cpp/memory-may-not-be-freed is not in security-and-quality suite

[szsam]

Description of the issue

The rule cpp/memory-may-not-be-freed in cpp/ql/src/Critical/MemoryMayNotBeFreed.ql (and many other rules in the same directory) is not in the security-and-quality suite.

This is surprising as it is in the Critical/ directory and detects an important kind of security vulnerability. I would expect it in the security-extended or security-and-quality suite.

cpp/memory-may-not-be-freed lacks the property @precision. I believe that is the reason why it is not selected in security-and-quality suite.

codeql/misc/suite-helpers/security-and-quality-selectors.yml

Lines 1 to 16 in fefc02d

	- description: Selectors for selecting the security-and-quality queries for a language
	- include:
	kind:
	- problem
	- path-problem
	precision:
	- high
	- very-high
	- include:
	kind:
	- problem
	- path-problem
	precision: medium
	problem.severity:
	- error
	- warning

[jketema]

Hi @szsam,

Thanks for your question. We are aware that this query is excluded and we would like to fix this. The reason it's excluded - by not having an @precision as you correctly observe - is that the query in its current form has some performance problems, which it unsuitable to be included in any of the query suites.

I've added your observations to the internal issue in which we track fixing the performance of this query.