* [PATCH v1 2/2] .github: Add initial CodeQL config and workflow files
From: Michael Kubacki @ 2022-11-01 15:54 UTC (permalink / raw)
To: devel; +Cc: Sean Brogan, Michael D Kinney, Liming Gao
From: Michael Kubacki <michael.kubacki@microsoft.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4115
Adds initial support for enabling CodeQL Code Scanning in this
repository per the RFC:
https://github.com/tianocore/edk2/discussions/3258
Adds the following new files:
- .github/workflows/codeql-analysis.yml - The main GitHub workflow
file used to setup CodeQL in the repo.
- .github/codeql/codeql-config.yml - The main CodeQL configuration
file used to customize the queries and other resources the repo
is using for CodeQL.
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
.github/codeql/codeql-config.yml | 30 ++++++
.github/codeql/edk2.qls | 12 +++
.github/workflows/codeql-analysis.yml | 102 ++++++++++++++++++++
3 files changed, 144 insertions(+)
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 000000000000..3e27c2fb0d28
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,30 @@
+## @file
+# CodeQL configuration file for edk2.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+name: "CodeQL config"
+
+# The following line disables the default queries. This is used because we want to enable on query at a time by
+# explicitly specifying each query in a "queries" array as they are enabled.
+#
+# See the following for more information about adding custom queries:
+# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file
+
+#disable-default-queries: true
+
+queries:
+ - name: EDK2 CodeQL Query List
+ uses: ./.github/codeql/edk2.qls
+
+# We must specify a query for CodeQL to run. Until the first query is enabled, enable the security query suite but
+# exclude all problem levels from impacting the results. After the first query is enabled, this filter can be relaxed
+# to find the level of problems desired from the query.
+query-filters:
+- exclude:
+ problem.severity:
+ - error
+ - warning
+ - recommendation
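Review bot: `disable-default-queries: true` is commented out with a leading `#`, so the default query suite still runs, which contradicts the comment above it saying that line disables the default queries; and the `query-filters` block excludes `error`, `warning` and `recommendation`, i.e. every problem.severity level, for the whole query set, so unless the filter is scoped more narrowly than it appears it also suppresses results from the one query enabled in edk2.qls in this same patch. Either uncomment `disable-default-queries: true` and drop the severity filter so the enabled query actually reports, or add a comment documenting why both the default suite and the blanket filter are meant to stay for now. Minor: the comment "we want to enable on query at a time" should read "one query at a time".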
diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
new file mode 100644
index 000000000000..0efc7dca52db
--- /dev/null
+++ b/.github/codeql/edk2.qls
@@ -0,0 +1,12 @@
+---
+- description: EDK2 (C++) queries
+
+# Bring in all queries from the official cpp-queries suite so individual queries can be explicitly enabled.
+
+- queries: '.'
+ from: codeql/cpp-queries
+
+# Enable individual queries below.
+
+- include:
+ id: cpp/conditionallyuninitializedvariable
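Review bot: this file is not mentioned in the commit message, which lists only codeql-config.yml and codeql-analysis.yml under "Adds the following new files"; add `.github/codeql/edk2.qls` to that list with a one-line description so the message matches the three-file diffstat. Also `from: codeql/cpp-queries` carries no version pin, so the resolved pack, and with it the behaviour of `cpp/conditionallyuninitializedvariable`, follows whatever the CodeQL action bundles on a given run; add a `version:` next to `from:` if reproducible results across runs are wanted.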
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000000..c3227d015477
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,102 @@
+# @file
+# GitHub Workflow for CodeQL Analysis
+#
+# Copyright (c) Microsoft Corporation.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+name: "CodeQL"
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ paths-ignore:
+ - '**/*.bat'
+ - '**/*.md'
+ - '**/*.py'
+ - '**/*.rst'
+ - '**/*.sh'
+ - '**/*.txt'
+
+ schedule:
+ # https://crontab.guru/#20_23_*_*_4
+ - cron: '20 23 * * 4'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ package: [
+ "ArmPkg",
+ "CryptoPkg",
+ "DynamicTablesPkg",
+ "FatPkg",
+ "FmpDevicePkg",
+ "IntelFsp2Pkg",
+ "IntelFsp2WrapperPkg",
+ "MdeModulePkg",
+ "MdePkg",
+ "PcAtChipsetPkg",
+ "PrmPkg",
+ "SecurityPkg",
+ "ShellPkg",
+ "SourceLevelDebugPkg",
+ "StandaloneMmPkg",
+ "UefiCpuPkg",
+ "UnitTestFrameworkPkg"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: 'cpp'
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Learn more about CodeQL language support at https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
+ config-file: ./.github/codeql/codeql-config.yml
+ # Note: Add new queries to codeql-config.yml file as they are enabled.
+
+ - name: Install/Upgrade pip Modules
+ run: pip install -r pip-requirements.txt --upgrade
+
+ - name: Use Node.js 19.x
+ uses: actions/setup-node@v3
+ with:
+ node-version: 19.x
+
+ - name: Update apt
+ run: sudo apt-get update
+
+ - name: Install required tools
+ run: sudo apt-get install gcc g++ make uuid-dev
+
+ - name: Setup
+ run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=GCC5
+
+ - name: Update
+ run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=GCC5
+
+ - name: Build Tools From Source
+ run: python BaseTools/Edk2ToolsBuild.py -t GCC5
+
+ - name: CI Build
+ run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.package }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=GCC5
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
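Review bot: every third-party action here (`actions/checkout@v3`, `github/codeql-action/init@v2`, `actions/setup-node@v3`, `github/codeql-action/analyze@v2`) is pinned to a mutable major-version tag; for a workflow that holds `security-events: write`, pin each `uses:` to a full commit SHA with the tag in a trailing comment so a moved tag cannot silently change what runs. Two smaller points: no step in this hunk uses Node.js, so either add a comment stating why `Use Node.js 19.x` is required (presumably by the stuart tooling) or drop the step, and `paths-ignore` is set only under `pull_request`, so `push` to master and the scheduled run analyze on every change; a short comment saying that is intentional would save the next reader the question.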
--
2.28.0.windows.1