

2 Commits

liang.he
57131bd3c1
Merge 915b00e980 into fbd27e5e03 2025-07-09 14:09:24 +08:00
liang.he@intel.com
915b00e980 Use a customized codeql configration
- Specifying directories to scan
- Refactor build script for WAMR project
  - add functions for wamrc and iwasm builds
  - streamline options handling
  - include LLVM installation steps.
- Filter out source code related to dependencies, testing,
  and wasm applications
- Exclude unimportant issues and coding style problems
2025-07-03 08:13:05 +00:00
3 changed files with 251 additions and 381 deletions

46
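--- /dev/null
+++ b/.github/codeql/codeql_config.yml
@@ -0,0 +1,46 @@
+# Copyright (C) 2019 Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+paths:
+- .github
+- core/iwasm
+- core/shared/platform/common/
+- core/shared/platform/include/
+- core/shared/platform/linux/
+- product-mini/platforms/common/
+- product-mini/platforms/linux/
+# TODO: add other platforms back if able to do cross-compilation
+# - product-mini/platforms/
+# TODO: add samples back after buildscript modification
+# - need to ignore workloads and wasm-apps
+# - samples
+- wamr-compiler/
+paths-ignore:
+# always ignore build
+- '**/build/**'
+- '**/test*/**'
+- '**/wasm-app*/**'
+- core/deps/
+# platform specific
+- core/iwasm/aot/arch/aot_reloc_aarch64.c
+- core/iwasm/aot/arch/aot_reloc_arc.c
+- core/iwasm/aot/arch/aot_reloc_arm.c
+- core/iwasm/aot/arch/aot_reloc_dummy.c
+- core/iwasm/aot/arch/aot_reloc_mips.c
+- core/iwasm/aot/arch/aot_reloc_riscv.c
+- core/iwasm/aot/arch/aot_reloc_thumb.c
+- core/iwasm/aot/arch/aot_reloc_xtensa.c
+- core/iwasm/libraries/lib-rats/
+- core/iwasm/libraries/lib-socket/
+- core/iwasm/libraries/lib-wasi-threads/*-test/
+- core/shared/platform/common/freertos/
+- core/shared/platform/common/math/
+#TODO: add me back if lldb libraries installed
+- core/iwasm/compilation/debug/
+# spend disk space and slow
+- core/iwasm/libraries/wasi-nn/src/wasi_nn_tflite*
+#TODO: add me back if openvino installed
+- core/iwasm/libraries/wasi-nn/src/wasi_nn_openvino*
+# for wasm
+- core/iwasm/libraries/wasi-nn/include/wasi_nn.h
+# reference
+- core/iwasm/common/arch/invokeNative_general.c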
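Review bot: The `paths-ignore` entries for `core/iwasm/libraries/lib-rats/` and `core/iwasm/libraries/lib-socket/` sit under the `# platform specific` heading, which does not explain why two libraries that deal with attestation and network sockets are dropped from the report; if they are wasm-side sources (like the `# for wasm` entry further down) or simply not built by the CodeQL build script, the comment should say which, e.g. `# not compiled by codeql_buildscript.sh; re-add once the build covers them`. Also worth noting in a header comment: for C/C++ my reading of the CodeQL docs is that `paths`/`paths-ignore` in this config file filter the reported alerts rather than what the extractor captures, so coverage is really decided by what the build script compiles — confirm against the pinned `codeql-action` version. The two `#TODO:` comments (before `core/iwasm/compilation/debug/` and `wasi_nn_openvino*`) lack the space after `#` that every other comment in the file uses.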


@ -5,308 +5,117 @@
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
# #
sudo apt update # This script is used to build the WAMR project for CodeQL analysis.
sudo apt install -y build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build # Pre-requisites
sudo apt -qq update
sudo apt install -y -qq build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build
LLVM_VER=18.1.8
pushd /opt
sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VER}/clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04.tar.xz \
&& tar -xf clang+llvm-x86_64-linux-gnu.tar.xz \
&& mv clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04 llvm-${LLVM_VER}
popd
# libtinfo.so.5 for /opt/llvm-18.1.8/lib/libomptarget.rtl.amdgpu.so.18.1
sudo apt -qq update
wget http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb
sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb
# Start the build process
WAMR_DIR=${PWD} WAMR_DIR=${PWD}
LLVM_DIR=/opt/llvm-${LLVM_VER}/lib/cmake/llvm
# TODO: use pre-built llvm binary to build wamrc to # Function to build wamrc
# avoid static code analysing for llvm build_wamrc() {
: ' local options="$1"
# build wamrc echo "Building wamrc with options: $options"
cd ${WAMR_DIR}/wamr-compiler
./build_llvm.sh
rm -fr build && mkdir build && cd build
cmake ..
make -j
if [[ $? != 0 ]]; then
echo "Failed to build wamrc!"
exit 1;
fi
'
# build iwasm with default features enabled pushd ${WAMR_DIR}/wamr-compiler
cd ${WAMR_DIR}/product-mini/platforms/linux rm -rf build
rm -fr build && mkdir build && cd build cmake -S . -B build \
cmake .. -G Ninja \
make -j -DCMAKE_BUILD_TYPE=Debug \
if [[ $? != 0 ]]; then -DWAMR_BUILD_WITH_CUSTOM_LLVM=1 -DLLVM_DIR=${LLVM_DIR} \
echo "Failed to build iwasm with default features enabled!" $options
exit 1; cmake --build build --target wamrc --parallel
fi if [[ $? != 0 ]]; then
echo "Failed to build wamrc with options: $options"
exit 1
fi
popd
}
# build iwasm with default features enabled on x86_32 # Function to build iwasm
cd ${WAMR_DIR}/product-mini/platforms/linux build_iwasm() {
rm -fr build && mkdir build && cd build local options="$1"
cmake .. -DWAMR_BUILD_TARGET=X86_32 echo "Building iwasm with options: $options"
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with default features enabled on x86_32!"
exit 1;
fi
# build iwasm with classic interpreter enabled pushd ${WAMR_DIR}/product-mini/platforms/linux
cd ${WAMR_DIR}/product-mini/platforms/linux rm -rf build
rm -rf build && mkdir build && cd build cmake -S . -B build \
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_INTERP=0 -G Ninja \
make -j -DCMAKE_BUILD_TYPE=Debug \
if [[ $? != 0 ]]; then -DLLVM_DIR=${LLVM_DIR} \
echo "Failed to build iwasm with classic interpreter enabled!" $options
exit 1; cmake --build build --target iwasm --parallel
fi if [[ $? != 0 ]]; then
echo "Failed to build iwasm with options: $options"
exit 1
fi
popd
}
# build iwasm with extra features enabled # List of compilation options for wamrc
cd ${WAMR_DIR}/product-mini/platforms/linux wamrc_options_list=(
rm -fr build && mkdir build && cd build #default
cmake .. -DCMAKE_BUILD_TYPE=Debug \ ""
-DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1 \ )
-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_SIMD=1 \
-DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_REF_TYPES=1 \
-DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_MEMORY_PROFILING=1 \
-DWAMR_BUILD_PERF_PROFILING=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 \
-DWAMR_BUILD_LOAD_CUSTOM_SECTION=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build wamrc iwasm with extra features enabled!"
exit 1;
fi
# build iwasm with global heap pool enabled # List of compilation options for iwasm
cd ${WAMR_DIR}/product-mini/platforms/linux iwasm_options_list=(
rm -fr build && mkdir build && cd build #default
cmake .. -DCMAKE_BUILD_TYPE=Debug \ ""
-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 \ # +classic interp
-DWAMR_DISABLE_STACK_HW_BOUND_CHECK=1 \ "-DWAMR_BUILD_FAST_INTERP=0"
-DWAMR_BUILD_GLOBAL_HEAP_POOL=1 \ # +llvm jit + fast jit
-DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072 "-DWAMR_BUILD_JIT=1 -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1"
make -j #
if [[ $? != 0 ]]; then "-DWAMR_BUILD_TARGET=X86_32"
echo "Failed to build iwasm with global heap pool enabled!" #
exit 1; # libraries
fi "-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_UVWASI=1 -DWAMR_BUILD_LIBC_EMCC=1"
"-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
"-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_WASI_THREADS=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
"-DWAMR_BUILD_WASI_NN=1 -DWAMR_BUILD_WASI_NN_LLAMACPP=1"
#
# Wasm specs
"-DWAMR_BUILD_GC=1 -DWAMR_BUILD_EXCE_HANDLING=1 -DWAMR_BUILD_STRINGREF=1 -DWAMR_STRINGREF_IMPL_SOURCE=STUB"
"-DWAMR_BUILD_MEMORY64=1 -DWAMR_BUILD_MULTI_MEMORY=1"
#
# WARM features
"-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_MINI_LOADER=1 -DWAMR_BUILD_SHARED_HEAP=1"
"-DWAMR_DISABLE_HW_BOUND_CHECK=1"
"-DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1"
# - Debug
"-DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1 -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1"
# - developer options
"-DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 -DWAMR_BUILD_LINUX_PERF=1 -DWAMR_BUILD_AOT_VALIDATOR=1 -DWAMR_BUILD_MEMORY_PROFILING=1 -DWAMR_BUILD_PERF_PROFILING=1"
# - global heap
"-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072"
"-DWAMR_BUILD_QUICK_AOT_ENTRY=0 -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1 -DWAMR_BUILD_MODULE_INST_CONTEXT=0"
# - pgo
"-DWAMR_BUILD_STATIC_PGO=1"
# TODO: SGX specifics.
)
# build iwasm with wasi-threads enabled # Loop through all iwasm options and build
cd ${WAMR_DIR}/product-mini/platforms/linux for options in "${iwasm_options_list[@]}"; do
rm -fr build && mkdir build && cd build build_iwasm "$options"
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIB_WASI_THREADS=1 done
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with wasi-threads enabled!"
exit 1;
fi
# build iwasm with GC enabled # Loop through all wamrc options and build
cd ${WAMR_DIR}/product-mini/platforms/linux for options in "${wamrc_options_list[@]}"; do
rm -rf build && mkdir build && cd build build_wamrc "$options"
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_GC=1 done
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with GC enabled!"
exit 1;
fi
# build iwasm with exception handling enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_EXCE_HANDLING=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with exception handling enabled!"
exit 1;
fi
# build iwasm with memory64 enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MEMORY64=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with memory64 enabled!"
exit 1;
fi
# build iwasm with multi-memory enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MULTI_MEMORY=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with multi-memory enabled!"
exit 1;
fi
# build iwasm with hardware boundary check disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_HW_BOUND_CHECK=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with hardware boundary check disabled!"
exit 1;
fi
# build iwasm with quick AOT entry disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_QUICK_AOT_ENTRY=0
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with quick AOT entry disabled!"
exit 1;
fi
# build iwasm with wakeup of blocking operations disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with wakeup of blocking operations disabled!"
exit 1;
fi
# build iwasm with module instance context disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MODULE_INST_CONTEXT=0 \
-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_WASI=0
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with module instance context disabled!"
exit 1;
fi
# build iwasm with libc-uvwasi enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -fr build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIBC_UVWASI=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with libc-uvwasi enabled!"
exit 1;
fi
# build iwasm with fast jit lazy mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with fast jit lazy mode enabled!"
exit 1;
fi
# build iwasm with fast jit eager mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with fast jit eager mode enabled!"
exit 1;
fi
# TODO: use pre-built llvm binary to build llvm-jit and multi-tier-jit
: '
# build iwasm with llvm jit lazy mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build llvm jit lazy mode enabled!"
exit 1;
fi
# build iwasm with llvm jit eager mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0
make -j
if [[ $? != 0 ]]; then
echo "Failed to build llvm jit eager mode enabled!"
exit 1;
fi
# build iwasm with multi-tier jit enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_JIT=1 \
-DWAMR_BUILD_FAST_JIT_DUMP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with multi-tier jit enabled!"
exit 1;
fi
'
# build iwasm with wasm mini-loader enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MINI_LOADER=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build with wasm mini-loader enabled!"
exit 1;
fi
# build iwasm with source debugging enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with source debugging enabled!"
exit 1;
fi
# build iwasm with AOT static PGO enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_STATIC_PGO=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with AOT static PGO enabled!"
exit 1;
fi
# build iwasm with configurable bounds checks enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with configurable bounds checks enabled!"
exit 1;
fi
# build iwasm with linux perf support enabled
cd ${WAMR_DIR}/product-mini/platforms/linux/
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LINUX_PERF=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with linux perf support enabled!"
exit 1;
fi
# build iwasm with shared heap enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_SHARED_HEAP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with shared heap enabled!"
exit 1;
fi
# build iwasm with dynamic aot debug enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm dynamic aot debug enabled!"
exit 1;
fi
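Review bot: Neither download in the new pre-requisites block is integrity-checked: the LLVM tarball is fetched with `sudo wget` and unpacked straight into `/opt`, and `libtinfo5_6.3-2ubuntu0.1_amd64.deb` is fetched over plain `http://` and installed with `sudo apt install ./…`, which performs no repository-signature check for a local .deb. Pin the expected digests and verify before use, e.g. `echo "<LLVM_TARBALL_SHA256_PLACEHOLDER>  clang+llvm-x86_64-linux-gnu.tar.xz" | sha256sum -c -` between the `wget` and the `tar -xf`, the same for the .deb, and switch the `http://security.ubuntu.com` URL to `https://`. The `pushd /opt` block also continues past a failed download, since only the `wget && tar && mv` chain is guarded and `popd` and everything after it run regardless; unless the script's first four lines (outside this hunk) set `set -e`, a failed fetch leaves `LLVM_DIR` pointing at a missing directory and only surfaces later as a cmake failure inside `build_wamrc`. The file header with any `set` options is outside the hunk.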


@ -1,29 +1,24 @@
# For most projects, this workflow file will not need changing; you simply need # Copyright (C) 2019 Intel Corporation. All rights reserved.
# to commit it to your repository. # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
name: "CodeQL" name: "CodeQL"
on: on:
#pull_request: # run on every push to the feature-development branch
# types: # the main branch is covered by below cron plan
# - opened push:
# branches: '*' branches:
#push: - dev/**
# branches: [ "main" ] # midnight UTC on the latest commit on the main branch
# midnight UTC
schedule: schedule:
- cron: '0 0 * * *' - cron: "0 0 * * *"
# allow to be triggered manually # allow to be triggered manually
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
analyze: analyze:
# only run this job if the repository is not a fork
# if want to run this job on a fork, please remove the if condition
if: github.repository == 'bytecodealliance/wasm-micro-runtime' if: github.repository == 'bytecodealliance/wasm-micro-runtime'
name: Analyze name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see: # Runner size impacts CodeQL analysis time. To learn more, please see:
@ -31,14 +26,15 @@ jobs:
# - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners # - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements. # Consider using larger runners for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }} # But it is not free, so please be aware of the cost.
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} runs-on: ubuntu-22.04
timeout-minutes: 360
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
language: [ 'cpp' ] #TODO: add actions
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] language: ["cpp"]
permissions: permissions:
contents: read contents: read
@ -46,76 +42,95 @@ jobs:
security-events: write security-events: write
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@v3
with: with:
submodules: recursive submodules: recursive
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3.29.1 uses: github/codeql-action/init@v3.29.1
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
queries: security-and-quality
config-file: ./.github/codeql/codeql_config.yml
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - run: |
# queries: security-extended,security-and-quality ./.github/scripts/codeql_buildscript.sh
queries: security-and-quality
# Command-line programs to run using the OS shell. - name: Perform CodeQL Analysis
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun uses: github/codeql-action/analyze@v3.29.1
with:
category: "/language:${{matrix.language}}"
upload: false
id: step1
# If the Autobuild fails above, remove it and uncomment the following three lines. # - cpp/alloca-in-loop is about touch_pages() which is intended to
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. # - cpp/command-line-injection is about bh_system() which is used to
# - cpp/path-injection is used in bh_read_file_to_buffer() to load a .wasm.
# or operate a stack usage file which is not sensitive or generate a .aot
# - cpp/suspicious-pointer-scaling
# - wasm_runtime_invoke_native() used to trivial registers
# - cpp/uncontrolled-process-operation is about dlopen() which is used by
# native libraries registrations.
# - cpp/world-writable-file-creation is about fopen() a temporary file
# for perf-PID.map or .aot(wamrc). The permission isn't sensitive.
# file.
#
# execute customized compiler
- name: Filter out unwanted errors and warnings
uses: advanced-security/filter-sarif@v1
with:
patterns: |
## Exclude files and directories
-**/build/**
-**/core/deps/**
-**/cmake*/Modules/**
-**/test*/**
-**/wasm-app*/**
## Exclude rules 1. Related to formatting, style
-**:cpp/commented-out-code
-**:cpp/complex-condition
-**:cpp/empty-if
-**:cpp/fixme-comment
-**:cpp/include-non-header
-**:cpp/long-switch
-**:cpp/poorly-documented-function
-**:cpp/trivial-switch
-**:cpp/unused-local-variable
-**:cpp/unused-static-function
-**:cpp/unused-static-variable
-**:cpp/use-of-goto
## Exclude rules 2. Related to special usage of APIs
-**:cpp/alloca-in-loop
-**:cpp/command-line-injection
-**:cpp/path-injection
-core/iwasm/common/wasm_runtime_common.c:cpp/suspicious-pointer-scaling
-**:cpp/uncontrolled-process-operation
-**:cpp/world-writable-file-creation
input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
- run: | - name: Upload CodeQL results to code scanning
./.github/scripts/codeql_buildscript.sh uses: github/codeql-action/upload-sarif@v3.29.1
- name: Perform CodeQL Analysis with:
uses: github/codeql-action/analyze@v3.29.1 sarif_file: ${{ steps.step1.outputs.sarif-output }}
with: category: "/language:${{matrix.language}}"
category: "/language:${{matrix.language}}"
upload: false
id: step1
# Filter out rules with low severity or high false positve rate - name: Upload CodeQL results as an artifact
# Also filter out warnings in third-party code if: success() || failure()
- name: Filter out unwanted errors and warnings uses: actions/upload-artifact@v4.6.2
uses: advanced-security/filter-sarif@v1 with:
with: name: codeql-results
patterns: | path: ${{ steps.step1.outputs.sarif-output }}
-**:cpp/path-injection retention-days: 10
-**:cpp/world-writable-file-creation
-**:cpp/poorly-documented-function
-**:cpp/potentially-dangerous-function
-**:cpp/use-of-goto
-**:cpp/integer-multiplication-cast-to-long
-**:cpp/comparison-with-wider-type
-**:cpp/leap-year/*
-**:cpp/ambiguously-signed-bit-field
-**:cpp/suspicious-pointer-scaling
-**:cpp/suspicious-pointer-scaling-void
-**:cpp/unsigned-comparison-zero
-**/cmake*/Modules/**
input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
- name: Upload CodeQL results to code scanning - name: Fail if an error is found
uses: github/codeql-action/upload-sarif@v3.29.1 run: |
with: ./.github/scripts/codeql_fail_on_error.py \
sarif_file: ${{ steps.step1.outputs.sarif-output }} ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
category: "/language:${{matrix.language}}" env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload CodeQL results as an artifact GITHUB_REPOSITORY: ${{ github.repository }}
if: success() || failure()
uses: actions/upload-artifact@v4.6.2
with:
name: codeql-results
path: ${{ steps.step1.outputs.sarif-output }}
retention-days: 10
- name: Fail if an error is found
run: |
./.github/scripts/codeql_fail_on_error.py \
${{ steps.step1.outputs.sarif-output }}/cpp.sarif
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
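Review bot: The new filter patterns suppress `cpp/command-line-injection`, `cpp/path-injection` and `cpp/uncontrolled-process-operation` repository-wide with `-**:`, while the justification comments above them each name a single sink (`bh_system()`, `bh_read_file_to_buffer()`, `dlopen()`); a future call to `system()`, `dlopen()` or a file-open on attacker-influenced data anywhere else in the scanned tree would then be dropped before anyone sees it. The hunk already shows the file-scoped form for `cpp/suspicious-pointer-scaling` on `core/iwasm/common/wasm_runtime_common.c`; the three injection-class rules should use the same shape, e.g. `-<PATH_OF_FILE_DEFINING_bh_system>:cpp/command-line-injection` (placeholder, substitute the real source path), one line per justified sink. Separately, `advanced-security/filter-sarif@v1` rewrites the SARIF in place (`input` and `output` are the same file) and `actions/checkout@v3` is pinned only to a floating major tag, so both deserve a full commit-SHA pin with the version in a trailing comment, matching the exact-version pinning already used for the `codeql-action` and `upload-artifact` steps.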