
Re: [PATCH 1/2] codeql: add support for analyzing C, Python and Go


  • To: Andrew Cooper <amc96@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Mon, 28 Feb 2022 10:03:15 +0100
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Jan Beulich" <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, "Stefano Stabellini" <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Mon, 28 Feb 2022 09:03:51 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Feb 25, 2022 at 03:38:42PM +0000, Andrew Cooper wrote:
> On 25/02/2022 15:19, Roger Pau Monne wrote:
> > Introduce CodeQL support for Xen and analyze the C, Python and Go
> > files.
> >
> > Note that when analyzing Python or Go we avoid building the hypervisor
> > and only build the tools.
> >
> > Requested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > ---
> > TBD: there's no limit on the number of scans here unlike Coverity, but
> > each takes github minutes and we are limited to 2000 per month IIRC.
> > We might want to not perform a scan for each push.
> 
> We don't push very often, and github is slower at noticing anyway, so I
> think we ought to be fine.
> 
> We can always revisit the decision if we do end up hitting limits.
> 
> > TBD: should we also disable the shim build? I'm not sure there's much
> > value in analyzing it.
> 
> Shim's logic is quite different in areas.  I'd say it's worth keeping.

Ack to both.

> > ---
> >  .github/workflows/codeql.yml | 59 ++++++++++++++++++++++++++++++++++++
> >  1 file changed, 59 insertions(+)
> >  create mode 100644 .github/workflows/codeql.yml
> >
> > diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
> > new file mode 100644
> > index 0000000000..5bfe478983
> > --- /dev/null
> > +++ b/.github/workflows/codeql.yml
> > @@ -0,0 +1,59 @@
> > +name: CodeQL
> 
> As a thought... As we're considering doing cross-arm checks, should we
> use an x86 suffix here ?

It would be nice to handle all arches in the same file, but the
divergences could be bigger than the shared parts, since setting up
all the Arm cross-build env is likely not trivial.

I also wonder how to tag x86 vs Arm databases, but I guess we will
find a way. Maybe using the 'category' field for the analyze action?

> > +
> > +on:
> > +  workflow_dispatch:
> > +  push:
> > +    branches: [staging]
> > +  schedule:
> > +    - cron: '18 10 * * WED,SUN' # Bi-weekly at 10:18 UTC
> > +
> > +jobs:
> > +  analyse:
> > +
> > +    strategy:
> > +      matrix:
> > +        language: [ 'cpp', 'python', 'go' ]
> > +
> > +    runs-on: ubuntu-latest
> > +
> > +    steps:
> > +    - name: Install build dependencies
> > +      run: |
> > +        sudo apt-get install -y wget git \
> > +          libbz2-dev build-essential \
> > +          zlib1g-dev libncurses5-dev iasl \
> > +          libbz2-dev e2fslibs-dev uuid-dev libyajl-dev \
> > +          autoconf libtool liblzma-dev \
> > +          python3-dev golang python-dev libsystemd-dev
> > +
> > +    - uses: actions/checkout@v2
> > +      with:
> > +        ref: staging
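Review bot: the "Install build dependencies" step runs `sudo apt-get install -y ...` without a preceding `sudo apt-get update`, so on a fresh `ubuntu-latest` runner the package index can be stale and the install can fail on any package whose version has moved since the image was built; run `sudo apt-get update` first (same `run:` block or a separate step). Two smaller points in the same hunk: `libbz2-dev` is listed twice in the package list, and the comment `# Bi-weekly at 10:18 UTC` is ambiguous because `'18 10 * * WED,SUN'` fires twice a week, so "twice weekly" would read clearer. Also consider referencing `actions/checkout` by a full commit SHA rather than the mutable `@v2` tag, since a moved tag silently changes what runs with the repository's workflow token.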
> 
> This one doesn't want to be forced to staging.  The github integration
> does work properly with different branches.

Don't we need this so the `schedule` triggered run picks the staging
branch instead of master?

Thanks, Roger.
