-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Add a description - Add how it can be used section - Add a troubleshoot section
- Loading branch information
1 parent
513e38e
commit 835b887
Showing
1 changed file
with
85 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,85 @@ | ||
# codeql-coding-standards-bundle-releases | ||
CodeQL bundles containing the CodeQL Coding Standards queries | ||
# CodeQL Coding Standards Bundle | ||
|
||
The CodeQL Coding Standards Bundle is a CodeQL bundle that includes the queries from the matching [CodeQL Coding Standards](https://github.com/github/codeql-coding-standards) project that is be open sourced in July 2022. More information on the CodeQL Coding Standards project can be found in [this](https://github.blog/2022-06-20-adding-support-for-coding-standards-autosar-c-and-cert-c/) blog post. | ||
|
||
The queries implement the guidelines specified in the following standards targeting the projects using the C++14: | ||
- [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems Release 18-10](https://www.autosar.org/fileadmin/user_upload/standards/adaptive/18-10/AUTOSAR_RS_CPP14Guidelines.pdf) | ||
- [MISRA C++:2008](https://www.misra.org.uk) | ||
- [SEI CERT C++ Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=494932) | ||
|
||
## How to use the bundle | ||
|
||
The bundle can be use with the [Github CodeQL Action](https://github.com/github/codeql-action) by preceding the `github/codeql-action/init@v2` step with the following step: | ||
|
||
```yaml | ||
- name: Download CodeQL Coding Standards Bundle | ||
run: | | ||
gh release download -R advanced-security/codeql-coding-standards-bundle-releases v1.10.0 --pattern 'codeql-coding-standards.tar.gz' | ||
``` | ||
The step initializing the Github CodeQL Action using `github/codeql-action/init@v2` can be instructed to use the bundle through the `tools` key and the queries can be specified through the `queries` key as follows: | ||
|
||
```yaml | ||
- name: CodeQL Initialize | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
tools: codeql-coding-standards.tar.gz | ||
queries: autosar-default,cert-default | ||
``` | ||
|
||
The CodeQL Coding Standards Bundle supports the following CodeQL query suites: | ||
|
||
- `autosar-default`: All the AUTOSAR queries that are not audit queries. | ||
- `autosar-required`: The AUTOSAR ueries with obligation *required*, and that are not audit queries. | ||
- `autosar-advisory`: The AUTOSAR queries with obligation *advisory*, and that are not audit queries. | ||
- `autosar-audit`: The AUTOSAR queries that are audit queries. An audit query provides information that can aid in a manual review of a guideline with enforcement *non-automated*. | ||
- `cert-default`: All the CERT queries. | ||
|
||
## Troubleshooting | ||
|
||
An elaborate user manual will be provided when the CodeQL Coding Standards is open sourced. | ||
However the following errors might be troubleshooted if encountered. | ||
|
||
### Error: Code Scanning could not process the submitted SARIF file | ||
|
||
The error can occur using the action `github/codeql-action/analyze@v2` or `github/codeql-action/upload-sarif@v2` that uploads the results of the CodeQL analysis with the following reason | ||
|
||
`rejecting SARIF, as there are more results per run than allowed (25271 > 25000)` | ||
|
||
This can occur when the CodeQL Coding Standard queries are used on a project that doesn't adhere to the standard resulting a one or more queries returning a large number of alerts. | ||
The following steps can be used to troubleshoot the issue: | ||
|
||
1. When using the `github/codeql-action/analyze@v2`, disable the automatic uploading of the SARIF file as follows: | ||
```yaml | ||
- name: CodeQL Analyze | ||
uses: github/codeql-action/analyze@v2 | ||
with: | ||
upload: "false" | ||
``` | ||
2. Upload the SARIF file with the `actions/` as follows: | ||
```yaml | ||
- name: Upload Sarif | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: results | ||
path: "../results" | ||
``` | ||
3. Analyze the SARIF file in [Visual Studio Code][https://code.visualstudio.com/] using the [Sarif Viewer](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer) extension. The *rules* tab of the Sarif Viewer gives a breakdown per rule and the number of alerts. | ||
4. Note down the rule id (of the form `cpp/autosar/...`) of the rules with a high number of alerts. | ||
5. Revert the above changes to return to the regular workflow. | ||
6. Create a CodeQL query suite that excludes the identified rule(s). More information on creating CodeQL query suites can be found at [Creating CodeQL query suites](https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/). The following is an example for AUTOSAR that excludes the rule `cpp/autosar/undocumented-user-defined-type`: | ||
```yaml | ||
- description: AUTOSAR C++14 Guidelines 19-11 (Customized) | ||
- import: codeql-suites/autosar-default.qls | ||
from: autosar-cpp-coding-standards | ||
- exclude: | ||
id: | ||
- cpp/autosar/undocumented-user-defined-type | ||
``` | ||
7. Add the CodeQL query suite to the repository and refer to it in the `github/codeql-action/init@v2` step. The following example assumes the CodeQL query suite is stored at `.github/code-scanning/autosar.qls`: | ||
```yaml | ||
- name: CodeQL Initialize | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
tools: codeql-coding-standards.tar.gz | ||
queries: cert-default,.github/code-scanning/autosar.qls |