From 426b2e079c213873d6f5ade662572d71fd9af95d Mon Sep 17 00:00:00 2001
From: Frank Scholter Peres
Date: Tue, 2 Dec 2025 11:20:34 +0000
Subject: [PATCH 1/4] first try codeql cli integration
---
 integration_test.sh | 86 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 85 insertions(+), 1 deletion(-)
diff --git a/integration_test.sh b/integration_test.sh
index f7aa9e6ea..c36aecc2f 100755
--- a/integration_test.sh
+++ b/integration_test.sh
@@ -12,6 +12,19 @@ LOG_DIR=${LOG_DIR:-_logs/logs}
 SUMMARY_FILE=${SUMMARY_FILE:-_logs/build_summary.md}
 KNOWN_GOOD_FILE=""
+# Codeql
+
+CODEQL_WORK_DIR="./codeql_analysis_results"
+CODEQL_DATABASES_DIR="${CODEQL_WORK_DIR}/databases"
+CODEQL_SARIF_DIR="${CODEQL_WORK_DIR}/sarif"
+CODEQL_LANGUAGE="cpp"
+CODEQL_QUERY_PACKS="codeql/cpp-queries,codeql/misra-cpp-coding-standards" # Add more packs as needed
+CODEQL_CLI_VERSION="v2.23.6" # Use the latest stable version
+CODEQL_PLATFORM="linux64" # e.g., linux64, macos, win64
+CODEQL_BUNDLE="codeql-${CODEQL_PLATFORM}.zip"
+CODEQL_URL="https://github.com/github/codeql-cli-binaries/releases/download/${CODEQL_CLI_VERSION}/${CODEQL_BUNDLE}"
+#https://github.com/github/codeql-cli-binaries/releases/download/v2.23.6/codeql-linux64.zip
+
 # maybe move this to known_good.json or a config file later
 declare -A BUILD_TARGET_GROUPS=(
 [score_baselibs]="@score_baselibs//score/..."
@@ -23,6 +36,8 @@ declare -A BUILD_TARGET_GROUPS=(
 [score_feo]="@score_feo//..."
 )
+
+
 # Parse command line arguments
 while [[ $# -gt 0 ]]; do
 case $1 in
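Review bot: The comment on `CODEQL_CLI_VERSION="v2.23.6" # Use the latest stable version` contradicts the line it annotates: the value is a fixed tag, which is the right choice for reproducible scans, and the comment should say so instead of inviting the next maintainer to float it, e.g. `CODEQL_CLI_VERSION="v2.23.6" # Pinned on purpose; bump deliberately and verify the new archive's digest`. The `#https://github.com/.../v2.23.6/codeql-linux64.zip` line under `CODEQL_URL` is a hand-expanded copy of the same URL that will silently go stale on the next bump; drop it or reword it as a generic "expands to" example. If nothing later in the script reassigns these `CODEQL_*` values, marking them `readonly` would make that intent explicit.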
@@ -107,11 +122,44 @@ overall_depr_total=0
 # Track if any build group failed
 any_failed=0
+binary_path="${CODEQL_WORK_DIR}/codeql-cli/codeql/codeql"
+
+if [ -x "${binary_path}" ]; then
+ echo "Local CodeQL CLI found at ${binary_path}. Adding to PATH."
+ export PATH="$(pwd)/${CODEQL_WORK_DIR}/codeql-cli/codeql:${PATH}"
+else
+ echo "CodeQL CLI not found. Downloading..."
+ mkdir -p "${CODEQL_WORK_DIR}/codeql-cli"
+ curl -L "${CODEQL_URL}" -o "${CODEQL_WORK_DIR}/${CODEQL_BUNDLE}"
+ unzip "${CODEQL_WORK_DIR}/${CODEQL_BUNDLE}" -d "${CODEQL_WORK_DIR}/codeql-cli"
+ export PATH="$(pwd)/${CODEQL_WORK_DIR}/codeql-cli/codeql:${PATH}"
+ echo "CodeQL CLI downloaded and added to PATH."
+fi
+
+# Verify CodeQL CLI is now available
+if ! command -v codeql &> /dev/null; then
+ echo "Error: CodeQL CLI could not be set up. Exiting."
+ exit 1
+else
+ echo "codeql found in path"
+fi
+
+
+mkdir -p "${CODEQL_DATABASES_DIR}"
+mkdir -p "${CODEQL_SARIF_DIR}"
 for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 targets="${BUILD_TARGET_GROUPS[$group]}"
 log_file="${LOG_DIR}/${group}.log"
+
+ db_path="${CODEQL_DATABASES_DIR}/${group}_db"
+ sarif_output="${CODEQL_SARIF_DIR}/${group}.sarif"
+ # 1. Clean Bazel to ensure a fresh build for CodeQL tracing
+ echo "Running 'bazel clean --expunge' and 'bazel shutdown'..."
+ bazel clean --expunge || { echo "Bazel clean failed for ${group}"; exit 1; }
+ bazel shutdown || { echo "Bazel shutdown failed for ${group}"; exit 1; }
+
 # Log build group banner only to stdout/stderr (not into summary table file)
 echo "--- Building group: ${group} ---"
 start_ts=$(date +%s)
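Review bot: The download branch runs `curl -L "${CODEQL_URL}" -o …` and then `unzip`s the result into a directory that is immediately prepended to `PATH`, with no digest check in between; the version tag is pinned but the bytes are not, so a tampered transfer or a replaced release asset would be executed as the build tracer for every group. Pin the bundle's SHA-256 in a `CODEQL_SHA256` constant next to `CODEQL_CLI_VERSION`, verify it before `unzip`, and give curl `--fail` (plus `--proto '=https'`) so an HTTP error page is not saved and unpacked as the zip. The `if [ -x "${binary_path}" ]` fast path trusts whatever already sits under `./codeql_analysis_results` in the working tree, so the same digest check could gate that branch as well. The `for group` loop that opens near the end of this hunk continues past it.
```shell
  echo "CodeQL CLI not found. Downloading..."
  mkdir -p "${CODEQL_WORK_DIR}/codeql-cli"
  curl --fail --location --proto '=https' --tlsv1.2 \
    "${CODEQL_URL}" -o "${CODEQL_WORK_DIR}/${CODEQL_BUNDLE}" \
    || { echo "Error: download of ${CODEQL_BUNDLE} failed"; exit 1; }
  # CODEQL_SHA256 holds the published digest of the pinned bundle; refuse anything else
  echo "${CODEQL_SHA256}  ${CODEQL_WORK_DIR}/${CODEQL_BUNDLE}" | sha256sum -c - \
    || { echo "Error: checksum mismatch for ${CODEQL_BUNDLE}"; exit 1; }
  unzip "${CODEQL_WORK_DIR}/${CODEQL_BUNDLE}" -d "${CODEQL_WORK_DIR}/codeql-cli"
  # … unchanged: export PATH and the "downloaded" message …
```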
@@ -119,7 +167,25 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 # GitHub Actions log grouping start
 echo "::group::Bazel build (${group})"
 set +e
- bazel build --config "${CONFIG}" ${targets} --verbose_failures 2>&1 | tee "$log_file"
+
+ build_command="bazel build \
+ --config '${CONFIG}' \
+ ${targets} \
+ --verbose_failures \
+ --spawn_strategy=local \
+ --nouse_action_cache \
+ --noremote_accept_cached \
+ --noremote_upload_local_results \
+ --disk_cache= \
+ 2>&1 | tee \\\"${log_file}\\\""
+
+ codeql database create "${db_path}" \
+ --language="${CODEQL_LANGUAGE}" \
+ --command="bash -c \"${build_command}\"" \
+ --overwrite \
+ || { echo "CodeQL database creation failed for ${group}"; exit 1; }
+
+ build_status=${PIPESTATUS[0]}
 # Track if any build group failed
 if [[ ${build_status} -ne 0 ]]; then
@@ -133,6 +199,24 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 d_count=$(depr_count "$log_file")
 overall_warn_total=$(( overall_warn_total + w_count ))
 overall_depr_total=$(( overall_depr_total + d_count ))
+
+ # Shutdown Bazel again after the traced build
+ echo "Running 'bazel shutdown' after CodeQL database creation..."
+ bazel shutdown || { echo "Bazel shutdown failed after tracing for ${group}"; exit 1; }
+
+ # 4. Analyze the created database
+ echo "Analyzing CodeQL database for ${group}..."
+ codeql database analyze "${DB_PATH}" \
+ --format=sarifv2.1.0 \
+ --output="${SARIF_OUTPUT}" \
+ --sarif-category="${group}-${CODEQL_LANGUAGE}" \
+ --packs "${CODEQL_QUERY_PACKS}" \
+ || { echo "CodeQL analysis failed for ${group}"; exit 1; }
+
+ echo "CodeQL analysis for ${group} complete. Results saved to: ${SARIF_OUTPUT}"
+ echo ""
+
+
 # Append as a markdown table row (duration without trailing 's')
 if [[ ${build_status} -eq 0 ]]; then
 status_symbol="✅"
From 00d9e86be0d90b1d50fabd1043ac552f846a7934 Mon Sep 17 00:00:00 2001
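Review bot: `build_status=${PIPESTATUS[0]}` now follows `codeql database create … || { …; exit 1; }`, so it can only ever hold codeql's status (0, since any other value has already exited the script) and no longer reflects the bazel build: the `bazel … 2>&1 | tee` pipeline runs inside `bash -c` without `pipefail`, where tee's 0 masks a failed build, so a broken group still gets ✅ in the summary unless codeql itself fails. Prefix the wrapped command with pipefail (`build_command="set -o pipefail; bazel build \`) and take the status explicitly, `codeql database create … --overwrite` followed by `build_status=$?`, dropping the `|| exit 1` so the `set +e` above keeps its meaning and a failed group is recorded rather than aborting the whole run. Separately, `${CONFIG}` (presumably set by the argument parsing above) and `${targets}` are spliced into a string that `bash -c` re-parses, so a value containing `'` or `$(…)` becomes shell code; `--config $(printf '%q' "${CONFIG}")` instead of `--config '${CONFIG}'` closes that for the option that comes from the command line. The `for group` loop enclosing this hunk starts and ends outside it.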
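Review bot: `codeql database analyze "${DB_PATH}"` and `--output="${SARIF_OUTPUT}"` reference upper-case names, but the variables the loop defines are `db_path` and `sarif_output` (lower-case, in the hunk above); bash is case-sensitive, so unless `set -u` aborts first the analyze step is handed an empty database path and an empty output path, and the "Results saved to:" line prints nothing. Change the three uses to `codeql database analyze "${db_path}" \`, `--output="${sarif_output}" \` and `Results saved to: ${sarif_output}`. The `|| { …; exit 1; }` on the analyze step also leaves the loop before this group's summary row is appended, which appears inconsistent with the build-failure path a few lines up that records `build_status` and carries on. The enclosing `for group` loop continues past this hunk.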
From: Frank Scholter Peres
Date: Tue, 2 Dec 2025 12:50:38 +0100
Subject: [PATCH 2/4] try to fix isolation
---
 integration_test.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/integration_test.sh b/integration_test.sh
index c36aecc2f..c2ae4240d 100755
--- a/integration_test.sh
+++ b/integration_test.sh
@@ -154,11 +154,13 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 db_path="${CODEQL_DATABASES_DIR}/${group}_db"
 sarif_output="${CODEQL_SARIF_DIR}/${group}.sarif"
-
+ current_bazel_output_base="/tmp/codeql_bazel_output_${group}_$(date +%s%N)" # Add timestamp for extra uniqueness
+
+
 # 1. Clean Bazel to ensure a fresh build for CodeQL tracing
 echo "Running 'bazel clean --expunge' and 'bazel shutdown'..."
- bazel clean --expunge || { echo "Bazel clean failed for ${group}"; exit 1; }
- bazel shutdown || { echo "Bazel shutdown failed for ${group}"; exit 1; }
+ bazel clean --expunge --output_base="${current_bazel_output_base}" || { echo "Bazel clean failed for ${group}"; exit 1; }
+ bazel shutdown --output_base="${current_bazel_output_base}" || { echo "Bazel shutdown failed for ${group}"; exit 1; }
 # Log build group banner only to stdout/stderr (not into summary table file)
 echo "--- Building group: ${group} ---"
@@ -169,6 +171,7 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 set +e
 build_command="bazel build \
+ --output_base=\\\"${current_bazel_output_base}\\\" \
 --config '${CONFIG}' \
 ${targets} \
 --verbose_failures \
From 81b19b6db138d2c6fe13c3bd0e1672dd5c961039 Mon Sep 17 00:00:00 2001
From: Frank Scholter Peres
Date: Tue, 2 Dec 2025 12:02:29 +0000
Subject: [PATCH 3/4] fix: isolation
---
 integration_test.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/integration_test.sh b/integration_test.sh
index c2ae4240d..a2108638c 100755
--- a/integration_test.sh
+++ b/integration_test.sh
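Review bot: `current_bazel_output_base="/tmp/codeql_bazel_output_${group}_$(date +%s%N)"` is a predictable name in a world-writable directory: on a shared runner another local user can pre-create or symlink that path (the nanosecond stamp narrows the race but does not remove it), and the `clean --expunge` that follows will then operate on whatever it points at. Use `mktemp -d` so the directory is created atomically with a private mode: `current_bazel_output_base=$(mktemp -d "${TMPDIR:-/tmp}/codeql_bazel_output_${group}.XXXXXX") || { echo "mktemp failed for ${group}"; exit 1; }`. Nothing in this series removes these directories, so every run leaves one full Bazel output base per group in /tmp; an explicit `rm -rf -- "${current_bazel_output_base:?}"` after the group's final shutdown would keep the runner from filling up. The `for group` loop enclosing this hunk starts and ends outside it.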
@@ -159,8 +159,8 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 # 1. Clean Bazel to ensure a fresh build for CodeQL tracing
 echo "Running 'bazel clean --expunge' and 'bazel shutdown'..."
- bazel clean --expunge --output_base="${current_bazel_output_base}" || { echo "Bazel clean failed for ${group}"; exit 1; }
- bazel shutdown --output_base="${current_bazel_output_base}" || { echo "Bazel shutdown failed for ${group}"; exit 1; }
+ bazel --output_base="${current_bazel_output_base}" clean --expunge || { echo "Bazel clean failed for ${group}"; exit 1; }
+ bazel --output_base="${current_bazel_output_base}" shutdown || { echo "Bazel shutdown failed for ${group}"; exit 1; }
 # Log build group banner only to stdout/stderr (not into summary table file)
 echo "--- Building group: ${group} ---"
@@ -170,8 +170,7 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 echo "::group::Bazel build (${group})"
 set +e
- build_command="bazel build \
- --output_base=\\\"${current_bazel_output_base}\\\" \
+ build_command="bazel --output_base=\\\"${current_bazel_output_base}\\\" build \
 --config '${CONFIG}' \
 ${targets} \
 --verbose_failures \
From 3b8b03b2f303c4e00a96ebe19a276a37e7c637c4 Mon Sep 17 00:00:00 2001
From: Frank Scholter Peres
Date: Tue, 2 Dec 2025 16:01:33 +0000
Subject: [PATCH 4/4] reduced to one lib to test
---
 integration_test.sh | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/integration_test.sh b/integration_test.sh
index a2108638c..748be85a2 100755
--- a/integration_test.sh
+++ b/integration_test.sh
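Review bot: With `--output_base` now correctly placed as a startup option, `bazel --output_base="${current_bazel_output_base}" clean --expunge` runs against a directory that, if `current_bazel_output_base` is still the freshly-stamped per-group path from the previous patch, has never been used: it starts a server only to delete an empty tree and shut it down again on the next line. If the goal is a cold build per group, the fresh output base already provides that and the clean/shutdown pair can go; if a reused base is ever intended, keep the clean but say why with `# Fresh output base per group; expunge only matters if a base is reused`. The enclosing `for group` loop continues outside this hunk.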
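Review bot: `build_command="bazel --output_base=\\\"${current_bazel_output_base}\\\" build \` depends on two rounds of parsing: inside the double-quoted assignment `\\\"` collapses to `\"`, so the variable holds `--output_base=\"/tmp/...\"`, which is only valid because `bash -c` re-parses it later; if that wrapper is ever dropped or the path gains a space, the literal quote characters end up in the output base name. `printf '%q'` produces a correctly escaped word for whichever shell re-reads the string, so `build_command="bazel --output_base=$(printf '%q' "${current_bazel_output_base}") build \` removes the hand-counted backslashes. The rest of the assignment and the enclosing loop lie outside this hunk.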
@@ -28,12 +28,12 @@ CODEQL_URL="https://github.com/github/codeql-cli-binaries/releases/download/${CO
 # maybe move this to known_good.json or a config file later
 declare -A BUILD_TARGET_GROUPS=(
 [score_baselibs]="@score_baselibs//score/..."
- [score_communication]="@score_communication//score/mw/com:com"
- [score_persistency]="@score_persistency//src/cpp/src/... @score_persistency//src/rust/..."
+ #[score_communication]="@score_communication//score/mw/com:com"
+ #[score_persistency]="@score_persistency//src/cpp/src/... @score_persistency//src/rust/..."
 #[score_logging]="@score_logging//src/..."
- [score_orchestrator]="@score_orchestrator//src/..."
- [score_test_scenarios]="@score_test_scenarios//..."
- [score_feo]="@score_feo//..."
+ #[score_orchestrator]="@score_orchestrator//src/..."
+ #[score_test_scenarios]="@score_test_scenarios//..."
+ #[score_feo]="@score_feo//..."
 )
@@ -171,19 +171,17 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
 set +e
 build_command="bazel --output_base=\\\"${current_bazel_output_base}\\\" build \
- --config '${CONFIG}' \
 ${targets} \
 --verbose_failures \
- --spawn_strategy=local \
+ --spawn_strategy=standalone \
 --nouse_action_cache \
 --noremote_accept_cached \
 --noremote_upload_local_results \
- --disk_cache= \
- 2>&1 | tee \\\"${log_file}\\\""
+ --disk_cache= ${targets}"
 codeql database create "${db_path}" \
 --language="${CODEQL_LANGUAGE}" \
- --command="bash -c \"${build_command}\"" \
+ --command="${build_command}" \
 --overwrite \
 || { echo "CodeQL database creation failed for ${group}"; exit 1; }
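Review bot: Commenting out five of the six entries in `BUILD_TARGET_GROUPS` ("reduced to one lib to test") changes what every run of this script covers, not just the author's local iteration, and the summary gives no hint that groups were skipped. If a single-group mode is needed for development, select it at runtime instead of editing the table, e.g. right after the declaration: `if [[ -n "${ONLY_GROUP:-}" ]]; then BUILD_TARGET_GROUPS=([${ONLY_GROUP}]="${BUILD_TARGET_GROUPS[${ONLY_GROUP}]}"); fi`, and keep the full table committed. If the reduction is meant to land as-is, the `# maybe move this …` comment above the table should state why the other groups are disabled rather than leaving that to the commit message.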
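Review bot: Dropping `2>&1 | tee \\\"${log_file}\\\"` from the command means nothing in this hunk writes `${log_file}` any more, while the `warn_count`/`depr_count` calls further down the loop (added in the first patch) still read it, so the warning totals come from a stale file or an error unless the log is written somewhere outside the hunk; and `${targets}` is now passed twice, once on its own line and again after `--disk_cache=`. `--command="${build_command}"` also hands codeql a string containing the `\"`-escaped `--output_base` that was written for `bash -c` to re-parse; how codeql's own tokenizer treats those backslashes is not visible here, so the output base may end up with literal quote characters in its name. Writing the build into a small script and passing that as the command keeps the log, a single `${targets}`, and ordinary shell quoting. The trailing context of this hunk and the loop body continue past the visible end.
```shell
    build_script="${CODEQL_WORK_DIR}/${group}_build.sh"
    {
      printf 'set -o pipefail\n'
      printf 'bazel --output_base=%q build %s --verbose_failures --spawn_strategy=standalone --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --disk_cache= 2>&1 | tee %q\n' \
        "${current_bazel_output_base}" "${targets}" "${log_file}"
    } > "${build_script}"

    codeql database create "${db_path}" \
      --language="${CODEQL_LANGUAGE}" \
      --command="bash ${build_script}" \
      --overwrite \
    # … unchanged: the failure branch …
```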