From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, mikuback@linux.microsoft.com
Date: Mon, 13 Nov 2023 14:39:54 +0100
Subject: Re: [edk2-devel] CodeQL Analysis in edk2
Message-ID: <7c8e4787-74e4-f144-123f-9d44d094ce86@redhat.com>

On 11/7/23 16:43, Michael Kubacki wrote:
> The series that makes it easy to run CodeQL locally and have access to
> results from any PR or push to master.
>
> Those that have access can see the results directly in "Code Scanning"
> in the "Security" tab of the edk2 repo. That may be affected in times
> like freezes when permissions are adjusted (write permission is needed).
>
> I am hoping we can work together to improve the overall quality of the
> code and minimize the number of CodeQL alerts.
>
> This is an example of that interface:
>
> *Overview of Issues (many)*
>
> *Example of Details for a Specific Issue*
>
> *---*
>
> *However, you can always download the results for an individual package*
> from its GitHub Action run. I encourage people to do so.
>
> 1. Go to Actions -> CodeQL
>    (https://github.com/tianocore/edk2/actions/workflows/codeql.yml).
>    Anything to "master" are results at that point in time on the master
>    branch. Individual PR branches are shown to get results for a specific PR.
>
> 2. Download and open the SARIF file for a package. In the commit to
>    master shown above in
>    https://github.com/tianocore/edk2/actions/runs/6779575049, for
>    MdeModulePkg, I would download "MdeModulePkg-CodeQL-SARIF" and unzip.
>
> 3. Open the SARIF file to view results. For example, drag/drop the file
>    "codeql-db-mdemodulepkg-debug-0.sarif" into VS Code with the "SARIF
>    Viewer" installed. It shows all of the issues by file or rule with
>    click to the problem and more details about it. There are other SARIF
>    viewers available as well.

I've investigated "sarif", from "sarif-tools version 2.0.0", at .

The "emacs" output module of "sarif" would be ideal for my needs, but I
have two questions / requests regarding that:

- would it be possible to run "sarif emacs" immediately in the github
  action, so that the text file can be downloaded at once? (I currently
  have sarif-tools installed in a python venv, but I'd prefer avoiding
  even that.)

- the "sarif emacs" output seems a bit broken, actually, so it's not
  usable. Consider the following entry from the original JSON file:

  }, {
    "ruleId" : "cpp/missing-null-test",
    "ruleIndex" : 0,
    "rule" : {
      "id" : "cpp/missing-null-test",
      "index" : 0
    },
    "message" : {
      "text" : "Value may be null; it should be checked before dereferencing."
    },
    "locations" : [ {
      "physicalLocation" : {
        "artifactLocation" : {
          "uri" : "MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c",
          "uriBaseId" : "%SRCROOT%",
          "index" : 0
        },
        "region" : {
          "startLine" : 355,
          "startColumn" : 48,
          "endColumn" : 52
        }
      }
    } ],
    "partialFingerprints" : {
      "primaryLocationLineHash" : "f374f6e6dfc92010:1",
      "primaryLocationStartColumnFingerprint" : "43"
    }
  }, {

  In the "emacs" output, it appears as:

  --------
  ModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c:355: cpp/missing-null-test Value may be null; it should be checked before dereferencing.
  --------

  Note that the first three characters, "Mde" of "MdeModulePkg", are
  lost. This issue (first three chars cut) affects all other pathnames in
  the emacs output too. Is this a known issue perhaps?

Thanks!
Laszlo

> Keep in mind that CodeQL will often not highlight everything that needs
> to be done to fix an issue. It alerts the developer to an issue and then
> you need to inspect the code to determine if other code paths or
> refactoring should be applied.
>
> I will create a wiki page with more user focused information, but I
> wanted to share some quick info for getting started.
>
> More technical details about how the plugin itself works and applying
> exceptions are available in its readme
> - edk2/BaseTools/Plugin/CodeQL/Readme.md at master · tianocore/edk2
> (github.com).
>
> Thanks,
> Michael

View/Reply Online (#111153): https://edk2.groups.io/g/devel/message/111153
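The thread above walks through the shape of a CodeQL SARIF result (ruleId, message.text, locations[0].physicalLocation.artifactLocation.uri with uriBaseId "%SRCROOT%", region.startLine) and shows an emacs-style rendering of it in which the first three characters of the path went missing. The following is an added example, not code from the thread or from sarif-tools: a minimal SARIF 2.1.0 to `path:line: ruleId message` converter in Python, plus a check that every artifact URI in the document survives verbatim into the rendered output, which is exactly the property that the truncated "ModulePkg/..." line violates. The embedded SARIF document is constructed from the single result quoted in the thread; the run-level fields around it (tool driver, originalUriBaseIds) are assumed.

```python
"""Minimal SARIF 2.1.0 -> emacs compilation-mode line converter (added example).

Not part of the edk2 thread or of sarif-tools. Reads a SARIF log and renders
one `path:line[:col]: ruleId message` line per result, keeping the artifact
URI intact, and offers a sanity check that no path prefix was dropped.
"""
import json
import sys

# Constructed sample: one run with one result, modelled on the entry quoted in
# the thread. Run-level fields (tool, originalUriBaseIds) are assumed.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL",
                            "rules": [{"id": "cpp/missing-null-test"}]}},
        "originalUriBaseIds": {"%SRCROOT%": {"uri": "file:///work/edk2/"}},
        "results": [{
            "ruleId": "cpp/missing-null-test",
            "ruleIndex": 0,
            "message": {"text": "Value may be null; it should be checked "
                                "before dereferencing."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {
                    "uri": "MdeModulePkg/Application/UiApp/"
                           "FrontPageCustomizedUiSupport.c",
                    "uriBaseId": "%SRCROOT%",
                    "index": 0,
                },
                "region": {"startLine": 355, "startColumn": 48, "endColumn": 52},
            }}],
        }],
    }],
})


def result_to_emacs_line(result, *, with_column=False):
    """Render one SARIF result as `path:line[:col]: ruleId message`.

    Results without a physical location (for example tool notifications that
    are not tied to a file) yield None and are skipped by the caller.
    """
    locs = result.get("locations") or []
    if not locs:
        return None
    phys = locs[0].get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri")
    if uri is None:
        return None
    region = phys.get("region", {})
    pos = f"{uri}:{region.get('startLine', 1)}"
    if with_column and "startColumn" in region:
        pos += f":{region['startColumn']}"
    rule = result.get("ruleId", "<no-rule>")
    text = result.get("message", {}).get("text", "")
    return f"{pos}: {rule} {text}"


def sarif_to_emacs(sarif_text, *, with_column=False):
    """Parse a SARIF document and return its results as emacs-style lines."""
    doc = json.loads(sarif_text)
    lines = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rendered = result_to_emacs_line(result, with_column=with_column)
            if rendered is not None:
                lines.append(rendered)
    return lines


def paths_intact(sarif_text, rendered_lines):
    """Every artifact URI in the document must start some rendered line.

    A converter that drops a prefix (e.g. "ModulePkg/..." for
    "MdeModulePkg/...") fails this check.
    """
    doc = json.loads(sarif_text)
    uris = {
        loc["physicalLocation"]["artifactLocation"]["uri"]
        for run in doc.get("runs", [])
        for res in run.get("results", [])
        for loc in res.get("locations", [])
        if "physicalLocation" in loc
    }
    return all(any(ln.startswith(u + ":") for ln in rendered_lines) for u in uris)


if __name__ == "__main__":
    # Usage: python sarif_emacs.py [file.sarif]; with no argument the
    # constructed sample is rendered. Exit status 1 if a path was mangled.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    out = sarif_to_emacs(text)
    print("\n".join(out))
    sys.exit(0 if paths_intact(text, out) else 1)
```

Pointing the script at a downloaded "codeql-db-mdemodulepkg-debug-0.sarif" gives a file that emacs compilation-mode can jump through directly; the `paths_intact` check is cheap to run in a CI step after any SARIF post-processing, so a regression like the dropped "Mde" prefix is caught before anyone opens the output.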