Enable new CodeQL queries (17 total)

Updates the queries opted into by Project Mu available in the standard CodeQL query package `codeql/cpp-queries`. I tested many queries and found the included set here to be the most useful with the least number of false positives. Some queries had a number of issues that led to them being placed on the exclusion list so they are not considered in the future without the notes there being taken into account. General details about queries available in the pack are available here: https://codeql.github.com/codeql-query-help/cpp/ The changelog for the query pack is available here: https://github.com/github/codeql/blob/codeql-cli/latest/cpp/ql/src/CHANGELOG.md The following new queries are enabled organized alphabetically within sections grouped by type: Errors: - cpp/missing-return - cpp/no-space-for-terminator - cpp/pointer-overflow-check - cpp/redundant-null-check-simple - cpp/very-likely-overrunning-write Warnings: - cpp/comparison-precedence - cpp/implicit-bitfield-downcast - cpp/offset-use-before-range-check - cpp/overflow-calculated - cpp/overflow-destination - cpp/return-stack-allocated-memory - cpp/static-buffer-overflow - cpp/unsigned-comparison-zero Recommendations: - cpp/missing-header-guard - cpp/unused-local-variable - cpp/unused-static-function - cpp/unused-static-variable The following queries are newly explicitly excluded as noted in the file: - cpp/allocation-too-small - cpp/commented-out-code - cpp/duplicate-include-guard - cpp/invalid-pointer-deref - cpp/useless-expression Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
2023-09-05 10:37:40 -04:00 · 2023-09-05 10:37:40 -04:00 · ec8d179329
--- a/.pytool/Plugin/CodeQL/MuCodeQlQueries.qls
+++ b/.pytool/Plugin/CodeQL/MuCodeQlQueries.qls
@ -4,50 +4,132 @@
 - queries: '.'
  from: codeql/cpp-queries

-# "Core" Queries
+##########################################################################################
+# "Core" Queries - Part of Core SDL
+##########################################################################################
+
+## Errors
 - include:
    id: cpp/badoverflowguard
+- include:
+    id: cpp/likely-bugs/memory-management/v2/conditionally-uninitialized-variable
+- include:
+    id: cpp/pointer-overflow-check
+- include:
+    id: cpp/unguardednullreturndereference
+
+## Warnings
 - include:
    id: cpp/comparison-with-wider-type
 - include:
    id: cpp/conditionallyuninitializedvariable
- include:
-    id: cpp/likely-bugs/memory-management/v2/conditionally-uninitialized-variable
 - include:
    id: cpp/paddingbyteinformationdisclosure
- include:
-    id: cpp/pointer-overflow-check
- include:
-    id: cpp/redundant-null-check-param
- include:
-    id: cpp/unguardednullreturndereference
 - include:
    id: cpp/uselesstest

-# Additional Fundamental Queries Not Originally Run
+## Recommendations
 - include:
-    id: cpp/infinite-loop-with-unsatisfiable-exit-condition
+    id: cpp/redundant-null-check-param
+
+##########################################################################################
+# Extra Queries - Outside Core SDL
+##########################################################################################
+
+## Enable When Time is Available to Fix Issues
+# Hundreds of issues. Most appear valid. Type: Recommendation.
+#- include:
+#    id: cpp/missing-null-test
+
+## Errors
 - include:
    id: cpp/infiniteloop
 - include:
-    id: cpp/overflow-buffer
+    id: cpp/missing-return
+- include:
+    id: cpp/no-space-for-terminator
+- include:
+    id: cpp/pointer-overflow-check
+- include:
+    id: cpp/redundant-null-check-simple
 - include:
    id: cpp/sizeof/const-int-argument
 - include:
    id: cpp/sizeof/sizeof-or-operation-as-argument
+- include:
+    id: cpp/very-likely-overrunning-write

+## Warnings
+- include:
+    id: cpp/comparison-precedence
+- include:
+    id: cpp/implicit-bitfield-downcast
+- include:
+    id: cpp/infinite-loop-with-unsatisfiable-exit-condition
+- include:
+    id: cpp/offset-use-before-range-check
+- include:
+    id: cpp/overflow-buffer
+- include:
+    id: cpp/overflow-calculated
+- include:
+    id: cpp/overflow-destination
+- include:
+    id: cpp/return-stack-allocated-memory
+- include:
+    id: cpp/static-buffer-overflow
+- include:
+    id: cpp/unsigned-comparison-zero
+
+## Recommendations
+- include:
+    id: cpp/missing-header-guard
+- include:
+    id: cpp/unused-local-variable
+- include:
+    id: cpp/unused-static-function
+- include:
+    id: cpp/unused-static-variable
+
+# Note: Some queries above are not active by default with the below filter.
+#       Update the filter and run the queries again to get all results.
 - include:
    tags:
      - "security"
      - "correctness"
-    severity: "error"
+    severity:
+      - "error"
+      - "warning"
+      - "recommendation"

 # Specifically hide the results of these.
+#
+# The following rules have been evaluated and explicitly not included for the following reasons:
+#   - `cpp/allocation-too-small` - Appears to be hardcoded for C standard library functions `malloc`, `calloc`,
+#     `realloc`, so it consumes time without much value with custom allocation functions in the codebase.
+#   - `cpp/commented-out-code` - Triggers (way) too often on MU_CHANGE tags.
+#   - `cpp/duplicate-include-guard` - The <Phase>EntryPoint.h files includes a common include guard value
+#     `__MODULE_ENTRY_POINT_H__`. This was the only occurrence found. So not very useful.
+#   - `cpp/invalid-pointer-deref` - Very limited results with what appear to be false positives.
+#   - `cpp/use-of-goto` - Goto is valid and allowed in the codebase.
+#   - `cpp/useless-expression` - Triggers too often on cases where a NULL lib implementation is provided for a function.
+#     Because the implementation simply returns, the check considers it useless.
+#   - `cpp/weak-crypto/*` - Crypto algorithms are tracked outside CodeQL.
+- exclude:
+    id: cpp/allocation-too-small
+- exclude:
+    id: cpp/commented-out-code
+- exclude:
+    id: cpp/duplicate-include-guard
+- exclude:
+    id: cpp/invalid-pointer-deref
 - exclude:
    id: cpp/use-of-goto
+- exclude:
+    id: cpp/useless-expression
 - exclude:
    id: cpp/weak-crypto/banned-hash-algorithms
- exclude:
-    id: cpp/weak-crypto/openssl/banned-hash-algorithms
 - exclude:
    id: cpp/weak-crypto/capi/banned-modes
+- exclude:
+    id: cpp/weak-crypto/openssl/banned-hash-algorithms
--- a/CodeQlFilters.yml
+++ b/CodeQlFilters.yml
@ -15,6 +15,7 @@

 {
  "Filters": [
+    "-**/CryptoPkg/Library/**:cpp/missing-header-guard",
    "-**/CryptoPkg/Library/BaseCryptLib/**/*.c:SM02690",
    "-**/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c:SM02311",
    "-**/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c:SM02311",
@ -22,6 +23,7 @@
    "-**/CryptoPkg/Library/OpensslLib/**/*.c:*",
    "-**/MdeModulePkg/Bus/Pci/PciBusDxe/PciResourceSupport.c:SM02311",
    "-**/MdeModulePkg/Core/Pei/Ppi/Ppi.c:cpp/overflow-buffer",
+    "-**/MdeModulePkg/Core/PiSmmCore/MemoryAttributesTable.c:cpp/unused-static-function",
    "-**/MdeModulePkg/Library/UefiBootManagerLib/BmConsole.c:SM02311",
    "-**/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c:SM02311",
    "-**/MdeModulePkg/Universal/Acpi/S3SaveStateDxe/AcpiS3ContextSave.c:SM02311",
@ -39,8 +41,11 @@
    "-**/NetworkPkg/Ip6Dxe/Ip6Output.c:SM02313",
    # Todo: Exclude for now, needs more review and testing
    "-**/NetworkPkg/Ip6Dxe/Ip6Output.c:cpp/likely-bugs/memory-management/v2/conditionally-uninitialized-variable",
+    "-**/NetworkPkg/IScsiDxe/IScsiDhcp.c:cpp/offset-use-before-range-check",
+    "-**/NetworkPkg/IScsiDxe/IScsiDhcp6.c:cpp/offset-use-before-range-check",
    "-**/ShellPkg/Application/Shell/ShellManParser.c:cpp/redundant-null-check-param",
    "-**/ShellPkg/Application/Shell/ShellProtocol.c:SM02311",
+    "-**/ShellPkg/Library/**:cpp/redundant-null-check-simple",
    "-**/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Aest/AestParser.c:cpp/overflow-buffer",
    "-**/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c:cpp/overflow-buffer",
    "-**/ShellPkg/Library/UefiShellDebug1CommandsLib/DmpStore.c:SM02311",