public inbox for devel@edk2.groups.io
From: "Sean" <spbrogan@outlook.com>
To: devel@edk2.groups.io, mikuback@linux.microsoft.com
Cc: Andrew Fish <afish@apple.com>, Bob Feng <bob.c.feng@intel.com>,
	Laszlo Ersek <lersek@redhat.com>,
	Leif Lindholm <quic_llindhol@quicinc.com>,
	Liming Gao <gaoliming@byosoft.com.cn>,
	Michael D Kinney <michael.d.kinney@intel.com>,
	Rebecca Cran <rebecca@bsdio.com>,
	Sean Brogan <sean.brogan@microsoft.com>,
	Yuwei Chen <yuwei.chen@intel.com>
Subject: Re: [edk2-devel] [PATCH v4 0/8] Use CodeQL CLI
Date: Mon, 6 Nov 2023 17:00:39 -0800
Message-ID: <SA1PR19MB4911A1C6465B89B5DF471A85C8A9A@SA1PR19MB4911.namprd19.prod.outlook.com>
In-Reply-To: <20231102200313.1010-1-mikuback@linux.microsoft.com>

for the series

Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>

Thanks

Sean

On 11/2/2023 1:03 PM, Michael Kubacki wrote:
> From: Michael Kubacki <michael.kubacki@microsoft.com>
>
> CodeQL currently runs via the codeql-analysis.yml GitHub workflow
> which uses the github/codeql-action/init@v2 action (pre-build)
> and the github/codeql-action/analyze@v2 action (post-build) to
> setup the CodeQL environment and extract results.
>
> This infrastructure is removed in preparation for a new design that
> will directly run the CodeQL CLI as part of the build. This will
> allow CodeQL to be run locally as part of the normal build process
> with results that match 1:1 with CI builds.
>
> The CodeQL CLI design is automatically driven by a set of CodeQL
> plugins:
>
>    1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a
>        build.
>    2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
>
> This approach offers the following advantages:
>
>    1. Provides exactly the same results locally as on a CI server.
>    2. Integrates very well into IDEs such as VS Code.
>    3. Very simple to use - just use normal Stuart update and build
>       commands.
>    4. Very simple to understand - minimally wraps the official CodeQL
>       CLI.
>    5. Very simple to integrate - works like any other Stuart build
>       plugin.
>    6. Portable - not tied to Azure DevOps specific, GitHub specific,
>       or other host infrastructure.
>    7. Versioned - the query and filters are versioned in source
>       control so easy to find and track.
>
> The appropriate CodeQL CLI is downloaded for the host OS by passing
> the `--codeql` argument to the update command.
>
>    `stuart_update -c .pytool/CISettings.py --codeql`
>
> After that, CodeQL can be run in a build by similarly passing the
> `--codeql` argument to the build command. For example:
>
>    `stuart_ci_build -c .pytool/CISettings.py --codeql`
>
> Going forward, CI will simply use those commands in CodeQL builds
> to get results instead of the CodeQL GitHub actions.
>
> When `--codeql` is specified in the build command, each package will
> contain two main artifacts in the Build directory.
>
>    1. The CodeQL database for the package
>    2. The CodeQL SARIF (result) file for the package
>
> The CodeQL database (1) can be used to run queries against without
> rebuilding any code. The SARIF result file (2) is the result of
> running enabled queries against the database.
>
> SARIF stands for Static Analysis Results Interchange Format and it
> is an industry standard format for output from static analysis tools.
>
> https://sarifweb.azurewebsites.net/
>
> The SARIF file can be opened with any standard SARIF file viewer
> such as this one for VS Code:
>
> https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
>
> That includes the ability to jump directly to issues in the source
> code file with relevant code highlighted and suggestions included.
>
> This means that after simply adding `--codeql` to the normal build
> commands, a database will be present for future querying and a SARIF
> result file will be present to allow the developer to immediately
> start fixing issues.
>
> More details about the location of these and usage is in the
> BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
>
> The CI process pushes the SARIF file to GitHub Code Scanning so the
> results are generated exactly the same way they are locally.
>
> All build logs and the SARIF file for each package are uploaded to
> the GitHub action run as artifacts. If a CodeQL issue is found, a
> developer can download the SARIF file directly from the GitHub action
> run to fix the problem without needing to rebuild locally.
>
> An example run of these changes showing the packages built and output
> logs and SARIF files is available here:
>
> https://github.com/tianocore/edk2/actions/runs/6317077528
>
> The series enables a new set of CodeQL queries that helps find useful
> issues in the codebase. So, new CodeQL results will appear in the edk2
> GitHub Code Scanning area after the change. It is expected that the
> community will work together to prioritize and resolve issues to improve
> the quality of the codebase.
>
> V4 changes:
>
> 1. BaseTools/Plugin/CodeQL/analyze - Remove BSD-2-Clause Plus Patent
>     license. Drop Microsoft copyright. Clean up the licensing header
>     so it's easier to read and follows the declaration provided in
>     https://www.apache.org/licenses/LICENSE-2.0.
> 2. Add a new patch to add the "analyze" directory under the list of
>     paths in the project with an acceptable but different license
>     than BSD-2-Clause Plus Patent.
>
> V3 changes:
>
> 1. Add a "Resolution Guidelines" section to the CodeQL plugin readme
>     file based on feedback in the October 16, 2023 Tianocore Tools &
>     CI meeting to capture some notes useful in solving issues in the
>     file.
>
> V2 Changes:
>
> 1. Enable CodeQL audit mode. This is because a new patch also enables
>     queries that will result in unresolved issues so audit mode is needed
>     for the build to succeed.
> 2. Enable new CodeQL queries. This will enable new CodeQL queries so the
>     issues are easier to find and track.
>
> Links and references:
>
>    - CodeQL Overview:
>      https://codeql.github.com/docs/codeql-overview/
>    - CodeQL open-source queries:
>      https://github.com/github/codeql
>    - CodeQL CLI:
>      https://docs.github.com/en/code-security/codeql-cli#codeql-cli
>    - SARIF Specification and Information:
>      https://sarifweb.azurewebsites.net/
>
> Cc: Andrew Fish <afish@apple.com>
> Cc: Bob Feng <bob.c.feng@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Rebecca Cran <rebecca@bsdio.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Yuwei Chen <yuwei.chen@intel.com>
>
> Michael Kubacki (8):
>    Remove existing CodeQL infrastructure
>    BaseTools/Plugin/CodeQL: Add CodeQL build plugin
>    BaseTools/Plugin/CodeQL: Add integration helpers
>    .pytool/CISettings.py: Integrate CodeQL
>    .github/workflows/codeql.yml: Add CodeQL workflow
>    .pytool/CISettings: Enable CodeQL audit mode
>    BaseTools/Plugin/CodeQL: Enable 30 queries
>    ReadMe.rst: Add CodeQL/analyze directory under other licenses
>
>   .github/codeql/codeql-config.yml                       |  29 --
>   .github/codeql/edk2.qls                                |  24 --
>   .github/workflows/codeql-analysis.yml                  | 118 ------
>   .github/workflows/codeql.yml                           | 338 +++++++++++++++++
>   .pytool/CISettings.py                                  |  36 ++
>   BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py         | 222 +++++++++++
>   BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml     |  13 +
>   BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py           | 172 +++++++++
>   BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml       |  13 +
>   BaseTools/Plugin/CodeQL/CodeQlQueries.qls              | 118 ++++++
>   BaseTools/Plugin/CodeQL/Readme.md                      | 388 ++++++++++++++++++++
>   BaseTools/Plugin/CodeQL/analyze/__init__.py            |   0
>   BaseTools/Plugin/CodeQL/analyze/analyze_filter.py      | 184 ++++++++++
>   BaseTools/Plugin/CodeQL/analyze/globber.py             | 127 +++++++
>   BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml         |  26 ++
>   BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml   |  24 ++
>   BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml |  24 ++
>   BaseTools/Plugin/CodeQL/common/__init__.py             |   0
>   BaseTools/Plugin/CodeQL/common/codeql_plugin.py        |  74 ++++
>   BaseTools/Plugin/CodeQL/integration/__init__.py        |   0
>   BaseTools/Plugin/CodeQL/integration/stuart_codeql.py   |  79 ++++
>   ReadMe.rst                                             |   1 +
>   22 files changed, 1839 insertions(+), 171 deletions(-)
>   delete mode 100644 .github/codeql/codeql-config.yml
>   delete mode 100644 .github/codeql/edk2.qls
>   delete mode 100644 .github/workflows/codeql-analysis.yml
>   create mode 100644 .github/workflows/codeql.yml
>   create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
>   create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
>   create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
>   create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
>   create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
>   create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
>   create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
>   create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
>   create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
>   create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
>   create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
>   create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
>   create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
>   create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
>   create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
>   create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py
>

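The per-package SARIF file the cover letter describes is plain JSON, so it can be triaged without a viewer. The following is an added example (not code from this patch series or the edk2 project) that flattens a constructed SARIF 2.1.0 document into per-finding records, counts findings per rule, and applies an assumed audit-mode gate modelled on the V2 note that audit mode lets a build succeed despite unresolved results.

```python
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 document: the rule ids, file paths and
# messages are made up and not taken from any real CodeQL run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "cpp/example-rule-a", "level": "error",
             "message": {"text": "constructed finding 1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "ExamplePkg/Library/Foo.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "cpp/example-rule-a", "level": "error",
             "message": {"text": "constructed finding 2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "ExamplePkg/Library/Bar.c"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "cpp/example-rule-b", "level": "warning",
             "message": {"text": "constructed finding 3"}, "locations": []},
        ],
    }],
})

def parse_results(sarif_text):
    """Flatten every result of every run into rule/level/file/line/text dicts."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or []  # results may carry no location
            phys = locs[0].get("physicalLocation", {}) if locs else {}
            findings.append({
                "rule": res.get("ruleId", "<unknown>"),
                "level": res.get("level", "none"),
                "file": phys.get("artifactLocation", {}).get("uri", "<no location>"),
                "line": phys.get("region", {}).get("startLine"),
                "text": res.get("message", {}).get("text", ""),
            })
    return findings

def count_by_rule(findings):
    """Counts per rule id, most frequent first, to help prioritise fixes."""
    return Counter(f["rule"] for f in findings).most_common()

def build_should_fail(findings, audit_mode):
    """Assumed policy: error-level results fail the build unless audit mode is on."""
    return not audit_mode and any(f["level"] == "error" for f in findings)
```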