From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by mx.groups.io with SMTP id smtpd.web11.5972.1667521997081489734 for ; Thu, 03 Nov 2022 17:33:17 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@linux.microsoft.com header.s=default header.b=jO9jMfR0; spf=pass (domain: linux.microsoft.com, ip: 13.77.154.182, mailfrom: mikuback@linux.microsoft.com) Received: from localhost.localdomain (unknown [47.201.8.94]) by linux.microsoft.com (Postfix) with ESMTPSA id 3C0C720C28B1; Thu, 3 Nov 2022 17:33:16 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 3C0C720C28B1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1667521996; bh=qhY/CKa1RtGUJmcHS0i11uJJJkIoyiNSbHYJodvVm6s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jO9jMfR08qGv6Vs8ZOVvMjgd5TMQP1UmErwmGZTQMo4BlEJ9w8D9XU19ihmoZ6IlN 5TXxoaAHd+HkX48ainKYD3xDT63Q1QFcRRTCNpIMyW5AhuvonTd6GpJxOsGMCpLY5Q 2Bx7cxFAQWe2pqqsauqGgmstjfRgI0ruUC/zm/VI= From: "Michael Kubacki" To: devel@edk2.groups.io Cc: Sean Brogan , Michael D Kinney , Liming Gao Subject: [PATCH v3 2/2] .github: Add initial CodeQL config and workflow files Date: Thu, 3 Nov 2022 20:32:35 -0400 Message-Id: <20221104003235.2429-3-mikuback@linux.microsoft.com> X-Mailer: git-send-email 2.28.0.windows.1 In-Reply-To: <20221104003235.2429-1-mikuback@linux.microsoft.com> References: <20221104003235.2429-1-mikuback@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Michael Kubacki REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4115 Adds initial support for enabling CodeQL Code Scanning in this repository per the RFC: https://github.com/tianocore/edk2/discussions/3258 Adds the following new files: - .github/workflows/codql-analysis.yml - The main GitHub workflow file used to setup CodeQL in the repo. - .github/codeql/codeql-config.yml - The main CodeQL configuration file used to customize the queries and other resources the repo is using for CodeQL. Cc: Sean Brogan Cc: Michael D Kinney Cc: Liming Gao Signed-off-by: Michael Kubacki --- .github/codeql/codeql-config.yml | 30 +++++++ .github/codeql/edk2.qls | 12 +++ .github/workflows/codeql-analysis.yml | 91 ++++++++++++++++++++ 3 files changed, 133 insertions(+) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-con= fig.yml new file mode 100644 index 000000000000..3e27c2fb0d28 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,30 @@ +## @file +# CodeQL configuration file for edk2. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +name: "CodeQL config" + +# The following line disables the default queries. This is used because = we want to enable on query at a time by +# explicitly specifying each query in a "queries" array as they are enab= led. +# +# See the following for more information about adding custom queries: +# https://docs.github.com/en/code-security/code-scanning/automatically-s= canning-your-code-for-vulnerabilities-and-errors/configuring-code-scannin= g#using-a-custom-configuration-file + +#disable-default-queries: true + +queries: + - name: EDK2 CodeQL Query List + uses: ./.github/codeql/edk2.qls + +# We must specify a query for CodeQL to run. Until the first query is en= abled, enable the security query suite but +# exclude all problem levels from impacting the results. After the first= query is enabled, this filter can be relaxed +# to find the level of problems desired from the query. +query-filters: +- exclude: + problem.severity: + - error + - warning + - recommendation diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls new file mode 100644 index 000000000000..0efc7dca52db --- /dev/null +++ b/.github/codeql/edk2.qls @@ -0,0 +1,12 @@ +--- +- description: EDK2 (C++) queries + +# Bring in all queries from the official cpp-queries suite so individual= queries can be explicitly enabled. + +- queries: '.' + from: codeql/cpp-queries + +# Enable individual queries below. + +- include: + id: cpp/conditionallyuninitializedvariable diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/co= deql-analysis.yml new file mode 100644 index 000000000000..2eacb9c9e1a1 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,91 @@ +# @file +# GitHub Workflow for CodeQL Analysis +# +# Copyright (c) Microsoft Corporation. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +name: "CodeQL" + +on: + push: + branches: + - master + pull_request: + branches: + - master + paths-ignore: + - '**/*.bat' + - '**/*.md' + - '**/*.py' + - '**/*.rst' + - '**/*.sh' + - '**/*.txt' + + schedule: + # https://crontab.guru/#20_23_*_*_4 + - cron: '20 23 * * 4' + +jobs: + analyze: + name: Analyze + runs-on: windows-2019 + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + package: [ + "ArmPkg", + "CryptoPkg", + "DynamicTablesPkg", + "FatPkg", + "FmpDevicePkg", + "IntelFsp2Pkg", + "IntelFsp2WrapperPkg", + "MdeModulePkg", + "MdePkg", + "PcAtChipsetPkg", + "PrmPkg", + "SecurityPkg", + "ShellPkg", + "SourceLevelDebugPkg", + "StandaloneMmPkg", + "UefiCpuPkg", + "UnitTestFrameworkPkg"] + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: 'cpp' + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript',= 'python', 'ruby' ] + # Learn more about CodeQL language support at https://codeql.git= hub.com/docs/codeql-overview/supported-languages-and-frameworks/ + config-file: ./.github/codeql/codeql-config.yml + # Note: Add new queries to codeql-config.yml file as they are en= abled. + + - name: Install/Upgrade pip Modules + run: pip install -r pip-requirements.txt --upgrade + + - name: Setup + run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TO= OL_CHAIN_TAG=3DVS2019 + + - name: Update + run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 T= OOL_CHAIN_TAG=3DVS2019 + + - name: Build Tools From Source + run: python BaseTools/Edk2ToolsBuild.py -t VS2019 + + - name: CI Build + run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.packag= e }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=3DVS2019 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 --=20 2.28.0.windows.1