Refactor CodeQL CI (#3319)

- Move CodeQL scripts to the scripts directory
- Only report an error in CI if the issue was reported by CodeQL, was not
  dismissed before, and is likely to be an actual error
TianlongLiang
2024-04-16 16:32:47 +08:00
committed by GitHub
parent 42199f163e
commit 30426be82c
4 changed files with 134 additions and 36 deletions

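--- a/.github/scripts/codeql_buildscript.sh
+++ b/.github/scripts/codeql_buildscript.sh
@@ -0,0 +1,282 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+#
+sudo apt update
+sudo apt install -y build-essential cmake g++-multilib libgcc-11-dev lib32gcc-11-dev ccache ninja-build ccache
+WAMR_DIR=${PWD}
+# TODO: use pre-built llvm binary to build wamrc to
+# avoid static code analysing for llvm
+: '
+# build wamrc
+cd ${WAMR_DIR}/wamr-compiler
+./build_llvm.sh
+rm -fr build && mkdir build && cd build
+cmake ..
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build wamrc!"
+exit 1;
+fi
+'
+# build iwasm with default features enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -fr build && mkdir build && cd build
+cmake ..
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with default features enabled!"
+exit 1;
+fi
+# build iwasm with default features enabled on x86_32
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -fr build && mkdir build && cd build
+cmake .. -DWAMR_BUILD_TARGET=X86_32
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with default features enabled on x86_32!"
+exit 1;
+fi
+# build iwasm with classic interpreter enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_INTERP=0
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with classic interpreter enabled!"
+exit 1;
+fi
+# build iwasm with extra features enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -fr build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug \
+-DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1 \
+-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_SIMD=1 \
+-DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_REF_TYPES=1 \
+-DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_MEMORY_PROFILING=1 \
+-DWAMR_BUILD_PERF_PROFILING=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 \
+-DWAMR_BUILD_LOAD_CUSTOM_SECTION=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build wamrc iwasm with extra features enabled!"
+exit 1;
+fi
+# build iwasm with global heap pool enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -fr build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug \
+-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 \
+-DWAMR_DISABLE_STACK_HW_BOUND_CHECK=1 \
+-DWAMR_BUILD_GLOBAL_HEAP_POOL=1 \
+-DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with global heap pool enabled!"
+exit 1;
+fi
+# build iwasm with wasi-threads enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -fr build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIB_WASI_THREADS=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with wasi-threads enabled!"
+exit 1;
+fi
+# build iwasm with GC enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_GC=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with GC enabled!"
+exit 1;
+fi
+# build iwasm with exception handling enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_EXCE_HANDLING=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with exception handling enabled!"
+exit 1;
+fi
+# build iwasm with memory64 enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MEMORY64=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with memory64 enabled!"
+exit 1;
+fi
+# build iwasm with hardware boundary check disabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_HW_BOUND_CHECK=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with hardware boundary check disabled!"
+exit 1;
+fi
+# build iwasm with quick AOT entry disabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_QUICK_AOT_ENTRY=0
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with quick AOT entry disabled!"
+exit 1;
+fi
+# build iwasm with wakeup of blocking operations disabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with wakeup of blocking operations disabled!"
+exit 1;
+fi
+# build iwasm with module instance context disabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MODULE_INST_CONTEXT=0 \
+-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_WASI=0
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with module instance context disabled!"
+exit 1;
+fi
+# build iwasm with libc-uvwasi enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -fr build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIBC_UVWASI=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with libc-uvwasi enabled!"
+exit 1;
+fi
+# build iwasm with fast jit lazy mode enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with fast jit lazy mode enabled!"
+exit 1;
+fi
+# build iwasm with fast jit eager mode enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with fast jit eager mode enabled!"
+exit 1;
+fi
+# TODO: use pre-built llvm binary to build llvm-jit and multi-tier-jit
+: '
+# build iwasm with llvm jit lazy mode enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build llvm jit lazy mode enabled!"
+exit 1;
+fi
+# build iwasm with llvm jit eager mode enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build llvm jit eager mode enabled!"
+exit 1;
+fi
+# build iwasm with multi-tier jit enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_JIT=1 \
+-DWAMR_BUILD_FAST_JIT_DUMP=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with multi-tier jit enabled!"
+exit 1;
+fi
+'
+# build iwasm with wasm mini-loader enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MINI_LOADER=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build with wasm mini-loader enabled!"
+exit 1;
+fi
+# build iwasm with source debugging enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with source debugging enabled!"
+exit 1;
+fi
+# build iwasm with AOT static PGO enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_STATIC_PGO=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with AOT static PGO enabled!"
+exit 1;
+fi
+# build iwasm with configurable bounds checks enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_CONFIGUABLE_BOUNDS_CHECKS=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with configurable bounds checks enabled!"
+exit 1;
+fi
+# build iwasm with linux perf support enabled
+cd ${WAMR_DIR}/product-mini/platforms/linux/
+rm -rf build && mkdir build && cd build
+cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LINUX_PERF=1
+make -j
+if [[ $? != 0 ]]; then
+echo "Failed to build iwasm with linux perf support enabled!"
+exit 1;
+fi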
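Review bot: None of the `cd ${WAMR_DIR}/product-mini/platforms/linux` steps is checked and the script never enables `set -e`, so if a `cd` fails (for instance because the script was started from a directory other than the repository root, given `WAMR_DIR=${PWD}` on the line after the apt install) the following `rm -fr build && mkdir build && cd build` and `cmake ..` run in whatever directory the shell happens to be in, and only the later `make -j` status is inspected. Adding `set -euo pipefail` directly after the license header, or writing each step as `cd "${WAMR_DIR}/product-mini/platforms/linux" || exit 1`, makes such a failure stop the script instead of silently building the wrong tree. Two smaller points: the `sudo apt install -y ...` line lists `ccache` twice, and the "fast jit lazy mode" and "fast jit eager mode" configurations pass identical cmake flags (`-DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1` in both), so presumably one of them is missing its distinguishing option or is redundant.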

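--- a/.github/scripts/codeql_fail_on_error.py
+++ b/.github/scripts/codeql_fail_on_error.py
@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+#
+import json
+import sys
+import os
+import requests
+def fetch_dismissed_alerts(repo_name, github_token):
+headers = {
+"Authorization": f"token {github_token}",
+"Accept": "application/vnd.github.v3+json",
+}
+url = (
+f"https://api.github.com/repos/{repo_name}/code-scanning/alerts?state=dismissed"
+)
+response = requests.get(url, headers=headers)
+return response.json() # This assumes a successful API call
+def parse_location(location):
+path = location.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
+start_line = location.get("physicalLocation", {}).get("region", {}).get("startLine")
+column_range = (
+location.get("physicalLocation", {}).get("region", {}).get("startColumn"),
+location.get("physicalLocation", {}).get("region", {}).get("endColumn"),
+)
+return (path, start_line, column_range)
+def is_dismissed(rule_id, path, start_line, column_range, dismissed_alerts):
+for alert in dismissed_alerts:
+alert_rule_id = alert.get("rule", {}).get("id")
+alert_path = alert.get("location", {}).get("path")
+alert_start_line = alert.get("location", {}).get("start_line")
+alert_column_range = (
+alert.get("location", {}).get("start_column"),
+alert.get("location", {}).get("end_column"),
+)
+if (
+rule_id == alert_rule_id
+and path == alert_path
+and start_line == alert_start_line
+and column_range == alert_column_range
+):
+return True
+return False
+# Return whether SARIF file contains error-level results
+def codeql_sarif_contain_error(filename, dismissed_alerts):
+has_error = False
+with open(filename, "r") as f:
+s = json.load(f)
+for run in s.get("runs", []):
+rules_metadata = run["tool"]["driver"]["rules"]
+if not rules_metadata:
+rules_metadata = run["tool"]["extensions"][0]["rules"]
+for res in run.get("results", []):
+if "ruleIndex" in res:
+rule_index = res["ruleIndex"]
+elif "rule" in res and "index" in res["rule"]:
+rule_index = res["rule"]["index"]
+else:
+continue
+# check whether it's dismissed before
+rule_id = res["ruleId"]
+path, start_line, column_range = parse_location(res["locations"][0])
+# the source code is from dependencies
+if "_deps" in path:
+continue
+if is_dismissed(rule_id, path, start_line, column_range, dismissed_alerts):
+print(
+f"====== Finding a dismissed entry: {rule_id} at {path}:{start_line} is dismissed.======"
+)
+print(res)
+continue
+try:
+rule_level = rules_metadata[rule_index]["defaultConfiguration"]["level"]
+except IndexError as e:
+print(e, rule_index, len(rules_metadata))
+else:
+if rule_level == "error":
+# very likely to be an actual error
+if rules_metadata[rule_index]["properties"].get("precision") in [
+"high",
+"very-high",
+]:
+# the security severity is above medium(Common Vulnerability Scoring System (CVSS) >= 4.0)
+if "security-severity" in rules_metadata[rule_index][
+"properties"
+] and (
+float(
+rules_metadata[rule_index]["properties"][
+"security-severity"
+]
+)
+> 4.0
+):
+print("====== Finding a likely error. ======")
+print(res)
+has_error = True
+return has_error
+if __name__ == "__main__":
+GITHUB_TOKEN = os.getenv("GITHUB_TOKEN")
+GITHUB_REPOSITORY = os.getenv("GITHUB_REPOSITORY")
+dismissed_alerts = fetch_dismissed_alerts(GITHUB_REPOSITORY, GITHUB_TOKEN)
+if codeql_sarif_contain_error(sys.argv[1], dismissed_alerts):
+sys.exit(1)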
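Review bot: `fetch_dismissed_alerts` returns `response.json()` without checking the HTTP status (the trailing comment even says it assumes success), so a missing or expired `GITHUB_TOKEN` produces an error object rather than a list, and the later `alert.get(...)` calls in `is_dismissed` then fail with an AttributeError instead of a readable message. Even on success only the first page of the alerts endpoint is read, so a dismissed alert beyond the default page size is not recognised and is reported as a new error, which defeats the dismissal logic this commit introduces. Calling `response.raise_for_status()` and following the `next` link in `response.links` addresses both; a rewrite of the function is below. Separately, `parse_location` can return `None` for `path` when the SARIF result has no `artifactLocation`, and `"_deps" in path` then raises TypeError; `if path is None or "_deps" in path: continue` would skip such results instead.
```python
def fetch_dismissed_alerts(repo_name, github_token):
    headers = {
        "Authorization": f"token {github_token}",
        "Accept": "application/vnd.github.v3+json",
    }
    url = f"https://api.github.com/repos/{repo_name}/code-scanning/alerts"
    params = {"state": "dismissed", "per_page": 100}
    alerts = []
    while url:
        response = requests.get(url, headers=headers, params=params)
        # fail loudly on 401/403/404 rather than treating the error body as alerts
        response.raise_for_status()
        alerts.extend(response.json())
        # follow pagination so dismissed alerts past the first page are included
        url = response.links.get("next", {}).get("url")
        params = None
    return alerts
```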