github
diff --git a/‎.github/workflows/dispatch-matrix-check.yml
+8-10 b/‎.github/workflows/dispatch-matrix-check.yml
+8-10
diff --git a/‎.github/workflows/dispatch-matrix-test-on-comment.yml
+1-4 b/‎.github/workflows/dispatch-matrix-test-on-comment.yml
+1-4
diff --git a/‎.github/workflows/dispatch-release-performance-check.yml
+3-5 b/‎.github/workflows/dispatch-release-performance-check.yml
+3-5
diff --git a/‎c/cert/src/qlpack.yml
+1-1 b/‎c/cert/src/qlpack.yml
+1-1
diff --git a/‎c/cert/src/rules/INT30-C/UnsignedIntegerOperationsWrapAround.ql
+7-20 b/‎c/cert/src/rules/INT30-C/UnsignedIntegerOperationsWrapAround.ql
+7-20
diff --git a/‎c/cert/src/rules/PRE32-C/MacroOrFunctionArgsContainHashToken.ql
+32-5 b/‎c/cert/src/rules/PRE32-C/MacroOrFunctionArgsContainHashToken.ql
+32-5
diff --git a/‎c/cert/test/qlpack.yml
+1-1 b/‎c/cert/test/qlpack.yml
+1-1
diff --git a/‎c/cert/test/rules/INT30-C/UnsignedIntegerOperationsWrapAround.expected
-4 b/‎c/cert/test/rules/INT30-C/UnsignedIntegerOperationsWrapAround.expected
-4
diff --git a/‎c/cert/test/rules/INT30-C/UnsignedIntegerOperationsWrapAround.qlref
-1 b/‎c/cert/test/rules/INT30-C/UnsignedIntegerOperationsWrapAround.qlref
-1
diff --git a/‎c/cert/test/rules/INT30-C/UnsignedIntegerOperationsWrapAround.testref
+1 b/‎c/cert/test/rules/INT30-C/UnsignedIntegerOperationsWrapAround.testref
+1
diff --git a/‎c/cert/test/rules/MSC30-C/RandUsedForGeneratingPseudorandomNumbers.testref
+1-1 b/‎c/cert/test/rules/MSC30-C/RandUsedForGeneratingPseudorandomNumbers.testref
+1-1
diff --git a/‎c/cert/test/rules/PRE32-C/MacroOrFunctionArgsContainHashToken.expected
-2 b/‎c/cert/test/rules/PRE32-C/MacroOrFunctionArgsContainHashToken.expected
-2
diff --git a/‎c/cert/test/rules/PRE32-C/test.c
+3-3 b/‎c/cert/test/rules/PRE32-C/test.c
+3-3
diff --git a/‎c/common/src/codingstandards/c/Literals.qll
-4 b/‎c/common/src/codingstandards/c/Literals.qll
-4
diff --git a/‎c/common/src/qlpack.yml
+1-1 b/‎c/common/src/qlpack.yml
+1-1
@@ -1,8 +1,8 @@
-name: 🤖 Run Matrix Check 
+name: 🤖 Run Matrix Check
 
 on:
   pull_request_target:
-    types: [synchronize,opened]
+    types: [synchronize, opened]
     branches:
       - "matrix/**"
   workflow_dispatch:
@@ -11,29 +11,27 @@ jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-
       - name: Test Variables
         shell: pwsh
         run: |
-          Write-Host "Running as: ${{github.actor}}"    
-    
+          Write-Host "Running as: ${{github.actor}}"
+
       - name: Dispatch Matrix Testing Job
-        if: ${{ contains(fromJSON('["jsinglet", "mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine"]'), github.actor) }}
+        if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
           repository: github/codeql-coding-standards-release-engineering
           event-type: matrix-test
-          client-payload: '{"pr": "${{ github.event.number  }}"}'
-
+          client-payload: '{"pr": "${{ github.event.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ contains(fromJSON('["jsinglet", "mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine"]'), github.actor) }}
+        if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
         with:
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: '🤖 Beep Boop! Matrix Testing for this PR has been initiated. Please check back later for results. <br><br> :bulb: If you do not hear back from me please check my status! **I will report even if this PR does not contain files eligible for matrix testing.**'
-            })
+            })
@@ -8,26 +8,23 @@ on:
       - "rc/**"
       - next
 
-
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-
       - name: Test Variables
         shell: pwsh
         run: |
           Write-Host "Running as: ${{github.actor}}"    
 
           $actor = "${{github.actor}}"
 
-          $acl = @("jsinglet","mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine") 
+          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
 
           if(-not ($actor -in $acl)){
             throw "Refusing to run workflow for user not in acl."
           }
 
-
       - name: Dispatch Matrix Testing Job
         if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
         uses: peter-evans/repository-dispatch@v2
 
@@ -12,15 +12,14 @@ jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-
       - name: Test Variables
         shell: pwsh
         run: |
           Write-Host "Running as: ${{github.actor}}"    
 
           $actor = "${{github.actor}}"
 
-          $acl = @("jsinglet","mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine") 
+          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
 
           if(-not ($actor -in $acl)){
             throw "Refusing to run workflow for user not in acl."
@@ -33,8 +32,7 @@ jobs:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
           repository: github/codeql-coding-standards-release-engineering
           event-type: performance-test
-          client-payload: '{"pr": "${{ github.event.issue.number  }}"}'
-
+          client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
         if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
@@ -45,4 +43,4 @@ jobs:
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: '🏁 Beep Boop! Performance testing for this PR has been initiated. Please check back later for results. Note that the query package generation step must complete before testing  will start so it might be a minute. <br><br> :bulb: If you do not hear back from me please check my status! **I will report even if I fail!**'
-            })
+            })
@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.32.0-dev
+version: 2.34.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT
 
@@ -15,24 +15,11 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.cpp.Overflow
-import semmle.code.cpp.controlflow.Guards
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import codingstandards.cpp.rules.unsignedoperationwithconstantoperandswraps.UnsignedOperationWithConstantOperandsWraps
 
-from InterestingOverflowingOperation op
-where
-  not isExcluded(op, IntegerOverflowPackage::unsignedIntegerOperationsWrapAroundQuery()) and
-  op.getType().getUnderlyingType().(IntegralType).isUnsigned() and
-  // Not within a guard condition
-  not exists(GuardCondition gc | gc.getAChild*() = op) and
-  // Not guarded by a check, where the check is not an invalid overflow check
-  not op.hasValidPreCheck() and
-  // Is not checked after the operation
-  not op.hasValidPostCheck() and
-  // Permitted by exception 3
-  not op instanceof LShiftExpr and
-  // Permitted by exception 2 - zero case is handled in separate query
-  not op instanceof DivExpr and
-  not op instanceof RemExpr
-select op,
-  "Operation " + op.getOperator() + " of type " + op.getType().getUnderlyingType() + " may wrap."
+class UnsignedIntegerOperationsWrapAroundQuery extends UnsignedOperationWithConstantOperandsWrapsSharedQuery
+{
+  UnsignedIntegerOperationsWrapAroundQuery() {
+    this = IntegerOverflowPackage::unsignedIntegerOperationsWrapAroundQuery()
+  }
+}
@@ -32,11 +32,38 @@ predicate isFunctionSuccessorLocation(ControlFlowNode node, File f, int endline)
 PreprocessorDirective isLocatedInAFunctionInvocation(FunctionCall c) {
   exists(PreprocessorDirective p, File f, int startCall, int endCall |
     isFunctionInvocationLocation(c, f, startCall, endCall) and
-    exists(int startLine, int endLine | isPreprocDirectiveLine(p, f, startLine, endLine) |
-      startCall < startLine and
-      startCall < endLine and
-      endLine <= endCall and
-      endLine <= endCall
+    exists(Expr arg, int preprocStartLine, int preprocEndLine |
+      c.getAnArgument() = arg and
+      isPreprocDirectiveLine(p, f, preprocStartLine, preprocEndLine) and
+      // function call begins before preprocessor directive
+      startCall < preprocStartLine and
+      (
+        // argument's location is after the preprocessor directive
+        arg.getLocation().getStartLine() > preprocStartLine
+        or
+        // arg's location is before an endif token that is part of a
+        // preprocessor directive defined before the argument.
+        // E.g.
+        // memcpy(dest, src,
+        // #ifdef SOMEMACRO
+        // 12
+        // #else
+        // 24 // 'arg' exists here
+        // #endif // endif after 'arg', but part of a preproc. branch before 'arg'
+        // );
+        p instanceof PreprocessorEndif and
+        // exists a preprocessor branch of which this is the endif
+        // and that preprocessor directive exists before
+        // the argument and after the function call begins.
+        exists(PreprocessorBranchDirective another |
+          another.getEndIf() = p and
+          another.getLocation().getFile() = f and
+          startCall < another.getLocation().getStartLine() and
+          arg.getLocation().getStartLine() > another.getLocation().getStartLine()
+        )
+      ) and
+      // function call ends after preprocessor directive
+      endCall > preprocEndLine
     ) and
     result = p
   )
 
@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.32.0-dev
+version: 2.34.0-dev
 extractor: cpp
 license: MIT
 dependencies:
 
@@ -0,0 +1 @@
+c/common/test/rules/unsignedoperationwithconstantoperandswraps/UnsignedOperationWithConstantOperandsWraps.ql
@@ -1 +1 @@
-cpp/common/test/rules/donotuserandforgeneratingpseudorandomnumbers/DoNotUseRandForGeneratingPseudorandomNumbers.ql
+c/common/test/rules/donotuserandforgeneratingpseudorandomnumbers/DoNotUseRandForGeneratingPseudorandomNumbers.ql
@@ -4,5 +4,3 @@
 | test.c:20:1:20:16 | #ifdef SOMEMACRO | Invocation of function memcpy includes a token "#ifdef SOMEMACRO" that could be confused for an argument preprocessor directive. |
 | test.c:22:1:22:5 | #else | Invocation of function memcpy includes a token "#else" that could be confused for an argument preprocessor directive. |
 | test.c:24:1:24:6 | #endif | Invocation of function memcpy includes a token "#endif" that could be confused for an argument preprocessor directive. |
-| test.c:27:1:27:8 | #if TEST | Invocation of function memcpy includes a token "#if TEST" that could be confused for an argument preprocessor directive. |
-| test.c:28:1:28:6 | #endif | Invocation of function memcpy includes a token "#endif" that could be confused for an argument preprocessor directive. |
@@ -24,6 +24,6 @@ void func(const char *src) {
 #endif // NON_COMPLIANT
   );
 
-#if TEST // COMPLIANT[FALSE_POSITIVE]
-#endif   // COMPLIANT[FALSE_POSITIVE]
-}
+#if TEST // COMPLIANT
+#endif   // COMPLIANT
+}
@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards
-version: 2.32.0-dev
+version: 2.34.0-dev
 license: MIT
 dependencies:
   codeql/common-cpp-coding-standards: '*'
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+c/common/test/rules/unsignedoperationwithconstantoperandswraps/UnsignedOperationWithConstantOperandsWraps.ql`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-cpp/common/test/rules/donotuserandforgeneratingpseudorandomnumbers/DoNotUseRandForGeneratingPseudorandomNumbers.ql`
	`1`	`+c/common/test/rules/donotuserandforgeneratingpseudorandomnumbers/DoNotUseRandForGeneratingPseudorandomNumbers.ql`