* [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI
@ 2023-10-18 1:04 Michael Kubacki
0 siblings, 0 replies; 4+ messages in thread
From: Michael Kubacki @ 2023-10-18 1:04 UTC (permalink / raw)
To: devel
Cc: Bob Feng, Liming Gao, Michael D Kinney, Rebecca Cran, Sean Brogan,
Yuwei Chen
From: Michael Kubacki <michael.kubacki@microsoft.com>
CodeQL currently runs via the codeql-analysis.yml GitHub workflow
which uses the github/codeql-action/init@v2 action (pre-build)
and the github/codeql-action/analyze@v2 action (post-build) to
setup the CodeQL environment and extract results.
This infrastructure is removed in preparation for a new design that
will directly run the CodeQL CLI as part of the build. This will
allow CodeQL to be run locally as part of the normal build process
with results that match 1:1 with CI builds.
The CodeQL CLI design is automatically driven by a set of CodeQL
plugins:
1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a
build.
2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
This approach offers the following advantages:
1. Provides exactly the same results locally as on a CI server.
2. Integrates very well into IDEs such as VS Code.
3. Very simple to use - just use normal Stuart update and build
commands.
4. Very simple to understand - minimally wraps the official CodeQL
CLI.
5. Very simple to integrate - works like any other Stuart build
plugin.
6. Portable - not tied to Azure DevOps specific, GitHub specific,
or other host infrastructure.
7. Versioned - the query and filters are versioned in source
control so easy to find and track.
The appropriate CodeQL CLI is downloaded for the host OS by passing
the `--codeql` argument to the update command.
`stuart_update -c .pytool/CISettings.py --codeql`
After that, CodeQL can be run in a build by similarly passing the
`--codeql` argument to the build command. For example:
`stuart_ci_build -c .pytool/CISettings.py --codeql`
Going forward, CI will simply use those commands in CodeQL builds
to get results instead of the CodeQL GitHub actions.
When `--codeql` is specified in the build command, each package will
contain two main artifacts in the Build directory.
1. The CodeQL database for the package
2. The CodeQL SARIF (result) file for the package
The CodeQL database (1) can be used to run queries against without
rebuilding any code. The SARIF result file (2) is the result of
running enabled queries against the database.
SARIF stands for Static Analysis Results Interchange Format and it
is an industry standard format for output from static analysis tools.
https://sarifweb.azurewebsites.net/
The SARIF file can be opened with any standard SARIF file viewer
such as this one for VS Code:
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
That includes the ability to jump directly to issues in the source
code file with relevant code highlighted and suggestions included.
This means that after simply adding `--codeql` to the normal build
commands, a database will be present for future querying and a SARIF
result file will be present to allow the developer to immediately
start fixing issues.
More details about the location of these and usage is in the
BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
The CI process pushes the SARIF file to GitHub Code Scanning so the
results are generated exactly the same way they are locally.
All build logs and the SARIF file for each package are uploaded to
the GitHub action run as artifacts. If a CodeQL issue is found, a
developer can download the SARIF file directly from the GitHub action
run to fix the problem without needing to rebuild locally.
An example run of these changes showing the packages built and output
logs and SARIF files is available here:
https://github.com/tianocore/edk2/actions/runs/6317077528
The series enables a new set of CodeQL queries that helps find useful
issues in the codebase. So, new CodeQL results will appear in the edk2
GitHub Code Scanning area after the change. It is expected that the
community will work together to prioritize and resolve issues to improve
the quality of the codebase.
V3 Changes:
1. Add a "Resolution Guidelines" section to the CodeQL plugin readme
file based on feedback in the October 16, 2023 Tianocore Tools &
CI meeting to capture some notes useful in solving issues in the
file.
V2 Changes:
1. Enable CodeQL audit mode. This is because a new patch also enables
queries that will result in unresolved issues so audit mode is needed
for the build to succeed.
2. Enable new CodeQL queries. This will enable new CodeQL queries so the
issues are easier to find and track.
Links and refernces:
- CodeQL Overview:
https://codeql.github.com/docs/codeql-overview/
- CodeQL open-source queries:
https://github.com/github/codeql
- CodeQL CLI:
https://docs.github.com/en/code-security/codeql-cli#codeql-cli
- SARIF Specification and Information:
https://sarifweb.azurewebsites.net/
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Michael Kubacki (7):
Remove existing CodeQL infrastructure
BaseTools/Plugin/CodeQL: Add CodeQL build plugin
BaseTools/Plugin/CodeQL: Add integration helpers
.pytool/CISettings.py: Integrate CodeQL
.github/workflows/codeql.yml: Add CodeQL workflow
.pytool/CISettings: Enable CodeQL audit mode
BaseTools/Plugin/CodeQL: Enable 30 queries
.github/codeql/codeql-config.yml | 29 --
.github/codeql/edk2.qls | 24 --
.github/workflows/codeql-analysis.yml | 118 ------
.github/workflows/codeql.yml | 338 +++++++++++++++++
.pytool/CISettings.py | 36 ++
BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py | 222 +++++++++++
BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml | 13 +
BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py | 172 +++++++++
BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml | 13 +
BaseTools/Plugin/CodeQL/CodeQlQueries.qls | 118 ++++++
BaseTools/Plugin/CodeQL/Readme.md | 388 ++++++++++++++++++++
BaseTools/Plugin/CodeQL/analyze/__init__.py | 0
BaseTools/Plugin/CodeQL/analyze/analyze_filter.py | 176 +++++++++
BaseTools/Plugin/CodeQL/analyze/globber.py | 132 +++++++
BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml | 26 ++
BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml | 24 ++
BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml | 24 ++
BaseTools/Plugin/CodeQL/common/__init__.py | 0
BaseTools/Plugin/CodeQL/common/codeql_plugin.py | 74 ++++
BaseTools/Plugin/CodeQL/integration/__init__.py | 0
BaseTools/Plugin/CodeQL/integration/stuart_codeql.py | 79 ++++
21 files changed, 1835 insertions(+), 171 deletions(-)
delete mode 100644 .github/codeql/codeql-config.yml
delete mode 100644 .github/codeql/edk2.qls
delete mode 100644 .github/workflows/codeql-analysis.yml
create mode 100644 .github/workflows/codeql.yml
create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
--
2.42.0.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109694): https://edk2.groups.io/g/devel/message/109694
Mute This Topic: https://groups.io/mt/102031054/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI
[not found] <178F0E1DF715166D.14388@groups.io>
@ 2023-10-20 1:07 ` Michael Kubacki
2023-10-23 18:12 ` Michael Kubacki
0 siblings, 1 reply; 4+ messages in thread
From: Michael Kubacki @ 2023-10-20 1:07 UTC (permalink / raw)
To: devel, Bob Feng, Liming Gao, Michael D Kinney, Rebecca Cran,
Sean Brogan, Yuwei Chen
A reminder to review this series. It's been on the mailing list for a
few weeks now.
Thanks,
Michael
On 10/17/2023 9:04 PM, Michael Kubacki wrote:
> From: Michael Kubacki <michael.kubacki@microsoft.com>
>
> CodeQL currently runs via the codeql-analysis.yml GitHub workflow
> which uses the github/codeql-action/init@v2 action (pre-build)
> and the github/codeql-action/analyze@v2 action (post-build) to
> setup the CodeQL environment and extract results.
>
> This infrastructure is removed in preparation for a new design that
> will directly run the CodeQL CLI as part of the build. This will
> allow CodeQL to be run locally as part of the normal build process
> with results that match 1:1 with CI builds.
>
> The CodeQL CLI design is automatically driven by a set of CodeQL
> plugins:
>
> 1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a
> build.
> 2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
>
> This approach offers the following advantages:
>
> 1. Provides exactly the same results locally as on a CI server.
> 2. Integrates very well into IDEs such as VS Code.
> 3. Very simple to use - just use normal Stuart update and build
> commands.
> 4. Very simple to understand - minimally wraps the official CodeQL
> CLI.
> 5. Very simple to integrate - works like any other Stuart build
> plugin.
> 6. Portable - not tied to Azure DevOps specific, GitHub specific,
> or other host infrastructure.
> 7. Versioned - the query and filters are versioned in source
> control so easy to find and track.
>
> The appropriate CodeQL CLI is downloaded for the host OS by passing
> the `--codeql` argument to the update command.
>
> `stuart_update -c .pytool/CISettings.py --codeql`
>
> After that, CodeQL can be run in a build by similarly passing the
> `--codeql` argument to the build command. For example:
>
> `stuart_ci_build -c .pytool/CISettings.py --codeql`
>
> Going forward, CI will simply use those commands in CodeQL builds
> to get results instead of the CodeQL GitHub actions.
>
> When `--codeql` is specified in the build command, each package will
> contain two main artifacts in the Build directory.
>
> 1. The CodeQL database for the package
> 2. The CodeQL SARIF (result) file for the package
>
> The CodeQL database (1) can be used to run queries against without
> rebuilding any code. The SARIF result file (2) is the result of
> running enabled queries against the database.
>
> SARIF stands for Static Analysis Results Interchange Format and it
> is an industry standard format for output from static analysis tools.
>
> https://sarifweb.azurewebsites.net/
>
> The SARIF file can be opened with any standard SARIF file viewer
> such as this one for VS Code:
>
> https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
>
> That includes the ability to jump directly to issues in the source
> code file with relevant code highlighted and suggestions included.
>
> This means that after simply adding `--codeql` to the normal build
> commands, a database will be present for future querying and a SARIF
> result file will be present to allow the developer to immediately
> start fixing issues.
>
> More details about the location of these and usage is in the
> BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
>
> The CI process pushes the SARIF file to GitHub Code Scanning so the
> results are generated exactly the same way they are locally.
>
> All build logs and the SARIF file for each package are uploaded to
> the GitHub action run as artifacts. If a CodeQL issue is found, a
> developer can download the SARIF file directly from the GitHub action
> run to fix the problem without needing to rebuild locally.
>
> An example run of these changes showing the packages built and output
> logs and SARIF files is available here:
>
> https://github.com/tianocore/edk2/actions/runs/6317077528
>
> The series enables a new set of CodeQL queries that helps find useful
> issues in the codebase. So, new CodeQL results will appear in the edk2
> GitHub Code Scanning area after the change. It is expected that the
> community will work together to prioritize and resolve issues to improve
> the quality of the codebase.
>
> V3 Changes:
>
> 1. Add a "Resolution Guidelines" section to the CodeQL plugin readme
> file based on feedback in the October 16, 2023 Tianocore Tools &
> CI meeting to capture some notes useful in solving issues in the
> file.
>
> V2 Changes:
>
> 1. Enable CodeQL audit mode. This is because a new patch also enables
> queries that will result in unresolved issues so audit mode is needed
> for the build to succeed.
> 2. Enable new CodeQL queries. This will enable new CodeQL queries so the
> issues are easier to find and track.
>
> Links and refernces:
>
> - CodeQL Overview:
> https://codeql.github.com/docs/codeql-overview/
> - CodeQL open-source queries:
> https://github.com/github/codeql
> - CodeQL CLI:
> https://docs.github.com/en/code-security/codeql-cli#codeql-cli
> - SARIF Specification and Information:
> https://sarifweb.azurewebsites.net/
>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Rebecca Cran <rebecca@bsdio.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
>
> Michael Kubacki (7):
> Remove existing CodeQL infrastructure
> BaseTools/Plugin/CodeQL: Add CodeQL build plugin
> BaseTools/Plugin/CodeQL: Add integration helpers
> .pytool/CISettings.py: Integrate CodeQL
> .github/workflows/codeql.yml: Add CodeQL workflow
> .pytool/CISettings: Enable CodeQL audit mode
> BaseTools/Plugin/CodeQL: Enable 30 queries
>
> .github/codeql/codeql-config.yml | 29 --
> .github/codeql/edk2.qls | 24 --
> .github/workflows/codeql-analysis.yml | 118 ------
> .github/workflows/codeql.yml | 338 +++++++++++++++++
> .pytool/CISettings.py | 36 ++
> BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py | 222 +++++++++++
> BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml | 13 +
> BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py | 172 +++++++++
> BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml | 13 +
> BaseTools/Plugin/CodeQL/CodeQlQueries.qls | 118 ++++++
> BaseTools/Plugin/CodeQL/Readme.md | 388 ++++++++++++++++++++
> BaseTools/Plugin/CodeQL/analyze/__init__.py | 0
> BaseTools/Plugin/CodeQL/analyze/analyze_filter.py | 176 +++++++++
> BaseTools/Plugin/CodeQL/analyze/globber.py | 132 +++++++
> BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml | 26 ++
> BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml | 24 ++
> BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml | 24 ++
> BaseTools/Plugin/CodeQL/common/__init__.py | 0
> BaseTools/Plugin/CodeQL/common/codeql_plugin.py | 74 ++++
> BaseTools/Plugin/CodeQL/integration/__init__.py | 0
> BaseTools/Plugin/CodeQL/integration/stuart_codeql.py | 79 ++++
> 21 files changed, 1835 insertions(+), 171 deletions(-)
> delete mode 100644 .github/codeql/codeql-config.yml
> delete mode 100644 .github/codeql/edk2.qls
> delete mode 100644 .github/workflows/codeql-analysis.yml
> create mode 100644 .github/workflows/codeql.yml
> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
> create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
> create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
> create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
> create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
> create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
> create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
> create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
> create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
> create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
> create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
> create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109819): https://edk2.groups.io/g/devel/message/109819
Mute This Topic: https://groups.io/mt/102031054/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI
2023-10-20 1:07 ` [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI Michael Kubacki
@ 2023-10-23 18:12 ` Michael Kubacki
2023-10-23 23:37 ` Michael D Kinney
0 siblings, 1 reply; 4+ messages in thread
From: Michael Kubacki @ 2023-10-23 18:12 UTC (permalink / raw)
To: devel, Bob Feng, Liming Gao, Michael D Kinney, Rebecca Cran,
Sean Brogan, Yuwei Chen
Another reminder. It would be nice to get this merged soon so actual
code fixes can follow.
Thanks,
Michael
On 10/19/2023 9:07 PM, Michael Kubacki wrote:
> A reminder to review this series. It's been on the mailing list for a
> few weeks now.
>
> Thanks,
> Michael
>
> On 10/17/2023 9:04 PM, Michael Kubacki wrote:
>> From: Michael Kubacki <michael.kubacki@microsoft.com>
>>
>> CodeQL currently runs via the codeql-analysis.yml GitHub workflow
>> which uses the github/codeql-action/init@v2 action (pre-build)
>> and the github/codeql-action/analyze@v2 action (post-build) to
>> setup the CodeQL environment and extract results.
>>
>> This infrastructure is removed in preparation for a new design that
>> will directly run the CodeQL CLI as part of the build. This will
>> allow CodeQL to be run locally as part of the normal build process
>> with results that match 1:1 with CI builds.
>>
>> The CodeQL CLI design is automatically driven by a set of CodeQL
>> plugins:
>>
>> 1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a
>> build.
>> 2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
>>
>> This approach offers the following advantages:
>>
>> 1. Provides exactly the same results locally as on a CI server.
>> 2. Integrates very well into IDEs such as VS Code.
>> 3. Very simple to use - just use normal Stuart update and build
>> commands.
>> 4. Very simple to understand - minimally wraps the official CodeQL
>> CLI.
>> 5. Very simple to integrate - works like any other Stuart build
>> plugin.
>> 6. Portable - not tied to Azure DevOps specific, GitHub specific,
>> or other host infrastructure.
>> 7. Versioned - the query and filters are versioned in source
>> control so easy to find and track.
>>
>> The appropriate CodeQL CLI is downloaded for the host OS by passing
>> the `--codeql` argument to the update command.
>>
>> `stuart_update -c .pytool/CISettings.py --codeql`
>>
>> After that, CodeQL can be run in a build by similarly passing the
>> `--codeql` argument to the build command. For example:
>>
>> `stuart_ci_build -c .pytool/CISettings.py --codeql`
>>
>> Going forward, CI will simply use those commands in CodeQL builds
>> to get results instead of the CodeQL GitHub actions.
>>
>> When `--codeql` is specified in the build command, each package will
>> contain two main artifacts in the Build directory.
>>
>> 1. The CodeQL database for the package
>> 2. The CodeQL SARIF (result) file for the package
>>
>> The CodeQL database (1) can be used to run queries against without
>> rebuilding any code. The SARIF result file (2) is the result of
>> running enabled queries against the database.
>>
>> SARIF stands for Static Analysis Results Interchange Format and it
>> is an industry standard format for output from static analysis tools.
>>
>> https://sarifweb.azurewebsites.net/
>>
>> The SARIF file can be opened with any standard SARIF file viewer
>> such as this one for VS Code:
>>
>> https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
>>
>> That includes the ability to jump directly to issues in the source
>> code file with relevant code highlighted and suggestions included.
>>
>> This means that after simply adding `--codeql` to the normal build
>> commands, a database will be present for future querying and a SARIF
>> result file will be present to allow the developer to immediately
>> start fixing issues.
>>
>> More details about the location of these and usage is in the
>> BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
>>
>> The CI process pushes the SARIF file to GitHub Code Scanning so the
>> results are generated exactly the same way they are locally.
>>
>> All build logs and the SARIF file for each package are uploaded to
>> the GitHub action run as artifacts. If a CodeQL issue is found, a
>> developer can download the SARIF file directly from the GitHub action
>> run to fix the problem without needing to rebuild locally.
>>
>> An example run of these changes showing the packages built and output
>> logs and SARIF files is available here:
>>
>> https://github.com/tianocore/edk2/actions/runs/6317077528
>>
>> The series enables a new set of CodeQL queries that helps find useful
>> issues in the codebase. So, new CodeQL results will appear in the edk2
>> GitHub Code Scanning area after the change. It is expected that the
>> community will work together to prioritize and resolve issues to improve
>> the quality of the codebase.
>>
>> V3 Changes:
>>
>> 1. Add a "Resolution Guidelines" section to the CodeQL plugin readme
>> file based on feedback in the October 16, 2023 Tianocore Tools &
>> CI meeting to capture some notes useful in solving issues in the
>> file.
>>
>> V2 Changes:
>>
>> 1. Enable CodeQL audit mode. This is because a new patch also enables
>> queries that will result in unresolved issues so audit mode is needed
>> for the build to succeed.
>> 2. Enable new CodeQL queries. This will enable new CodeQL queries so the
>> issues are easier to find and track.
>>
>> Links and refernces:
>>
>> - CodeQL Overview:
>> https://codeql.github.com/docs/codeql-overview/
>> - CodeQL open-source queries:
>> https://github.com/github/codeql
>> - CodeQL CLI:
>> https://docs.github.com/en/code-security/codeql-cli#codeql-cli
>> - SARIF Specification and Information:
>> https://sarifweb.azurewebsites.net/
>>
>> Cc: Bob Feng <bob.c.feng@intel.com>
>> Cc: Liming Gao <gaoliming@byosoft.com.cn>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Cc: Rebecca Cran <rebecca@bsdio.com>
>> Cc: Sean Brogan <sean.brogan@microsoft.com>
>> Cc: Yuwei Chen <yuwei.chen@intel.com>
>>
>> Michael Kubacki (7):
>> Remove existing CodeQL infrastructure
>> BaseTools/Plugin/CodeQL: Add CodeQL build plugin
>> BaseTools/Plugin/CodeQL: Add integration helpers
>> .pytool/CISettings.py: Integrate CodeQL
>> .github/workflows/codeql.yml: Add CodeQL workflow
>> .pytool/CISettings: Enable CodeQL audit mode
>> BaseTools/Plugin/CodeQL: Enable 30 queries
>>
>> .github/codeql/codeql-config.yml | 29 --
>> .github/codeql/edk2.qls | 24 --
>> .github/workflows/codeql-analysis.yml | 118 ------
>> .github/workflows/codeql.yml | 338
>> +++++++++++++++++
>> .pytool/CISettings.py | 36 ++
>> BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py | 222
>> +++++++++++
>> BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml | 13 +
>> BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py | 172 +++++++++
>> BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml | 13 +
>> BaseTools/Plugin/CodeQL/CodeQlQueries.qls | 118 ++++++
>> BaseTools/Plugin/CodeQL/Readme.md | 388
>> ++++++++++++++++++++
>> BaseTools/Plugin/CodeQL/analyze/__init__.py | 0
>> BaseTools/Plugin/CodeQL/analyze/analyze_filter.py | 176 +++++++++
>> BaseTools/Plugin/CodeQL/analyze/globber.py | 132 +++++++
>> BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml | 26 ++
>> BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml | 24 ++
>> BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml | 24 ++
>> BaseTools/Plugin/CodeQL/common/__init__.py | 0
>> BaseTools/Plugin/CodeQL/common/codeql_plugin.py | 74 ++++
>> BaseTools/Plugin/CodeQL/integration/__init__.py | 0
>> BaseTools/Plugin/CodeQL/integration/stuart_codeql.py | 79 ++++
>> 21 files changed, 1835 insertions(+), 171 deletions(-)
>> delete mode 100644 .github/codeql/codeql-config.yml
>> delete mode 100644 .github/codeql/edk2.qls
>> delete mode 100644 .github/workflows/codeql-analysis.yml
>> create mode 100644 .github/workflows/codeql.yml
>> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
>> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
>> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
>> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
>> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
>> create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
>> create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
>> create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
>> create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
>> create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
>> create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
>> create mode 100644
>> BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
>> create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
>> create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
>> create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
>> create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
>>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109948): https://edk2.groups.io/g/devel/message/109948
Mute This Topic: https://groups.io/mt/102031054/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI
2023-10-23 18:12 ` Michael Kubacki
@ 2023-10-23 23:37 ` Michael D Kinney
0 siblings, 0 replies; 4+ messages in thread
From: Michael D Kinney @ 2023-10-23 23:37 UTC (permalink / raw)
To: devel@edk2.groups.io, mikuback@linux.microsoft.com, Feng, Bob C,
Gao, Liming, Rebecca Cran, Sean Brogan, Chen, Christine
Cc: Kinney, Michael D
Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
> -----Original Message-----
> From: Michael Kubacki <mikuback@linux.microsoft.com>
> Sent: Monday, October 23, 2023 11:13 AM
> To: devel@edk2.groups.io; Feng, Bob C <bob.c.feng@intel.com>; Gao,
> Liming <gaoliming@byosoft.com.cn>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Rebecca Cran <rebecca@bsdio.com>; Sean
> Brogan <sean.brogan@microsoft.com>; Chen, Christine
> <yuwei.chen@intel.com>
> Subject: Re: [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI
>
> Another reminder. It would be nice to get this merged soon so actual
> code fixes can follow.
>
> Thanks,
> Michael
>
> On 10/19/2023 9:07 PM, Michael Kubacki wrote:
> > A reminder to review this series. It's been on the mailing list for
> a
> > few weeks now.
> >
> > Thanks,
> > Michael
> >
> > On 10/17/2023 9:04 PM, Michael Kubacki wrote:
> >> From: Michael Kubacki <michael.kubacki@microsoft.com>
> >>
> >> CodeQL currently runs via the codeql-analysis.yml GitHub workflow
> >> which uses the github/codeql-action/init@v2 action (pre-build)
> >> and the github/codeql-action/analyze@v2 action (post-build) to
> >> setup the CodeQL environment and extract results.
> >>
> >> This infrastructure is removed in preparation for a new design that
> >> will directly run the CodeQL CLI as part of the build. This will
> >> allow CodeQL to be run locally as part of the normal build process
> >> with results that match 1:1 with CI builds.
> >>
> >> The CodeQL CLI design is automatically driven by a set of CodeQL
> >> plugins:
> >>
> >> 1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from
> a
> >> build.
> >> 2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
> >>
> >> This approach offers the following advantages:
> >>
> >> 1. Provides exactly the same results locally as on a CI server.
> >> 2. Integrates very well into IDEs such as VS Code.
> >> 3. Very simple to use - just use normal Stuart update and build
> >> commands.
> >> 4. Very simple to understand - minimally wraps the official
> CodeQL
> >> CLI.
> >> 5. Very simple to integrate - works like any other Stuart build
> >> plugin.
> >> 6. Portable - not tied to Azure DevOps specific, GitHub
> specific,
> >> or other host infrastructure.
> >> 7. Versioned - the query and filters are versioned in source
> >> control so easy to find and track.
> >>
> >> The appropriate CodeQL CLI is downloaded for the host OS by passing
> >> the `--codeql` argument to the update command.
> >>
> >> `stuart_update -c .pytool/CISettings.py --codeql`
> >>
> >> After that, CodeQL can be run in a build by similarly passing the
> >> `--codeql` argument to the build command. For example:
> >>
> >> `stuart_ci_build -c .pytool/CISettings.py --codeql`
> >>
> >> Going forward, CI will simply use those commands in CodeQL builds
> >> to get results instead of the CodeQL GitHub actions.
> >>
> >> When `--codeql` is specified in the build command, each package
> will
> >> contain two main artifacts in the Build directory.
> >>
> >> 1. The CodeQL database for the package
> >> 2. The CodeQL SARIF (result) file for the package
> >>
> >> The CodeQL database (1) can be used to run queries against without
> >> rebuilding any code. The SARIF result file (2) is the result of
> >> running enabled queries against the database.
> >>
> >> SARIF stands for Static Analysis Results Interchange Format and it
> >> is an industry standard format for output from static analysis
> tools.
> >>
> >> https://sarifweb.azurewebsites.net/
> >>
> >> The SARIF file can be opened with any standard SARIF file viewer
> >> such as this one for VS Code:
> >>
> >> https://marketplace.visualstudio.com/items?itemName=MS-
> SarifVSCode.sarif-viewer
> >>
> >> That includes the ability to jump directly to issues in the source
> >> code file with relevant code highlighted and suggestions included.
> >>
> >> This means that after simply adding `--codeql` to the normal build
> >> commands, a database will be present for future querying and a
> SARIF
> >> result file will be present to allow the developer to immediately
> >> start fixing issues.
> >>
> >> More details about the location of these and usage is in the
> >> BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
> >>
> >> The CI process pushes the SARIF file to GitHub Code Scanning so the
> >> results are generated exactly the same way they are locally.
> >>
> >> All build logs and the SARIF file for each package are uploaded to
> >> the GitHub action run as artifacts. If a CodeQL issue is found, a
> >> developer can download the SARIF file directly from the GitHub
> action
> >> run to fix the problem without needing to rebuild locally.
> >>
> >> An example run of these changes showing the packages built and
> output
> >> logs and SARIF files is available here:
> >>
> >> https://github.com/tianocore/edk2/actions/runs/6317077528
> >>
> >> The series enables a new set of CodeQL queries that helps find
> useful
> >> issues in the codebase. So, new CodeQL results will appear in the
> edk2
> >> GitHub Code Scanning area after the change. It is expected that the
> >> community will work together to prioritize and resolve issues to
> improve
> >> the quality of the codebase.
> >>
> >> V3 Changes:
> >>
> >> 1. Add a "Resolution Guidelines" section to the CodeQL plugin
> readme
> >> file based on feedback in the October 16, 2023 Tianocore Tools
> &
> >> CI meeting to capture some notes useful in solving issues in
> the
> >> file.
> >>
> >> V2 Changes:
> >>
> >> 1. Enable CodeQL audit mode. This is because a new patch also
> enables
> >> queries that will result in unresolved issues so audit mode is
> needed
> >> for the build to succeed.
> >> 2. Enable new CodeQL queries. This will enable new CodeQL queries
> so the
> >> issues are easier to find and track.
> >>
> >> Links and refernces:
> >>
> >> - CodeQL Overview:
> >> https://codeql.github.com/docs/codeql-overview/
> >> - CodeQL open-source queries:
> >> https://github.com/github/codeql
> >> - CodeQL CLI:
> >> https://docs.github.com/en/code-security/codeql-cli#codeql-cli
> >> - SARIF Specification and Information:
> >> https://sarifweb.azurewebsites.net/
> >>
> >> Cc: Bob Feng <bob.c.feng@intel.com>
> >> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> >> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> >> Cc: Rebecca Cran <rebecca@bsdio.com>
> >> Cc: Sean Brogan <sean.brogan@microsoft.com>
> >> Cc: Yuwei Chen <yuwei.chen@intel.com>
> >>
> >> Michael Kubacki (7):
> >> Remove existing CodeQL infrastructure
> >> BaseTools/Plugin/CodeQL: Add CodeQL build plugin
> >> BaseTools/Plugin/CodeQL: Add integration helpers
> >> .pytool/CISettings.py: Integrate CodeQL
> >> .github/workflows/codeql.yml: Add CodeQL workflow
> >> .pytool/CISettings: Enable CodeQL audit mode
> >> BaseTools/Plugin/CodeQL: Enable 30 queries
> >>
> >> .github/codeql/codeql-config.yml | 29 --
> >> .github/codeql/edk2.qls | 24 --
> >> .github/workflows/codeql-analysis.yml | 118 ----
> --
> >> .github/workflows/codeql.yml | 338
> >> +++++++++++++++++
> >> .pytool/CISettings.py | 36 ++
> >> BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py | 222
> >> +++++++++++
> >> BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml | 13 +
> >> BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py | 172
> +++++++++
> >> BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml | 13 +
> >> BaseTools/Plugin/CodeQL/CodeQlQueries.qls | 118
> ++++++
> >> BaseTools/Plugin/CodeQL/Readme.md | 388
> >> ++++++++++++++++++++
> >> BaseTools/Plugin/CodeQL/analyze/__init__.py | 0
> >> BaseTools/Plugin/CodeQL/analyze/analyze_filter.py | 176
> +++++++++
> >> BaseTools/Plugin/CodeQL/analyze/globber.py | 132
> +++++++
> >> BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml | 26 ++
> >> BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml | 24 ++
> >> BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml | 24 ++
> >> BaseTools/Plugin/CodeQL/common/__init__.py | 0
> >> BaseTools/Plugin/CodeQL/common/codeql_plugin.py | 74 ++++
> >> BaseTools/Plugin/CodeQL/integration/__init__.py | 0
> >> BaseTools/Plugin/CodeQL/integration/stuart_codeql.py | 79 ++++
> >> 21 files changed, 1835 insertions(+), 171 deletions(-)
> >> delete mode 100644 .github/codeql/codeql-config.yml
> >> delete mode 100644 .github/codeql/edk2.qls
> >> delete mode 100644 .github/workflows/codeql-analysis.yml
> >> create mode 100644 .github/workflows/codeql.yml
> >> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
> >> create mode 100644
> BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
> >> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
> >> create mode 100644
> BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
> >> create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
> >> create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
> >> create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
> >> create mode 100644
> BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
> >> create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
> >> create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
> >> create mode 100644
> BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
> >> create mode 100644
> >> BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
> >> create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
> >> create mode 100644
> BaseTools/Plugin/CodeQL/common/codeql_plugin.py
> >> create mode 100644
> BaseTools/Plugin/CodeQL/integration/__init__.py
> >> create mode 100644
> BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
> >>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109955): https://edk2.groups.io/g/devel/message/109955
Mute This Topic: https://groups.io/mt/102031054/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/xyzzy [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-10-23 23:37 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <178F0E1DF715166D.14388@groups.io>
2023-10-20 1:07 ` [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI Michael Kubacki
2023-10-23 18:12 ` Michael Kubacki
2023-10-23 23:37 ` Michael D Kinney
2023-10-18 1:04 Michael Kubacki
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox