From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Sean Brogan , Michael Kubacki , Michael D Kinney
Subject: [edk2-devel] [PATCH v1 11/12] .github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries
Date: Wed, 9 Nov 2022 12:32:45 -0500
Message-Id: <20221109173246.174-12-mikuback@linux.microsoft.com>
In-Reply-To: <20221109173246.174-1-mikuback@linux.microsoft.com>
References: <20221109173246.174-1-mikuback@linux.microsoft.com>

From: Michael Kubacki

The previous commits fixed issues with these queries across various
packages. Now that those are resolved, enable the queries in the edk2
query set so regressions can be found in the future.

Enables:

1. cpp/conditionallyuninitializedvariable
   - CWE: https://cwe.mitre.org/data/definitions/457.html
   - @name Conditionally uninitialized variable
   - @description An initialization function is used to initialize a
     local variable, but the returned status code is not checked. The
     variable may be left in an uninitialized state, and reading the
     variable may result in undefined behavior.
   - @kind problem
   - @problem.severity warning
   - @security-severity 7.8
   - @id cpp/conditionally-uninitialized-variable
   - @tags security
   - external/cwe/cwe-457

2. cpp/pointer-overflow-check
   - CWE: https://cwe.mitre.org/data/definitions/758.html
   - @name Pointer overflow check
   - @description Adding a value to a pointer to check if it overflows
     relies on undefined behavior and may lead to memory corruption.
   - @kind problem
   - @problem.severity error
   - @security-severity 2.1
   - @precision high
   - @id cpp/pointer-overflow-check
   - @tags reliability
   - security
   - external/cwe/cwe-758

3. cpp/potential-buffer-overflow
   - CWE: https://cwe.mitre.org/data/definitions/676.html
   - @name Potential buffer overflow
   - @description Using a library function that does not check buffer
     bounds requires the surrounding program to be very carefully
     written to avoid buffer overflows.
   - @kind problem
   - @id cpp/potential-buffer-overflow
   - @problem.severity warning
   - @security-severity 10.0
   - @tags reliability
   - security
   - external/cwe/cwe-676
   - @deprecated This query is deprecated, use Potentially overrunning
     write (`cpp/overrunning-write`) and Potentially overrunning write
     with float to string conversion
     (`cpp/overrunning-write-with-float`) instead.

Note that cpp/potential-buffer-overflow is deprecated. This query will
be updated to the succeeding queries in the next commit.
The query is used in this commit to show that we considered and tested
the query in history.

Cc: Sean Brogan
Cc: Michael Kubacki
Cc: Michael D Kinney
Signed-off-by: Michael Kubacki
Reviewed-by: Michael D Kinney
--- .github/codeql/edk2.qls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls index ef9aae790f5f..dc2d87764e93 100644 --- a/.github/codeql/edk2.qls +++ b/.github/codeql/edk2.qls @@ -8,7 +8,14 @@ =20 # Enable individual queries below. =20 +- include: + id: cpp/conditionallyuninitializedvariable - include: id: cpp/infinite-loop-with-unsatisfiable-exit-condition - include: id: cpp/overflow-buffer +- include: + id: cpp/pointer-overflow-check +- include: + id: cpp/potential-buffer-overflow + --=20 2.28.0.windows.1
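
Review bot: The first added entry uses `id: cpp/conditionallyuninitializedvariable`, which does not match the `@id cpp/conditionally-uninitialized-variable` that the commit message quotes for the same query. A query suite `id:` filter selects on the query's `@id` metadata, so as written this include is likely to match nothing and the CWE-457 check would be silently absent from the suite with no error to flag it. Suggest changing the entry to `id: cpp/conditionally-uninitialized-variable` and confirming from the resolved query list that all three new ids are actually selected. Two smaller points in the same hunk: `cpp/potential-buffer-overflow` is enabled even though the commit message notes it is deprecated, so a one-line comment in the `.qls` above that entry would explain why it is there for anyone reading the file outside this series; and the final bare `+` line adds a trailing blank line at the end of the file that can be dropped.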