
[PATCH-XENVBD] Add CodeQL build stage


  • To: <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Owen Smith <owen.smith@xxxxxxxxxx>
  • Date: Fri, 5 Mar 2021 10:16:05 +0000
  • Authentication-results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: Owen Smith <owen.smith@xxxxxxxxxx>
  • Delivery-date: Fri, 05 Mar 2021 10:16:31 +0000
  • Ironport-sdr: 28x3b2VDWkAyS5VIbELYBfa/MysyKWma7XSC+Qx4eVpz+qWjdc+6GAg06opb/qgHDbNQ4jmlDO MFnZpc3HqbveXlodmORCbqgfZYheERODP3Lit004YwjfrkdIS5JsMZZYmfy3Sjekeot6zljU6W SEzl//b34l8ZT+rLJylRvy0ZYqpla4YqTQy9ekjPJCyXuz/5BRenTU/f+vawp9mY+CPXGOWp27 I4chbMcRwDPE8soKiGCjsXUPJmvk1iF0ORNMYXsRsJJSMz5tsZGm6GyvuacmwNKDS+NlOeTEvd xqg=
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

CodeQL logs will be required for future WHQL submissions. Add a stage
that generates the required SARIF files. CodeQL is a semantic code
analysis engine, which will highlight vulnerabilities that will need
fixing.

In order to use CodeQL, the CodeQL binaries must be on the path and the
Windows-Driver-Developer-Supplemental-Tools must be on the path defined
by the CODEQL_QUERY_SUITE environment variable (if defined), or under
the parent folder (if CODEQL_QUERY_SUITE variable is not defined)

Note: Due to the way the codeql command line is built, using quotes in a
MSBuild command line is not possible, so generate a batch file to wrap
the command line.

Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx>
---
 build.ps1   | 20 +++++++++++
 msbuild.ps1 | 97 +++++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 111 insertions(+), 6 deletions(-)

diff --git a/build.ps1 b/build.ps1
index 2ea6428..346d187 100644
--- a/build.ps1
+++ b/build.ps1
@@ -6,6 +6,7 @@ param(
        [Parameter(Mandatory = $true)]
        [string]$Type,
        [string]$Arch,
+       [switch]$CodeQL,
        [switch]$Sdv
 )
 
@@ -51,6 +52,21 @@ Function SdvBuild {
        & ".\msbuild.ps1" @params
 }
 
+function CodeQLBuild {
+       $visualstudioversion = $Env:VisualStudioVersion
+       $solutiondir = @{ "14.0" = "vs2015"; "15.0" = "vs2017"; "16.0" = 
"vs2019"; }
+       $configurationbase = @{ "14.0" = "Windows 10"; "15.0" = "Windows 10"; 
"16.0" = "Windows 10"; }
+       $arch = "x64"
+
+       $params = @{
+               SolutionDir = $solutiondir[$visualstudioversion];
+               ConfigurationBase = $configurationbase[$visualstudioversion];
+               Arch = $arch;
+               Type = "codeql"
+               }
+       & ".\msbuild.ps1" @params
+}
+
 if ($Type -ne "free" -and $Type -ne "checked") {
        Write-Host "Invalid Type"
        Exit -1
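Review bot: CodeQLBuild indexes $solutiondir and $configurationbase with $Env:VisualStudioVersion but never checks that the key exists, so on a VS version outside 14.0/15.0/16.0 both SolutionDir and ConfigurationBase are $null and the failure only surfaces later, presumably at the Resolve-Path $SolutionDir in msbuild.ps1, with a message that does not name the cause. A guard before $params would make this explicit: `if (-not $solutiondir.ContainsKey($visualstudioversion)) {`, `Write-Host "Unsupported VisualStudioVersion: $visualstudioversion"; Exit -1`, `}`. The hard-coded `$arch = "x64"` also ignores the script's -Arch parameter; if that is intentional because the driver CodeQL suite is only run for x64, a one-line comment saying so would help. The `if ($Type -ne "free" ...)` block at the end of this hunk continues outside it.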
@@ -99,6 +115,10 @@ if ([string]::IsNullOrEmpty($Arch) -or $Arch -eq "x64") {
        Build "x64" $Type
 }
 
+if ($CodeQL) {
+       CodeQLBuild
+}
+
 if ($Sdv) {
        SdvBuild
 }
diff --git a/msbuild.ps1 b/msbuild.ps1
index b918cfa..4cb408a 100644
--- a/msbuild.ps1
+++ b/msbuild.ps1
@@ -67,14 +67,81 @@ Function Run-MSBuildSDV {
        Set-Location $basepath
 }
 
+Function Run-CodeQL {
+       param(
+               [string]$SolutionPath,
+               [string]$Name,
+               [string]$Configuration,
+               [string]$Platform,
+               [string]$SearchPath,
+               [string]$OutputPath
+       )
+
+       $projpath = Resolve-Path (Join-Path $SolutionPath $Name)
+       $project = [string]::Format("{0}.vcxproj", $Name)
+       $output = [string]::Format("{0}.sarif", $Name)
+       $database = Join-Path "database" $Name
+
+       # write a bat file to wrap msbuild parameters
+       $bat = [string]::Format("{0}.bat", $Name)
+       if (Test-Path $bat) {
+               Remove-Item $bat
+       }
+       $a = "msbuild.exe"
+       $a += " /m:4"
+       $a += " /t:Build"
+       $a += [string]::Format(" /p:Configuration=""{0}""", $Configuration)
+       $a += [string]::Format(" /p:Platform=""{0}""", $Platform)
+       $a += " "
+       $a += Join-Path $projpath $project
+       $a | Set-Content $bat
+
+       # generate the database
+       $b = "codeql"
+       $b += " database"
+       $b += " create"
+       $b += " -l=cpp"
+       $b += " -s=src"
+       $b += " -c"
+       $b += ' "' + (Resolve-Path $bat) + '" '
+       $b += $database
+       Invoke-Expression $b
+       if ($LASTEXITCODE -ne 0) {
+               Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" 
$LASTEXITCODE
+               Exit $LASTEXITCODE
+       }
+       Remove-Item $bat
+
+       # perform the analysis on the database
+       $c = "codeql"
+       $c += " database"
+       $c += " analyze "
+       $c += $database
+       $c += " windows_driver_recommended.qls"
+       $c += " --format=sarifv2.1.0"
+       $c += " --output="
+       $c += (Join-Path $OutputPath $output)
+       $c += " --search-path="
+       $c += $SearchPath
+
+       Invoke-Expression $c
+       if ($LASTEXITCODE -ne 0) {
+               Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" 
$LASTEXITCODE
+               Exit $LASTEXITCODE
+       }
+}
+
 #
 # Script Body
 #
 
-$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = 
"$ConfigurationBase Debug"; "sdv" = "$ConfigurationBase Release"; }
+$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = 
"$ConfigurationBase Debug"; "sdv" = "$ConfigurationBase Release"; "codeql" = 
"$ConfigurationBase Release"; }
 $platform = @{ "x86" = "Win32"; "x64" = "x64" }
 $solutionpath = Resolve-Path $SolutionDir
 
+$archivepath = "xenvbd"
+$projectlist = @( "xencrsh", "xendisk", "xenvbd" )
+
 Set-ExecutionPolicy -Scope CurrentUser -Force Bypass
 
 if ($Type -eq "free") {
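Review bot: Both Invoke-Expression calls in Run-CodeQL re-parse a string assembled from $SearchPath, $OutputPath and $database as PowerShell, so a query-suite path containing a space (one under Program Files, say) splits into two arguments and the analyze step fails, and any PowerShell syntax present in that path is evaluated instead of being passed through. Only the .bat path is quoted; the `--output=` and `--search-path=` values are not. Invoking codeql with the call operator and an argument array passes every value verbatim as a single argument and leaves the $LASTEXITCODE checks as they are. $SearchPath is populated from $Env:CODEQL_QUERY_SUITE in the next hunk of this file, outside this one.
```powershell
	# generate the database; an argument array keeps each path intact
	# and nothing is re-parsed as PowerShell
	$createArgs = @(
		"database", "create", "-l=cpp", "-s=src",
		"-c", (Resolve-Path $bat).Path,
		$database
	)
	& codeql @createArgs
	# … unchanged: exit-code check, Remove-Item $bat …

	# perform the analysis on the database
	$analyzeArgs = @(
		"database", "analyze", $database,
		"windows_driver_recommended.qls",
		"--format=sarifv2.1.0",
		"--output=$(Join-Path $OutputPath $output)",
		"--search-path=$SearchPath"
	)
	& codeql @analyzeArgs
	# … unchanged: exit-code check …
```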
@@ -83,16 +150,34 @@ if ($Type -eq "free") {
 elseif ($Type -eq "checked") {
        Run-MSBuild $solutionpath "xenvbd.sln" $configuration["checked"] 
$platform[$Arch]
 }
-elseif ($Type -eq "sdv") {
-       $archivepath = "xenvbd"
+elseif ($Type -eq "codeql") {
+       if (-Not (Test-Path -Path $archivepath)) {
+               New-Item -Name $archivepath -ItemType Directory | Out-Null
+       }
 
+       if ([string]::IsNullOrEmpty($Env:CODEQL_QUERY_SUITE)) {
+               $searchpath = Resolve-Path ".."
+       } else {
+               $searchpath = $Env:CODEQL_QUERY_SUITE
+       }
+
+       if (Test-Path "database") {
+               Remove-Item -Recurse -Force "database"
+       }
+       New-Item -ItemType Directory "database" | Out-Null
+
+       $projectlist | ForEach {
+               Run-CodeQL $solutionpath $_ $configuration["codeql"] 
$platform[$Arch] $searchpath $archivepath
+       }
+}
+elseif ($Type -eq "sdv") {
        if (-Not (Test-Path -Path $archivepath)) {
                New-Item -Name $archivepath -ItemType Directory | Out-Null
        }
 
-       Run-MSBuildSDV $solutionpath "xencrsh" $configuration["sdv"] 
$platform[$Arch]
-       Run-MSBuildSDV $solutionpath "xendisk" $configuration["sdv"] 
$platform[$Arch]
-       Run-MSBuildSDV $solutionpath "xenvbd" $configuration["sdv"] 
$platform[$Arch]
+       $projectlist | ForEach {
+               Run-MSBuildSDV $solutionpath $_ $configuration["sdv"] 
$platform[$Arch]
+       }
 
        Copy-Item -Path (Join-Path -Path $SolutionPath -ChildPath "*DVL*") 
-Destination $archivepath
 }
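Review bot: The CODEQL_QUERY_SUITE value is assigned to $searchpath as-is while the fallback branch goes through Resolve-Path, so a mistyped or relative environment value is neither validated nor normalised and only fails inside codeql with a less specific message. Using `$searchpath = Resolve-Path $Env:CODEQL_QUERY_SUITE` in the else branch makes both branches behave the same and stops the script at the first bad input. A short comment above the if would also help: `# query suite location: CODEQL_QUERY_SUITE if set, else the parent folder`.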
-- 
2.30.1.windows.1




 

