Cannot suppress warning for Windows Drivers

[bit-envoy]

I cannot suppress warnings while building even basic "Hello World" windows driver project with codeql. I tried to do in source through
// lgtm [cpp/drivers/irql-function-not-annotated]
// codeql [cpp/drivers/irql-function-not-annotated]
#pragma warning(suppress: 28167)

and through global configuration:

name: "CodeQL CPP config"

query-filters:
  - exclude:
      id: 
      - cpp/drivers/irql-function-not-annotated

I am still getting warning which is not suppressed in output sarif:

					"ruleId": "cpp/drivers/irql-function-not-annotated",
					"ruleIndex": 23,
					"rule": {
						"id": "cpp/drivers/irql-function-not-annotated",
						"index": 23
					},
					"message": {
						"text": "Function potentially changes the IRQL without restoring it to the original level, however, the function is not annotated to reflect such a change."
					},
					"locations": [
						{
							"physicalLocation": {
								"artifactLocation": {
									"uri": "MyDriver1/main.c",
									"uriBaseId": "%SRCROOT%",
									"index": 0
								},
								"region": {
									"startLine": 5,
									"startColumn": 6,
									"endColumn": 10
								}
							}
						}
					],
					"partialFingerprints": {
						"primaryLocationLineHash": "a206c19db10e9b5c:1",
						"primaryLocationStartColumnFingerprint": "5"
					}
				},

This is source code for driver:

#include <ntddk.h>
#include <wdm.h>

// lgtm [cpp/drivers/irql-function-not-annotated]
void func()
{
    BOOLEAN locked = FALSE;
    KSPIN_LOCK lock = 0;
    KLOCK_QUEUE_HANDLE lockHandle = { 0 };
    KeInitializeSpinLock(&lock);

    KeAcquireInStackQueuedSpinLock(&lock, &lockHandle);
    locked = TRUE;

    if (locked)
    {
        KeReleaseInStackQueuedSpinLock(&lockHandle);
    }
}

NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT     DriverObject,
    _In_ PUNICODE_STRING    RegistryPath
)
{
    (void)DriverObject;
    (void)RegistryPath;
    func();
    return STATUS_SUCCESS;
}

I am using commands to run codeql:

.\codeql database create .\MyDriver --language=c --source-root="C:\Users\nidanachain\source\repos\MyDriver1" --command="C:\Users\nidanachain\source\repos\MyDriver1\Build.bat" --overwrite --codescanning-config="C:\codeql\config.yml"
.\codeql database analyze .\MyDriver $HOME\.codeql\packages\microsoft\windows-drivers --format=sarifv2.1.0 --output=DriverAnalysis.json

In attachment there is complete driver project
MyDriver1.zip

and sarif output
DriverAnalysis.json

How can I suppress cpp/drivers/irql-function-not-annotated warning from codeql?

[smowton]

Regarding the configuration, how are you referring to the configuration file in the codeql-init step?

[bit-envoy]

I am only referring configuration in:
.\codeql database create .\MyDriver --language=c --source-root="C:\Users\nidanachain\source\repos\MyDriver1" --command="C:\Users\nidanachain\source\repos\MyDriver1\Build.bat" --overwrite --codescanning-config="C:\codeql\config.yml"

I am not using codeql database init command

[smowton]

Apologies, overlooked that you're using the CLI.

I believe the reason your config exclusion doesn't work is that you're passing an explicit query pack (and therefore, set of queries to run) to analyze which is overriding the config specified during init.

You specify $HOME\.codeql\packages\microsoft\windows-drivers. If we look at $HOME/.codeql/packages/microsoft/windows-drivers/$VERSION/qlpack.yml we can see the query suite that implies -- for my version, it's ~/.codeql/packages/microsoft/windows-drivers/1.1.0/windows-driver-suites/windows_recommended_partial.qls. Therefore I recommend copying that qls file and varying it to exclude the query to wish to omit -- or writing a qls file (query suite file) per https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites that (a) references the qlpack whose queries you wish to run then (b) in a subsequent exclude step excludes the queries you don't want -- there's an example like this at https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites#examples-of-filtering-which-queries-are-run, albeit referring to the default codeql/cpp-queries pack rather than the windows-drivers pack.

Meanwhile, what about the annotation route? I believe the annotations that are expected by this query are these ones: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers -- I suggest trying those and see if the query is satisfied.

[bit-envoy]

And why insource suppression doesn't work?

[smowton]

I believe the annotations that are expected by this query are these ones: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers -- I suggest trying those and see if the query is satisfied.

[bit-envoy]

Codeql is detecting false positive, so anottating driver with SAL is not solution. Only solution is to suppress warning, but I cannot do it in source.

[smowton]

I see, you're intending to suppress with https://github.com/github/codeql/blob/main/cpp/ql/src/AlertSuppression.ql . I believe the comment needs to be on the same line as func, so I suggest (a) try void func() { // lgtm [cpp/drivers/irql-function-not-annotated], i.e. comment on the same line as the function not above it, and (b) ensure your query suite includes query cpp/alert-suppression

[bit-envoy]

I tried 1) line above 2) same line 3) line below with no results.
Suppression alert is included:
[2/84] Loaded C:\Users\nidanachain\.codeql\packages\microsoft\windows-drivers\1.8.0\drivers\general\DriverAlertSuppression.qlx.

Any ideas what else can I try?

[smowton]

That query appears to only look for pragmas using prefast:

 * In this library we support two styles:
 * #pragma prefast (suppress:XXXX) which suppresses rule XXXX on the following line of code, and
 * #pragma prefast (disable:XXXX) which suppresses rule XXXX until the pragma stack is adjusted using #pragma (push/pop).

The cpp/alert-suppression query is a different one, coming from the default C/C++ query pack not the driver queries pack; it is that query that should be used in order to match // lgtm[...] suppressions.

[bit-envoy]

#pragma prefast(suppress:C28167) also doesn't work, But anyway DriverAlertSuppression.ql says:

 * This query is a suppression query designed to identify existing PREFast-style suppressions
 * in Windows driver code and honor them through LGTM's suppression system.  It cannot be run
 * on its own.  Instead, it should be run alongside other queries; when the code has a valid
 * suppression for a given result, the SARIF file output by the run will
 * indicate that the result was suppressed in the code.
...
annotation = cas.makeLgtmName() // annotation converted to "lgtm[rule-name]" format

So it looks like lgtm should also suppress warnings.

[smowton]

I don't think that's what that means; rather that's translating FROM prefast pragmas TO LGTM notation as expected by an alert-suppression query. I note that $HOME/.codeql/packages/microsoft/windows-drivers/1.8.0/drivers/libraries/Suppression.qll does not mention C28167 which suggests that a pragma will only suppress via that query according to

result = "lgtm[" + this.getRuleName() + "]"

which suggests it's possible to supply something like #pragma prefast(suppress:cpp/drivers/irql-function-not-annotated)

To check this we can see the SuppressPragma class recognises such suppressions using the regex:

(prefast|warning)\\(\\s*suppress\\s*:\\s*([\\d\\w\\s\\\\\\p{Pd}\\p{Pc}/]+)+(,?([\\s\\w\\d\\W\\p{P}]))*\\)

Unescaping those backslashes yields (prefast|warning)\(\s*suppress\s*:\s*([\d\w\s\\\p{Pd}\p{Pc}/]+)+(,?([\s\w\d\W\p{P}]))*\)

That appears to match prefast(suppress:cpp/drivers/irql-function-not-annotated) but NOT prefast (suppress:cpp/drivers/irql-function-not-annotated), so ensure there is no space and the rule name is given directly in that way.

If that doesn't work I'll need to get a Windows box with the DDK ready to debug which might take a little time; let me know if this is needed.

[bit-envoy]

Thanks, #pragma prefast(suppress:cpp/drivers/irql-function-not-annotated) works.