From: Michael Kubacki
To: devel@edk2.groups.io
Cc: Bob Feng, Liming Gao, Michael D Kinney, Rebecca Cran, Sean Brogan, Yuwei Chen
Subject: [edk2-devel] [PATCH v1 0/5] Use CodeQL CLI
Date: Tue, 26 Sep 2023 15:21:09 -0400
Message-ID: <20230926192114.416-1-mikuback@linux.microsoft.com>
Reply-To: devel@edk2.groups.io, mikuback@linux.microsoft.com
CodeQL currently runs via the codeql-analysis.yml GitHub workflow which
uses the github/codeql-action/init@v2 action (pre-build) and the
github/codeql-action/analyze@v2 action (post-build) to set up the CodeQL
environment and extract results.

This infrastructure is removed in preparation for a new design that will
directly run the CodeQL CLI as part of the build. This will allow CodeQL
to be run locally as part of the normal build process with results that
match 1:1 with CI builds.

The CodeQL CLI design is automatically driven by a set of CodeQL plugins:

1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a build.
2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.

This approach offers the following advantages:

1. Provides exactly the same results locally as on a CI server.
2. Integrates very well into IDEs such as VS Code.
3. Very simple to use - just use normal Stuart update and build commands.
4. Very simple to understand - minimally wraps the official CodeQL CLI.
5. Very simple to integrate - works like any other Stuart build plugin.
6. Portable - not tied to Azure DevOps specific, GitHub specific, or
   other host infrastructure.
7. Versioned - the query and filters are versioned in source control so
   easy to find and track.

The appropriate CodeQL CLI is downloaded for the host OS by passing the
`--codeql` argument to the update command.

  `stuart_update -c .pytool/CISettings.py --codeql`

After that, CodeQL can be run in a build by similarly passing the
`--codeql` argument to the build command. For example:

  `stuart_ci_build -c .pytool/CISettings.py --codeql`

Going forward, CI will simply use those commands in CodeQL builds to get
results instead of the CodeQL GitHub actions.

When `--codeql` is specified in the build command, each package will
contain two main artifacts in the Build directory.

1. The CodeQL database for the package
2. The CodeQL SARIF (result) file for the package

The CodeQL database (1) can be used to run queries against without
rebuilding any code. The SARIF result file (2) is the result of running
enabled queries against the database.

SARIF stands for Static Analysis Results Interchange Format and it is an
industry standard format for output from static analysis tools.

  https://sarifweb.azurewebsites.net/

The SARIF file can be opened with any standard SARIF file viewer such as
this one for VS Code:

  https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer

That includes the ability to jump directly to issues in the source code
file with relevant code highlighted and suggestions included.

This means that after simply adding `--codeql` to the normal build
commands, a database will be present for future querying and a SARIF
result file will be present to allow the developer to immediately start
fixing issues.

More details about the location of these and usage are in the
BaseTools/Plugin/CodeQL/Readme.md included in this patch series.

The CI process pushes the SARIF file to GitHub Code Scanning so the
results are generated exactly the same way they are locally. All build
logs and the SARIF file for each package are uploaded to the GitHub
action run as artifacts. If a CodeQL issue is found, a developer can
download the SARIF file directly from the GitHub action run to fix the
problem without needing to rebuild locally.

An example run of these changes showing the packages built and output
logs and SARIF files is available here:

  https://github.com/tianocore/edk2/actions/runs/6317077528

The packages CodeQL is enabled against and the queries enabled remain
unchanged in this series.

Links and references:

- CodeQL Overview: https://codeql.github.com/docs/codeql-overview/
- CodeQL open-source queries: https://github.com/github/codeql
- CodeQL CLI: https://docs.github.com/en/code-security/codeql-cli#codeql-cli
- SARIF Specification and Information: https://sarifweb.azurewebsites.net/

Cc: Bob Feng
Cc: Liming Gao
Cc: Michael D Kinney
Cc: Rebecca Cran
Cc: Sean Brogan
Cc: Yuwei Chen

Michael Kubacki (5):
  Remove existing CodeQL infrastructure
  BaseTools/Plugin/CodeQL: Add CodeQL build plugin
  BaseTools/Plugin/CodeQL: Add integration helpers
  .pytool/CISettings.py: Integrate CodeQL
  .github/workflows/codeql.yml: Add CodeQL workflow

 .github/codeql/codeql-config.yml                       |  29 --
 .github/codeql/edk2.qls                                |  24 --
 .github/workflows/codeql-analysis.yml                  | 118 ------
 .github/workflows/codeql.yml                           | 338 ++++++++++++++++++
 .pytool/CISettings.py                                  |  30 ++
 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py         | 222 ++++++++++++
 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml     |  13 +
 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py           | 172 +++++++++
 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml       |  13 +
 BaseTools/Plugin/CodeQL/CodeQlQueries.qls              |  75 ++++
 BaseTools/Plugin/CodeQL/Readme.md                      | 375 ++++++++++++++++++++
 BaseTools/Plugin/CodeQL/analyze/__init__.py            |   0
 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py      | 176 +++++++++
 BaseTools/Plugin/CodeQL/analyze/globber.py             | 132 +++++++
 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml         |  26 ++
 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml   |  24 ++
 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml |  24 ++
 BaseTools/Plugin/CodeQL/common/__init__.py             |   0
 BaseTools/Plugin/CodeQL/common/codeql_plugin.py        |  74 ++++
 BaseTools/Plugin/CodeQL/integration/__init__.py        |   0
 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py   |  79 +++++
 21 files changed, 1773 insertions(+), 171 deletions(-)
 delete mode 100644 .github/codeql/codeql-config.yml
 delete mode 100644 .github/codeql/edk2.qls
 delete mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
 create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
 create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
 create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
 create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
 create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
 create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
 create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
 create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
 create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
 create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
 create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
 create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
 create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
 create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
 create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py

-- 
2.42.0.windows.2

View/Reply Online (#109081): https://edk2.groups.io/g/devel/message/109081
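The cover letter describes the per-package SARIF file as the artifact a developer consumes to start fixing issues, either from a local build or downloaded from the GitHub action run. The script below is an added example, not code from this patch series or from the CodeQL plugins it introduces: it flattens a SARIF 2.1.0 document (the schema CodeQL emits) into individual findings, falls back to the rule's default level when a result omits its own, and turns that into a per-rule summary and a pass/fail decision a CI gate could act on. The embedded SARIF document, its rule ids and its file paths are constructed for the example; the `Build/<Package>-codeql.sarif` path mentioned in a comment is an assumption, since the Readme in the series is where the real location is documented.

```python
"""Summarize a CodeQL SARIF result file before opening it in a viewer.

Added example, not part of the edk2 patch series.  The field names follow
the SARIF 2.1.0 schema: runs[].tool.driver.rules[] and runs[].results[].
"""
import json
from collections import Counter

# Constructed minimal SARIF 2.1.0 document standing in for a file such as
# Build/<Package>-codeql.sarif (that path is an assumption; see the plugin
# Readme for the real location).  Rule ids and paths are sample values.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "rules": [
                {"id": "cpp/constant-comparison",
                 "shortDescription": {"text": "Comparison result is always the same"},
                 "defaultConfiguration": {"level": "warning"}},
                {"id": "cpp/conditionallyuninitializedvariable",
                 "shortDescription": {"text": "Conditionally uninitialized variable"},
                 "defaultConfiguration": {"level": "error"}},
            ],
        }},
        "results": [
            {"ruleId": "cpp/constant-comparison",
             "level": "warning",
             "message": {"text": "Comparison is always true."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "ExamplePkg/Library/ExampleLib/Example.c"},
                 "region": {"startLine": 120}}}]},
            {"ruleId": "cpp/conditionallyuninitializedvariable",
             # no "level" on this result: the rule's default level applies
             "message": {"text": "Variable may be uninitialized."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "ExamplePkg/Core/Dxe/Core.c"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into (rule_id, level, uri, line, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {rule["id"]: rule for rule in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "<unknown>")
            # SARIF lets a result omit "level"; the rule's
            # defaultConfiguration.level then applies, and the schema
            # default for that is "warning".
            level = result.get("level") or rules.get(rule_id, {}).get(
                "defaultConfiguration", {}).get("level", "warning")
            message = result.get("message", {}).get("text", "")
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<no file>")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append((rule_id, level, uri, line, message))
    return findings


def summarize(findings):
    """Count findings per (rule_id, level) pair."""
    return Counter((rule_id, level) for rule_id, level, *_ in findings)


def should_fail(findings, fail_on=("error",)):
    """True if any finding is at a level the caller treats as blocking."""
    return any(level in fail_on for _, level, *_ in findings)


def format_report(findings):
    """One compiler-style line per finding, sorted by file and line."""
    ordered = sorted(findings, key=lambda f: (f[2], f[3]))
    return "\n".join(f"{uri}:{line}: {level}: {msg} [{rule_id}]"
                     for rule_id, level, uri, line, msg in ordered)


if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    print(format_report(found))
    for (rule_id, level), count in sorted(summarize(found).items()):
        print(f"{count:3d} {level:8s} {rule_id}")
    raise SystemExit(1 if should_fail(found) else 0)
```

Pointing `load_findings` at the real per-package SARIF file instead of `SAMPLE_SARIF` gives the same report for a local build and for the artifact downloaded from the action run, which is the property the series is after: the file is produced by the same CLI invocation in both places, so a gate built on it behaves identically.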