authorMichael Kubacki <michael.kubacki@microsoft.com>2022-08-03 16:19:02 -0400
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2022-11-08 15:29:26 +0000
commit6c1a4a376e97800c555dab9ca9d9651a5676d231 (patch)
tree97484a1878315564042ce66cdd263c5feb2ab6c4
parentc7aecf2a4fcd75bd5dbc3fef69aad5431469ebe7 (diff)
.github: Add initial CodeQL config and workflow files
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4115 Adds initial support for enabling CodeQL Code Scanning in this repository per the RFC: https://github.com/tianocore/edk2/discussions/3258 Adds the following new files: - .github/workflows/codeql-analysis.yml - The main GitHub workflow file used to setup CodeQL in the repo. - .github/codeql/codeql-config.yml - The main CodeQL configuration file used to customize the queries and other resources the repo is using for CodeQL. - edk2.qls - A query set of queries to run for CodeQL. Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
-rw-r--r--.github/codeql/codeql-config.yml30
-rw-r--r--.github/codeql/edk2.qls12
-rw-r--r--.github/workflows/codeql-analysis.yml91
3 files changed, 133 insertions, 0 deletions
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000000..3e27c2fb0d
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,30 @@
+## @file
+# CodeQL configuration file for edk2.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+name: "CodeQL config"
+
+# The following line disables the default queries. This is used because we want to enable on query at a time by
+# explicitly specifying each query in a "queries" array as they are enabled.
+#
+# See the following for more information about adding custom queries:
+# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file
+
+#disable-default-queries: true
+
+queries:
+ - name: EDK2 CodeQL Query List
+ uses: ./.github/codeql/edk2.qls
+
+# We must specify a query for CodeQL to run. Until the first query is enabled, enable the security query suite but
+# exclude all problem levels from impacting the results. After the first query is enabled, this filter can be relaxed
+# to find the level of problems desired from the query.
+query-filters:
+- exclude:
+ problem.severity:
+ - error
+ - warning
+ - recommendation
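Review bot: The explanatory comment and the setting it describes disagree: the comment says "The following line disables the default queries", but the line itself is commented out (`#disable-default-queries: true`), so the default query set stays enabled and a reader is misled about what is actually running. The `query-filters` block below then excludes `error`, `warning` and `recommendation`, which would also suppress results from the explicitly included EDK2 query list, so until that filter is relaxed no finding from any query will surface. Suggest rewording the comment to match the code: `# disable-default-queries is intentionally left commented out for now; the default queries stay enabled and all severities are filtered out below until individual queries are enabled.` The sequence indentation under `queries:` and `query-filters:` also looks inconsistent in this rendering, though that may be an artifact of how the page was extracted.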
diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
new file mode 100644
index 0000000000..0efc7dca52
--- /dev/null
+++ b/.github/codeql/edk2.qls
@@ -0,0 +1,12 @@
+---
+- description: EDK2 (C++) queries
+
+# Bring in all queries from the official cpp-queries suite so individual queries can be explicitly enabled.
+
+- queries: '.'
+ from: codeql/cpp-queries
+
+# Enable individual queries below.
+
+- include:
+ id: cpp/conditionallyuninitializedvariable
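Review bot: The `from: codeql/cpp-queries` pack reference on the `queries: '.'` instruction carries no version pin, so each run resolves whichever pack version the action fetches and the set of available queries (and therefore the results) can change without any change in this repository. If reproducible scans are wanted, consider pinning the pack in the suite definition (the query-suite `queries:` instruction accepts a `version:` range alongside `from:`) and bumping it deliberately. It would also help to state in the comment above `- include:` what the include does to the preceding selection, e.g. `# Only queries listed in include blocks below are run; all other queries from the pack are dropped.`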
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000000..2eacb9c9e1
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,91 @@
+# @file
+# GitHub Workflow for CodeQL Analysis
+#
+# Copyright (c) Microsoft Corporation.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+name: "CodeQL"
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ paths-ignore:
+ - '**/*.bat'
+ - '**/*.md'
+ - '**/*.py'
+ - '**/*.rst'
+ - '**/*.sh'
+ - '**/*.txt'
+
+ schedule:
+ # https://crontab.guru/#20_23_*_*_4
+ - cron: '20 23 * * 4'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: windows-2019
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ package: [
+ "ArmPkg",
+ "CryptoPkg",
+ "DynamicTablesPkg",
+ "FatPkg",
+ "FmpDevicePkg",
+ "IntelFsp2Pkg",
+ "IntelFsp2WrapperPkg",
+ "MdeModulePkg",
+ "MdePkg",
+ "PcAtChipsetPkg",
+ "PrmPkg",
+ "SecurityPkg",
+ "ShellPkg",
+ "SourceLevelDebugPkg",
+ "StandaloneMmPkg",
+ "UefiCpuPkg",
+ "UnitTestFrameworkPkg"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: 'cpp'
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Learn more about CodeQL language support at https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
+ config-file: ./.github/codeql/codeql-config.yml
+ # Note: Add new queries to codeql-config.yml file as they are enabled.
+
+ - name: Install/Upgrade pip Modules
+ run: pip install -r pip-requirements.txt --upgrade
+
+ - name: Setup
+ run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019
+
+ - name: Update
+ run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019
+
+ - name: Build Tools From Source
+ run: python BaseTools/Edk2ToolsBuild.py -t VS2019
+
+ - name: CI Build
+ run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.package }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
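Review bot: The third-party actions are referenced by floating major tags (`actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`), so the code running in a job that holds `security-events: write` can change whenever those tags move; pinning each `uses:` to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<FULL-COMMIT-SHA>  # v3`) keeps the run reproducible and makes updates reviewable. The same consideration applies to `pip install -r pip-requirements.txt --upgrade`, which is only as pinned as that requirements file, and that file is outside this diff. Separately, the inline note `# Note: Add new queries to codeql-config.yml file as they are enabled.` names the wrong file: per the accompanying config, individual queries are enabled in `.github/codeql/edk2.qls`, so the comment should point there.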