From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182])
 by mx.groups.io with SMTP id smtpd.web12.4381.1667511764250683673
 for <devel@edk2.groups.io>;
 Thu, 03 Nov 2022 14:42:44 -0700
Authentication-Results: mx.groups.io;
 dkim=fail reason="body hash did not verify" header.i=@linux.microsoft.com header.s=default header.b=m2UigiOy;
 spf=pass (domain: linux.microsoft.com, ip: 13.77.154.182, mailfrom: mikuback@linux.microsoft.com)
Received: from localhost.localdomain (unknown [47.201.8.94])
	by linux.microsoft.com (Postfix) with ESMTPSA id 2082920C28BD;
	Thu,  3 Nov 2022 14:42:43 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2082920C28BD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
	s=default; t=1667511763;
	bh=uJu5nggsScDqx8fwX8BDPBb+NS6hrXU9zWxB0ALkz+0=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=m2UigiOyW4ib6CkyRWLQl7AKxzHgLcblJwklLedmuBMyt7WtL+GYxamNyFvJLqob9
	 uagoPEyt2M6e7k9eDT4yEaijLJftywqfxhdZDUMwvbTw3+3vJ+jgn9bTpwJjO3vbFC
	 2CmsgaBP6MCSkVjxqgns6tvy3Wcv+a17pbluA4T8=
From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io
Cc: Sean Brogan <sean.brogan@microsoft.com>,
	Michael D Kinney <michael.d.kinney@intel.com>,
	Liming Gao <gaoliming@byosoft.com.cn>
Subject: [PATCH v2 2/2] .github: Add initial CodeQL config and workflow files
Date: Thu,  3 Nov 2022 17:40:30 -0400
Message-Id: <20221103214030.2218-3-mikuback@linux.microsoft.com>
X-Mailer: git-send-email 2.28.0.windows.1
In-Reply-To: <20221103214030.2218-1-mikuback@linux.microsoft.com>
References: <20221103214030.2218-1-mikuback@linux.microsoft.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

From: Michael Kubacki <michael.kubacki@microsoft.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4115

Adds initial support for enabling CodeQL Code Scanning in this
repository per the RFC:

  https://github.com/tianocore/edk2/discussions/3258

Adds the following new files:
  - .github/workflows/codql-analysis.yml - The main GitHub workflow
    file used to setup CodeQL in the repo.
  - .github/codeql/codeql-config.yml - The main CodeQL configuration
    file used to customize the queries and other resources the repo
    is using for CodeQL.

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
 .github/codeql/codeql-config.yml      | 30 ++++++
 .github/codeql/edk2.qls               | 12 +++
 .github/workflows/codeql-analysis.yml | 99 ++++++++++++++++++++
 3 files changed, 141 insertions(+)

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-con=
fig.yml
new file mode 100644
index 000000000000..3e27c2fb0d28
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,30 @@
+## @file
+# CodeQL configuration file for edk2.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+name: "CodeQL config"
+
+# The following line disables the default queries. This is used because =
we want to enable on query at a time by
+# explicitly specifying each query in a "queries" array as they are enab=
led.
+#
+# See the following for more information about adding custom queries:
+# https://docs.github.com/en/code-security/code-scanning/automatically-s=
canning-your-code-for-vulnerabilities-and-errors/configuring-code-scannin=
g#using-a-custom-configuration-file
+
+#disable-default-queries: true
+
+queries:
+  - name: EDK2 CodeQL Query List
+    uses: ./.github/codeql/edk2.qls
+
+# We must specify a query for CodeQL to run. Until the first query is en=
abled, enable the security query suite but
+# exclude all problem levels from impacting the results. After the first=
 query is enabled, this filter can be relaxed
+# to find the level of problems desired from the query.
+query-filters:
+- exclude:
+    problem.severity:
+      - error
+      - warning
+      - recommendation
diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
new file mode 100644
index 000000000000..0efc7dca52db
--- /dev/null
+++ b/.github/codeql/edk2.qls
@@ -0,0 +1,12 @@
+---
+- description: EDK2 (C++) queries
+
+# Bring in all queries from the official cpp-queries suite so individual=
 queries can be explicitly enabled.
+
+- queries: '.'
+  from: codeql/cpp-queries
+
+# Enable individual queries below.
+
+- include:
+    id: cpp/conditionallyuninitializedvariable
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/co=
deql-analysis.yml
new file mode 100644
index 000000000000..4ab8be04ecbe
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,99 @@
+# @file
+# GitHub Workflow for CodeQL Analysis
+#
+# Copyright (c) Microsoft Corporation.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - '**/*.bat'
+      - '**/*.md'
+      - '**/*.py'
+      - '**/*.rst'
+      - '**/*.sh'
+      - '**/*.txt'
+
+  schedule:
+    # https://crontab.guru/#20_23_*_*_4
+    - cron: '20 23 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: windows-2019
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        package: [
+          "ArmPkg",
+          "CryptoPkg",
+          "DynamicTablesPkg",
+          "FatPkg",
+          "FmpDevicePkg",
+          "IntelFsp2Pkg",
+          "IntelFsp2WrapperPkg",
+          "MdeModulePkg",
+          "MdePkg",
+          "PcAtChipsetPkg",
+          "PrmPkg",
+          "SecurityPkg",
+          "ShellPkg",
+          "SourceLevelDebugPkg",
+          "StandaloneMmPkg",
+          "UefiCpuPkg",
+          "UnitTestFrameworkPkg"]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: 'cpp'
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript',=
 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://codeql.git=
hub.com/docs/codeql-overview/supported-languages-and-frameworks/
+        config-file: ./.github/codeql/codeql-config.yml
+        # Note: Add new queries to codeql-config.yml file as they are en=
abled.
+
+    - name: Install/Upgrade pip Modules
+      run: pip install -r pip-requirements.txt --upgrade
+
+    - name: Use Node.js 19.x
+      uses: actions/setup-node@v3
+      with:
+          node-version: 19.x
+
+    - name: Install cspell npm
+      run: npm install -g cspell@5.20.0
+
+    - name: Setup
+      run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TO=
OL_CHAIN_TAG=3DVS2019
+
+    - name: Update
+      run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 T=
OOL_CHAIN_TAG=3DVS2019
+
+    - name: Build Tools From Source
+      run: python BaseTools/Edk2ToolsBuild.py -t VS2019
+
+    - name: CI Build
+      run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.packag=
e }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=3DVS2019
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
--=20
2.28.0.windows.1