Skip to content

Merge branch next and update CodeQL to v2.23.3#1149

Open
mbaluda wants to merge 152 commits into
mainfrom
mbaluda-next
Open

Merge branch next and update CodeQL to v2.23.3#1149
mbaluda wants to merge 152 commits into
mainfrom
mbaluda-next

Conversation

@mbaluda

@mbaluda mbaluda commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Description

This pull request upgrades CodeQL dependencies, updates dataflow and concurrency imports to use newer modules, and refines several rule implementations for improved accuracy and maintainability. The changes ensure compatibility with the latest CodeQL libraries and enhance the precision of certain queries.

Dependency and Import Upgrades:

  • Upgraded codeql/cpp-all to version 6.0.0 and updated several other CodeQL dependencies to their latest versions in both qlpack.yml and codeql-pack.lock.yml. Also added codeql/controlflow as a new dependency. [1] [2]
  • Replaced imports of semmle.code.cpp.dataflow.DataFlow and semmle.code.cpp.dataflow.TaintTracking with semmle.code.cpp.dataflow.new.DataFlow and semmle.code.cpp.dataflow.new.TaintTracking across all rule files, ensuring use of the latest dataflow libraries. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
  • Updated concurrency-related imports from codingstandards.cpp.Concurrency to codingstandards.cpp.ConcurrencyNew throughout the codebase. [1] [2] [3] [4] [5] [6] [7]

These changes collectively modernize the codebase, improve compatibility with the latest CodeQL features, and enhance the precision and maintainability of CERT C rules.

Change request type

  • Release or process automation (GitHub workflows, internal scripts)
  • Internal documentation
  • External documentation
  • Query files (.ql, .qll, .qls or unit tests)
  • External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

  • No rules added
  • Queries have been added for the following rules:
    • rule number here
  • Queries have been modified for the following rules:
    • Several queries have been refactored to compile with CodeQL v2.23.3

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

  • The structure or layout of the release artifacts.
  • The evaluation performance (memory, execution time) of an existing query.
  • The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

  • Yes
  • No

🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.

  • Confirmed

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

  • Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

Reviewer

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

jketema and others added 30 commits March 6, 2025 13:52
@jketema
Update expected test results after frontend update
1c82682
@jketema
Merge pull request #865 from jketema/frontend-update
ce14612 
Update expected test results after frontend update
@jketema
Merge branch 'main' into next
d6b55ca
@jketema
Update MISRA queries and tests after merging location tables
f07f569
@jketema
Merge pull request #915 from jketema/loc-table-merge
3b4a91c 
Update MISRA queries and tests after merging location tables
@IdrissRio
C++: accept new test results after QL changes
67adebb
@jketema
Merge pull request #916 from IdrissRio/next
60c2e05 
C++: accept new test results after QL changes
@jketema
Merge remote-tracking branch 'upstream/main' into next
740bcd0
@jketema
Comvert ARR37-C to use the new dataflow library
2089bcd
@jketema
Conver ARR39-C to the new dataflow library
cf1b625 
Observe that `sizeof(...)` might not occur as a dataflow node if it has a
parent node with a concrete value. That value will be a dataflow node instead.
Hence, the query has be changed to check for expressions where `sizeof(...)`
is a child of an expression with a concrete value.
@jketema
Convert ERR30-C to use the new dataflow library
8d73f3b
@jketema
Convert FIO45-C to use the new dataflow library
7a1577e
@jketema
Convert EXP36-C to the new datafow library
c5c6c58 
Note that we now properly report the offending cast instead of the expression
that is being cast.
@jketema
Convert MSC33-C to the new dataflow library
8fdea49 
As it is the dataflow used by `asctime` that is relevant, and not the pointer,
use the indirect expression.
@jketema
Convert MSC51-CPP to the new dataflow library
3289621
@jketema
Convert CTR56-CPP to the new dataflow library
d20cd3a
@jketema
Convert EXP51-CPP ot use the new dataflow library
77e8e0e
@jketema
Conver M3-9-3 to use the new dataflow library
57b6091
@jketema
Convert A9-3-1 to use the new dataflow library
357ee08
@jketema
Convert A27-0-4 to use the new dataflow library
30114c5
@jketema
Convert A5-0-4 to use the new dataflow library
d313bf2
@jketema
Merge pull request #920 from jketema/jketema/dataflow
500e96a 
Convert a number of queries to use the new dataflow library
@jketema
Update expected test results for MSC33-C
8529fbb
@jketema
Merge pull request #921 from jketema/jketema/dataflow
363faea 
Update expected test results for MSC33-C
@jketema
Create temporary copies of parts of the concurrency library
012ac3d 
These use the new dataflow library
@jketema
Convert CON30-C to use the new dataflow library
22b8860
@jketema
Convert CON34-C to the new dataflow library
0a846c7 
Since the new dataflow library uses use-use dataflow and not def-use dataflow,
we now need to check for definitions. Note that these queries can probably be
improved by using a dataflow configuration - possibly limited to the local
context of a function by including `DataFlow::FeatureEqualSourceSinkCallContext`
@jketema
Move queries not depending on dataflow over to ConcurrencyNew
1c1f3fb
@jketema
Convert UseOnlyArrayIndexingForPointerArithmetic to use the new dataf…
3ba33c0 
…low library
@jketema
Convert StringNumberConversionMissingErrorCheck to use the new datafl…
e2d44a6 
…ow library
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 08:36 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 08:36
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 08:55 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 08:55
@mbaluda mbaluda changed the title Mbaluda next Merge branch next and update CodeQL to v2.23.3 Jun 25, 2026
@mbaluda
Add change note
056c20b 
Add change note.
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 11:32 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 11:32
@mbaluda mbaluda marked this pull request as ready for review June 25, 2026 15:05
@mbaluda mbaluda requested review from a team and Copilot June 25, 2026 15:05
Copilot AI reviewed Jun 25, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repository to target CodeQL CLI v2.23.3 (including upgrading CodeQL packs such as codeql/cpp-all), migrates many queries to newer dataflow/concurrency modules, and refreshes test expectations accordingly.

Changes:

  • Bump CodeQL CLI support and upgrade CodeQL pack dependencies/lockfiles (notably codeql/cpp-all: 6.0.0).
  • Migrate multiple C/C++ queries to semmle.code.cpp.dataflow.new.* and codingstandards.cpp.ConcurrencyNew.
  • Update unit tests and .expected outputs to reflect new library behavior and warning/output changes.

Checklist items not satisfied / uncertain:

  • Change note exists but is incorrect (mentions 2.16.6 instead of 2.23.3).
  • Shared query output format validation in VS Code: not confirmed here.
  • Performance/results validation (OpenPilot) is not evidenced here.
Show a summary per file
File Description
supported_codeql_configs.json Bump supported CodeQL CLI to 2.23.3.
scripts/generate_modules/queries/qlpack.yml Upgrade generator pack dependency versions.
scripts/generate_modules/queries/codeql-pack.lock.yml Refresh generator pack lockfile deps.
cpp/report/src/qlpack.yml Upgrade report pack dependency versions.
cpp/report/src/codeql-pack.lock.yml Refresh report pack lockfile deps.
cpp/misra/test/rules/RULE-8-2-8/test.cpp Adjust MISRA test annotations.
cpp/misra/test/rules/RULE-8-2-8/PointerToIntegralCast.expected Update expected findings for RULE-8-2-8.
cpp/misra/test/rules/RULE-19-2-2/test.cpp Update include-directive test annotation.
cpp/misra/test/rules/RULE-19-2-2/InvalidIncludeDirective.expected Add expected finding for new test case.
cpp/misra/test/rules/RULE-15-1-3/NonExplicitConversionMember.expected Update expected operator text.
cpp/misra/test/codeql-pack.lock.yml Refresh MISRA test pack lockfile deps.
cpp/misra/src/rules/RULE-8-7-1/PointerArithmeticFormsAnInvalidPointer.ql Update import to newer SSA internals module.
cpp/misra/src/rules/RULE-0-1-1/UnnecessaryWriteToLocalObject.ql Migrate to dataflow.new import.
cpp/misra/src/qlpack.yml Upgrade MISRA pack dependency versions.
cpp/misra/src/codeql-pack.lock.yml Refresh MISRA pack lockfile deps.
cpp/common/test/rules/unusedtypedeclarations/UnusedTypeDeclarations.expected Update expected locations/results.
cpp/common/test/rules/unusedtypedeclarations/test.cpp Adjust unused-type test annotations.
cpp/common/test/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.expected Update path-problem graph output.
cpp/common/test/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.expected Update expected node selection.
cpp/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected Update path-problem graph output.
cpp/common/test/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.expected Update expected results (dedup).
cpp/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected Update path-problem graph output.
cpp/common/test/codeql-pack.lock.yml Refresh common C++ test pack lockfile deps.
cpp/common/src/qlpack.yml Upgrade common C++ pack dependency versions.
cpp/common/src/codingstandards/cpp/standardlibrary/STLContainers.qll Switch to newer taint tracking module.
cpp/common/src/codingstandards/cpp/standardlibrary/FileStreams.qll Switch to newer taint tracking module.
cpp/common/src/codingstandards/cpp/SmartPointers.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/wrapspuriousfunctioninloop/WrapSpuriousFunctionInLoop.qll Switch to ConcurrencyNew.
cpp/common/src/codingstandards/cpp/rules/useonlyarrayindexingforpointerarithmetic/UseOnlyArrayIndexingForPointerArithmetic.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/unusedtypedeclarations/UnusedTypeDeclarations.qll Update template-parameter type usage.
cpp/common/src/codingstandards/cpp/rules/unsignedoperationwithconstantoperandswraps/UnsignedOperationWithConstantOperandsWraps.qll Update guard-condition logic.
cpp/common/src/codingstandards/cpp/rules/unnecessaryexposedidentifierdeclarationshared/UnnecessaryExposedIdentifierDeclarationShared.qll Update template-parameter type usage.
cpp/common/src/codingstandards/cpp/rules/throwingoperatornewreturnsnull/ThrowingOperatorNewReturnsNull.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/stringnumberconversionmissingerrorcheck/StringNumberConversionMissingErrorCheck.qll Switch to newer taint tracking module.
cpp/common/src/codingstandards/cpp/rules/preventdeadlockbylockinginpredefinedorder/PreventDeadlockByLockingInPredefinedOrder.qll Switch to ConcurrencyNew.
cpp/common/src/codingstandards/cpp/rules/preservesafetywhenusingconditionvariables/PreserveSafetyWhenUsingConditionVariables.qll Switch to ConcurrencyNew.
cpp/common/src/codingstandards/cpp/rules/predicatefunctionobjectsshouldnotbemutable/PredicateFunctionObjectsShouldNotBeMutable.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/placementnewnotproperlyaligned/PlacementNewNotProperlyAligned.qll Remove unused deprecated dataflow import.
cpp/common/src/codingstandards/cpp/rules/placementnewinsufficientstorage/PlacementNewInsufficientStorage.qll Remove unused deprecated dataflow import.
cpp/common/src/codingstandards/cpp/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.qll Switch to newer taint tracking module.
cpp/common/src/codingstandards/cpp/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/nonvoidfunctiondoesnotreturn/NonVoidFunctionDoesNotReturn.qll Update template-parameter type usage.
cpp/common/src/codingstandards/cpp/rules/nonconstantformat/NonConstantFormat.qll Switch to newer taint tracking module.
cpp/common/src/codingstandards/cpp/rules/multipleglobalormemberdeclarators/MultipleGlobalOrMemberDeclarators.qll Update template-parameter type usage.
cpp/common/src/codingstandards/cpp/rules/movedfromobjectsunspecifiedstate/MovedFromObjectsUnspecifiedState.qll Update dataflow modeling to new API.
cpp/common/src/codingstandards/cpp/rules/joinordetachthreadonlyonce/JoinOrDetachThreadOnlyOnce.qll Switch to ConcurrencyNew.
cpp/common/src/codingstandards/cpp/rules/iofstreammissingpositioning/IOFstreamMissingPositioning.qll Switch to newer taint tracking module.
cpp/common/src/codingstandards/cpp/rules/invalidatedenvstringpointers/InvalidatedEnvStringPointers.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/guardaccesstobitfields/GuardAccessToBitFields.qll Switch to ConcurrencyNew.
cpp/common/src/codingstandards/cpp/rules/functionerroneousreturnvaluenottested/FunctionErroneousReturnValueNotTested.qll Update guard-condition logic + dataflow.
cpp/common/src/codingstandards/cpp/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.qll Switch to dataflow.new + add barrier.
cpp/common/src/codingstandards/cpp/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.qll Switch to dataflow.new + add barrier.
cpp/common/src/codingstandards/cpp/rules/donotpassaliasedpointertorestrictqualifiedparamshared/DoNotPassAliasedPointerToRestrictQualifiedParamShared.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/donotaccessaclosedfile/DoNotAccessAClosedFile.qll Update dataflow modeling to new API.
cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenreturninglambdaobject/DanglingCaptureWhenReturningLambdaObject.qll Update dataflow modeling to new API.
cpp/common/src/codingstandards/cpp/rules/danglingcapturewhenmovinglambdaobject/DanglingCaptureWhenMovingLambdaObject.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/containeraccesswithoutrangecheck/ContainerAccessWithoutRangeCheck.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/constlikereturnvalue/ConstLikeReturnValue.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/rules/basicstringmaynotbenullterminated/BasicStringMayNotBeNullTerminated.qll Switch to new taint/dataflow nodes.
cpp/common/src/codingstandards/cpp/ReadErrorsAndEOF.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/Overflow.qll Adjust taint-tracking import visibility.
cpp/common/src/codingstandards/cpp/OutOfBounds.qll Remove unused deprecated dataflow import.
cpp/common/src/codingstandards/cpp/Loops.qll Update unknown-location handling logic.
cpp/common/src/codingstandards/cpp/Iterators.qll Switch to new taint tracking + imports.
cpp/common/src/codingstandards/cpp/Identifiers.qll Update template-parameter type usage.
cpp/common/src/codingstandards/cpp/FgetsErrorManagement.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/Expr.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/deadcode/UnusedVariables.qll Update template-parameter type usage.
cpp/common/src/codingstandards/cpp/ConstHelpers.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/ConcurrencyNew.qll New module aggregating updated concurrency libs.
cpp/common/src/codingstandards/cpp/concurrency/ThreadSpecificStorageNew.qll New TSS modeling using dataflow.new.
cpp/common/src/codingstandards/cpp/Allocations.qll Switch to dataflow.new import.
cpp/common/src/codingstandards/cpp/AccessPath.qll Switch to dataflow.new import.
cpp/common/src/codeql-pack.lock.yml Refresh common C++ pack lockfile deps.
cpp/cert/test/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.expected Remove deprecation warnings from expected output.
cpp/cert/test/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.expected Remove deprecation warnings from expected output.
cpp/cert/test/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.expected Refresh path-problem graph output.
cpp/cert/test/rules/CTR53-CPP/UseValidIteratorRanges.expected Remove deprecation warnings from expected output.
cpp/cert/test/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.expected Remove deprecation warnings from expected output.
cpp/cert/test/codeql-pack.lock.yml Refresh CERT C++ test pack lockfile deps.
cpp/cert/src/rules/MSC51-CPP/BadlySeededRandomNumberGenerator.ql Switch to newer taint tracking module.
cpp/cert/src/rules/MEM52-CPP/DetectAndHandleMemoryAllocationErrors.ql Switch to dataflow.new + update guard checks.
cpp/cert/src/rules/EXP50-CPP/DoNotDependOnTheOrderOfEvaluationForSideEffectsInFunctionCallsAsFunctionArguments.ql Remove unused deprecated dataflow import.
cpp/cert/src/rules/CTR56-CPP/DoNotUsePointerArithmeticOnPolymorphicObjects.ql Switch to dataflow.new import.
cpp/cert/src/rules/CTR55-CPP/DoNotUseAnAdditiveOperatorOnAnIterator.ql Update guard-node casting for new libs.
cpp/cert/src/rules/CTR53-CPP/UseValidIteratorRanges.ql Switch to dataflow.new import.
cpp/cert/src/rules/CTR52-CPP/GuaranteeGenericCppLibraryFunctionsDoNotOverflow.ql Switch to newer taint tracking module.
cpp/cert/src/rules/CON56-CPP/LockedALockedNonRecursiveMutexAudit.ql Switch to ConcurrencyNew.
cpp/cert/src/rules/CON56-CPP/DoNotSpeculativelyLockALockedNonRecursiveMutex.ql Switch to ConcurrencyNew.
cpp/cert/src/qlpack.yml Upgrade CERT C++ pack dependency versions.
cpp/cert/src/codeql-pack.lock.yml Refresh CERT C++ pack lockfile deps.
cpp/autosar/test/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A7-5-1/InvalidFunctionReturnType.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A5-1-7/LambdaPassedToTypeid.expected Refresh path-problem graph output.
cpp/autosar/test/rules/A5-1-7/LambdaPassedToDecltype.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.expected Refresh path-problem graph output.
cpp/autosar/test/rules/A27-0-4/CStyleStringsUsed.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A15-1-3/ThrownExceptionsShouldBeUnique.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A13-5-3/UserDefinedConversionOperatorsShouldNotBeUsed.expected Update expected operator text.
cpp/autosar/test/rules/A13-2-1/AssignmentOperatorReturnThis.expected Remove deprecation warnings from expected output.
cpp/autosar/test/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.expected Remove deprecation warnings from expected output.
cpp/autosar/test/codeql-pack.lock.yml Refresh AUTOSAR test pack lockfile deps.
cpp/autosar/src/rules/M9-3-1/ConstMemberFunctionReturnsNonConstPointer.ql Switch to dataflow.new + update node modeling.
cpp/autosar/src/rules/M5-0-17/PointerSubtractionOnDifferentArrays.ql Switch to dataflow.new + add barrier.
cpp/autosar/src/rules/M3-9-3/UnderlyingBitRepresentationsOfFloatingPointValuesUsed.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A9-3-1/ReturnsNonConstRawPointersOrReferencesToPrivateOrProtectedData.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A8-4-9/InOutParametersDeclaredAsTNotModified.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A8-4-12/UniquePtrPassedToFunctionWithImproperSemantics.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A8-4-11/SmartPointerAsParameterWithoutLifetimeSemantics.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A7-5-1/InvalidFunctionReturnType.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A5-1-7/LambdaPassedToTypeid.ql Switch to dataflow.new + sink modeling.
cpp/autosar/src/rules/A5-1-7/LambdaPassedToDecltype.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A5-0-4/PointerArithmeticUsedWithPointersToNonFinalClasses.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A4-7-1/IntegerExpressionLeadToDataLoss.ql Update guard-condition logic.
cpp/autosar/src/rules/A27-0-4/CStyleStringsUsed.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A20-8-4/SharedPointerUsedWithNoOwnershipSharing.ql Update dataflow modeling to new API.
cpp/autosar/src/rules/A18-9-4/ArgumentToForwardSubsequentlyUsed.ql Switch to dataflow.new + def node modeling.
cpp/autosar/src/rules/A15-2-2/ConstructorErrorLeavesObjectInInvalidState.ql Add global flow config for new/delete tracking.
cpp/autosar/src/rules/A15-1-3/ThrownExceptionsShouldBeUnique.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A13-2-1/AssignmentOperatorReturnThis.ql Switch to dataflow.new import.
cpp/autosar/src/rules/A13-1-3/UserDefinedLiteralsOperatorsShallOnlyPerformConversionOfPassedParameters.ql Switch to newer taint tracking module.
cpp/autosar/src/qlpack.yml Upgrade AUTOSAR pack dependency versions.
cpp/autosar/src/codeql-pack.lock.yml Refresh AUTOSAR pack lockfile deps.
change_notes/2026-06-25-upgrade-to-2.23.3.md Add change note for CodeQL upgrade.
c/misra/test/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.expected Remove deprecation warnings from expected output.
c/misra/test/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.expected Remove deprecation warnings from expected output.
c/misra/test/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.expected Remove deprecation warnings from expected output.
c/misra/test/rules/RULE-2-4/UnusedTagDeclaration.expected Update expected results after behavior change.
c/misra/test/rules/RULE-2-4/test.c Reformat comments / adjust annotations.
c/misra/test/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.expected Remove deprecation warnings from expected output.
c/misra/test/rules/RULE-13-2/UnsequencedAtomicReads.expected Remove deprecation warnings from expected output.
c/misra/test/codeql-pack.lock.yml Refresh MISRA C test pack lockfile deps.
c/misra/src/rules/RULE-22-7/EofShallBeComparedWithUnmodifiedReturnValues.ql Switch to dataflow.new import.
c/misra/src/rules/RULE-22-4/AttemptToWriteToAReadOnlyStream.ql Switch to dataflow.new import.
c/misra/src/rules/RULE-22-3/FileOpenForReadAndWriteOnDifferentStreams.ql Switch to dataflow.new import.
c/misra/src/rules/RULE-22-20/ThreadStoragePointerInitializedInsideThread.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-20/ThreadStorageNotInitializedBeforeUse.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-19/ConditionVariableUsedWithMultipleMutexes.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLockedAudit.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-18/NonRecursiveMutexRecursivelyLocked.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-17/InvalidOperationOnUnlockedMutex.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-15/ThreadResourceDisposedBeforeThreadsJoined.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-14/MutexNotInitializedBeforeUse.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-14/MutexInitWithInvalidMutexType.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-14/MutexInitializedInsideThread.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-13/ThreadingObjectWithInvalidStorageDuration.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-22-12/NonstandardUseOfThreadingObject.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-21-14/MemcmpUsedToCompareNullTerminatedStrings.ql Switch to new taint tracking + sinks.
c/misra/src/rules/RULE-18-6/ThreadLocalObjectAddressCopiedToGlobalObject.ql Switch to ConcurrencyNew.
c/misra/src/rules/RULE-17-5/ArrayFunctionArgumentNumberOfElements.ql Switch to dataflow.new + sink modeling.
c/misra/src/rules/RULE-13-2/UnsequencedAtomicReads.ql Switch to newer taint tracking module.
c/misra/src/rules/DIR-5-3/ThreadCreatedByThread.ql Switch to ConcurrencyNew.
c/misra/src/rules/DIR-5-3/BannedDynamicThreadCreation.ql Switch to ConcurrencyNew.
c/misra/src/qlpack.yml Upgrade MISRA C pack dependency versions.
c/misra/src/codeql-pack.lock.yml Refresh MISRA C pack lockfile deps.
c/common/test/rules/onlyfreememoryallocateddynamicallyshared/OnlyFreeMemoryAllocatedDynamicallyShared.expected Refresh path-problem graph output.
c/common/test/rules/donotuserelationaloperatorswithdifferingarrays/DoNotUseRelationalOperatorsWithDifferingArrays.expected Refresh path-problem graph output.
c/common/test/rules/donotsubtractpointersaddressingdifferentarrays/DoNotSubtractPointersAddressingDifferentArrays.expected Refresh path-problem graph output.
c/common/test/rules/constlikereturnvalue/ConstLikeReturnValue.expected Refresh path-problem graph output.
c/common/test/codeql-pack.lock.yml Refresh common C test pack lockfile deps.
c/common/src/qlpack.yml Upgrade common C pack dependency versions.
c/common/src/codingstandards/c/Signal.qll Switch to dataflow.new import.
c/common/src/codingstandards/c/OutOfBounds.qll Remove unused deprecated dataflow import.
c/common/src/codingstandards/c/initialization/GlobalInitializationAnalysis.qll Switch to ConcurrencyNew.
c/common/src/codingstandards/c/Extensions.qll Narrow/adjust extension detection logic.
c/common/src/codeql-pack.lock.yml Refresh common C pack lockfile deps.
c/cert/test/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.expected Remove deprecation warnings from expected output.
c/cert/test/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.expected Remove deprecation warnings from expected output.
c/cert/test/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.expected Remove deprecation warnings from expected output.
c/cert/test/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.expected Remove deprecation warnings from expected output.
c/cert/test/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.expected Refresh path-problem graph output.
c/cert/test/rules/MEM35-C/InsufficientMemoryAllocatedForObject.expected Update warning line locations/expected output.
c/cert/test/rules/INT31-C/test.c Update test annotations for conversions.
c/cert/test/rules/INT31-C/IntegerConversionCausesDataLoss.expected Add expected results for new cases.
c/cert/test/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.expected Remove deprecation warnings from expected output.
c/cert/test/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.expected Remove deprecation warnings from expected output.
c/cert/test/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.expected Remove deprecation warnings from expected output.
c/cert/test/rules/EXP30-C/DependenceOnOrderOfFunctionArgumentsForSideEffects.expected Remove deprecation warnings from expected output.
c/cert/test/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.expected Remove deprecation warnings from expected output.
c/cert/test/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.expected Remove deprecation warnings from expected output.
c/cert/test/rules/ERR30-C/SetlocaleMightSetErrno.expected Remove deprecation warnings from expected output.
c/cert/test/rules/ERR30-C/ErrnoReadBeforeReturn.expected Remove deprecation warnings from expected output.
c/cert/test/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.expected Refresh expected sink selection.
c/cert/test/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.expected Remove deprecation warnings from expected output.
c/cert/test/rules/CON34-C/AppropriateThreadObjectStorageDurations.expected Remove deprecation warnings from expected output.
c/cert/test/rules/CON30-C/CleanUpThreadSpecificStorage.expected Remove deprecation warnings from expected output.
c/cert/test/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.expected Refresh path-problem graph output.
c/cert/test/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.expected Refresh path-problem graph output.
c/cert/test/codeql-pack.lock.yml Refresh CERT C test pack lockfile deps.
c/cert/src/rules/STR31-C/StringsHasSufficientSpaceForTheNullTerminator.ql Switch to newer taint tracking module.
c/cert/src/rules/SIG35-C/DoNotReturnFromAComputationalExceptionHandler.ql Switch to dataflow.new import.
c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql Switch to dataflow.new import.
c/cert/src/rules/MSC33-C/DoNotPassInvalidDataToTheAsctimeFunction.ql Switch to dataflow.new + add sink helper.
c/cert/src/rules/MEM36-C/DoNotModifyAlignmentOfMemoryWithRealloc.ql Switch to dataflow.new import.
c/cert/src/rules/MEM35-C/InsufficientMemoryAllocatedForObject.ql Remove direct deprecated taint import.
c/cert/src/rules/FIO45-C/ToctouRaceConditionsWhileAccessingFiles.ql Switch to dataflow.new import.
c/cert/src/rules/FIO44-C/OnlyUseValuesForFsetposThatAreReturnedFromFgetpos.ql Switch to dataflow.new + new node modeling.
c/cert/src/rules/FIO40-C/ResetStringsOnFgetsOrFgetwsFailure.ql Switch to dataflow.new import.
c/cert/src/rules/FIO37-C/SuccessfulFgetsOrFgetwsMayReturnAnEmptyString.ql Switch to dataflow.new import.
c/cert/src/rules/EXP40-C/DoNotModifyConstantObjects.ql Switch to dataflow.new import.
c/cert/src/rules/EXP37-C/DoNotCallFunctionPointerWithIncompatibleType.ql Switch to dataflow.new + add type guard.
c/cert/src/rules/EXP36-C/DoNotCastPointerToMoreStrictlyAlignedPointerType.ql Switch to dataflow.new import.
c/cert/src/rules/EXP30-C/DependenceOnOrderOfFunctionArgumentsForSideEffects.ql Switch to newer taint tracking module.
c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql Update implicit comparison modeling.
c/cert/src/rules/ERR33-C/DetectAndHandleStandardLibraryErrors.ql Switch to dataflow.new import.
c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql Switch to dataflow.new import.
c/cert/src/rules/ERR30-C/SetlocaleMightSetErrno.ql Switch to dataflow.new import.
c/cert/src/rules/ERR30-C/ErrnoReadBeforeReturn.ql Switch to dataflow.new import.
c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql Switch to dataflow.new + new sink modeling.
c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql Switch to ConcurrencyNew.
c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql Switch to ConcurrencyNew.
c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql Switch to ConcurrencyNew.
c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql Switch to ConcurrencyNew + dataflow.new.
c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql Switch to ConcurrencyNew + dataflow.new.
c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql Switch to ConcurrencyNew.
c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql Switch to ConcurrencyNew + dataflow.new and refactor flow config.
c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql Switch to newer taint tracking + refine scaled expr.
c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql Switch to dataflow.new import.
c/cert/src/qlpack.yml Upgrade CERT C pack dependency versions.
c/cert/src/codeql-pack.lock.yml Refresh CERT C pack lockfile deps.
.gitignore Ignore *.qlx artifacts.

Copilot's findings

  • Files reviewed: 239/240 changed files
  • Comments generated: 7

Comment thread change_notes/2026-06-25-upgrade-to-2.23.3.md Outdated
Comment thread c/cert/src/rules/EXP16-C/DoNotCompareFunctionPointersToConstantValues.ql
Comment thread c/common/src/codingstandards/c/Extensions.qll
Comment thread cpp/common/src/codingstandards/cpp/Overflow.qll
Comment thread cpp/common/test/rules/unusedtypedeclarations/test.cpp Outdated
Comment thread cpp/common/src/qlpack.yml Outdated
Comment thread scripts/generate_modules/queries/qlpack.yml Outdated
@mbaluda
Potential fix for pull request finding
1cea4ea 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 15:17 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 15:18
@mbaluda
Potential fix for pull request finding
2031151 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 15:22 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 15:23
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 15:24 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 15:25
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 15:27 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 15:28
GitHub Advanced Security started work on behalf of mbaluda June 25, 2026 15:55 View session
GitHub Advanced Security finished work on behalf of mbaluda June 25, 2026 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mbaluda @jketema @IdrissRio @MathiasVP @paldepind