Re: [edk2-devel] [PATCH v2 2/2] .github: Add initial CodeQL config and workflow files

[Michael D Kinney]

Glad to see this works on Windows agents.  I know it will be good to switch 
back to Linux agents when stable.

See comments below.

Mike

> -----Original Message-----
> From: mikub...@linux.microsoft.com <mikub...@linux.microsoft.com>
> Sent: Thursday, November 3, 2022 2:41 PM
> To: devel@edk2.groups.io
> Cc: Sean Brogan <sean.bro...@microsoft.com>; Kinney, Michael D 
> <michael.d.kin...@intel.com>; Gao, Liming
> <gaolim...@byosoft.com.cn>
> Subject: [PATCH v2 2/2] .github: Add initial CodeQL config and workflow files
> 
> From: Michael Kubacki <michael.kuba...@microsoft.com>
> 
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4115
> 
> Adds initial support for enabling CodeQL Code Scanning in this
> repository per the RFC:
> 
>   https://github.com/tianocore/edk2/discussions/3258
> 
> Adds the following new files:
>   - .github/workflows/codql-analysis.yml - The main GitHub workflow
>     file used to setup CodeQL in the repo.
>   - .github/codeql/codeql-config.yml - The main CodeQL configuration
>     file used to customize the queries and other resources the repo
>     is using for CodeQL.
> 
> Cc: Sean Brogan <sean.bro...@microsoft.com>
> Cc: Michael D Kinney <michael.d.kin...@intel.com>
> Cc: Liming Gao <gaolim...@byosoft.com.cn>
> Signed-off-by: Michael Kubacki <michael.kuba...@microsoft.com>
> ---
>  .github/codeql/codeql-config.yml      | 30 ++++++
>  .github/codeql/edk2.qls               | 12 +++
>  .github/workflows/codeql-analysis.yml | 99 ++++++++++++++++++++
>  3 files changed, 141 insertions(+)
> 
> diff --git a/.github/codeql/codeql-config.yml 
> b/.github/codeql/codeql-config.yml
> new file mode 100644
> index 000000000000..3e27c2fb0d28
> --- /dev/null
> +++ b/.github/codeql/codeql-config.yml
> @@ -0,0 +1,30 @@
> +## @file
> +# CodeQL configuration file for edk2.
> +#
> +# Copyright (c) Microsoft Corporation.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +name: "CodeQL config"
> +
> +# The following line disables the default queries. This is used because we 
> want to enable on query at a time by
> +# explicitly specifying each query in a "queries" array as they are enabled.
> +#
> +# See the following for more information about adding custom queries:
> +# 
> https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-
> errors/configuring-code-scanning#using-a-custom-configuration-file
> +
> +#disable-default-queries: true
> +
> +queries:
> +  - name: EDK2 CodeQL Query List
> +    uses: ./.github/codeql/edk2.qls
> +
> +# We must specify a query for CodeQL to run. Until the first query is 
> enabled, enable the security query suite but
> +# exclude all problem levels from impacting the results. After the first 
> query is enabled, this filter can be relaxed
> +# to find the level of problems desired from the query.
> +query-filters:
> +- exclude:
> +    problem.severity:
> +      - error
> +      - warning
> +      - recommendation
> diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
> new file mode 100644
> index 000000000000..0efc7dca52db
> --- /dev/null
> +++ b/.github/codeql/edk2.qls
> @@ -0,0 +1,12 @@
> +---
> +- description: EDK2 (C++) queries
> +
> +# Bring in all queries from the official cpp-queries suite so individual 
> queries can be explicitly enabled.
> +
> +- queries: '.'
> +  from: codeql/cpp-queries
> +
> +# Enable individual queries below.
> +
> +- include:
> +    id: cpp/conditionallyuninitializedvariable
> diff --git a/.github/workflows/codeql-analysis.yml 
> b/.github/workflows/codeql-analysis.yml
> new file mode 100644
> index 000000000000..4ab8be04ecbe
> --- /dev/null
> +++ b/.github/workflows/codeql-analysis.yml
> @@ -0,0 +1,99 @@
> +# @file
> +# GitHub Workflow for CodeQL Analysis
> +#
> +# Copyright (c) Microsoft Corporation.
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +name: "CodeQL"
> +
> +on:
> +  push:
> +    branches:
> +      - master
> +  pull_request:
> +    branches:
> +      - master
> +    paths-ignore:
> +      - '**/*.bat'
> +      - '**/*.md'
> +      - '**/*.py'
> +      - '**/*.rst'
> +      - '**/*.sh'
> +      - '**/*.txt'
> +
> +  schedule:
> +    # https://crontab.guru/#20_23_*_*_4
> +    - cron: '20 23 * * 4'
> +
> +jobs:
> +  analyze:
> +    name: Analyze
> +    runs-on: windows-2019
> +    permissions:
> +      actions: read
> +      contents: read
> +      security-events: write
> +
> +    strategy:
> +      fail-fast: false
> +      matrix:
> +        package: [
> +          "ArmPkg",
> +          "CryptoPkg",
> +          "DynamicTablesPkg",
> +          "FatPkg",
> +          "FmpDevicePkg",
> +          "IntelFsp2Pkg",
> +          "IntelFsp2WrapperPkg",
> +          "MdeModulePkg",
> +          "MdePkg",
> +          "PcAtChipsetPkg",
> +          "PrmPkg",
> +          "SecurityPkg",
> +          "ShellPkg",
> +          "SourceLevelDebugPkg",
> +          "StandaloneMmPkg",
> +          "UefiCpuPkg",
> +          "UnitTestFrameworkPkg"]
> +
> +    steps:
> +    - name: Checkout repository
> +      uses: actions/checkout@v3
> +
> +    # Initializes the CodeQL tools for scanning.
> +    - name: Initialize CodeQL
> +      uses: github/codeql-action/init@v2
> +      with:
> +        languages: 'cpp'
> +        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 
> 'python', 'ruby' ]
> +        # Learn more about CodeQL language support at 
> https://codeql.github.com/docs/codeql-overview/supported-languages-and-
> frameworks/
> +        config-file: ./.github/codeql/codeql-config.yml
> +        # Note: Add new queries to codeql-config.yml file as they are 
> enabled.
> +
> +    - name: Install/Upgrade pip Modules
> +      run: pip install -r pip-requirements.txt --upgrade
> +
> +    - name: Use Node.js 19.x
> +      uses: actions/setup-node@v3
> +      with:
> +          node-version: 19.x
> +

Is this only required for cspell?

> +    - name: Install cspell npm
> +      run: npm install -g cspell@5.20.0

Do you have to install cspell to run CodeQL analysis?

> +
> +    - name: Setup
> +      run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 
> TOOL_CHAIN_TAG=VS2019
> +
> +    - name: Update
> +      run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 
> TOOL_CHAIN_TAG=VS2019
> +
> +    - name: Build Tools From Source
> +      run: python BaseTools/Edk2ToolsBuild.py -t VS2019
> +
> +    - name: CI Build
> +      run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.package }} 
> -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019
> +
> +    - name: Perform CodeQL Analysis
> +      uses: github/codeql-action/analyze@v2
> --
> 2.28.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#95910): https://edk2.groups.io/g/devel/message/95910
Mute This Topic: https://groups.io/mt/94793996/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-