codeql-coding-standards

This repository contains CodeQL queries and libraries which support various Coding Standards.

MIT License

codeql-coding-standards - v2.29.0 Latest Release

Published by github-actions[bot] 5 months ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
  • STR32-C - NonNullTerminatedToFunctionThatExpectsAString.ql:
    • Fixes #31. Realloc was not modelled previously.
  • A2-10-1, RULE-5-3 - IdentifierHiding.ql, IdentifierHidingC.ql:
    • Revert some changes previously made in PR #546 (addressing issue #118). Revert expansion to function identifiers.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

codeql-coding-standards - v2.28.0

Published by github-actions[bot] 6 months ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
  • A2-10-1, RULE-5-3 - IdentifierHiding.ql, IdentifierHidingC.ql:
    • Address FN reported in #118. Rule was missing detection of functions. Additionally omitted class template instantiations.
    • Fix FP for identifiers in nested namespaces.
  • M9-3-3 - MemberFunctionConstIfPossible.ql:
    • Fix FP reported in #381. Omit member functions that return non-const reference types.
  • A13-2-2 - BinaryOperatorAndBitwiseOperatorReturnAPrvalue.ql:
    • Replaced getIdentityString() with toString() to avoid the expensive computation of operator names for display, which was causing crashes on production code.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

codeql-coding-standards - v2.27.1

Published by github-actions[bot] 6 months ago

Release summary

  • No new queries were added for this release
  • Add precompiled queries

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

codeql-coding-standards - v2.27.0

Published by github-actions[bot] 7 months ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
  • A3-3-1 - ExternalLinkageNotDeclaredInHeaderFile.ql:
    • Adjust the alert message to comply with the style guide.
  • CTR55-CPP - DoNotUseAnAdditiveOperatorOnAnIterator.ql:
    • Address reported FP in #374. Improve logic on valid end checks and size checks on iterators.
  • RULE-6-1 - BitFieldsShallOnlyBeDeclaredWithAnAppropriateType.ql:
    • Address FP reported in #318. Add support for implementation specific bitfield types for Clang and Gcc.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

codeql-coding-standards - v2.26.0

Published by github-actions[bot] 7 months ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
  • A0-4-1 - FloatingPointImplementationShallComplyWithIeeeStandard.ql:
    • May return more results due to improvements to underlying getATypeUse.
  • A12-4-1 - DestructorOfABaseClassNotPublicVirtual.ql:
    • Fix FP reported in #392. Improve base class detection for template classes.
    • Update the alert message to prevent duplicate alerts for base classes that are both derived and abstract.
  • A12-8-6 - CopyAndMoveNotDeclaredProtected.ql:
    • Fix FP reported in #392. Improve base class detection for template classes.
    • Update the alert message to prevent duplicate alerts for base classes that are both derived and abstract.
  • A8-4-7 - InParametersForCheapToCopyTypesNotPassedByValue.ql, InParametersForCheapToCopyTypesNotPassedByReference.ql:
    • Fixes #89. Accidental floor rounding was applying to type size calculations.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

codeql-coding-standards - v2.25.0

Published by github-actions[bot] 7 months ago

Release summary

  • New queries added for the following rule packages: Declarations, OrderOfEvaluation

  • The following changes have been made for this release:
    • M8-5-2 - AggregateLiteralEnhancements.qll:
      • Recognise aggregate literals initialized with parameters from variadic templates.
    • A7-1-5 - exclude auto variables initialized with an expression of non-fundamental type. Typically this occurs when using range based for loops with arrays of non-fundamental types. For example:
      void iterate(Foo (&values)[4]) { // array passed by reference, so the range-based for loop is well-formed
         for (auto value : values) { // COMPLIANT (previously false positive)
            // ...
         }
      }
      
    • A0-1-1 - address a number of false positive issues:
      • Exclude compiler-generated variables, such as those generated for range-based for loops.
      • Exclude variables in uninstantiated templates, for which we have no precise data on uses.
      • Deviations should now be applied to the useless assignment instead of the variable itself.
    • A15-4-4: remove false positives reported on uninstantiated templates.
    • A2-10-1, RULE-5-3:
      • Reduce false positives by considering point of declaration for local variables.
      • Reduce false negatives by considering catch block parameters to be in scope in the catch block.
    • M6-5-5:
      • Reduce false positives by no longer considering the taking of a const reference as a modification.
      • Improve detection of non-local modification of loop iteration variables to reduce false positives.
    • A7-1-1 - no longer report parameters as contravening this rule. This is in line with the rule intent as described in the referenced C++ Core Guidelines rule CON.1, which states "To avoid confusion and lots of false positives, don’t enforce this rule for function parameters."
    • A2-7-3 - UndocumentedUserDefinedType.ql:
      • Excluding declarations in function scope. The rationale is that these declarations are not exposed outside the scope of the function.
    • M16-1-1 - DefinedPreProcessorOperatorGeneratedFromExpansionFound.ql:
      • Optimize query to improve performance
      • Improve detection of macros whose body contains the defined operator after the start of the macro (e.g. #define X Y || defined(Z)).
      • Enable exclusions to be applied for this rule.
    • The following queries have been updated to address issues with applying deviations:
      • A18-5-11, A23-0-1, A9-3-1, M0-1-2, M3-1-2, M3-2-1, M3-2-3, M3-9-1, M4-5-3, M5-0-2, M5-2-10, A23-0-2, CTR51-CPP, STR52-CPP
  • A3-9-1 - VariableWidthIntegerTypesUsed.ql:
    • Exclude the plain char type. Still includes signed char and unsigned char.
    • Include CV-qualified variable width integer types.
  • A3-9-1 - VariableWidthPlainCharTypeUsed.ql:
    • New query to provide fine-grained deviation support for the plain char type.
  • M5-3-3 - UnaryOperatorOverloaded.ql:
    • Exclude binary user defined operator& from this rule.
  • M5-2-10 - IncrementAndDecrementOperatorsMixedWithOtherOperatorsInExpression.ql:
    • Only report use of the increment and decrement operations in conjunction with arithmetic operators, as specified by the rule. Notably we no longer report the expressions of the form *p++, which combine increment and dereferencing operations.
  • A4-7-1 - exclude pointer increment and decrement operators from this rule.
  • A2-3-1 - cpp/autosar/invalid-character-in-string-literal:
    • Fixes #311. Exclude wide string literals and UTF-8 string literals.
  • RULE-7-3 - c/misra/lowercase-character-l-used-in-literal-suffix:
    • Exclude non integer literals. This removes a false positive triggered when analyzing C++ code containing the false literal.
  • Exceptions are no longer propagated from calls to noexcept functions, or calls to functions with dynamic exception specifications where the exception is not permitted. This is consistent with the default behaviour specified in [except.spec] which indicates that std::terminate is called. This has the following impact:
    • A15-4-2, ERR55-CPP - reduce false positives for noexcept functions which call other noexcept functions which may throw.
    • A15-2-2 - reduce false positives for constructors which call noexcept functions.
    • A15-4-5 - reduce false positives for checked exceptions that are thrown from noexcept functions called by the original function.
    • DCL57-CPP - do not report exceptions thrown from noexcept functions called by deallocation functions or destructors.
    • A15-5-1, M15-3-1 - do not report exceptions thrown from noexcept functions called by special functions.
  • M9-3-3 - MemberFunctionConstIfPossible.ql, MemberFunctionStaticIfPossible.ql:
    • Fixes #413. Exclude deleted member functions.
  • A8-4-7 - InParametersForCheapToCopyTypesNotPassedByValue.ql, InParametersForNotCheapToCopyTypesNotPassedByReference.ql:
    • Fixes #397. Exclude user defined operators and move constructors.
    • Exclude parameters for instantiated templates because the declaration location of the function does not contain enough information about the type used in the instantiation to make an actionable alert.
  • A5-0-2 - NonBooleanIfStmt.qll, NonBooleanIterationStmt.qll:
    • Exclude compiler generated conditions.
  • A13-3-1 - FunctionThatContainsForwardingReferenceAsItsArgumentOverloaded.ql:
    • Fixes #399. Exclude functions that have different number of parameters.
  • A4-7-1 - IntegerExpressionLeadToDataLoss.ql:
    • Fix #368: Incorrectly reporting /= as a cause for data loss.
  • A8-4-8 - OutParametersUsed.ql
    • Fixes #370 - Non-member user-defined assignment operator and stream insertion/extraction parameters that are required to be out parameters are excluded.
    • Broadens the definition of out parameter by considering assignment and crement operators as modifications to an out parameter candidate.
  • FIO51-CPP - CloseFilesWhenTheyAreNoLongerNeeded.ql:
    • Broadened definition of IStream and OStream types may result in reduced false negatives.
  • A5-1-1 - LiteralValueUsedOutsideTypeInit.ql:
    • Broadened definition of IStream types may result in reduced false positives because more file stream function calls may be detected as logging operations that will be excluded from the results.
  • A16-0-1 - PreProcessorShallOnlyBeUsedForCertainDirectivesPatterns.ql:
    • Exclude all preprocessor elses and also consider elifs separately (i.e. do not affect valid ifs) but not valid if not meeting the same criteria as an ifdef etc.
  • A4-5-1 - EnumUsedInArithmeticContexts.ql:
    • Address incorrect exclusion of the binary operator &.
    • Address incorrect inclusion of the unary operator &.
    • Fix FP reported in #366.
  • A7-1-2 - VariableMissingConstexpr.ql:
    • Fix FP reported in #466. Addresses incorrect assumption that calls to constexpr functions are always compile-time evaluated.
  • M9-3-3 - MemberFunctionConstIfPossible.ql:
    • Fix FP reported in #467. Excluding candidates in uninstantiated templates.
  • A7-1-1 - DeclarationUnmodifiedObjectMissingConstSpecifier.ql:
    • Fix FP reported in #372. Exclude compiler generated variables.
  • A2-10-4 - IdentifierNameOfStaticNonMemberObjectReusedInNamespace.ql:
    • Fix FP reported in #385. Addresses incorrect detection of partially specialized template variables as conflicting reuses.
  • A18-0-1 - CLibraryFacilitiesNotAccessedThroughCPPLibraryHeaders.ql:
    • Fix issue #7 - improve query logic to only match on exact standard library names (e.g., now excludes sys/header.h type headers from the results as those are not C standard libraries).
  • M7-3-6 - UsingDeclarationsUsedInHeaderFiles.ql:
    • Address FN reported in #400. Only using-declarations are exempted from class- and function-scope.
  • A15-4-4 - MissingNoExcept.ql:
    • Fix FP reported in #424. Exclude functions calling std::string::reserve or std::string::append that may throw even if their signatures don't specify it.
  • M0-1-4 - SingleUseMemberPODVariable.ql:
    • Address FP reported in #388. Include aggregate initialization as a use of a member.
    • Include indirect initialization of members. For example, casting a pointer to a buffer to a struct pointer.
    • Reformat the alert message to adhere to the style-guide.
  • M0-1-3 - UnusedMemberVariable.ql, UnusedGlobalOrNamespaceVariable.ql:
    • Address FP reported in #384. Exclude variables with compile time values that may have been used as a template argument.
    • Exclude uninstantiated template members.
    • Reformat the alert message to adhere to the style-guide.
  • A5-1-1 - LiteralValueUsedOutsideTypeInit.ql:
    • Address FP reported in #371. Exclude literals generated by uses of constexpr variables.
    • Exclude literals used in class template instantiations.
    • Update the alert message to adhere to the style-guide.
    • Exclude boolean literals used as template arguments.
    • Exclude u and U prefixed char literals.
    • Exclude literals part of a class aggregate literal.
  • A4-7-1 - IntegerExpressionLeadToDataLoss.ql:
    • Address reported FP in #396. Exclude shift operations guarded to prevent undefined behavior that could lead to data loss.
  • INT34-C - ExprShiftedbyNegativeOrGreaterPrecisionOperand.ql:
    • Format the alert message according to the style-guide.
  • A5-0-2 - NonBooleanIterationCondition.ql:
    • Address FP reported in #10. Exclude conditions in uninstantiated templates.
  • M5-3-1 - EachOperandOfTheOperatorTheLogicalAndOrTheLogicalOperatorsShallHaveTypeBool.ql:
    • Adjust the alert message to comply with the style guide.
  • M5-14-1 - RightHandOperandOfALogicalAndOperatorsContainSideEffects.ql:
    • Fix FP reported in #375. Addresses incorrect detection of side effects in unevaluated contexts.
  • A16-2-2 - UnusedIncludeDirectives.ql:
    • Address FP reported in #453. Exclude reporting of redundant include directives indirectly included by included files.
  • A8-4-7 - InParametersForNotCheapToCopyTypesNotPassedByReference.ql, InParametersForCheapToCopyTypesNotPassedByValue.ql:
    • Improve coverage of the query by additionally alerting to non-trivially-copyable types being passed by value.
    • Non-trivially-copyable types not passed by value will no longer be incorrectly reported.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

Appendix: AUTOSAR new queries

New queries added to cover the following rules:

  • A3-9-1 - VariableWidthPlainCharTypeUsed.ql
  • M5-0-2 - InsufficientUseOfParentheses.ql

codeql-coding-standards - v2.25.0

Published by github-actions[bot] 11 months ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • A7-3-1 - HiddenInheritedNonOverridableMemberFunction.ql:
      • Reduce duplication by reporting only a single location for each declaration of a problematic element.
      • Reduce duplication when reporting the hidden function by reporting only one declaration entry.
      • Improve performance by eliminating a number of bad join orders.
      • Fix false positives where the using declaration occurred after the function declaration.
      • Exclude special member functions, which cannot be inherited.
      • Exclude private member functions, which cannot be inherited.
    • M5-0-20, M5-0-21, RULE-10-1 - exclude pointer assignment operators as bitwise operators.
  • The release artifacts now include a certification kit used for ISO26262 certification.
  • M5-0-20 - BitwiseOperatorOperandsHaveDifferentUnderlyingType.ql:
    • Use the Misra definition of underlying type.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

codeql-coding-standards - v2.24.0

Published by github-actions[bot] 11 months ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • A7-3-1 - HiddenInheritedNonOverridableMemberFunction.ql:
      • Reduce duplication by reporting only a single location for each declaration of a problematic element.
      • Reduce duplication when reporting the hidden function by reporting only one declaration entry.
      • Improve performance by eliminating a number of bad join orders.
      • Fix false positives where the using declaration occurred after the function declaration.
      • Exclude special member functions, which cannot be inherited.
      • Exclude private member functions, which cannot be inherited.
    • M5-0-20, M5-0-21, RULE-10-1 - exclude pointer assignment operators as bitwise operators.
  • The release artifacts now include a certification kit used for ISO26262 certification.
  • M5-0-20 - BitwiseOperatorOperandsHaveDifferentUnderlyingType.ql:
    • Use the Misra definition of underlying type.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.14.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.14.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.14.6.

codeql-coding-standards - v2.23.0

Published by github-actions[bot] about 1 year ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
  • A0-1-3 - Considered the following additional use cases while reporting a local function as "unused".
    • The address of a function is taken
    • The operand of an expression in an unevaluated context
    • Functions marked with [[maybe_unused]]
    • Explicitly deleted functions e.g. =delete
    • Use of any overload of a function in an overload set constitutes a use of all members of the set. An overload set is a set of functions with the same name that differ in the number, type and/or qualifiers of their parameters, and, for the purpose of this query, are limited to functions which are declared in the same scope (namespace or class).

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.13.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.13.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.13.5.

codeql-coding-standards - v2.22.0

Published by github-actions[bot] about 1 year ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • FIO32-C - DoNotPerformFileOperationsOnDevices.ql:
      • The query was updated to work with the latest version of the dataflow library.
    • A5-1-3 - Only consider lambdas that have zero arguments, since any lambda with non-zero arguments will have an explicit argument list.
    • M0-1-3 - Consider constexpr variables used in template instantiations as "used".
    • A8-4-13
      • Address false positives caused by missing modelling of modifying operations for smart pointers for some standard libraries (such as libstdc++).
    • A20-8-1/MEM56-CPP
      • Address false negatives caused by lack of modelling of flow through smart pointers.
      • Reduce flow paths through standard library headers to simplify results.
    • A18-1-4
      • Address false positives caused by missing modelling of modifying operations for smart pointers for some standard libraries (such as libstdc++).
    • STR51-CPP
      • Address false negatives caused by incomplete modelling of the std::string::replace() function.
    • A15-5-1
      • Rephrase alert message for noexcept(false) special functions to clarify that this permits exceptions.
      • Additional results for implicit noexcept(true) special functions highlighting that the specification should be made explicit.
    • Updated the supported CodeQL version to 2.12.7.
    • A15-2-2 - all results now include an associated exception flow path to avoid a CodeQL CLI bug in 2.12.7. This includes results where an exception is thrown directly in the constructor.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.12.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.12.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20230418.

codeql-coding-standards - v2.21.0

Published by github-actions[bot] about 1 year ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
  • FIO32-C - DoNotPerformFileOperationsOnDevices.ql:
    • The query was rewritten to no longer depend on the DefaultTaintTracking library, which will be deprecated.
  • A7-1-5 - exclude compiler generated variables, such as those generated by for loops.
  • M8-0-1 - exclude compiler generated variables, such as those generated by for loops.
  • Updated the supported CodeQL version to 2.11.6.
  • A number of rules had the wrong query ids attached for deviation purposes. This means they could not be deviated against using the correct ID, but could be incidentally suppressed when deviating a different rule. We have fixed this behavior for the following rules:
    • RULE-11-4
    • DIR-4-12
    • RULE-21-6
    • RULE-21-9
    • MEM51-CPP

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.11.6 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.11.6.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20221211.

codeql-coding-standards - v2.20.0

Published by github-actions[bot] over 1 year ago

Release summary

  • No new queries were added for this release

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.10.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.10.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220908.

codeql-coding-standards - v2.19.0

Published by github-actions[bot] over 1 year ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • A16-0-1 - reduce unneeded results related to #pragma, as it's already reported by A16-7-1.
    • DCL51-CPP - reduce false positives related to use of __func__
    • A2-10-1 - reduce false positives for identifiers in same scope and relating to template variables
    • RULE-5-3 - reduce false positives for identifiers in same scope
    • A5-1-1 - reduce false positives by omitting literals written into file streams and wrappers around log and stream calls
    • A14-7-2 - alert messages have been slightly adjusted to refer only to the base name of a file, not the full relative path.
    • DCL56-CPP - performance has been improved for databases with complex initializers.
    • Exclude the use of __func__ from certain queries, as it is the prescribed way to return the name of the current function:
      • A27-0-4 - Use of the value returned by __func__ is no longer flagged as a use of C-style strings.
      • A18-1-1 - __func__ is no longer flagged as a declaration of a variable using C-style arrays.
    • DCL51-CPP - cpp/cert/use-of-single-underscore-reserved-prefix - remove false positives which were compiler generated, such as the function _FUN generated by the compiler for lambdas converted to function pointers.
    • Fix issues that emerged when running the test suite compiled with qcc:
      • Fix False Negatives issues
        • A1-1-1: restrict alerts to mentioned types
        • A5-2-5: get type for value_type
        • A18-1-2 A18-1-3 A18-9-1: support std inline namespaces (std::__1)
        • A23-0-1 A23-0-2: functions in std might be defined in inline namespaces
        • M0-1-4: removed test case
        • M6-5-2: equality operator alternative implementations
        • M17-0-5: longjmp might be a macro
        • CTR51-CPP CTR53-CPP ERR50-CPP ERR52-CPP STR52-CPP: fixed by library changes
        • MSC51-CPP: time can be in the global scope
        • STR51-CPP: String constructor might have 1 parameter.
      • Fix False Positives issues
        • STR53-CPP: compute initial container size for copy constructor
        • A0-4-1: numeric limits might be defined in __libcpp_numeric_limits
        • A0-4-3: the rule now only checks the last -std compilation flag
      • Fix exclusion criteria using the isExcluded() predicate
        • A2-13-3 A8-4-4

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.10.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.10.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220908.

codeql-coding-standards - v2.18.0

Published by github-actions[bot] over 1 year ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
  • A15-4-4 - MissingNoExcept.ql
    • Exclude call operators embedded in a lambda expression from functions to be declared noexcept or noexcept(false).
  • A2-7-3 - UndocumentedUserDefinedType.ql:
    • Exclude lambda functions from program elements to be documented.
  • Fix compatibility issues with the qcc compiler and standard headers:
    • RULE-21-4: longjmp can be implemented as a macro
    • ENV32-C: exit functions can be implemented as a macro
    • ERR33-C FIO34-C FIO46-C RULE-22-6: the library files ReadErrorsAndEOF.qll DoNotAccessAClosedFile.qll FileAccess.qll have been updated to support different definitions of IO related functions and macros
    • RULE-10-6: Fix output string format
    • STR37-C: add support for a different tolower/toupper macro implementation
    • EXP43-C: add explicit support for library functions that are mentioned in the rule description
    • RULE-11-1 RULE-11-2 RULE-11-5: support for a different NULL pointer definition
    • STR38-C: removed links to library internals in the output message

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.10.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.10.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220908.

codeql-coding-standards - v2.17.0

Published by github-actions[bot] over 1 year ago

Release summary

  • New queries added for the following rule packages: OutOfBounds

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.10.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.10.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220908.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-21-17 - StringFunctionPointerArgumentOutOfBounds.ql
  • RULE-21-18 - StringLibrarySizeArgumentOutOfBounds.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • ARR30-C - DoNotFormOutOfBoundsPointersOrArraySubscripts.ql
  • ARR38-C - LibraryFunctionArgumentOutOfBounds.ql

codeql-coding-standards - v2.16.0

Published by github-actions[bot] over 1 year ago

Release summary

  • New queries added for the following rule packages: Contracts7, FloatingTypes, IntegerOverflow, InvalidMemory2, Language3, Memory2, Memory3, SideEffects3, SideEffects4, SignalHandlers, StandardLibraryFunctionTypes, Statements1, Statements2, Statements3, Statements4, Statements5, Statements6, Static, Types1
  • The following changes have been made for this release:
    • Rule 20.12 - the performance of this rule has been improved.
    • The performance of the following identifier related rules has been improved:
      • MISRA C 2012 Rule 5.8
      • MISRA C 2012 Rule 8.7
    • M6-6-2: Changed formatting of the alert message.
    • M6-4-2: Changed formatting of alert message.
    • FIO42-C - CloseFilesWhenTheyAreNoLongerNeeded.ql:
      • Parentheses have been added to resolve previously missing parentheses in the where clause, which meant the exclusion mechanism only functioned for a certain subset of results.
      • The query implementation has been moved to a shared implementation.
    • M5-19-1:
      • Reduce false negatives by fixing a bug where a constant expression was immediately cast to a signed type.
    • M6-4-4 - alert message updated for clarity.
    • A4-7-1 - IntegerExpressionLeadToDataLoss.ql - reduce false positives and false negatives by:
      • Identifying additional categories of valid guard.
      • Excluding guards which were not proven to prevent overflow or underflow.
      • Expand coverage to include unary operations and arithmetic assignment operations.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.10.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.10.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220908.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • DIR-4-6 - PlainNumericalTypeUsedOverExplicitTypedef.ql
  • RULE-1-2 - LanguageExtensionsShouldNotBeUsed.ql
  • RULE-1-3 - OccurrenceOfUndefinedBehavior.ql
  • RULE-7-4 - StringLiteralAssignedToNonConstChar.ql
  • RULE-12-2 - RightHandOperandOfAShiftRange.ql
  • RULE-12-4 - ConstantUnsignedIntegerExpressionsWrapAround.ql
  • RULE-12-5 - SizeofOperatorUsedOnArrayTypeParam.ql
  • RULE-13-2 - UnsequencedSideEffects.ql
  • RULE-14-2 - ForLoopNotWellFormed.ql
  • RULE-14-3 - ControllingExprInvariant.ql
  • RULE-14-4 - NonBooleanIfCondition.ql, NonBooleanIterationCondition.ql
  • RULE-15-1 - GotoStatementUsed.ql
  • RULE-15-2 - GotoLabelLocationCondition.ql
  • RULE-15-3 - GotoLabelBlockCondition.ql
  • RULE-15-4 - LoopIterationCondition.ql
  • RULE-15-5 - FunctionReturnCondition.ql
  • RULE-15-6 - SwitchCompoundCondition.ql, LoopCompoundCondition.ql, SelectionCompoundCondition.ql
  • RULE-15-7 - IfElseEndCondition.ql
  • RULE-16-1 - SwitchCaseStartCondition.ql, SwitchStmtNotWellFormed.ql
  • RULE-16-2 - NestSwitchLabelInSwitchStatement.ql
  • RULE-16-3 - BreakShallTerminateSwitchClause.ql
  • RULE-16-4 - EverySwitchShallHaveDefaultLabel.ql
  • RULE-16-5 - DefaultNotFirstOrLastOfSwitch.ql
  • RULE-16-6 - SwitchClauseNumberCondition.ql
  • RULE-16-7 - SwitchExpressionBoolCondition.ql
  • RULE-17-2 - RecursiveFunctionCondition.ql
  • RULE-17-4 - NonVoidFunctionReturnCondition.ql
  • RULE-17-6 - UseOfArrayStatic.ql
  • RULE-19-1 - ObjectAssignedToAnOverlappingObject.ql, ObjectCopiedToAnOverlappingObject.ql
  • RULE-21-13 - CtypeFunctionArgNotUnsignedCharOrEof.ql
  • RULE-21-15 - MemcpyMemmoveMemcmpArgNotPointersToCompatibleTypes.ql
  • RULE-22-1 - FreeMemoryWhenNoLongerNeededMisra.ql, CloseFileHandleWhenNoLongerNeededMisra.ql
  • RULE-22-2 - OnlyFreeMemoryAllocatedDynamicallyMisra.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • ARR32-C - VariableLengthArraySizeNotInValidRange.ql
  • ARR36-C - DoNotSubtractPointersThatDoNotReferToTheSameArray.ql, DoNotRelatePointersThatDoNotReferToTheSameArray.ql
  • ARR37-C - DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql
  • EXP35-C - DoNotModifyObjectsWithTemporaryLifetime.ql
  • EXP42-C - DoNotComparePaddingData.ql
  • FLP30-C - FloatingPointLoopCounters.ql
  • FLP32-C - UncheckedRangeDomainPoleErrors.ql
  • FLP34-C - UncheckedFloatingPointConversion.ql
  • FLP36-C - IntToFloatPreservePrecision.ql
  • FLP37-C - MemcmpUsedToCompareFloats.ql
  • INT30-C - UnsignedIntegerOperationsWrapAround.ql
  • INT31-C - IntegerConversionCausesDataLoss.ql
  • INT32-C - SignedIntegerOverflow.ql
  • INT33-C - DivOrRemByZero.ql
  • INT34-C - ExprShiftedbyNegativeOrGreaterPrecisionOperand.ql
  • INT35-C - UseCorrectIntegerPrecisions.ql
  • INT36-C - ConvertingAPointerToIntegerOrIntegerToPointer.ql
  • MEM31-C - FreeMemoryWhenNoLongerNeededCert.ql
  • MEM33-C - AllocStructsWithAFlexibleArrayMemberDynamically.ql, CopyStructsWithAFlexibleArrayMemberDynamically.ql
  • MEM34-C - OnlyFreeMemoryAllocatedDynamicallyCert.ql
  • MEM35-C - InsufficientMemoryAllocatedForObject.ql
  • MEM36-C - DoNotModifyAlignmentOfMemoryWithRealloc.ql
  • MSC33-C - DoNotPassInvalidDataToTheAsctimeFunction.ql
  • MSC39-C - DoNotCallVaArgOnAVaListThatHasAnIndeterminateValue.ql
  • PRE31-C - SideEffectsInArgumentsToUnsafeMacros.ql
  • SIG30-C - CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql
  • SIG31-C - DoNotAccessSharedObjectsInSignalHandlers.ql
  • SIG34-C - DoNotCallSignalFromInterruptibleSignalHandlers.ql
  • SIG35-C - DoNotReturnFromAComputationalExceptionHandler.ql
codeql-coding-standards - v2.15.1

Published by github-actions[bot] over 1 year ago

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • The performance of the following queries related to essential types has been improved:
      • Rule 10.1
      • Rule 10.2
      • Rule 10.3
      • Rule 10.4
      • Rule 10.5
      • Rule 10.6
      • Rule 10.7
      • Rule 10.8
      • Rule 14.1
      • Rule 21.14
      • Rule 21.16

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.10.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.10.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220908.
codeql-coding-standards - v2.15.0

Published by github-actions[bot] over 1 year ago

Release summary

  • New queries added for the following rule packages: EssentialTypes, Memory1
  • The following changes have been made for this release:
  • A13-5-2 - address a false positive where lambda expressions with empty captures were being flagged as having a non-compliant conversion operator.
  • A0-1-2
    • Addressed false positives where the return values are cast to void in C-style or assigned to std::ignore.
  • A0-1-4
    • Addressed false positives where the parameters are marked with attribute [[maybe_unused]], or either cast to void in C-style or assigned to std::ignore in the function body.
  • RULE-8-4 - CompatibleDeclarationObjectDefined.ql
    • Update rule implementation based on changes in the CodeQL libraries.
  • Updated the CodeQL version to 2.10.5.
  • A2-10-4 - IdentifierNameOfStaticFunctionReusedInNamespace.ql:
    • Reuse of an identifier name of a static function in a namespace is now detected.
  • A2-10-4 - IdentifierNameOfStaticNonMemberObjectReusedInNamespace.ql:
    • Reuse of an identifier name of a static non-member object in a namespace is now detected.
  • A2-10-5 - IdentifierNameOfStaticNonMemberObjectWithExternalOrInternalLinkageIsReused.ql:
    • Reuse of an identifier name of a static non-member object with internal linkage in a namespace is now detected.
  • A5-2-2
    • CStyleCasts.ql - exclude template parameters to avoid false positives when using the "functional notation" syntax. In addition, provide a fuller explanation of the limitations of this query.
  • Improved alert message to avoid reporting locations in standard header files, which cannot be viewed in Code Scanning, in the following queries:
    • Rule 21.4
    • Rule 21.5
    • Rule 21.6
    • Rule 21.7
    • Rule 21.8
    • Rule 21.9
    • Rule 21.10
    • Rule 21.11
    • Rule 21.12
    • Rule 21.21
  • A13-2-2 - BinaryOperatorAndBitwiseOperatorReturnAPrvalue.ql
    • The formatting of the query output message has been changed and operators are now displayed starting with the return type instead of ending with it.
  • CON41-C: Refactored to address compiler compatibility issues. More accurate modeling of cases where macros are modeled against other macros such as atomic_compare_exchange_weak and atomic_store.
  • CON40-C: Refactored to address compiler compatibility issues. More accurate modeling of cases where macros are modeled against other macros such as atomic_compare_exchange_weak and atomic_store.
  • STR37-C - reduce false negatives by improving detection when the <ctype> functions are implemented using macros.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.10.5 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.10.5.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220908.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-9-2 - InitializerForAggregateOrUnionNotEnclosedInBraces.ql
  • RULE-9-3 - PartiallyInitializedArrayWithExplicitInitializers.ql
  • RULE-9-4 - RepeatedInitializationOfAggregateObjectElement.ql
  • RULE-10-1 - OperandsOfAnInappropriateEssentialType.ql, PointerTypeOnLogicalOperator.ql
  • RULE-10-2 - AdditionSubtractionOnEssentiallyCharType.ql
  • RULE-10-3 - AssignmentOfIncompatibleEssentialType.ql
  • RULE-10-4 - OperandsWithMismatchedEssentialTypeCategory.ql
  • RULE-10-5 - InappropriateEssentialTypeCast.ql
  • RULE-10-6 - AssignmentToWiderEssentialType.ql
  • RULE-10-7 - ImplicitConversionOfCompositeExpression.ql
  • RULE-10-8 - InappropriateCastOfCompositeExpression.ql
  • RULE-14-1 - LoopOverEssentiallyFloatType.ql
  • RULE-21-14 - MemcmpUsedToCompareNullTerminatedStrings.ql
  • RULE-21-16 - MemcmpOnInappropriateEssentialTypeArgs.ql
codeql-coding-standards - v2.14.0

Published by github-actions[bot] over 1 year ago

Release summary

  • New queries added for the following rule packages: BitfieldTypes, Contracts6, Declarations7, Declarations8, InvalidMemory1, Pointers3
  • The following changes have been made for this release:
    • RULE-11-7 - CastBetweenPointerToObjectAndNonIntArithmeticType.ql
      • Corrected the query output message to describe a cast involving a pointer to an object rather than a void pointer.
    • A1-1-2: Refactored this test case to support better cross-compiler testing.
    • A1-1-3: Added support for alternate spelling of compiler flag.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.9.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.9.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-6-1 - BitFieldsShallOnlyBeDeclaredWithAnAppropriateType.ql
  • RULE-6-2 - SingleBitNamedBitFieldsOfASignedType.ql
  • RULE-8-12 - ValueImplicitEnumerationConstantNotUnique.ql
  • RULE-9-1 - ObjectWithAutoStorageDurationReadBeforeInit.ql
  • RULE-17-5 - ArrayFunctionArgumentNumberOfElements.ql
  • RULE-17-7 - ValueReturnedByAFunctionNotUsed.ql
  • RULE-18-8 - VariableLengthArrayTypesUsed.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • DCL30-C - AppropriateStorageDurationsStackAdressEscape.ql, AppropriateStorageDurationsFunctionReturn.ql
  • DCL39-C - InformationLeakageAcrossTrustBoundariesC.ql
  • EXP32-C - DoNotAccessVolatileObjectWithNonVolatileReference.ql
  • EXP33-C - DoNotReadUninitializedMemory.ql
  • EXP34-C - DoNotDereferenceNullPointers.ql
  • EXP36-C - DoNotCastPointerToMoreStrictlyAlignedPointerType.ql
  • EXP39-C - DoNotAccessVariableViaPointerOfIncompatibleType.ql
  • EXP40-C - DoNotModifyConstantObjects.ql
  • EXP43-C - DoNotPassAliasedPointerToRestrictQualifiedParam.ql, RestrictPointerReferencesOverlappingObject.ql
  • MEM30-C - DoNotAccessFreedMemory.ql

codeql-coding-standards - v2.13.0

Published by github-actions[bot] almost 2 years ago

Release summary

  • New queries added for the following rule packages: Contracts5, DeadCode, Declarations4, Declarations5, Declarations6
  • The following changes have been made for this release:
    • M0-1-9: This query previously excluded all results which were affected by a macro expansion. This is because a macro may be expanded multiple times with code that is dead in one expansion but live in another. This query has been modified to exclude results only where the entirety of a statement is generated by a macro. This reduces false negatives where the statement's liveness is not affected by the macro expansion.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.9.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.9.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-20220615.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

  • RULE-2-1 - UnreachableCode.ql
  • RULE-2-2 - DeadCode.ql
  • RULE-2-3 - UnusedTypeDeclarations.ql
  • RULE-2-4 - UnusedTagDeclaration.ql
  • RULE-2-5 - UnusedMacroDeclaration.ql
  • RULE-2-6 - UnusedLabelDeclaration.ql
  • RULE-2-7 - UnusedParameter.ql
  • RULE-5-2 - IdentifiersDeclaredInTheSameScopeNotDistinct.ql
  • RULE-5-8 - IdentifiersWithExternalLinkageNotUnique.ql
  • RULE-5-9 - IdentifiersWithInternalLinkageNotUnique.ql
  • RULE-8-2 - FunctionTypesNotInPrototypeForm.ql
  • RULE-8-3 - DeclarationsOfAnObjectSameNameAndType.ql, DeclarationsOfAFunctionSameNameAndType.ql
  • RULE-8-4 - CompatibleDeclarationObjectDefined.ql, CompatibleDeclarationFunctionDefined.ql
  • RULE-8-5 - ExternalObjectOrFunctionNotDeclaredInOneFile.ql
  • RULE-8-6 - IdentifierWithExternalLinkageOneDefinition.ql
  • RULE-8-7 - ShouldNotBeDefinedWithExternalLinkage.ql
  • RULE-8-8 - MissingStaticSpecifierFunctionRedeclarationC.ql, MissingStaticSpecifierObjectRedeclarationC.ql
  • RULE-8-9 - UnnecessaryExposedIdentifierDeclarationC.ql
  • RULE-8-10 - InlineFunctionNotDeclaredStaticStorage.ql
  • RULE-8-11 - ArrayExternalLinkageSizeExplicitlySpecified.ql
  • RULE-17-3 - FunctionDeclaredImplicitly.ql
  • RULE-18-7 - FlexibleArrayMembersDeclared.ql

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • ERR32-C - DoNotRelyOnIndeterminateValuesOfErrno.ql
  • ERR33-C - DetectAndHandleStandardLibraryErrors.ql