Releases: github/codeql-coding-standards

v2.54.0

27 Jan 21:58
a4b9118

Release summary

  • New queries added for the following rule packages: Linkage1, Scope
  • The following changes have been made for this release:
    • A3-1-4 - ExternalLinkageArrayWithoutExplicitSizeAutosar.ql:
      • ExternalLinkageArrayWithoutExplicitSize.ql has been renamed to ExternalLinkageArrayWithoutExplicitSizeAutosar.ql to reflect the shared query implementation. Additionally, the query previously detected external linkage only through explicit uses of extern; it now also catches other cases where an array with external linkage is declared without an explicit size.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.21.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.21.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.21.4.

Appendix: AUTOSAR new queries

New queries added to cover the following rules:

  • A3-1-4 - ExternalLinkageArrayWithoutExplicitSizeAutosar.ql

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • RULE-6-0-2 - ExternalLinkageArrayWithoutExplicitSizeMisra.ql
  • RULE-6-5-1 - ExternalLinkageNotDeclaredInHeaderFileMisra.ql

v2.53.0

24 Dec 22:08
ae7b85e

Release summary

  • New queries added for the following rule packages: Exceptions3, Preconditions4

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.20.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.20.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.20.7.

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • RULE-18-3-1 - MissingCatchAllExceptionHandlerInMain.ql
  • RULE-18-3-2 - ClassExceptionCaughtByValue.ql
  • RULE-18-4-1 - ExceptionUnfriendlyFunctionMustBeNoexcept.ql
  • RULE-22-4-1 - InvalidAssignmentToErrno.ql

v2.52.0

01 Dec 20:24
781f1ee

Release summary

  • New queries added for the following rule packages: Preconditions1, Statements
  • The following changes have been made for this release:
    • CON51-CPP - EnsureActivelyHeldLocksAreReleasedOnExceptionalConditions.ql:
      • Exclude RAII-style locks from query results, as they cannot be leaked and are the recommended way to avoid alerts for this rule.
    • M0-1-3 - UnusedLocalVariable.ql:
      • Improved performance of the unused local variable analysis by moving constant expression value extraction to a separate pass, eliminating certain expensive joins.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.20.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.20.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.20.7.

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • RULE-8-2-9 - PolymorphicClassTypeExpressionInTypeid.ql
  • RULE-9-4-2 - AppropriateStructureOfSwitchStatement.ql
  • RULE-9-5-1 - LegacyForStatementsShouldBeSimple.ql
  • RULE-9-5-2 - ForRangeInitializerAtMostOneFunctionCall.ql

v2.51.0

20 Oct 21:10
5ca3ff8

Release summary

  • New queries added for the following rule packages: Conversions2
  • The following changes have been made for this release:
    • M5-2-2 - PointerToAVirtualBaseClassCastToAPointer.ql:
      • Report casts where the from or to types are typedefs to virtual base classes or derived classes.
      • Report casts to a reference type which is a derived type.
      • Report casts where the base class is the parent of a virtual base class.
      • The alert message has been updated to refer to the virtual base class derivation.
    • RULE-1-2, RULE-23-3, RULE-23-5, RULE-23-6:
      • Results that occur in nested macro invocations are now reported in the macro that defines the contravening code, rather than the macro which is first expanded.
      • Results that occur in arguments to macro invocations are now reported at the macro invocation site, instead of the macro definition site.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.20.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.20.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.20.7.

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • RULE-8-2-1 - VirtualBaseClassCastToDerived.ql
  • RULE-8-2-2 - NoCStyleOrFunctionalCasts.ql
  • RULE-8-2-6 - IntToPointerCastProhibited.ql
  • RULE-8-2-7 - NoPointerToIntegralCast.ql
  • RULE-8-2-8 - PointerToIntegralCast.ql
  • RULE-9-2-1 - NoStandaloneTypeCastExpression.ql

v2.50.0

08 Sep 20:54
6e8a7c0

Release summary

  • New queries added for the following rule packages: BannedAPIs, Conversions
  • The following changes have been made for this release:
    • A3-9-1 - VariableWidthIntegerTypesUsed.ql:
      • This query now reports the use of non-fixed width integer types in function return types, with the exception of char types and for main functions.
    • ENV34-C, RULE-21-20, RULE-25-5-3 - DoNotStorePointersReturnedByEnvFunctions.ql, CallToSetlocaleInvalidatesOldPointers.ql, CallToSetlocaleInvalidatesOldPointersMisra.ql:
      • Fixed a misspelling of "subsequent" in the alert message.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.20.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.20.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.20.7.

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • RULE-6-9-2 - AvoidStandardIntegerTypeNames.ql
  • RULE-7-0-1 - NoConversionFromBool.ql
  • RULE-7-0-2 - NoImplicitBoolConversion.ql
  • RULE-7-0-3 - NoCharacterNumericalValue.ql
  • RULE-7-0-4 - InappropriateBitwiseOrShiftOperands.ql
  • RULE-7-0-5 - NoSignednessChangeFromPromotion.ql
  • RULE-7-0-6 - NumericAssignmentTypeMismatch.ql
  • RULE-7-11-3 - FunctionPointerConversionContext.ql
  • RULE-18-5-2 - AvoidProgramTerminatingFunctions.ql
  • RULE-21-2-2 - UnsafeStringHandlingFunctions.ql
  • RULE-21-2-3 - BannedSystemFunction.ql
  • RULE-21-10-1 - NoVariadicFunctionMacros.ql
  • RULE-21-10-2 - NoCsetjmpHeader.ql
  • RULE-23-11-1 - UseSmartPtrFactoryFunctions.ql
  • RULE-24-5-1 - CharacterHandlingFunctionRestrictions.ql
  • RULE-24-5-2 - NoMemoryFunctionsFromCString.ql
  • RULE-25-5-1 - LocaleGlobalFunctionNotAllowed.ql

v2.49.0

18 Aug 22:39
875ae94

Release summary

  • New queries added for the following rule packages: Expressions2
  • The following changes have been made for this release:
    • DCL40-C, RULE-8-4: IncompatibleFunctionDeclarations.ql, CompatibleDeclarationFunctionDefined.ql.
      • Fixed performance issues introduced when upgrading to CodeQL 2.20.7 by removing an unnecessary check that matching function declarations have matching names.
    • RULE-7-5: IncorrectlySizedIntegerConstantMacroArgument.ql.
      • Added a bindingset to improve performance when checking if a literal matches the size of an integer constant macro.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.20.7 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.20.7.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.20.7.

Appendix: CERT-C new queries

New queries added to cover the following rules:

  • EXP16-C - DoNotCompareFunctionPointersToConstantValues.ql

v2.48.0

15 Jul 19:02
ae77621

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • SIG30-C: CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql
      • Fixed a misspelling of "asynchronous" in the alert message.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

v2.47.0

16 Jun 19:38
6631d2f

Release summary

  • No new queries were added for this release
  • The following changes have been made for this release:
    • FIO39-C, FIO50-CPP, A27-0-3, RULE-30-0-2: IOFstreamMissingPositioning.ql, InterleavedInputOutputWithoutPosition.ql, InterleavedInputOutputWithoutFlush.ql, ReadsAndWritesOnStreamNotSeparatedByPositioning.ql.
      • Improved performance for codebases with large numbers of stream or file accesses.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

v2.46.0

04 Jun 14:12
d891a22

Release summary

  • No new queries were added for this release

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

v2.45.0

21 May 18:06
3b16880

Release summary

  • New queries added for the following rule packages: FloatingPoint
  • The following changes have been made for this release:
    • RULE-1-4 - EmergentLanguageFeaturesUsed.ql:
      • Allow usage of atomics, thread.h, and _Thread_local as per Misra C 2012 Amendment 4.
    • RULE-21-22, RULE-21-23 - TgMathArgumentWithInvalidEssentialType.ql, TgMathArgumentsWithDifferingStandardType.ql
      • Change type-generic macro analysis for finding macro parameters to be compatible with gcc, by ignoring early arguments inserted by gcc.
      • Change explicit conversion logic to ignore the explicit casts inserted in macro bodies by clang, which previously overruled the argument essential type.
    • RULE-13-2 - UnsequencedAtomicReads.ql:
      • Handle statement expression implementation of atomic operations in gcc.
    • RULE-21-25 - InvalidMemoryOrderArgument.ql:
      • Handle the case where the enum memory_order is declared via a typedef as an anonymous enum.
      • Rewrite how atomically sequenced operations are found; no longer look for builtins or internal functions, instead look for macros with the exact expected name and analyze the macro bodies for the memory sequence parameter.
    • RULE-9-7 - UninitializedAtomicArgument.ql:
      • Handle the gcc case where atomic_init is defined as a call to atomic_store, and take a more flexible approach to finding the initialized atomic variable.
    • DIR-4-15 - PossibleMisuseOfUndetectedInfinity.ql, PossibleMisuseOfUndetectedNaN.ql:
      • Fix issue when analyzing clang/gcc implementations of floating point classification macros, where analysis incorrectly determined that x in isinf(x) was guaranteed to be infinite at the call site itself, affecting later analysis involving x.
    • The following query suites have been added or modified for CERT C:
      • A new query suite, cert-c-default.qls, has been created to avoid confusion with the CERT C++ query suites. The cert-default.qls suite has been deprecated and will be removed in a future release; it is replaced by the cert-c-default.qls suite.
        • The cert-c-default.qls suite has been specified as the default for the pack, and will include our most up-to-date coverage for CERT C.
      • One new query suite, cert-c-recommended.qls, has been added to enable running CERT recommendations (as opposed to rules) that will be added in the future.
      • The default query suite, cert-c-default.qls, has been set to exclude CERT recommendations (as opposed to rules) that will be added in the future.
    • The following query suites have been added or modified for CERT C++:
      • A new query suite, cert-cpp-default.qls, has been created to avoid confusion with the CERT C query suites. The cert-default.qls suite has been deprecated and will be removed in a future release; it is replaced by the cert-cpp-default.qls suite.
        • The cert-cpp-default.qls suite has been specified as the default for the pack, and will include our most up-to-date coverage for CERT C.
      • A new query suite, cert-cpp-single-translation-unit.qls, has been created to avoid confusion with the CERT C query suites. The cert-single-translation-unit.qls suite has been deprecated and will be removed in a future release; it is replaced by the cert-cpp-single-translation-unit.qls suite.
    • DIR-4-15 - PossibleMisuseOfUndetectedInfinity.ql, PossibleMisuseOfUndetectedNaN.ql:
      • Add logic to suppress NaNs from the CodeQL extractor in the new restricted range analysis, which can have unexpected downstream effects.
      • Alter the behavior of floating point class guards (such as isinf, isfinite, isnan) to more correctly reflect the branches that have been guarded.
      • Query files have been moved/refactored to share logic across MISRA-C and MISRA-C++; no observable change in behavior from this is expected.
    • All CERT rules now include additional tags to represent the Risk Assessment properties specified on CERT rules.
      • In addition, new query suites are included which allow the selection of queries that represent CERT Rules (not Recommendations) for each of the Levels (1-3). These are called cert-<lang>-<level>.qls and can be used either directly in the CodeQL CLI, or via the CodeQL Action.
    • Support for MISRA C 2023 is now completed.
      • The default query suites for MISRA C now target MISRA C 2023.
      • The user manual has been updated to list MISRA C 2023 as completed.
      • The misra-c-2012-third-edition-with-amendment-2.qls query suite can be used to run the queries present in MISRA C 2012 (3rd Edition) and Amendment 2.

Supported versions

  • The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
  • The Code Scanning pack is supported when:
    • Using the CodeQL CLI version 2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tag codeql-cli/v2.19.4.
    • Using the CodeQL Action or CodeQL runner with the codeql-bundle-v2.19.4.

Appendix: MISRA-C++-2023 new queries

New queries added to cover the following rules:

  • DIR-0-3-1 - PossibleMisuseOfInfiniteFloatingPointValue.ql, PossibleMisuseOfNaNFloatingPointValue.ql