{"id":13809724,"url":"https://github.com/advanced-security/codeql-coding-standards-bundle-releases","last_synced_at":"2025-07-23T12:32:34.782Z","repository":{"id":39374350,"uuid":"505796102","full_name":"advanced-security/codeql-coding-standards-bundle-releases","owner":"advanced-security","description":"CodeQL bundles containing the CodeQL Coding Standards queries","archived":false,"fork":false,"pushed_at":"2022-06-24T08:14:52.000Z","size":16,"stargazers_count":4,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-04-14T11:43:00.453Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/advanced-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null}},"created_at":"2022-06-21T10:31:52.000Z","updated_at":"2022-12-12T18:32:20.000Z","dependencies_parsed_at":"2022-09-20T01:42:37.867Z","dependency_job_id":null,"html_url":"https://github.com/advanced-security/codeql-coding-standards-bundle-releases","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/advanced-security/codeql-coding-standards-bundle-releases","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-coding-standards-bundle-releases","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-coding-standards-bundle-releases/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-coding-standards-bundle-releases/releases","manifests_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-coding-standards-bundle-releases/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/advanced-security","download_url":"https://codeload.github.com/advanced-security/codeql-coding-standards-bundle-releases/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-coding-standards-bundle-releases/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266679717,"owners_count":23967691,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T02:00:35.011Z","updated_at":"2025-07-23T12:32:34.549Z","avatar_url":"https://github.com/advanced-security.png","language":null,"readme":"# CodeQL Coding Standards Bundle\n\nThe CodeQL Coding Standards Bundle is a CodeQL bundle that includes the queries from the matching [CodeQL Coding Standards](https://github.com/github/codeql-coding-standards) project that is to be open sourced in July 2022.\nMore information on the CodeQL Coding Standards project can be found in [this](https://github.blog/2022-06-20-adding-support-for-coding-standards-autosar-c-and-cert-c/) blog post.\n\nThe queries implement the guidelines specified in the following standards targeting the projects using C++ 
revision [14](https://www.iso.org/standard/64029.html):\n- [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems Release 18-10](https://www.autosar.org/fileadmin/user_upload/standards/adaptive/18-10/AUTOSAR_RS_CPP14Guidelines.pdf)\n- [MISRA C++:2008](https://www.misra.org.uk)\n- [SEI CERT C++ Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=494932)\n\nThe [list of supported rules](./supported_rules_list.csv) lists, per standard and rule, which query or queries implement that rule.\n\n## How to use the bundle\n\nThe bundle can be used with the [GitHub CodeQL Action](https://github.com/github/codeql-action) by preceding the `github/codeql-action/init@v2` step with the following step:\n\n```yaml\n- name: Download CodeQL Coding Standards Bundle\n  run: |\n    gh release download -R advanced-security/codeql-coding-standards-bundle-releases v1.10.0 --pattern 'codeql-coding-standards.tar.gz'\n```\n\nThe step initializing the GitHub CodeQL Action using `github/codeql-action/init@v2` can be instructed to use the bundle through the `tools` key, and the queries can be specified through the `queries` key as follows:\n\n```yaml\n- name: CodeQL Initialize\n  uses: github/codeql-action/init@v2\n  with:\n    tools: codeql-coding-standards.tar.gz\n    queries: autosar-default,cert-default\n```\n\nThe CodeQL Coding Standards Bundle supports the following CodeQL query suites:\n\n- `autosar-default`: All the supported AUTOSAR queries that are not audit queries.\n- `autosar-required`: The AUTOSAR queries with obligation *required*, and that are not audit queries.\n- `autosar-advisory`: The AUTOSAR queries with obligation *advisory*, and that are not audit queries.\n- `autosar-audit`: The AUTOSAR queries that are audit queries. 
An audit query provides information that can aid in a manual review of a guideline with enforcement *non-automated*.\n- `cert-default`: All the supported CERT queries.\n\n## Reporting issues\n\nThis project provides a deployment option for the coding standards queries, but is not in any way involved with the implementation details of those queries.\nFeel free to open issues for problems encountered when deploying this bundle.\n\nHowever, any issues encountered (e.g., false positives, false negatives, performance) when applying the coding standards queries to your projects should be reported in the CodeQL Coding Standards [issue tracker](https://github.com/github/codeql-coding-standards/issues) once that has been made available.\n\n## Troubleshooting\n\nAn elaborate user manual will be provided when the CodeQL Coding Standards project is open sourced.\nHowever, the following errors can be troubleshot as described below if encountered.\n\n### Error: Code Scanning could not process the submitted SARIF file\n\nThe error can occur when using the action `github/codeql-action/analyze@v2` or `github/codeql-action/upload-sarif@v2` that uploads the results of the CodeQL analysis, with the following reason:\n\n`rejecting SARIF, as there are more results per run than allowed (25271 \u003e 25000)`\n\nThis can occur when the CodeQL Coding Standards queries are used on a project that doesn't adhere to the standard, resulting in one or more queries returning a large number of alerts.\nThe following steps can be used to troubleshoot the issue:\n\n1. When using `github/codeql-action/analyze@v2`, disable the automatic uploading of the SARIF file as follows:\n   ```yaml\n   - name: CodeQL Analyze\n     uses: github/codeql-action/analyze@v2\n     with:\n        upload: \"false\"\n   ```\n2. Upload the SARIF file with the `actions/` as follows:\n   ```yaml\n   - name: Upload SARIF\n     uses: actions/upload-artifact@v2\n     with:\n        name: results\n        path: \"../results\"\n   ```\n3. 
Analyze the SARIF file in [Visual Studio Code](https://code.visualstudio.com/) using the [SARIF Viewer](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer) extension. The *rules* tab of the SARIF Viewer gives a per-rule breakdown of the number of alerts.\n4. Note down the rule ids (of the form `cpp/autosar/...`) of the rules with a high number of alerts.\n5. Revert the above changes to return to the regular workflow.\n6. Create a CodeQL query suite that excludes the identified rule(s). More information on creating CodeQL query suites can be found at [Creating CodeQL query suites](https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/). The following is an example for AUTOSAR that excludes the rule `cpp/autosar/undocumented-user-defined-type`:\n   ```yaml\n   - description: AUTOSAR C++14 Guidelines 19-11 (Customized)\n   - import: codeql-suites/autosar-default.qls\n     from: autosar-cpp-coding-standards\n   - exclude:\n     id:\n        - cpp/autosar/undocumented-user-defined-type\n   ```\n7. Add the CodeQL query suite to the repository and refer to it in the `github/codeql-action/init@v2` step. The following example assumes the CodeQL query suite is stored at `.github/code-scanning/autosar.qls`:\n   ```yaml\n   - name: CodeQL Initialize\n     uses: github/codeql-action/init@v2\n     with:\n        tools: codeql-coding-standards.tar.gz\n        queries: cert-default,.github/code-scanning/autosar.qls\n   ```","funding_links":[],"categories":["CodeQL Queries/Bundles"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fcodeql-coding-standards-bundle-releases","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadvanced-security%2Fcodeql-coding-standards-bundle-releases","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fcodeql-coding-standards-bundle-releases/lists"}