Add additional CERT-C rules to rules.csv

c/cert/src/codeql-suites/cert-c-default.qls

@@ -0,0 +1,10 @@
+- description: CERT C 2016 (Default)
+- qlpack: codeql/cert-c-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    - external/cert/obligation/rule
+- exclude:
+    tags contain:
+    - external/cert/default-disabled

c/cert/src/codeql-suites/cert-c-recommendation.qls

@@ -0,0 +1,10 @@
+- description: CERT C 2016 (Recommendations)
+- qlpack: codeql/cert-c-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    - external/cert/obligation/recommendation
+- exclude:
+    tags contain:
+    - external/cert/default-disabled

c/cert/src/codeql-suites/cert-default.qls

@@ -1,9 +1,2 @@
-- description: CERT C 2016 (Default)
-- qlpack: codeql/cert-c-coding-standards
-- include:
-    kind:
-    - problem
-    - path-problem
-- exclude:
-    tags contain:
-    - external/cert/default-disabled
+- description: "DEPRECATED - CERT C 2016 - use cert-c-default.qls instead"
+- import: codeql-suites/cert-c-default.qls

c/cert/src/qlpack.yml

@@ -3,6 +3,7 @@ version: 2.44.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT
+default-suite-file: codeql-suites/cert-c-default.qls
 dependencies:
   codeql/common-c-coding-standards: '*'
   codeql/cpp-all: 2.1.1

change_notes/2025-04-09-new-cert-c-recommendation-query-suite.md

@@ -0,0 +1,9 @@
+ - The following query suites have been added or modified for CERT C:
+   - A new query suite has been created `cert-c-default.qls` to avoid confusion with the CERT C++ query suites. The `cert-default.qls` suite has been deprecated, and will be removed in a future releases, and is replaced by the `cert-c-default.qls` suite.
+     - The `cert-c-default.qls` suite has been specified as the default for the pack, and will include our most up-to-date coverage for CERT C.
+   - One new query suite, `cert-c-recommended.qls` has been added to enable running CERT recommendations (as opposed to rules) that will be added in the future.
+   - The default query suite, `cert-c-default.qls` has been set to exclude CERT recommendations (as opposed to rules) that will be added in the future.
+ - The following query suites have been added or modified for CERT C++:
+   - A new query suite has been created `cert-cpp-default.qls` to avoid confusion with the CERT C query suites. The `cert-default.qls` suite has been deprecated, and will be removed in a future releases, and is replaced by the `cert-cpp-default.qls` suite.
+     - The `cert-cpp-default.qls` suite has been specified as the default for the pack, and will include our most up-to-date coverage for CERT C.
+   - A new query suite has been created `cert-cpp-single-translation-unit.qls` to avoid confusion with the CERT C query suites. The `cert-single-translation-unit.qls` suite has been deprecated, and will be removed in a future releases, and is replaced by the `cert-cpp-single-translation-unit.qls` suite.

cpp/cert/src/codeql-suites/cert-cpp-default.qls

@@ -0,0 +1,9 @@
+- description: CERT C++ 2016 (Default)
+- qlpack: codeql/cert-cpp-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+- exclude:
+    tags contain:
+    - external/cert/default-disabled

cpp/cert/src/codeql-suites/cert-cpp-single-translation-unit.qls

@@ -0,0 +1,11 @@
+- description: CERT C++ 2016 (Single Translation Unit)
+- qlpack: codeql/cert-cpp-coding-standards
+- include:
+    kind:
+    - problem
+    - path-problem
+    tags contain:
+    - scope/single-translation-unit
+- exclude:
+    tags contain:
+    - external/cert/default-disabled

cpp/cert/src/codeql-suites/cert-default.qls

@@ -1,9 +1,2 @@
-- description: CERT C++ 2016 (Default)
-- qlpack: codeql/cert-cpp-coding-standards
-- include:
-    kind:
-    - problem
-    - path-problem
-- exclude:
-    tags contain:
-    - external/cert/default-disabled
+- description: "DEPRECATED - CERT C++ 2016 - use cert-cpp-default.qls instead"
+- import: codeql-suites/cert-cpp-default.qls

cpp/cert/src/codeql-suites/cert-single-translation-unit.qls

@@ -1,11 +1,2 @@
-- description: CERT C++ 2016 (Single Translation Unit)
-- qlpack: codeql/cert-cpp-coding-standards
-- include:
-    kind:
-    - problem
-    - path-problem
-    tags contain:
-    - scope/single-translation-unit
-- exclude:
-    tags contain:
-    - external/cert/default-disabled
+- description: "DEPRECATED - CERT C++ 2016 (Single Translation Unit) - use cert-cpp-single-translation-unit.qls instead"
+- import: codeql-suites/cert-cpp-single-translation-unit.qls

cpp/cert/src/qlpack.yml

@@ -3,6 +3,7 @@ version: 2.44.0-dev
 description: CERT C++ 2016
 suites: codeql-suites
 license: MIT
+default-suite-file: codeql-suites/cert-cpp-default.qls
 dependencies:
   codeql/cpp-all: 2.1.1
   codeql/common-cpp-coding-standards: '*'

rules.csv

@@ -515,6 +515,7 @@ c,CERT-C,ERR30-C,Yes,Rule,,,Take care when reading errno,M19-3-1,Contracts4,Hard
 c,CERT-C,ERR32-C,Yes,Rule,,,Do not rely on indeterminate values of errno,,Contracts5,Hard,
 c,CERT-C,ERR33-C,Yes,Rule,,,Detect and handle standard library errors,MEM52-CPP,Contracts5,Hard,
 c,CERT-C,ERR34-C,OutOfScope,Rule,,,Detect errors when converting a string to a number,,,,
+c,CERT-C,EXP16-C,Yes,Recommendation,,,Do not compare function pointers to constant values,,Expressions2,Medium,
 c,CERT-C,EXP30-C,Yes,Rule,,,Do not depend on the order of evaluation for side effects,EXP50-CPP,SideEffects1,Easy,
 c,CERT-C,EXP32-C,Yes,Rule,,,Do not access a volatile object through a nonvolatile reference,,Pointers3,Easy,
 c,CERT-C,EXP33-C,Yes,Rule,,,Do not read uninitialized memory,EXP53-CPP,InvalidMemory1,Import,
@@ -530,6 +531,8 @@ c,CERT-C,EXP44-C,Yes,Rule,,,"Do not rely on side effects in operands to sizeof,
 c,CERT-C,EXP45-C,Yes,Rule,,,Do not perform assignments in selection statements,M6-2-1,SideEffects1,Medium,
 c,CERT-C,EXP46-C,Yes,Rule,,,Do not use a bitwise operator with a Boolean-like operand,,Expressions,Easy,
 c,CERT-C,EXP47-C,OutOfScope,Rule,,,Do not call va_arg with an argument of the incorrect type,,,,
+c,CERT-C,FIO03-C,Yes,Recommendation,,,Do not make assumptions about fopen() and file creation,,IO5,Hard,
+c,CERT-C,FIO21-C,Yes,Recommendation,,,Do not create temporary files in shared directories,,IO5,Easy,
 c,CERT-C,FIO30-C,Yes,Rule,,,Exclude user input from format strings,A27-0-1,IO1,Import,
 c,CERT-C,FIO32-C,Yes,Rule,,,Do not perform operations on devices that are only appropriate for files,,IO3,Medium,
 c,CERT-C,FIO34-C,Yes,Rule,,,Distinguish between characters read from a file and EOF or WEOF,,IO1,Hard,
@@ -569,7 +572,7 @@ c,CERT-C,MSC38-C,Yes,Rule,,,Do not treat a predefined identifier as an object if
 c,CERT-C,MSC39-C,Yes,Rule,,,Do not call va_arg() on a va_list that has an indeterminate value,,Contracts7,Hard,
 c,CERT-C,MSC40-C,Yes,Rule,,,Do not violate constraints,,Contracts,Very Hard,
 c,CERT-C,MSC41-C,OutOfScope,Rule,,,Never hard code sensitive information,,,,
-c,CERT-C,POS30-C,OutOfScope,Rule,,,Use the readlink() function properly,,,,
+c,CERT-C,POS30-C,Yes,Rule,,,Use the readlink() function properly,,IO5,Hard,
 c,CERT-C,POS34-C,OutOfScope,Rule,,,Do not call putenv() with a pointer to an automatic variable as the argument,,,,
 c,CERT-C,POS35-C,OutOfScope,Rule,,,Avoid race conditions while checking for the existence of a symbolic link,,,,
 c,CERT-C,POS36-C,OutOfScope,Rule,,,Observe correct revocation order while relinquishing privileges,,,,

schemas/rule-package.schema.json

@@ -141,7 +141,8 @@
                                         "obligation": {
                                             "type": "string",
                                             "enum": [
-                                                "rule"
+                                                "rule",
+                                                "recommendation"
                                             ]
                                         }
                                     },