Skip to content

Mbaluda next#1149

Draft
mbaluda wants to merge 144 commits into
mainfrom
mbaluda-next
Draft

Mbaluda next#1149
mbaluda wants to merge 144 commits into
mainfrom
mbaluda-next

Conversation

@mbaluda

@mbaluda mbaluda commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Description

please enter the description of your change here

Change request type

  • Release or process automation (GitHub workflows, internal scripts)
  • Internal documentation
  • External documentation
  • Query files (.ql, .qll, .qls or unit tests)
  • External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

  • No rules added
  • Queries have been added for the following rules:
    • rule number here
  • Queries have been modified for the following rules:
    • rule number here

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

  • The structure or layout of the release artifacts.
  • The evaluation performance (memory, execution time) of an existing query.
  • The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

  • Yes
  • No

🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.

  • Confirmed

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

  • Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

Reviewer

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

jketema and others added 30 commits March 6, 2025 13:52
@jketema
Update expected test results after frontend update
1c82682
@jketema
Merge pull request #865 from jketema/frontend-update
ce14612 
Update expected test results after frontend update
@jketema
Merge branch 'main' into next
d6b55ca
@jketema
Update MISRA queries and tests after merging location tables
f07f569
@jketema
Merge pull request #915 from jketema/loc-table-merge
3b4a91c 
Update MISRA queries and tests after merging location tables
@IdrissRio
C++: accept new test results after QL changes
67adebb
@jketema
Merge pull request #916 from IdrissRio/next
60c2e05 
C++: accept new test results after QL changes
@jketema
Merge remote-tracking branch 'upstream/main' into next
740bcd0
@jketema
Comvert ARR37-C to use the new dataflow library
2089bcd
@jketema
Conver ARR39-C to the new dataflow library
cf1b625 
Observe that `sizeof(...)` might not occur as a dataflow node if it has a
parent node with a concrete value. That value will be a dataflow node instead.
Hence, the query has be changed to check for expressions where `sizeof(...)`
is a child of an expression with a concrete value.
@jketema
Convert ERR30-C to use the new dataflow library
8d73f3b
@jketema
Convert FIO45-C to use the new dataflow library
7a1577e
@jketema
Convert EXP36-C to the new datafow library
c5c6c58 
Note that we now properly report the offending cast instead of the expression
that is being cast.
@jketema
Convert MSC33-C to the new dataflow library
8fdea49 
As it is the dataflow used by `asctime` that is relevant, and not the pointer,
use the indirect expression.
@jketema
Convert MSC51-CPP to the new dataflow library
3289621
@jketema
Convert CTR56-CPP to the new dataflow library
d20cd3a
@jketema
Convert EXP51-CPP ot use the new dataflow library
77e8e0e
@jketema
Conver M3-9-3 to use the new dataflow library
57b6091
@jketema
Convert A9-3-1 to use the new dataflow library
357ee08
@jketema
Convert A27-0-4 to use the new dataflow library
30114c5
@jketema
Convert A5-0-4 to use the new dataflow library
d313bf2
@jketema
Merge pull request #920 from jketema/jketema/dataflow
500e96a 
Convert a number of queries to use the new dataflow library
@jketema
Update expected test results for MSC33-C
8529fbb
@jketema
Merge pull request #921 from jketema/jketema/dataflow
363faea 
Update expected test results for MSC33-C
@jketema
Create temporary copies of parts of the concurrency library
012ac3d 
These use the new dataflow library
@jketema
Convert CON30-C to use the new dataflow library
22b8860
@jketema
Convert CON34-C to the new dataflow library
0a846c7 
Since the new dataflow library uses use-use dataflow and not def-use dataflow,
we now need to check for definitions. Note that these queries can probably be
improved by using a dataflow configuration - possibly limited to the local
context of a function by including `DataFlow::FeatureEqualSourceSinkCallContext`
@jketema
Move queries not depending on dataflow over to ConcurrencyNew
1c1f3fb
@jketema
Convert UseOnlyArrayIndexingForPointerArithmetic to use the new dataf…
3ba33c0 
…low library
@jketema
Convert StringNumberConversionMissingErrorCheck to use the new datafl…
e2d44a6 
…ow library
jketema and others added 22 commits February 20, 2026 17:05
@jketema
Merge pull request #1041 from paldepind/revert-accept-changes-after-2…
09d1e3a 
…1313

Revert "C++: Accept test changes after github/codeql#21313."
@jketema
Merge pull request #1042 from jketema/jketema/softfloat
3bc45b8 
Update test expectations after switch to SoftFloat library in the extractor
@jketema
Revert "Merge pull request #1042 from jketema/jketema/softfloat"
b883139 
This reverts commit 3bc45b8, reversing
changes made to 09d1e3a.
@jketema
Merge pull request #1055 from jketema/jketema/softfloat-revert
330fc79 
Revert SoftFloat changes
@jketema
Merge branch 'main' into next
0be4a82
@jketema
Update expected test results
a7b10a1
@jketema
Reapply "Merge pull request #1042 from jketema/jketema/softfloat"
bfc504c 
This reverts commit b883139.
@jketema
Merge pull request #1118 from jketema/softfloat
863046b 
Reapply "Merge pull request #1042 from jketema/jketema/softfloat"
@jketema
Update type alias class names
08b109d
@jketema
Merge pull request #1131 from jketema/jketema/alias-template
9c6f08c 
Update type alias class names
@jketema
Update expected test results
da5f262
@jketema
Update references to deprecated classes
4349da6
@jketema
Update references to deprecated classes
99a5245
@mbaluda
Use the new dataflow module wherever possible without affecting any t…
a568bf4 
…est behavior

- Updated various QL files to replace deprecated 'DataFlow' and 'TaintTracking' imports with 'new.DataFlow' and 'new.TaintTracking'.
- Removed warnings related to deprecated modules in test expectations for affected rules.
@mbaluda
Refactor imports to use the updated DataFlow module in CleanUpThreadS…
ec7adb3 
…pecificStorage and AccessOfUndefinedMemberThroughUninitializedStaticPointer
@mbaluda
Fix import path for DataFlow module in PlacementNewNotProperlyAligned…
db5cd46 
….qll
@mbaluda
Update expected warnings to reflect deprecation of DataFlow and Taint…
c733b75 
…Tracking modules
@mbaluda
Merge branch 'main' into mbaluda-new-dataflow
a0d501e
@mbaluda
Revert "Update type alias class names"
d76a183 
This reverts commit 08b109d.
@mbaluda
Add .qlx files to .gitignore for CodeQL build artifacts
9a3ee4c
@mbaluda
Update CodeQL to versions v2.23.3
0b206ff
@mbaluda
Merge branch 'mbaluda-new-dataflow' into mbaluda-next
ed7bd0f
GitHub Advanced Security started work on behalf of mbaluda June 24, 2026 21:27 View session
GitHub Advanced Security finished work on behalf of mbaluda June 24, 2026 21:28
GitHub Advanced Security started work on behalf of mbaluda June 24, 2026 21:35 View session
GitHub Advanced Security finished work on behalf of mbaluda June 24, 2026 21:36
GitHub Advanced Security started work on behalf of mbaluda June 24, 2026 22:24 View session
GitHub Advanced Security finished work on behalf of mbaluda June 24, 2026 22:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mbaluda @jketema @IdrissRio @MathiasVP @paldepind