From 69e60d50fde93d256e410bc8e2a732e68fe7cb72 Mon Sep 17 00:00:00 2001 From: Federico Zappone Date: Tue, 17 Jan 2023 18:29:18 +0100 Subject: [PATCH 1/6] fixed unwanted execution and wrong database path for p10 analysis --- scrub/tools/templates/codeql.template | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scrub/tools/templates/codeql.template b/scrub/tools/templates/codeql.template index bdbe46c..1a53d94 100644 --- a/scrub/tools/templates/codeql.template +++ b/scrub/tools/templates/codeql.template @@ -39,11 +39,11 @@ do fi # Perform P10 analysis, if desired - if [[ ${{CODEQL_P10_ANALYSIS}} && $language == "cpp" ]]; then - ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif ${{TOOL_ANALYSIS_DIR}}/codeql-database "${{CODEQL_QUERY_PATH}}/cpp/ql/src/Power of 10" "${{CODEQL_QUERY_PATH}}/cpp/ql/src/AlertSuppression.ql" + if [ ${{CODEQL_P10_ANALYSIS}} == true ] && [ $language == "cpp" ]; then + ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif $database "${{CODEQL_QUERY_PATH}}/cpp/ql/src/Power of 10" "${{CODEQL_QUERY_PATH}}/cpp/ql/src/AlertSuppression.ql" # Parse the SARIF P10 results output file into SCRUB format python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_p10_raw.scrub ${{SOURCE_DIR}} scrub fi -done \ No newline at end of file +done From 4d8ded13cbd453ebdd2e4ad0ee7db0a9ab52d12a Mon Sep 17 00:00:00 2001 From: Federico Zappone Date: Sat, 21 Jan 2023 19:50:30 +0100 Subject: [PATCH 2/6] added autosar analysis using codeql opensource coding standards --- scrub/scrub.cfg | 2 ++ scrub/tools/templates/codeql.template | 8 ++++++++ scrub/utils/scrub_defaults.cfg | 4 +++- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/scrub/scrub.cfg b/scrub/scrub.cfg index 6c358b7..27145d2 100644 --- a/scrub/scrub.cfg +++ b/scrub/scrub.cfg 
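Review bot: The new test `[ ${{CODEQL_P10_ANALYSIS}} == true ]` leaves the substituted value unquoted, so an empty or unset value yields a `[: ==: unary operator expected` error from the shell instead of a clean false, and `$language` and the newly introduced `$database` are unquoted as well; write `if [ "${{CODEQL_P10_ANALYSIS}}" == true ] && [ "$language" == "cpp" ]; then` and pass `"$database"` to `codeql database analyze`. The config files later in this series spell the flag `True` while the comparison is against lowercase `true`; if the template substitution does not normalise case, the P10 step is silently skipped — worth confirming against the renderer. The `do ... done` loop body and the assignment of `$database` begin outside this hunk.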
@@ -88,11 +88,13 @@ PYLINT_FLAGS: CODEQL_WARNINGS: False CODEQL_PATH: CODEQL_QUERY_PATH: +CODEQL_CODING_STANDARDS_PATH: CODEQL_BUILD_DIR: CODEQL_BUILD_CMD: CODEQL_CLEAN_CMD: CODEQL_BASELINE_ANALYSIS: True CODEQL_P10_ANALYSIS: True +CODEQL_AUTOSAR_ANALYSIS: True CODEQL_DATABASECREATE_FLAGS: CODEQL_DATABASEANALYZE_FLAGS: diff --git a/scrub/tools/templates/codeql.template b/scrub/tools/templates/codeql.template index 1a53d94..0513a27 100644 --- a/scrub/tools/templates/codeql.template +++ b/scrub/tools/templates/codeql.template @@ -46,4 +46,12 @@ do python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_p10_raw.scrub ${{SOURCE_DIR}} scrub fi + # Perform AUTOSAR analysis, if desired + if [ ${{CODEQL_AUTOSAR_ANALYSIS}} == true ] && [ $language == "cpp" ]; then + ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif $database "${{CODEQL_CODING_STANDARDS_PATH}}/cpp/autosar/src/codeql-suites/autosar-default.qls" "${{CODEQL_QUERY_PATH}}/cpp/ql/src/AlertSuppression.ql" + + # Parse the SARIF AUTOSAR results output file into SCRUB format + python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_autosar_raw.scrub ${{SOURCE_DIR}} scrub + fi + done diff --git a/scrub/utils/scrub_defaults.cfg b/scrub/utils/scrub_defaults.cfg index b402b85..3af079b 100644 --- a/scrub/utils/scrub_defaults.cfg +++ b/scrub/utils/scrub_defaults.cfg @@ -89,11 +89,13 @@ PYLINT_FLAGS: CODEQL_WARNINGS: False CODEQL_PATH: CODEQL_QUERY_PATH: +CODEQL_CODING_STANDARDS_PATH: CODEQL_BUILD_DIR: CODEQL_BUILD_CMD: CODEQL_CLEAN_CMD: CODEQL_BASELINE_ANALYSIS: True CODEQL_P10_ANALYSIS: True +CODEQL_AUTOSAR_ANALYSIS: True CODEQL_DATABASECREATE_FLAGS: CODEQL_DATABASEANALYZE_FLAGS: 
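Review bot: `CODEQL_AUTOSAR_ANALYSIS` defaults to `True` in both config files of this patch while `CODEQL_CODING_STANDARDS_PATH` defaults to empty, so a default configuration now runs `codeql database analyze` for every C/C++ target with the suite path `/cpp/autosar/src/codeql-suites/autosar-default.qls`, and the failing analysis is followed by `translate_results` on a SARIF file that was never written. Guard the step on the path being configured, e.g. `if [ "${{CODEQL_AUTOSAR_ANALYSIS}}" == true ] && [ -n "${{CODEQL_CODING_STANDARDS_PATH}}" ] && [ "$language" == "cpp" ]; then`, or default the flag to `False` until the coding-standards checkout is set up. As in the P10 block, `$database` should be quoted. The enclosing `do ... done` loop starts outside this hunk.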
@@ -231,4 +233,4 @@ ENABLE_EXT_WARNINGS: False
 ENABLE_MICRO_FILTER: True
 CUSTOM_FILTER_CMD:
 ANALYSIS_FILTERS:
-QUERY_FILTERS:
\ No newline at end of file
+QUERY_FILTERS:

From 5bad3749149f3e1cfd6b20c2c1b08854f6189bba Mon Sep 17 00:00:00 2001
From: Federico Zappone
Date: Sat, 21 Jan 2023 19:58:42 +0100
Subject: [PATCH 3/6] updated detailed configurations and templates for codeql

Added the new flags for the CodeQL open-source coding standards path and the AUTOSAR analysis flag. Also modified the template config to reflect the standard CodeQL paths organization specified in their tutorial. The CodeQL coding standard repo containing rules for the AUTOSAR, MISRA, and CERT standards is available here: https://github.com/github/codeql-coding-standards
---
 docs/configuration-inputs.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/docs/configuration-inputs.md b/docs/configuration-inputs.md
index 66274f6..36bc28a 100644
--- a/docs/configuration-inputs.md
+++ b/docs/configuration-inputs.md
@@ -70,11 +70,13 @@ Each table below represents a portion of the complete `scrub.cfg` file.
 | CODEQL_WARNINGS | True/False | Yes | Should CodeQL analysis be performed? | False |
 | CODEQL_PATH | String | Optional | Absolute path to the directory of the CodeQL installation | Check `PATH` |
 | CODEQL_QUERY_PATH | String | Yes | Absolute path to the CodeQL query files | N/A |
+| CODEQL_CODING_STANDARDS_PATH | String | Yes | Absolute path to the CodeQL coding standard files | N/A |
 | CODEQL_BUILD_DIR | String | Optional | Relative path (to `SOURCE_DIR`) to the build directory | `SOURCE_DIR` |
 | CODEQL_BUILD_CMD | String | Optional | Command to build the source code for CodeQL analysis | N/A |
 | CODEQL_CLEAN_CMD | String | Optional | Command to clean the source code for CodeQL analysis | N/A |
 | CODEQL_BASELINE_ANALYSIS | True/False | Yes | Should baseline CodeQL analysis be performed? | True |
 | CODEQL_P10_ANALYSIS | True/False | Yes | Should CodeQL P10 analysis be performed? | True |
+| CODEQL_AUTOSAR_ANALYSIS | True/False | Yes | Should CodeQL AUTOSAR analysis be performed? | True |
 | CODEQL_DATABASECREATE_FLAGS | String | Optional | Flags to be passed into 'codeql database create' command | '' |
 | CODEQL_DATEBASEANALYZE_FLAGS | String | Optional | Flags to be passed into 'codeql database analyze' command | '' |
@@ -264,13 +266,15 @@ The configuration file provided below is a sample configuration file for a C pro # [CodeQL Variables] CODEQL_WARNINGS: True - CODEQL_PATH: /opt/local/codeql/codeql-cli - CODEQL_QUERY_PATH: /opt/local/codeql/queries - CODEQL_BUILD_DIR: src + CODEQL_PATH: ~/codeql-home/codeql-cli + CODEQL_QUERY_PATH: ~/codeql-home/codeql-repo + CODEQL_CODING_STANDARDS_PATH: ~/codeql-home/codeql-coding-standards + CODEQL_BUILD_DIR: build CODEQL_BUILD_CMD: make all CODEQL_CLEAN_CMD: make clean CODEQL_BASELINE_ANALYSIS: True - CODEQL_P10_ANALYSIS: False + CODEQL_P10_ANALYSIS: True + CODEQL_AUTOSAR_ANALYSIS: True CODEQL_DATABASECREATE_FLAGS: CODEQL_DATABASEANALYZE_FLAGS: From 990ae1e91b7b7f30aa53e754f0028e5b1204bace Mon Sep 17 00:00:00 2001 From: Federico Zappone Date: Sat, 21 Jan 2023 22:52:51 +0100 Subject: [PATCH 4/6] added post processing and filtering for autosar_raw files --- scrub/tools/templates/codeql.template | 4 +-- scrub/utils/filtering/do_filtering.py | 35 +++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/scrub/tools/templates/codeql.template b/scrub/tools/templates/codeql.template index 0513a27..9b986fb 100644 --- a/scrub/tools/templates/codeql.template +++ b/scrub/tools/templates/codeql.template 
@@ -40,7 +40,7 @@ do # Perform P10 analysis, if desired if [ ${{CODEQL_P10_ANALYSIS}} == true ] && [ $language == "cpp" ]; then - ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif $database "${{CODEQL_QUERY_PATH}}/cpp/ql/src/Power of 10" "${{CODEQL_QUERY_PATH}}/cpp/ql/src/AlertSuppression.ql" + ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif $database "${{CODEQL_QUERY_PATH}}/cpp/ql/src/Power of 10" "$suppression_query" # Parse the SARIF P10 results output file into SCRUB format python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_p10_raw.scrub ${{SOURCE_DIR}} scrub @@ -48,7 +48,7 @@ do # Perform AUTOSAR analysis, if desired if [ ${{CODEQL_AUTOSAR_ANALYSIS}} == true ] && [ $language == "cpp" ]; then - ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif $database "${{CODEQL_CODING_STANDARDS_PATH}}/cpp/autosar/src/codeql-suites/autosar-default.qls" "${{CODEQL_QUERY_PATH}}/cpp/ql/src/AlertSuppression.ql" + ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif $database "${{CODEQL_CODING_STANDARDS_PATH}}/cpp/autosar/src/codeql-suites/autosar-default.qls" "$suppression_query" # Parse the SARIF AUTOSAR results output file into SCRUB format python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_autosar_raw.scrub ${{SOURCE_DIR}} scrub diff --git a/scrub/utils/filtering/do_filtering.py b/scrub/utils/filtering/do_filtering.py index d978545..24ca270 100644 --- a/scrub/utils/filtering/do_filtering.py +++ b/scrub/utils/filtering/do_filtering.py 
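Review bot: `$suppression_query` is now quoted while `$database` on the same command line is not, so a database path containing whitespace would be split into several arguments; quote it as `"$database"` in both the P10 and AUTOSAR invocations. `$suppression_query` is assigned outside this hunk, so it is not visible here whether it is guaranteed non-empty — an empty value would now pass a literal empty argument to `codeql database analyze` rather than simply omitting the suppression query, which the tool is likely to reject.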
@@ -39,12 +39,15 @@ def filter_scrub_results(scrub_conf_data): # Sort the files into groups raw_compiler_files = [] raw_p10_files = [] + raw_autosar_files = [] raw_generic_files = [] for results_file in results_files: if 'compiler_raw' in results_file.stem: raw_compiler_files.append(results_file) elif 'p10_raw' in results_file.stem: raw_p10_files.append(results_file) + elif 'autosar_raw' in results_file.stem: + raw_autosar_files.append(results_file) else: raw_generic_files.append(results_file) @@ -113,6 +116,38 @@ def filter_scrub_results(scrub_conf_data): # Print the exception traceback logging.debug(traceback.format_exc()) + # Filter AUTOSAR results + if raw_autosar_files: + try: + # Set the output file path + filtered_autosar_results = scrub_conf_data.get('scrub_analysis_dir').joinpath('autosar.scrub') + + # Parse all of the input files + autosar_results = [] + valid_warning_types = [] + for results_file in raw_autosar_files: + # Append the results file + autosar_results = (autosar_results + translate_results.parse_scrub(results_file, + scrub_conf_data.get('source_dir'))) + + # Append to the valid warning types + valid_warning_types.append(results_file.stem.split('_')[0]) + + filter_results.filter_results(autosar_results, filtered_autosar_results, + scrub_conf_data.get('filtering_output_file'), + scrub_conf_data.get('query_filters'), + scrub_conf_data.get('source_dir'), + scrub_conf_data.get('enable_micro_filter'), + scrub_conf_data.get('enable_ext_warnings'), + valid_warning_types) + + except: # lgtm [py/catch-base-exception] + # Print a status message + logging.warning("Could not generate output file %s", filtered_autosar_results) + + # Print the exception traceback + logging.debug(traceback.format_exc()) + # Filter everything else if raw_generic_files: for raw_generic_file in raw_generic_files: From e0af1f642ff8370d9b8e57de68e53c8a4b105068 Mon Sep 17 00:00:00 2001 
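Review bot: The new AUTOSAR block is a verbatim copy of the P10 block above it (only the output name and input list differ) and it inherits two weaknesses: the bare `except:` also traps `KeyboardInterrupt` and `SystemExit`, and `filtered_autosar_results` is assigned inside the `try`, so if `scrub_conf_data.get('scrub_analysis_dir').joinpath(...)` raises (for instance when that key is missing) the handler itself fails with `NameError` instead of logging the warning. Extracting the sequence into a private helper keeps the best-effort semantics, lets the real exception surface, and leaves one place to fix; the call site becomes `if raw_autosar_files: _filter_group(raw_autosar_files, 'autosar.scrub', scrub_conf_data)`. `filter_scrub_results` starts and ends outside this hunk.
```python
def _filter_group(raw_files, output_name, scrub_conf_data):
    """Merge one group of raw SCRUB result files and write the filtered output.

    Failures are logged and swallowed so the remaining groups still run.
    """
    # Resolve the target first so the handler below can always name it
    filtered_results_file = scrub_conf_data.get('scrub_analysis_dir').joinpath(output_name)
    try:
        results = []
        valid_warning_types = []
        for results_file in raw_files:
            results = results + translate_results.parse_scrub(results_file,
                                                              scrub_conf_data.get('source_dir'))
            valid_warning_types.append(results_file.stem.split('_')[0])

        filter_results.filter_results(results, filtered_results_file,
                                      scrub_conf_data.get('filtering_output_file'),
                                      scrub_conf_data.get('query_filters'),
                                      scrub_conf_data.get('source_dir'),
                                      scrub_conf_data.get('enable_micro_filter'),
                                      scrub_conf_data.get('enable_ext_warnings'),
                                      valid_warning_types)
    except Exception:  # best-effort: keep going, but do not trap Ctrl-C
        logging.warning("Could not generate output file %s", filtered_results_file)
        logging.debug(traceback.format_exc())
```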
From: Federico Zappone Date: Sat, 21 Jan 2023 23:23:05 +0100 Subject: [PATCH 5/6] added codeql cert checks, updated docs and template configs --- scrub/scrub.cfg | 4 +++ scrub/tools/templates/codeql.template | 10 +++++++- scrub/utils/filtering/do_filtering.py | 35 +++++++++++++++++++++++++++ scrub/utils/scrub_defaults.cfg | 4 +++ 4 files changed, 52 insertions(+), 1 deletion(-) diff --git a/scrub/scrub.cfg b/scrub/scrub.cfg index 27145d2..ca7c728 100644 --- a/scrub/scrub.cfg +++ b/scrub/scrub.cfg @@ -76,11 +76,14 @@ PYLINT_FLAGS: # CODEQL_WARNINGS Yes True/False # CODEQL_PATH No String # CODEQL_QUERY_PATH Yes String +# CODEQL_CODING_STANDARDS_PATH Yes String # CODEQL_BUILD_DIR No String # CODEQL_BUILD_CMD Yes String # CODEQL_CLEAN_CMD Yes String # CODEQL_BASELINE_ANALYSIS Yes True/False # CODEQL_P10_ANALYSIS Yes True/False +# CODEQL_AUTOSAR_ANALYSIS Yes True/False +# CODEQL_CERT_ANALYSIS Yes True/False # CODEQL_DATABASECREATE_FLAGS No String # CODEQL_DATABASEANALYZE_FLAGS No String # @@ -95,6 +98,7 @@ CODEQL_CLEAN_CMD: CODEQL_BASELINE_ANALYSIS: True CODEQL_P10_ANALYSIS: True CODEQL_AUTOSAR_ANALYSIS: True +CODEQL_CERT_ANALYSIS: True CODEQL_DATABASECREATE_FLAGS: CODEQL_DATABASEANALYZE_FLAGS: diff --git a/scrub/tools/templates/codeql.template b/scrub/tools/templates/codeql.template index 9b986fb..7d927a7 100644 --- a/scrub/tools/templates/codeql.template +++ b/scrub/tools/templates/codeql.template @@ -46,7 +46,7 @@ do python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_p10_raw.scrub ${{SOURCE_DIR}} scrub fi - # Perform AUTOSAR analysis, if desired + # Perform AUTOSAR analysis, if desired if [ ${{CODEQL_AUTOSAR_ANALYSIS}} == true ] && [ $language == "cpp" ]; then ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif $database "${{CODEQL_CODING_STANDARDS_PATH}}/cpp/autosar/src/codeql-suites/autosar-default.qls" "$suppression_query" 
@@ -54,4 +54,12 @@ do python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_autosar_raw.scrub ${{SOURCE_DIR}} scrub fi + # Perform CERT analysis, if desired + if [ ${{CODEQL_CERT_ANALYSIS}} == true ] && [ $language == "cpp" ]; then + ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_cert_raw.sarif $database "${{CODEQL_CODING_STANDARDS_PATH}}/cpp/cert/src/codeql-suites/cert-default.qls" "$suppression_query" + + # Parse the SARIF cert results output file into SCRUB format + python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_cert_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_cert_raw.scrub ${{SOURCE_DIR}} scrub + fi + done diff --git a/scrub/utils/filtering/do_filtering.py b/scrub/utils/filtering/do_filtering.py index 24ca270..e6b183d 100644 --- a/scrub/utils/filtering/do_filtering.py +++ b/scrub/utils/filtering/do_filtering.py @@ -40,6 +40,7 @@ def filter_scrub_results(scrub_conf_data): raw_compiler_files = [] raw_p10_files = [] raw_autosar_files = [] + raw_cert_files = [] raw_generic_files = [] for results_file in results_files: if 'compiler_raw' in results_file.stem: @@ -48,6 +49,8 @@ def filter_scrub_results(scrub_conf_data): raw_p10_files.append(results_file) elif 'autosar_raw' in results_file.stem: raw_autosar_files.append(results_file) + elif 'cert_raw' in results_file.stem: + raw_autosar_files.append(results_file) else: raw_generic_files.append(results_file) 
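Review bot: The exit status of `codeql database analyze` is never checked before `translate_results` runs on `codeql_cert_raw.sarif`, so a failed analysis (for example the empty `CODEQL_CODING_STANDARDS_PATH` that this series ships as the default) hands the parser a missing, or possibly stale, SARIF file and the error is only discovered downstream; unless the template header, outside this hunk, sets `set -e`, chain the two commands with `&&` or test `$?` and log the failure. The same applies to the AUTOSAR and P10 blocks above, and `$database` is unquoted here as well. The enclosing `do ... done` loop starts outside this hunk.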
@@ -148,6 +151,38 @@ def filter_scrub_results(scrub_conf_data): # Print the exception traceback logging.debug(traceback.format_exc()) + # Filter CERT results + if raw_cert_files: + try: + # Set the output file path + filtered_cert_results = scrub_conf_data.get('scrub_analysis_dir').joinpath('cert.scrub') + + # Parse all of the input files + cert_results = [] + valid_warning_types = [] + for results_file in raw_cert_files: + # Append the results file + cert_results = (cert_results + translate_results.parse_scrub(results_file, + scrub_conf_data.get('source_dir'))) + + # Append to the valid warning types + valid_warning_types.append(results_file.stem.split('_')[0]) + + filter_results.filter_results(cert_results, filtered_cert_results, + scrub_conf_data.get('filtering_output_file'), + scrub_conf_data.get('query_filters'), + scrub_conf_data.get('source_dir'), + scrub_conf_data.get('enable_micro_filter'), + scrub_conf_data.get('enable_ext_warnings'), + valid_warning_types) + + except: # lgtm [py/catch-base-exception] + # Print a status message + logging.warning("Could not generate output file %s", filtered_cert_results) + + # Print the exception traceback + logging.debug(traceback.format_exc()) + # Filter everything else if raw_generic_files: for raw_generic_file in raw_generic_files: diff --git a/scrub/utils/scrub_defaults.cfg b/scrub/utils/scrub_defaults.cfg index 3af079b..3d43070 100644 --- a/scrub/utils/scrub_defaults.cfg +++ b/scrub/utils/scrub_defaults.cfg @@ -77,11 +77,14 @@ PYLINT_FLAGS: # CODEQL_WARNINGS Yes True/False # CODEQL_PATH No String # CODEQL_QUERY_PATH Yes String +# CODEQL_CODING_STANDARDS_PATH Yes String # CODEQL_BUILD_DIR No String # CODEQL_BUILD_CMD Yes String # CODEQL_CLEAN_CMD Yes String # CODEQL_BASELINE_ANALYSIS Yes True/False # CODEQL_P10_ANALYSIS Yes True/False +# CODEQL_AUTOSAR_ANALYSIS Yes True/False +# CODEQL_CERT_ANALYSIS Yes True/False # CODEQL_DATABASECREATE_FLAGS No String # CODEQL_DATABASEANALYZE_FLAGS No String # 
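Review bot: `filtered_cert_results` is assigned inside the `try` but used in the `except` handler, so a failure in `scrub_conf_data.get('scrub_analysis_dir').joinpath('cert.scrub')` — e.g. the key being absent — turns into a `NameError` raised from the handler instead of the intended warning; move `filtered_cert_results = scrub_conf_data.get('scrub_analysis_dir').joinpath('cert.scrub')` above the `try:`. This block is the third verbatim copy of the same parse-and-filter sequence (the P10 and AUTOSAR copies sit above it, outside this hunk), so a small private helper taking the file list and the output name would leave a single place to maintain, and `except Exception:` rather than a bare `except:` would stop it trapping `KeyboardInterrupt`. `filter_scrub_results` starts and ends outside this hunk.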
@@ -96,6 +99,7 @@ CODEQL_CLEAN_CMD: CODEQL_BASELINE_ANALYSIS: True CODEQL_P10_ANALYSIS: True CODEQL_AUTOSAR_ANALYSIS: True +CODEQL_CERT_ANALYSIS: True CODEQL_DATABASECREATE_FLAGS: CODEQL_DATABASEANALYZE_FLAGS: From c1021ebc79657f77133b348a6c7cb154f3621ab4 Mon Sep 17 00:00:00 2001 From: Federico Zappone Date: Sat, 21 Jan 2023 23:58:03 +0100 Subject: [PATCH 6/6] small fixes --- scrub/utils/filtering/do_filtering.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scrub/utils/filtering/do_filtering.py b/scrub/utils/filtering/do_filtering.py index e6b183d..ef82143 100644 --- a/scrub/utils/filtering/do_filtering.py +++ b/scrub/utils/filtering/do_filtering.py @@ -50,7 +50,7 @@ def filter_scrub_results(scrub_conf_data): elif 'autosar_raw' in results_file.stem: raw_autosar_files.append(results_file) elif 'cert_raw' in results_file.stem: - raw_autosar_files.append(results_file) + raw_cert_files.append(results_file) else: raw_generic_files.append(results_file)