Merge branch 'main' into next

Author: jketema

.github/workflows/bump-version.yml

@@ -99,8 +99,8 @@ jobs:
         run: |
           PATH=$PATH:$CODEQL_HOME/codeql
 
-          codeql query compile --threads 0 cpp
-          codeql query compile --threads 0 c
+          codeql query compile --precompile --threads 0 cpp
+          codeql query compile --precompile --threads 0 c
 
           cd ..
           zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/schemas

.github/workflows/code-scanning-pack-gen.yml

@@ -9,8 +9,12 @@ on:
     inputs:
       ref:
         description: |
-          The release branch to finalize.
+          The ref of release to finalize (e.g., 'rc/MAJOR.MINOR.PATCH').
         required: true
+      tool-ref:
+        description: |
+          The ref to the tooling to use for the finalize (e.g., 'rc/MAJOR.MINOR.PATCH').
+        required: false 
 
 jobs:
   finalize-release:
@@ -20,34 +24,56 @@ jobs:
       - name: Determine ref
         env:
           REF_FROM_INPUT: ${{ inputs.ref }}
+          TOOL_REF_FROM_INPUT: ${{ inputs.tool-ref }}
           REF_FROM_PR: ${{ github.event.pull_request.merge_commit_sha  }}
           BASE_REF_FROM_PR: ${{ github.event.pull_request.base.ref }}
         run: |
           if [[ $GITHUB_EVENT_NAME == "workflow_dispatch" ]]; then
             echo "REF=$REF_FROM_INPUT" >> "$GITHUB_ENV"
+            echo "TOOL_REF=$TOOL_REF_FROM_INPUT" >> "$GITHUB_ENV"
             echo "BASE_REF=$REF_FROM_INPUT" >> "$GITHUB_ENV"
           else
             echo "REF=$REF_FROM_PR" >> "$GITHUB_ENV"
+            echo "TOOL_REF=$REF_FROM_PR" >> "$GITHUB_ENV"
             echo "BASE_REF=$BASE_REF_FROM_PR" >> "$GITHUB_ENV"
           fi
 
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ env.REF }}
+          fetch-depth: 0
+          path: release 
+      
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.TOOL_REF }}
+          path: tooling 
+      
+      - name: Install Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: pip install -r scripts/release/requirements.txt
+        working-directory: tooling
 
       - name: Configure git
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+        working-directory: release 
 
       - name: Update release tag
         run: |
           version=${BASE_REF#rc/}
           echo "Creating release tag v$version"
 
-          git tag -a v$version -m "Release v$version"
-          git push -f origin v$version
+          git tag -f -a v$version -m "Release v$version"
+          git push --force origin v$version
+        working-directory: release 
 
       - name: Finalize release
         env:
@@ -57,30 +83,51 @@ jobs:
           echo "Finalizing release v$version"
 
           gh release edit "v$version" --draft=false --tag=v$version
+        working-directory: release 
 
       - name: Determine if release was a hotfix release
         run: |
           version=${BASE_REF#rc/}
-          echo "HOTFIX_RELEASE=$(python scripts/release/is-hotfix.py $version)" >> "$GITHUB_ENV"
+          # We are running the script in the tooling directory with the release directory as the working directory
+          echo "HOTFIX_RELEASE=$(python ../tooling/scripts/release/is-hotfix-release.py $version)" >> "$GITHUB_ENV"
+        working-directory: release 
+      
+      - name: Determine next release version
+        if: env.HOTFIX_RELEASE == 'false'
+        run: |
+          version=${BASE_REF#rc/}
+          next_version=$(python scripts/release/next-version.py --component minor --pre-release dev -- $version)
+          echo "NEXT_VERSION=$next_version" >> "$GITHUB_ENV"
+        working-directory: tooling 
+      
+      - name: Generate token
+        if: env.HOTFIX_RELEASE == 'false'
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards"
 
       - name: Bump main version
         if: env.HOTFIX_RELEASE == 'false'
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
-          version=${BASE_REF#rc/}
-          next_version="$version-dev"
-          echo "Bumping main version to $next_version"
+          echo "Bumping main version to $NEXT_VERSION"
 
           git switch main
           git pull --ff-only origin main
 
-          git switch -c release-automation/bump-version
+          git switch -c "release-automation/bump-version-to-$NEXT_VERSION"
 
-          ./scripts/release/bump-version.sh "$next_version"
+          # We are running the script in the tooling directory with the release directory as the working directory
+          ../tooling/scripts/release/bump-version.sh "$NEXT_VERSION"
 
           git add -u .
-          git commit -m "Bump version to $next_version"
-          git push --set-upstream origin release-automation/bump-version
+          git commit -m "Bump version to $NEXT_VERSION"
+          git push --set-upstream origin "release-automation/bump-version-to-$NEXT_VERSION"
 
-          gh pr create --repo $GITHUB_REPOSITORY --base main --head release-automation/bump-version --body "Bump the version of main to the dev label of the just released version $next_version" --title "Bump version to $next_version"
+          gh pr create --repo $GITHUB_REPOSITORY --base main --head "release-automation/bump-version-to-$NEXT_VERSION" --body "Bump the version of main to $NEXT_VERSION" --title "Bump version to $NEXT_VERSION"
+        working-directory: release 

.github/workflows/finalize-release.yml

@@ -31,6 +31,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # We need the full history to compute the changelog
+          ref: ${{ inputs.head-sha }}
 
       - name: Install Python
         uses: actions/setup-python@v4
@@ -59,7 +60,7 @@ jobs:
             --layout scripts/release/release-layout.yml \
             --repo "$GITHUB_REPOSITORY" \
             --github-token "$GITHUB_REPOSITORY:$GITHUB_TOKEN" "github/codeql-coding-standards-release-engineering:$RELEASE_ENGINEERING_TOKEN" \
-            --skip-checkrun "release-status"
+            --skip-checkrun "release-status" "Update Release"
 
       - name: Update release notes
         env:

.github/workflows/update-release.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.22.0-dev
+version: 2.29.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT

c/cert/src/qlpack.yml

@@ -17,6 +17,7 @@ import codingstandards.c.cert
 import codingstandards.cpp.Naming
 import semmle.code.cpp.dataflow.TaintTracking
 import codingstandards.cpp.PossiblyUnsafeStringOperation
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
 /**
  * Models a function that is part of the standard library that expects a
@@ -43,32 +44,90 @@ class ExpectsNullTerminatedStringAsArgumentFunctionCall extends FunctionCall {
   Expr getAnExpectingExpr() { result = e }
 }
 
-from ExpectsNullTerminatedStringAsArgumentFunctionCall fc, Expr e, Expr target
-where
-  target = fc.getAnExpectingExpr() and
-  not isExcluded(fc, Strings1Package::nonNullTerminatedToFunctionThatExpectsAStringQuery()) and
-  (
-    exists(PossiblyUnsafeStringOperation op |
-      // don't report violations of the same function call.
-      not op = fc and
-      e = op and
-      TaintTracking::localTaint(DataFlow::exprNode(op.getAnArgument()), DataFlow::exprNode(target))
+class PossiblyUnsafeStringOperationSource extends Source {
+  PossiblyUnsafeStringOperation op;
+
+  PossiblyUnsafeStringOperationSource() { this.asExpr() = op.getAnArgument() }
+
+  PossiblyUnsafeStringOperation getOp() { result = op }
+}
+
+class CharArraySource extends Source {
+  CharArrayInitializedWithStringLiteral op;
+
+  CharArraySource() {
+    op.getContainerLength() <= op.getStringLiteralLength() and
+    this.asExpr() = op
+  }
+}
+
+abstract class Source extends DataFlow::Node { }
+
+class Sink extends DataFlow::Node {
+  Sink() {
+    exists(ExpectsNullTerminatedStringAsArgumentFunctionCall fc |
+      fc.getAnExpectingExpr() = this.asExpr()
     )
-    or
-    exists(CharArrayInitializedWithStringLiteral op |
-      e = op and
-      op.getContainerLength() <= op.getStringLiteralLength() and
-      TaintTracking::localTaint(DataFlow::exprNode(op), DataFlow::exprNode(target))
+  }
+}
+
+module MyFlowConfiguration implements DataFlow::ConfigSig {
+  predicate isSink(DataFlow::Node sink) {
+    sink instanceof Sink and
+    //don't report violations of the same function call
+    not sink instanceof Source
+  }
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isAdditionalFlowStep(DataFlow::Node innode, DataFlow::Node outnode) {
+    exists(FunctionCall realloc, ReallocFunction fn |
+      fn.getACallToThisFunction() = realloc and
+      realloc.getArgument(0) = innode.asExpr() and
+      realloc = outnode.asExpr()
     )
-  ) and
-  // don't report cases flowing to this node where there is a flow from a
-  // literal assignment of a null terminator
-  not exists(AssignExpr aexp |
+  }
+}
+
+class ReallocFunction extends AllocationFunction {
+  ReallocFunction() { exists(this.getReallocPtrArg()) }
+}
+
+/**
+ * Determines if the string is acceptably null terminated
+ * The only condition we accept as a guarantee to null terminate is:
+ * `str[size_expr] = '\0';`
+ * where we do not check the value of the `size_expr` used
+ */
+predicate isGuarded(Expr guarded, Expr source) {
+  exists(AssignExpr aexp |
     aexp.getLValue() instanceof ArrayExpr and
     aexp.getRValue() instanceof Zero and
-    TaintTracking::localTaint(DataFlow::exprNode(aexp.getRValue()), DataFlow::exprNode(target)) and
-    // this must be AFTER the operation causing the non-null termination to be valid.
-    aexp.getAPredecessor*() = e
+    // this must be AFTER the operation causing the non-null termination
+    aexp.getAPredecessor+() = source and
+    //this guards anything after it
+    aexp.getASuccessor+() = guarded and
+    // no reallocs exist after this because they will be conservatively assumed to make the buffer smaller and remove the likliehood of this properly terminating
+    not exists(ReallocFunction realloc, FunctionCall fn |
+      fn = realloc.getACallToThisFunction() and
+      globalValueNumber(aexp.getLValue().(ArrayExpr).getArrayBase()) =
+        globalValueNumber(fn.getArgument(0)) and
+      aexp.getASuccessor+() = fn
+    )
   )
+}
+
+module MyFlow = TaintTracking::Global<MyFlowConfiguration>;
+
+from
+  DataFlow::Node source, DataFlow::Node sink, ExpectsNullTerminatedStringAsArgumentFunctionCall fc,
+  Expr e
+where
+  MyFlow::flow(source, sink) and
+  sink.asExpr() = fc.getAnExpectingExpr() and
+  not isGuarded(sink.asExpr(), source.asExpr()) and
+  if source instanceof PossiblyUnsafeStringOperationSource
+  then e = source.(PossiblyUnsafeStringOperationSource).getOp()
+  else e = source.asExpr()
 select fc, "String modified by $@ is passed to function expecting a null-terminated string.", e,
   "this expression"

c/cert/src/rules/STR32-C/NonNullTerminatedToFunctionThatExpectsAString.ql

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.22.0-dev
+version: 2.29.0-dev
 extractor: cpp
 license: MIT
 dependencies: