CodeQL query help for C and C++
Visit the articles below to see the documentation for the queries included in the following query suites:
- code-scanning: queries run by default in CodeQL code scanning on GitHub.
- security-extended: queries from code-scanning, plus extra security queries with slightly lower precision and severity.
- security-and-quality: queries from code-scanning, security-extended, plus extra maintainability and reliability queries.
For shorter queries that you can use as building blocks when writing your own queries, see the example queries in the CodeQL repository.
- ‘new’ object freed with ‘delete[]’
- ‘new[]’ array freed with ‘delete’
- Accidental rethrow
- Ambiguously signed bit-field member
- Array argument size mismatch
- Assignment where comparison was intended
- Bad check for overflow of integer addition
- Badly bounded write
- CGI script vulnerable to cross-site scripting
- Call to alloca in a loop
- Call to function with extraneous arguments
- Call to function with fewer arguments than declared parameters
- Cast between HRESULT and a Boolean type
- Cast from char* to wchar_t*
- Catching by value
- Comparison of narrow type with wide type in loop condition
- Comparison result is always the same
- Comparison where assignment was intended
- Constant return type
- Constant return type on member
- Continue statement that does not continue
- Dangerous use of ‘cin’
- Dead code due to goto or break statement
- Declaration hides parameter
- Dubious NULL check
- Duplicate include guard
- Empty branch of conditional
- Exception thrown in destructor
- Expression has no effect
- FIXME comment
- Function declared in block
- Implicit downcast from bitfield
- Implicit function declaration
- Inconsistent definition of copy constructor and assignment (‘Rule of Two’)
- Inconsistent direction of for loop
- Inconsistent virtual inheritance
- Incorrect constructor delegation
- Large object passed by value
- Leaky catch
- Lines of code in files
- Lines of commented-out code in files
- Lines of comments in files
- Local variable hides global variable
- Lossy pointer cast
- Mismatching new/free or malloc/delete
- Missing return statement
- Multiplication result converted to larger type
- No space for zero terminator
- Non-virtual destructor in base class
- Number of tests
- Overloaded assignment does not return ‘this’
- Pointer overflow check
- Potentially overflowing call to snprintf
- Redefined default parameter
- Resource not released in destructor
- Return c_str of local std::string
- Returning stack-allocated memory
- Self comparison
- Setting a DACL to NULL in a SECURITY_DESCRIPTOR
- Short global name
- Short-circuiting operator applied to flag
- Sign check of bitwise operation
- Signed overflow check
- Slicing
- Suspicious add with sizeof
- Throwing pointers
- Too few arguments to formatting function
- Unclear comparison precedence
- Uncontrolled data in SQL query
- Uncontrolled format string
- Uncontrolled format string (through global variable)
- Unsafe use of this in constructor
- Unsigned comparison to zero
- Upcast array used in pointer arithmetic
- Use of a version of OpenSSL with Heartbleed
- Use of dangerous function
- Use of goto
- Use of potentially dangerous function
- Use of string copy function in a condition
- Variable used in its own initializer
- Virtual call from constructor or destructor
- Wrong type of arguments to formatting function