
Re: [PATCH] Add CodeQL build stage


  • To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Paul Durrant <xadimgnik@xxxxxxxxx>
  • Date: Wed, 24 Feb 2021 16:40:28 +0000
  • Delivery-date: Wed, 24 Feb 2021 16:40:34 +0000
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

On 24/02/2021 08:19, Owen Smith wrote:
CodeQL logs will be required for future WHQL submissions. Add a stage
that generates the required SARIF files. CodeQL is a semantic code
analysis engine, which will highlight vulnerabilities that will need
fixing.

In order to use CodeQL, the CodeQL binaries must be on the path and the
Windows-Driver-Developer-Supplemental-Tools must be on the path defined
by the CODEQL_QUERY_SUITE environment variable (if defined), or under
the parent folder (if CODEQL_QUERY_SUITE variable is not defined)

Note: Due to the way the codeql command line is built, using quotes in a
MSBuild command line is not possible, so generate a batch file to wrap
the command line.

Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx>

Looks ok to me, but then I'm no powershell expert.

Acked-by: Paul Durrant <paul@xxxxxxx>

---
  build.ps1   | 20 ++++++++++++
  msbuild.ps1 | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
  2 files changed, 107 insertions(+), 1 deletion(-)

diff --git a/build.ps1 b/build.ps1
index 2ea6428..346d187 100644
--- a/build.ps1
+++ b/build.ps1
@@ -6,6 +6,7 @@ param(
        [Parameter(Mandatory = $true)]
        [string]$Type,
        [string]$Arch,
+       [switch]$CodeQL,
        [switch]$Sdv
  )
@@ -51,6 +52,21 @@ Function SdvBuild {
        & ".\msbuild.ps1" @params
  }
+function CodeQLBuild {
+       $visualstudioversion = $Env:VisualStudioVersion
+       $solutiondir = @{ "14.0" = "vs2015"; "15.0" = "vs2017"; "16.0" = 
"vs2019"; }
+       $configurationbase = @{ "14.0" = "Windows 10"; "15.0" = "Windows 10"; "16.0" = 
"Windows 10"; }
+       $arch = "x64"
+
+       $params = @{
+               SolutionDir = $solutiondir[$visualstudioversion];
+               ConfigurationBase = $configurationbase[$visualstudioversion];
+               Arch = $arch;
+               Type = "codeql"
+               }
+       & ".\msbuild.ps1" @params
+}
+
  if ($Type -ne "free" -and $Type -ne "checked") {
        Write-Host "Invalid Type"
        Exit -1
@@ -99,6 +115,10 @@ if ([string]::IsNullOrEmpty($Arch) -or $Arch -eq "x64") {
        Build "x64" $Type
  }
+if ($CodeQL) {
+       CodeQLBuild
+}
+
  if ($Sdv) {
        SdvBuild
  }
diff --git a/msbuild.ps1 b/msbuild.ps1
index 670050c..de7ad52 100644
--- a/msbuild.ps1
+++ b/msbuild.ps1
@@ -67,11 +67,75 @@ Function Run-MSBuildSDV {
        Set-Location $basepath
  }
+Function Run-CodeQL {
+       param(
+               [string]$SolutionPath,
+               [string]$Name,
+               [string]$Configuration,
+               [string]$Platform,
+               [string]$SearchPath,
+               [string]$OutputPath
+       )
+
+       $projpath = Resolve-Path (Join-Path $SolutionPath $Name)
+       $project = [string]::Format("{0}.vcxproj", $Name)
+       $output = [string]::Format("{0}.sarif", $Name)
+       $database = Join-Path "database" $Name
+
+       # write a bat file to wrap msbuild parameters
+       $bat = [string]::Format("{0}.bat", $Name)
+       if (Test-Path $bat) {
+               Remove-Item $bat
+       }
+       $a = "msbuild.exe"
+       $a += " /m:4"
+       $a += " /t:Build"
+       $a += [string]::Format(" /p:Configuration=""{0}""", $Configuration)
+       $a += [string]::Format(" /p:Platform=""{0}""", $Platform)
+       $a += " "
+       $a += Join-Path $projpath $project
+       $a | Set-Content $bat
+
+       # generate the database
+       $b = "codeql"
+       $b += " database"
+       $b += " create"
+       $b += " -l=cpp"
+       $b += " -s=src"
+       $b += " -c"
+       $b += ' "' + (Resolve-Path $bat) + '" '
+       $b += $database
+       Invoke-Expression $b
+       if ($LASTEXITCODE -ne 0) {
+               Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" 
$LASTEXITCODE
+               Exit $LASTEXITCODE
+       }
+       Remove-Item $bat
+
+       # perform the analysis on the database
+       $c = "codeql"
+       $c += " database"
+       $c += " analyze "
+       $c += $database
+       $c += " windows_driver_recommended.qls"
+       $c += " --format=sarifv2.1.0"
+       $c += " --output="
+       $c += (Join-Path $OutputPath $output)
+       $c += " --search-path="
+       $c += $SearchPath
+
+       Invoke-Expression $c
+       if ($LASTEXITCODE -ne 0) {
+               Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" 
$LASTEXITCODE
+               Exit $LASTEXITCODE
+       }
+}
+
  #
  # Script Body
  #
-$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = "$ConfigurationBase Debug"; "sdv" = "$ConfigurationBase Release"; }
+$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = "$ConfigurationBase Debug"; "sdv" = 
"$ConfigurationBase Release"; "codeql" = "$ConfigurationBase Release"; }
  $platform = @{ "x86" = "Win32"; "x64" = "x64" }
  $solutionpath = Resolve-Path $SolutionDir
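Review bot: Run-CodeQL builds both codeql command lines by string concatenation and runs them through Invoke-Expression (lines `$b`/`$c`), so `$database`, `$OutputPath` and in particular `$SearchPath`, which comes straight from the CODEQL_QUERY_SUITE environment variable, are re-parsed by PowerShell and break on spaces or shell metacharacters; the same applies to the unquoted `$a += Join-Path $projpath $project` written into the .bat file. Invoking codeql.exe directly with the call operator passes each value as one argument, drops Invoke-Expression, and still sets $LASTEXITCODE for the existing checks. The two error messages are also identical ("CodeQL failed"), which makes it impossible to tell from the log whether database creation or analysis failed. Rewrite below; the .bat wrapper itself is kept as the commit message explains.
```powershell
# … unchanged: .bat generation, except the project path is quoted …
$a += [string]::Format(" ""{0}""", (Join-Path $projpath $project))
$a | Set-Content $bat

# generate the database
& codeql database create -l=cpp -s=src -c "$(Resolve-Path $bat)" $database
if ($LASTEXITCODE -ne 0) {
        Write-Host -ForegroundColor Red "ERROR: CodeQL database create failed, code:" $LASTEXITCODE
        Exit $LASTEXITCODE
}
Remove-Item $bat

# perform the analysis on the database
& codeql database analyze $database windows_driver_recommended.qls --format=sarifv2.1.0 `
        "--output=$(Join-Path $OutputPath $output)" "--search-path=$SearchPath"
if ($LASTEXITCODE -ne 0) {
        Write-Host -ForegroundColor Red "ERROR: CodeQL database analyze failed, code:" $LASTEXITCODE
        Exit $LASTEXITCODE
}
```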
@@ -83,6 +147,28 @@ if ($Type -eq "free") {
  elseif ($Type -eq "checked") {
        Run-MSBuild $solutionpath "xenbus.sln" $configuration["checked"] 
$platform[$Arch]
  }
+elseif ($Type -eq "codeql") {
+       $archivepath = "xenbus"
+
+       if (-Not (Test-Path -Path $archivepath)) {
+               New-Item -Name $archivepath -ItemType Directory | Out-Null
+       }
+
+       if ([string]::IsNullOrEmpty($Env:CODEQL_QUERY_SUITE)) {
+               $searchpath = Resolve-Path ".."
+       } else {
+               $searchpath = $Env:CODEQL_QUERY_SUITE
+       }
+
+       if (Test-Path "database") {
+               Remove-Item -Recurse -Force "database"
+       }
+       New-Item -ItemType Directory "database"
+
+       Run-CodeQL $solutionpath "xen" $configuration["codeql"] 
$platform[$Arch] $searchpath $archivepath
+       Run-CodeQL $solutionpath "xenfilt" $configuration["codeql"] 
$platform[$Arch] $searchpath $archivepath
+       Run-CodeQL $solutionpath "xenbus" $configuration["codeql"] 
$platform[$Arch] $searchpath $archivepath
+}
  elseif ($Type -eq "sdv") {
        $archivepath = "xenbus"
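Review bot: `$searchpath = $Env:CODEQL_QUERY_SUITE` takes the environment value as-is, whereas the fallback branch goes through Resolve-Path, so a mistyped or relative CODEQL_QUERY_SUITE is only discovered when the third codeql invocation fails; using `$searchpath = Resolve-Path $Env:CODEQL_QUERY_SUITE` fails early with a clear path error and normalises the value the same way as the fallback. The `New-Item -ItemType Directory "database"` line also lacks the `| Out-Null` that the `$archivepath` creation a few lines above uses, so it prints the DirectoryInfo object into the build output. The enclosing if/elseif chain continues past the end of this hunk.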




 

