BaseTools/Plugin/CodeQL: Add CodeQL build plugin
Adds a CodeQL plugin that supports CodeQL in the build system.

1. CodeQlBuildPlugin - Generates a CodeQL database for a given build.
2. CodeQlAnalyzePlugin - Analyzes a CodeQL database and interprets results.
3. External dependencies - Assist with downloading the CodeQL CLI and making it available to the CodeQL plugins.
4. CodeQlQueries.qls - A C/C++ CodeQL query set run against the code.
5. Readme.md - A comprehensive readme file to help:
   - Platform integrators understand how to configure the plugin
   - Developers understand how to modify the plugin
   - Users understand how to use the plugin

Read Readme.md for additional details.

Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Yuwei Chen <yuwei.chen@intel.com>
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Michael D Kinney <michael.d.kinney@intel.com>
committed by mergify[bot]
parent c1393bd486
commit 5464d0bed6

BaseTools/Plugin/CodeQL/CodeQlQueries.qls (Normal file, 75 lines)
@@ -0,0 +1,75 @@
---
- description: C++ queries

- queries: '.'
from: codeql/cpp-queries

##########################################################################################
# Queries
##########################################################################################

## Enable When Time is Available to Fix Issues
# Hundreds of issues. Most appear valid. Type: Recommendation.
#- include:
# id: cpp/missing-null-test

## Errors
- include:
id: cpp/overrunning-write
- include:
id: cpp/overrunning-write-with-float
- include:
id: cpp/pointer-overflow-check
- include:
id: cpp/very-likely-overrunning-write

## Warnings
- include:
id: cpp/conditionallyuninitializedvariable
- include:
id: cpp/infinite-loop-with-unsatisfiable-exit-condition
- include:
id: cpp/overflow-buffer

# Note: Some queries above are not active by default with the below filter.
# Update the filter and run the queries again to get all results.
- include:
tags:
- "security"
- "correctness"
severity:
- "error"
- "warning"
- "recommendation"

# Specifically hide the results of these.
#
# The following rules have been evaluated and explicitly not included for the following reasons:
# - `cpp/allocation-too-small` - Appears to be hardcoded for C standard library functions `malloc`, `calloc`,
# `realloc`, so it consumes time without much value with custom allocation functions in the codebase.
# - `cpp/commented-out-code` - Triggers often. Needs further review.
# - `cpp/duplicate-include-guard` - The <Phase>EntryPoint.h files includes a common include guard value
# `__MODULE_ENTRY_POINT_H__`. This was the only occurrence found. So not very useful.
# - `cpp/invalid-pointer-deref` - Very limited results with what appear to be false positives.
# - `cpp/use-of-goto` - Goto is valid and allowed in the codebase.
# - `cpp/useless-expression` - Triggers too often on cases where a NULL lib implementation is provided for a function.
# Because the implementation simply returns, the check considers it useless.
# - `cpp/weak-crypto/*` - Crypto algorithms are tracked outside CodeQL.
- exclude:
id: cpp/allocation-too-small
- exclude:
id: cpp/commented-out-code
- exclude:
id: cpp/duplicate-include-guard
- exclude:
id: cpp/invalid-pointer-deref
- exclude:
id: cpp/use-of-goto
- exclude:
id: cpp/useless-expression
- exclude:
id: cpp/weak-crypto/banned-hash-algorithms
- exclude:
id: cpp/weak-crypto/capi/banned-modes
- exclude:
id: cpp/weak-crypto/openssl/banned-hash-algorithms
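Review bot: the comment ahead of the tag/severity `- include:` ("Some queries above are not active by default with the below filter. Update the filter and run the queries again to get all results.") leaves a platform integrator unable to tell which of the ids listed under `## Errors` and `## Warnings` (for example `cpp/overrunning-write` or `cpp/pointer-overflow-check`) actually run in a default build; please name the affected ids in that comment and state the filter change that enables them, or restructure the suite so the two sections list only what is active. Two smaller points on the `- exclude:` block: `cpp/invalid-pointer-deref` and `cpp/commented-out-code` are excluded on the strength of "appear to be false positives" and "Needs further review", so a reference to the reviewed findings or a tracking item would let those exclusions be revisited instead of becoming permanent; and the `cpp/weak-crypto/*` rationale "Crypto algorithms are tracked outside CodeQL" should say where they are tracked, so someone auditing the suite can confirm that coverage exists. Finally, in the `cpp/duplicate-include-guard` rationale, "files includes" should read "files include".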