CodeQL Queries and Suites for Windows Driver Testing

The Microsoft CodeQL GitHub repository provides three query suites to simplify the end-to-end driver developer workflow. These suites are included in the microsoft/windows-drivers CodeQL pack, and make use of queries unique to that pack and general C++ queries from the microsoft/cpp-queries pack.

• recommended.qls contains a broad set of checks for common driver and C/C++ bugs. We recommend running this suite by default and reviewing results.
• mustrun.qls contains checks that must be run in order to pass Windows Hardware Compatibility Program (WHCP) certification. Because these queries may produce false positives in some cases, failing these checks will not fail the Static Tools Logo test, but developers should review the results and fix and real bugs. A DVL generated without results for these checks fails the Static Tools Logo test. For 26H1, mustrun.qls and recommended.qls are identical.
• mustfix.qls serves as a subset of the must-run queries and contains checks that report issues that must be fixed in order to pass WHCP certification. A DVL generated with failures in these rules does not pass the Static Tools Logo test.

For details of the contents of the query suites, see CodeQL Queries and Suites.

Must-Fix queries for WHCP certification

The following subset of queries are Must-Fix for WHCP certification and are also included in the Recommended Fix suite.This set of rules is included in mustfix.qls.

Many of the following rules correspond to Common Weakness Enumeration (CWEs) or previous Code Analysis Warnings.

Must-Fix queries from the microsoft/windows-drivers pack

ID	Location	Common Weakness Enumeration / Code Analysis Warning
cpp/drivers/wdk-deprecated-api	/microsoft/windows-drivers/<Version>/drivers/general/queries/WdkDeprecatedApis/wdk-deprecated-api.ql	N/A
cpp/drivers/extended-deprecated-apis	/microsoft/windows-drivers/<Version>/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql	C28719 Warning, C28726 Warning, C28735 Warning, C28750 Warning
cpp/incorrect-string-type-conversion-ignore-puchar-casts	/microsoft/windows-drivers/<Version>/microsoft/Security/CWE/CWE-704/WcharCharConversionLimited.ql	CWE-704

Must-Fix queries from the microsoft/cpp-queries pack

ID	Location	Common Weakness Enumeration
cpp/bad-addition-overflow-check	/microsoft/cpp-queries/<Version>/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql	CWE-190, CWE-192
cpp/wrong-number-format-arguments	/microsoft/cpp-queries/<Version>/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	CWE-234, CWE-685
cpp/pointer-overflow-check	/microsoft/cpp-queries/<Version>/Likely Bugs/Memory Management/PointerOverflow.ql	CWE-758
cpp/unsafe-strncat	/microsoft/cpp-queries/<Version>/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	CWE-119, CWE-251, CWE-676, CWE-788
cpp/unsafe-use-of-this	/microsoft/cpp-queries/<Version>/Likely Bugs/OO/UnsafeUseOfThis.ql	CWE-670
cpp/boost/tls-settings-misconfiguration	/microsoft/cpp-queries/<Version>/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql	CWE-326
cpp/boost/use-of-deprecated-hardcoded-security-protocol	/microsoft/cpp-queries/<Version>/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql	CWE-327
cpp/too-few-arguments	/microsoft/cpp-queries/<Version>/Likely Bugs/Underspecified Functions/TooFewArguments.ql	CWE-234, CWE-685
cpp/microsoft/public/badoverflowguard	/microsoft/cpp-queries/<Version>/Microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql	CWE-190, CWE-191
cpp/microsoft/public/drivers/incorrect-usage-of-rtlcomparememory	/microsoft/cpp-queries/<Version>/Microsoft/Likely Bugs/Drivers/IncorrectUsageOfRtlCompareMemory.ql	N/A
cpp/microsoft/public/weak-crypto/banned-encryption-algorithms	/microsoft/cpp-queries/<Version>/Microsoft/Security/Cryptography/BannedEncryption.ql	CWE-327
cpp/microsoft/public/weak-crypto/capi/banned-modes	/microsoft/cpp-queries/<Version>/Microsoft/Security/Cryptography/BannedModesCAPI.ql	CWE-327
cpp/microsoft/public/weak-crypto/cng/banned-modes	/microsoft/cpp-queries/<Version>/Microsoft/Security/Cryptography/BannedModesCNG.ql	CWE-327
cpp/microsoft/public/weak-crypto/cng/hardcoded-iv	/microsoft/cpp-queries/<Version>/Microsoft/Security/Cryptography/HardcodedIVCNG.ql	CWE-327
cpp/microsoft/public/enum-index	/microsoft/cpp-queries/<Version>/Microsoft/Security/MemoryAccess/EnumIndex/UncheckedBoundsEnumAsIndex.ql	CWE-125
cpp/command-line-injection	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-078/ExecTainted.ql	CWE-078, CWE-088
cpp/uncontrolled-process-operation	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-114/UncontrolledProcessOperation.ql	CWE-114
cpp/badly-bounded-write	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-120/BadlyBoundedWrite.ql	CWE-120, CWE-787, CWE-805
cpp/overrunning-write	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-120/OverrunWrite.ql	CWE-120, CWE-787, CWE-805
cpp/no-space-for-terminator	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql	CWE-120, CWE-122, CWE-131
cpp/user-controlled-null-termination-tainted	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql	CWE-170
cpp/comparison-with-wider-type	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-190/ComparisonWithWiderType.ql	CWE-190, CWE-197, CWE-835
cpp/hresult-boolean-conversion	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-253/HResultBooleanConversion.ql	CWE-253
cpp/openssl-heartbleed	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-327/OpenSslHeartbleed.ql	CWE-327, CWE-788
cpp/dangerous-function-overflow	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-676/DangerousFunctionOverflow.ql	CWE-242, CWE-676
cpp/dangerous-cin	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-676/DangerousUseOfCin.ql	CWE-676
cpp/incorrect-string-type-conversion	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-704/WcharCharConversion.ql	CWE-704
cpp/unsafe-dacl-security-descriptor	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql	CWE-732

Recommended Queries

The recommended.qls suite includes all queries from the mustfix.qls suite plus the following queries from the microsoft/windows-drivers and microsoft/cpp-queries packs.

General driver queries from the microsoft/windows-drivers pack

ID	Location	Code Analysis Warning
cpp/drivers/annotation-syntax	/microsoft/windows-drivers/<Version>/drivers/general/queries/AnnotationSyntax/AnnotationSyntax.ql	C28266 Warning
cpp/drivers/current-function-type-not-correct	/microsoft/windows-drivers/<Version>/drivers/general/queries/CurrentFunctionTypeNotCorrect/CurrentFunctionTypeNotCorrect.ql	C28101 Warning
cpp/drivers/default-pool-tag	/microsoft/windows-drivers/<Version>/drivers/general/queries/DefaultPoolTag/DefaultPoolTag.ql	C28147 Warning
cpp/drivers/driver-entry-save-buffer	/microsoft/windows-drivers/<Version>/drivers/general/queries/DriverEntrySaveBuffer/DriverEntrySaveBuffer.ql	C28131 Warning
cpp/drivers/examined-value	/microsoft/windows-drivers/<Version>/drivers/general/queries/ExaminedValue/ExaminedValue.ql	C28193 Warning
cpp/drivers/irp-stack-entry-copy	/microsoft/windows-drivers/<Version>/drivers/general/queries/IRPStackEntryCopy/IRPStackEntryCopy.ql	C28114 Warning
cpp/drivers/important-function-call-optimized-out	/microsoft/windows-drivers/<Version>/drivers/general/queries/ImportantFunctionCallOptimizedOut/ImportantFunctionCallOptimizedOut.ql	C28625 Warning
cpp/drivers/improper-not-operator-on-zero	/microsoft/windows-drivers/<Version>/drivers/general/queries/ImproperNotOperatorOnZero/ImproperNotOperatorOnZero.ql	C28650 Warning
cpp/drivers/invalid-function-class-typedef	/microsoft/windows-drivers/<Version>/drivers/general/queries/InvalidFunctionClassTypedef/InvalidFunctionClassTypedef.ql	C28268 Warning
cpp/drivers/invalid-function-pointer-annotation	/microsoft/windows-drivers/<Version>/drivers/general/queries/InvalidFunctionPointerAnnotation/InvalidFunctionPointerAnnotation.ql	C28165 Warning
cpp/drivers/io-initialize-timer-call	/microsoft/windows-drivers/<Version>/drivers/general/queries/IoInitializeTimerCall/IoInitializeTimerCall.ql	C28133 Warning
cpp/drivers/irql-annotation-issue	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlAnnotationIssue/IrqlAnnotationIssue.ql	C28153 Warning
cpp/drivers/irql-cancel-routine	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlCancelRoutine/IrqlCancelRoutine.ql	C28144 Warning
cpp/drivers/irql-float-state-mismatch	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.ql	C28111 Warning
cpp/drivers/irql-not-saved	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql	C28158 Warning
cpp/drivers/irql-not-used	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlNotUsed/IrqlNotUsed.ql	C28157 Warning
cpp/drivers/irql-set-too-high	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.ql	C28150 Warning
cpp/drivers/irql-set-too-low	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.ql	C28124 Warning
cpp/drivers/irql-too-high	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlTooHigh/IrqlTooHigh.ql	C28121 Warning
cpp/drivers/irql-too-low	/microsoft/windows-drivers/<Version>/drivers/general/queries/IrqlTooLow/IrqlTooLow.ql	C28120 Warning
cpp/drivers/ke-set-event-pageable	/microsoft/windows-drivers/<Version>/drivers/general/queries/KeSetEventPageable/KeSetEventPageable.ql	No associated CA check
cpp/drivers/multithreaded-av-condition	/microsoft/windows-drivers/<Version>/drivers/general/queries/MultithreadedAVCondition/MultithreadedAVCondition.ql	C28616 Warning
cpp/drivers/ntstatus-explicit-cast	/microsoft/windows-drivers/<Version>/drivers/general/queries/NtstatusExplicitCast/NtstatusExplicitCast.ql	C28714 Warning
cpp/drivers/ntstatus-explicit-cast2	/microsoft/windows-drivers/<Version>/drivers/general/queries/NtstatusExplicitCast2/NtstatusExplicitCast2.ql	C28715 Warning
cpp/drivers/ntstatus-explicit-cast3	/microsoft/windows-drivers/<Version>/drivers/general/queries/NtstatusExplicitCast3/NtstatusExplicitCast3.ql	C28716 Warning
cpp/drivers/null-character-pointer-assignment	/microsoft/windows-drivers/<Version>/drivers/general/queries/NullCharacterPointerAssignment/NullCharacterPointerAssignment.ql	C28730 Warning
cpp/drivers/operand-assignment	/microsoft/windows-drivers/<Version>/drivers/general/queries/OperandAssignment/OperandAssignment.ql	C28129 Warning
cpp/drivers/pointer-variable-size	/microsoft/windows-drivers/<Version>/drivers/general/queries/PointerVariableSize/PointerVariableSize.ql	C28132 Warning
cpp/drivers/pool-tag-integral	/microsoft/windows-drivers/<Version>/drivers/general/queries/PoolTagIntegral/PoolTagIntegral.ql	C28134 Warning
cpp/drivers/role-type-correctly-used	/microsoft/windows-drivers/<Version>/drivers/general/queries/RoleTypeCorrectlyUsed/RoleTypeCorrectlyUsed.ql	C28158 Warning
cpp/drivers/routine-function-type-not-expected	/microsoft/windows-drivers/<Version>/drivers/general/queries/RoutineFunctionTypeNotExpected/RoutineFunctionTypeNotExpected.ql	C28127 Warning
cpp/drivers/str-safe	/microsoft/windows-drivers/<Version>/drivers/general/queries/StrSafe/StrSafe.ql	C28146 Warning
cpp/drivers/strict-type-match	/microsoft/windows-drivers/<Version>/drivers/general/queries/StrictTypeMatch/StrictTypeMatch.ql	C28139 Warning

WDM driver queries from the microsoft/windows-drivers pack

ID	Location	Code Analysis Warning
cpp/drivers/illegal-field-access	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/IllegalFieldAccess/IllegalFieldAccess.ql	C28128 Warning
cpp/drivers/illegal-field-access-2	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/IllegalFieldAccess2/IllegalFieldAccess2.ql	C28175 Warning
cpp/drivers/illegal-field-write	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/IllegalFieldWrite/IllegalFieldWrite.ql	C28176 Warning
cpp/drivers/init-not-cleared	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/InitNotCleared/InitNotCleared.ql	C28152 Warning
cpp/drivers/kewaitlocal-requires-kernel-mode	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/KeWaitLocal/KeWaitLocal.ql	C28135 Warning
cpp/drivers/multiple-paged-code	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/MultiplePagedCode/MultiplePagedCode.ql	C28171 Warning
cpp/drivers/ob-reference-mode	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/ObReferenceMode/ObReferenceMode.ql	C28126 Warning
cpp/drivers/opaque-mdl-use	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/OpaqueMdlUse/OpaqueMdlUse.ql	No associated CA check
cpp/drivers/opaque-mdl-write	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/OpaqueMdlWrite/OpaqueMdlWrite.ql	C28145 Warning
cpp/drivers/pending-status-error	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/PendingStatusError/PendingStatusError.ql	C28143 Warning
cpp/drivers/wrong-dispatch-table-assignment	/microsoft/windows-drivers/<Version>/drivers/wdm/queries/WrongDispatchTableAssignment/WrongDispatchTableAssignment.ql	C28168 Warning, C28169 Warning

General C++ queries from the microsoft/windows-drivers pack

ID	Location	Common Weakness Enumeration / Code Analysis warning
cpp/paddingbyteinformationdisclosure	/microsoft/windows-drivers/<Version>/microsoft/Likely Bugs/Boundary Violations/PaddingByteInformationDisclosure.ql	N/A
cpp/badoverflowguard	/microsoft/windows-drivers/<Version>/microsoft/Likely Bugs/Conversion/BadOverflowGuard.ql	N/A
cpp/infiniteloop	/microsoft/windows-drivers/<Version>/microsoft/Likely Bugs/Conversion/InfiniteLoop.ql	N/A
cpp/use-after-free	/microsoft/windows-drivers/<Version>/microsoft/Likely Bugs/Memory Management/UseAfterFree/UseAfterFree.ql	N/A
cpp/uninitializedptrfield	/microsoft/windows-drivers/<Version>/microsoft/Likely Bugs/UninitializedPtrField.ql	N/A
cpp/weak-crypto/cng/hardcoded-iv	/microsoft/windows-drivers/<Version>/microsoft/Security/Crytpography/HardcodedIVCNG.ql	N/A

General C++ queries from the microsoft/cpp-queries pack

ID	Location	Common Weakness Enumeration
cpp/offset-use-before-range-check	/microsoft/cpp-queries/<Version>/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql	CWE-120, CWE-125
cpp/integer-multiplication-cast-to-long	/microsoft/cpp-queries/<Version>/Likely Bugs/Arithmetic/IntMultToLong.ql	CWE-190, CWE-192, CWE-197, CWE-681
cpp/signed-overflow-check	/microsoft/cpp-queries/<Version>/Likely Bugs/Arithmetic/SignedOverflowCheck.ql	CWE-128, CWE-190
cpp/upcast-array-pointer-arithmetic	/microsoft/cpp-queries/<Version>/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	CWE-119, CWE-843
cpp/incorrect-not-operator-usage	/microsoft/cpp-queries/<Version>/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql	CWE-480
cpp/suspicious-sizeof	/microsoft/cpp-queries/<Version>/Likely Bugs/Memory Management/SuspiciousSizeof.ql	CWE-467
cpp/uninitialized-local	/microsoft/cpp-queries/<Version>/Likely Bugs/Memory Management/UninitializedLocal.ql	CWE-457, CWE-665
cpp/unterminated-variadic-call	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-121/UnterminatedVarargsCall.ql	CWE-121
cpp/conditionally-uninitialized-variable	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql	CWE-457
cpp/suspicious-add-sizeof	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql	CWE-468
cpp/suspicious-pointer-scaling	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-468/IncorrectPointerScaling.ql	CWE-468
cpp/suspicious-pointer-scaling-void	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql	CWE-468
cpp/potentially-dangerous-function	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql	CWE-676
cpp/overflow-buffer	/microsoft/cpp-queries/<Version>/Security/CWE/CWE-119/OverflowBuffer.ql	CWE-119, CWE-121, CWE-122, CWE-126

Must-Run Queries

The mustrun.qls suite contains queries that must be run in order to pass WHCP certification. These queries may not necessarily need to be fixed due to potential false positives, but should have their results reviewed and any real bugs found fixed. A DVL generated without results for these checks fails the Static Tools Logo test.

For Windows 11, version 26H1, the queries exposed by mustrun.qls and recommended.qls are identical.

Related Content

• Run the CodeQL analysis on your driver code
• CodeQL Overview
• CodeQL FAQ