Add CodeQL build stage
authorOwen Smith <owen.smith@citrix.com>
Fri, 5 Mar 2021 10:14:18 +0000 (10:14 +0000)
committerPaul Durrant <pdurrant@amazon.com>
Tue, 9 Mar 2021 17:39:38 +0000 (17:39 +0000)
CodeQL logs will be required for future WHQL submissions. Add a stage
that generates the required SARIF files. CodeQL is a semantic code
analysis engine, which will highlight vulnerabilities that will need
fixing.

In order to use CodeQL, the CodeQL binaries must be on the path and the
Windows-Driver-Developer-Supplemental-Tools must be on the path defined
by the CODEQL_QUERY_SUITE environment variable (if defined), or under
the parent folder (if CODEQL_QUERY_SUITE variable is not defined)

Note: Due to the way the codeql command line is built, using quotes in a
MSBuild command line is not possible, so generate a batch file to wrap
the command line.

Signed-off-by: Owen Smith <owen.smith@citrix.com>
build.ps1
msbuild.ps1

index 2ea6428effcc7facc399d8622a26f8fcd48dc16d..346d1874e0e2d43406977e56126849f0a083ae60 100644 (file)
--- a/build.ps1
+++ b/build.ps1
@@ -6,6 +6,7 @@ param(
        [Parameter(Mandatory = $true)]
        [string]$Type,
        [string]$Arch,
+       [switch]$CodeQL,
        [switch]$Sdv
 )
 
@@ -51,6 +52,21 @@ Function SdvBuild {
        & ".\msbuild.ps1" @params
 }
 
+function CodeQLBuild {
+       $visualstudioversion = $Env:VisualStudioVersion
+       $solutiondir = @{ "14.0" = "vs2015"; "15.0" = "vs2017"; "16.0" = "vs2019"; }
+       $configurationbase = @{ "14.0" = "Windows 10"; "15.0" = "Windows 10"; "16.0" = "Windows 10"; }
+       $arch = "x64"
+
+       $params = @{
+               SolutionDir = $solutiondir[$visualstudioversion];
+               ConfigurationBase = $configurationbase[$visualstudioversion];
+               Arch = $arch;
+               Type = "codeql"
+               }
+       & ".\msbuild.ps1" @params
+}
+
 if ($Type -ne "free" -and $Type -ne "checked") {
        Write-Host "Invalid Type"
        Exit -1
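Review bot: CodeQLBuild indexes $solutiondir and $configurationbase with $Env:VisualStudioVersion but never checks that the key exists, so an unset or unlisted version silently passes $null for SolutionDir and ConfigurationBase to msbuild.ps1, where the failure surfaces later as a Resolve-Path error rather than at the cause. A guard after the tables, `if (-not $solutiondir.ContainsKey($visualstudioversion)) { Write-Host "Unsupported VisualStudioVersion: $visualstudioversion"; Exit -1 }`, mirrors the existing "Invalid Type" check a few lines below. Arch is also fixed to "x64" regardless of the script's -Arch parameter; if that is deliberate (CodeQL results only wanted for x64), a comment on the `$arch = "x64"` line saying so would save the next reader a question. SdvBuild's body lies outside the hunk, but if it carries the same version tables, both functions could share one copy at script scope.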
@@ -99,6 +115,10 @@ if ([string]::IsNullOrEmpty($Arch) -or $Arch -eq "x64") {
        Build "x64" $Type
 }
 
+if ($CodeQL) {
+       CodeQLBuild
+}
+
 if ($Sdv) {
        SdvBuild
 }
index 97e1292bb0c3533b74c5153961620c12b1eed23c..ecf3d10fefad17fe02947847125ef7bcd9039421 100644 (file)
@@ -67,14 +67,81 @@ Function Run-MSBuildSDV {
        Set-Location $basepath
 }
 
+Function Run-CodeQL {
+       param(
+               [string]$SolutionPath,
+               [string]$Name,
+               [string]$Configuration,
+               [string]$Platform,
+               [string]$SearchPath,
+               [string]$OutputPath
+       )
+
+       $projpath = Resolve-Path (Join-Path $SolutionPath $Name)
+       $project = [string]::Format("{0}.vcxproj", $Name)
+       $output = [string]::Format("{0}.sarif", $Name)
+       $database = Join-Path "database" $Name
+
+       # write a bat file to wrap msbuild parameters
+       $bat = [string]::Format("{0}.bat", $Name)
+       if (Test-Path $bat) {
+               Remove-Item $bat
+       }
+       $a = "msbuild.exe"
+       $a += " /m:4"
+       $a += " /t:Build"
+       $a += [string]::Format(" /p:Configuration=""{0}""", $Configuration)
+       $a += [string]::Format(" /p:Platform=""{0}""", $Platform)
+       $a += " "
+       $a += Join-Path $projpath $project
+       $a | Set-Content $bat
+
+       # generate the database
+       $b = "codeql"
+       $b += " database"
+       $b += " create"
+       $b += " -l=cpp"
+       $b += " -s=src"
+       $b += " -c"
+       $b += ' "' + (Resolve-Path $bat) + '" '
+       $b += $database
+       Invoke-Expression $b
+       if ($LASTEXITCODE -ne 0) {
+               Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" $LASTEXITCODE
+               Exit $LASTEXITCODE
+       }
+       Remove-Item $bat
+
+       # perform the analysis on the database
+       $c = "codeql"
+       $c += " database"
+       $c += " analyze "
+       $c += $database
+       $c += " windows_driver_recommended.qls"
+       $c += " --format=sarifv2.1.0"
+       $c += " --output="
+       $c += (Join-Path $OutputPath $output)
+       $c += " --search-path="
+       $c += $SearchPath
+
+       Invoke-Expression $c
+       if ($LASTEXITCODE -ne 0) {
+               Write-Host -ForegroundColor Red "ERROR: CodeQL failed, code:" $LASTEXITCODE
+               Exit $LASTEXITCODE
+       }
+}
+
 #
 # Script Body
 #
 
-$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = "$ConfigurationBase Debug"; "sdv" = "$ConfigurationBase Release"; }
+$configuration = @{ "free" = "$ConfigurationBase Release"; "checked" = "$ConfigurationBase Debug"; "sdv" = "$ConfigurationBase Release"; "codeql" = "$ConfigurationBase Release"; }
 $platform = @{ "x86" = "Win32"; "x64" = "x64" }
 $solutionpath = Resolve-Path $SolutionDir
 
+$archivepath = "xencons"
+$projectlist = @( "xencons" )
+
 Set-ExecutionPolicy -Scope CurrentUser -Force Bypass
 
 if ($Type -eq "free") {
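Review bot: Run-CodeQL builds its two codeql command lines as strings and runs them through Invoke-Expression, with $SearchPath (taken from the CODEQL_QUERY_SUITE environment variable), $OutputPath and $database appended unquoted; a search path containing a space (a tools checkout under Program Files, say) is split into separate arguments, and any PowerShell metacharacter in these values is re-parsed as code rather than passed through. The call operator with an argument array gives the same command without a second parse and lets PowerShell quote each token for the native binary, so the bat-file wrapper is only needed for the msbuild side as the commit message describes. The same unquoted-path issue exists in the bat file itself at the `$a += Join-Path $projpath $project` line, where a solution path with spaces breaks msbuild; `$a += [string]::Format(' "{0}"', (Join-Path $projpath $project))` matches how Configuration and Platform are already quoted there.
```powershell
	# generate the database
	$createArgs = @(
		"database", "create",
		"-l=cpp", "-s=src",
		"-c", (Resolve-Path $bat).Path,
		$database
	)
	& codeql @createArgs
	# … unchanged: exit-code check and Remove-Item $bat …

	# perform the analysis on the database
	$analyzeArgs = @(
		"database", "analyze", $database,
		"windows_driver_recommended.qls",
		"--format=sarifv2.1.0",
		"--output=$(Join-Path $OutputPath $output)",
		"--search-path=$SearchPath"
	)
	& codeql @analyzeArgs
	# … unchanged: exit-code check …
```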
@@ -83,14 +150,34 @@ if ($Type -eq "free") {
 elseif ($Type -eq "checked") {
        Run-MSBuild $solutionpath "xencons.sln" $configuration["checked"] $platform[$Arch]
 }
-elseif ($Type -eq "sdv") {
-       $archivepath = "xencons"
+elseif ($Type -eq "codeql") {
+       if (-Not (Test-Path -Path $archivepath)) {
+               New-Item -Name $archivepath -ItemType Directory | Out-Null
+       }
 
+       if ([string]::IsNullOrEmpty($Env:CODEQL_QUERY_SUITE)) {
+               $searchpath = Resolve-Path ".."
+       } else {
+               $searchpath = $Env:CODEQL_QUERY_SUITE
+       }
+
+       if (Test-Path "database") {
+               Remove-Item -Recurse -Force "database"
+       }
+       New-Item -ItemType Directory "database" | Out-Null
+
+       $projectlist | ForEach {
+               Run-CodeQL $solutionpath $_ $configuration["codeql"] $platform[$Arch] $searchpath $archivepath
+       }
+}
+elseif ($Type -eq "sdv") {
        if (-Not (Test-Path -Path $archivepath)) {
                New-Item -Name $archivepath -ItemType Directory | Out-Null
        }
 
-       Run-MSBuildSDV $solutionpath "xencons" $configuration["sdv"] $platform[$Arch]
+       $projectlist | ForEach {
+               Run-MSBuildSDV $solutionpath $_ $configuration["sdv"] $platform[$Arch]
+       }
 
        Copy-Item -Path (Join-Path -Path $SolutionPath -ChildPath "*DVL*") -Destination $archivepath
 }
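Review bot: The codeql and sdv branches now open with the same four-line "create $archivepath if missing" block; since $archivepath is defined at script scope in the previous hunk, that block can move above the $Type chain and be written once. The `database` directory is removed with `Remove-Item -Recurse -Force "database"` and the query-suite fallback is `Resolve-Path ".."`, both relative to whatever the current directory is when msbuild.ps1 runs; Run-MSBuildSDV's `Set-Location $basepath` in the earlier hunk suggests the script does change directory, so anchoring both on `$PSScriptRoot` (or the resolved $solutionpath) would make the cleanup and the fallback independent of the caller's working directory — worth confirming against build.ps1. Minor style point: `ForEach` in the pipeline is an alias; `ForEach-Object` is the conventional spelling in scripts.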