From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io, ray.ni@intel.com
Cc: "Kinney, Michael D"
Subject: Re: [edk2-devel] [RFC] Adoption of CodeQL in edk2
Date: Mon, 3 Oct 2022 10:19:21 -0400
Message-ID: <3c80fc9e-02e3-867b-10fc-06ab26e2d9d0@linux.microsoft.com>
References: <0da4bc04-851e-7028-9c34-e0b37bdf105c@linux.microsoft.com> <8117.1664496315698093072@groups.io>

Code changes do not need to be made for anything except actual fixes and improvements.
The process to dismiss alerts is mentioned in the RFC post (https://github.com/tianocore/edk2/discussions/3258) under "Dismissing CodeQL Alerts", which links to this page with more info: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#dismissing--alerts

On 9/29/2022 10:53 PM, Ni, Ray wrote:
> Multiplication result converted to larger type · Code scanning alert #66 · tianocore/edk2 (github.com)
>
> Michael, I do not think the above issue is a real issue. Will they be required to fix before enabling the CodeQL?
>
> *From:* devel@edk2.groups.io *On Behalf Of* Michael D Kinney
> *Sent:* Friday, September 30, 2022 9:03 AM
> *To:* devel@edk2.groups.io; mikuback@linux.microsoft.com; Kinney, Michael D
> *Subject:* Re: [edk2-devel] [RFC] Adoption of CodeQL in edk2
>
> I just want to reiterate. If there are no concerns or objections raised by Oct 4, then the CodeQL static analysis will be phased into use in the edk2 repo and there will be code changes made to address the issues identified by CodeQL, and all future code changes after a CodeQL check is enabled will be blocked until the CodeQL CI checks pass.
>
> This will impact all future code changes and all developers will have to learn how to interpret CodeQL reports and fix issues.
>
> Thanks,
>
> Mike
>
> *From:* devel@edk2.groups.io *On Behalf Of* Michael Kubacki
> *Sent:* Thursday, September 29, 2022 5:05 PM
> *To:* Michael Kubacki; devel@edk2.groups.io
> *Subject:* Re: [edk2-devel] [RFC] Adoption of CodeQL in edk2
>
> If there's any further feedback on this RFC, please respond by Tuesday, October 4th. We plan to start implementing the changes later in the week.
>
> Thanks,
> Michael
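The alert Ray links above ("Multiplication result converted to larger type", code scanning alert #66) is easier to judge with the pattern in front of you. The following is an added example written for this page; it is not code from edk2 or from any message in the thread. It uses stdint types in place of edk2's UINT32/UINT64 so it compiles stand-alone, and the function names and sample sizes are invented for illustration. CodeQL raises this alert (the C/C++ query is, as far as I know, cpp/integer-multiplication-cast-to-long) when a product of narrower operands is stored in a wider type: the multiply is performed at the narrower width and can wrap before the result is widened, so the wider destination gives a false sense of headroom.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example, not edk2 code. uint32_t/uint64_t stand in for
 * edk2's UINT32/UINT64; function names are invented for illustration.
 */

/* The pattern CodeQL flags: both operands are 32-bit, so the product is
 * computed modulo 2^32 and only then widened to 64 bits. With
 * Rows = Cols = 0x10000 the true product is 2^32, which wraps to 0
 * before the assignment ever sees a 64-bit value. */
uint64_t
BufferBytesUnsafe (
  uint32_t  Rows,
  uint32_t  Cols
  )
{
  uint64_t  Bytes;

  Bytes = Rows * Cols;  /* 32-bit multiply; widened only afterwards */
  return Bytes;
}

/* The one-line fix the alert is asking for: widen one operand first so the
 * usual arithmetic conversions promote the other and the multiply is 64-bit. */
uint64_t
BufferBytesSafe (
  uint32_t  Rows,
  uint32_t  Cols
  )
{
  uint64_t  Bytes;

  Bytes = (uint64_t)Rows * Cols;
  return Bytes;
}

/* When the consumer genuinely needs a 32-bit result (a 32-bit length field,
 * for example), widening the destination is not an option; detect the wrap
 * instead. Returns 1 and stores the product when it fits in 32 bits,
 * 0 (leaving *Result untouched) when it would overflow. */
int
MultU32Checked (
  uint32_t  A,
  uint32_t  B,
  uint32_t  *Result
  )
{
  uint64_t  Product;

  Product = (uint64_t)A * B;
  if (Product > UINT32_MAX) {
    return 0;
  }
  *Result = (uint32_t)Product;
  return 1;
}

int
main (
  void
  )
{
  uint32_t  Small = 0;
  int       Fits;

  printf ("unsafe 0x10000*0x10000 -> 0x%llx\n",
          (unsigned long long)BufferBytesUnsafe (0x10000u, 0x10000u));
  printf ("safe   0x10000*0x10000 -> 0x%llx\n",
          (unsigned long long)BufferBytesSafe (0x10000u, 0x10000u));
  Fits = MultU32Checked (0x10000u, 0x10000u, &Small);
  printf ("checked 0x10000*0x10000 fits in 32 bits: %d\n", Fits);
  Fits = MultU32Checked (1000u, 1000u, &Small);
  printf ("checked 1000*1000 fits in 32 bits: %d (value %u)\n", Fits, Small);
  return 0;
}
```

Whether a given instance of this alert is a real bug comes down to whether the operands can actually produce a product above 2^32 on some input path. If they are bounded by construction, dismissing the alert as a false positive through the GitHub workflow linked above is the right outcome; if they come from untrusted data (table sizes, image headers, firmware volume lengths), the wrap is exactly the kind of under-allocation that leads to a heap overflow, and the cast form costs nothing. For results that must stay 32-bit, edk2's SafeIntLib already provides checked arithmetic helpers that do what MultU32Checked does here.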