Merge branch 'main' into lcartey/produce-ql-packs

Author: lcartey

c/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.36.0-dev
+version: 2.37.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT

c/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.36.0-dev
+version: 2.37.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/common/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards
-version: 2.36.0-dev
+version: 2.37.0-dev
 license: MIT
 dependencies:
   codeql/common-cpp-coding-standards: '*'

c/common/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards-tests
-version: 2.36.0-dev
+version: 2.37.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/misra/src/codingstandards/c/misra/EssentialTypes.qll

@@ -130,12 +130,17 @@ EssentialTypeCategory getEssentialTypeCategory(Type type) {
     essentialType.(IntegralType).isSigned() and
     not essentialType instanceof PlainCharType
     or
+    // Anonymous enums are considered to be signed
+    result = EssentiallySignedType() and
+    essentialType instanceof AnonymousEnumType and
+    not essentialType instanceof MisraBoolType
+    or
     result = EssentiallyUnsignedType() and
     essentialType.(IntegralType).isUnsigned() and
     not essentialType instanceof PlainCharType
     or
     result = EssentiallyEnumType() and
-    essentialType instanceof Enum and
+    essentialType instanceof NamedEnumType and
     not essentialType instanceof MisraBoolType
     or
     result = EssentiallyFloatingType() and
@@ -348,16 +353,51 @@ class EssentialBinaryArithmeticExpr extends EssentialExpr, BinaryArithmeticOpera
   }
 }
 
+/**
+ * A named Enum type, as per D.5.
+ */
+class NamedEnumType extends Enum {
+  NamedEnumType() {
+    not isAnonymous()
+    or
+    exists(Type useOfEnum | this = useOfEnum.stripType() |
+      exists(TypedefType t | t.getBaseType() = useOfEnum)
+      or
+      exists(Function f | f.getType() = useOfEnum or f.getAParameter().getType() = useOfEnum)
+      or
+      exists(Struct s | s.getAField().getType() = useOfEnum)
+      or
+      exists(Variable v | v.getType() = useOfEnum)
+    )
+  }
+}
+
+/**
+ * An anonymous Enum type, as per D.5.
+ */
+class AnonymousEnumType extends Enum {
+  AnonymousEnumType() { not this instanceof NamedEnumType }
+}
+
+/**
+ * The EssentialType of an EnumConstantAccess, which may be essentially enum or essentially signed.
+ */
 class EssentialEnumConstantAccess extends EssentialExpr, EnumConstantAccess {
-  override Type getEssentialType() { result = getTarget().getDeclaringEnum() }
+  override Type getEssentialType() {
+    exists(Enum e | e = getTarget().getDeclaringEnum() |
+      if e instanceof NamedEnumType then result = e else result = stlr(this)
+    )
+  }
 }
 
 class EssentialLiteral extends EssentialExpr, Literal {
   override Type getEssentialType() {
     if this instanceof BooleanLiteral
-    then result instanceof MisraBoolType
+    then
+      // This returns a multitude of types - not sure if we really want that
+      result instanceof MisraBoolType
     else (
-      if this.(CharLiteral).getCharacter().length() = 1
+      if this instanceof CharLiteral
       then result instanceof PlainCharType
       else
         exists(Type underlyingStandardType |

c/misra/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-c-coding-standards
-version: 2.36.0-dev
+version: 2.37.0-dev
 description: MISRA C 2012
 suites: codeql-suites
 license: MIT

c/misra/src/rules/RULE-10-4/OperandsWithMismatchedEssentialTypeCategory.ql

@@ -38,7 +38,7 @@ where
     // be reported as non-compliant.
     leftOpTypeCategory = EssentiallyEnumType() and
     rightOpTypeCategory = EssentiallyEnumType() and
-    not leftOpEssentialType = rightOpEssentialType and
+    not leftOpEssentialType.getUnspecifiedType() = rightOpEssentialType.getUnspecifiedType() and
     message =
       "The operands of this operator with usual arithmetic conversions have mismatched essentially Enum types (left operand: "
         + leftOpEssentialType + ", right operand: " + rightOpEssentialType + ")."

c/misra/src/rules/RULE-11-5/ConversionFromPointerToVoidIntoPointerToObject.ql

@@ -19,7 +19,7 @@ import codingstandards.cpp.Pointers
 from Cast cast, VoidPointerType type, PointerToObjectType newType
 where
   not isExcluded(cast, Pointers1Package::conversionFromPointerToVoidIntoPointerToObjectQuery()) and
-  type = cast.getExpr().getUnderlyingType() and
+  type = cast.getExpr().getUnspecifiedType() and
   newType = cast.getUnderlyingType() and
   not isNullPointerConstant(cast.getExpr())
 select cast,

c/misra/src/rules/RULE-2-2/DeadCode.ql

@@ -15,8 +15,83 @@
 
 import cpp
 import codingstandards.c.misra
-import codingstandards.cpp.rules.deadcode.DeadCode
+import codingstandards.cpp.alertreporting.HoldsForAllCopies
+import codingstandards.cpp.deadcode.UselessAssignments
 
-class MisraCDeadCodeQuery extends DeadCodeSharedQuery {
-  MisraCDeadCodeQuery() { this = DeadCodePackage::deadCodeQuery() }
+/**
+ * Gets an explicit cast from `e` if one exists.
+ */
+Cast getExplicitCast(Expr e) {
+  exists(Conversion c | c = e.getExplicitlyConverted() |
+    result = c
+    or
+    result = c.(ParenthesisExpr).getExpr()
+  )
+}
+
+class ExprStmtExpr extends Expr {
+  ExprStmtExpr() { exists(ExprStmt es | es.getExpr() = this) }
+}
+
+/**
+ * An "operation" as defined by MISRA C Rule 2.2 that is dead, i.e. it's removal has no effect on
+ * the behaviour of the program.
+ */
+class DeadOperationInstance extends Expr {
+  string description;
+
+  DeadOperationInstance() {
+    // Exclude cases nested within macro expansions, because the code may be "live" in other
+    // expansions
+    isNotWithinMacroExpansion(this) and
+    exists(ExprStmtExpr e |
+      if exists(getExplicitCast(e))
+      then
+        this = getExplicitCast(e) and
+        // void conversions are permitted
+        not getExplicitCast(e) instanceof VoidConversion and
+        description = "Cast operation is unused"
+      else (
+        this = e and
+        (
+          if e instanceof Assignment
+          then
+            exists(SsaDefinition sd, LocalScopeVariable v |
+              e = sd.getDefinition() and
+              sd.getDefiningValue(v).isPure() and
+              // The definition is useless
+              isUselessSsaDefinition(sd, v) and
+              description = "Assignment to " + v.getName() + " is unused and has no side effects"
+            )
+          else (
+            e.isPure() and
+            description = "Result of operation is unused and has no side effects"
+          )
+        )
+      )
+    )
+  }
+
+  string getDescription() { result = description }
 }
+
+class DeadOperation = HoldsForAllCopies<DeadOperationInstance, Expr>::LogicalResultElement;
+
+from
+  DeadOperation deadOperation, DeadOperationInstance instance, string message, Element explainer,
+  string explainerDescription
+where
+  not isExcluded(instance, DeadCodePackage::deadCodeQuery()) and
+  instance = deadOperation.getAnElementInstance() and
+  if instance instanceof FunctionCall
+  then
+    message = instance.getDescription() + " from call to function $@" and
+    explainer = instance.(FunctionCall).getTarget() and
+    explainerDescription = explainer.(Function).getName()
+  else (
+    message = instance.getDescription() and
+    // Ignore the explainer
+    explainer = instance and
+    explainerDescription = ""
+  )
+select deadOperation, message + ".", explainer, explainerDescription

c/misra/src/rules/RULE-21-24/CallToBannedRandomFunction.ql

@@ -0,0 +1,23 @@
+/**
+ * @id c/misra/call-to-banned-random-function
+ * @name RULE-21-24: The random number generator functions of <stdlib.h> shall not be used
+ * @description The standard functions rand() and srand() will not give high quality random results
+ *              in all implementations and are therefore banned.
+ * @kind problem
+ * @precision very-high
+ * @problem.severity warning
+ * @tags external/misra/id/rule-21-24
+ *       security
+ *       external/misra/c/2012/amendment3
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codingstandards.c.misra
+
+from FunctionCall call, string name
+where
+  not isExcluded(call, Banned2Package::callToBannedRandomFunctionQuery()) and
+  name = ["rand", "srand"] and
+  call.getTarget().hasGlobalOrStdName(name)
+select call, "Call to banned random number generation function '" + name + "'."