• CodeQL query help documentation »

CodeQL query help for C and C++

Visit the articles below to see the documentation for the queries included in the following query suites:

• default: queries run by default in CodeQL code scanning on GitHub.

• security-extended: queries from default, plus extra security queries with slightly lower precision and severity.

• security-and-quality: queries from default, security-extended, plus extra maintainability and reliability queries.

These queries are published in the CodeQL query pack codeql/cpp-queries (changelog, source).

For shorter queries that you can use as building blocks when writing your own queries, see the example queries in the CodeQL repository.

• ‘new’ object freed with ‘delete[]’
• ‘new[]’ array freed with ‘delete’
• Accidental rethrow
• Ambiguously signed bit-field member
• Arithmetic operation assumes 365 days per year
• Array argument size mismatch
• Array offset used before range check
• Assignment where comparison was intended
• Authentication bypass by spoofing
• Avoid floats in for loops
• Bad check for oddness
• Bad check for overflow of integer addition
• Badly bounded write
• Block with too many statements
• CGI script vulnerable to cross-site scripting
• Call to memset may be deleted
• Call to a function with one or more incompatible arguments
• Call to alloca in a loop
• Call to function with extraneous arguments
• Call to function with fewer arguments than declared parameters
• Cast between HRESULT and a Boolean type
• Cast from char* to wchar_t*
• Catching by value
• Certificate not checked
• Certificate result conflation
• Cleartext storage of sensitive information in an SQLite database
• Cleartext storage of sensitive information in buffer
• Cleartext storage of sensitive information in file
• Cleartext transmission of sensitive information
• Comma before misleading indentation
• Commented-out code
• Comparison of narrow type with wide type in loop condition
• Comparison result is always the same
• Comparison where assignment was intended
• Complex condition
• Constant return type
• Constant return type on member
• Continue statement that does not continue
• Dangerous use of ‘cin’
• Dead code due to goto or break statement
• Declaration hides parameter
• Declaration hides variable
• Dubious NULL check
• Duplicate include guard
• Empty branch of conditional
• Equality test on floating-point values
• Exception thrown in destructor
• Exposure of system data to an unauthorized control sphere
• Expression has no effect
• FIXME comment
• Failure to use HTTPS URLs
• File created without restricting permissions
• File opened with O_CREAT flag but without mode argument
• For loop variable changed in body
• Function declared in block
• Futile conditional
• Implicit downcast from bitfield
• Implicit function declaration
• Include header files only
• Inconsistent definition of copy constructor and assignment (’Rule of Two’)
• Inconsistent direction of for loop
• Inconsistent nullness check
• Inconsistent operation on return value
• Inconsistent virtual inheritance
• Incorrect ‘not’ operator usage
• Incorrect allocation-error handling
• Incorrect constructor delegation
• Invalid pointer dereference
• Irregular enum initialization
• Large object passed by value
• Leaky catch
• Likely overrunning write
• Local variable address stored in non-local memory
• Local variable hides global variable
• Long switch case
• Lossy function result cast
• Lossy pointer cast
• Mismatching new/free or malloc/delete
• Missing enum case in switch
• Missing header guard
• Missing return statement
• Missing return-value check for a ‘scanf’-like function
• Multiplication result converted to larger type
• NULL application name with an unquoted path in call to CreateProcess
• Nested loops with same variable
• No raw arrays in interfaces
• No space for zero terminator
• No trivial switch statements
• Non-constant format string
• Non-virtual destructor in base class
• Not enough memory allocated for array of pointer type
• Not enough memory allocated for pointer type
• Overflow in uncontrolled allocation size
• Overloaded assignment does not return ‘this’
• Overrunning write
• Pointer overflow check
• Poorly documented large function
• Possibly wrong buffer size in string copy
• Potential double free
• Potential exposure of sensitive system data to an unauthorized control sphere
• Potential use after free
• Potentially overflowing call to snprintf
• Potentially overrunning write
• Potentially overrunning write with float to string conversion
• Potentially uninitialized local variable
• Potentially unsafe call to strncat
• Potentially unsafe use of strcat
• Redefined default parameter
• Redundant null check due to previous dereference
• Resource not released in destructor
• Return c_str of local std::string
• Returning stack-allocated memory
• Self comparison
• Setting a DACL to NULL in a SECURITY_DESCRIPTOR
• Short global name
• Short-circuiting operator applied to flag
• Sign check of bitwise operation
• Signed overflow check
• Sizeof with side effects
• Slicing
• Static array access may cause overflow
• Suspicious ‘sizeof’ use
• Suspicious add with sizeof
• Suspicious pointer scaling
• Suspicious pointer scaling to void
• Throwing pointers
• Time-of-check time-of-use filesystem race condition
• Too few arguments to formatting function
• Too many arguments to formatting function
• Unbounded write
• Unchecked return value for time conversion function
• Unclear comparison precedence
• Uncontrolled data in SQL query
• Uncontrolled data in arithmetic expression
• Uncontrolled data used in OS command
• Uncontrolled data used in path expression
• Uncontrolled format string
• Uncontrolled format string (through global variable)
• Uncontrolled process operation
• Undisciplined multiple inheritance
• Unsafe use of this in constructor
• Unsigned comparison to zero
• Unsigned difference expression compared to zero
• Unterminated variadic call
• Untrusted input for a condition
• Unused local variable
• Unused static function
• Unused static variable
• Upcast array used in pointer arithmetic
• Use of a broken or risky cryptographic algorithm
• Use of a cryptographic algorithm with insufficient key size
• Use of a version of OpenSSL with Heartbleed
• Use of dangerous function
• Use of expired stack-address
• Use of goto
• Use of integer where enum is preferred
• Use of potentially dangerous function
• Use of string copy function in a condition
• Variable used in its own initializer
• Virtual call from constructor or destructor
• Wrong type of arguments to formatting function
• XML external entity expansion
• Year field changed using an arithmetic operation without checking for leap year

• © GitHub, Inc.
• Terms
• Privacy