Merge branch 'main' into dependabot/pip/scripts/release/gitpython-3.1.37

Author: lcartey

.github/workflows/prepare-release.yml

@@ -13,9 +13,10 @@ on:
         required: true
       hotfix:
         description: |
-          Whether this is a hotfix release.
+          Hotfix release.
         required: false
         default: false
+        type: boolean
 
 permissions:
   contents: write
@@ -29,10 +30,7 @@ env:
 
 jobs:
   prepare-release:
-    outputs:
-      pull-request-head-sha: ${{ steps.determine-pr-head-sha.outputs.pull-request-head-sha }}
     name: "Prepare release"
-    if: github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
@@ -60,7 +58,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          release=$(gh release view v$RELEASE_VERSION --json name,isDraft)
+          release=$( { gh release view "v$RELEASE_VERSION" --json name,isDraft; } || echo "" )
           if [[ -z "$release" ]]; then
             echo "Release v$RELEASE_VERSION does not exist. Proceeding"
             echo "create_draft_release=true" >> "$GITHUB_ENV"
@@ -79,7 +77,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          release_pr=$(gh pr view rc/$RELEASE_VERSION --json title,state,number)
+          release_pr=$( { gh pr view "rc/$RELEASE_VERSION" --json title,state,number; } || echo "")
           if [[ ! -z "$release_pr" ]]; then
             pr_title=$(echo "$release_pr" | jq -r '.title')
             pr_state=$(echo "$release_pr" | jq -r '.state')
@@ -143,14 +141,26 @@ jobs:
           git commit -m "Update version"
           git push
 
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards"
+
       - name: Create release PR
         env:
-          GITHUB_TOKEN: ${{ secrets.ACTION_DISPATCH_TOKEN }}
+          # Use the token from the `generate-token` step because we can't use the default workflow token
+          # to create a PR and generate PR events to trigger the next workflow because of recursive workflow
+          # trigger protection.
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           gh pr create \
           -R $GITHUB_REPOSITORY \
           --title "Release v$RELEASE_VERSION" \
           --body "This PR releases codeql-coding-standards version $RELEASE_VERSION." \
           --base rc/$RELEASE_VERSION \
           --head feature/update-user-manual-for-$RELEASE_VERSION \
-          --draft
+          --draft

.github/workflows/update-release-status.yml

@@ -139,6 +139,6 @@ jobs:
     if: needs.validate-check-runs.outputs.status == 'completed'
     uses: ./.github/workflows/update-release.yml
     with:
-        head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
+      head-sha: ${{ needs.validate-check-runs.outputs.check-run-head-sha }}
     secrets:
-      RELEASE_ENGINEERING_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+      AUTOMATION_PRIVATE_KEY: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

.github/workflows/update-release.yml

@@ -15,9 +15,9 @@ on:
           The head SHA of the release PR to use for finalizing the release.
         required: true
     secrets:
-      RELEASE_ENGINEERING_TOKEN:
+      AUTOMATION_PRIVATE_KEY:
         description: |
-          The token to use for accessing the release engineering repository.
+          The private key to use to generate a token for accessing the release engineering repository.
         required: true
 env:
   HEAD_SHA: ${{ inputs.head-sha }}
@@ -40,10 +40,19 @@ jobs:
       - name: Install dependencies
         run: pip install -r scripts/release/requirements.txt
 
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards-release-engineering"
+
       - name: Update release assets
         env:
           GITHUB_TOKEN: ${{ github.token }}
-          RELEASE_ENGINEERING_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+          RELEASE_ENGINEERING_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           python scripts/release/update-release-assets.py \
             --head-sha $HEAD_SHA \

.github/workflows/validate-release.yml

@@ -14,7 +14,6 @@ env:
   HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 
 jobs:
-
   pre-validate-performance:
     outputs:
       check-run-id: ${{ steps.create-check-run.outputs.check-run-id }}
@@ -39,10 +38,18 @@ jobs:
     needs: pre-validate-performance
     runs-on: ubuntu-22.04
     steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards-release-engineering"
       - name: Invoke performance test
         env:
           CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
-          GH_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           jq -n \
           --arg ref "$HEAD_SHA" \
@@ -51,8 +58,7 @@ jobs:
           | \
           gh workflow run release-performance-testing.yml \
           --json \
-          -R github/codeql-coding-standards-release-engineering \
-          --ref rvermeulen/release-process
+          -R github/codeql-coding-standards-release-engineering
 
   on-failure-validate-performance-dispatch:
     needs: [pre-validate-performance, validate-performance]
@@ -61,8 +67,8 @@ jobs:
     steps:
       - name: Fail check run status
         env:
-           CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
-           GITHUB_TOKEN: ${{ github.token }}
+          CHECK_RUN_ID: ${{ needs.pre-validate-performance.outputs.check-run-id }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           jq -n \
           --arg status "completed" \
@@ -100,10 +106,18 @@ jobs:
     needs: pre-validate-compiler-compatibility
     runs-on: ubuntu-22.04
     steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards-release-engineering"
       - name: Invoke compiler compatibility test
         env:
           CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
-          GITHUB_TOKEN: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           jq -n \
           --arg ref "$HEAD_SHA" \
@@ -112,18 +126,18 @@ jobs:
           | \
           gh workflow run release-compiler-validation.yml \
           --json \
-          -R github/codeql-coding-standards-release-engineering \
-          --ref rvermeulen/release-process
+          -R github/codeql-coding-standards-release-engineering
 
   on-failure-validate-compiler-compatibility-dispatch:
-    needs: [pre-validate-compiler-compatibility, validate-compiler-compatibility]
+    needs:
+      [pre-validate-compiler-compatibility, validate-compiler-compatibility]
     if: failure()
     runs-on: ubuntu-22.04
     steps:
       - name: Fail check run status
         env:
-           CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
-           GITHUB_TOKEN: ${{ github.token }}
+          CHECK_RUN_ID: ${{ needs.pre-validate-compiler-compatibility.outputs.check-run-id }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           jq -n \
           --arg status "completed" \

c/misra/src/rules/RULE-10-1/OperandsOfAnInappropriateEssentialType.ql

@@ -14,6 +14,7 @@
 import cpp
 import codingstandards.c.misra
 import codingstandards.c.misra.EssentialTypes
+import codingstandards.cpp.Bitwise
 
 /**
  * Holds if the operator `operator` has an operand `child` that is of an inappropriate essential type
@@ -177,7 +178,7 @@ predicate isInappropriateEssentialType(
     child =
       [
         operator.(BinaryBitwiseOperation).getAnOperand(),
-        operator.(AssignBitwiseOperation).getAnOperand()
+        operator.(Bitwise::AssignBitwiseOperation).getAnOperand()
       ] and
     not operator instanceof LShiftExpr and
     not operator instanceof RShiftExpr and

c/misra/test/rules/RULE-10-1/test.c

@@ -492,4 +492,6 @@ void pointerType() {
   b || b; // COMPLIANT
   p || b; // NON_COMPLIANT
   b || p; // NON_COMPLIANT
+  p += 1; // COMPLIANT
+  p -= 1; // COMPLIANT
 }

change_notes/2023-10-04-m5-0-20-exclude-pointer-bitwise.md

@@ -0,0 +1 @@
+ * `M5-0-20`, `M5-0-21`, `RULE-10-1` - exclude pointer assignment operators as bitwise operators.

change_notes/2023-11-07-use-misra-underlying-type.md

@@ -0,0 +1,2 @@
+- `M5-0-20` - `BitwiseOperatorOperandsHaveDifferentUnderlyingType.ql`:
+  - Use the Misra definition of underlying type.

cpp/autosar/src/rules/M5-0-20/BitwiseOperatorOperandsHaveDifferentUnderlyingType.ql

@@ -16,19 +16,30 @@
 
 import cpp
 import codingstandards.cpp.autosar
+import codingstandards.cpp.Bitwise
+import codingstandards.cpp.Conversion
 
 predicate isBinaryBitwiseOperation(Operation o, VariableAccess l, VariableAccess r) {
   exists(BinaryBitwiseOperation bbo | bbo = o |
     l = bbo.getLeftOperand() and r = bbo.getRightOperand()
   )
   or
-  exists(AssignBitwiseOperation abo | abo = o | l = abo.getLValue() and r = abo.getRValue())
+  exists(Bitwise::AssignBitwiseOperation abo | abo = o |
+    l = abo.getLValue() and
+    r = abo.getRValue()
+  )
 }
 
-from Operation o, Variable left, Variable right
+from
+  Operation o, VariableAccess left, VariableAccess right, Type leftUnderlyingType,
+  Type rightUnderlyingType
 where
   not isExcluded(o, ExpressionsPackage::bitwiseOperatorOperandsHaveDifferentUnderlyingTypeQuery()) and
   not o.isFromUninstantiatedTemplate(_) and
-  isBinaryBitwiseOperation(o, left.getAnAccess(), right.getAnAccess()) and
-  left.getUnderlyingType() != right.getUnderlyingType()
-select o, "Operands of the '" + o.getOperator() + "' operation have different underlying types."
+  isBinaryBitwiseOperation(o, left, right) and
+  leftUnderlyingType = MisraConversion::getUnderlyingType(left) and
+  rightUnderlyingType = MisraConversion::getUnderlyingType(right) and
+  leftUnderlyingType != rightUnderlyingType
+select o,
+  "Operands of the '" + o.getOperator() + "' operation have different underlying types '" +
+    leftUnderlyingType.getName() + "' and '" + rightUnderlyingType.getName() + "'."

cpp/autosar/src/rules/M5-0-21/BitwiseOperatorAppliedToSignedTypes.ql

@@ -17,14 +17,15 @@
 
 import cpp
 import codingstandards.cpp.autosar
+import codingstandards.cpp.Bitwise
 
 from Operation o, VariableAccess va
 where
   not isExcluded(o, ExpressionsPackage::bitwiseOperatorAppliedToSignedTypesQuery()) and
   (
     o instanceof UnaryBitwiseOperation or
     o instanceof BinaryBitwiseOperation or
-    o instanceof AssignBitwiseOperation
+    o instanceof Bitwise::AssignBitwiseOperation
   ) and
   o.getAnOperand() = va and
   va.getTarget().getUnderlyingType().(IntegralType).isSigned()

cpp/autosar/src/rules/M5-8-1/RightBitShiftOperandIsNegativeOrTooWide.ql

@@ -17,6 +17,7 @@
 
 import cpp
 import codingstandards.cpp.autosar
+import codingstandards.cpp.Bitwise
 
 class ShiftOperation extends Operation {
   Expr leftOperand;
@@ -33,7 +34,7 @@ class ShiftOperation extends Operation {
       rightOperand = o.getRightOperand()
     )
     or
-    exists(AssignBitwiseOperation o | this = o |
+    exists(Bitwise::AssignBitwiseOperation o | this = o |
       (
         o instanceof AssignLShiftExpr
         or

cpp/autosar/test/rules/M5-0-20/BitwiseOperatorOperandsHaveDifferentUnderlyingType.expected

@@ -1,21 +1,21 @@
-| test.cpp:18:3:18:6 | ... & ... | Operands of the '&' operation have different underlying types. |
-| test.cpp:19:3:19:7 | ... \| ... | Operands of the '\|' operation have different underlying types. |
-| test.cpp:20:3:20:7 | ... ^ ... | Operands of the '^' operation have different underlying types. |
-| test.cpp:21:3:21:8 | ... << ... | Operands of the '<<' operation have different underlying types. |
-| test.cpp:22:3:22:8 | ... >> ... | Operands of the '>>' operation have different underlying types. |
-| test.cpp:23:3:23:8 | ... &= ... | Operands of the '&=' operation have different underlying types. |
-| test.cpp:24:3:24:8 | ... \|= ... | Operands of the '\|=' operation have different underlying types. |
-| test.cpp:25:3:25:8 | ... ^= ... | Operands of the '^=' operation have different underlying types. |
-| test.cpp:26:3:26:9 | ... <<= ... | Operands of the '<<=' operation have different underlying types. |
-| test.cpp:27:3:27:9 | ... >>= ... | Operands of the '>>=' operation have different underlying types. |
-| test.cpp:45:3:45:6 | ... & ... | Operands of the '&' operation have different underlying types. |
-| test.cpp:46:3:46:7 | ... \| ... | Operands of the '\|' operation have different underlying types. |
-| test.cpp:47:3:47:7 | ... ^ ... | Operands of the '^' operation have different underlying types. |
-| test.cpp:48:3:48:8 | ... << ... | Operands of the '<<' operation have different underlying types. |
-| test.cpp:49:3:49:8 | ... >> ... | Operands of the '>>' operation have different underlying types. |
-| test.cpp:50:3:50:8 | ... &= ... | Operands of the '&=' operation have different underlying types. |
-| test.cpp:51:3:51:8 | ... \|= ... | Operands of the '\|=' operation have different underlying types. |
-| test.cpp:52:3:52:8 | ... ^= ... | Operands of the '^=' operation have different underlying types. |
-| test.cpp:53:3:53:9 | ... <<= ... | Operands of the '<<=' operation have different underlying types. |
-| test.cpp:54:3:54:9 | ... >>= ... | Operands of the '>>=' operation have different underlying types. |
-| test.cpp:67:3:67:14 | ... << ... | Operands of the '<<' operation have different underlying types. |
+| test.cpp:18:3:18:6 | ... & ... | Operands of the '&' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:19:3:19:7 | ... \| ... | Operands of the '\|' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:20:3:20:7 | ... ^ ... | Operands of the '^' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:21:3:21:8 | ... << ... | Operands of the '<<' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:22:3:22:8 | ... >> ... | Operands of the '>>' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:23:3:23:8 | ... &= ... | Operands of the '&=' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:24:3:24:8 | ... \|= ... | Operands of the '\|=' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:25:3:25:8 | ... ^= ... | Operands of the '^=' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:26:3:26:9 | ... <<= ... | Operands of the '<<=' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:27:3:27:9 | ... >>= ... | Operands of the '>>=' operation have different underlying types 'unsigned int' and 'unsigned short'. |
+| test.cpp:45:3:45:6 | ... & ... | Operands of the '&' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:46:3:46:7 | ... \| ... | Operands of the '\|' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:47:3:47:7 | ... ^ ... | Operands of the '^' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:48:3:48:8 | ... << ... | Operands of the '<<' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:49:3:49:8 | ... >> ... | Operands of the '>>' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:50:3:50:8 | ... &= ... | Operands of the '&=' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:51:3:51:8 | ... \|= ... | Operands of the '\|=' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:52:3:52:8 | ... ^= ... | Operands of the '^=' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:53:3:53:9 | ... <<= ... | Operands of the '<<=' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:54:3:54:9 | ... >>= ... | Operands of the '>>=' operation have different underlying types 'unsigned char' and 'unsigned short'. |
+| test.cpp:67:3:67:14 | ... << ... | Operands of the '<<' operation have different underlying types 'int &' and 'char &'. |

cpp/autosar/test/rules/M5-0-20/test.cpp

@@ -71,3 +71,8 @@ void test463_2_instantiations() {
   char shift2 = 2;
   test463_2(val, shift2);
 }
+
+void test_add(char *val) {
+  int add = 2;
+  val += add; // COMPLIANT
+}

cpp/autosar/test/rules/M5-0-21/test.cpp

@@ -45,4 +45,8 @@ void test() {
   u ^= u;  // COMPLIANT
   u | 0;   // COMPLIANT
   u |= 0;  // COMPLIANT
+
+  int *p = 0;
+  p += 1; // COMPLIANT
+  p -= 1; // COMPLIANT
 }

cpp/common/src/codingstandards/cpp/Bitwise.qll

@@ -0,0 +1,20 @@
+/**
+ * A library for addressing issues in bitwise operator modelling in our database schema.
+ */
+
+private import cpp as cpp
+
+module Bitwise {
+  /**
+   * A binary bitwise assign operation, excluding += and -= on pointers, which seem to be erroneously
+   * included.
+   */
+  class AssignBitwiseOperation extends cpp::AssignBitwiseOperation {
+    AssignBitwiseOperation() {
+      // exclude += and -= on pointers, which seem to be erroneously included
+      // in the database schema
+      not this instanceof cpp::AssignPointerAddExpr and
+      not this instanceof cpp::AssignPointerSubExpr
+    }
+  }
+}