CodeQL query help for C and C++¶
Visit the articles below to see the documentation for the queries included in the following query suites:
code-scanning: queries run by default in CodeQL code scanning on GitHub.security-extended: queries fromcode-scanning, plus extra security queries with slightly lower precision and severity.security-and-quality: queries fromcode-scanning,security-extended, plus extra maintainability and reliability queries.
These queries are published in the CodeQL query pack codeql/cpp-queries (changelog, source).
For shorter queries that you can use as building blocks when writing your own queries, see the example queries in the CodeQL repository.
- ‘new’ object freed with ‘delete[]’
- ‘new[]’ array freed with ‘delete’
- Accidental rethrow
- Ambiguously signed bit-field member
- Arithmetic operation assumes 365 days per year
- Array argument size mismatch
- Array offset used before range check
- Assignment where comparison was intended
- Authentication bypass by spoofing
- Avoid floats in for loops
- Bad check for oddness
- Bad check for overflow of integer addition
- Badly bounded write
- Block with too many statements
- CGI script vulnerable to cross-site scripting
- Call to
memsetmay be deleted - Call to a function with one or more incompatible arguments
- Call to alloca in a loop
- Call to function with extraneous arguments
- Call to function with fewer arguments than declared parameters
- Cast between HRESULT and a Boolean type
- Cast from char* to wchar_t*
- Catching by value
- Certificate not checked
- Certificate result conflation
- Cleartext storage of sensitive information in an SQLite database
- Cleartext storage of sensitive information in buffer
- Cleartext storage of sensitive information in file
- Cleartext transmission of sensitive information
- Comma before misleading indentation
- Commented-out code
- Comparison of narrow type with wide type in loop condition
- Comparison result is always the same
- Comparison where assignment was intended
- Complex condition
- Constant return type
- Constant return type on member
- Continue statement that does not continue
- Dangerous use of ‘cin’
- Dead code due to goto or break statement
- Declaration hides parameter
- Declaration hides variable
- Dubious NULL check
- Duplicate include guard
- Empty branch of conditional
- Equality test on floating-point values
- Exception thrown in destructor
- Exposure of system data to an unauthorized control sphere
- Expression has no effect
- FIXME comment
- Failure to use HTTPS URLs
- File created without restricting permissions
- File opened with O_CREAT flag but without mode argument
- For loop variable changed in body
- Function declared in block
- Futile conditional
- Implicit downcast from bitfield
- Implicit function declaration
- Include header files only
- Inconsistent definition of copy constructor and assignment (’Rule of Two’)
- Inconsistent direction of for loop
- Inconsistent nullness check
- Inconsistent operation on return value
- Inconsistent virtual inheritance
- Incorrect ‘not’ operator usage
- Incorrect allocation-error handling
- Incorrect constructor delegation
- Irregular enum initialization
- Large object passed by value
- Leaky catch
- Likely overrunning write
- Lines of code in files
- Lines of commented-out code in files
- Lines of comments in files
- Local variable address stored in non-local memory
- Local variable hides global variable
- Long switch case
- Lossy function result cast
- Lossy pointer cast
- Mismatching new/free or malloc/delete
- Missing enum case in switch
- Missing header guard
- Missing return statement
- Missing return-value check for a ‘scanf’-like function
- Multiplication result converted to larger type
- NULL application name with an unquoted path in call to CreateProcess
- Nested loops with same variable
- No raw arrays in interfaces
- No space for zero terminator
- No trivial switch statements
- Non-constant format string
- Non-virtual destructor in base class
- Not enough memory allocated for array of pointer type
- Not enough memory allocated for pointer type
- Number of tests
- Overflow in uncontrolled allocation size
- Overloaded assignment does not return ‘this’
- Pointer overflow check
- Poorly documented large function
- Possibly wrong buffer size in string copy
- Potential exposure of sensitive system data to an unauthorized control sphere
- Potentially overflowing call to snprintf
- Potentially overrunning write
- Potentially overrunning write with float to string conversion
- Potentially uninitialized local variable
- Potentially unsafe call to strncat
- Potentially unsafe use of strcat
- Redefined default parameter
- Resource not released in destructor
- Return c_str of local std::string
- Returning stack-allocated memory
- Self comparison
- Setting a DACL to NULL in a SECURITY_DESCRIPTOR
- Short global name
- Short-circuiting operator applied to flag
- Sign check of bitwise operation
- Signed overflow check
- Sizeof with side effects
- Slicing
- Static array access may cause overflow
- Suspicious ‘sizeof’ use
- Suspicious add with sizeof
- Suspicious pointer scaling
- Suspicious pointer scaling to void
- Throwing pointers
- Time-of-check time-of-use filesystem race condition
- Too few arguments to formatting function
- Too many arguments to formatting function
- Unbounded write
- Unchecked return value for time conversion function
- Unclear comparison precedence
- Uncontrolled data in SQL query
- Uncontrolled data in arithmetic expression
- Uncontrolled data used in OS command
- Uncontrolled data used in path expression
- Uncontrolled format string
- Uncontrolled format string (through global variable)
- Uncontrolled process operation
- Undisciplined multiple inheritance
- Unsafe use of this in constructor
- Unsigned comparison to zero
- Unsigned difference expression compared to zero
- Unterminated variadic call
- Untrusted input for a condition
- Unused local variable
- Unused static function
- Unused static variable
- Upcast array used in pointer arithmetic
- Use of a broken or risky cryptographic algorithm
- Use of a cryptographic algorithm with insufficient key size
- Use of a version of OpenSSL with Heartbleed
- Use of dangerous function
- Use of expired stack-address
- Use of goto
- Use of integer where enum is preferred
- Use of potentially dangerous function
- Use of string copy function in a condition
- Variable used in its own initializer
- Virtual call from constructor or destructor
- Wrong type of arguments to formatting function
- XML external entity expansion
- Year field changed using an arithmetic operation without checking for leap year