+      restrictPtrParam = this.getParameter(0)
+      or
+      this.hasGlobalName(["sprintf", "sprintf_s", "snprintf", "snprintf_s"]) and
+      restrictPtrParam = this.getParameter(3)
+    )
   }
 
   Parameter getARestrictPtrParam() { result = restrictPtrParam }

c/cert/src/rules/STR32-C/NonNullTerminatedToFunctionThatExpectsAString.md

@@ -271,7 +271,7 @@ CWE-123 – STR31-C =
 
 ## Implementation notes
 
-None
+Wide character types are not handled correctly on the `aarch64le` architecture. This can lead to false negative alerts.
 
 ## References
 

c/cert/src/rules/STR38-C/DoNotConfuseNarrowAndWideFunctions.md

@@ -131,7 +131,7 @@ Search for vulnerabilities resulting from the violation of this rule on the [CER
 
 ## Implementation notes
 
-None
+Wide character types are not handled correctly on the `aarch64le` architecture. This can lead to false negative alerts.
 
 ## References
 

c/cert/src/rules/STR38-C/DoNotConfuseNarrowAndWideFunctions.ql

@@ -63,6 +63,5 @@ where
     c instanceof WideToNarrowCast and actual = "wide" and expected = "narrow"
   )
 select call,
-  "Call to function $@ with a " + actual + " character string $@ where a " + expected +
-    " character string $@ is expected.", call.getTarget(), call.getTarget().getName(), arg,
-  "argument", p, "parameter"
+  "Call to function `" + call.getTarget().getName() + "` with a " + actual +
+    " character string $@ where a " + expected + " character string is expected.", arg, "argument"

c/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.18.0-dev
+version: 2.19.0-dev
 extractor: cpp
 license: MIT
 dependencies: