Date: Mon, 6 Nov 2023 17:00:39 -0800
Subject: Re: [edk2-devel] [PATCH v4 0/8] Use CodeQL CLI
To: devel@edk2.groups.io, mikuback@linux.microsoft.com
Cc: Andrew Fish, Bob Feng, Laszlo Ersek, Leif Lindholm, Liming Gao, Michael D Kinney, Rebecca Cran, Sean Brogan, Yuwei Chen
References: <20231102200313.1010-1-mikuback@linux.microsoft.com>
From: "Sean"
In-Reply-To: <20231102200313.1010-1-mikuback@linux.microsoft.com>
for the series
Reviewed-by: Sean Brogan

Thanks
Sean

On 11/2/2023 1:03 PM, Michael Kubacki wrote:
> From: Michael Kubacki
>
> CodeQL currently runs via the codeql-analysis.yml GitHub workflow
> which uses the github/codeql-action/init@v2 action (pre-build)
> and the github/codeql-action/analyze@v2 action (post-build) to
> set up the CodeQL environment and extract results.
>
> This infrastructure is removed in preparation for a new design that
> will directly run the CodeQL CLI as part of the build. This will
> allow CodeQL to be run locally as part of the normal build process
> with results that match 1:1 with CI builds.
>
> The CodeQL CLI design is automatically driven by a set of CodeQL
> plugins:
>
> 1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a
>    build.
> 2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
>
> This approach offers the following advantages:
>
> 1. Provides exactly the same results locally as on a CI server.
> 2. Integrates very well into IDEs such as VS Code.
> 3. Very simple to use - just use normal Stuart update and build
>    commands.
> 4. Very simple to understand - minimally wraps the official CodeQL
>    CLI.
> 5. Very simple to integrate - works like any other Stuart build
>    plugin.
> 6. Portable - not tied to Azure DevOps specific, GitHub specific,
>    or other host infrastructure.
> 7. Versioned - the query and filters are versioned in source
>    control so easy to find and track.
>
> The appropriate CodeQL CLI is downloaded for the host OS by passing
> the `--codeql` argument to the update command.
>
> `stuart_update -c .pytool/CISettings.py --codeql`
>
> After that, CodeQL can be run in a build by similarly passing the
> `--codeql` argument to the build command. For example:
>
> `stuart_ci_build -c .pytool/CISettings.py --codeql`
>
> Going forward, CI will simply use those commands in CodeQL builds
> to get results instead of the CodeQL GitHub actions.
>
> When `--codeql` is specified in the build command, each package will
> contain two main artifacts in the Build directory.
>
> 1. The CodeQL database for the package
> 2. The CodeQL SARIF (result) file for the package
>
> The CodeQL database (1) can be used to run queries against without
> rebuilding any code. The SARIF result file (2) is the result of
> running enabled queries against the database.
>
> SARIF stands for Static Analysis Results Interchange Format and it
> is an industry standard format for output from static analysis tools.
>
> https://sarifweb.azurewebsites.net/
>
> The SARIF file can be opened with any standard SARIF file viewer
> such as this one for VS Code:
>
> https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
>
> That includes the ability to jump directly to issues in the source
> code file with relevant code highlighted and suggestions included.
>
> This means that after simply adding `--codeql` to the normal build
> commands, a database will be present for future querying and a SARIF
> result file will be present to allow the developer to immediately
> start fixing issues.
>
> More details about the location of these and usage are in the
> BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
>
> The CI process pushes the SARIF file to GitHub Code Scanning so the
> results are generated exactly the same way they are locally.
>
> All build logs and the SARIF file for each package are uploaded to
> the GitHub action run as artifacts. If a CodeQL issue is found, a
> developer can download the SARIF file directly from the GitHub action
> run to fix the problem without needing to rebuild locally.
>
> An example run of these changes showing the packages built and output
> logs and SARIF files is available here:
>
> https://github.com/tianocore/edk2/actions/runs/6317077528
>
> The series enables a new set of CodeQL queries that helps find useful
> issues in the codebase. So, new CodeQL results will appear in the edk2
> GitHub Code Scanning area after the change. It is expected that the
> community will work together to prioritize and resolve issues to improve
> the quality of the codebase.
>
> V4 changes:
>
> 1. BaseTools/Plugin/CodeQL/analyze - Remove BSD-2-Clause Plus Patent
>    license. Drop Microsoft copyright. Clean up the licensing header
>    so it's easier to read and follows the declaration provided in
>    https://www.apache.org/licenses/LICENSE-2.0.
> 2. Add a new patch to add the "analyze" directory under the list of
>    paths in the project with an acceptable but different license
>    than BSD-2-Clause Plus Patent.
>
> V3 changes:
>
> 1. Add a "Resolution Guidelines" section to the CodeQL plugin readme
>    file based on feedback in the October 16, 2023 Tianocore Tools &
>    CI meeting to capture some notes useful in solving issues in the
>    file.
>
> V2 Changes:
>
> 1. Enable CodeQL audit mode. This is because a new patch also enables
>    queries that will result in unresolved issues so audit mode is needed
>    for the build to succeed.
> 2. Enable new CodeQL queries. This will enable new CodeQL queries so the
>    issues are easier to find and track.
>
> Links and references:
>
> - CodeQL Overview:
>   https://codeql.github.com/docs/codeql-overview/
> - CodeQL open-source queries:
>   https://github.com/github/codeql
> - CodeQL CLI:
>   https://docs.github.com/en/code-security/codeql-cli#codeql-cli
> - SARIF Specification and Information:
>   https://sarifweb.azurewebsites.net/
>
> Cc: Andrew Fish
> Cc: Bob Feng
> Cc: Laszlo Ersek
> Cc: Leif Lindholm
> Cc: Liming Gao
> Cc: Michael D Kinney
> Cc: Rebecca Cran
> Cc: Sean Brogan
> Cc: Yuwei Chen
>
> Michael Kubacki (8):
>   Remove existing CodeQL infrastructure
>   BaseTools/Plugin/CodeQL: Add CodeQL build plugin
>   BaseTools/Plugin/CodeQL: Add integration helpers
>   .pytool/CISettings.py: Integrate CodeQL
>   .github/workflows/codeql.yml: Add CodeQL workflow
>   .pytool/CISettings: Enable CodeQL audit mode
>   BaseTools/Plugin/CodeQL: Enable 30 queries
>   ReadMe.rst: Add CodeQL/analyze directory under other licenses
>
>  .github/codeql/codeql-config.yml                       |  29 --
>  .github/codeql/edk2.qls                                |  24 --
>  .github/workflows/codeql-analysis.yml                  | 118 ------
>  .github/workflows/codeql.yml                           | 338 +++++++++++++++++
>  .pytool/CISettings.py                                  |  36 ++
>  BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py         | 222 +++++++++++
>  BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml     |  13 +
>  BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py           | 172 +++++++++
>  BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml       |  13 +
>  BaseTools/Plugin/CodeQL/CodeQlQueries.qls              | 118 ++++++
>  BaseTools/Plugin/CodeQL/Readme.md                      | 388 ++++++++++++++++++++
>  BaseTools/Plugin/CodeQL/analyze/__init__.py            |   0
>  BaseTools/Plugin/CodeQL/analyze/analyze_filter.py      | 184 ++++++++++
>  BaseTools/Plugin/CodeQL/analyze/globber.py             | 127 +++++++
>  BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml         |  26 ++
>  BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml   |  24 ++
>  BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml |  24 ++
>  BaseTools/Plugin/CodeQL/common/__init__.py             |   0
>  BaseTools/Plugin/CodeQL/common/codeql_plugin.py        |  74 ++++
>  BaseTools/Plugin/CodeQL/integration/__init__.py        |   0
>  BaseTools/Plugin/CodeQL/integration/stuart_codeql.py   |  79 ++++
>  ReadMe.rst                                             |   1 +
>  22 files changed, 1839 insertions(+), 171 deletions(-)
>  delete mode 100644 .github/codeql/codeql-config.yml
>  delete mode 100644 .github/codeql/edk2.qls
>  delete mode 100644 .github/workflows/codeql-analysis.yml
>  create mode 100644 .github/workflows/codeql.yml
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
>  create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
>  create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
>  create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
>  create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
>  create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py

View/Reply Online (#110777): https://edk2.groups.io/g/devel/message/110777
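The per-package SARIF result file the cover letter describes is plain JSON, so a developer who downloads it from the GitHub action run can triage it without a viewer. The summariser below is an added example, not code from this patch series or from the CodeQL plugin; the SARIF log embedded in it is constructed sample data with placeholder rule ids, file paths and messages, standing in for the file a `--codeql` build writes to the Build directory.

```python
import json
from collections import Counter

# Constructed minimal SARIF 2.1.0 log: sample data only, standing in for the
# per-package result file a `stuart_ci_build ... --codeql` run writes.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "cpp/missing-null-test", "defaultConfiguration": {"level": "warning"}},
        {"id": "cpp/uninitialized-local", "defaultConfiguration": {"level": "error"}},
    ]}},
    "results": [
        {"ruleId": "cpp/missing-null-test",
         "message": {"text": "Value may be null here."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "MdeModulePkg/Library/Foo/Foo.c"},
             "region": {"startLine": 120}}}]},
        {"ruleId": "cpp/uninitialized-local", "level": "error",
         "message": {"text": "Variable 'Status' may not be initialized."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "MdeModulePkg/Library/Foo/Bar.c"},
             "region": {"startLine": 42}}}]},
    ],
}]})


def load_results(sarif_text):
    """Flatten a SARIF log into (level, rule_id, uri, line, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # A result's own `level` wins, then the rule's default, then
            # "warning" (the fallback the SARIF 2.1.0 spec prescribes).
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append((level, res.get("ruleId", "?"), uri, line, res["message"]["text"]))
    return findings


def report(sarif_text):
    """Print one line per finding, errors first, and return counts per level."""
    findings = load_results(sarif_text)
    for level, rule_id, uri, line, msg in sorted(findings):
        print(f"{level:8} {rule_id:28} {uri}:{line}  {msg}")
    return dict(Counter(f[0] for f in findings))
```

Pointing `report` at the real file from the Build directory gives the same triage list the VS Code SARIF viewer shows, in a form that is easy to grep or diff between a local build and the CI run.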