Merge a09b6ad6b9 into f4f33b6a76

for test
Use a customized codeql configration
2025-07-11 15:03:33 +00:00 · 2025-05-20 00:34:05 +08:00 · 2025-05-19 01:53:50 +00:00 · 2025-05-19 01:47:47 +00:00
3 changed files with 245 additions and 382 deletions
--- a/.github/codeql/codeql_config.yml
+++ b/.github/codeql/codeql_config.yml
@ -0,0 +1,46 @@
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+paths:
+  - .github
+  - core/iwasm
+  - core/shared/platform/common/
+  - core/shared/platform/include/
+  - core/shared/platform/linux/
+  - product-mini/platforms/common/
+  - product-mini/platforms/linux/
+  # TODO: add other platforms back if able to do cross-compilation
+  # - product-mini/platforms/
+  # TODO: add samples back after buildscript modification
+  # - need to ignore workloads and wasm-apps
+  # - samples
+  - wamr-compiler/
+paths-ignore:
+  # always ignore build
+  - '**/build/**'
+  - '**/test*/**'
+  - '**/wasm-app*/**'
+  - core/deps/
+  # platform specific
+  - core/iwasm/aot/arch/aot_reloc_aarch64.c
+  - core/iwasm/aot/arch/aot_reloc_arc.c
+  - core/iwasm/aot/arch/aot_reloc_arm.c
+  - core/iwasm/aot/arch/aot_reloc_dummy.c
+  - core/iwasm/aot/arch/aot_reloc_mips.c
+  - core/iwasm/aot/arch/aot_reloc_riscv.c
+  - core/iwasm/aot/arch/aot_reloc_thumb.c
+  - core/iwasm/aot/arch/aot_reloc_xtensa.c
+  - core/iwasm/libraries/lib-rats/
+  - core/iwasm/libraries/lib-socket/
+  - core/iwasm/libraries/lib-wasi-threads/*-test/
+  - core/shared/platform/common/freertos/
+  - core/shared/platform/common/math/
+  #TODO: add me back if lldb libraries installed
+  - core/iwasm/compilation/debug/
+  # spend disk space and slow
+  - core/iwasm/libraries/wasi-nn/src/wasi_nn_tflite*
+  #TODO: add me back if openvino installed
+  - core/iwasm/libraries/wasi-nn/src/wasi_nn_openvino*
+  # for wasm
+  - core/iwasm/libraries/wasi-nn/include/wasi_nn.h
+  # reference
+  - core/iwasm/common/arch/invokeNative_general.c
--- a/.github/scripts/codeql_buildscript.sh
+++ b/.github/scripts/codeql_buildscript.sh
@ -5,308 +5,112 @@
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 #

-sudo apt update
+# This script is used to build the WAMR project for CodeQL analysis.

-sudo apt install -y build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build
+# Pre-requisites
+sudo apt -qq update
+sudo apt install -y -qq build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build

+LLVM_VER=15.0.6
+pushd /opt
+sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VER}/clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04.tar.xz \
+  && tar -xf clang+llvm-x86_64-linux-gnu.tar.xz \
+  && mv clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04 llvm-${LLVM_VER}
+popd
+
+# Start the build process
 WAMR_DIR=${PWD}
+LLVM_DIR=/opt/llvm-${LLVM_VER}/lib/cmake/llvm

-# TODO: use pre-built llvm binary to build wamrc to
-#       avoid static code analysing for llvm
-: '
-# build wamrc
-cd ${WAMR_DIR}/wamr-compiler
-./build_llvm.sh
-rm -fr build && mkdir build && cd build
-cmake ..
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build wamrc!"
-    exit 1;
-fi
-'
+# Function to build wamrc
+build_wamrc() {
+    local options="$1"
+    echo "Building wamrc with options: $options"

-# build iwasm with default features enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake ..
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with default features enabled!"
-    exit 1;
-fi
+    pushd ${WAMR_DIR}/wamr-compiler
+    rm -rf build
+    cmake -S . -B build \
+        -G Ninja \
+        -DCMAKE_BUILD_TYPE=Debug \
+        -DWAMR_BUILD_WITH_CUSTOM_LLVM=1 -DLLVM_DIR=${LLVM_DIR} \
+        $options
+    cmake --build build --target wamrc --parallel
+    if [[ $? != 0 ]]; then
+        echo "Failed to build wamrc with options: $options"
+        exit 1
+    fi
+    popd
+}

-# build iwasm with default features enabled on x86_32
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DWAMR_BUILD_TARGET=X86_32
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with default features enabled on x86_32!"
-    exit 1;
-fi
+# Function to build iwasm
+build_iwasm() {
+    local options="$1"
+    echo "Building iwasm with options: $options"

-# build iwasm with classic interpreter enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_INTERP=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with classic interpreter enabled!"
-    exit 1;
-fi
+    pushd ${WAMR_DIR}/product-mini/platforms/linux
+    rm -rf build
+    cmake -S . -B build \
+        -G Ninja \
+        -DCMAKE_BUILD_TYPE=Debug \
+        -DLLVM_DIR=${LLVM_DIR} \
+        $options
+    cmake --build build --target iwasm --parallel
+    if [[ $? != 0 ]]; then
+        echo "Failed to build iwasm with options: $options"
+        exit 1
+    fi
+    popd
+}

-# build iwasm with extra features enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug \
-    -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1 \
-    -DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_SIMD=1 \
-    -DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_REF_TYPES=1 \
-    -DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_MEMORY_PROFILING=1 \
-    -DWAMR_BUILD_PERF_PROFILING=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 \
-    -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build wamrc iwasm with extra features enabled!"
-    exit 1;
-fi
+# List of compilation options for wamrc
+wamrc_options_list=(
+    #default
+    ""
+)

-# build iwasm with global heap pool enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug \
-    -DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 \
-    -DWAMR_DISABLE_STACK_HW_BOUND_CHECK=1 \
-    -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 \
-    -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with global heap pool enabled!"
-    exit 1;
-fi
+# List of compilation options for iwasm
+iwasm_options_list=(
+    #default
+    ""
+    # +classic interp
+    "-DWAMR_BUILD_FAST_INTERP=0"
+    # +llvm jit + fast jit
+    "-DWAMR_BUILD_JIT=1 -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1"
+    #
+    "-DWAMR_BUILD_TARGET=X86_32"
+    #
+    # libraries
+    "-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_UVWASI=1 -DWAMR_BUILD_LIBC_EMCC=1"
+    "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_PTHREAD=1      -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
+    "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_WASI_THREADS=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
+    "-DWAMR_BUILD_WASI_NN=1 -DWAMR_BUILD_WASI_NN_LLAMACPP=1"
+    #
+    # Wasm specs
+    "-DWAMR_BUILD_GC=1 -DWAMR_BUILD_EXCE_HANDLING=1 -DWAMR_BUILD_STRINGREF=1 -DWAMR_STRINGREF_IMPL_SOURCE=STUB"
+    "-DWAMR_BUILD_MEMORY64=1 -DWAMR_BUILD_MULTI_MEMORY=1"
+    #
+    # WARM features
+    "-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_MINI_LOADER=1 -DWAMR_BUILD_SHARED_HEAP=1"
+    "-DWAMR_DISABLE_HW_BOUND_CHECK=1"
+    "-DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1"
+    # - Debug
+    "-DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1 -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1"
+    # - developer options
+    "-DWAMR_BUILD_CUSTOM_NAME_SECTION=1  -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 -DWAMR_BUILD_LINUX_PERF=1 -DWAMR_BUILD_AOT_VALIDATOR=1 -DWAMR_BUILD_MEMORY_PROFILING=1 -DWAMR_BUILD_PERF_PROFILING=1"
+    # - global heap
+    "-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1  -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072"
+    "-DWAMR_BUILD_QUICK_AOT_ENTRY=0 -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1 -DWAMR_BUILD_MODULE_INST_CONTEXT=0"
+    # - pgo
+    "-DWAMR_BUILD_STATIC_PGO=1"
+    # TODO: SGX specifics.
+)

-# build iwasm with wasi-threads enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIB_WASI_THREADS=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with wasi-threads enabled!"
-    exit 1;
-fi
+# Loop through all iwasm options and build
+for options in "${iwasm_options_list[@]}"; do
+    build_iwasm "$options"
+done

-# build iwasm with GC enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_GC=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with GC enabled!"
-    exit 1;
-fi
-
-# build iwasm with exception handling enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_EXCE_HANDLING=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with exception handling enabled!"
-    exit 1;
-fi
-
-# build iwasm with memory64 enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MEMORY64=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with memory64 enabled!"
-    exit 1;
-fi
-
-# build iwasm with multi-memory enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MULTI_MEMORY=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with multi-memory enabled!"
-    exit 1;
-fi
-
-# build iwasm with hardware boundary check disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_HW_BOUND_CHECK=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with hardware boundary check disabled!"
-    exit 1;
-fi
-
-# build iwasm with quick AOT entry disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_QUICK_AOT_ENTRY=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with quick AOT entry disabled!"
-    exit 1;
-fi
-
-# build iwasm with wakeup of blocking operations disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with wakeup of blocking operations disabled!"
-    exit 1;
-fi
-
-# build iwasm with module instance context disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MODULE_INST_CONTEXT=0 \
-         -DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_WASI=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with module instance context disabled!"
-    exit 1;
-fi
-
-# build iwasm with libc-uvwasi enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIBC_UVWASI=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with libc-uvwasi enabled!"
-    exit 1;
-fi
-
-# build iwasm with fast jit lazy mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with fast jit lazy mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with fast jit eager mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with fast jit eager mode enabled!"
-    exit 1;
-fi
-
-# TODO: use pre-built llvm binary to build llvm-jit and multi-tier-jit
-: '
-# build iwasm with llvm jit lazy mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build llvm jit lazy mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with llvm jit eager mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build llvm jit eager mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with multi-tier jit enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_JIT=1 \
-                                    -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with multi-tier jit enabled!"
-    exit 1;
-fi
-'
-
-# build iwasm with wasm mini-loader enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MINI_LOADER=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build with wasm mini-loader enabled!"
-    exit 1;
-fi
-
-# build iwasm with source debugging enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with source debugging enabled!"
-    exit 1;
-fi
-
-# build iwasm with AOT static PGO enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_STATIC_PGO=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with AOT static PGO enabled!"
-    exit 1;
-fi
-
-# build iwasm with configurable bounds checks enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with configurable bounds checks enabled!"
-    exit 1;
-fi
-
-# build iwasm with linux perf support enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux/
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LINUX_PERF=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with linux perf support enabled!"
-    exit 1;
-fi
-
-# build iwasm with shared heap enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_SHARED_HEAP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with shared heap enabled!"
-    exit 1;
-fi
-
-# build iwasm with dynamic aot debug enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm dynamic aot debug enabled!"
-    exit 1;
-fi
+# Loop through all wamrc options and build
+for options in "${wamrc_options_list[@]}"; do
+    build_wamrc "$options"
+done
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -1,44 +1,39 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
 name: "CodeQL"

 on:
-  #pull_request:
-  #  types:
-  #    - opened
-  #  branches: '*'
-  #push:
-  #   branches: [ "main" ]
-  # midnight UTC
+  # run on every push to the feature-development branch
+  # the main branch is covered by below cron plan
+  push:
+    branches:
+      - dev/**
+  # midnight UTC on the latest commit on the main branch
  schedule:
-    - cron: '0 0 * * *'
+    - cron: "0 0 * * *"
  # allow to be triggered manually
  workflow_dispatch:

-permissions:
-  contents: read
-
 jobs:
  analyze:
-    if: github.repository == 'bytecodealliance/wasm-micro-runtime'
+    # only run this job if the repository is not a fork
+    # if want to run this job on a fork, please remove the if condition
+    # if: github.repository == 'bytecodealliance/wasm-micro-runtime'
    name: Analyze
    # Runner size impacts CodeQL analysis time. To learn more, please see:
    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
    #   - https://gh.io/supported-runners-and-hardware-resources
    #   - https://gh.io/using-larger-runners
    # Consider using larger runners for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 360

    strategy:
      fail-fast: false
      matrix:
-        language: [ 'cpp' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        #TODO: add actions
+        language: ["cpp"]

    permissions:
      contents: read
@ -56,19 +51,14 @@ jobs:
        uses: github/codeql-action/init@v3.28.17
        with:
          languages: ${{ matrix.language }}
-
          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
          queries: security-and-quality
-
-    # Command-line programs to run using the OS shell.
-    # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+          config-file: ./.github/codeql/codeql_config.yml

      - run: |
          ./.github/scripts/codeql_buildscript.sh
+
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3.28.17
        with:
@ -76,25 +66,48 @@ jobs:
          upload: false
        id: step1

-    # Filter out rules with low severity or high false positve rate
-    # Also filter out warnings in third-party code
+      # TODO: need to reconsider whether to filter out
+      # those rules after cpp/use-of-goto
+      #
+      # cpp/uncontrolled-process-operation is about dlopen() which is used by
+      # native libraries registrations.
+      #
+      # cpp/alloca-in-loop is about touch_pages() which is intended to
+      #
      - name: Filter out unwanted errors and warnings
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
+            -**/build/**
+            -**/core/deps/**
+            -**/cmake*/Modules/**
+            -**/test*/**
+            -**/wasm-app*/**
+            -**:cpp/commented-out-code
+            -**:cpp/complex-condition
+            -**:cpp/empty-if
+            -**:cpp/fixme-comment
+            -**:cpp/include-non-header
+            -**:cpp/long-switch
+            -**:cpp/poorly-documented-function
+            -**:cpp/trivial-switch
+            -**:cpp/unused-local-variable
+            -**:cpp/unused-static-function
+            -**:cpp/unused-static-variable
+            -**:cpp/use-of-goto
+            -product-mini/platforms/posix/main.c:cpp/uncontrolled-process-operation
+            -wamr-compiler/main.c:cpp/uncontrolled-process-operation
+            -core/shared/platform/common/posix/posix_thread.c:cpp/alloca-in-loop
            -**:cpp/path-injection
            -**:cpp/world-writable-file-creation
-          -**:cpp/poorly-documented-function
            -**:cpp/potentially-dangerous-function
-          -**:cpp/use-of-goto
            -**:cpp/integer-multiplication-cast-to-long
            -**:cpp/comparison-with-wider-type
            -**:cpp/leap-year/*
            -**:cpp/ambiguously-signed-bit-field
            -**:cpp/suspicious-pointer-scaling
            -**:cpp/suspicious-pointer-scaling-void
-          -**:cpp/unsigned-comparison-zero
-          -**/cmake*/Modules/**
+            -**:cpp/unsigne-comparison-zero
          input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
          output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif