On 11/7/23 16:43, Michael Kubacki wrote:
> The series that makes it easy to run CodeQL locally and have access to
> results from any PR or push to master.
> 
> Those that have access can see the results directly in "Code Scanning"
> in the "Security" tab of the edk2 repo. That may be affected in times
> like freezes when permissions are adjusted (write permission is needed).
> 
> I am hoping we can work together to improve the overall quality of the
> code and minimize the number of CodeQL alerts.
> 
> This is an example of that interface:
> 
> *Overview of Issues (many)*
> 
> 
> *Example of Details for a Specific Issue*
> 
> *---*
> 
> However, you can always download the results for an individual package
> from its GitHub Action run. I encourage people to do so.
> 
> 1. Go to Actions -> CodeQL
> <https://github.com/tianocore/edk2/actions/workflows/codeql.yml>.
> Anything to "master" are results at that point in time on the master
> branch. Individual PR branches are shown to get results for a specific PR.
> 
> 
> 
> 2. Download and open the SARIF file for a package. In the commit to
> master shown above in
> https://github.com/tianocore/edk2/actions/runs/6779575049, for
> MdeModulePkg, I would download "MdeModulePkg-CodeQL-SARIF" and unzip.
> 
> 
> 
> 3. Open the SARIF file to view results. For example, drag/drop the file
> "codeql-db-mdemodulepkg-debug-0.sarif" into VS Code with the "SARIF
> Viewer"
> <https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer>
>  installed. It shows all of the issues by file or rule, with a click through
> to the problem and more details about it. There are other SARIF viewers
> available as well.

I've investigated "sarif", from "sarif-tools version 2.0.0", at 
<https://github.com/microsoft/sarif-tools>.

The "emacs" output module of "sarif" would be ideal for my needs, but I have 
two questions / requests regarding that:

- would it be possible to run "sarif emacs" immediately in the github action, 
so that the text file can be downloaded at once? (I currently have sarif-tools 
installed in a python venv, but I'd prefer avoiding even that.)

- the "sarif emacs" output seems a bit broken, actually, so it's not usable. 
Consider the following entry from the original JSON file:

    }, {
      "ruleId" : "cpp/missing-null-test",
      "ruleIndex" : 0,
      "rule" : {
        "id" : "cpp/missing-null-test",
        "index" : 0
      },
      "message" : {
        "text" : "Value may be null; it should be checked before dereferencing."
      },
      "locations" : [ {
        "physicalLocation" : {
          "artifactLocation" : {
            "uri" : "MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c",
            "uriBaseId" : "%SRCROOT%",
            "index" : 0
          },
          "region" : {
            "startLine" : 355,
            "startColumn" : 48,
            "endColumn" : 52
          }
        }
      } ],
      "partialFingerprints" : {
        "primaryLocationLineHash" : "f374f6e6dfc92010:1",
        "primaryLocationStartColumnFingerprint" : "43"
      }
    }, {

In the "emacs" output, it appears as:

--------
ModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c:355: cpp/missing-null-test Value may be null; it should be checked before dereferencing.
--------

Note that the first three characters, "Mde", of "MdeModulePkg" are lost.

This issue (first three chars cut) affects all other pathnames in the emacs 
output too.

Is this a known issue perhaps?

Thanks!
Laszlo

> 
> 
> 
> Keep in mind that CodeQL will often not highlight everything that needs
> to be done to fix an issue. It alerts the developer to an issue and then
> you need to inspect the code to determine if other code paths or
> refactoring should be applied.
> 
> I will create a wiki page with more user focused information, but I
> wanted to share some quick info for getting started.
> 
> More technical details about how the plugin itself works and applying
> exceptions are available in its readme
> - edk2/BaseTools/Plugin/CodeQL/Readme.md:
> <https://github.com/tianocore/edk2/blob/master/BaseTools/Plugin/CodeQL/Readme.md>
> 
> Thanks,
> Michael
> 
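As an added illustration of how the SARIF entry quoted above maps onto a compile-mode style "file:line:col: message" line, here is a small Python converter. This is example code written for this page; it is not the edk2 CodeQL plugin and not the "emacs" output module of sarif-tools, and it does not reproduce or diagnose the truncation described in the message. The SARIF document it parses is constructed inline (the first result mirrors the quoted entry, the second is a made-up result with no region), and the "warning" level used when a result carries no "level" field is an assumption.

```python
"""Flatten SARIF 2.1.0 results into emacs/grep-style "path:line:col: level: rule: message" lines."""
import json
import sys

# Constructed sample SARIF document for this example (not a real edk2 CodeQL result file).
# The first result mirrors the entry quoted in the message; the second is invented to
# exercise a location that has a URI scheme and no "region".
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "cpp/missing-null-test", "shortDescription": {"text": "Missing null test"}},
        ]}},
        "results": [
            {
                "ruleId": "cpp/missing-null-test",
                "ruleIndex": 0,
                "message": {"text": "Value may be null; it should be checked before dereferencing."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {
                        "uri": "MdeModulePkg/Application/UiApp/FrontPageCustomizedUiSupport.c",
                        "uriBaseId": "%SRCROOT%", "index": 0},
                    "region": {"startLine": 355, "startColumn": 48, "endColumn": 52}}}],
                "partialFingerprints": {"primaryLocationLineHash": "f374f6e6dfc92010:1",
                                        "primaryLocationStartColumnFingerprint": "43"},
            },
            {
                "ruleId": "cpp/unused-static-function",  # made-up rule id for the example
                "message": {"text": "Static function is never called."},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "file:///src/MdeModulePkg/Core/Dxe/Mem/Page.c"}}}],
            },
        ],
    }],
})


def _location_prefix(loc):
    """Return "path", "path:line" or "path:line:col" for one SARIF location."""
    phys = loc.get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
    # Strip a URI scheme only when it is really present; slicing a fixed number of
    # characters would silently eat the start of a relative path such as "MdeModulePkg/...".
    if uri.startswith("file://"):
        uri = uri[len("file://"):]
    region = phys.get("region", {})
    parts = [uri]
    if "startLine" in region:
        parts.append(str(region["startLine"]))
        if "startColumn" in region:
            parts.append(str(region["startColumn"]))
    return ":".join(parts)


def sarif_to_emacs(sarif_text):
    """Emit one line per (result, location) pair across every run in the document."""
    doc = json.loads(sarif_text)
    lines = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "<no-rule>")
            text = result.get("message", {}).get("text", "").replace("\n", " ")
            level = result.get("level", "warning")  # assumption: default level when absent
            # A result without locations still gets a line so it is not silently dropped.
            for loc in result.get("locations") or [{}]:
                lines.append(f"{_location_prefix(loc)}: {level}: {rule}: {text}")
    return lines


if __name__ == "__main__":
    # Usage: python sarif_emacs.py [results.sarif]; with no argument the sample is used.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    print("\n".join(sarif_to_emacs(data)))
```

The "level:" field is included so that compile-mode style parsers that key on "warning"/"error" classify the line correctly; the path is left exactly as the SARIF "uri" gives it (minus a real "file://" scheme), so relative paths such as the "MdeModulePkg/..." entry above survive intact.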



View/Reply Online (#111153): https://edk2.groups.io/g/devel/message/111153