From: Michael Kubacki <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io, Bob Feng, Liming Gao, Michael D Kinney, Rebecca Cran, Sean Brogan, Yuwei Chen
Date: Mon, 23 Oct 2023 14:12:59 -0400
Subject: Re: [edk2-devel] [PATCH v3 0/7] Use CodeQL CLI
In-Reply-To: <9bb28371-54ce-4749-8034-23a761d29c17@linux.microsoft.com>
References: <178F0E1DF715166D.14388@groups.io> <9bb28371-54ce-4749-8034-23a761d29c17@linux.microsoft.com>
List-Id: devel@edk2.groups.io
Another reminder. It would be nice to get this merged soon so actual
code fixes can follow.

Thanks,
Michael

On 10/19/2023 9:07 PM, Michael Kubacki wrote:
> A reminder to review this series. It's been on the mailing list for a
> few weeks now.
>
> Thanks,
> Michael
>
> On 10/17/2023 9:04 PM, Michael Kubacki wrote:
>> From: Michael Kubacki
>>
>> CodeQL currently runs via the codeql-analysis.yml GitHub workflow
>> which uses the github/codeql-action/init@v2 action (pre-build)
>> and the github/codeql-action/analyze@v2 action (post-build) to
>> set up the CodeQL environment and extract results.
>>
>> This infrastructure is removed in preparation for a new design that
>> will directly run the CodeQL CLI as part of the build. This will
>> allow CodeQL to be run locally as part of the normal build process
>> with results that match 1:1 with CI builds.
>>
>> The CodeQL CLI design is automatically driven by a set of CodeQL
>> plugins:
>>
>>   1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a
>>      build.
>>   2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
>>
>> This approach offers the following advantages:
>>
>>   1. Provides exactly the same results locally as on a CI server.
>>   2. Integrates very well into IDEs such as VS Code.
>>   3. Very simple to use - just use normal Stuart update and build
>>      commands.
>>   4. Very simple to understand - minimally wraps the official CodeQL
>>      CLI.
>>   5. Very simple to integrate - works like any other Stuart build
>>      plugin.
>>   6. Portable - not tied to Azure DevOps specific, GitHub specific,
>>      or other host infrastructure.
>>   7. Versioned - the query and filters are versioned in source
>>      control so easy to find and track.
>>
>> The appropriate CodeQL CLI is downloaded for the host OS by passing
>> the `--codeql` argument to the update command.
>>
>>   `stuart_update -c .pytool/CISettings.py --codeql`
>>
>> After that, CodeQL can be run in a build by similarly passing the
>> `--codeql` argument to the build command. For example:
>>
>>   `stuart_ci_build -c .pytool/CISettings.py --codeql`
>>
>> Going forward, CI will simply use those commands in CodeQL builds
>> to get results instead of the CodeQL GitHub actions.
>>
>> When `--codeql` is specified in the build command, each package will
>> contain two main artifacts in the Build directory.
>>
>>   1. The CodeQL database for the package
>>   2. The CodeQL SARIF (result) file for the package
>>
>> The CodeQL database (1) can be used to run queries against without
>> rebuilding any code. The SARIF result file (2) is the result of
>> running enabled queries against the database.
>>
>> SARIF stands for Static Analysis Results Interchange Format and it
>> is an industry standard format for output from static analysis tools.
>>
>> https://sarifweb.azurewebsites.net/
>>
>> The SARIF file can be opened with any standard SARIF file viewer
>> such as this one for VS Code:
>>
>> https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
>>
>> That includes the ability to jump directly to issues in the source
>> code file with relevant code highlighted and suggestions included.
>>
>> This means that after simply adding `--codeql` to the normal build
>> commands, a database will be present for future querying and a SARIF
>> result file will be present to allow the developer to immediately
>> start fixing issues.
>>
>> More details about the location of these and usage are in the
>> BaseTools/Plugin/CodeQL/Readme.md included in this patch series.
>>
>> The CI process pushes the SARIF file to GitHub Code Scanning so the
>> results are generated exactly the same way they are locally.
>>
>> All build logs and the SARIF file for each package are uploaded to
>> the GitHub action run as artifacts. If a CodeQL issue is found, a
>> developer can download the SARIF file directly from the GitHub action
>> run to fix the problem without needing to rebuild locally.
>>
>> An example run of these changes showing the packages built and output
>> logs and SARIF files is available here:
>>
>> https://github.com/tianocore/edk2/actions/runs/6317077528
>>
>> The series enables a new set of CodeQL queries that helps find useful
>> issues in the codebase. So, new CodeQL results will appear in the edk2
>> GitHub Code Scanning area after the change. It is expected that the
>> community will work together to prioritize and resolve issues to improve
>> the quality of the codebase.
>>
>> V3 Changes:
>>
>> 1. Add a "Resolution Guidelines" section to the CodeQL plugin readme
>>    file based on feedback in the October 16, 2023 Tianocore Tools &
>>    CI meeting to capture some notes useful in solving issues in the
>>    file.
>>
>> V2 Changes:
>>
>> 1. Enable CodeQL audit mode. This is because a new patch also enables
>>    queries that will result in unresolved issues so audit mode is needed
>>    for the build to succeed.
>> 2. Enable new CodeQL queries. This will enable new CodeQL queries so the
>>    issues are easier to find and track.
>>
>> Links and references:
>>
>>   - CodeQL Overview:
>>     https://codeql.github.com/docs/codeql-overview/
>>   - CodeQL open-source queries:
>>     https://github.com/github/codeql
>>   - CodeQL CLI:
>>     https://docs.github.com/en/code-security/codeql-cli#codeql-cli
>>   - SARIF Specification and Information:
>>     https://sarifweb.azurewebsites.net/
>>
>> Cc: Bob Feng
>> Cc: Liming Gao
>> Cc: Michael D Kinney
>> Cc: Rebecca Cran
>> Cc: Sean Brogan
>> Cc: Yuwei Chen
>>
>> Michael Kubacki (7):
>>   Remove existing CodeQL infrastructure
>>   BaseTools/Plugin/CodeQL: Add CodeQL build plugin
>>   BaseTools/Plugin/CodeQL: Add integration helpers
>>   .pytool/CISettings.py: Integrate CodeQL
>>   .github/workflows/codeql.yml: Add CodeQL workflow
>>   .pytool/CISettings: Enable CodeQL audit mode
>>   BaseTools/Plugin/CodeQL: Enable 30 queries
>>
>>  .github/codeql/codeql-config.yml                       |  29 --
>>  .github/codeql/edk2.qls                                |  24 --
>>  .github/workflows/codeql-analysis.yml                  | 118 ------
>>  .github/workflows/codeql.yml                           | 338 +++++++++++++++++
>>  .pytool/CISettings.py                                  |  36 ++
>>  BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py         | 222 +++++++++++
>>  BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml     |  13 +
>>  BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py           | 172 +++++++++
>>  BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml       |  13 +
>>  BaseTools/Plugin/CodeQL/CodeQlQueries.qls              | 118 ++++++
>>  BaseTools/Plugin/CodeQL/Readme.md                      | 388 ++++++++++++++++++++
>>  BaseTools/Plugin/CodeQL/analyze/__init__.py            |   0
>>  BaseTools/Plugin/CodeQL/analyze/analyze_filter.py      | 176 +++++++++
>>  BaseTools/Plugin/CodeQL/analyze/globber.py             | 132 +++++++
>>  BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml         |  26 ++
>>  BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml   |  24 ++
>>  BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml |  24 ++
>>  BaseTools/Plugin/CodeQL/common/__init__.py             |   0
>>  BaseTools/Plugin/CodeQL/common/codeql_plugin.py        |  74 ++++
>>  BaseTools/Plugin/CodeQL/integration/__init__.py        |   0
>>  BaseTools/Plugin/CodeQL/integration/stuart_codeql.py   |  79 ++++
>>  21 files changed, 1835 insertions(+), 171 deletions(-)
>>  delete mode 100644 .github/codeql/codeql-config.yml
>>  delete mode 100644 .github/codeql/edk2.qls
>>  delete mode 100644 .github/workflows/codeql-analysis.yml
>>  create mode 100644 .github/workflows/codeql.yml
>>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml
>>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml
>>  create mode 100644 BaseTools/Plugin/CodeQL/CodeQlQueries.qls
>>  create mode 100644 BaseTools/Plugin/CodeQL/Readme.md
>>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/__init__.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/analyze_filter.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/analyze/globber.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
>>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
>>  create mode 100644 BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
>>  create mode 100644 BaseTools/Plugin/CodeQL/common/__init__.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/common/codeql_plugin.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/integration/__init__.py
>>  create mode 100644 BaseTools/Plugin/CodeQL/integration/stuart_codeql.py

View/Reply Online (#109948): https://edk2.groups.io/g/devel/message/109948
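Once a `--codeql` build has produced a package's SARIF file, the findings can be triaged from a script as well as from a viewer. The Python below is an added example, not code from the patch series or the CodeQL plugin; it parses a constructed SARIF 2.1.0 document (the rule ids, paths and messages are illustrative) and groups results by rule, falling back to the rule's default level when a result carries none.

```python
"""Group the findings in a CodeQL SARIF result file by rule and location."""
import json
from collections import defaultdict

# Constructed SARIF 2.1.0 sample standing in for a package's result file;
# rule ids, paths and messages are illustrative, not real edk2 findings.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "cpp/uninitialized-local",
         "defaultConfiguration": {"level": "error"}},
        {"id": "cpp/missing-return",
         "defaultConfiguration": {"level": "warning"}}]}},
    "results": [
        {"ruleId": "cpp/uninitialized-local", "ruleIndex": 0,
         "message": {"text": "Status may not be initialized."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "ExamplePkg/Foo.c"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "cpp/missing-return", "ruleIndex": 1, "level": "note",
         "message": {"text": "Function may not return a value."},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "ExamplePkg/Foo.c"},
             "region": {"startLine": 90}}}]}]}]})


def summarize_sarif(sarif_text):
    """Return {ruleId: [(level, uri, startLine, message), ...]}.
    A result with no level of its own inherits the rule's defaultConfiguration
    level; "warning" is the SARIF default when both are absent."""
    doc = json.loads(sarif_text)
    findings = defaultdict(list)
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for res in run.get("results", []):
            rule = rules[res["ruleIndex"]] if "ruleIndex" in res else {}
            level = res.get("level") or rule.get(
                "defaultConfiguration", {}).get("level", "warning")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                findings[res["ruleId"]].append(
                    (level, uri, line, res["message"]["text"]))
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in sorted(summarize_sarif(SAMPLE_SARIF).items()):
        for level, uri, line, msg in hits:
            print(f"{rule} [{level}] {uri}:{line} {msg}")
```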