|
1 | | -# codeql-coding-standards-bundle-releases |
2 | | -CodeQL bundles containing the CodeQL Coding Standards queries |
| 1 | +# CodeQL Coding Standards Bundle |
| 2 | + |
| 3 | +The CodeQL Coding Standards Bundle is a CodeQL bundle that includes the queries from the matching [CodeQL Coding Standards](https://github.com/github/codeql-coding-standards) project that is be open sourced in July 2022. More information on the CodeQL Coding Standards project can be found in [this](https://github.blog/2022-06-20-adding-support-for-coding-standards-autosar-c-and-cert-c/) blog post. |
| 4 | + |
| 5 | +The queries implement the guidelines specified in the following standards targeting the projects using the C++14: |
| 6 | +- [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems Release 18-10](https://www.autosar.org/fileadmin/user_upload/standards/adaptive/18-10/AUTOSAR_RS_CPP14Guidelines.pdf) |
| 7 | +- [MISRA C++:2008](https://www.misra.org.uk) |
| 8 | +- [SEI CERT C++ Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=494932) |
| 9 | + |
| 10 | +## How to use the bundle |
| 11 | + |
| 12 | +The bundle can be use with the [Github CodeQL Action](https://github.com/github/codeql-action) by preceding the `github/codeql-action/init@v2` step with the following step: |
| 13 | + |
| 14 | +```yaml |
| 15 | +- name: Download CodeQL Coding Standards Bundle |
| 16 | + run: | |
| 17 | + gh release download -R advanced-security/codeql-coding-standards-bundle-releases v1.10.0 --pattern 'codeql-coding-standards.tar.gz' |
| 18 | +``` |
| 19 | +
|
| 20 | +The step initializing the Github CodeQL Action using `github/codeql-action/init@v2` can be instructed to use the bundle through the `tools` key and the queries can be specified through the `queries` key as follows: |
| 21 | + |
| 22 | +```yaml |
| 23 | +- name: CodeQL Initialize |
| 24 | + uses: github/codeql-action/init@v2 |
| 25 | + with: |
| 26 | + tools: codeql-coding-standards.tar.gz |
| 27 | + queries: autosar-default,cert-default |
| 28 | +``` |
| 29 | + |
| 30 | +The CodeQL Coding Standards Bundle supports the following CodeQL query suites: |
| 31 | + |
| 32 | +- `autosar-default`: All the AUTOSAR queries that are not audit queries. |
| 33 | +- `autosar-required`: The AUTOSAR ueries with obligation *required*, and that are not audit queries. |
| 34 | +- `autosar-advisory`: The AUTOSAR queries with obligation *advisory*, and that are not audit queries. |
| 35 | +- `autosar-audit`: The AUTOSAR queries that are audit queries. An audit query provides information that can aid in a manual review of a guideline with enforcement *non-automated*. |
| 36 | +- `cert-default`: All the CERT queries. |
| 37 | + |
| 38 | +## Troubleshooting |
| 39 | + |
| 40 | +An elaborate user manual will be provided when the CodeQL Coding Standards is open sourced. |
| 41 | +However the following errors might be troubleshooted if encountered. |
| 42 | + |
| 43 | +### Error: Code Scanning could not process the submitted SARIF file |
| 44 | + |
| 45 | +The error can occur using the action `github/codeql-action/analyze@v2` or `github/codeql-action/upload-sarif@v2` that uploads the results of the CodeQL analysis with the following reason |
| 46 | + |
| 47 | +`rejecting SARIF, as there are more results per run than allowed (25271 > 25000)` |
| 48 | + |
| 49 | +This can occur when the CodeQL Coding Standard queries are used on a project that doesn't adhere to the standard resulting a one or more queries returning a large number of alerts. |
| 50 | +The following steps can be used to troubleshoot the issue: |
| 51 | + |
| 52 | +1. When using the `github/codeql-action/analyze@v2`, disable the automatic uploading of the SARIF file as follows: |
| 53 | + ```yaml |
| 54 | + - name: CodeQL Analyze |
| 55 | + uses: github/codeql-action/analyze@v2 |
| 56 | + with: |
| 57 | + upload: "false" |
| 58 | + ``` |
| 59 | +2. Upload the SARIF file with the `actions/` as follows: |
| 60 | + ```yaml |
| 61 | + - name: Upload Sarif |
| 62 | + uses: actions/upload-artifact@v2 |
| 63 | + with: |
| 64 | + name: results |
| 65 | + path: "../results" |
| 66 | + ``` |
| 67 | +3. Analyze the SARIF file in [Visual Studio Code][https://code.visualstudio.com/] using the [Sarif Viewer](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer) extension. The *rules* tab of the Sarif Viewer gives a breakdown per rule and the number of alerts. |
| 68 | +4. Note down the rule id (of the form `cpp/autosar/...`) of the rules with a high number of alerts. |
| 69 | +5. Revert the above changes to return to the regular workflow. |
| 70 | +6. Create a CodeQL query suite that excludes the identified rule(s). More information on creating CodeQL query suites can be found at [Creating CodeQL query suites](https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/). The following is an example for AUTOSAR that excludes the rule `cpp/autosar/undocumented-user-defined-type`: |
| 71 | + ```yaml |
| 72 | + - description: AUTOSAR C++14 Guidelines 19-11 (Customized) |
| 73 | + - import: codeql-suites/autosar-default.qls |
| 74 | + from: autosar-cpp-coding-standards |
| 75 | + - exclude: |
| 76 | + id: |
| 77 | + - cpp/autosar/undocumented-user-defined-type |
| 78 | + ``` |
| 79 | +7. Add the CodeQL query suite to the repository and refer to it in the `github/codeql-action/init@v2` step. The following example assumes the CodeQL query suite is stored at `.github/code-scanning/autosar.qls`: |
| 80 | + ```yaml |
| 81 | + - name: CodeQL Initialize |
| 82 | + uses: github/codeql-action/init@v2 |
| 83 | + with: |
| 84 | + tools: codeql-coding-standards.tar.gz |
| 85 | + queries: cert-default,.github/code-scanning/autosar.qls |
0 commit comments