diff --git a/.github/codeql/codeql_config.yml b/.github/codeql/codeql_config.yml
new file mode 100644
index 0000000000..3da712c645
--- /dev/null
+++ b/.github/codeql/codeql_config.yml
@@ -0,0 +1,46 @@
+# Copyright (C) 2019 Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+paths:
+ - .github
+ - core/iwasm
+ - core/shared/platform/common/
+ - core/shared/platform/include/
+ - core/shared/platform/linux/
+ - product-mini/platforms/common/
+ - product-mini/platforms/linux/
+ # TODO: add other platforms back if able to do cross-compilation
+ # - product-mini/platforms/
+ # TODO: add samples back after buildscript modification
+ # - need to ignore workloads and wasm-apps
+ # - samples
+ - wamr-compiler/
+paths-ignore:
+ # always ignore build
+ - '**/build/**'
+ - '**/test*/**'
+ - '**/wasm-app*/**'
+ - core/deps/
+ # platform specific
+ - core/iwasm/aot/arch/aot_reloc_aarch64.c
+ - core/iwasm/aot/arch/aot_reloc_arc.c
+ - core/iwasm/aot/arch/aot_reloc_arm.c
+ - core/iwasm/aot/arch/aot_reloc_dummy.c
+ - core/iwasm/aot/arch/aot_reloc_mips.c
+ - core/iwasm/aot/arch/aot_reloc_riscv.c
+ - core/iwasm/aot/arch/aot_reloc_thumb.c
+ - core/iwasm/aot/arch/aot_reloc_xtensa.c
+ - core/iwasm/libraries/lib-rats/
+ - core/iwasm/libraries/lib-socket/
+ - core/iwasm/libraries/lib-wasi-threads/*-test/
+ - core/shared/platform/common/freertos/
+ - core/shared/platform/common/math/
+ #TODO: add me back if lldb libraries installed
+ - core/iwasm/compilation/debug/
+ # spend disk space and slow
+ - core/iwasm/libraries/wasi-nn/src/wasi_nn_tflite*
+ #TODO: add me back if openvino installed
+ - core/iwasm/libraries/wasi-nn/src/wasi_nn_openvino*
+ # for wasm
+ - core/iwasm/libraries/wasi-nn/include/wasi_nn.h
+ # reference
+ - core/iwasm/common/arch/invokeNative_general.c
diff --git a/.github/scripts/codeql_buildscript.sh b/.github/scripts/codeql_buildscript.sh
index 388f3680d3..706ff5b787 100755
--- a/.github/scripts/codeql_buildscript.sh
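Review bot: The `# platform specific` group in `paths-ignore` also drops `core/iwasm/libraries/lib-socket/` and `core/iwasm/libraries/lib-rats/`, which are native libraries handling network input and remote attestation rather than per-architecture relocation code, so the scan loses coverage of some of the most exposed code without a stated reason. If the exclusion is driven by missing build prerequisites in the buildscript, a comment such as `# TODO: lib-socket/lib-rats need extra deps in codeql_buildscript.sh; re-enable once added` would make the trade-off explicit, and the two entries should move out of the platform-specific group so the next reader does not take them for arch stubs. The `.github` entry under `paths` can presumably be dropped too, since a `cpp` CodeQL database gains nothing from workflow and script files.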
+++ b/.github/scripts/codeql_buildscript.sh 
@@ -5,308 +5,117 @@ # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception # -sudo apt update +# This script is used to build the WAMR project for CodeQL analysis. -sudo apt install -y build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build +# Pre-requisites +sudo apt -qq update +sudo apt install -y -qq build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build -WAMR_DIR=${PWD} - -# TODO: use pre-built llvm binary to build wamrc to -# avoid static code analysing for llvm -: ' -# build wamrc -cd ${WAMR_DIR}/wamr-compiler -./build_llvm.sh -rm -fr build && mkdir build && cd build -cmake .. -make -j -if [[ $? != 0 ]]; then - echo "Failed to build wamrc!" - exit 1; -fi -' - -# build iwasm with default features enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -fr build && mkdir build && cd build -cmake .. -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with default features enabled!" - exit 1; -fi - -# build iwasm with default features enabled on x86_32 -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -fr build && mkdir build && cd build -cmake .. -DWAMR_BUILD_TARGET=X86_32 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with default features enabled on x86_32!" - exit 1; -fi - -# build iwasm with classic interpreter enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_INTERP=0 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with classic interpreter enabled!" - exit 1; -fi - -# build iwasm with extra features enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -fr build && mkdir build && cd build -cmake .. 
-DCMAKE_BUILD_TYPE=Debug \ - -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1 \ - -DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_SIMD=1 \ - -DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_REF_TYPES=1 \ - -DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_MEMORY_PROFILING=1 \ - -DWAMR_BUILD_PERF_PROFILING=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 \ - -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build wamrc iwasm with extra features enabled!" - exit 1; -fi - -# build iwasm with global heap pool enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -fr build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug \ - -DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 \ - -DWAMR_DISABLE_STACK_HW_BOUND_CHECK=1 \ - -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 \ - -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with global heap pool enabled!" - exit 1; -fi - -# build iwasm with wasi-threads enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -fr build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIB_WASI_THREADS=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with wasi-threads enabled!" - exit 1; -fi - -# build iwasm with GC enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_GC=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with GC enabled!" - exit 1; -fi - -# build iwasm with exception handling enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_EXCE_HANDLING=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with exception handling enabled!" - exit 1; -fi - -# build iwasm with memory64 enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. 
-DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MEMORY64=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with memory64 enabled!" - exit 1; -fi - -# build iwasm with multi-memory enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MULTI_MEMORY=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with multi-memory enabled!" - exit 1; -fi - -# build iwasm with hardware boundary check disabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_HW_BOUND_CHECK=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with hardware boundary check disabled!" - exit 1; -fi - -# build iwasm with quick AOT entry disabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_QUICK_AOT_ENTRY=0 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with quick AOT entry disabled!" - exit 1; -fi +LLVM_VER=18.1.8 +pushd /opt +sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VER}/clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04.tar.xz \ + && tar -xf clang+llvm-x86_64-linux-gnu.tar.xz \ + && mv clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04 llvm-${LLVM_VER} +popd -# build iwasm with wakeup of blocking operations disabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with wakeup of blocking operations disabled!" 
- exit 1; -fi +# libtinfo.so.5 for /opt/llvm-18.1.8/lib/libomptarget.rtl.amdgpu.so.18.1 +sudo apt -qq update +wget http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb +sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb -# build iwasm with module instance context disabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MODULE_INST_CONTEXT=0 \ - -DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_WASI=0 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with module instance context disabled!" - exit 1; -fi - -# build iwasm with libc-uvwasi enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -fr build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIBC_UVWASI=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with libc-uvwasi enabled!" - exit 1; -fi - -# build iwasm with fast jit lazy mode enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with fast jit lazy mode enabled!" - exit 1; -fi - -# build iwasm with fast jit eager mode enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with fast jit eager mode enabled!" - exit 1; -fi - -# TODO: use pre-built llvm binary to build llvm-jit and multi-tier-jit -: ' -# build iwasm with llvm jit lazy mode enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build llvm jit lazy mode enabled!" 
- exit 1; -fi - -# build iwasm with llvm jit eager mode enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build llvm jit eager mode enabled!" - exit 1; -fi - -# build iwasm with multi-tier jit enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_JIT=1 \ - -DWAMR_BUILD_FAST_JIT_DUMP=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with multi-tier jit enabled!" - exit 1; -fi -' - -# build iwasm with wasm mini-loader enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MINI_LOADER=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build with wasm mini-loader enabled!" - exit 1; -fi - -# build iwasm with source debugging enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with source debugging enabled!" - exit 1; -fi - -# build iwasm with AOT static PGO enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_STATIC_PGO=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with AOT static PGO enabled!" - exit 1; -fi - -# build iwasm with configurable bounds checks enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with configurable bounds checks enabled!" 
- exit 1; -fi - -# build iwasm with linux perf support enabled -cd ${WAMR_DIR}/product-mini/platforms/linux/ -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LINUX_PERF=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with linux perf support enabled!" - exit 1; -fi - -# build iwasm with shared heap enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_SHARED_HEAP=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm with shared heap enabled!" - exit 1; -fi - -# build iwasm with dynamic aot debug enabled -cd ${WAMR_DIR}/product-mini/platforms/linux -rm -rf build && mkdir build && cd build -cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1 -make -j -if [[ $? != 0 ]]; then - echo "Failed to build iwasm dynamic aot debug enabled!" - exit 1; -fi +# Start the build process +WAMR_DIR=${PWD} +LLVM_DIR=/opt/llvm-${LLVM_VER}/lib/cmake/llvm + +# Function to build wamrc +build_wamrc() { + local options="$1" + echo "Building wamrc with options: $options" + + pushd ${WAMR_DIR}/wamr-compiler + rm -rf build + cmake -S . -B build \ + -G Ninja \ + -DCMAKE_BUILD_TYPE=Debug \ + -DWAMR_BUILD_WITH_CUSTOM_LLVM=1 -DLLVM_DIR=${LLVM_DIR} \ + $options + cmake --build build --target wamrc --parallel + if [[ $? != 0 ]]; then + echo "Failed to build wamrc with options: $options" + exit 1 + fi + popd +} + +# Function to build iwasm +build_iwasm() { + local options="$1" + echo "Building iwasm with options: $options" + + pushd ${WAMR_DIR}/product-mini/platforms/linux + rm -rf build + cmake -S . -B build \ + -G Ninja \ + -DCMAKE_BUILD_TYPE=Debug \ + -DLLVM_DIR=${LLVM_DIR} \ + $options + cmake --build build --target iwasm --parallel + if [[ $? 
!= 0 ]]; then + echo "Failed to build iwasm with options: $options" + exit 1 + fi + popd +} + +# List of compilation options for wamrc +wamrc_options_list=( + #default + "" +) + +# List of compilation options for iwasm +iwasm_options_list=( + #default + "" + # +classic interp + "-DWAMR_BUILD_FAST_INTERP=0" + # +llvm jit + fast jit + "-DWAMR_BUILD_JIT=1 -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1" + # + "-DWAMR_BUILD_TARGET=X86_32" + # + # libraries + "-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_UVWASI=1 -DWAMR_BUILD_LIBC_EMCC=1" + "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1" + "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_WASI_THREADS=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1" + "-DWAMR_BUILD_WASI_NN=1 -DWAMR_BUILD_WASI_NN_LLAMACPP=1" + # + # Wasm specs + "-DWAMR_BUILD_GC=1 -DWAMR_BUILD_EXCE_HANDLING=1 -DWAMR_BUILD_STRINGREF=1 -DWAMR_STRINGREF_IMPL_SOURCE=STUB" + "-DWAMR_BUILD_MEMORY64=1 -DWAMR_BUILD_MULTI_MEMORY=1" + # + # WARM features + "-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_MINI_LOADER=1 -DWAMR_BUILD_SHARED_HEAP=1" + "-DWAMR_DISABLE_HW_BOUND_CHECK=1" + "-DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1" + # - Debug + "-DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1 -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1" + # - developer options + "-DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 -DWAMR_BUILD_LINUX_PERF=1 -DWAMR_BUILD_AOT_VALIDATOR=1 -DWAMR_BUILD_MEMORY_PROFILING=1 -DWAMR_BUILD_PERF_PROFILING=1" + # - global heap + "-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072" + "-DWAMR_BUILD_QUICK_AOT_ENTRY=0 -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1 -DWAMR_BUILD_MODULE_INST_CONTEXT=0" + # - pgo + "-DWAMR_BUILD_STATIC_PGO=1" + # TODO: SGX specifics. 
+) + +# Loop through all iwasm options and build +for options in "${iwasm_options_list[@]}"; do + build_iwasm "$options" +done + +# Loop through all wamrc options and build +for options in "${wamrc_options_list[@]}"; do + build_wamrc "$options" +done diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1240ea6cac..d8b2aaaeb7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,29 +1,24 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# +# Copyright (C) 2019 Intel Corporation. All rights reserved. +# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + name: "CodeQL" on: - #pull_request: - # types: - # - opened - # branches: '*' - #push: - # branches: [ "main" ] - # midnight UTC + # run on every push to the feature-development branch + # the main branch is covered by below cron plan + push: + branches: + - dev/** + # midnight UTC on the latest commit on the main branch schedule: - - cron: '0 0 * * *' + - cron: "0 0 * * *" # allow to be triggered manually workflow_dispatch: -permissions: - contents: read - jobs: analyze: + # only run this job if the repository is not a fork + # if want to run this job on a fork, please remove the if condition if: github.repository == 'bytecodealliance/wasm-micro-runtime' name: Analyze # Runner size impacts CodeQL analysis time. To learn more, please see: 
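Review bot: Neither downloaded prerequisite is integrity-checked before it is installed with sudo: the LLVM tarball is unpacked straight after `wget`, and `libtinfo5_6.3-2ubuntu0.1_amd64.deb` is fetched over plain `http://` and then installed with `sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb`, which installs a local file without repository signature verification. Both steps run on the CI runner ahead of the CodeQL build, so a substituted artifact would execute with root privileges. Pinning a digest next to `LLVM_VER` and checking it would close this, e.g. `echo "<EXPECTED_LLVM_SHA256>  clang+llvm-x86_64-linux-gnu.tar.xz" | sha256sum -c -` after the download and the same for the .deb (or installing libtinfo5 from a signed apt source over https). The `wget … && tar … && mv` chain also has no failure check, so a download error leaves `LLVM_DIR` pointing at a missing directory until the first cmake configure fails; the script header (lines 1–4) is outside the hunk, so whether a `set -e` exists there cannot be confirmed from here.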
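Review bot: The workflow-level `permissions:` / `contents: read` block is removed, which leaves the repository default token permissions for any job that does not declare its own; the single `analyze` job does declare `contents: read` and `security-events: write` (visible as context in the following hunks), so nothing changes today, but a job added later would inherit the repository default, which may be write-all. Keeping the top-level `permissions:` / `  contents: read` as a baseline costs nothing and keeps least privilege the default rather than something each job must remember to opt into. The new `push` trigger on `dev/**` together with the `if: github.repository == …` guard looks consistent with the intent described in the added comments.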
@@ -31,14 +26,15 @@ jobs: # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners # Consider using larger runners for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + # But it is not free, so please be aware of the cost. + runs-on: ubuntu-22.04 + timeout-minutes: 360 strategy: fail-fast: false matrix: - language: [ 'cpp' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + #TODO: add actions + language: ["cpp"] permissions: contents: read 
@@ -46,76 +42,95 @@ jobs: security-events: write steps: - - name: Checkout repository - uses: actions/checkout@v3 - with: - submodules: recursive - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3.29.2 - with: - languages: ${{ matrix.language }} - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - queries: security-and-quality + - name: Checkout repository + uses: actions/checkout@v3 + with: + submodules: recursive - # Command-line programs to run using the OS shell. - # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3.29.2 + with: + languages: ${{ matrix.language }} + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + queries: security-and-quality + config-file: ./.github/codeql/codeql_config.yml - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
+ - run: | + ./.github/scripts/codeql_buildscript.sh - - run: | - ./.github/scripts/codeql_buildscript.sh - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3.29.2 - with: - category: "/language:${{matrix.language}}" - upload: false - id: step1 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3.29.2 + with: + category: "/language:${{matrix.language}}" + upload: false + id: step1 - # Filter out rules with low severity or high false positve rate - # Also filter out warnings in third-party code - - name: Filter out unwanted errors and warnings - uses: advanced-security/filter-sarif@v1 - with: - patterns: | - -**:cpp/path-injection - -**:cpp/world-writable-file-creation - -**:cpp/poorly-documented-function - -**:cpp/potentially-dangerous-function - -**:cpp/use-of-goto - -**:cpp/integer-multiplication-cast-to-long - -**:cpp/comparison-with-wider-type - -**:cpp/leap-year/* - -**:cpp/ambiguously-signed-bit-field - -**:cpp/suspicious-pointer-scaling - -**:cpp/suspicious-pointer-scaling-void - -**:cpp/unsigned-comparison-zero - -**/cmake*/Modules/** - input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif - output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif + # - cpp/alloca-in-loop is about touch_pages() which is intended to + # - cpp/command-line-injection is about bh_system() which is used to + # - cpp/path-injection is used in bh_read_file_to_buffer() to load a .wasm. + # or operate a stack usage file which is not sensitive or generate a .aot + # - cpp/suspicious-pointer-scaling + # - wasm_runtime_invoke_native() used to trivial registers + # - cpp/uncontrolled-process-operation is about dlopen() which is used by + # native libraries registrations. + # - cpp/world-writable-file-creation is about fopen() a temporary file + # for perf-PID.map or .aot(wamrc). The permission isn't sensitive. + # file. 
+ # + # execute customized compiler + - name: Filter out unwanted errors and warnings + uses: advanced-security/filter-sarif@v1 + with: + patterns: | + ## Exclude files and directories + -**/build/** + -**/core/deps/** + -**/cmake*/Modules/** + -**/test*/** + -**/wasm-app*/** + ## Exclude rules 1. Related to formatting, style + -**:cpp/commented-out-code + -**:cpp/complex-condition + -**:cpp/empty-if + -**:cpp/fixme-comment + -**:cpp/include-non-header + -**:cpp/long-switch + -**:cpp/poorly-documented-function + -**:cpp/trivial-switch + -**:cpp/unused-local-variable + -**:cpp/unused-static-function + -**:cpp/unused-static-variable + -**:cpp/use-of-goto + ## Exclude rules 2. Related to special usage of APIs + -**:cpp/alloca-in-loop + -**:cpp/command-line-injection + -**:cpp/path-injection + -core/iwasm/common/wasm_runtime_common.c:cpp/suspicious-pointer-scaling + -**:cpp/uncontrolled-process-operation + -**:cpp/world-writable-file-creation + input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif + output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif - - name: Upload CodeQL results to code scanning - uses: github/codeql-action/upload-sarif@v3.29.2 - with: - sarif_file: ${{ steps.step1.outputs.sarif-output }} - category: "/language:${{matrix.language}}" + - name: Upload CodeQL results to code scanning + uses: github/codeql-action/upload-sarif@v3.29.2 + with: + sarif_file: ${{ steps.step1.outputs.sarif-output }} + category: "/language:${{matrix.language}}" - - name: Upload CodeQL results as an artifact - if: success() || failure() - uses: actions/upload-artifact@v4.6.2 - with: - name: codeql-results - path: ${{ steps.step1.outputs.sarif-output }} - retention-days: 10 + - name: Upload CodeQL results as an artifact + if: success() || failure() + uses: actions/upload-artifact@v4.6.2 + with: + name: codeql-results + path: ${{ steps.step1.outputs.sarif-output }} + retention-days: 10 - - name: Fail if an error is found - run: | - 
./.github/scripts/codeql_fail_on_error.py \ - ${{ steps.step1.outputs.sarif-output }}/cpp.sarif - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} + - name: Fail if an error is found + run: | + ./.github/scripts/codeql_fail_on_error.py \ + ${{ steps.step1.outputs.sarif-output }}/cpp.sarif + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_REPOSITORY: ${{ github.repository }}
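Review bot: Three of the new suppressions in the filter-sarif `patterns` are repo-wide even though the comments justify them by a single call site: `-**:cpp/command-line-injection` (bh_system()), `-**:cpp/path-injection` (bh_read_file_to_buffer()) and `-**:cpp/uncontrolled-process-operation` (dlopen()), so a new occurrence of any of these sinks anywhere in the tree would be filtered out before it reaches code scanning. The same hunk already scopes one rule to a file (`-core/iwasm/common/wasm_runtime_common.c:cpp/suspicious-pointer-scaling`); the other three should be scoped the same way, e.g. `-<path/to/file-containing-bh_system>:cpp/command-line-injection`, so the documented exceptions stay exceptions. The explanatory comment block above the step is cut off mid-sentence in several places (`… which is intended to`, `… which is used to`) and ends with stray `# file.` / `# execute customized compiler` lines, so the rationale should be completed or removed rather than left half-written. Separately, `actions/checkout@v3` is the only action in this hunk referenced by a floating major tag while the others use exact versions; pinning it to a specific release (or a commit SHA) would match them.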