CodeQL query help for C and C++
‘new’ object freed with ‘delete[]’
‘new[]’ array freed with ‘delete’
Accidental rethrow
Ambiguously signed bit-field member
Arithmetic operation assumes 365 days per year
Array argument size mismatch
Array offset used before range check
Assignment where comparison was intended
Authentication bypass by spoofing
Avoid floats in for loops
Bad check for oddness
Bad check for overflow of integer addition
Badly bounded write
Block with too many statements
CGI script vulnerable to cross-site scripting
Call to memset may be deleted
Call to a function with one or more incompatible arguments
Call to alloca in a loop
Call to function with extraneous arguments
Call to function with fewer arguments than declared parameters
Call to memory access function may overflow buffer
Cast between HRESULT and a Boolean type
Cast from char* to wchar_t*
Catching by value
Certificate not checked
Certificate result conflation
Cleartext storage of sensitive information in an SQLite database
Cleartext storage of sensitive information in buffer
Cleartext storage of sensitive information in file
Cleartext transmission of sensitive information
Comma before misleading indentation
Commented-out code
Comparison of narrow type with wide type in loop condition
Comparison result is always the same
Comparison where assignment was intended
Complex condition
Constant return type
Constant return type on member
Continue statement that does not continue
Dangerous use of ‘cin’
Dead code due to goto or break statement
Declaration hides parameter
Declaration hides variable
Dubious NULL check
Duplicate include guard
Empty branch of conditional
Equality test on floating-point values
Exception thrown in destructor
Exposure of system data to an unauthorized control sphere
Expression has no effect
FIXME comment
Failure to use HTTPS URLs
File created without restricting permissions
File opened with O_CREAT flag but without mode argument
For loop variable changed in body
Function declared in block
Futile conditional
Guarded Free
Implicit downcast from bitfield
Implicit function declaration
Include header files only
Inconsistent definition of copy constructor and assignment (‘Rule of Two’)
Inconsistent direction of for loop
Inconsistent nullness check
Inconsistent operation on return value
Inconsistent virtual inheritance
Incorrect ‘not’ operator usage
Incorrect allocation-error handling
Incorrect constructor delegation
Incorrect return-value check for a ‘scanf’-like function
Invalid pointer dereference
Irregular enum initialization
Iterator to expired container
Large object passed by value
Leaky catch
Likely overrunning write
Local variable address stored in non-local memory
Local variable hides global variable
Long switch case
Lossy function result cast
Lossy pointer cast
Mismatching new/free or malloc/delete
Missing enum case in switch
Missing header guard
Missing return statement
Missing return-value check for a ‘scanf’-like function
Multiplication result converted to larger type
NULL application name with an unquoted path in call to CreateProcess
Nested loops with same variable
No raw arrays in interfaces
No space for zero terminator
No trivial switch statements
Non-constant format string
Non-virtual destructor in base class
Not enough memory allocated for array of pointer type
Not enough memory allocated for pointer type
Overloaded assignment does not return ‘this’
Overrunning write
Pointer overflow check
Poorly documented large function
Possibly wrong buffer size in string copy
Potential double free
Potential exposure of sensitive system data to an unauthorized control sphere
Potential use after free
Potentially overflowing call to snprintf
Potentially overrunning write
Potentially overrunning write with float to string conversion
Potentially uninitialized local variable
Potentially unsafe call to strncat
Potentially unsafe use of strcat
Redefined default parameter
Redundant null check due to previous dereference
Resource not released in destructor
Return c_str of local std::string
Returning stack-allocated memory
Self comparison
Setting a DACL to NULL in a SECURITY_DESCRIPTOR
Short global name
Short-circuiting operator applied to flag
Sign check of bitwise operation
Signed overflow check
Sizeof with side effects
Slicing
Static array access may cause overflow
Suspicious ‘sizeof’ use
Suspicious add with sizeof
Suspicious pointer scaling
Suspicious pointer scaling to void
Throwing pointers
Time-of-check time-of-use filesystem race condition
Too few arguments to formatting function
Too many arguments to formatting function
Type confusion
Unbounded write
Unchecked return value for time conversion function
Unclear comparison precedence
Uncontrolled allocation size
Uncontrolled data in SQL query
Uncontrolled data in arithmetic expression
Uncontrolled data used in OS command
Uncontrolled data used in path expression
Uncontrolled format string
Uncontrolled process operation
Undisciplined multiple inheritance
Unsafe use of this in constructor
Unsigned comparison to zero
Unsigned difference expression compared to zero
Unterminated variadic call
Untrusted input for a condition
Unused local variable
Unused static function
Unused static variable
Upcast array used in pointer arithmetic
Use of a broken or risky cryptographic algorithm
Use of a cryptographic algorithm with insufficient key size
Use of a version of OpenSSL with Heartbleed
Use of dangerous function
Use of expired stack-address
Use of goto
Use of integer where enum is preferred
Use of potentially dangerous function
Use of string after lifetime ends
Use of string copy function in a condition
Use of unique pointer after lifetime ends