
Re: [PATCH v2] codeql: add support for analyzing C, Python and Go


  • To: Roger Pau Monne <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Mon, 21 Mar 2022 13:02:30 +0000
  • Accept-language: en-GB, en-US
  • Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Mon, 21 Mar 2022 13:02:52 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v2] codeql: add support for analyzing C, Python and Go

On 21/03/2022 09:54, Roger Pau Monné wrote:
Ping?

On Mon, Mar 07, 2022 at 05:45:52PM +0100, Roger Pau Monne wrote:
Introduce CodeQL support for Xen and analyze the C, Python and Go
files.

Note that when analyzing Python or Go we avoid building the hypervisor
and only build the tools.

Requested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
Changes since v1:
 - Rename to note it's x86 specific right now.
 - Merge the ignored path patch.
---
It's my understanding that we need to force the checkout action to
fetch 'staging' branch, or else for the scheduled runs we would end up
picking the current default branch (master).

Forcing to staging is necessary due to a limitation in Coverity.

CodeQL explicitly can cope with multiple branches, so when a user asks for a specific branch, they'd better get a run on the branch they asked for, not have it forced to staging.

It also breaks any fork which has a different default branch.


Maybe we want to remove the scheduled action and just rely on pushes
and manually triggered workflows?
---
 .github/codeql/codeql-config.yml |  3 ++
 .github/workflows/codeql-x86.yml | 60 ++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 .github/codeql/codeql-config.yml
 create mode 100644 .github/workflows/codeql-x86.yml

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000000..721640c2a5
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,3 @@
+paths-ignore:
+  - xen/tools/kconfig
+  - tools/firmware/xen-dir/xen-root/xen/tools/kconfig
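Review bot: the two paths-ignore entries are the same directory at two depths (xen/tools/kconfig, and a copy of it nested under tools/firmware/xen-dir/xen-root), and the workflow's matrix runs cpp and go, for which this field is not honoured (it only filters the interpreted-language extractors), so the kconfig sources will still be extracted in those two runs. For the compiled languages the exclusion has to come from not compiling those files in the traced build step; for the python run a single glob such as `**/xen/tools/kconfig` would cover both copies without listing each nesting by hand.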

From actually running this:

Annotations
2 warnings
analyse (go)
The "paths"/"paths-ignore" fields of the config only have effect for JavaScript, Python, and Ruby
analyse (cpp)
The "paths"/"paths-ignore" fields of the config only have effect for JavaScript, Python, and Ruby

So this obviously can't be used like this.  You'll have to add them to the prebuild step.

diff --git a/.github/workflows/codeql-x86.yml b/.github/workflows/codeql-x86.yml
new file mode 100644
index 0000000000..a3ec6236c4
--- /dev/null
+++ b/.github/workflows/codeql-x86.yml
@@ -0,0 +1,60 @@
+name: CodeQL x86
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [staging]
+  schedule:
+    - cron: '18 10 * * WED,SUN' # Bi-weekly at 10:18 UTC
+
+jobs:
+  analyse:
+
+    strategy:
+      matrix:
+        language: [ 'cpp', 'python', 'go' ]
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Install build dependencies
+      run: |
+        sudo apt-get install -y wget git \
+          libbz2-dev build-essential \
+          zlib1g-dev libncurses5-dev iasl \
+          libbz2-dev e2fslibs-dev uuid-dev libyajl-dev \
+          autoconf libtool liblzma-dev \
+          python3-dev golang python-dev libsystemd-dev
+
+    - uses: actions/checkout@v2
+      with:
+        ref: staging
+
+    - name: Configure Xen
+      run: |
+        ./configure --with-system-qemu=/bin/true \
+                    --with-system-seabios=/bin/true \
+                    --with-system-ovmf=/bin/true
+
+    - name: Pre build stuff
+      run: |
+        make -j`nproc` mini-os-dir
+
+    - uses: github/codeql-action/init@v1
+      with:
+        config-file: ./.github/codeql/codeql-config.yml
+        languages: ${{matrix.language}}
+        queries: security-and-quality

This generates 1117 alerts, lots of which are of dubious utility.  I'd drop the queries line and go with the default, to reduce the triage initially.

~Andrew

+
+    - if: matrix.language == 'cpp'
+      name: Full Build
+      run: |
+        make -j`nproc` build-xen build-tools
+        make -j`nproc` -C extras/mini-os/
+
+    - if: matrix.language == 'python' || matrix.language == 'go'
+      name: Tools Build
+      run: |
+        make -j`nproc` build-tools
+
+    - uses: github/codeql-action/analyze@v1
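Review bot: the "Install build dependencies" step runs `sudo apt-get install -y ...` without a preceding `sudo apt-get update`, so on a runner image whose package index is stale the install can fail on a 404 before any analysis starts; add `sudo apt-get update` as the first line of that step. Smaller points in the same hunk: `libbz2-dev` is listed twice in the package list; the cron comment says "Bi-weekly" but `18 10 * * WED,SUN` fires twice a week, so "twice weekly" is the accurate wording; and the job declares no `permissions:` block, so it inherits the repository's default token scope, whereas `permissions: { contents: read, security-events: write }` is the least-privilege set the analyze step needs to upload its results.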
-- 
2.34.1