Merge branch 'main' into lcartey/a7-1-2

lcartey · web-flow · commit 0917493e40f1 · 2024-06-05T14:07:07.000+01:00
diff --git a/c/cert/src/qlpack.yml b/c/cert/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT
diff --git a/c/cert/test/qlpack.yml b/c/cert/test/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.29.0-dev
+version: 2.30.0-dev
 extractor: cpp
 license: MIT
 dependencies:
diff --git a/c/common/src/qlpack.yml b/c/common/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 license: MIT
 dependencies:
   codeql/common-cpp-coding-standards: '*'
diff --git a/c/common/test/qlpack.yml b/c/common/test/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards-tests
-version: 2.29.0-dev
+version: 2.30.0-dev
 extractor: cpp
 license: MIT
 dependencies:
diff --git a/c/misra/src/qlpack.yml b/c/misra/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/misra-c-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 description: MISRA C 2012
 suites: codeql-suites
 license: MIT
diff --git a/c/misra/test/qlpack.yml b/c/misra/test/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/misra-c-coding-standards-tests
-version: 2.29.0-dev
+version: 2.30.0-dev
 extractor: cpp
 license: MIT
 dependencies:
diff --git a/change_notes/2024-05-22-fix-fp-rule-A18-5-8.md b/change_notes/2024-05-22-fix-fp-rule-A18-5-8.md
@@ -0,0 +1,2 @@
+- `A18-5-8` - `UnnecessaryUseOfDynamicStorage.ql`:
+  - Address FP reported in #20. Add model of flow from MakeSharedOrUnique to return expression to capture copy/move elision case NRVO.
diff --git a/cpp/autosar/src/qlpack.yml b/cpp/autosar/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/autosar-cpp-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 description: AUTOSAR C++14 Guidelines R22-11, R21-11, R20-11, R19-11 and R19-03
 suites: codeql-suites
 license: MIT
diff --git a/cpp/autosar/src/rules/A18-5-8/UnnecessaryUseOfDynamicStorage.ql b/cpp/autosar/src/rules/A18-5-8/UnnecessaryUseOfDynamicStorage.ql
@@ -53,6 +53,9 @@ class MakeSharedOrUnique extends FunctionCall, CandidateFunctionLocalHeapAllocat
     // This includes the case where a result of `make_shared` or `make_unique` is return by a function
     // because the compiler will call the appropriate constructor.
     not exists(FunctionCall fc | DataFlow::localExprFlow(this, fc.getAnArgument())) and
+    // The flow to a return statement is explicitly modelled for the case where
+    // the copy/move constructor is elided and therefore there is no actual function call in the database
+    not exists(ReturnStmt ret | DataFlow::localExprFlow(this, ret.getExpr())) and
     // Not assigned to a field
     not exists(Field f | DataFlow::localExprFlow(this, f.getAnAssignedValue()))
   }
diff --git a/cpp/autosar/test/qlpack.yml b/cpp/autosar/test/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/autosar-cpp-coding-standards-tests
-version: 2.29.0-dev
+version: 2.30.0-dev
 extractor: cpp
 license: MIT
 dependencies:
diff --git a/cpp/autosar/test/rules/A18-5-8/test.cpp b/cpp/autosar/test/rules/A18-5-8/test.cpp
@@ -68,4 +68,13 @@ StructA *test_failure() {
     a = nullptr;
   }
   return a;
+}
+
+#include <string>
+std::unique_ptr<StructA>
+test_for_fp_reported_in_20(const std::string &s) noexcept {
+  // make_unique performs heap allocation
+  // but this outlives the function due to copy elision
+  // (specifically NRVO)
+  return std::make_unique<StructA>(s); // COMPLIANT
 }
diff --git a/cpp/cert/src/qlpack.yml b/cpp/cert/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cert-cpp-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 description: CERT C++ 2016
 suites: codeql-suites
 license: MIT
diff --git a/cpp/cert/test/qlpack.yml b/cpp/cert/test/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cert-cpp-coding-standards-tests
-version: 2.29.0-dev
+version: 2.30.0-dev
 extractor: cpp
 license: MIT
 dependencies:
diff --git a/cpp/common/src/qlpack.yml b/cpp/common/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/common-cpp-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 license: MIT
 dependencies:
   codeql/cpp-all: 0.9.3
diff --git a/cpp/common/test/qlpack.yml b/cpp/common/test/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/common-cpp-coding-standards-tests
-version: 2.29.0-dev
+version: 2.30.0-dev
 extractor: cpp
 license: MIT
 dependencies:
diff --git a/cpp/misra/src/qlpack.yml b/cpp/misra/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/misra-cpp-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 description: MISRA C++ 2008
 suites: codeql-suites
 license: MIT
diff --git a/cpp/misra/test/qlpack.yml b/cpp/misra/test/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/misra-cpp-coding-standards-tests
-version: 2.29.0-dev
+version: 2.30.0-dev
 extractor: cpp
 license: MIT
 dependencies:
diff --git a/cpp/report/src/qlpack.yml b/cpp/report/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/report-cpp-coding-standards
-version: 2.29.0-dev
+version: 2.30.0-dev
 license: MIT
 dependencies:
   codeql/cpp-all: 0.9.3
diff --git a/docs/user_manual.md b/docs/user_manual.md
@@ -29,13 +29,13 @@
 
 ## Release information
 
-This user manual documents release `2.29.0-dev` of the coding standards located at [https://github.com/github/codeql-coding-standards](https://github.com/github/codeql-coding-standards).
+This user manual documents release `2.30.0-dev` of the coding standards located at [https://github.com/github/codeql-coding-standards](https://github.com/github/codeql-coding-standards).
 The release page documents the release notes and contains the following artifacts part of the release:
 
-- `code-scanning-cpp-query-pack-2.29.0-dev.zip`: coding standard queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_.
-- `supported_rules_list_2.29.0-dev.csv`: A Comma Separated File (CSV) containing the supported rules per standard and the queries that implement the rule.
-- `supported_rules_list_2.29.0-dev.md`: A Markdown formatted file with a table containing the supported rules per standard and the queries that implement the rule.
-- `user_manual_2.29.0-dev.md`: This user manual.
+- `code-scanning-cpp-query-pack-2.30.0-dev.zip`: coding standard queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_.
+- `supported_rules_list_2.30.0-dev.csv`: A Comma Separated File (CSV) containing the supported rules per standard and the queries that implement the rule.
+- `supported_rules_list_2.30.0-dev.md`: A Markdown formatted file with a table containing the supported rules per standard and the queries that implement the rule.
+- `user_manual_2.30.0-dev.md`: This user manual.
 - `Source Code (zip)`: A zip archive containing the contents of https://github.com/github/codeql-coding-standards
 - `Source Code (tar.gz)`: A GZip compressed tar archive containing the contents of https://github.com/github/codeql-coding-standards
 - `checksums.txt`: A text file containing sha256 checksums for the aforementioned artifacts.
@@ -496,7 +496,7 @@ This section describes known failure modes for "CodeQL Coding Standards" and des
 |                              | Ouf of space                                                                                                                                                       | Less output. Some files may be only be partially analyzed, or not analyzed at all.                                                                        | Error reported on the command line.                                                                                                                                                                                                                                                                                                  | Increase space. If it remains an issue report space consumption issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                            |
 |                              | False positives                                                                                                                                                    | More output. Results are reported which are not violations of the guidelines.                                                                             | All reported results must be reviewed.                                                                                                                                                                                                                                                                                               | Report false positive issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                                                                      |
 |                              | False negatives                                                                                                                                                    | Less output. Violations of the guidelines are not reported.                                                                                               | Other validation and verification processes during software development should be used to complement the analysis performed by CodeQL Coding Standards.                                                                                                                                                                              | Report false negative issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                                                                      |
-|                              | Modifying coding standard suite                                                                                                                                    | More or less output. If queries are added to the query set more result can be reported. If queries are removed less results might be reported.            | All queries supported by the CodeQL Coding Standards are listed in the release artifacts `supported_rules_list_2.29.0-dev.csv` where VERSION is replaced with the used release. The rules in the resulting Sarif file must be cross-referenced with the expected rules in this list to determine the validity of the used CodeQL suite. | Ensure that the CodeQL Coding Standards are not modified in ways that are not documented as supported modifications.                                                                                                                                                                                                                                                    |
+|                              | Modifying coding standard suite                                                                                                                                    | More or less output. If queries are added to the query set more result can be reported. If queries are removed less results might be reported.            | All queries supported by the CodeQL Coding Standards are listed in the release artifacts `supported_rules_list_2.30.0-dev.csv` where VERSION is replaced with the used release. The rules in the resulting Sarif file must be cross-referenced with the expected rules in this list to determine the validity of the used CodeQL suite. | Ensure that the CodeQL Coding Standards are not modified in ways that are not documented as supported modifications.                                                                                                                                                                                                                                                    |
 |                              | Incorrect deviation record specification                                                                                                                           | More output. Results are reported for guidelines for which a deviation is assigned.                                                                       | Analysis integrity report lists all deviations and incorrectly specified deviation records with a reason. Ensure that all deviation records are correctly specified.                                                                                                                                                                 | Ensure that the deviation record is specified according to the specification in the user manual.                                                                                                                                                                                                                                                                           |
 |                              | Incorrect deviation permit specification                                                                                                                           | More output. Results are reported for guidelines for which a deviation is assigned.                                                                       | Analysis integrity report lists all deviations and incorrectly specified deviation permits with a reason. Ensure that all deviation permits are correctly specified.                                                                                                                                                                 | Ensure that the deviation record is specified according to the specification in the user manual.                                                                                                                                                                                                                                                                           |
 |                              | Unapproved use of a deviation record                                                                                                                               | Less output. Results for guideline violations are not reported.                                                                                           | Validate that the deviation record use is approved by verifying the approved-by attribute of the deviation record specification.                                                                                                                                                                                                     | Ensure that each raised deviation record is approved by an independent approver through an auditable process.                                                                                                                                                                                                                                                              |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+- `A18-5-8` - `UnnecessaryUseOfDynamicStorage.ql`:
	`2`	`+ - Address FP reported in #20. Add model of flow from MakeSharedOrUnique to return expression to capture copy/move elision case NRVO.`