From: "Michael Kubacki"
To: devel@edk2.groups.io
CC: Sean Brogan, Michael Kubacki, Michael D Kinney
Subject: [edk2-wiki][PATCH v1 1/1] Adds EDK II Code Scanning page
Date: Wed, 16 Nov 2022 10:56:44 -0500
X-Mailer: git-send-email 2.28.0.windows.1
X-Microsoft-Original-Message-ID: <20221116155644.3005-1-michael.kubacki@outlook.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

From: Michael Kubacki

This page includes:

1. An explanation of how Code Scanning works in edk2
2. An overview of CodeQL
3. Links to key CodeQL resources
4. Links to key CodeQL files in the edk2 repo
5. A CodeQL query target list for edk2 with completion status
6. An explanation on how query filtering is used in edk2
7. The process for proposing new CodeQL queries for edk2
8. Basic CodeQL CLI usage for the edk2 build process

This is meant to be a starting point to document CodeQL information for edk2. It will be updated over time.

Cc: Sean Brogan
Cc: Michael Kubacki
Cc: Michael D Kinney
Signed-off-by: Michael Kubacki
---

Notes:
    A rendered version of this markdown document is available on my fork:

    https://github.com/makubacki/tianocore.github.io/blob/add_edk2_code_scanning_page/EDK-II-Code-Scanning.md

 EDK-II-Code-Scanning.md | 232 ++++++++++++++++++++
 1 file changed, 232 insertions(+)

diff --git a/EDK-II-Code-Scanning.md b/EDK-II-Code-Scanning.md
new file mode 100644
index 000000000000..c54c7bef4214
--- /dev/null
+++ b/EDK-II-Code-Scanning.md
@@ -0,0 +1,232 @@ +# EDK II Code Scanning + +CodeQL is a code analysis engine developed by Github to automate security = checks. + +It is used for Code Scanning in the TianoCore edk2 repository. + +## Table of Contents + +1. [Overview](#overview) +2. [CodeQL Usage in edk2](#codeql-usage-in-edk2) + - [Query Target List](#query-target-list) + - [Query Filtering in edk2](#query-filtering-in-edk2) + - [Process for Suggesting New Queries for edk2](#process-for-suggesting= -new-queries-for-edk2) + - [Query Enabling Process](#query-enabling-process) + - [CodeQL in Pull Requests](#codeql-in-pull-requests) + - [Dismissing CodeQL Alerts](#dismissing-codeql-alerts) +3. [CodeQL CLI Local Commands](#codeql-cli-local-commands) +4. [The CodeQL Project](#the-codeql-project) + +## Overview + +CodeQL is open source and free for open source projects. It is maintained = by GitHub and naturally has excellent +integration with GitHub projects. CodeQL uses a semantic code analysis eng= ine to discover vulnerabilities in a +number of programming languages (both compiled and interpreted). + +[General CodeQL Information](https://codeql.github.com/) + +TianoCore uses CodeQL C/C++ queries to find common programming errors and = security vulnerabilities in firmware code. +Many open-source queries are officially supported and comprise the vulnera= bility analysis performed against the +database. + +[CodeQL Query Repository](https://github.com/github/codeql) + +In addition, anyone can leverage the code analysis engine by writing a cus= tom query. Information around writing a +custom query is available in the official documentation. + +[CodeQL Query Documentation](https://codeql.github.com/docs/writing-codeql= -queries/codeql-queries/#codeql-queries). 
+ +The [edk2](https://github.com/tianocore/edk2) repository uses GitHub's Cod= e Scanning feature (free for public +repositories on GitHub.com) to show alerts directly in the repository and = run CodeQL on pull requests and pushes +to the repository. + +[About GitHub Code Scanning](https://docs.github.com/en/code-security/code= -scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/a= bout-code-scanning) + +Current CodeQL scanning results in the edk2 project are available in the "= Actions" page of the GitHub repository. + +[edk2 CodeQL Workflow](https://github.com/tianocore/edk2/actions) + +A CodeQL command-line interface (CLI) is also available which can be run l= ocally. A CodeQL CLI reference and manual +are available in the documentation to learn how to use the CLI. + +[CodeQL CLI Documenation](https://codeql.github.com/docs/codeql-cli/) + +At a high-level, there's two main phases of CodeQL execution to be aware o= f. + +1. CodeQL database generation + - [CodeQL Database Documentation](https://codeql.github.com/docs/codeql= -cli/creating-codeql-databases/) +2. CodeQL database analysis + - [CodeQL Analysis Documentation](https://codeql.github.com/docs/codeql= -cli/analyzing-databases-with-the-codeql-cli/) + +The CodeQL CLI hooks into the normal firmware build process to generate a = CodeQL database. Once the database is +generated, any number of CodeQL queries can be run against the database fo= r analysis. + +CodeQL analysis results can be stored in the +[SARIF](https://sarifweb.azurewebsites.net/) (Static Analysis Results Inte= rchange Format) file format. + +[CodeQL SARIF documentation](https://codeql.github.com/docs/codeql-cli/sar= if-output/) + +SARIF files are JSON following the SARIF specification/schema. The files c= an be opened with SARIF viewers to more +conveniently view the results in the file. 
+ +For example, the [SARIF Viewer extension for VS Code](https://marketplace.= visualstudio.com/items?itemName=3DMS-SarifVSCode.sarif-viewer) +can open a .sarif file generated by the CodeQL CLI and allow you to click = links directly to the problematic line in +source files. + +In summary, the edk2 repository runs CodeQL on pull requests and CI builds= . Any alerts will be flagged in the pull +request status checks area. The queries used by the edk2 repository are st= ored in the edk2 CodeQL query set file. + +[edk2 CodeQL Query Set](https://github.com/tianocore/edk2/blob/master/.git= hub/codeql/edk2.qls) + +## CodeQL Usage in edk2 + +CodeQL provides the capability to debug the actual queries and for our (Ti= anoCore) community to write our own queries +and even contribute back to the upstream repo when appropriate. In other c= ases, we might choose to keep our own +queries in a separate TianoCore repo or within a directory in the edk2 cod= e tree. + +This is all part of CodeQL Scanning. Information on the particular topic o= f running additional custom queries in +Code Scanning is documented [here](https://docs.github.com/en/code-securit= y/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-er= rors/configuring-code-scanning#running-additional-queries) +in that page. + +In addition, CodeQL offers the flexibility to: + +- Build databases locally +- Retrieve databases from server builds +- Relatively quickly test queries locally against a database for a fast fe= edback loop +- Suppress false positives +- Customize the files and queries used in the edk2 project and quickly kee= p this list in sync between the server and local execution + +### Query Target List + +While CodeQL can scan various languages including Python and C/C++, the Ti= anoCore project is only focused on C/C++ +checks at this time. TianoCore has an initial set of queries to evaluate s= hown below (checked boxes are done). 
+ +- [x] [cpp/conditionally-uninitialized-variable](https://github.com/github= /codeql/blob/main/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitialize= dVariable.ql) +- [x] [cpp/infinite-loop-with-unsatisfiable-exit-condition](https://github= .com/github/codeql/blob/main/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWi= thUnsatisfiableExitCondition.ql) +- [x] [cpp/overflow-buffer](https://github.com/github/codeql/blob/main/cpp= /ql/src/Security/CWE/CWE-119/OverflowBuffer.ql) +- [x] [cpp/pointer-overflow-check](https://github.com/github/codeql/blob/m= ain/cpp/ql/src/Likely%20Bugs/Memory%20Management/PointerOverflow.ql) +- [x] [cpp/potential-buffer-overflow](https://github.com/github/codeql/blo= b/main/cpp/ql/src/Likely%20Bugs/Memory%20Management/PotentialBufferOverflow= .ql) +- [ ] [cpp/toctou-race-condition](https://github.com/github/codeql/blob/ma= in/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql) +- [ ] [cpp/unclear-array-index-validation](https://github.com/github/codeq= l/blob/main/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql= ) +- [ ] [cpp/unsafe-strncat](https://github.com/github/codeql/blob/main/cpp/= ql/src/Likely%20Bugs/Memory%20Management/SuspiciousCallToStrncat.ql) +- [ ] [cpp/use-after-free](https://github.com/github/codeql/blob/main/cpp/= ql/src/Critical/UseAfterFree.ql) +- [ ] [cpp/user-controlled-null-termination-tainted](https://github.com/gi= thub/codeql/blob/main/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminati= onTainted.ql) +- [ ] [cpp/wrong-number-format-arguments](https://github.com/github/codeql= /blob/main/cpp/ql/src/Likely%20Bugs/Format/WrongNumberOfFormatArguments.ql) +- [ ] [cpp/wrong-type-format-argument](https://github.com/github/codeql/bl= ob/main/cpp/ql/src/Likely%20Bugs/Format/WrongTypeFormatArguments.ql) + +Additional queries completed: + +- [x] [cpp/overrunning-write](https://github.com/github/codeql/blob/main/c= pp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql) +- [x] 
[cpp/overrunning-write-with-float](https://github.com/github/codeql/= blob/main/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql) +- [x] [cpp/very-likely-overrunning-write](https://github.com/github/codeql= /blob/main/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql) + +### Query Filtering in edk2 + +CodeQL query files (`.ql` files) contain metadata about the query. For exa= mple, +[cpp/conditionally-uninitialized-variable](https://github.com/github/codeq= l/blob/main/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVaria= ble.ql) +states the following about the query: + +```plaintext +/** + * @name Conditionally uninitialized variable + * @description An initialization function is used to initialize a local v= ariable, but the + * returned status code is not checked. The variable may be l= eft in an uninitialized + * state, and reading the variable may result in undefined be= havior. + * @kind problem + * @problem.severity warning + * @security-severity 7.8 + * @id cpp/conditionally-uninitialized-variable + * @tags security + * external/cwe/cwe-457 + */ +``` + +edk2 automatically include queries against certain criteria using "query f= ilters". For example, this could include any +`problem` query above a certain `security-severity` level. Or all queries = with `security` in `tags`. + +Because edk2 favors consistency in CI results, the project maintains a rel= atively fixed query set that is updated with +individual queries over time. 
+ +- [edk2 Active Queries](https://github.com/tianocore/edk2/blob/master/.git= hub/codeql/edk2.qls) +- [edk2 Active CodeQL Configuration](https://github.com/tianocore/edk2/bl= ob/master/.github/codeql/codeql-config.yml) + +> _Note:_ Additional queries can be found here as well - https://lgtm.com/= search?q=3Dcpp&t=3Drules + +### Process for Suggesting New Queries for edk2 + +New query adoption in edk2 can be proposed by sending an RFC to the TianoC= ore development mailing list +(devel@edk2.groups.io) with the query link and justification for adopting = the query in edk2. + +Everyone is welcome to suggest new queries. + +### Query Enabling Process + +Enabling a new query may trigger zero to thousands of alerts. Therefore, t= wo paths are used to enable a new query in +the project. + +1. A single patch series - The first set of patches fixes the issues neede= d for the query to pass. The later set of + patches enables the query. +2. A query enabling branch - A branch is created where multiple contributo= rs can work together on fixing issues related + to enabling a new query. Once the branch is ready, the history is clean= ed up into a patch series that is submitted + to the edk2 project. + +(1) is recommended if the query is relatively simple to enable and one or = two people are doing the work. (2) is +recommended if a lot of effort is needed to fix issues for the query espec= ially issues spanning across packages. + +If a query is deemed fruitless during enabling testing, it can simply be r= ejected. The goal for CodeQL in edk2 is to +enable an effective set of queries that improve the codebase. As the list = of enabled queries grows, total CodeQL +coverage will increase against active pull requests. We want to have relev= ant and effective coverage. + +### CodeQL in Pull Requests + +TianoCore is enabling CodeQL in a step-by-step fashion. 
The goal with this= approach is to make steady progress +enabling CodeQL to become more comprehensive and useful while not impactin= g day-to-day code contributions. + +Throughout the process described in this section, CodeQL Code Scanning is = be a mandatory status check for edk2 +pull requests. + +### Dismissing CodeQL Alerts + +The following documentation describes how to dismiss alerts: +[Dismissing Alerts](https://docs.github.com/en/code-security/code-scanning= /automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-c= ode-scanning-alerts-for-your-repository#dismissing--alerts) + +> _Note:_ If query has a false positive a GitHub Issue can be submitted in= the +> [CodeQL repo issues page](https://github.com/github/codeql/issues) with = the `false-positive` tag to help improve +> the query. + +## CodeQL CLI Local Commands + +The [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/) can be used a= s follows to wrap around the edk2 build +process (`MdeModulePkg` in this case) to generate a database in the direct= ory `cpp-database`. The example shown uses +[stuart](https://github.com/tianocore/edk2-pytool-extensions) build comman= ds. 
+ +```cmd +codeql database create cpp-database --language=3Dcpp --command=3D"stuart_c= i_build -c .pytool/CISettings.py -p MdeModulePkg +-a IA32,X64 TOOL_CHAIN_TAG=3DVS2019 Target=3DDEBUG --clean" --overwrite +``` + +The following command can be used to generate a [SARIF file](https://codeq= l.github.com/docs/codeql-cli/sarif-output/) +(called `query-results.sarif`) from that database with the results of the +[cpp/conditionally-uninitialized-variable](https://github.com/github/codeq= l/blob/main/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVaria= ble.ql) query: + +```cmd +codeql database analyze cpp-database codeql\cpp\ql\src\Security\CWE\CWE-45= 7\ConditionallyUninitializedVariable.ql --format=3Dsarifv2.1.0 --output=3Dq= uery-results.sarif +``` + +SARIF logs can be read by log viewers such as the [Sarif Viewer](https://m= arketplace.visualstudio.com/items?itemName=3DMS-SarifVSCode.sarif-viewer) e= xtension for [VS Code](https://code.visualstudio.com/). + +## The CodeQL Project + +CodeQL is an actively maintained project. Here is a comparison of edk2 com= mit activity versus CodeQL for reference: + +- [CodeQL Commit Activity](https://github.com/github/codeql/graphs/commit-= activity) +- [edk2 Commit Activity](https://github.com/github/codeql/graphs/commit-ac= tivity) + +Because CodeQL does maintain a strong open-source presence, the TianoCore = community should be able to file +[issues](https://github.com/github/codeql/issues) and [pull requests](http= s://github.com/github/codeql/pulls) +into the project. + +--- + +> The original RFC for adoption of CodeQL in edk2 is available here for re= ference: +> [Adoption of CodeQL in edk2](https://github.com/tianocore/edk2/discussio= ns/3258#discussioncomment-3682099) --=20 2.28.0.windows.1
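Review bot: The "edk2 Commit Activity" link under "The CodeQL Project" points at the CodeQL repository (`https://github.com/github/codeql/graphs/commit-activity`), the same URL as the "CodeQL Commit Activity" line directly above it, so the comparison the paragraph promises cannot be made; it should point at the edk2 repository's own commit-activity graph. In "CodeQL CLI Local Commands" the `codeql database create` example splits the quoted `--command` string across two lines inside a `cmd` fence (`... -p MdeModulePkg` on one line, `-a IA32,X64 TOOL_CHAIN_TAG=VS2019 Target=DEBUG --clean" --overwrite` on the next); pasted into cmd.exe as shown, the newline ends the command before the closing quote and it will not run, so keep the whole command on a single line. The `codeql database analyze` example passes `codeql\cpp\ql\src\Security\CWE\CWE-457\ConditionallyUninitializedVariable.ql`, which only exists if the github/codeql repository is checked out in a `codeql` directory under the current working directory; state that prerequisite, since a reader who installed only the CLI bundle will not have that path. The "Dismissing Alerts" link ends in `#dismissing--alerts` with a doubled hyphen, which looks like a typo in the anchor and should be verified against the GitHub docs page. Wording nits in the same hunk: "edk2 automatically include queries" should be "includes", "CodeQL Code Scanning is be a mandatory status check" should be "is a mandatory status check", "there's two main phases" should be "there are two main phases", "Documenation" is misspelled, and "Github" in the opening sentence should be "GitHub" to match the rest of the page.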