From: Michael Kubacki <michael.kuba...@microsoft.com> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4115
Adds initial support for enabling CodeQL Code Scanning in this repository per the RFC: https://github.com/tianocore/edk2/discussions/3258

Adds the following new files:
- .github/workflows/codeql-analysis.yml - The main GitHub workflow file used to set up CodeQL in the repo.
- .github/codeql/codeql-config.yml - The main CodeQL configuration file used to customize the queries and other resources the repo is using for CodeQL.

Cc: Sean Brogan <sean.bro...@microsoft.com>
Cc: Michael D Kinney <michael.d.kin...@intel.com>
Cc: Liming Gao <gaolim...@byosoft.com.cn>
Signed-off-by: Michael Kubacki <michael.kuba...@microsoft.com>
---
 .github/codeql/codeql-config.yml      |  30 ++++++
 .github/codeql/edk2.qls               |  12 +++
 .github/workflows/codeql-analysis.yml | 102 ++++++++++++++++++++
 3 files changed, 144 insertions(+)

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 000000000000..3e27c2fb0d28
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,30 @@ +## @file +# CodeQL configuration file for edk2. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +name: "CodeQL config" + +# The following line disables the default queries. This is used because we want to enable on query at a time by +# explicitly specifying each query in a "queries" array as they are enabled. +# +# See the following for more information about adding custom queries: +# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file + +#disable-default-queries: true + +queries: + - name: EDK2 CodeQL Query List + uses: ./.github/codeql/edk2.qls + +# We must specify a query for CodeQL to run. Until the first query is enabled, enable the security query suite but +# exclude all problem levels from impacting the results. After the first query is enabled, this filter can be relaxed +# to find the level of problems desired from the query. +query-filters: +- exclude: + problem.severity: + - error + - warning + - recommendation diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls new file mode 100644 index 000000000000..0efc7dca52db --- /dev/null +++ b/.github/codeql/edk2.qls @@ -0,0 +1,12 @@ +--- +- description: EDK2 (C++) queries + +# Bring in all queries from the official cpp-queries suite so individual queries can be explicitly enabled. + +- queries: '.' + from: codeql/cpp-queries + +# Enable individual queries below. + +- include: + id: cpp/conditionallyuninitializedvariable diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 000000000000..c3227d015477 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,102 @@ +# @file +# GitHub Workflow for CodeQL Analysis +# +# Copyright (c) Microsoft Corporation. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +name: "CodeQL" + +on: + push: + branches: + - master + pull_request: + branches: + - master + paths-ignore: + - '**/*.bat' + - '**/*.md' + - '**/*.py' + - '**/*.rst' + - '**/*.sh' + - '**/*.txt' + + schedule: + # https://crontab.guru/#20_23_*_*_4 + - cron: '20 23 * * 4' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + package: [ + "ArmPkg", + "CryptoPkg", + "DynamicTablesPkg", + "FatPkg", + "FmpDevicePkg", + "IntelFsp2Pkg", + "IntelFsp2WrapperPkg", + "MdeModulePkg", + "MdePkg", + "PcAtChipsetPkg", + "PrmPkg", + "SecurityPkg", + "ShellPkg", + "SourceLevelDebugPkg", + "StandaloneMmPkg", + "UefiCpuPkg", + "UnitTestFrameworkPkg"] + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: 'cpp' + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/ + config-file: ./.github/codeql/codeql-config.yml + # Note: Add new queries to codeql-config.yml file as they are enabled. 
+ + - name: Install/Upgrade pip Modules + run: pip install -r pip-requirements.txt --upgrade + + - name: Use Node.js 19.x + uses: actions/setup-node@v3 + with: + node-version: 19.x + + - name: Update apt + run: sudo apt-get update + + - name: Install required tools + run: sudo apt-get install gcc g++ make uuid-dev + + - name: Setup + run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=GCC5 + + - name: Update + run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=GCC5 + + - name: Build Tools From Source + run: python BaseTools/Edk2ToolsBuild.py -t GCC5 + + - name: CI Build + run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.package }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=GCC5 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 -- 2.28.0.windows.1
View/Reply Online (#95824): https://edk2.groups.io/g/devel/message/95824
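Review bot: In .github/codeql/codeql-config.yml the `query-filters` block still excludes every severity (`error`, `warning`, `recommendation`) even though the first query, cpp/conditionallyuninitializedvariable, is enabled in edk2.qls in this same patch, so that query's results are filtered out of Code Scanning and the first run reports nothing. The comment above the filter says it "can be relaxed" once the first query is enabled; that point is reached here, so drop the `query-filters` block (or narrow it to the severities you really want suppressed) in this patch rather than in a follow-up. Two smaller issues in the same hunk: the comment "The following line disables the default queries" sits above `#disable-default-queries: true`, which is commented out, so the default suite is not disabled and the comment does not describe the file (uncomment the line, which matches the stated one-query-at-a-time intent, or reword the comment); and "enable on query at a time" should read "one query at a time". The filter comment also speaks of enabling "the security query suite", but the file points `queries` at ./.github/codeql/edk2.qls, not a security suite, so that text is stale.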
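Review bot: In .github/codeql/edk2.qls, `- include:` / `id: cpp/conditionallyuninitializedvariable` is a filter instruction, not an additive one: `- queries: '.'` / `from: codeql/cpp-queries` selects the whole pack and the `include` then keeps only the query whose id matches. That is the intended result, but the comment "Enable individual queries below" reads as if entries are added rather than filtered, so say so explicitly (for example "include filters the full pack down to the listed ids; add one `id:` line per query") so the next contributor does not add another `- queries:` entry expecting to widen the selection. Separately, the commit message lists only codeql-analysis.yml and codeql-config.yml under "Adds the following new files"; this file should be listed there as well.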
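Review bot: In .github/workflows/codeql-analysis.yml, `paths-ignore` is set only under `pull_request`, not under `push`, and it ignores `**/*.py` and `**/*.txt`, which are exactly the build inputs this job depends on (`.pytool/CISettings.py`, `BaseTools/Edk2ToolsBuild.py`, `pip-requirements.txt`): a PR that changes only those files gets no CodeQL run, so a broken build setup is only noticed on the next push to master or the weekly cron. Drop `*.py` and `*.txt` from `paths-ignore` (or add explicit `paths` entries for the build tooling) and apply the same filter to `push` for consistency. Three further points in the same hunk: the "Build Tools From Source" step runs after "Initialize CodeQL", so the BaseTools compilation is traced into every one of the 17 matrix databases; move it ahead of the init step so each database covers only `${{ matrix.package }}`. The "Use Node.js 19.x" step has no consumer among the visible steps (JavaScript actions such as codeql-action run on the runner's built-in Node, not the one setup-node puts on PATH); either drop it or add a comment naming what needs it. Finally, actions/checkout@v3, actions/setup-node@v3 and github/codeql-action/init@v2 / analyze@v2 are referenced by mutable major tags; for a workflow holding `security-events: write`, pin each to a full commit SHA (with the tag in a trailing comment) so a moved tag cannot change what runs.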