
Re: [PATCH 1/2] codeql: add support for analyzing C, Python and Go



On 25/02/2022 15:19, Roger Pau Monne wrote:
> Introduce CodeQL support for Xen and analyze the C, Python and Go
> files.
>
> Note that when analyzing Python or Go we avoid building the hypervisor
> and only build the tools.
>
> Requested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> ---
> TBD: there's no limit in the number of scans here unlike Coverity, but
> each takes github minutes and we are limited to 2000 per month IIRC.
> We might want to not perform a scan for each push.

We don't push very often, and github is slower at noticing anyway, so I
think we ought to be fine.

We can always revisit the decision if we do end up hitting limits.

> TBD: should we also disable the shim build? I'm not sure there's much
> value in analyzing it.

Shim's logic is quite different in areas.  I'd say it's worth keeping.

> ---
>  .github/workflows/codeql.yml | 59 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 59 insertions(+)
>  create mode 100644 .github/workflows/codeql.yml
>
> diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
> new file mode 100644
> index 0000000000..5bfe478983
> --- /dev/null
> +++ b/.github/workflows/codeql.yml
> @@ -0,0 +1,59 @@
> +name: CodeQL

As a thought... As we're considering doing cross-arm checks, should we
use an x86 suffix here?

> +
> +on:
> +  workflow_dispatch:
> +  push:
> +    branches: [staging]
> +  schedule:
> +    - cron: '18 10 * * WED,SUN' # Bi-weekly at 10:18 UTC
> +
> +jobs:
> +  analyse:
> +
> +    strategy:
> +      matrix:
> +        language: [ 'cpp', 'python', 'go' ]
> +
> +    runs-on: ubuntu-latest
> +
> +    steps:
> +    - name: Install build dependencies
> +      run: |
> +        sudo apt-get install -y wget git \
> +          libbz2-dev build-essential \
> +          zlib1g-dev libncurses5-dev iasl \
> +          libbz2-dev e2fslibs-dev uuid-dev libyajl-dev \
> +          autoconf libtool liblzma-dev \
> +          python3-dev golang python-dev libsystemd-dev
> +
> +    - uses: actions/checkout@v2
> +      with:
> +        ref: staging
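
Review bot: the "Install build dependencies" step in this hunk runs `sudo apt-get install -y ...` without a preceding `sudo apt-get update`, so on a runner whose package index is stale the install can fail with 404s for packages that have been rebuilt since the image was made; suggest `sudo apt-get update && sudo apt-get install -y ...`. In the same package list `libbz2-dev` appears twice (once beside `build-essential`, once beside `e2fslibs-dev`), and both `python-dev` and `python3-dev` are requested: `python-dev` is the Python 2 development package on Debian-derived distributions and may not be installable on `ubuntu-latest`, so if the tools build only needs Python 3 it is safer to drop the Python 2 entry than to let it break the whole step.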

This one doesn't want to be forced to staging.  The github integration
does work properly with different branches.

Importantly, it will allow anyone with a fork of Xen to use the
workflow_dispatch UI to do a one-off run on any branch.

~Andrew


