Re: [PATCH] Add CodeQL build stage
On 24/02/2021 08:19, Owen Smith wrote:

CodeQL logs will be required for future WHQL submissions. Add a stage that generates the required SARIF files.

CodeQL is a semantic code analysis engine, which will highlight vulnerabilities that will need fixing.

In order to use CodeQL, the CodeQL binaries must be on the path and the Windows-Driver-Developer-Supplemental-Tools must be on the path defined by the CODEQL_QUERY_SUITE environment variable (if defined), or under the parent folder (if the CODEQL_QUERY_SUITE variable is not defined).

Note: Due to the way the codeql command line is built, using quotes in an MSBuild command line is not possible, so generate a batch file to wrap the command line.

Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx>

Looks ok to me, but then I'm no powershell expert.

Acked-by: Paul Durrant <paul@xxxxxxx>

--- build.ps1 | 20 ++++++++++++ msbuild.ps1 | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 107 insertions(+), 1 deletion(-)
diff --git a/build.ps1 b/build.ps1 index 2ea6428..346d187 100644 --- a/build.ps1 +++ b/build.ps1 @@ -6,6 +6,7 @@ param( [Parameter(Mandatory = $true)] [string]$Type, [string]$Arch, + [switch]$CodeQL, [switch]$Sdv )@@ -51,6 +52,21 @@ Function SdvBuild {& ".\msbuild.ps1" @params }+function CodeQLBuild {+ $visualstudioversion = $Env:VisualStudioVersion + $solutiondir = @{ "14.0" = "vs2015"; "15.0" = "vs2017"; "16.0" = "vs2019"; } + $configurationbase = @{ "14.0" = "Windows 10"; "15.0" = "Windows 10"; "16.0" = "Windows 10"; } + $arch = "x64" + + $params = @{ + SolutionDir = $solutiondir[$visualstudioversion]; + ConfigurationBase = $configurationbase[$visualstudioversion]; + Arch = $arch; + Type = "codeql" + } + & ".\msbuild.ps1" @params +} + if ($Type -ne "free" -and $Type -ne "checked") { Write-Host "Invalid Type" Exit -1 @@ -99,6 +115,10 @@ if ([string]::IsNullOrEmpty($Arch) -or $Arch -eq "x64") { Build "x64" $Type }+if ($CodeQL) {+ CodeQLBuild +} + if ($Sdv) { SdvBuild } 
diff --git a/msbuild.ps1 b/msbuild.ps1 index 670050c..de7ad52 100644 --- a/msbuild.ps1 +++ b/msbuild.ps1 
@@ -67,11 +67,75 @@ Function Run-MSBuildSDV { Set-Location $basepath }+Function Run-CodeQL {+ param( + [string]$SolutionPath, + [string]$Name, + [string]$Configuration, + [string]$Platform, + [string]$SearchPath, + [string]$OutputPath + ) + + $projpath = Resolve-Path (Join-Path $SolutionPath $Name) + $project = [string]::Format("{0}.vcxproj", $Name) + $output = [string]::Format("{0}.sarif", $Name) + $database = Join-Path "database" $Name + + # write a bat file to wrap msbuild parameters + $bat = [string]::Format("{0}.bat", $Name) + if (Test-Path $bat) { + Remove-Item $bat + } + $a = "msbuild.exe" + $a += " /m:4" + $a += " /t:Build" + $a += [string]::Format(" /p:Configuration=""{0}""", $Configuration) + $a += [string]::Format(" /p:Platform=""{0}""", $Platform) + $a += " " + $a += Join-Path $projpath $project + $a | Set-Content $bat + + # generate the database + $b = "codeql" + $b += " database" + $b += " create" + $b += " -l=cpp" + $b += " -s=src" + $b += " -c" + $b += ' "' + (Resolve-Path $bat) + '" ' + $b += $database + Invoke-Expression $b + if ($LASTEXITCODE -ne 0) { + Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" $LASTEXITCODE + Exit $LASTEXITCODE + } + Remove-Item $bat + + # perform the analysis on the database + $c = "codeql" + $c += " database" + $c += " analyze " + $c += $database + $c += " windows_driver_recommended.qls" + $c += " --format=sarifv2.1.0" + $c += " --output=" + $c += (Join-Path $OutputPath $output) + $c += " --search-path=" + $c += $SearchPath + + Invoke-Expression $c + if ($LASTEXITCODE -ne 0) { + Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" $LASTEXITCODE + Exit $LASTEXITCODE + } +} + # # Script Body #-$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = "$ConfigurationBase Debug"; "sdv" = "$ConfigurationBase Release"; }+$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = "$ConfigurationBase Debug"; "sdv" = "$ConfigurationBase Release"; "codeql" = "$ConfigurationBase 
Release"; } $platform = @{ "x86" = "Win32"; "x64" = "x64" } $solutionpath = Resolve-Path $SolutionDir@@ -83,6 +147,28 @@ if ($Type -eq "free") {elseif ($Type -eq "checked") { Run-MSBuild $solutionpath "xenbus.sln" $configuration["checked"] $platform[$Arch] } +elseif ($Type -eq "codeql") { + $archivepath = "xenbus" + + if (-Not (Test-Path -Path $archivepath)) { + New-Item -Name $archivepath -ItemType Directory | Out-Null + } + + if ([string]::IsNullOrEmpty($Env:CODEQL_QUERY_SUITE)) { + $searchpath = Resolve-Path ".." + } else { + $searchpath = $Env:CODEQL_QUERY_SUITE + } + + if (Test-Path "database") { + Remove-Item -Recurse -Force "database" + } + New-Item -ItemType Directory "database" + + Run-CodeQL $solutionpath "xen" $configuration["codeql"] $platform[$Arch] $searchpath $archivepath + Run-CodeQL $solutionpath "xenfilt" $configuration["codeql"] $platform[$Arch] $searchpath $archivepath + Run-CodeQL $solutionpath "xenbus" $configuration["codeql"] $platform[$Arch] $searchpath $archivepath +} elseif ($Type -eq "sdv") { $archivepath = "xenbus"
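Review bot: In the build.ps1 hunk adding CodeQLBuild, `$arch = "x64"` is hard-coded, so the CodeQL stage never analyses the Win32 build even when build.ps1 is invoked with `-Arch x86`; either pass the script's own `$Arch` through (`Arch = $Arch`) or state in the commit message that only the x64 SARIF is needed for WHQL. The `$solutiondir` and `$configurationbase` tables are also indexed by `$Env:VisualStudioVersion` with no guard, so an unlisted VS version silently hands msbuild.ps1 empty `SolutionDir`/`ConfigurationBase` values instead of a clear error.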
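Review bot: In the Run-CodeQL hunk, the commands are assembled as strings and executed with `Invoke-Expression`, and `$database`, the `--output=` path and the `--search-path=` value are appended unquoted; a `$SearchPath` taken from `CODEQL_QUERY_SUITE` (or a checkout path) containing a space or a PowerShell metacharacter is therefore split into extra arguments or re-parsed as code. Prefer the call operator with explicit arguments for the analyze step, e.g. `& codeql database analyze $database windows_driver_recommended.qls --format=sarifv2.1.0 "--output=$(Join-Path $OutputPath $output)" "--search-path=$SearchPath"`, and quote the database path in the create command the same way. Two smaller points: the `Exit $LASTEXITCODE` after `database create` returns before `Remove-Item $bat`, leaving the generated batch file behind on failure, and both error messages read "CodeQL failed", so the analyze branch should name its stage.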
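Review bot: In the msbuild.ps1 script-body hunk, `New-Item -ItemType Directory "database"` lacks the `| Out-Null` used on the `$archivepath` creation a few lines above, so the DirectoryInfo object is emitted to the script's output. The `$Env:CODEQL_QUERY_SUITE` value is also used without a `Test-Path` check, so a mistyped variable only surfaces as a search-path error from the analyze step after the database create for "xen" has already run; a `Test-Path $searchpath` check with a red `Write-Host` and `Exit 1` before the first Run-CodeQL call would fail fast.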