-
Notifications
You must be signed in to change notification settings - Fork 2.6k
361 lines (308 loc) · 13 KB
/
codeql.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
# This workflow runs CodeQL against the repository.
#
# Results are uploaded to GitHub Code Scanning.
#
# Due to a known issue with the CodeQL extractor when building the edk2
# codebase on Linux systems, only Windows agents are used for build with
# the VS toolchain.
#
# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent
name: "CodeQL"
on:
push:
branches:
- master
pull_request:
branches:
- master
paths-ignore:
- '!**.c'
- '!**.h'
jobs:
analyze:
name: Analyze
runs-on: windows-2019
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- Package: "ArmPkg"
ArchList: "IA32,X64"
- Package: "CryptoPkg"
ArchList: "IA32"
- Package: "CryptoPkg"
ArchList: "X64"
- Package: "DynamicTablesPkg"
ArchList: "IA32,X64"
- Package: "FatPkg"
ArchList: "IA32,X64"
- Package: "FmpDevicePkg"
ArchList: "IA32,X64"
- Package: "IntelFsp2Pkg"
ArchList: "IA32,X64"
- Package: "IntelFsp2WrapperPkg"
ArchList: "IA32,X64"
- Package: "MdeModulePkg"
ArchList: "IA32"
- Package: "MdeModulePkg"
ArchList: "X64"
- Package: "MdePkg"
ArchList: "IA32,X64"
- Package: "PcAtChipsetPkg"
ArchList: "IA32,X64"
- Package: "PrmPkg"
ArchList: "IA32,X64"
- Package: "SecurityPkg"
ArchList: "IA32,X64"
- Package: "ShellPkg"
ArchList: "IA32,X64"
- Package: "SourceLevelDebugPkg"
ArchList: "IA32,X64"
- Package: "StandaloneMmPkg"
ArchList: "IA32,X64"
- Package: "UefiCpuPkg"
ArchList: "IA32,X64"
- Package: "UnitTestFrameworkPkg"
ArchList: "IA32,X64"
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
cache-dependency-path: 'pip-requirements.txt'
- name: Use Git Long Paths on Windows
if: runner.os == 'Windows'
shell: pwsh
run: |
git config --system core.longpaths true
- name: Install/Upgrade pip Modules
run: pip install -r pip-requirements.txt --upgrade requests sarif-tools
- name: Determine CI Settings File Supported Operations
id: get_ci_file_operations
shell: python
run: |
import importlib
import os
import sys
from pathlib import Path
from edk2toolext.invocables.edk2_ci_setup import CiSetupSettingsManager
from edk2toolext.invocables.edk2_setup import SetupSettingsManager
# Find the repo CI Settings file
ci_settings_file = list(Path(os.environ['GITHUB_WORKSPACE']).rglob('.pytool/CISettings.py'))
# Note: At this point, submodules have not been pulled, only one CI Settings file should exist
if len(ci_settings_file) != 1 or not ci_settings_file[0].is_file():
print("::error title=Workspace Error!::Failed to find CI Settings file!")
sys.exit(1)
ci_settings_file = ci_settings_file[0]
# Try Finding the Settings class in the file
module_name = 'ci_settings'
spec = importlib.util.spec_from_file_location(module_name, ci_settings_file)
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
try:
settings = getattr(module, 'Settings')
except AttributeError:
print("::error title=Workspace Error!::Failed to find Settings class in CI Settings file!")
sys.exit(1)
# Determine Which Operations Are Supported by the Settings Class
ci_setup_supported = issubclass(settings, CiSetupSettingsManager)
setup_supported = issubclass(settings, SetupSettingsManager)
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'ci_setup_supported={str(ci_setup_supported).lower()}', file=fh)
print(f'setup_supported={str(setup_supported).lower()}', file=fh)
- name: Convert Arch to Log Format
id: convert_arch_hyphen
env:
ARCH_LIST: ${{ matrix.ArchList }}
shell: python
run: |
import os
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'arch_list={os.environ["ARCH_LIST"].replace(",", "-")}', file=fh)
- name: Setup
if: steps.get_ci_file_operations.outputs.setup_supported == 'true'
run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
- name: Upload Setup Log As An Artifact
uses: actions/upload-artifact@v4
if: (success() || failure()) && steps.get_ci_file_operations.outputs.setup_supported == 'true'
with:
name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Setup-Log
path: |
**/SETUPLOG.txt
retention-days: 7
if-no-files-found: ignore
- name: CI Setup
if: steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
run: stuart_ci_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
- name: Upload CI Setup Log As An Artifact
uses: actions/upload-artifact@v4
if: (success() || failure()) && steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
with:
name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-CI-Setup-Log
path: |
**/CISETUP.txt
retention-days: 7
if-no-files-found: ignore
- name: Update
run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
- name: Upload Update Log As An Artifact
uses: actions/upload-artifact@v4
if: success() || failure()
with:
name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Update-Log
path: |
**/UPDATE_LOG.txt
retention-days: 7
if-no-files-found: ignore
- name: Build Tools From Source
run: python BaseTools/Edk2ToolsBuild.py -t VS2019
- name: Find CodeQL Plugin Directory
id: find_dir
shell: python
run: |
import os
import sys
from pathlib import Path
# Find the plugin directory that contains the CodeQL plugin
plugin_dir = list(Path(os.environ['GITHUB_WORKSPACE']).rglob('BaseTools/Plugin/CodeQL'))
# This should only be found once
if len(plugin_dir) == 1:
plugin_dir = str(plugin_dir[0])
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'codeql_plugin_dir={plugin_dir}', file=fh)
else:
print("::error title=Workspace Error!::Failed to find CodeQL plugin directory!")
sys.exit(1)
- name: Get CodeQL CLI Cache Data
id: cache_key_gen
env:
CODEQL_PLUGIN_DIR: ${{ steps.find_dir.outputs.codeql_plugin_dir }}
shell: python
run: |
import os
import yaml
codeql_cli_ext_dep_name = 'codeqlcli_windows_ext_dep'
codeql_plugin_file = os.path.join(os.environ['CODEQL_PLUGIN_DIR'], codeql_cli_ext_dep_name + '.yaml')
with open (codeql_plugin_file) as pf:
codeql_cli_ext_dep = yaml.safe_load(pf)
cache_key_name = codeql_cli_ext_dep['name']
cache_key_version = codeql_cli_ext_dep['version']
cache_key = f'{cache_key_name}-{cache_key_version}'
codeql_plugin_cli_ext_dep_dir = os.path.join(os.environ['CODEQL_PLUGIN_DIR'], codeql_cli_ext_dep['name'].strip() + '_extdep')
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
print(f'codeql_cli_cache_key={cache_key}', file=fh)
print(f'codeql_cli_ext_dep_dir={codeql_plugin_cli_ext_dep_dir}', file=fh)
- name: Attempt to Load CodeQL CLI From Cache
id: codeqlcli_cache
uses: actions/cache@v4
with:
path: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
key: ${{ steps.cache_key_gen.outputs.codeql_cli_cache_key }}
- name: Download CodeQL CLI
if: steps.codeqlcli_cache.outputs.cache-hit != 'true'
run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019 --codeql
- name: Remove CI Plugins Irrelevant to CodeQL
shell: python
env:
CODEQL_PLUGIN_DIR: ${{ steps.find_dir.outputs.codeql_plugin_dir }}
run: |
import os
import shutil
from pathlib import Path
# Only these two plugins are needed for CodeQL
plugins_to_keep = ['CompilerPlugin']
plugin_dir = Path('.pytool/Plugin').absolute()
if plugin_dir.is_dir():
for dir in plugin_dir.iterdir():
if str(dir.stem) not in plugins_to_keep:
shutil.rmtree(str(dir.absolute()), ignore_errors=True)
- name: CI Build
env:
STUART_CODEQL_PATH: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
run: stuart_ci_build -c .pytool/CISettings.py -t DEBUG -p ${{ matrix.Package }} -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019 --codeql
- name: Build Cleanup
id: build_cleanup
shell: python
run: |
import os
import shutil
from pathlib import Path
dirs_to_delete = ['ia32', 'x64', 'arm', 'aarch64']
def delete_dirs(path: Path):
if path.exists() and path.is_dir():
if path.name.lower() in dirs_to_delete:
print(f'Removed {str(path)}')
shutil.rmtree(path)
return
for child_dir in path.iterdir():
delete_dirs(child_dir)
build_path = Path(os.environ['GITHUB_WORKSPACE'], 'Build')
delete_dirs(build_path)
- name: Upload Build Logs As An Artifact
uses: actions/upload-artifact@v4
if: success() || failure()
with:
name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Build-Logs
path: |
**/BUILD_REPORT.TXT
**/OVERRIDELOG.TXT
**/BUILDLOG_*.md
**/BUILDLOG_*.txt
**/CI_*.md
**/CI_*.txt
retention-days: 7
if-no-files-found: ignore
- name: Prepare Env Data for CodeQL Upload
id: env_data
env:
PACKAGE_NAME: ${{ matrix.Package }}
shell: python
run: |
import logging
import os
from edk2toollib.utility_functions import RunCmd
from io import StringIO
from pathlib import Path
package = os.environ['PACKAGE_NAME'].strip().lower()
directory_name = 'codeql-analysis-' + package + '-debug'
file_name = 'codeql-db-' + package + '-debug-0.sarif'
sarif_path = Path('Build', directory_name, file_name)
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
if sarif_path.is_file():
emacs_file_path = sarif_path.with_name(sarif_path.stem + "-emacs.txt")
out_stream_buffer = StringIO()
exit_code = RunCmd("sarif", f"emacs {sarif_path} --output {emacs_file_path} --no-autotrim",
outstream=out_stream_buffer,
logging_level=logging.NOTSET)
print(f'upload_sarif_file=true', file=fh)
print(f'emacs_file_path={emacs_file_path}', file=fh)
print(f'sarif_file_path={sarif_path}', file=fh)
else:
print(f'upload_sarif_file=false', file=fh)
- name: Upload CodeQL Results (SARIF) As An Artifact
uses: actions/upload-artifact@v4
if: steps.env_data.outputs.upload_sarif_file == 'true'
with:
name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-CodeQL-SARIF
path: |
${{ steps.env_data.outputs.emacs_file_path }}
${{ steps.env_data.outputs.sarif_file_path }}
retention-days: 14
if-no-files-found: warn
- name: Upload CodeQL Results (SARIF) To GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
if: steps.env_data.outputs.upload_sarif_file == 'true'
with:
# Path to SARIF file relative to the root of the repository.
sarif_file: ${{ steps.env_data.outputs.sarif_file_path }}
# Optional category for the results. Used to differentiate multiple results for one commit.
# Each package is a separate category.
category: ${{ matrix.Package }}