Merge branch 'main' into dependabot/pip/scripts/gitpython-3.1.35

Author: lcartey

.github/workflows/upgrade_codeql_dependencies.yml

@@ -12,7 +12,7 @@ env:
   XARGS_MAX_PROCS: 4
 
 jobs:
-  say_hello:
+  upgrade_codeql_dependencies:
     env:
       CODEQL_CLI_VERSION: ${{ github.event.inputs.codeql_cli_version }}
     runs-on: ubuntu-22.04
@@ -33,26 +33,29 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
           CODEQL_CLI_VERSION: ${{ github.event.inputs.codeql_cli_version }}
         run: |
-          scripts/upgrade-codeql-dependencies/upgrade_codeql_dependencies.py --cli-version "$CODEQL_CLI_VERSION"
+          python3 scripts/upgrade-codeql-dependencies/upgrade-codeql-dependencies.py --cli-version "$CODEQL_CLI_VERSION"
 
       - name: Fetch CodeQL
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          RUNNER_TEMP: ${{ runner.temp }}
         run: |
+          cd $RUNNER_TEMP
           gh release download "v${CODEQL_CLI_VERSION}" --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip
           unzip -q codeql-linux64.zip
 
       - name: Update CodeQL formatting based on new CLI version
+        env:
+          RUNNER_TEMP: ${{ runner.temp }}
         run: |
-          find cpp -name '*.ql' -or -name '*.qll' | xargs --max-procs "$XARGS_MAX_PROCS" --max-args 1 codeql/codeql query format --in-place
-          find c -name '*.ql' -or -name '*.qll' | xargs --max-procs "$XARGS_MAX_PROCS" --max-args 1 codeql/codeql query format --in-place
+          find cpp \( -name '*.ql' -or -name '*.qll' \) -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" $RUNNER_TEMP/codeql/codeql query format --in-place
+          find c \( -name '*.ql' -or -name '*.qll' \) -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" $RUNNER_TEMP/codeql/codeql query format --in-place
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v3
         with:
-          title: "Upgrading `github/codeql` dependency to ${{ github.event.inputs.codeql_standard_library_commit }}"
-          body: "This PR upgrades the CodeQL CLI version to ${{ github.event.inputs.codeql_cli_version }} and the `github/codeql` version to ${{ github.event.inputs.codeql_standard_library_commit }}."
-          commit-message: "Upgrading `github/codeql` dependency to ${{ github.event.inputs.codeql_standard_library_commit }}"
-          team-reviewers: github/codeql-coding-standards
+          title: "Upgrading `github/codeql` dependency to ${{ github.event.inputs.codeql_cli_version }}"
+          body: "This PR upgrades the CodeQL CLI version to ${{ github.event.inputs.codeql_cli_version }}."
+          commit-message: "Upgrading `github/codeql` dependency to ${{ github.event.inputs.codeql_cli_version }}"
           delete-branch: true
           branch: "codeql/upgrade-to-${{ github.event.inputs.codeql_cli_version }}"

c/cert/src/codeql-pack.lock.yml

@@ -2,9 +2,11 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 0.6.1
+    version: 0.7.4
   codeql/ssa:
-    version: 0.0.14
+    version: 0.0.19
   codeql/tutorial:
-    version: 0.0.7
+    version: 0.0.12
+  codeql/util:
+    version: 0.0.12
 compiled: false

c/cert/src/qlpack.yml

@@ -5,4 +5,4 @@ suites: codeql-suites
 license: MIT
 dependencies:
   codeql/common-c-coding-standards: '*'
-  codeql/cpp-all: 0.6.1
+  codeql/cpp-all: 0.7.4

c/cert/src/rules/ARR30-C/DoNotFormOutOfBoundsPointersOrArraySubscripts.ql

@@ -12,41 +12,42 @@
  *       external/cert/obligation/rule
  */
 
- import cpp
- import codingstandards.c.cert
- import codingstandards.c.OutOfBounds
- 
- from
-   OOB::BufferAccess ba, Expr bufferArg, Expr sizeArg, OOB::PointerToObjectSource bufferSource,
-   string message
- where
-   not isExcluded(ba, OutOfBoundsPackage::doNotFormOutOfBoundsPointersOrArraySubscriptsQuery()) and
-   // exclude loops
-   not exists(Loop loop | loop.getStmt().getChildStmt*() = ba.getEnclosingStmt()) and
-   // exclude size arguments that are of type ssize_t
-   not sizeArg.getAChild*().(VariableAccess).getTarget().getType() instanceof Ssize_t and
-   // exclude size arguments that are assigned the result of a function call e.g. ftell
-   not sizeArg.getAChild*().(VariableAccess).getTarget().getAnAssignedValue() instanceof FunctionCall and
-   // exclude field or array accesses for the size arguments
-   not sizeArg.getAChild*() instanceof FieldAccess and
-   not sizeArg.getAChild*() instanceof ArrayExpr and
-   (
-     exists(int sizeArgValue, int bufferArgSize |
-      OOB::isSizeArgGreaterThanBufferSize(bufferArg, sizeArg, bufferSource, bufferArgSize, sizeArgValue, ba) and
-       message =
-         "Buffer accesses offset " + sizeArgValue + 
-         " which is greater than the fixed size " + bufferArgSize + " of the $@."
-     )
-     or
-     exists(int sizeArgUpperBound, int sizeMult, int bufferArgSize |
-       OOB::isSizeArgNotCheckedLessThanFixedBufferSize(bufferArg, sizeArg, bufferSource,
-         bufferArgSize, ba, sizeArgUpperBound, sizeMult) and
-       message =
-         "Buffer may access up to offset " + sizeArgUpperBound + "*" + sizeMult +
-           " which is greater than the fixed size " + bufferArgSize + " of the $@."
-     )
-     or
-     OOB::isSizeArgNotCheckedGreaterThanZero(bufferArg, sizeArg, bufferSource, ba) and
-     message = "Buffer access may be to a negative index in the buffer."
-   )
- select ba, message, bufferSource, "buffer"
+import cpp
+import codingstandards.c.cert
+import codingstandards.c.OutOfBounds
+
+from
+  OOB::BufferAccess ba, Expr bufferArg, Expr sizeArg, OOB::PointerToObjectSource bufferSource,
+  string message
+where
+  not isExcluded(ba, OutOfBoundsPackage::doNotFormOutOfBoundsPointersOrArraySubscriptsQuery()) and
+  // exclude loops
+  not exists(Loop loop | loop.getStmt().getChildStmt*() = ba.getEnclosingStmt()) and
+  // exclude size arguments that are of type ssize_t
+  not sizeArg.getAChild*().(VariableAccess).getTarget().getType() instanceof Ssize_t and
+  // exclude size arguments that are assigned the result of a function call e.g. ftell
+  not sizeArg.getAChild*().(VariableAccess).getTarget().getAnAssignedValue() instanceof FunctionCall and
+  // exclude field or array accesses for the size arguments
+  not sizeArg.getAChild*() instanceof FieldAccess and
+  not sizeArg.getAChild*() instanceof ArrayExpr and
+  (
+    exists(int sizeArgValue, int bufferArgSize |
+      OOB::isSizeArgGreaterThanBufferSize(bufferArg, sizeArg, bufferSource, bufferArgSize,
+        sizeArgValue, ba) and
+      message =
+        "Buffer accesses offset " + sizeArgValue + " which is greater than the fixed size " +
+          bufferArgSize + " of the $@."
+    )
+    or
+    exists(int sizeArgUpperBound, int sizeMult, int bufferArgSize |
+      OOB::isSizeArgNotCheckedLessThanFixedBufferSize(bufferArg, sizeArg, bufferSource,
+        bufferArgSize, ba, sizeArgUpperBound, sizeMult) and
+      message =
+        "Buffer may access up to offset " + sizeArgUpperBound + "*" + sizeMult +
+          " which is greater than the fixed size " + bufferArgSize + " of the $@."
+    )
+    or
+    OOB::isSizeArgNotCheckedGreaterThanZero(bufferArg, sizeArg, bufferSource, ba) and
+    message = "Buffer access may be to a negative index in the buffer."
+  )
+select ba, message, bufferSource, "buffer"

c/cert/src/rules/ARR36-C/DoNotRelatePointersThatDoNotReferToTheSameArray.ql

@@ -15,7 +15,8 @@ import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.rules.donotuserelationaloperatorswithdifferingarrays.DoNotUseRelationalOperatorsWithDifferingArrays
 
-class DoNotRelatePointersThatDoNotReferToTheSameArrayQuery extends DoNotUseRelationalOperatorsWithDifferingArraysSharedQuery {
+class DoNotRelatePointersThatDoNotReferToTheSameArrayQuery extends DoNotUseRelationalOperatorsWithDifferingArraysSharedQuery
+{
   DoNotRelatePointersThatDoNotReferToTheSameArrayQuery() {
     this = Memory2Package::doNotRelatePointersThatDoNotReferToTheSameArrayQuery()
   }

c/cert/src/rules/ARR36-C/DoNotSubtractPointersThatDoNotReferToTheSameArray.ql

@@ -15,7 +15,8 @@ import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.rules.donotsubtractpointersaddressingdifferentarrays.DoNotSubtractPointersAddressingDifferentArrays
 
-class DoNotSubtractPointersThatDoNotReferToTheSameArrayQuery extends DoNotSubtractPointersAddressingDifferentArraysSharedQuery {
+class DoNotSubtractPointersThatDoNotReferToTheSameArrayQuery extends DoNotSubtractPointersAddressingDifferentArraysSharedQuery
+{
   DoNotSubtractPointersThatDoNotReferToTheSameArrayQuery() {
     this = Memory2Package::doNotSubtractPointersThatDoNotReferToTheSameArrayQuery()
   }

c/cert/src/rules/ARR38-C/LibraryFunctionArgumentOutOfBounds.ql

@@ -22,4 +22,4 @@ from
 where
   not isExcluded(fc, OutOfBoundsPackage::libraryFunctionArgumentOutOfBoundsQuery()) and
   OOB::problems(fc, message, bufferArg, bufferArgStr, sizeOrOtherBufferArg, otherStr)
-select fc, message, bufferArg, bufferArgStr, sizeOrOtherBufferArg, otherStr
+select fc, message, bufferArg, bufferArgStr, sizeOrOtherBufferArg, otherStr

c/cert/src/rules/CON31-C/DoNotAllowAMutexToGoOutOfScopeWhileLocked.ql

@@ -16,7 +16,8 @@ import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.rules.donotallowamutextogooutofscopewhilelocked.DoNotAllowAMutexToGoOutOfScopeWhileLocked
 
-class DoNotAllowAMutexToGoOutOfScopeWhileLockedQuery extends DoNotAllowAMutexToGoOutOfScopeWhileLockedSharedQuery {
+class DoNotAllowAMutexToGoOutOfScopeWhileLockedQuery extends DoNotAllowAMutexToGoOutOfScopeWhileLockedSharedQuery
+{
   DoNotAllowAMutexToGoOutOfScopeWhileLockedQuery() {
     this = Concurrency3Package::doNotAllowAMutexToGoOutOfScopeWhileLockedQuery()
   }

c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql

@@ -24,5 +24,5 @@ where
       "setlocale", "atomic_init", "ATOMIC_VAR_INIT", "tmpnam", "mbrtoc16", "c16rtomb", "mbrtoc32",
       "c32rtomb"
     ]
-select node,
-  "Concurrent call to non-reeantrant function $@.", node.(FunctionCall).getTarget(), node.(FunctionCall).getTarget().getName()
+select node, "Concurrent call to non-reeantrant function $@.", node.(FunctionCall).getTarget(),
+  node.(FunctionCall).getTarget().getName()

c/cert/src/rules/CON35-C/DeadlockByLockingInPredefinedOrder.ql

@@ -16,7 +16,8 @@ import cpp
 import codingstandards.c.cert
 import codingstandards.cpp.rules.preventdeadlockbylockinginpredefinedorder.PreventDeadlockByLockingInPredefinedOrder
 
-class DeadlockByLockingInPredefinedOrderQuery extends PreventDeadlockByLockingInPredefinedOrderSharedQuery {
+class DeadlockByLockingInPredefinedOrderQuery extends PreventDeadlockByLockingInPredefinedOrderSharedQuery
+{
   DeadlockByLockingInPredefinedOrderQuery() {
     this = Concurrency2Package::deadlockByLockingInPredefinedOrderQuery()
   }