Message-ID: <9bb28371-54ce-4749-8034-23a761d29c17@linux.microsoft.com>
Date: Thu, 19 Oct 2023 21:07:00 -0400
Subject: Re: [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI
From: "Michael Kubacki"
To: devel@edk2.groups.io, Bob Feng, Liming Gao, Michael D Kinney, Rebecca Cran, Sean Brogan, Yuwei Chen
In-Reply-To: <178F0E1DF715166D.14388@groups.io>

A reminder to review this series. It's been on the mailing list for a
few weeks now.

Thanks,
Michael

On 10/17/2023 9:04 PM, Michael Kubacki wrote:
> From: Michael Kubacki
>
> CodeQL currently runs via the codeql-analysis.yml GitHub workflow
> which uses the github/codeql-action/init@v2 action (pre-build)
> and the github/codeql-action/analyze@v2 action (post-build) to
> set up the CodeQL environment and extract results.
>
> This infrastructure is removed in preparation for a new design that
> will directly run the CodeQL CLI as part of the build. This will
> allow CodeQL to be run locally as part of the normal build process
> with results that match 1:1 with CI builds.
>
> The CodeQL CLI design is automatically driven by a set of CodeQL
> plugins:
>
> 1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a
>    build.
> 2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
>
> This approach offers the following advantages:
>
> 1. Provides exactly the same results locally as on a CI server.
> 2. Integrates very well into IDEs such as VS Code.
> 3. Very simple to use - just use normal Stuart update and build
>    commands.
> 4. Very simple to understand - minimally wraps the official CodeQL
>    CLI.
> 5. Very simple to integrate - works like any other Stuart build
>    plugin.
> 6. Portable - not tied to Azure DevOps specific, GitHub specific,
>    or other host infrastructure.
> 7. Versioned - the query and filters are versioned in source
>    control so easy to find and track.
>
> The appropriate CodeQL CLI is downloaded for the host OS by passing
> the `--codeql` argument to the update command.
>
> `stuart_update -c .pytool/CISettings.py --codeql`
>
> After that, CodeQL can be run in a build by similarly passing the
> `--codeql` argument to the build command. For example:
>
> `stuart_ci_build -c .pytool/CISettings.py --codeql`
>
> Going forward, CI will simply use those commands in CodeQL builds
> to get results instead of the CodeQL GitHub actions.
>
> When `--codeql` is specified in the build command, each package will
> contain two main artifacts in the Build directory.
>
> 1. The CodeQL database for the package
> 2. The CodeQL SARIF (result) file for the package
>
> The CodeQL database (1) can be used to run queries against without
> rebuilding any code. The SARIF result file (2) is the result of
> running enabled queries against the database.
>
> SARIF stands for Static Analysis Results Interchange Format and it
> is an industry standard format for output from static analysis tools.
>
> https://sarifweb.azurewebsites.net/
>
> The SARIF file can be opened with any standard SARIF file viewer
> such as this one for VS Code:
>
> https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
>
> That includes the ability to jump directly to issues in the source
> code file with relevant code highlighted and suggestions included.
>
> This means that after simply adding `--codeql` to the normal build
> commands, a database will be present for future querying and a SARIF
> result file will be present to allow the developer to immediately
> start fixing issues.
>
> More details about the location of these and usage are in the
> BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
>
> The CI process pushes the SARIF file to GitHub Code Scanning so the
> results are generated exactly the same way they are locally.
>
> All build logs and the SARIF file for each package are uploaded to
> the GitHub action run as artifacts. If a CodeQL issue is found, a
> developer can download the SARIF file directly from the GitHub action
> run to fix the problem without needing to rebuild locally.
>
> An example run of these changes showing the packages built and output
> logs and SARIF files is available here:
>
> https://github.com/tianocore/edk2/actions/runs/6317077528
>
> The series enables a new set of CodeQL queries that helps find useful
> issues in the codebase. So, new CodeQL results will appear in the edk2
> GitHub Code Scanning area after the change. It is expected that the
> community will work together to prioritize and resolve issues to improve
> the quality of the codebase.
>
> V3 Changes:
>
> 1. Add a "Resolution Guidelines" section to the CodeQL plugin readme
>    file based on feedback in the October 16, 2023 Tianocore Tools &
>    CI meeting to capture some notes useful in solving issues in the
>    file.
>
> V2 Changes:
>
> 1. Enable CodeQL audit mode. This is because a new patch also enables
>    queries that will result in unresolved issues so audit mode is needed
>    for the build to succeed.
> 2. Enable new CodeQL queries. This will enable new CodeQL queries so the
>    issues are easier to find and track.
>
> Links and references:
>
> - CodeQL Overview:
>   https://codeql.github.com/docs/codeql-overview/
> - CodeQL open-source queries:
>   https://github.com/github/codeql
> - CodeQL CLI:
>   https://docs.github.com/en/code-security/codeql-cli#codeql-cli
> - SARIF Specification and Information:
>   https://sarifweb.azurewebsites.net/
>
> Cc: Bob Feng
> Cc: Liming Gao
> Cc: Michael D Kinney
> Cc: Rebecca Cran
> Cc: Sean Brogan
> Cc: Yuwei Chen
>
> Michael Kubacki (7):
>   Remove existing CodeQL infrastructure
>   BaseTools/Plugin/CodeQL: Add CodeQL build plugin
>   BaseTools/Plugin/CodeQL: Add integration helpers
>   .pytool/CISettings.py: Integrate CodeQL
>   .github/workflows/codeql.yml: Add CodeQL workflow
>   .pytool/CISettings: Enable CodeQL audit mode
>   BaseTools/Plugin/CodeQL: Enable 30 queries
>
>  .github/codeql/codeql-config.yml                       |  29 --
>  .github/codeql/edk2.qls                                |  24 --
>  .github/workflows/codeql-analysis.yml                  | 118 ------
>  .github/workflows/codeql.yml                           | 338 +++++++++++++++++
>  .pytool/CISettings.py                                  |  36 ++
>  BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py         | 222 +++++++++++
>  BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml     |  13 +
>  BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py           | 172 +++++++++
>  BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml       |  13 +
>  BaseTools/Plugin/CodeQL/CodeQlQueries.qls              | 118 ++++++
>  BaseTools/Plugin/CodeQL/Readme.md                      | 388 ++++++++++++++++++++
>  BaseTools/Plugin/CodeQL/analyze/__init__.py            |   0
>  BaseTools/Plugin/CodeQL/analyze/analyze_filter.py      | 176 +++++++++
>  BaseTools/Plugin/CodeQL/analyze/globber.py             | 132 +++++++
>  BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml         |  26 ++
>  BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml   |  24 ++
>  BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml |  24 ++
>  BaseTools/Plugin/CodeQL/common/__init__.py             |   0
>  BaseTools/Plugin/CodeQL/common/codeql_plugin.py        |  74 ++++
>  BaseTools/Plugin/CodeQL/integration/__init__.py        |   0
>  BaseTools/Plugin/CodeQL/integration/stuart_codeql.py   |  79 ++++
>  21 files changed, 1835 insertions(+), 171 deletions(-)
>  delete mode 100644 .github/codeql/codeql-config.yml
>  delete mode 100644 .github/codeql/edk2.qls
>  delete mode 100644 .github/workflows/codeql-analysis.yml
>  create mode 100644 .github/workflows/codeql.yml
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
>  create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
>  create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
>  create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
>  create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
>

View/Reply Online (#109819): https://edk2.groups.io/g/devel/message/109819
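The cover letter above describes the per-package SARIF result file that a `--codeql` build leaves in the Build directory, the result filters the series versions in source control, and the audit mode in which findings are reported without failing the build. The Python below is an added example and is not code from this patch series or from the edk2 CodeQL plugin: it parses a constructed SARIF 2.1.0 document of the shape CodeQL emits (`runs[].results[]` with `ruleId`, `level`, `message.text` and a `physicalLocation`), applies a simple path-glob exclusion as a hypothetical stand-in for a result filter (the series' own `analyze_filter.py` format is not shown on this page), summarizes findings per rule and severity, and decides whether a non-audit build should fail. The rule ids, file paths and messages in the sample are placeholders, not real edk2 findings.

```python
"""Summarize a CodeQL SARIF result file after a `--codeql` build.
Added example; not code from the edk2 CodeQL plugin or this patch series."""
import json
from collections import Counter
from fnmatch import fnmatch

# Constructed SARIF 2.1.0 document carrying the fields CodeQL emits per result.
# Rule ids, paths and messages are placeholders, not real edk2 findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "cpp/placeholder-rule-a", "level": "error",
             "message": {"text": "constructed finding in library code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "ExamplePkg/Library/Foo.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "cpp/placeholder-rule-a", "level": "error",
             "message": {"text": "constructed finding in a unit test"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "ExamplePkg/Test/FooTest.c"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "cpp/placeholder-rule-b", "level": "warning",
             "message": {"text": "constructed warning"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "ExamplePkg/Driver/Bar.c"},
                 "region": {"startLine": 128}}}]},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every result of every run into rule/level/file/line/message."""
    doc = json.loads(sarif_text)
    flat = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # Only the first location is used; CodeQL puts the primary one first.
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            flat.append({
                "rule": res.get("rule", {}).get("id") or res.get("ruleId", "<no-rule>"),
                "level": res.get("level", "warning"),
                "file": phys.get("artifactLocation", {}).get("uri", "<no-file>"),
                "line": phys.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return flat


def filter_results(results, exclude_globs):
    """Drop results whose file path matches any exclusion glob.
    Hypothetical stand-in for a versioned per-package result filter."""
    return [r for r in results
            if not any(fnmatch(r["file"], g) for g in exclude_globs)]


def summarize(results):
    """Count findings per rule id and per SARIF severity level."""
    return {
        "by_rule": dict(Counter(r["rule"] for r in results)),
        "by_level": dict(Counter(r["level"] for r in results)),
    }


def build_should_fail(results, audit_mode):
    """In audit mode findings are reported but never fail the build;
    otherwise any error-level result is a build failure."""
    if audit_mode:
        return False
    return any(r["level"] == "error" for r in results)


if __name__ == "__main__":
    kept = filter_results(load_results(SAMPLE_SARIF), ["*/Test/*"])
    for r in kept:
        print(f"{r['file']}:{r['line']}: [{r['level']}] {r['rule']}: {r['message']}")
    print(summarize(kept))
    print("fail build (audit off):", build_should_fail(kept, audit_mode=False))
    print("fail build (audit on): ", build_should_fail(kept, audit_mode=True))
```

Point the loader at the SARIF file a `--codeql` build writes for a package to get the same per-rule summary a viewer shows, and extend the exclusion list with whatever paths the package's filter is meant to suppress; the audit-mode switch mirrors the V2 change above, where findings are surfaced for tracking without breaking the build until they are resolved.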