Merge branch 'main' into rp/fix-789

.github/workflows/code-scanning-pack-gen.yml

@@ -68,15 +68,17 @@ jobs:
       - name: Determine ref for external help files
         id: determine-ref
         run: |
-          if [[ $GITHUB_EVENT_NAME == "pull_request" || $GITHUB_EVENT_NAME == "merge_group" ]]; then
-            echo "EXTERNAL_HELP_REF=$GITHUB_HEAD_REF" >> "$GITHUB_ENV"
+          if [[ $GITHUB_EVENT_NAME == "pull_request" ]]; then
+            EXTERNAL_HELP_REF="${{ github.event.pull_request.base.ref }}"
+          elif [[ $GITHUB_EVENT_NAME == "merge_group" ]]; then
+            EXTERNAL_HELP_REF="${{ github.event.merge_group.base_ref }}"
           else
-            echo "EXTERNAL_HELP_REF=$GITHUB_REF" >> "$GITHUB_ENV"
+            EXTERNAL_HELP_REF="$GITHUB_REF"
           fi
+          echo "EXTERNAL_HELP_REF=$EXTERNAL_HELP_REF" >> "$GITHUB_ENV"
           echo "Using ref $EXTERNAL_HELP_REF for external help files."
 
       - name: Checkout external help files
-        continue-on-error: true
         id: checkout-external-help-files
         uses: actions/checkout@v4
         with:

c/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT

c/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards-tests
-version: 2.38.0-dev
+version: 2.39.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/common/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 license: MIT
 dependencies:
   codeql/common-cpp-coding-standards: '*'

c/common/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-c-coding-standards-tests
-version: 2.38.0-dev
+version: 2.39.0-dev
 extractor: cpp
 license: MIT
 dependencies:

c/misra/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-c-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 description: MISRA C 2012
 suites: codeql-suites
 license: MIT

c/misra/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-c-coding-standards-tests
-version: 2.38.0-dev
+version: 2.39.0-dev
 extractor: cpp
 license: MIT
 dependencies:

change_notes/2024-10-22-fix-fp-m6-5-3.md

@@ -0,0 +1,2 @@
+- `M6-5-3` - `Loops.qll`:
+  - Fixes #755. Specifies that the access to the loop counter must be via non-const address.

cpp/autosar/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/autosar-cpp-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 description: AUTOSAR C++14 Guidelines R22-11, R21-11, R20-11, R19-11 and R19-03
 suites: codeql-suites
 license: MIT

cpp/autosar/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/autosar-cpp-coding-standards-tests
-version: 2.38.0-dev
+version: 2.39.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/autosar/test/rules/A18-1-1/test.cpp

@@ -11,6 +11,6 @@ int test_c_arrays() {
   int x[100];                 // NON_COMPLIANT
   constexpr int a[]{0, 1, 2}; // NON_COMPLIANT
 
-  __func__; // COMPLAINT
+  __func__; // COMPLIANT
   return 0;
-}
+}

cpp/autosar/test/rules/M6-5-3/LoopCounterModifiedWithinStatement.expected

@@ -2,3 +2,4 @@
 | test.cpp:25:35:25:35 | x | Loop counters should not be modified within a statement in a for loop. |
 | test.cpp:36:5:36:5 | x | Loop counters should not be modified within a statement in a for loop. |
 | test.cpp:43:9:43:9 | i | Loop counters should not be modified within a statement in a for loop. |
+| test.cpp:93:15:93:15 | i | Loop counters should not be modified within a statement in a for loop. |

cpp/autosar/test/rules/M6-5-3/test.cpp

@@ -43,3 +43,54 @@ void test_loop_counter_mod_in_side_effect() {
     inc(i); // NON_COMPLIANT - modifies `i`
   }
 }
+
+void test_loop_counter_reference_mod_in_condition() {
+  auto loop = [](int &i) {
+    for (; (i++ < 10); i++) { // NON_COMPLIANT
+    }
+  };
+  int i = 0;
+  loop(i);
+}
+
+void test_loop_counter_reference_mod() {
+  auto loop = [](int &i) {
+    for (; i < 10; i++) { // COMPLIANT
+    }
+  };
+  int i = 0;
+  loop(i);
+}
+
+void test_loop_const_reference() {
+  auto loop = []([[maybe_unused]] int const &i) {
+    for (int i = 0; i < 10; i++) { // COMPLIANT
+    }
+  };
+  int i = 0;
+  loop(i);
+}
+
+void test_loop_counter_reference_mod_in_statement() {
+  auto loop = [](int &i) {
+    for (; (i < 10); i++) {
+      i++; // NON_COMPLIANT
+    }
+  };
+  int i = 0;
+  loop(i);
+}
+
+int const_reference(int const &i) { return i; }
+
+int reference(int &i) { return i; }
+
+int copy(int i) { return i; }
+
+void test_pass_argument_by() {
+  for (int i = 0; i < 10; i++) {
+    const_reference(i); // COMPLIANT
+    reference(i);       // NON_COMPLIANT
+    copy(i);            // COMPLIANT
+  }
+}

cpp/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-cpp-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 description: CERT C++ 2016
 suites: codeql-suites
 license: MIT

cpp/cert/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-cpp-coding-standards-tests
-version: 2.38.0-dev
+version: 2.39.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/common/src/codingstandards/cpp/Loops.qll

@@ -204,7 +204,7 @@ predicate isLoopCounterModifiedInCondition(ForStmt forLoop, VariableAccess loopC
   loopCounterAccess = getAnIterationVariable(forLoop).getAnAccess() and
   (
     loopCounterAccess.isModified() or
-    loopCounterAccess.isAddressOfAccess()
+    loopCounterAccess.isAddressOfAccessNonConst()
   )
 }
 
@@ -219,7 +219,7 @@ predicate isLoopCounterModifiedInStatement(
   loopCounterAccess = loopCounter.getAnAccess() and
   (
     loopCounterAccess.isModified() or
-    loopCounterAccess.isAddressOfAccess()
+    loopCounterAccess.isAddressOfAccessNonConst()
   ) and
   forLoop.getStmt().getChildStmt*() = loopCounterAccess.getEnclosingStmt()
 }

cpp/common/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-cpp-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 license: MIT
 dependencies:
   codeql/cpp-all: 0.12.9

cpp/common/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/common-cpp-coding-standards-tests
-version: 2.38.0-dev
+version: 2.39.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/misra/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-cpp-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 description: MISRA C++ 2023
 default-suite: codeql-suites/misra-cpp-default.qls
 license: MIT

cpp/misra/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/misra-cpp-coding-standards-tests
-version: 2.38.0-dev
+version: 2.39.0-dev
 extractor: cpp
 license: MIT
 dependencies:

cpp/report/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/report-cpp-coding-standards
-version: 2.38.0-dev
+version: 2.39.0-dev
 license: MIT
 dependencies:
   codeql/cpp-all: 0.12.9

docs/user_manual.md

@@ -33,14 +33,14 @@
 
 ## Release information
 
-This user manual documents release `2.38.0-dev` of the coding standards located at [https://github.com/github/codeql-coding-standards](https://github.com/github/codeql-coding-standards).
+This user manual documents release `2.39.0-dev` of the coding standards located at [https://github.com/github/codeql-coding-standards](https://github.com/github/codeql-coding-standards).
 The release page documents the release notes and contains the following artifacts part of the release:
 
 - `coding-standards-codeql-packs-2.37.0-dev.zip`: CodeQL packs that can be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_.
-- `code-scanning-cpp-query-pack-2.38.0-dev.zip`: Legacy packaging for the queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_.
-- `supported_rules_list_2.38.0-dev.csv`: A Comma Separated File (CSV) containing the supported rules per standard and the queries that implement the rule.
-- `supported_rules_list_2.38.0-dev.md`: A Markdown formatted file with a table containing the supported rules per standard and the queries that implement the rule.
-- `user_manual_2.38.0-dev.md`: This user manual.
+- `code-scanning-cpp-query-pack-2.39.0-dev.zip`: Legacy packaging for the queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_.
+- `supported_rules_list_2.39.0-dev.csv`: A Comma Separated File (CSV) containing the supported rules per standard and the queries that implement the rule.
+- `supported_rules_list_2.39.0-dev.md`: A Markdown formatted file with a table containing the supported rules per standard and the queries that implement the rule.
+- `user_manual_2.39.0-dev.md`: This user manual.
 - `Source Code (zip)`: A zip archive containing the contents of https://github.com/github/codeql-coding-standards
 - `Source Code (tar.gz)`: A GZip compressed tar archive containing the contents of https://github.com/github/codeql-coding-standards
 - `checksums.txt`: A text file containing sha256 checksums for the aforementioned artifacts.
@@ -573,7 +573,7 @@ This section describes known failure modes for "CodeQL Coding Standards" and des
 |                              | Out of space                                                                                                                                                       | Less output. Some files may be only be partially analyzed, or not analyzed at all.                                                                        | Error reported on the command line.                                                                                                                                                                                                                                                                                                  | Increase space. If it remains an issue report space consumption issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                            |
 |                              | False positives                                                                                                                                                    | More output. Results are reported which are not violations of the guidelines.                                                                             | All reported results must be reviewed.                                                                                                                                                                                                                                                                                               | Report false positive issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                                                                      |
 |                              | False negatives                                                                                                                                                    | Less output. Violations of the guidelines are not reported.                                                                                               | Other validation and verification processes during software development should be used to complement the analysis performed by CodeQL Coding Standards.                                                                                                                                                                              | Report false negative issues via the CodeQL Coding Standards [bug tracker](https://github.com/github/codeql-coding-standards/issues).                                                                                                                                                                                                                                      |
-|                              | Modifying coding standard suite                                                                                                                                    | More or less output. If queries are added to the query set more result can be reported. If queries are removed less results might be reported.            | All queries supported by the CodeQL Coding Standards are listed in the release artifacts `supported_rules_list_2.38.0-dev.csv` where VERSION is replaced with the used release. The rules in the resulting Sarif file must be cross-referenced with the expected rules in this list to determine the validity of the used CodeQL suite. | Ensure that the CodeQL Coding Standards are not modified in ways that are not documented as supported modifications.                                                                                                                                                                                                                                                    |
+|                              | Modifying coding standard suite                                                                                                                                    | More or less output. If queries are added to the query set more result can be reported. If queries are removed less results might be reported.            | All queries supported by the CodeQL Coding Standards are listed in the release artifacts `supported_rules_list_2.39.0-dev.csv` where VERSION is replaced with the used release. The rules in the resulting Sarif file must be cross-referenced with the expected rules in this list to determine the validity of the used CodeQL suite. | Ensure that the CodeQL Coding Standards are not modified in ways that are not documented as supported modifications.                                                                                                                                                                                                                                                    |
 |                              | Incorrect deviation record specification                                                                                                                           | More output. Results are reported for guidelines for which a deviation is assigned.                                                                       | Analysis integrity report lists all deviations and incorrectly specified deviation records with a reason. Ensure that all deviation records are correctly specified.                                                                                                                                                                 | Ensure that the deviation record is specified according to the specification in the user manual.                                                                                                                                                                                                                                                                           |
 |                              | Incorrect deviation permit specification                                                                                                                           | More output. Results are reported for guidelines for which a deviation is assigned.                                                                       | Analysis integrity report lists all deviations and incorrectly specified deviation permits with a reason. Ensure that all deviation permits are correctly specified.                                                                                                                                                                 | Ensure that the deviation record is specified according to the specification in the user manual.                                                                                                                                                                                                                                                                           |
 |                              | Unapproved use of a deviation record                                                                                                                               | Less output. Results for guideline violations are not reported.                                                                                           | Validate that the deviation record use is approved by verifying the approved-by attribute of the deviation record specification.                                                                                                                                                                                                     | Ensure that each raised deviation record is approved by an independent approver through an auditable process.                                                                                                                                                                                                                                                              |