Merge pull request #896 from github/lcartey/add-cert-extra-properties

CERT: Add query tags for "Risk Assessment" properties

Author: lcartey

c/cert/src/codeql-suites/cert-c-l1.qls

@@ -0,0 +1,12 @@
+- description: CERT C 2016 Level 1 Rules (Priority 12 - Priority 27)
+- qlpack: codeql/cert-c-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    - external/cert/obligation/rule
+    tags contain:
+    - external/cert/level/l1
+- exclude:
+    tags contain:
+    - external/cert/default-disabled

c/cert/src/codeql-suites/cert-c-l2.qls

@@ -0,0 +1,12 @@
+- description: CERT C 2016 Level 2 Rules (Priority 6 - Priority 9)
+- qlpack: codeql/cert-c-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    - external/cert/obligation/rule
+    tags contain:
+    - external/cert/level/l2
+- exclude:
+    tags contain:
+    - external/cert/default-disabled

c/cert/src/codeql-suites/cert-c-l3.qls

@@ -0,0 +1,12 @@
+- description: CERT C 2016 Level 3 Rules (Priority 1 - Priority 4)
+- qlpack: codeql/cert-c-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    - external/cert/obligation/rule
+    tags contain:
+    - external/cert/level/l3
+- exclude:
+    tags contain:
+    - external/cert/default-disabled

c/cert/src/rules/ARR30-C/DoNotFormOutOfBoundsPointersOrArraySubscripts.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/arr30-c
  *       correctness
  *       security
+ *       external/cert/severity/high
+ *       external/cert/likelihood/likely
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p9
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/ARR32-C/VariableLengthArraySizeNotInValidRange.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/arr32-c
  *       correctness
  *       security
+ *       external/cert/severity/high
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p6
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/ARR36-C/DoNotRelatePointersThatDoNotReferToTheSameArray.ql

@@ -8,6 +8,11 @@
  * @problem.severity warning
  * @tags external/cert/id/arr36-c
  *       correctness
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p8
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/ARR36-C/DoNotSubtractPointersThatDoNotReferToTheSameArray.ql

@@ -8,6 +8,11 @@
  * @problem.severity warning
  * @tags external/cert/id/arr36-c
  *       correctness
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p8
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/ARR37-C/DoNotUsePointerArithmeticOnNonArrayObjectPointers.ql

@@ -8,6 +8,11 @@
  * @problem.severity error
  * @tags external/cert/id/arr37-c
  *       correctness
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p8
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/ARR38-C/LibraryFunctionArgumentOutOfBounds.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/arr38-c
  *       correctness
  *       security
+ *       external/cert/severity/high
+ *       external/cert/likelihood/likely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p18
+ *       external/cert/level/l1
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql

@@ -8,6 +8,11 @@
  * @problem.severity error
  * @tags external/cert/id/arr39-c
  *       correctness
+ *       external/cert/severity/high
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p6
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON30-C/CleanUpThreadSpecificStorage.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con30-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p4
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON31-C/DoNotAllowAMutexToGoOutOfScopeWhileLocked.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con31-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p4
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON31-C/DoNotDestroyAMutexWhileItIsLocked.ql

@@ -8,6 +8,11 @@
  * @tags external/cert/id/con31-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p4
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON32-C/PreventDataRacesWithMultipleThreads.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con32-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p8
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON33-C/RaceConditionsWhenUsingLibraryFunctions.ql

@@ -8,6 +8,11 @@
  * @tags external/cert/id/con33-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p4
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON34-C/AppropriateThreadObjectStorageDurations.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con34-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p4
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON34-C/ThreadObjectStorageDurationsNotInitialized.ql

@@ -10,6 +10,11 @@
  *       external/cert/audit
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p4
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON35-C/DeadlockByLockingInPredefinedOrder.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con35-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/low
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p4
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON36-C/WrapFunctionsThatCanSpuriouslyWakeUpInLoop.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con36-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p2
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON37-C/DoNotCallSignalInMultithreadedProgram.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con37-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/low
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/low
+ *       external/cert/priority/p6
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON38-C/PreserveSafetyWhenUsingConditionVariables.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con38-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p2
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON39-C/ThreadWasPreviouslyJoinedOrDetached.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con39-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/low
+ *       external/cert/likelihood/likely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p6
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON40-C/AtomicVariableTwiceInExpression.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con40-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/medium
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p8
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/CON41-C/WrapFunctionsThatCanFailSpuriouslyInLoop.ql

@@ -9,6 +9,11 @@
  * @tags external/cert/id/con41-c
  *       correctness
  *       concurrency
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p2
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL30-C/AppropriateStorageDurationsFunctionReturn.ql

@@ -8,6 +8,11 @@
  * @problem.severity error
  * @tags external/cert/id/dcl30-c
  *       correctness
+ *       external/cert/severity/high
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p6
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL30-C/AppropriateStorageDurationsStackAdressEscape.ql

@@ -8,6 +8,11 @@
  * @problem.severity error
  * @tags external/cert/id/dcl30-c
  *       correctness
+ *       external/cert/severity/high
+ *       external/cert/likelihood/probable
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p6
+ *       external/cert/level/l2
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL31-C/DeclareIdentifiersBeforeUsingThem.ql

@@ -8,6 +8,11 @@
  * @tags external/cert/id/dcl31-c
  *       correctness
  *       readability
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/low
+ *       external/cert/priority/p3
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL37-C/DoNotDeclareOrDefineAReservedIdentifier.ql

@@ -9,6 +9,11 @@
  *       correctness
  *       maintainability
  *       readability
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/low
+ *       external/cert/priority/p3
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL38-C/DeclaringAFlexibleArrayMember.ql

@@ -10,6 +10,11 @@
  *       correctness
  *       maintainability
  *       readability
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/low
+ *       external/cert/priority/p3
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL39-C/InformationLeakageAcrossTrustBoundariesC.md

@@ -249,7 +249,7 @@ In addition, this solution assumes that there are no integer padding bits in an
 
 From this situation, it can be seen that special care must be taken because no solution to the bit-field padding issue will be 100% portable.
 
-Risk Assessment
+## Risk Assessment
 
 Padding units might contain sensitive data because the C Standard allows any padding to take [unspecified values](https://wiki.sei.cmu.edu/confluence/display/c/BB.+Definitions#BB.Definitions-unspecifiedvalue). A pointer to such a structure could be passed to other functions, causing information leakage.
 

c/cert/src/rules/DCL39-C/InformationLeakageAcrossTrustBoundariesC.ql

@@ -8,6 +8,11 @@
  * @problem.severity error
  * @tags external/cert/id/dcl39-c
  *       security
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/high
+ *       external/cert/priority/p1
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL40-C/ExcessLengthNamesIdentifiersNotDistinct.ql

@@ -9,6 +9,11 @@
  *       correctness
  *       maintainability
  *       readability
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p2
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */
 

c/cert/src/rules/DCL40-C/IncompatibleFunctionDeclarations.ql

@@ -11,6 +11,11 @@
  *       correctness
  *       maintainability
  *       readability
+ *       external/cert/severity/low
+ *       external/cert/likelihood/unlikely
+ *       external/cert/remediation-cost/medium
+ *       external/cert/priority/p2
+ *       external/cert/level/l3
  *       external/cert/obligation/rule
  */