Release summary

• New queries added for the following rule packages: Declarations9, SideEffects3
• The following changes have been made for this release:
  • RULE-11-3 -CastBetweenObjectPointerAndDifferentObjectType.ql
    • Constrain exception that pointer types to may be cast to char types, so that it does not apply to atomic pointer types, in compliance with MISRA-C 2012 Amendment 4.
  • RULE-11-8 -CastRemovesConstOrVolatileQualification.ql
    • Query expanded to detect cases of removing_Atomic qualification, in compliance with MISRA-C 2012 Amendment 4.
  • EXP33-C,RULE-9-1,A8-5-0,EXP53-CPP -DoNotReadUninitializedMemory.ql,ObjectWithAutoStorageDurationReadBeforeInit.ql,MemoryNotInitializedBeforeItIsRead.ql,DoNotReadUninitializedMemory.ql
    • Atomic local variables excluded from query results, in compliance with MISRA-C 2012 Amendment 4, and to reduce false positives in the other standards.
  • RULE-13-2 -UnsequencedAtomicReads.ql
    • New query to find expressions which read an atomic variable more than once between sequence points, to address new case from MISRA-C 2012 Amendment 4.
  • RULE-3-1 -CharacterSequencesAndUsedWithinAComment.ql
    • Add exception allowing URLs inside of cpp-style/* ... */ comments, in compliance with MISRA-C 2012 Amendment 4.
    • No longer report cases of//*some comment in this rule.
  • A new in code deviation format has been introduced, using the C/C++ attribute syntax:

    [[codeql::<standard>_deviation("<code-identifier>")]]

    This can be applied to functions, statements and variables to apply a deviation from the Coding Standards configuration file. The user manual has been updated to describe the new format.
  • For those codebases that cannot use standard attributes, we have also introduced a comment based syntax

    // codeql::<standard>_deviation(<code-identifier>)// codeql::<standard>_deviation_next_line(<code-identifier>)// codeql::<standard>_deviation_begin(<code-identifier>)// codeql::<standard>_deviation_end(<code-identifier>)

    Further information is available in the user manual.
  • RULE-8-7 -ShouldNotBeDefinedWithExternalLinkage.ql:
    • Remove false positives where the declaration is not defined in the database.
    • Remove false positives where the definition and reference are in different translation units.
    • Remove false positives where the reference occurs in a header file.
  • RULE-8-3 -DeclarationsOfAFunctionSameNameAndType.ql:
    • Implement new exception, unnamed parameters are not covered by this rule.
  • RULE-10-2 -AdditionSubtractionOnEssentiallyCharType.ql:
    • Disallow+ and- operations with an essentially char type and other types larger than int type.
    • Note, this change affects the essential type of such expressions, which may affect other essential types rules.
  • RULE-18-1,M5-0-16 -PointerAndDerivedPointerMustAddressSameArray.ql,PointerAndDerivedPointerAccessDifferentArray.ql:
    • Treat casts to byte pointers as pointers to arrays of the size of the pointed-to type.
    • Fix typo in report message, "passed" replaced with "past."
    • Suppress results where range analysis appears potentially unreliable.
  • RULE-21-10,RULE-25-5-3,ENV34-C -CallToSetlocaleInvalidatesOldPointers.ql,CallToSetlocaleInvalidatesOldPointersMisra.ql,DoNotStorePointersReturnedByEnvFunctions.ql:
    • Report usage of returned pointers fromasctime,ctime, during a call to either of the former.
    • Report usage of returned pointers fromgmtime,localtime, during a call to either of the former.

Supported versions

• The LGTM pack is not supported on any released version of LGTM without support from GitHub Professional Services.
• The Code Scanning pack is supported when:
  • Using the CodeQL CLI version2.19.4 in conjunction with a copy of the CodeQL standard library for C++ (github/codeql) set to the tagcodeql-cli/v2.19.4.
  • Using the CodeQL Action or CodeQL runner with thecodeql-bundle-v2.19.4.

Appendix: MISRA-C-2012 new queries

New queries added to cover the following rules:

• RULE-11-10 -AtomicQualifierAppliedToVoid.ql
• RULE-13-2 -UnsequencedAtomicReads.ql