Merge branch 'main' into next

Author: lcartey

.github/actions/check-permissions/action.yml

@@ -0,0 +1,49 @@
+name: Check current actor permissions
+description: |
+  Checks whether the current actor has the specified permssions
+inputs:
+  minimum-permission:
+    description: |
+      The minimum required permission. One of: read, write, admin
+    required: true
+outputs:
+  has-permission:
+    description: "Whether the actor had the minimum required permission"
+    value: ${{ steps.check-permission.outputs.has-permission }}
+
+runs:
+  using: composite
+  steps:
+  - uses: actions/github-script@v7
+    id: check-permission
+    env:
+      INPUT_MINIMUM-PERMISSION: ${{ inputs.minimum-permission }}
+    with:
+      script: |
+        // Valid permissions are none, read, write, admin (legacy base permissions)
+        const permissionsRanking = ["none", "read", "write", "admin"];
+
+        // Note: core.getInput doesn't work by default in a composite action - in this case
+        //       it would try to fetch the input to the github-script instead of the action
+        //       itself. Instead, we set the appropriate magic env var with the actions input.
+        //       See: https://github.com/actions/runner/issues/665
+        const minimumPermission = core.getInput('minimum-permission');
+        if (!permissionsRanking.includes(minimumPermission)) {
+          core.setFailed(`Invalid minimum permission: ${minimumPermission}`);
+          return;
+        }
+
+        const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          username: context.actor
+        });
+
+        // Confirm whether the actor permission is at least the selected permission
+        const hasPermission = permissionsRanking.indexOf(minimumPermission) <= permissionsRanking.indexOf(actorPermission) ? "1" : "";
+        core.setOutput('has-permission', hasPermission);
+        if (!hasPermission) {
+          core.info(`Current actor (${context.actor}) does not have the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        } else {
+          core.info(`Current actor (${context.actor}) has the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        }

.github/workflows/code-scanning-pack-gen.yml

@@ -106,7 +106,7 @@ jobs:
           zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/schemas
 
       - name: Upload GHAS Query Pack
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: code-scanning-cpp-query-pack.zip
           path: code-scanning-cpp-query-pack.zip

.github/workflows/dispatch-matrix-check.yml

@@ -11,13 +11,17 @@ jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Matrix Testing Job
-        if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+        if: steps.check-write-permission.outputs.has-permission
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -26,7 +30,7 @@ jobs:
           client-payload: '{"pr": "${{ github.event.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+        if: steps.check-write-permission.outputs.has-permission
         with:
           script: |
             github.rest.issues.createComment({

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -3,30 +3,22 @@ name: 🤖 Run Matrix Check (On Comment)
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-          $actor = "${{github.actor}}"
-
-          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Matrix Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +27,7 @@ jobs:
           client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({

.github/workflows/dispatch-release-performance-check.yml

@@ -3,30 +3,22 @@ name: 🏁 Run Release Performance Check
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-          $actor = "${{github.actor}}"
-
-          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Performance Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +27,7 @@ jobs:
           client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({

.github/workflows/generate-html-docs.yml

@@ -35,7 +35,7 @@ jobs:
           python scripts/documentation/generate_iso26262_docs.py coding-standards-html-docs
 
       - name: Upload HTML documentation
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: coding-standards-docs-${{ github.sha }}
           path: coding-standards-html-docs/

.github/workflows/standard_library_upgrade_tests.yml

@@ -143,7 +143,7 @@ jobs:
               }, test_summary_file)
 
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: test-results-${{runner.os}}-${{matrix.codeql_cli}}-${{matrix.codeql_standard_library_ident}}
           path: |

c/misra/src/codingstandards/c/misra/EssentialTypes.qll

@@ -179,6 +179,10 @@ class EssentialBinaryLogicalOperationExpr extends EssentialExpr, BinaryLogicalOp
   override Type getEssentialType() { result instanceof BoolType }
 }
 
+class EssentialUnaryLogicalOperationExpr extends EssentialExpr, UnaryLogicalOperation {
+  override Type getEssentialType() { result instanceof BoolType }
+}
+
 class EssentialEqualityOperationExpr extends EssentialExpr, EqualityOperation {
   override Type getEssentialType() { result instanceof BoolType }
 }
@@ -355,13 +359,17 @@ class EssentialLiteral extends EssentialExpr, Literal {
     else (
       if this.(CharLiteral).getCharacter().length() = 1
       then result instanceof PlainCharType
-      else (
-        getStandardType().(IntegralType).isSigned() and
-        result = stlr(this)
-        or
-        not getStandardType().(IntegralType).isSigned() and
-        result = utlr(this)
-      )
+      else
+        exists(Type underlyingStandardType |
+          underlyingStandardType = getStandardType().getUnderlyingType()
+        |
+          if underlyingStandardType instanceof IntType
+          then
+            if underlyingStandardType.(IntType).isSigned()
+            then result = stlr(this)
+            else result = utlr(this)
+          else result = underlyingStandardType
+        )
     )
   }
 }

c/misra/src/rules/RULE-10-1/OperandsOfAnInappropriateEssentialType.ql

@@ -178,7 +178,8 @@ predicate isInappropriateEssentialType(
     child =
       [
         operator.(BinaryBitwiseOperation).getAnOperand(),
-        operator.(Bitwise::AssignBitwiseOperation).getAnOperand()
+        operator.(Bitwise::AssignBitwiseOperation).getAnOperand(),
+        operator.(ComplementExpr).getAnOperand()
       ] and
     not operator instanceof LShiftExpr and
     not operator instanceof RShiftExpr and
@@ -240,7 +241,7 @@ string getRationaleMessage(int rationaleId, EssentialTypeCategory etc) {
   result = "Bitwise operator applied to operand of " + etc + " and not essentially unsigned."
   or
   rationaleId = 7 and
-  result = "Right hand operatand of shift operator is " + etc + " and not not essentially unsigned."
+  result = "Right hand operand of shift operator is " + etc + " and not not essentially unsigned."
   or
   rationaleId = 8 and
   result =
@@ -251,4 +252,4 @@ from Expr operator, Expr child, int rationaleId, EssentialTypeCategory etc
 where
   not isExcluded(operator, EssentialTypesPackage::operandsOfAnInappropriateEssentialTypeQuery()) and
   isInappropriateEssentialType(operator, child, etc, rationaleId)
-select operator, getRationaleMessage(rationaleId, etc)
+select child, getRationaleMessage(rationaleId, etc)

c/misra/src/rules/RULE-12-2/RightHandOperandOfAShiftRange.ql

@@ -20,14 +20,51 @@ class ShiftExpr extends BinaryBitwiseOperation {
   ShiftExpr() { this instanceof LShiftExpr or this instanceof RShiftExpr }
 }
 
-from ShiftExpr e, Expr right, int max_val
+MacroInvocation getAMacroInvocation(ShiftExpr se) { result.getAnExpandedElement() = se }
+
+Macro getPrimaryMacro(ShiftExpr se) {
+  exists(MacroInvocation mi |
+    mi = getAMacroInvocation(se) and
+    not exists(MacroInvocation otherMi |
+      otherMi = getAMacroInvocation(se) and otherMi.getParentInvocation() = mi
+    ) and
+    result = mi.getMacro()
+  )
+}
+
+from
+  ShiftExpr e, Expr right, int max_val, float lowerBound, float upperBound, Type essentialType,
+  string extraMessage, Locatable optionalPlaceholderLocation, string optionalPlaceholderMessage
 where
   not isExcluded(right, Contracts7Package::rightHandOperandOfAShiftRangeQuery()) and
   right = e.getRightOperand().getFullyConverted() and
-  max_val = (8 * getEssentialType(e.getLeftOperand()).getSize()) - 1 and
+  essentialType = getEssentialType(e.getLeftOperand()) and
+  max_val = (8 * essentialType.getSize()) - 1 and
+  upperBound = upperBound(right) and
+  lowerBound = lowerBound(right) and
+  (
+    lowerBound < 0 or
+    upperBound > max_val
+  ) and
+  // If this shift happens inside a macro, then report the macro as well
+  // for easier validation
   (
-    lowerBound(right) < 0 or
-    upperBound(right) > max_val
+    if exists(getPrimaryMacro(e))
+    then
+      extraMessage = " from expansion of macro $@" and
+      exists(Macro m |
+        m = getPrimaryMacro(e) and
+        optionalPlaceholderLocation = m and
+        optionalPlaceholderMessage = m.getName()
+      )
+    else (
+      extraMessage = "" and
+      optionalPlaceholderLocation = e and
+      optionalPlaceholderMessage = ""
+    )
   )
 select right,
-  "The right hand operand of the shift operator shall lie in the range 0 to " + max_val + "."
+  "The possible range of the right operand of the shift operator (" + lowerBound + ".." + upperBound
+    + ") is outside the the valid shift range (0.." + max_val +
+    ") for the essential type of the left operand (" + essentialType + ")" + extraMessage + ".",
+  optionalPlaceholderLocation, optionalPlaceholderMessage

c/misra/src/rules/RULE-5-8/IdentifiersWithExternalLinkageNotUnique.ql

@@ -41,7 +41,25 @@ class NotUniqueExternalIdentifier extends ExternalIdentifiers {
 
   Declaration getAConflictingDeclaration() {
     not result = this and
-    isConflictingDeclaration(result, getName())
+    isConflictingDeclaration(result, getName()) and
+    // We only consider a declaration to be conflicting if it shares a link target with the external
+    // identifier. This avoids reporting false positives where multiple binaries or libraries are
+    // built in the same CodeQL database, but are not intended to be linked together.
+    exists(LinkTarget lt |
+      // External declaration can only be a function or global variable
+      lt = this.(Function).getALinkTarget() or
+      lt = this.(GlobalVariable).getALinkTarget()
+    |
+      lt = result.(Function).getALinkTarget()
+      or
+      lt = result.(GlobalVariable).getALinkTarget()
+      or
+      exists(Class c | c.getAMember() = result and c.getALinkTarget() = lt)
+      or
+      result.(LocalVariable).getFunction().getALinkTarget() = lt
+      or
+      result.(Class).getALinkTarget() = lt
+    )
   }
 }
 

c/misra/test/c/misra/EssentialTypes.expected

@@ -38,3 +38,38 @@
 | test.c:26:3:26:3 | f | float | float | essentially Floating type |
 | test.c:27:3:27:5 | f32 | float32_t | float32_t | essentially Floating type |
 | test.c:28:3:28:6 | cf32 | float | float | essentially Floating type |
+| test.c:32:3:32:3 | 1 | signed char | signed char | essentially Signed type |
+| test.c:33:3:33:4 | 1 | unsigned char | unsigned char | essentially Unsigned type |
+| test.c:34:3:34:5 | 1 | unsigned long | unsigned long | essentially Unsigned type |
+| test.c:38:13:38:16 | 1 | bool | bool | essentially Boolean type |
+| test.c:38:13:38:16 | (bool)... | bool | bool | essentially Boolean type |
+| test.c:39:20:39:20 | 1 | signed char | signed char | essentially Signed type |
+| test.c:39:20:39:20 | (unsigned int)... | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:40:23:40:23 | 1 | signed char | signed char | essentially Signed type |
+| test.c:40:23:40:23 | (unsigned short)... | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:41:17:41:18 | 1 | signed char | signed char | essentially Signed type |
+| test.c:42:21:42:21 | 1 | signed char | signed char | essentially Signed type |
+| test.c:42:21:42:21 | (signed short)... | signed short | signed short | essentially Signed type |
+| test.c:44:3:44:4 | ! ... | bool | bool | essentially Boolean type |
+| test.c:44:4:44:4 | b | bool | bool | essentially Boolean type |
+| test.c:45:3:45:4 | ! ... | bool | bool | essentially Boolean type |
+| test.c:45:4:45:4 | u | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:46:3:46:5 | ! ... | bool | bool | essentially Boolean type |
+| test.c:46:4:46:5 | us | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:47:3:47:4 | ! ... | bool | bool | essentially Boolean type |
+| test.c:47:4:47:4 | s | signed int | signed int | essentially Signed type |
+| test.c:48:3:48:5 | ! ... | bool | bool | essentially Boolean type |
+| test.c:48:4:48:5 | ss | signed short | signed short | essentially Signed type |
+| test.c:50:3:50:4 | ~ ... | int | int | essentially Signed type |
+| test.c:50:4:50:4 | (int)... | int | int | essentially Signed type |
+| test.c:50:4:50:4 | b | bool | bool | essentially Boolean type |
+| test.c:51:3:51:4 | ~ ... | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:51:4:51:4 | u | unsigned int | unsigned int | essentially Unsigned type |
+| test.c:52:3:52:5 | ~ ... | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:52:4:52:5 | (int)... | int | int | essentially Signed type |
+| test.c:52:4:52:5 | us | unsigned short | unsigned short | essentially Unsigned type |
+| test.c:53:3:53:4 | ~ ... | signed int | signed int | essentially Signed type |
+| test.c:53:4:53:4 | s | signed int | signed int | essentially Signed type |
+| test.c:54:3:54:5 | ~ ... | int | int | essentially Signed type |
+| test.c:54:4:54:5 | (int)... | int | int | essentially Signed type |
+| test.c:54:4:54:5 | ss | signed short | signed short | essentially Signed type |