DO NOT MERGE test misra23

README.md

@@ -10,10 +10,15 @@ This repository contains CodeQL queries and libraries which support various Codi
 
 The following coding standards are supported:
 - [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems (Releases R22-11, R20-11, R19-11 and R19-03)](https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_RS_CPP14Guidelines.pdf). 
-- [MISRA C++:2008](https://www.misra.org.uk) (support limited to the rules specified in AUTOSAR).
 - [SEI CERT C++ Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=494932)
 - [SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition)](https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf)
-- [MISRA C 2012](https://www.misra.org.uk/product/misra-c2012-third-edition-first-revision/).
+- [MISRA C 2012, 3rd Edition, 1st revision](https://www.misra.org.uk/product/misra-c2012-third-edition-first-revision/) (incoporating Amendment 1 & Technical Corrigendum 1). In addition, we support the following additional amendments and technical corrigendums:
+   - [MISRA C 2012 Amendment 2](https://misra.org.uk/app/uploads/2021/06/MISRA-C-2012-AMD2.pdf)
+   - [MISRA C 2012 Technical Corrigendum 2](https://misra.org.uk/app/uploads/2022/04/MISRA-C-2012-TC2.pdf)
+
+## :construction: Standards under development :construction:
+
+- [MISRA C++ 2023](https://misra.org.uk/product/misra-cpp2023/) - under development _scheduled for release 2024 Q4_.
 
 ## How do I use the CodeQL Coding Standards Queries?
 

cpp/common/src/codingstandards/cpp/exclusions/cpp/DeadCode.qll

@@ -19,7 +19,8 @@ newtype DeadCodeQuery =
   TSingleUseLocalPODVariableQuery() or
   TSingleUseGlobalOrNamespacePODVariableQuery() or
   TSingleUseMemberPODVariableQuery() or
-  TDeadCodeQuery()
+  TDeadCodeQuery() or
+  TFunctionContainUnreachableStatementsQuery()
 
 predicate isDeadCodeQueryMetadata(Query query, string queryId, string ruleId, string category) {
   query =
@@ -165,6 +166,15 @@ predicate isDeadCodeQueryMetadata(Query query, string queryId, string ruleId, st
     "cpp/autosar/dead-code" and
   ruleId = "M0-1-9" and
   category = "required"
+  or
+  query =
+    // `Query` instance for the `functionContainUnreachableStatements` query
+    DeadCodePackage::functionContainUnreachableStatementsQuery() and
+  queryId =
+    // `@id` for the `functionContainUnreachableStatements` query
+    "cpp/misra/function-contain-unreachable-statements" and
+  ruleId = "RULE-0-0-1" and
+  category = "required"
 }
 
 module DeadCodePackage {
@@ -279,4 +289,11 @@ module DeadCodePackage {
       // `Query` type for `deadCode` query
       TQueryCPP(TDeadCodePackageQuery(TDeadCodeQuery()))
   }
+
+  Query functionContainUnreachableStatementsQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `functionContainUnreachableStatements` query
+      TQueryCPP(TDeadCodePackageQuery(TFunctionContainUnreachableStatementsQuery()))
+  }
 }

cpp/common/test/options

@@ -0,0 +1 @@
+semmle-extractor-options:--clang -std=c++17 -nostdinc++ -I../../../../common/test/includes/standard-library -I../../../../common/test/includes/custom-library

cpp/misra/src/codeql-suites/misra-default.qls

@@ -0,0 +1,10 @@
+- description: MISRA C++ 2023 (Default)
+- qlpack: codeql/misra-cpp-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+- exclude:
+    tags contain:
+    - external/misra/audit
+    - external/misra/default-disabled

cpp/misra/src/codeql-suites/misra-single-translation-unit.qls

@@ -0,0 +1,12 @@
+- description: MISRA C++ 2023 (Single Translation Unit)
+- qlpack: codeql/misra-cpp-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    tags contain:
+    - scope/single-translation-unit
+- exclude:
+    tags contain:
+    - external/misra/audit
+    - external/misra/default-disabled

cpp/misra/src/codingstandards/cpp/misra.qll

@@ -0,0 +1,4 @@
+import cpp
+import misra.Customizations
+import codingstandards.cpp.CodingStandards
+import codingstandards.cpp.exclusions.cpp.RuleMetadata

cpp/misra/src/codingstandards/cpp/misra/Customizations.qll

@@ -0,0 +1,8 @@
+/**
+ * Contains customizations to the MISRA C++ query rules.
+ *
+ * This module is imported by `misra.qll`, so any customizations defined here
+ * automatically apply to all MISRA C++ queries.
+ */
+
+import cpp

cpp/misra/src/qlpack.yml

@@ -1,6 +1,6 @@
 name: codeql/misra-cpp-coding-standards
-version: 2.29.0-dev
-description: MISRA C++ 2008
+version: 2.28.0-dev
+description: MISRA C++ 2023
 suites: codeql-suites
 license: MIT
 dependencies:

cpp/misra/src/rules/RULE-0-0-1/FunctionContainUnreachableStatements.ql

@@ -0,0 +1,21 @@
+/**
+ * @id cpp/misra/function-contain-unreachable-statements
+ * @name RULE-0-0-1: A function shall not contain unreachable statements
+ * @description Unreachable statements can indicate a mistake on the part of the programmer.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/misra/id/rule-0-0-1
+ *       scope/single-translation-unit
+ *       readability
+ *       maintainability
+ *       external/misra/enforcement/decidable
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codingstandards.cpp.misra
+
+from Expr x
+where not isExcluded(x, DeadCodePackage::functionContainUnreachableStatementsQuery())
+select x, "none"

cpp/misra/test/options

@@ -0,0 +1 @@
+semmle-extractor-options:--clang -std=c++17 -nostdinc++ -I../../../../common/test/includes/standard-library -I../../../../common/test/includes/custom-library

cpp/misra/test/rules/RULE-0-0-1/FunctionContainUnreachableStatements.expected

@@ -0,0 +1 @@
+| test.cpp:1:26:1:28 | arg | none |

cpp/misra/test/rules/RULE-0-0-1/FunctionContainUnreachableStatements.qlref

@@ -0,0 +1 @@
+rules/RULE-0-0-1/FunctionContainUnreachableStatements.ql

cpp/misra/test/rules/RULE-0-0-1/test.cpp

@@ -0,0 +1 @@
+int f1(int arg) { return arg; }

docs/design/guideline_recategorization.md

@@ -101,7 +101,7 @@ The *effective category* is the category whose policy is applied during the eval
 The policy of a category dictates if a result can be deviated from and implements the effect described in the design section.
 The existing exclusion mechanism implemented in the predicate `isExcluded` defined in the `Exclusions.qll` library will be updated to consider the applicable policy of a guideline.
 
-Note: This changes the behavior of deviations which will no longer have an impact on Mandatory guidelines! However, this will only affect MISRA C rules because there are no MISRA C++ Guidelines with a Mandatory category.
+Note: This changes the behavior of deviations which will no longer have an impact on Mandatory MISRA guidelines!
 
 ### Specification validation
 

docs/development_handbook.md

@@ -39,17 +39,11 @@
 | 0.29.1 | 2023-10-11 | Remco Vermeulen | Address Markdown linter problems. |
 | 0.30.0 | 2023-11-14 | Remco Vermeulen | Clarify release steps in case of a hotfix release. |
 | 0.31.0 | 2024-02-23 | Remco Vermeulen | Clarify the required use of Python version 3.9 |
+| 0.32.0 | 2024-05-01 | Luke Cartey | Refer to the user manual for the list of supported standards. |
 
 ## Scope of work
 
-A *coding standard* is a set of rules or guidelines which restrict or prohibit the use of certain dangerous or confusing coding patterns or language features. This repository contains CodeQL queries (and supporting processes) which implement a number of different coding standards. The currently supported standards are:
-
-| Standard                                                                                                             | Version | Total rules | Total supportable rules | Status         | Notes                                                                                                                                                     |
-| -------------------------------------------------------------------------------------------------------------------- | ------- | ----------- | ----------------------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [AUTOSAR C++](https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_RS_CPP14Guidelines.pdf) | R22-11, R21-11, R20-11, R19-11, R19-03  | 397         | 375                     | Implemented    | |
-| [CERT-C++](https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-cpp-coding-standard-2016-v01.pdf)   | 2016    | 83          | 83                      | Implemented    | AUTOSAR includes a sub-set of rules take from MISRA C++ 2008, which can be purchased for a small fee from [the MISRA website](https://misra.org.uk/shop). |
-| [CERT-C](https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf)       | 2016    | 120         | 99                      | In development | The implementation excludes rules not part of 2016, but that are added to the [CERT-C wiki](https://wiki.sei.cmu.edu/confluence/display/c/)               |
-| [MISRA C](https://www.misra.org.uk/product/misra-c2012-third-edition-first-revision/ )                               | 2012    | 172         | 172                     | In development | This includes the [MISRA C:2012 Amendment 2](https://www.misra.org.uk/app/uploads/2021/06/MISRA-C-2012-AMD2.pdf)                                          |
+A *coding standard* is a set of rules or guidelines which restrict or prohibit the use of certain dangerous or confusing coding patterns or language features. This repository contains CodeQL queries (and supporting processes) which implement a number of different coding standards. The currently supported standards are documented in the [user manual](user_manual.md).
 
 Each coding standard consists of a list of "guidelines", however not all the guidelines in all the standards will be amenable to automated static analysis. The AUTOSAR C++ standard categorizes the guidelines according to enforcement by static analysis tools in section *5.1.3 Rule classification according to enforcement by static analysis* of the standard. The CERT-C++ standard does not provide such categorization, but frequently has a [documented](https://wiki.sei.cmu.edu/confluence/display/cplusplus/How+this+Coding+Standard+Is+Organized#HowthisCodingStandardIsOrganized-AutomatedDetection) automated detection section for guidelines that documents tools, including their limitations, that can verify the guidelines in question. We have therefore carefully reviewed each supported standard. For each guidelines that is not categorized as automatic enforceable we have determined,in conjunction with end users, what parts of the guideline can be supported in which capacity with CodeQL.
 

docs/user_manual.md

@@ -26,6 +26,7 @@
 | 0.18.0  | 2024-01-30 | Luke Cartey     | Update product description and coverage table.                                                                          |
 | 0.19.0  | 2024-02-23 | Remco Vermeulen | Clarify the required use of Python version 3.9.                                                                         |
 | 0.20.0  | 2024-02-23 | Remco Vermeulen | Add table describing the permitted guideline re-categorizations.                                                        |
+| 0.21.0  | 2024-05-01 | Luke Cartey | Add MISRA C++ 2023 as under development, and clarify MISRA C 2012 coverage.                                                        |
 
 ## Release information
 
@@ -54,10 +55,11 @@ The _CodeQL Coding Standards_ product is a set of CodeQL queries for identifying
 
 | Standard                                                                                                             | Version | Rules | Supportable rules | Implemented rules | Status            |
 | -------------------------------------------------------------------------------------------------------------------- | ------- | ----------- | ----------------------- | ----------------- | ------- |
-| [AUTOSAR C++](https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_RS_CPP14Guidelines.pdf) | [^1] R22-11, R21-11, R20-11, R19-11, R19-03 | 397         | 372                     | 370[^2] | Implemented       |
-| [CERT-C++](https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-cpp-coding-standard-2016-v01.pdf)   | 2016    | 83          | 82                      | 82 | Implemented       |
-| [CERT C](https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf)       | 2016    | 99          | 97                      | 97 | Implemented |
-| [MISRA C](https://www.misra.org.uk/product/misra-c2012-third-edition-first-revision/)                                | 2012    | 175         | 164                     | 162[^3] | Implemented |
+| AUTOSAR C++ | [^1] [R22-11](https://www.autosar.org/fileadmin/standards/R22-11/AP/AUTOSAR_RS_CPP14Guidelines.pdf), R21-11, R20-11, R19-11, R19-03 | 397         | 372                     | 370[^2] | Implemented       |
+| CERT-C++   | [2016](https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-cpp-coding-standard-2016-v01.pdf)    | 83          | 82                      | 82 | Implemented       |
+| CERT C       | [2016](https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf)    | 99          | 97                      | 97 | Implemented |
+| MISRA C                                | [2012 Third Edition, First Revision](](https://www.misra.org.uk/product/misra-c2012-third-edition-first-revision/)), and [Amendment 2](https://misra.org.uk/app/uploads/2021/06/MISRA-C-2012-AMD2.pdf) and TC2  | 175         | 164                     | 162[^3] | Implemented |
+| MISRA C++                                | [2023](https://misra.org.uk/product/misra-cpp2023/)  | 179         | 176[^4]                     | 0 | Under development |
 
 Not all rules in these standards are amenable to static analysis by CodeQL - some rules require external or domain specific knowledge to validate, or refer to properties which are not present in our representation of the codebase under analysis. In addition, some rules are natively enforced by the supported compilers. As CodeQL requires that the program under analysis compiles, we are unable to implement queries for these rules, and doing so would be redundant.
 
@@ -73,6 +75,7 @@ The datasheet _"CodeQL Coding Standards: supported rules"_, provided with each r
 [^1]: AUTOSAR C++ versions R22-11, R21-11, R20-11, R19-11 and R19-03 are all identical as indicated in the document change history.
 [^2]: The unimplemented supportable AUTOSAR rules are `A7-1-8` and `A8-2-1`. These rules require additional support in the CodeQL CLI to ensure the required information is available in the CodeQL database to identify violations of these rules.
 [^3]: The unimplemented supportable MISRA C 2012 rules are `Rule 9.5` and `Dir 4.14`. `Rule 9.5` requires additional support in the CodeQL CLI to ensure the required information is available in the CodeQL database to identify violations of these rules. `Dir 4.14` is covered by the default CodeQL queries, which identify potential security vulnerabilities caused by not validating external input.
+[^4]: The rules 5.13.7, 19.0.1 and 19.1.2 are not planned to be implemented by CodeQL as they are compiler checked in all supported compilers.
 
 ## Supported environment
 

rule_packages/cpp/DeadCode.json

@@ -349,5 +349,29 @@
       ],
       "title": "There shall be no dead code."
     }
+  },
+  "MISRA-C++-2023": {
+    "RULE-0-0-1": {
+      "properties": {
+        "enforcement": "decidable",
+        "obligation": "required"
+      },
+      "queries": [
+        {
+          "description": "Unreachable statements can indicate a mistake on the part of the programmer.",
+          "kind": "problem",
+          "name": "A function shall not contain unreachable statements",
+          "precision": "high",
+          "severity": "error",
+          "short_name": "FunctionContainUnreachableStatements",
+          "tags": [
+            "scope/single-translation-unit",
+            "readability",
+            "maintainability"
+          ]
+        }
+      ],
+      "title": "A function shall not contain unreachable statements"
+    }
   }
-}
+}