
Commit 05ae4d9

authored
Merge branch 'main' into next
2 parents 55cb51d + dd63211 commit 05ae4d9

24 files changed

+521
-258
lines changed
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
name: Check current actor permissions
2+
description: |
3+
Checks whether the current actor has the specified permssions
4+
inputs:
5+
minimum-permission:
6+
description: |
7+
The minimum required permission. One of: read, write, admin
8+
required: true
9+
outputs:
10+
has-permission:
11+
description: "Whether the actor had the minimum required permission"
12+
value: ${{ steps.check-permission.outputs.has-permission }}
13+
14+
runs:
15+
using: composite
16+
steps:
17+
- uses: actions/github-script@v7
18+
id: check-permission
19+
env:
20+
INPUT_MINIMUM-PERMISSION: ${{ inputs.minimum-permission }}
21+
with:
22+
script: |
23+
// Valid permissions are none, read, write, admin (legacy base permissions)
24+
const permissionsRanking = ["none", "read", "write", "admin"];
25+
26+
// Note: core.getInput doesn't work by default in a composite action - in this case
27+
// it would try to fetch the input to the github-script instead of the action
28+
// itself. Instead, we set the appropriate magic env var with the actions input.
29+
// See: https://github.com/actions/runner/issues/665
30+
const minimumPermission = core.getInput('minimum-permission');
31+
if (!permissionsRanking.includes(minimumPermission)) {
32+
core.setFailed(`Invalid minimum permission: ${minimumPermission}`);
33+
return;
34+
}
35+
36+
const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
37+
owner: context.repo.owner,
38+
repo: context.repo.repo,
39+
username: context.actor
40+
});
41+
42+
// Confirm whether the actor permission is at least the selected permission
43+
const hasPermission = permissionsRanking.indexOf(minimumPermission) <= permissionsRanking.indexOf(actorPermission) ? "1" : "";
44+
core.setOutput('has-permission', hasPermission);
45+
if (!hasPermission) {
46+
core.info(`Current actor (${context.actor}) does not have the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
47+
} else {
48+
core.info(`Current actor (${context.actor}) has the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
49+
}
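Review bot: The `has-permission` output is documented on line 11 only as "Whether the actor had the minimum required permission", but the script on line 43 emits the string `"1"` or an empty string, never `true`/`false`. A caller that compares it with `'true'` would always deny and one that tests `!= 'false'` would always allow, so the contract should be spelled out, for example `description: "'1' when the actor has at least minimum-permission, empty string otherwise; test for truthiness only"`. It is also worth stating there that the output is left unset when the input is invalid (the early `return` on line 33). The action description on line 3 misspells "permissions".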

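--- a/.github/workflows/code-scanning-pack-gen.yml
+++ b/.github/workflows/code-scanning-pack-gen.yml
@@ -106,7 +106,7 @@ jobs:
 zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/schemas
 
 - name: Upload GHAS Query Pack
-uses: actions/upload-artifact@v2
+uses: actions/upload-artifact@v3
 with:
 name: code-scanning-cpp-query-pack.zip
 path: code-scanning-cpp-query-pack.zip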

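--- a/.github/workflows/dispatch-matrix-check.yml
+++ b/.github/workflows/dispatch-matrix-check.yml
@@ -11,13 +11,17 @@ jobs:
 dispatch-matrix-check:
 runs-on: ubuntu-22.04
 steps:
-- name: Test Variables
-shell: pwsh
-run: |
-Write-Host "Running as: ${{github.actor}}"
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: Check permission
+id: check-write-permission
+uses: ./.github/actions/check-permissions
+with:
+minimum-permission: "write"
 
 - name: Dispatch Matrix Testing Job
-if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+if: steps.check-write-permission.outputs.has-permission
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -26,7 +30,7 @@ jobs:
 client-payload: '{"pr": "${{ github.event.number }}"}'
 
 - uses: actions/github-script@v6
-if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+if: steps.check-write-permission.outputs.has-permission
 with:
 script: |
 github.rest.issues.createComment({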
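Review bot: The permission gate added at new lines 14–21 is loaded from the workspace (`uses: ./.github/actions/check-permissions`), so it is only as trustworthy as the ref that `actions/checkout@v4` checks out, and the workflow's `on:` block is outside this hunk. If the trigger checks out pull-request content rather than the base branch, the action that decides whether `RELEASE_ENGINEERING_TOKEN` is used would come from the change under test. I would make the ref explicit and keep the token out of the workspace by giving the checkout step a `with:` block containing `ref: ${{ github.event.repository.default_branch }}` and `persist-credentials: false`. The same hardening applies to the checkout steps added in dispatch-matrix-test-on-comment.yml and dispatch-release-performance-check.yml, where the default ref for `issue_comment` is presumably already the default branch.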

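--- a/.github/workflows/dispatch-matrix-test-on-comment.yml
+++ b/.github/workflows/dispatch-matrix-test-on-comment.yml
@@ -3,30 +3,22 @@ name: 🤖 Run Matrix Check (On Comment)
 on:
 issue_comment:
 types: [created]
-branches:
-- main
-- "rc/**"
-- next
 
 jobs:
 dispatch-matrix-check:
 runs-on: ubuntu-22.04
 steps:
-- name: Test Variables
-shell: pwsh
-run: |
-Write-Host "Running as: ${{github.actor}}"
+- name: Checkout repository
+uses: actions/checkout@v4
 
-$actor = "${{github.actor}}"
-
-$acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill")
-
-if(-not ($actor -in $acl)){
-throw "Refusing to run workflow for user not in acl."
-}
+- name: Check permission
+id: check-write-permission
+uses: ./.github/actions/check-permissions
+with:
+minimum-permission: "write"
 
 - name: Dispatch Matrix Testing Job
-if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +27,7 @@ jobs:
 client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
 - uses: actions/github-script@v6
-if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
 with:
 script: |
 github.rest.issues.createComment({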
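Review bot: The checkout and permission-check steps at new lines 11–18 carry no `if:`, so they run for every created comment on any issue or pull request, while the `/test-matrix` filter sits only on the two later steps. Each unrelated comment then costs a checkout and a collaborator lookup, and a lookup that throws would mark the run as failed. Moving the event filter to the job, `if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}` under `dispatch-matrix-check:`, would leave the step conditions with only `steps.check-write-permission.outputs.has-permission`. dispatch-release-performance-check.yml has the same shape with `/test-performance`.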

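--- a/.github/workflows/dispatch-release-performance-check.yml
+++ b/.github/workflows/dispatch-release-performance-check.yml
@@ -3,30 +3,22 @@ name: 🏁 Run Release Performance Check
 on:
 issue_comment:
 types: [created]
-branches:
-- main
-- "rc/**"
-- next
 
 jobs:
 dispatch-matrix-check:
 runs-on: ubuntu-22.04
 steps:
-- name: Test Variables
-shell: pwsh
-run: |
-Write-Host "Running as: ${{github.actor}}"
+- name: Checkout repository
+uses: actions/checkout@v4
 
-$actor = "${{github.actor}}"
-
-$acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill")
-
-if(-not ($actor -in $acl)){
-throw "Refusing to run workflow for user not in acl."
-}
+- name: Check permission
+id: check-write-permission
+uses: ./.github/actions/check-permissions
+with:
+minimum-permission: "write"
 
 - name: Dispatch Performance Testing Job
-if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +27,7 @@ jobs:
 client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
 - uses: actions/github-script@v6
-if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
 with:
 script: |
 github.rest.issues.createComment({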

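--- a/.github/workflows/generate-html-docs.yml
+++ b/.github/workflows/generate-html-docs.yml
@@ -35,7 +35,7 @@ jobs:
 python scripts/documentation/generate_iso26262_docs.py coding-standards-html-docs
 
 - name: Upload HTML documentation
-uses: actions/upload-artifact@v2
+uses: actions/upload-artifact@v3
 with:
 name: coding-standards-docs-${{ github.sha }}
 path: coding-standards-html-docs/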

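--- a/.github/workflows/standard_library_upgrade_tests.yml
+++ b/.github/workflows/standard_library_upgrade_tests.yml
@@ -143,7 +143,7 @@ jobs:
 }, test_summary_file)
 
 - name: Upload test results
-uses: actions/upload-artifact@v2
+uses: actions/upload-artifact@v3
 with:
 name: test-results-${{runner.os}}-${{matrix.codeql_cli}}-${{matrix.codeql_standard_library_ident}}
 path: |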

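--- a/c/misra/src/codingstandards/c/misra/EssentialTypes.qll
+++ b/c/misra/src/codingstandards/c/misra/EssentialTypes.qll
@@ -179,6 +179,10 @@ class EssentialBinaryLogicalOperationExpr extends EssentialExpr, BinaryLogicalOp
 override Type getEssentialType() { result instanceof BoolType }
 }
 
+class EssentialUnaryLogicalOperationExpr extends EssentialExpr, UnaryLogicalOperation {
+override Type getEssentialType() { result instanceof BoolType }
+}
+
 class EssentialEqualityOperationExpr extends EssentialExpr, EqualityOperation {
 override Type getEssentialType() { result instanceof BoolType }
 }
@@ -355,13 +359,17 @@ class EssentialLiteral extends EssentialExpr, Literal {
 else (
 if this.(CharLiteral).getCharacter().length() = 1
 then result instanceof PlainCharType
-else (
-getStandardType().(IntegralType).isSigned() and
-result = stlr(this)
-or
-not getStandardType().(IntegralType).isSigned() and
-result = utlr(this)
-)
+else
+exists(Type underlyingStandardType |
+underlyingStandardType = getStandardType().getUnderlyingType()
+|
+if underlyingStandardType instanceof IntType
+then
+if underlyingStandardType.(IntType).isSigned()
+then result = stlr(this)
+else result = utlr(this)
+else result = underlyingStandardType
+)
 )
 }
 }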
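Review bot: The final `else result = underlyingStandardType` at new line 371 has no comment saying which literals are expected to reach it. Before this change every literal on this path was given `stlr(this)` or `utlr(this)`; now only those whose underlying type is an `IntType` are, and the rest keep their underlying standard type. A one-line comment above line 366, such as `// Only literals whose underlying type is IntType go through stlr/utlr; all others keep their underlying standard type`, would record that intent. The enclosing predicate starts outside the hunk.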

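--- a/c/misra/src/rules/RULE-10-1/OperandsOfAnInappropriateEssentialType.ql
+++ b/c/misra/src/rules/RULE-10-1/OperandsOfAnInappropriateEssentialType.ql
@@ -178,7 +178,8 @@ predicate isInappropriateEssentialType(
 child =
 [
 operator.(BinaryBitwiseOperation).getAnOperand(),
-operator.(Bitwise::AssignBitwiseOperation).getAnOperand()
+operator.(Bitwise::AssignBitwiseOperation).getAnOperand(),
+operator.(ComplementExpr).getAnOperand()
 ] and
 not operator instanceof LShiftExpr and
 not operator instanceof RShiftExpr and
@@ -240,7 +241,7 @@ string getRationaleMessage(int rationaleId, EssentialTypeCategory etc) {
 result = "Bitwise operator applied to operand of " + etc + " and not essentially unsigned."
 or
 rationaleId = 7 and
-result = "Right hand operatand of shift operator is " + etc + " and not not essentially unsigned."
+result = "Right hand operand of shift operator is " + etc + " and not not essentially unsigned."
 or
 rationaleId = 8 and
 result =
@@ -251,4 +252,4 @@ from Expr operator, Expr child, int rationaleId, EssentialTypeCategory etc
 where
 not isExcluded(operator, EssentialTypesPackage::operandsOfAnInappropriateEssentialTypeQuery()) and
 isInappropriateEssentialType(operator, child, etc, rationaleId)
-select operator, getRationaleMessage(rationaleId, etc)
+select child, getRationaleMessage(rationaleId, etc)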
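Review bot: The message on new line 244 still reads "and not not essentially unsigned"; the commit fixes "operatand" on the same line but leaves the doubled "not". The line should be `result = "Right hand operand of shift operator is " + etc + " and not essentially unsigned."`, with any `.expected` files that contain the message regenerated. `getRationaleMessage` starts and ends outside the hunk.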

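--- a/c/misra/src/rules/RULE-12-2/RightHandOperandOfAShiftRange.ql
+++ b/c/misra/src/rules/RULE-12-2/RightHandOperandOfAShiftRange.ql
@@ -20,14 +20,51 @@ class ShiftExpr extends BinaryBitwiseOperation {
 ShiftExpr() { this instanceof LShiftExpr or this instanceof RShiftExpr }
 }
 
-from ShiftExpr e, Expr right, int max_val
+MacroInvocation getAMacroInvocation(ShiftExpr se) { result.getAnExpandedElement() = se }
+
+Macro getPrimaryMacro(ShiftExpr se) {
+exists(MacroInvocation mi |
+mi = getAMacroInvocation(se) and
+not exists(MacroInvocation otherMi |
+otherMi = getAMacroInvocation(se) and otherMi.getParentInvocation() = mi
+) and
+result = mi.getMacro()
+)
+}
+
+from
+ShiftExpr e, Expr right, int max_val, float lowerBound, float upperBound, Type essentialType,
+string extraMessage, Locatable optionalPlaceholderLocation, string optionalPlaceholderMessage
 where
 not isExcluded(right, Contracts7Package::rightHandOperandOfAShiftRangeQuery()) and
 right = e.getRightOperand().getFullyConverted() and
-max_val = (8 * getEssentialType(e.getLeftOperand()).getSize()) - 1 and
+essentialType = getEssentialType(e.getLeftOperand()) and
+max_val = (8 * essentialType.getSize()) - 1 and
+upperBound = upperBound(right) and
+lowerBound = lowerBound(right) and
+(
+lowerBound < 0 or
+upperBound > max_val
+) and
+// If this shift happens inside a macro, then report the macro as well
+// for easier validation
 (
-lowerBound(right) < 0 or
-upperBound(right) > max_val
+if exists(getPrimaryMacro(e))
+then
+extraMessage = " from expansion of macro $@" and
+exists(Macro m |
+m = getPrimaryMacro(e) and
+optionalPlaceholderLocation = m and
+optionalPlaceholderMessage = m.getName()
+)
+else (
+extraMessage = "" and
+optionalPlaceholderLocation = e and
+optionalPlaceholderMessage = ""
+)
 )
 select right,
-"The right hand operand of the shift operator shall lie in the range 0 to " + max_val + "."
+"The possible range of the right operand of the shift operator (" + lowerBound + ".." + upperBound
++ ") is outside the the valid shift range (0.." + max_val +
+") for the essential type of the left operand (" + essentialType + ")" + extraMessage + ".",
+optionalPlaceholderLocation, optionalPlaceholderMessage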
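Review bot: The alert text on new line 68 contains a doubled word, "outside the the valid shift range"; it should read `+ ") is outside the valid shift range (0.." + max_val +`. The two helper predicates added at new lines 23–33 have no QLDoc, and `getPrimaryMacro` in particular needs one, for example `/** Gets the macro of an invocation that expands to se and is not the parent of another invocation that also expands to se. */`. If a shift can have more than one such invocation, the query would presumably report one row per macro, which is worth stating in that comment.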

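--- a/c/misra/src/rules/RULE-5-8/IdentifiersWithExternalLinkageNotUnique.ql
+++ b/c/misra/src/rules/RULE-5-8/IdentifiersWithExternalLinkageNotUnique.ql
@@ -41,7 +41,25 @@ class NotUniqueExternalIdentifier extends ExternalIdentifiers {
 
 Declaration getAConflictingDeclaration() {
 not result = this and
-isConflictingDeclaration(result, getName())
+isConflictingDeclaration(result, getName()) and
+// We only consider a declaration to be conflicting if it shares a link target with the external
+// identifier. This avoids reporting false positives where multiple binaries or libraries are
+// built in the same CodeQL database, but are not intended to be linked together.
+exists(LinkTarget lt |
+// External declaration can only be a function or global variable
+lt = this.(Function).getALinkTarget() or
+lt = this.(GlobalVariable).getALinkTarget()
+|
+lt = result.(Function).getALinkTarget()
+or
+lt = result.(GlobalVariable).getALinkTarget()
+or
+exists(Class c | c.getAMember() = result and c.getALinkTarget() = lt)
+or
+result.(LocalVariable).getFunction().getALinkTarget() = lt
+or
+result.(Class).getALinkTarget() = lt
+)
 }
 }
 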
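Review bot: The new `exists(LinkTarget lt | ...)` at new lines 48–62 only holds when `this` has at least one link target, so an external identifier with none recorded no longer has any conflicting declaration. If a database can contain such declarations (for example when the build did not link them into anything, which is an assumption to confirm), the rule would go silent for them rather than report. The comment on lines 45–47 should say so, e.g. `// Note: an identifier with no link target is never reported as conflicting`, or the predicate should keep the previous behaviour when no link target exists for `this`. `getAConflictingDeclaration` starts outside the hunk.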

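--- a/c/misra/test/c/misra/EssentialTypes.expected
+++ b/c/misra/test/c/misra/EssentialTypes.expected
@@ -38,3 +38,38 @@
 | test.c:26:3:26:3 | f | float | float | essentially Floating type |
 | test.c:27:3:27:5 | f32 | float32_t | float32_t | essentially Floating type |
 | test.c:28:3:28:6 | cf32 | float | float | essentially Floating type |
+| test.c:32:3:32:3 | 1 | signed char | signed char | essentially Signed type |
+| test.c:33:3:33:4 | 1 | unsigned char | unsigned char | essentially Unsigned type |
+| test.c:34:3:34:5 | 1 | unsigned long | unsigned long | essentially Unsigned type |
+| test.c:38:13:38:16 | 1 | bool | bool | essentially Boolean type |
+| test.c:38:13:38:16 | (bool)... | bool | bool | essentially Boolean type |
+| test.c:39:20:39:20 | 1 | signed char | signed char | essentially Signed type |
+| test.c:39:20:39:20 | (unsigned int)... | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:40:23:40:23 | 1 | signed char | signed char | essentially Signed type |
+| test.c:40:23:40:23 | (unsigned short)... | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:41:17:41:18 | 1 | signed char | signed char | essentially Signed type |
+| test.c:42:21:42:21 | 1 | signed char | signed char | essentially Signed type |
+| test.c:42:21:42:21 | (signed short)... | signed short | signed short | essentially Signed type |
+| test.c:44:3:44:4 | ! ... | bool | bool | essentially Boolean type |
+| test.c:44:4:44:4 | b | bool | bool | essentially Boolean type |
+| test.c:45:3:45:4 | ! ... | bool | bool | essentially Boolean type |
+| test.c:45:4:45:4 | u | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:46:3:46:5 | ! ... | bool | bool | essentially Boolean type |
+| test.c:46:4:46:5 | us | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:47:3:47:4 | ! ... | bool | bool | essentially Boolean type |
+| test.c:47:4:47:4 | s | signed int | signed int | essentially Signed type |
+| test.c:48:3:48:5 | ! ... | bool | bool | essentially Boolean type |
+| test.c:48:4:48:5 | ss | signed short | signed short | essentially Signed type |
+| test.c:50:3:50:4 | ~ ... | int | int | essentially Signed type |
+| test.c:50:4:50:4 | (int)... | int | int | essentially Signed type |
+| test.c:50:4:50:4 | b | bool | bool | essentially Boolean type |
+| test.c:51:3:51:4 | ~ ... | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:51:4:51:4 | u | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:52:3:52:5 | ~ ... | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:52:4:52:5 | (int)... | int | int | essentially Signed type |
+| test.c:52:4:52:5 | us | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:53:3:53:4 | ~ ... | signed int | signed int | essentially Signed type |
+| test.c:53:4:53:4 | s | signed int | signed int | essentially Signed type |
+| test.c:54:3:54:5 | ~ ... | int | int | essentially Signed type |
+| test.c:54:4:54:5 | (int)... | int | int | essentially Signed type |
+| test.c:54:4:54:5 | ss | signed short | signed short | essentially Signed type |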
