public inbox for devel@edk2.groups.io
From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, mikuback@linux.microsoft.com
Subject: Re: [edk2-devel] CodeQL Analysis in edk2
Date: Mon, 13 Nov 2023 14:39:54 +0100	[thread overview]
Message-ID: <7c8e4787-74e4-f144-123f-9d44d094ce86@redhat.com> (raw)
In-Reply-To: <T663.1699371805643893704.pTvc@groups.io>

On 11/7/23 16:43, Michael Kubacki wrote:
> The series that makes it easy to run CodeQL locally and have access to
> results from any PR or push to master.
> 
> Those that have access can see the results directly in "Code Scanning"
> in the "Security" tab of the edk2 repo. That may be affected in times
> like freezes when permissions are adjusted (write permission is needed).
> 
> I am hoping we can work together to improve the overall quality of the
> code and minimize the number of CodeQL alerts.
> 
> This is an example of that interface:
> 
> *Overview of Issues (many)*
> 
> 
> *Example of Details for a Specific Issue*
> 
> *---*
> 
> *However, you can always download the results for an individual package*
> from its GitHub Action run. I encourage people to do so.
> 
> 1. Go to Actions -> CodeQL
> <https://github.com/tianocore/edk2/actions/workflows/codeql.yml>
> (https://github.com/tianocore/edk2/actions/workflows/codeql.yml).
> Anything to "master" are results at that point in time on the master
> branch. Individual PR branches are shown to get results for a specific PR.
> 
> 
> 
> 2. Download and open the SARIF file for a package. In the commit to
> master shown above in
> https://github.com/tianocore/edk2/actions/runs/6779575049, for
> MdeModulePkg, I would download "MdeModulePkg-CodeQL-SARIF" and unzip.
> 
> 
> 
> 3. Open the SARIF file to view results. For example, drag/drop the file
> "codeql-db-mdemodulepkg-debug-0.sarif" into VS Code with the "SARIF
> Viewer"
> <https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer> installed. It shows all of the issues by file or rule with click to the problem and more details about it. There are other SARIF viewers available as well.

I've investigated "sarif", from "sarif-tools version 2.0.0", at <https://github.com/microsoft/sarif-tools>.

The "emacs" output module of "sarif" would be ideal for my needs, but I have two questions / requests regarding that:

- would it be possible to run "sarif emacs" immediately in the github action, so that the text file can be downloaded at once? (I currently have sarif-tools installed in a python venv, but I'd prefer avoiding even that.)

- the "sarif emacs" output seems a bit broken, actually, so it's not usable. Consider the following entry from the original JSON file:

    }, {
      "ruleId" : "cpp/missing-null-test",
      "ruleIndex" : 0,
      "rule" : {
        "id" : "cpp/missing-null-test",
        "index" : 0
      },
      "message" : {
        "text" : "Value may be null; it should be checked before dereferencing."
      },
      "locations" : [ {
        "physicalLocation" : {
          "artifactLocation" : {
            "uri" : "MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c",
            "uriBaseId" : "%SRCROOT%",
            "index" : 0
          },
          "region" : {
            "startLine" : 355,
            "startColumn" : 48,
            "endColumn" : 52
          }
        }
      } ],
      "partialFingerprints" : {
        "primaryLocationLineHash" : "f374f6e6dfc92010:1",
        "primaryLocationStartColumnFingerprint" : "43"
      }
    }, {

In the "emacs" output, it appears as:

--------
ModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c:355: cpp/missing-null-test Value may be null; it should be checked before dereferencing.
--------

Note that the first three characters, "Mde" of "MdeModulePkg", are lost.

This issue (first three chars cut) affects all other pathnames in the emacs output too.

Is this a known issue perhaps?

Thanks!
Laszlo

> 
> 
> 
> Keep in mind that CodeQL will often not highlight everything that needs
> to be done to fix an issue. It alerts the developer to an issue and then
> you need to inspect the code to determine if other code paths or
> refactoring should be applied.
> 
> I will create a wiki page with more user focused information, but I
> wanted to share some quick info for getting started.
> 
> More technical details about how the plugin itself works and applying
> exceptions are available in its readme
> - edk2/BaseTools/Plugin/CodeQL/Readme.md at master · tianocore/edk2
> (github.com).
> <https://github.com/tianocore/edk2/blob/master/BaseTools/Plugin/CodeQL/Readme.md>
> 
> Thanks,
> Michael
> 
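The thread above walks through downloading a CodeQL SARIF file and converting it to Emacs-style "FILE:LINE: RULE MESSAGE" lines, and reports that sarif-tools' "emacs" output drops the first three characters of each path. The following is an added example, not sarif-tools or edk2 code: a minimal converter that reads the SARIF result structure quoted in the thread and emits compilation-mode lines while keeping the artifact URI intact. The SARIF document it parses is constructed here from the entry quoted above; the "file:///" prefix handling is an assumption about absolute URIs, not something the thread describes.

```python
# Added example (not sarif-tools or edk2 code): emit Emacs compilation-mode
# lines from a CodeQL SARIF log. The point is that the artifact URI is passed
# through whole; only a scheme prefix that is really present is removed.
import json

# Constructed SARIF sample with the same fields as the result quoted in the thread.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [{
            "ruleId": "cpp/missing-null-test",
            "message": {"text": "Value may be null; it should be checked before dereferencing."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {
                    "uri": "MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c",
                    "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": 355, "startColumn": 48, "endColumn": 52}}}],
        }],
    }],
})


def emacs_lines(sarif_text):
    """Return 'FILE:LINE:COL: RULE MESSAGE' strings, one per result location."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "unknown-rule")
            text = result.get("message", {}).get("text", "").replace("\n", " ")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<no-uri>")
                # Assumption: strip an absolute file URI scheme if present;
                # never slice a fixed number of characters off the path.
                if uri.startswith("file:///"):
                    uri = uri[len("file:///"):]
                region = phys.get("region", {})
                line = region.get("startLine", 0)
                col = region.get("startColumn", 0)
                out.append(f"{uri}:{line}:{col}: {rule} {text}")
    return out


if __name__ == "__main__":
    for entry in emacs_lines(SAMPLE_SARIF):
        print(entry)
```

Piping the output into an Emacs compilation buffer (or any editor that parses "file:line:col:") gives click-through to each finding without a viewer plugin.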




Thread overview: 10+ messages
2023-11-07 15:43 [edk2-devel] CodeQL Analysis in edk2 Michael Kubacki
2023-11-13 13:39 ` Laszlo Ersek [this message]
2023-11-13 13:42   ` Laszlo Ersek
2023-11-15  0:35     ` Michael Kubacki
2023-11-15 12:00       ` Laszlo Ersek
2024-02-27 11:39 ` Gerd Hoffmann
2024-02-27 16:04   ` Michael Kubacki
2024-02-28  3:43     ` Laszlo Ersek
2024-02-28  3:55       ` Michael Kubacki
2024-02-28 11:29     ` Gerd Hoffmann
