From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: "mikuback@linux.microsoft.com" <mikuback@linux.microsoft.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"Kinney, Michael D" <michael.d.kinney@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>,
"Gao, Liming" <gaoliming@byosoft.com.cn>
Subject: Re: [PATCH v3 2/2] .github: Add initial CodeQL config and workflow files
Date: Fri, 4 Nov 2022 00:42:46 +0000 [thread overview]
Message-ID: <CO1PR11MB49297DE7AD48092D75F30134D23B9@CO1PR11MB4929.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20221104003235.2429-3-mikuback@linux.microsoft.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
> -----Original Message-----
> From: mikuback@linux.microsoft.com <mikuback@linux.microsoft.com>
> Sent: Thursday, November 3, 2022 5:33 PM
> To: devel@edk2.groups.io
> Cc: Sean Brogan <sean.brogan@microsoft.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> Subject: [PATCH v3 2/2] .github: Add initial CodeQL config and workflow files
>
> From: Michael Kubacki <michael.kubacki@microsoft.com>
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4115
>
> Adds initial support for enabling CodeQL Code Scanning in this
> repository per the RFC:
>
> https://github.com/tianocore/edk2/discussions/3258
>
> Adds the following new files:
> - .github/workflows/codeql-analysis.yml - The main GitHub workflow
> file used to setup CodeQL in the repo.
> - .github/codeql/codeql-config.yml - The main CodeQL configuration
> file used to customize the queries and other resources the repo
> is using for CodeQL.
>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
> .github/codeql/codeql-config.yml | 30 +++++++
> .github/codeql/edk2.qls | 12 +++
> .github/workflows/codeql-analysis.yml | 91 ++++++++++++++++++++
> 3 files changed, 133 insertions(+)
>
> diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
> new file mode 100644
> index 000000000000..3e27c2fb0d28
> --- /dev/null
> +++ b/.github/codeql/codeql-config.yml
> @@ -0,0 +1,30 @@
> +## @file
> +# CodeQL configuration file for edk2.
> +#
> +# Copyright (c) Microsoft Corporation.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +name: "CodeQL config"
> +
> +# The following line disables the default queries. This is used because we want to enable on query at a time by
> +# explicitly specifying each query in a "queries" array as they are enabled.
> +#
> +# See the following for more information about adding custom queries:
> +# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-
> errors/configuring-code-scanning#using-a-custom-configuration-file
> +
> +#disable-default-queries: true
> +
> +queries:
> + - name: EDK2 CodeQL Query List
> + uses: ./.github/codeql/edk2.qls
> +
> +# We must specify a query for CodeQL to run. Until the first query is enabled, enable the security query suite but
> +# exclude all problem levels from impacting the results. After the first query is enabled, this filter can be relaxed
> +# to find the level of problems desired from the query.
> +query-filters:
> +- exclude:
> + problem.severity:
> + - error
> + - warning
> + - recommendation
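Review bot: the comment "The following line disables the default queries" describes `disable-default-queries: true`, but that line is commented out (`#disable-default-queries: true`), so the default query suite is still enabled and the "one query at a time" policy the comment announces is not in force; either uncomment the setting or reword the comment to match. In the same hunk, `query-filters` excludes `error`, `warning` and `recommendation`, which is every `problem.severity` value a query can report, so nothing from the `./.github/codeql/edk2.qls` list referenced under `queries:` will surface until the filter is relaxed; the comment says the filter is there "until the first query is enabled", but edk2.qls already enables one, so state which of the two states is intended. Minor: "enable on query at a time" should read "one query".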
> diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
> new file mode 100644
> index 000000000000..0efc7dca52db
> --- /dev/null
> +++ b/.github/codeql/edk2.qls
> @@ -0,0 +1,12 @@
> +---
> +- description: EDK2 (C++) queries
> +
> +# Bring in all queries from the official cpp-queries suite so individual queries can be explicitly enabled.
> +
> +- queries: '.'
> + from: codeql/cpp-queries
> +
> +# Enable individual queries below.
> +
> +- include:
> + id: cpp/conditionallyuninitializedvariable
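Review bot: this file is not mentioned in the commit message, which lists only codeql-config.yml and codeql-analysis.yml under "Adds the following new files" while the diffstat shows three; add a bullet for .github/codeql/edk2.qls describing its role as the suite that imports `codeql/cpp-queries` and lists the enabled query ids. The single `include` entry (`id: cpp/conditionallyuninitializedvariable`) carries no comment on why it was chosen first or what noise level is expected; a one-line note per enabled query would make later additions reviewable, and the header comment should say explicitly that importing `queries: '.'` from `codeql/cpp-queries` and then filtering with `include` is what limits the run to the listed ids, so that a contributor does not read the import as enabling the whole suite.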
> diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
> new file mode 100644
> index 000000000000..2eacb9c9e1a1
> --- /dev/null
> +++ b/.github/workflows/codeql-analysis.yml
> @@ -0,0 +1,91 @@
> +# @file
> +# GitHub Workflow for CodeQL Analysis
> +#
> +# Copyright (c) Microsoft Corporation.
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +name: "CodeQL"
> +
> +on:
> + push:
> + branches:
> + - master
> + pull_request:
> + branches:
> + - master
> + paths-ignore:
> + - '**/*.bat'
> + - '**/*.md'
> + - '**/*.py'
> + - '**/*.rst'
> + - '**/*.sh'
> + - '**/*.txt'
> +
> + schedule:
> + # https://crontab.guru/#20_23_*_*_4
> + - cron: '20 23 * * 4'
> +
> +jobs:
> + analyze:
> + name: Analyze
> + runs-on: windows-2019
> + permissions:
> + actions: read
> + contents: read
> + security-events: write
> +
> + strategy:
> + fail-fast: false
> + matrix:
> + package: [
> + "ArmPkg",
> + "CryptoPkg",
> + "DynamicTablesPkg",
> + "FatPkg",
> + "FmpDevicePkg",
> + "IntelFsp2Pkg",
> + "IntelFsp2WrapperPkg",
> + "MdeModulePkg",
> + "MdePkg",
> + "PcAtChipsetPkg",
> + "PrmPkg",
> + "SecurityPkg",
> + "ShellPkg",
> + "SourceLevelDebugPkg",
> + "StandaloneMmPkg",
> + "UefiCpuPkg",
> + "UnitTestFrameworkPkg"]
> +
> + steps:
> + - name: Checkout repository
> + uses: actions/checkout@v3
> +
> + # Initializes the CodeQL tools for scanning.
> + - name: Initialize CodeQL
> + uses: github/codeql-action/init@v2
> + with:
> + languages: 'cpp'
> + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
> + # Learn more about CodeQL language support at https://codeql.github.com/docs/codeql-overview/supported-languages-and-
> frameworks/
> + config-file: ./.github/codeql/codeql-config.yml
> + # Note: Add new queries to codeql-config.yml file as they are enabled.
> +
> + - name: Install/Upgrade pip Modules
> + run: pip install -r pip-requirements.txt --upgrade
> +
> + - name: Setup
> + run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019
> +
> + - name: Update
> + run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019
> +
> + - name: Build Tools From Source
> + run: python BaseTools/Edk2ToolsBuild.py -t VS2019
> +
> + - name: CI Build
> + run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.package }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019
> +
> + - name: Perform CodeQL Analysis
> + uses: github/codeql-action/analyze@v2
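Review bot: the `Perform CodeQL Analysis` step runs once per `matrix.package` entry (17 packages) but passes no `category` to `github/codeql-action/analyze@v2`, so every upload targets the same tool and ref and later uploads replace earlier ones in code scanning; add `with: category: ${{ matrix.package }}` so each package's results are kept separately. Supply-chain point: `actions/checkout@v3`, `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` are pinned to mutable major tags; for a workflow that holds `security-events: write`, pin each action to a full commit SHA with the tag in a trailing comment. `paths-ignore` drops `**/*.py`, yet the job depends on `BaseTools/Edk2ToolsBuild.py` and `.pytool/CISettings.py`, so a change that only touches those build scripts will not trigger analysis on that event; drop `*.py` from the ignore list or add explicit `paths` entries for the build tooling. Because `Initialize CodeQL` runs before `Build Tools From Source`, the C sources compiled by `Edk2ToolsBuild.py` are traced into the same database as `${{ matrix.package }}`; if host-tool findings are not wanted in every package's results, move the BaseTools build ahead of the init step. Finally, the comment "Add new queries to codeql-config.yml file as they are enabled" conflicts with the config file delegating the query list to `./.github/codeql/edk2.qls`; point it at the .qls file.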
> --
> 2.28.0.windows.1
Thread overview:
2022-11-04 0:32 [PATCH v3 0/2] Enable Initial CodeQL Support Michael Kubacki
2022-11-04 0:32 ` [PATCH v3 1/2] Maintainers.txt: Add .github maintainers and reviewers Michael Kubacki
2022-11-04 0:32 ` [PATCH v3 2/2] .github: Add initial CodeQL config and workflow files Michael Kubacki
2022-11-04 0:42 ` Michael D Kinney [this message]