Merge branch 'main' into typo-script-help-message

Author: lcartey

.github/workflows/code-scanning-pack-gen.yml

@@ -8,7 +8,6 @@ on:
       - main
       - next
       - "rc/**"
-
   push:
     branches:
       - main
@@ -98,15 +97,36 @@ jobs:
           CODEQL_HOME: ${{ github.workspace }}/codeql_home
         run: |
           PATH=$PATH:$CODEQL_HOME/codeql
-
-          codeql query compile --precompile --threads 0 cpp
-          codeql query compile --precompile --threads 0 c
+          # Precompile all queries, and use a compilation cache larger than default
+          # to ensure we cache all the queries for later steps
+          codeql query compile --precompile --threads 0 --compilation-cache-size=1024 cpp c
 
           cd ..
           zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/schemas
 
       - name: Upload GHAS Query Pack
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: code-scanning-cpp-query-pack.zip
           path: code-scanning-cpp-query-pack.zip
+
+      - name: Create qlpack bundles
+        env:
+          CODEQL_HOME: ${{ github.workspace }}/codeql_home
+        run: |
+          PATH=$PATH:$CODEQL_HOME/codeql
+
+          codeql pack bundle --output=common-cpp-coding-standards.tgz cpp/common/src
+          codeql pack bundle --output=common-c-coding-standards.tgz c/common/src
+          codeql pack bundle --output=misra-c-coding-standards.tgz c/misra/src
+          codeql pack bundle --output=cert-c-coding-standards.tgz c/cert/src
+          codeql pack bundle --output=cert-cpp-coding-standards.tgz cpp/cert/src
+          codeql pack bundle --output=autosar-cpp-coding-standards.tgz cpp/autosar/src
+          codeql pack bundle --output=misra-cpp-coding-standards.tgz cpp/misra/src
+          codeql pack bundle --output=report-coding-standards.tgz cpp/report/src
+
+      - name: Upload qlpack bundles
+        uses: actions/upload-artifact@v4
+        with:
+          name: coding-standards-codeql-packs
+          path: '*-coding-standards.tgz'

apply-configuration/action.yml

@@ -0,0 +1,24 @@
+name: Applies Coding Standard configuration files in the repository
+description: |
+  Installs Python and indexes the CodeQL Coding Standard configuration files in the repository
+
+runs:
+  using: composite
+  steps:
+    - name: Install Python
+      id: cs-install-python
+      uses: actions/setup-python@v5
+      with:
+        python-version: 3.9
+        update-environment: false
+    - name: Install dependencies and process files
+      shell: bash
+      run: |
+        install_dir=$(dirname $(dirname "${{ steps.cs-install-python.outputs.python-path }}"))
+        if [[ -z "$LD_LIBRARY_PATH" ]]; then
+          export LD_LIBRARY_PATH="$install_dir/lib"
+        else
+          export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$install_dir/lib"
+        fi
+        ${{ steps.cs-install-python.outputs.python-path }} -m pip install -r ${GITHUB_ACTION_PATH}/../scripts/configuration/requirements.txt
+        ${{ steps.cs-install-python.outputs.python-path }} ${GITHUB_ACTION_PATH}/../scripts/configuration/process_coding_standards_config.py

c/cert/src/codeql-pack.lock.yml

@@ -2,17 +2,17 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 0.12.2
+    version: 0.12.9
   codeql/dataflow:
-    version: 0.1.5
+    version: 0.2.3
   codeql/rangeanalysis:
-    version: 0.0.4
+    version: 0.0.11
   codeql/ssa:
-    version: 0.2.5
+    version: 0.2.12
   codeql/tutorial:
-    version: 0.2.5
+    version: 0.2.12
   codeql/typetracking:
-    version: 0.2.5
+    version: 0.2.12
   codeql/util:
-    version: 0.2.5
+    version: 0.2.12
 compiled: false

c/cert/src/qlpack.yml

@@ -1,8 +1,8 @@
 name: codeql/cert-c-coding-standards
-version: 2.36.0-dev
+version: 2.38.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT
 dependencies:
   codeql/common-c-coding-standards: '*'
-  codeql/cpp-all: 0.12.2
+  codeql/cpp-all: 0.12.9

c/cert/src/rules/DCL40-C/IncompatibleFunctionDeclarations.ql

@@ -16,30 +16,32 @@
 
 import cpp
 import codingstandards.c.cert
+import codingstandards.cpp.Compatible
 import ExternalIdentifiers
 
-//checks if they are incompatible based on return type, number of parameters and parameter types
-predicate checkMatchingFunction(FunctionDeclarationEntry d, FunctionDeclarationEntry d2) {
-  not d.getType() = d2.getType()
-  or
-  not d.getNumberOfParameters() = d2.getNumberOfParameters()
-  or
-  exists(ParameterDeclarationEntry p, ParameterDeclarationEntry p2, int i |
-    d.getParameterDeclarationEntry(i) = p and
-    d2.getParameterDeclarationEntry(i) = p2 and
-    not p.getType() = p2.getType()
-  )
-}
-
 from ExternalIdentifiers d, FunctionDeclarationEntry f1, FunctionDeclarationEntry f2
 where
   not isExcluded(f1, Declarations2Package::incompatibleFunctionDeclarationsQuery()) and
   not isExcluded(f2, Declarations2Package::incompatibleFunctionDeclarationsQuery()) and
-  f1 = d.getADeclarationEntry() and
-  f2 = d.getADeclarationEntry() and
   not f1 = f2 and
-  f1.getLocation().getStartLine() >= f2.getLocation().getStartLine() and
+  f1.getDeclaration() = d and
+  f2.getDeclaration() = d and
   f1.getName() = f2.getName() and
-  checkMatchingFunction(f1, f2)
+  (
+    //return type check
+    not typesCompatible(f1.getType(), f2.getType())
+    or
+    //parameter type check
+    parameterTypesIncompatible(f1, f2)
+    or
+    not f1.getNumberOfParameters() = f2.getNumberOfParameters()
+  ) and
+  // Apply ordering on start line, trying to avoid the optimiser applying this join too early
+  // in the pipeline
+  exists(int f1Line, int f2Line |
+    f1.getLocation().hasLocationInfo(_, f1Line, _, _, _) and
+    f2.getLocation().hasLocationInfo(_, f2Line, _, _, _) and
+    f1Line >= f2Line
+  )
 select f1, "The object $@ is not compatible with re-declaration $@", f1, f1.getName(), f2,
   f2.getName()

c/cert/src/rules/MSC39-C/DoNotCallVaArgOnAVaListThatHasAnIndeterminateValue.ql

@@ -71,12 +71,19 @@ predicate sameSource(VaAccess e1, VaAccess e2) {
   )
 }
 
+/**
+ * Extracted to avoid poor magic join ordering on the `isExcluded` predicate.
+ */
+predicate query(VaAccess va_acc, VaArgArg va_arg, FunctionCall fc) {
+  sameSource(va_acc, va_arg) and
+  fc = preceedsFC(va_acc) and
+  fc.getTarget().calls*(va_arg.getEnclosingFunction())
+}
+
 from VaAccess va_acc, VaArgArg va_arg, FunctionCall fc
 where
   not isExcluded(va_acc,
     Contracts7Package::doNotCallVaArgOnAVaListThatHasAnIndeterminateValueQuery()) and
-  sameSource(va_acc, va_arg) and
-  fc = preceedsFC(va_acc) and
-  fc.getTarget().calls*(va_arg.getEnclosingFunction())
+  query(va_acc, va_arg, fc)
 select va_acc, "The value of " + va_acc.toString() + " is indeterminate after the $@.", fc,
   fc.toString()

c/cert/test/codeql-pack.lock.yml

@@ -2,17 +2,17 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 0.12.2
+    version: 0.12.9
   codeql/dataflow:
-    version: 0.1.5
+    version: 0.2.3
   codeql/rangeanalysis:
-    version: 0.0.4
+    version: 0.0.11
   codeql/ssa:
-    version: 0.2.5
+    version: 0.2.12
   codeql/tutorial:
-    version: 0.2.5
+    version: 0.2.12
   codeql/typetracking:
-    version: 0.2.5
+    version: 0.2.12
   codeql/util:
-    version: 0.2.5
+    version: 0.2.12
 compiled: false

c/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.36.0-dev
+version: 2.38.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/cert/test/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.expected

@@ -1,13 +1,13 @@
 edges
-| test.c:14:38:14:39 | p1 | test.c:18:10:18:11 | v1 |
-| test.c:14:38:14:39 | p1 | test.c:19:10:19:11 | v2 |
-| test.c:14:38:14:39 | p1 | test.c:20:10:20:11 | p1 |
-| test.c:14:38:14:39 | p1 | test.c:21:10:21:11 | p1 |
-| test.c:14:38:14:39 | p1 | test.c:22:9:22:10 | p1 |
-| test.c:14:38:14:39 | p1 | test.c:23:13:23:14 | p1 |
-| test.c:14:38:14:39 | p1 | test.c:24:9:24:10 | p1 |
-| test.c:14:38:14:39 | p1 | test.c:25:9:25:10 | p1 |
-| test.c:51:30:51:38 | & ... | test.c:14:38:14:39 | p1 |
+| test.c:14:38:14:39 | p1 | test.c:18:10:18:11 | v1 | provenance |  |
+| test.c:14:38:14:39 | p1 | test.c:19:10:19:11 | v2 | provenance |  |
+| test.c:14:38:14:39 | p1 | test.c:20:10:20:11 | p1 | provenance |  |
+| test.c:14:38:14:39 | p1 | test.c:21:10:21:11 | p1 | provenance |  |
+| test.c:14:38:14:39 | p1 | test.c:22:9:22:10 | p1 | provenance |  |
+| test.c:14:38:14:39 | p1 | test.c:23:13:23:14 | p1 | provenance |  |
+| test.c:14:38:14:39 | p1 | test.c:24:9:24:10 | p1 | provenance |  |
+| test.c:14:38:14:39 | p1 | test.c:25:9:25:10 | p1 | provenance |  |
+| test.c:51:30:51:38 | & ... | test.c:14:38:14:39 | p1 | provenance |  |
 nodes
 | test.c:14:38:14:39 | p1 | semmle.label | p1 |
 | test.c:18:10:18:11 | v1 | semmle.label | v1 |

c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected

@@ -1,9 +1,9 @@
 edges
-| test.c:7:13:7:14 | p1 | test.c:9:9:9:10 | p1 |
-| test.c:16:19:16:41 | ... - ... | test.c:18:26:18:31 | offset |
-| test.c:16:19:16:41 | ... - ... | test.c:29:6:29:11 | offset |
-| test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size |
-| test.c:29:6:29:11 | offset | test.c:7:13:7:14 | p1 |
+| test.c:7:13:7:14 | p1 | test.c:9:9:9:10 | p1 | provenance |  |
+| test.c:16:19:16:41 | ... - ... | test.c:18:26:18:31 | offset | provenance |  |
+| test.c:16:19:16:41 | ... - ... | test.c:29:6:29:11 | offset | provenance |  |
+| test.c:17:17:17:26 | sizeof(<expr>) | test.c:23:9:23:12 | size | provenance |  |
+| test.c:29:6:29:11 | offset | test.c:7:13:7:14 | p1 | provenance |  |
 nodes
 | test.c:7:13:7:14 | p1 | semmle.label | p1 |
 | test.c:9:9:9:10 | p1 | semmle.label | p1 |