Merge branch 'main' into rc/2.10

Author: jsinglet

.github/workflows/bump-version.yml

@@ -10,7 +10,7 @@ on:
 jobs:
 
   apply-version-bump:
-    runs-on: ubuntu-latest 
+    runs-on: ubuntu-22.04
     name: Apply Version Bump
     steps:
         - name: Checkout 

.github/workflows/code-scanning-pack-gen.yml

@@ -19,7 +19,7 @@ env:
 jobs:
   prepare-code-scanning-pack-matrix:
     name: Prepare CodeQL Code Scanning pack matrix
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       matrix: ${{ steps.export-code-scanning-pack-matrix.outputs.matrix }}
     steps:

.github/workflows/codeql_unit_tests.yml

@@ -14,7 +14,7 @@ on:
 jobs:
   prepare-unit-test-matrix:
     name: Prepare CodeQL unit test matrix
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
@@ -157,7 +157,7 @@ jobs:
   validate-test-results:
     name: Validate test results
     needs: [run-test-suites]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Collect test results
         uses: actions/download-artifact@v2

.github/workflows/create-draft-release.yml

@@ -21,7 +21,7 @@ on:
 jobs:
   create-draft-release:
     name: Create draft release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:      
       # AWS CONFIGURATION
       AWS_EC2_INSTANCE_TYPE: ${{ github.event.inputs.aws_ec2_instance_type }}

.github/workflows/generate-html-docs.yml

@@ -15,7 +15,7 @@ on:
 jobs:
   generate-html-doc:
     name: Generate HTML documentation
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/standard_library_upgrade_tests.yml

@@ -14,7 +14,7 @@ on:
 jobs:
   prepare-unit-test-matrix:
     name: Prepare CodeQL unit test matrix
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
@@ -154,7 +154,7 @@ jobs:
   validate-test-results:
     name: Validate test results
     needs: [run-test-suites]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Install Python
         uses: actions/setup-python@v4

.github/workflows/upgrade_codeql_dependencies.yml

@@ -20,7 +20,7 @@ jobs:
     env:
       CODEQL_CLI_VERSION: ${{ github.event.inputs.codeql_cli_version }}
       CODEQL_LIB_COMMIT: ${{ github.event.inputs.codeql_standard_library_commit }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/validate-coding-standards.yml

@@ -18,7 +18,7 @@ env:
 jobs:
   validate-package-files:
     name: Validate Package Files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -63,7 +63,7 @@ jobs:
 
   validate-codeql-format:
     name: "Validate CodeQL Format"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -94,7 +94,7 @@ jobs:
 
   validate-query-help-files:
     name: Validate Query Help Files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -129,7 +129,7 @@ jobs:
 
   validate-cpp-test-files:
     name: Validate C++ Test Files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -152,7 +152,7 @@ jobs:
 
   validate-c-test-files:
     name: Validate C Test Files
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.github/workflows/validate-rules-csv.yml

@@ -0,0 +1,28 @@
+name: ⚙️ Validate Rules CSV
+
+on:
+  push:
+    branches:
+      - main
+      - "rc/**"
+      - next
+  pull_request:
+    branches:
+      - main
+      - "rc/**"
+      - next
+
+
+jobs:
+  validate-rules-csv:
+    name: Validate Rules CSV 
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Check Rules 
+        shell: pwsh
+        run: scripts/util/Get-DuplicateRules.ps1 -Language 'all' -CIMode
+
+      

.vscode/tasks.json

@@ -185,6 +185,7 @@
             "type": "pickString",
             "options": [
                 "Allocations",
+                "Banned",
                 "BannedFunctions",
                 "BannedLibraries",
                 "BannedSyntax",

c/cert/src/qlpack.yml

@@ -1,4 +1,4 @@
 name: cert-c-coding-standards
-version: 2.10.0
+version: 2.11.0-dev
 suites: codeql-suites
 libraryPathDependencies: common-c-coding-standards

c/cert/src/rules/ENV30-C/DoNotModifyTheReturnValueOfCertainFunctions.ql

@@ -13,57 +13,10 @@
 
 import cpp
 import codingstandards.c.cert
-import semmle.code.cpp.dataflow.DataFlow
-import DataFlow::PathGraph
+import codingstandards.cpp.rules.constlikereturnvalue.ConstLikeReturnValue
 
-/*
- * Call to functions that return pointers to environment objects that should not be modified.
- */
-
-class NotModifiableCall extends FunctionCall {
-  NotModifiableCall() {
-    this.getTarget()
-        .hasGlobalName(["getenv", "setlocale", "localeconv", "asctime", "strerror"])
-  }
-}
-
-/*
- * An expression that modifies an object.
- */
-
-class ObjectWrite extends Expr {
-  ObjectWrite() {
-    // the pointed object is reassigned
-    exists(Expr e |
-      e = [any(AssignExpr ae).getLValue(), any(CrementOperation co).getOperand()] and
-      (
-        this = e.(PointerDereferenceExpr).getOperand()
-        or
-        this = e.(PointerFieldAccess).getQualifier()
-      )
-    )
+class DoNotModifyTheReturnValueOfCertainFunctionsQuery extends ConstLikeReturnValueSharedQuery {
+  DoNotModifyTheReturnValueOfCertainFunctionsQuery() {
+    this = Contracts1Package::doNotModifyTheReturnValueOfCertainFunctionsQuery()
   }
 }
-
-/**
- * DF configuration for flows from a `NotModifiableCall` to a object modifications.
- */
-class DFConf extends DataFlow::Configuration {
-  DFConf() { this = "DFConf" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof NotModifiableCall
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ObjectWrite }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where
-  not isExcluded(sink.getNode().asExpr(),
-    Contracts1Package::doNotModifyTheReturnValueOfCertainFunctionsQuery()) and
-  // the modified object comes from a call to one of the ENV functions
-  any(DFConf d).hasFlowPath(source, sink)
-select sink.getNode(), source, sink,
-  "The object returned by the function " +
-    source.getNode().asExpr().(FunctionCall).getTarget().getName() + " should no be modified."