diff --git a/cpp/autosar/src/rules/A16-2-2/PreprocBlock.qll b/cpp/autosar/src/rules/A16-2-2/PreprocBlock.qll index f684b5d954..d83e33147c 100644 --- a/cpp/autosar/src/rules/A16-2-2/PreprocBlock.qll +++ b/cpp/autosar/src/rules/A16-2-2/PreprocBlock.qll @@ -43,7 +43,7 @@ class PreprocessorBlock extends @element { * The location spans column `startcolumn` of line `startline` to * column `endcolumn` of line `endline` in file `filepath`. * For more information, see - * [LGTM locations](https://lgtm.com/help/ql/locations). + * [CodeQL locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). */ predicate hasLocationInfo( string filepath, int startline, int startcolumn, int endline, int endcolumn diff --git a/docs/development_handbook.md b/docs/development_handbook.md index 897ab59d3b..8aeb1ee5e5 100644 --- a/docs/development_handbook.md +++ b/docs/development_handbook.md @@ -34,6 +34,7 @@ | 0.25.0 | 2022-07-22 | Jeroen Ketema | Document the existence and purpose of the `next` branch. | | 0.26.0 | 2022-08-10 | Remco Vermeulen | Address incorrect package file generation command. This was missing the required language argument. | | 0.27.0 | 2022-11-08 | Luke Cartey | Update the versions of C we intend to support to exclude C90, which reflects the intended scope at the outset of the project. | +| 0.28.0 | 2023-08-14 | Luke Cartey | Remove references to LGTM which is now a legacy product. | ## Scope of work 
@@ -475,7 +476,7 @@ For the purpose of this repository, and any tool qualification, we consider thes To (a) clearly specify the supported versions of these external dependencies and to (b) enable automation around them, the repository contains a `supported_codeql_configs.json` which lists the sets of supported configurations. There are four fields: * `codeql_cli` - this is the plain version number of the supported CodeQL CLI, e.g. `2.6.3`. - * `codeql_standard_library` - this is the name of a tag on the `github.com/github/codeql` repository. The tag should be compatible with the CodeQL CLI given above. For an enterprise release compatible with LGTM an `lgtm/v` should be chosen. For CodeQL CLI releases which are not tied to an enterprise release we would typically use `codeql-cli/v`, although any tag which is compatible is allowed. + * `codeql_standard_library` - this is the name of a tag on the `github.com/github/codeql` repository. The tag should be compatible with the CodeQL CLI given above. This would typically use the `codeql-cli/v` tag for the release, although any tag which is compatible is allowed. * `codeql_cli_bundle` - (optional) - if present, describes the CodeQL CLI bundle version that is compatible. The bundle should include precisely the CodeQL CLI version and CodeQL Standard Library versions specified in the two mandatory fields. * `ghes` - (optional) - if present describes the GitHub Enterprise Server release whose integrated copy of the CodeQL Action points to the CodeQL CLI bundle specified in the `codeql_cli_bundle` field. @@ -497,8 +498,8 @@ To upgrade the CodeQL external dependencies: - GHES - CodeQL CLI Bundle - and GitHub Enterprise Server > - + > + ## CodeQL dependency upgrade checklist: 
@@ -548,10 +549,9 @@ Ensure that the same release branch is created in the [codeql-coding-standards-h There is an automated CI/CD job ([Code Scanning Query Pack Generation](../.github/workflows/code-scanning-pack-gen.yml)) provided that generates the following release artifacts for Coding Standards: - - LGTM query pack - generates a query pack that can be deployed to LGTM. - - Code Scanning query pack - generates a zipped folder that can be used with the CodeQL CLI directly, or with GitHub Advanced Security. + - Code Scanning query pack - generates a zipped folder that can be used with the CodeQL CLI directly, or with GitHub Advanced Security. -**Use of LGTM and GitHub Advanced Security is not in scope for ISO 26262 tool qualification. See [user_manual.md#github-advanced-security-and-lgtm](user_manual.md#github-advanced-security-and-lgtm) for more information**. +**Use of Code Scanning within GitHub Advanced Security is not in scope for ISO 26262 tool qualification. See [user_manual.md#github-advanced-security](user_manual.md#github-advanced-security) for more information**. These run on every push to `main` and `rc/*`, and on every pull request, and are releasable without modification, assuming all other status checks succeed on the same commit. diff --git a/docs/iso_26262_tool_qualification.md b/docs/iso_26262_tool_qualification.md index 9240ecefc9..22de2f5a21 100644 --- a/docs/iso_26262_tool_qualification.md +++ b/docs/iso_26262_tool_qualification.md @@ -11,6 +11,7 @@ | 0.3.0 | 2021-09-08 | Luke Cartey | Update the customer table. | | 0.4.0 | 2021-09-19 | Luke Cartey | Add more detail on approach to V&V. Update section around increased confidence from use. | | 0.5.0 | 2021-11-29 | Remco Vermeulen | Add document management section. | +| 0.6.0 | 2023-08-14 | Luke Cartey | Update use and testing statement after LGTM.com deprecation. | ## Introduction 
@@ -100,9 +101,9 @@ The CodeQL CLI and CodeQL Standard Library for C++ are extensively used by both The versions of the CodeQL CLI and CodeQL Standard Library for C++ are identical to those shipped to both customers and open source users, and the use cases are comparable. -In terms of breadth of use, between the 4th September 2021 and 7th September 2021 11,788 open source C/C++ repositories were successfully analyzed on [LGTM.com](https://lgtm.com), a platform provided by GitHub for performing analysis of open source repositories[^1] using CodeQL. Each version of the CodeQL CLI and CodeQL Standard Library for C++ version will undergo similarly broad testing on LGTM.com before being adopted by the CodeQL Coding Standards. +In terms of breadth of use, between the 4th September 2021 and 7th September 2021 11,788 open source C/C++ repositories were successfully analyzed on [LGTM.com](https://lgtm.com), a platform provided by GitHub for performing analysis of open source repositories[^1] using CodeQL. In addition, at that time we also analyzed a further 748 C++ repos using CodeQL via the "Code Scanning" feature included in GitHub.com. This includes both private closed source and open source software. -In addition to testing on LGTM.com, we have also analyzed a further 748 C++ repos using CodeQL via the "Code Scanning" feature included in GitHub.com. This includes both private closed source and open source software. +Each version of the CodeQL CLI and CodeQL Standard Library for C++ version will undergo similarly broad testing on GitHub.com before being adopted by the CodeQL Coding Standards. In addition, the following companies have publicly described their use of CodeQL for C++: diff --git a/docs/user_manual.md b/docs/user_manual.md index 29e5e737c9..a1404b62b4 100644 --- a/docs/user_manual.md +++ b/docs/user_manual.md 
@@ -20,16 +20,17 @@ | 0.12.0 | 2022-10-21 | Luke Cartey | Updated version to 2.10.0 | | 0.13.0 | 2022-11-03 | Remco Vermeulen | Add missing deviation analysis report tables to section 'Producing an analysis report'. | | 0.14.0 | 2022-11-03 | Remco Vermeulen | Add guideline recategorization plan. | -| 0.15.0 | 2023-05-24 | Mauro Baluda | Clarify AUTOSAR C++ supported versions. | +| 0.15.0 | 2023-05-24 | Mauro Baluda | Clarify AUTOSAR C++ supported versions. | +| 0.16.0 | 2023-07-03 | Luke Cartey | Remove reference to LGTM, update the name of the query pack | ## Release information This user manual documents release `2.21.0-dev` of the coding standards located at [https://github.com/github/codeql-coding-standards](https://github.com/github/codeql-coding-standards). The release page documents the release notes and contains the following artifacts part of the release: -- `code-scanning-cpp-query-pack-anon-2.21.0-dev.zip`: coding standard queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_. +- `code-scanning-cpp-query-pack-2.21.0-dev.zip`: coding standard queries and scripts to be used with GitHub Code Scanning or the CodeQL CLI as documented in the section _Operating manual_. - `supported_rules_list_2.21.0-dev.csv`: A Comma Separated File (CSV) containing the supported rules per standard and the queries that implement the rule. -- `upported_rules_list_2.18.0-dev.md`: A Markdown formatted file with a table containing the supported rules per standard and the queries that implement the rule. +- `supported_rules_list_2.21.0-dev.md`: A Markdown formatted file with a table containing the supported rules per standard and the queries that implement the rule. - `user_manual_2.21.0-dev.md`: This user manual. 
- `Source Code (zip)`: A zip archive containing the contents of https://github.com/github/codeql-coding-standards - `Source Code (tar.gz)`: A GZip compressed tar archive containing the contents of https://github.com/github/codeql-coding-standards @@ -426,13 +427,12 @@ and the schema files: The schema files **must** be available in the same directory as the `recategorize.py` file or in any ancestor directory. -### GitHub Advanced Security and LGTM +### GitHub Advanced Security The only use cases that will be certified under ISO 26262 are those listed above. CodeQL Coding Standards is also compatible with, but not certified for, the following use cases: - Creating databases and running the CodeQL Coding Standards queries with the [CodeQL Action](https://github.com/github/codeql-action) (for GitHub Actions CI/CD system). - Uploading the SARIF results files for a CodeQL Coding Standards analysis to the GitHub [Code Scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) feature. - - Deployment of the default CodeQL Coding Standards queries as a custom query pack for [LGTM](https://semmle.com/lgtm). ### Hazard and risk analysis diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh index 5c4209ac99..27a15b8ab8 100644 --- a/scripts/bump_version.sh +++ b/scripts/bump_version.sh 
@@ -14,7 +14,7 @@ find . -name 'qlpack.yml' | grep -v './codeql_modules' | grep -v './scripts' | x # update the documentation. -find docs -name 'user_manual.md' | xargs sed -i "s/code-scanning-cpp-query-pack-anon-.*\.zip\`/code-scanning-cpp-query-pack-anon-${1}.zip\`/" +find docs -name 'user_manual.md' | xargs sed -i "s/code-scanning-cpp-query-pack-.*\.zip\`/code-scanning-cpp-query-pack-${1}.zip\`/" find docs -name 'user_manual.md' | xargs sed -i "s/supported_rules_list_.*\.csv\`/supported_rules_list_${1}.csv\`/" find docs -name 'user_manual.md' | xargs sed -i "s/supported_rules_list_.*\.md\`/upported_rules_list_${1}.md\`/" find docs -name 'user_manual.md' | xargs sed -i "s/user_manual_.*\.md\`/user_manual_${1}.md\`/"
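Review bot: in the `cpp/autosar/src/rules/A16-2-2/PreprocBlock.qll` hunk the replacement link is the right target, but `hasLocationInfo` doc comments with the old `https://lgtm.com/help/ql/locations` link are a common pattern in CodeQL libraries; check whether other `.qll` files in the repo carry the same link and update them in the same pass, since the commit's stated purpose is removing LGTM references.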
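Review bot: the `> -` / `> +` lines in the `docs/development_handbook.md` hunk at `@@ -497,8 +498,8 @@` look like a whitespace-only change to a blockquote line, with no visible content difference; if that is unintentional, drop it so the change carries only the LGTM removals it describes.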
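Review bot: the rewritten paragraph in `docs/iso_26262_tool_qualification.md` at `@@ -100,9 +101,9 @@` still describes LGTM.com in the present tense ("a platform provided by GitHub for performing analysis of open source repositories") even though the changelog row added in the same file says the update is "after LGTM.com deprecation"; recast it as a historical data point ("was a platform provided by GitHub") so the qualification document does not point readers at a retired service. The new sentence "Each version of the CodeQL CLI and CodeQL Standard Library for C++ version will undergo" also duplicates "version"; suggest "Each version of the CodeQL CLI and CodeQL Standard Library for C++ will undergo similarly broad testing on GitHub.com".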
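Review bot: in the `docs/user_manual.md` changelog hunk at `@@ -20,16 +20,17 @@` the new 0.16.0 row is dated 2023-07-03, while the rows added for the same LGTM removal in `docs/development_handbook.md` (0.28.0) and `docs/iso_26262_tool_qualification.md` (0.6.0) are dated 2023-08-14; align the dates if these edits belong to one change. The 0.15.0 row is also removed and re-added with identical visible text, which reads as a whitespace-only change. Correcting `upported_rules_list_2.18.0-dev.md` to `supported_rules_list_2.21.0-dev.md` is right, but it will not survive the next version bump unless `scripts/bump_version.sh` is fixed too (see the note on that file).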
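Review bot: the artifact is renamed from `code-scanning-cpp-query-pack-anon-<version>.zip` to `code-scanning-cpp-query-pack-<version>.zip` in `docs/user_manual.md` and `scripts/bump_version.sh`, but no change to `.github/workflows/code-scanning-pack-gen.yml`, which `docs/development_handbook.md` names as the job that generates the release artifacts, appears in this diff; confirm that the workflow already emits the new file name, otherwise the user manual will document an artifact that the release page does not contain.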
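Review bot: the unchanged line directly below the edited one in `scripts/bump_version.sh` still writes `upported_rules_list_${1}.md` (missing the leading `s`), so the next run of the script will turn the `supported_rules_list_2.21.0-dev.md` entry just corrected in `docs/user_manual.md` back into `upported_rules_list_<version>.md`. This also explains why that entry was stuck at 2.18.0 while its neighbours said 2.21.0: the search pattern `supported_rules_list_.*\.md` never matched the misspelled text, so the line was never bumped. Fix the replacement in the same change: `find docs -name 'user_manual.md' | xargs sed -i "s/supported_rules_list_.*\.md\`/supported_rules_list_${1}.md\`/"`.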