Re: [PATCH 1/2] codeql: add support for analyzing C, Python and Go
- To: Andrew Cooper <amc96@xxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Mon, 28 Feb 2022 10:03:15 +0100
- Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Jan Beulich" <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
- Delivery-date: Mon, 28 Feb 2022 09:03:51 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Fri, Feb 25, 2022 at 03:38:42PM +0000, Andrew Cooper wrote:
> On 25/02/2022 15:19, Roger Pau Monne wrote:
> > Introduce CodeQL support for Xen and analyze the C, Python and Go
> > files.
> >
> > Note that when analyzing Python or Go we avoid building the hypervisor
> > and only build the tools.
> >
> > Requested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > ---
> > TBD: there's no limit on the number of scans here unlike Coverity, but
> > each takes github minutes and we are limited to 2000 per month IIRC.
> > We might want to not perform a scan for each push.
>
> We don't push very often, and github is slower at noticing anyway, so I
> think we ought to be fine.
>
> We can always revisit the decision if we do end up hitting limits.
>
> > TBD: should we also disable the shim build? I'm not sure there's much
> > value in analyzing it.
>
> Shim's logic is quite different in areas. I'd say it's worth keeping.
Ack to both.
> > ---
> > .github/workflows/codeql.yml | 59 ++++++++++++++++++++++++++++++++++++
> > 1 file changed, 59 insertions(+)
> > create mode 100644 .github/workflows/codeql.yml
> >
> > diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
> > new file mode 100644
> > index 0000000000..5bfe478983
> > --- /dev/null
> > +++ b/.github/workflows/codeql.yml
> > @@ -0,0 +1,59 @@
> > +name: CodeQL
>
> As a thought... As we're considering doing cross-arm checks, should we
> use an x86 suffix here ?
It would be nice to handle all arches in the same file, but the
divergences could be bigger than the shared parts, since setting up
all the Arm cross-build env is likely not trivial.
I also wonder how to tag x86 vs Arm databases, but I guess we will
find a way. Maybe using the 'category' field for the analyze action?
> > +
> > +on:
> > + workflow_dispatch:
> > + push:
> > + branches: [staging]
> > + schedule:
> > + - cron: '18 10 * * WED,SUN' # Bi-weekly at 10:18 UTC
> > +
> > +jobs:
> > + analyse:
> > +
> > + strategy:
> > + matrix:
> > + language: [ 'cpp', 'python', 'go' ]
> > +
> > + runs-on: ubuntu-latest
> > +
> > + steps:
> > + - name: Install build dependencies
> > + run: |
> > + sudo apt-get install -y wget git \
> > + libbz2-dev build-essential \
> > + zlib1g-dev libncurses5-dev iasl \
> > + libbz2-dev e2fslibs-dev uuid-dev libyajl-dev \
> > + autoconf libtool liblzma-dev \
> > + python3-dev golang python-dev libsystemd-dev
> > +
> > + - uses: actions/checkout@v2
> > + with:
> > + ref: staging
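Review bot: `libbz2-dev` is listed twice in the `apt-get install` step (once after `wget git` and again before `e2fslibs-dev`); drop one of them. The same step runs `sudo apt-get install -y` without a preceding `sudo apt-get update`, so a stale package index on the runner image can make the install fail or pick an older package; `sudo apt-get update && sudo apt-get install -y ...` is the usual fix. Also, the comment on the cron line says `Bi-weekly`, but `18 10 * * WED,SUN` fires twice a week, so `twice weekly` describes the schedule unambiguously.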
>
> This one doesn't want to be forced to staging. The github integration
> does work properly with different branches.
Don't we need this so the `schedule` triggered run picks the staging
branch instead of master?
Thanks, Roger.
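One way to lay out what Roger floats above (a single workflow for both arches, with the `category` input of the analyze action tagging each database) as an added illustration; it is not part of the patch or the thread. It assumes the `languages`/`category` inputs of the CodeQL init/analyze actions, Xen's `XEN_TARGET_ARCH`/`CROSS_COMPILE` make variables for the Arm build, `make -C tools` for a tools-only build, and the `gcc-aarch64-linux-gnu` package as the cross toolchain.

```yaml
name: CodeQL
on:
  workflow_dispatch:
  push:
    branches: [staging]
jobs:
  analyse:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        arch: [x86_64, arm64]
        language: [cpp, python, go]
        include:
          # Cross-compiler prefix, only needed for the Arm target (assumed)
          - arch: arm64
            cross: aarch64-linux-gnu-
        exclude:
          # Python and Go live in tools/, which is a host build, so they are
          # scanned once rather than once per target arch
          - { arch: arm64, language: python }
          - { arch: arm64, language: go }
    steps:
      - uses: actions/checkout@v2

      # The apt-get dependency step from the patch goes here; the Arm job
      # additionally needs a cross toolchain (package name assumed)
      - name: Install cross toolchain
        if: matrix.arch == 'arm64'
        run: sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu

      - uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}

      # XEN_TARGET_ARCH and CROSS_COMPILE are Xen's cross-build variables;
      # matrix.cross is unset (empty) for x86_64, so the native gcc is used
      - name: Build hypervisor (C analysis)
        if: matrix.language == 'cpp'
        run: make -C xen XEN_TARGET_ARCH=${{ matrix.arch }} CROSS_COMPILE=${{ matrix.cross }}

      - name: Build tools only (Python and Go analysis)
        if: matrix.language != 'cpp'
        run: ./configure && make -C tools

      - uses: github/codeql-action/analyze@v2
        with:
          # A distinct category per (arch, language) pair keeps the uploads for
          # one commit apart instead of the later one replacing the earlier
          category: "/arch:${{ matrix.arch }}/language:${{ matrix.language }}"
```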