Skip to content

testing fixes for CodeQL #4198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 24 commits into from
May 12, 2025
+103 −8
Merged

testing fixes for CodeQL #4198

Changes from 12 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
dc7ecca
testing fixes for CodeQL
May 1, 2025
0e20865
testing
May 1, 2025
3299c03
test: :etw:build
May 1, 2025
c320043
reorder tasks. enable debug logging
May 1, 2025
dc31c7c
testing compilation on windows
May 1, 2025
b96e609
changing task to use powershell
May 1, 2025
12afcd9
adding build tools
May 1, 2025
328f2b4
testing changes for windows sdk
May 1, 2025
259bc81
additional changes. also split languages into two jobs
May 1, 2025
834eac0
trying again.
May 2, 2025
db72c43
remove reference to config
May 2, 2025
211f681
testing fix for jni.h file
May 2, 2025
5e56cc9
Update codeql-daily.yml
May 9, 2025
c6cfc03
testing a alternative task to verify Windows SDK.
May 12, 2025
d058aff
Merge branch 'tilee/202505_testingCodeQLfix' of https://github.com/mi…
May 12, 2025
629c5eb
temp change to workflow to test on push to PR
May 12, 2025
be1d886
testing build C++
May 12, 2025
d660785
testing changes to script
May 12, 2025
3a99280
testing build fix
May 12, 2025
09e1740
build fix
May 12, 2025
2027b8d
update and gitignore
May 12, 2025
1ecdd70
Remove .vs directory from version control
May 12, 2025
35d5fc8
refactor
May 12, 2025
c59343a
cleanup
May 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
149 changes: 139 additions & 10 deletions .github/workflows/codeql-daily.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,19 @@ on:
schedule:
- cron: '30 1 * * *'
workflow_dispatch:
push:
branches:
- '**'

jobs:
analyze:
# ===== Java Analysis Job =====
analyze-java:
name: "Analyze Java Code"
permissions:
actions: read # for github/codeql-action/init to get workflow details
security-events: write # for github/codeql-action/analyze to upload SARIF results
actions: read
security-events: write
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

Expand All @@ -21,27 +26,151 @@ jobs:
distribution: temurin
java-version: 17

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java, c-cpp
languages: java

- name: Build Java code
run: ./gradlew assemble --no-build-cache
# Skip build cache for full code analysis

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v3
with:
category: java

# ===== C++ Analysis Job =====
analyze-cpp:
name: "Analyze C++ Code"
permissions:
actions: read
security-events: write
runs-on: windows-latest

steps:
- uses: actions/checkout@v4

- name: Set up Java 17 (required for JNI compilation)
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17

- name: Setup Visual Studio Build Tools
uses: microsoft/setup-msbuild@v1

- name: Set up Windows SDK
uses: ilammy/msvc-dev-cmd@v1

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Assemble
# skipping build cache is needed so that all modules will be analyzed
run: ./gradlew assemble --no-build-cache
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: cpp
debug: true

- name: Build C++ code
Copy link
Member

@trask trask May 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe worth adding a comment here about why the normal compilation of C++ code that we do via gradle doesn't get picked up by codeql?

shell: powershell
id: build-cpp
run: |
# Set required environment variables
$env:APPINSIGHTS_WIN10_SDK_PATH = "C:\Program Files (x86)\Windows Kits\10"
$env:APPINSIGHTS_VS_PATH = $env:VsInstallRoot
$env:JAVA_HOME = $env:JAVA_HOME_17_X64

# Explicitly define which C++ file we're interested in
$sourceDir = "etw/native/src/main/cpp"
$headerDir = "etw/native/src/main/headers"
$cppFile = "$sourceDir/etw_provider.cpp"
Copy link
Contributor Author

@TimothyMothra TimothyMothra May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the C++ files in this repo exist in this directory:
https://github.com/microsoft/ApplicationInsights-Java/tree/main/etw/native/src/main


Write-Host "Analyzing C++ file: $cppFile"

# Create compile_commands.json for CodeQL to use
$compileCommandsJson = @"
[
{
"directory": "${PWD}/$sourceDir",
"command": "cl.exe /W4 /EHsc /sdl /std:c++14 /I\"${env:APPINSIGHTS_WIN10_SDK_PATH}/include/10.0.22621.0/um\" /I\"${env:JAVA_HOME}/include\" /I\"${env:JAVA_HOME}/include/win32\" /I\"${PWD}/$headerDir\" /c $cppFile",
"file": "$cppFile"
}
]
"@

$compileCommandsFile = "compile_commands.json"
Write-Host "Creating $compileCommandsFile..."
Set-Content -Path $compileCommandsFile -Value $compileCommandsJson

# Create a simple C++ file in the same directory to ensure the compiler is called
$simpleCode = @"
// Simple file to ensure compiler is run
#include <windows.h>
#include <jni.h>
#include "etw_provider.h"
int main() { return 0; }
"@

Set-Content -Path "codeql_trigger.cpp" -Value $simpleCode

# Use a try/catch block to handle errors without failing the job
try {
# List files for debugging
Write-Host "C++ files that will be analyzed:"
Get-ChildItem -Path $sourceDir -Recurse -Include "*.cpp" | ForEach-Object {
Write-Host " $($_.FullName)"
}
Get-ChildItem -Path $headerDir -Recurse -Include "*.h" | ForEach-Object {
Write-Host " $($_.FullName)"
}

# Try a minimal compile to help CodeQL recognize the files
Write-Host "Running minimal compile..."
# Print the Java home path to verify it
Write-Host "Using JAVA_HOME: $env:JAVA_HOME"
# Check if the JNI include directory exists
$jniIncludePath = "$env:JAVA_HOME/include"
$jniIncludeWinPath = "$env:JAVA_HOME/include/win32"

if (Test-Path $jniIncludePath) {
Write-Host "JNI include path exists: $jniIncludePath"
} else {
Write-Host "WARNING: JNI include path doesn't exist: $jniIncludePath"
}

# Compile with explicit include paths
& cl.exe /c codeql_trigger.cpp /I"$headerDir" /I"$sourceDir" /I"$jniIncludePath" /I"$jniIncludeWinPath" /EHsc

Write-Host "C++ preparation completed successfully"
echo "CPP_BUILD_SUCCEEDED=true" | Out-File -FilePath $env:GITHUB_ENV -Append
}
catch {
Write-Host "Warning: C++ build step encountered an error: $_"
Write-Host "Proceeding with CodeQL analysis anyway"
echo "CPP_BUILD_SUCCEEDED=false" | Out-File -FilePath $env:GITHUB_ENV -Append
}

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v3
with:
category: cpp

- name: Report C++ build status
if: env.CPP_BUILD_SUCCEEDED == 'false'
run: |
echo "::warning::C++ build failed but CodeQL scan was attempted anyway. Some C++ issues may not be detected."

scheduled-job-notification:
permissions:
issues: write
needs:
- analyze
- analyze-java
- analyze-cpp
if: always()
uses: ./.github/workflows/reusable-scheduled-job-notification.yml
with:
success: ${{ needs.analyze.result == 'success' }}
success: ${{ needs.analyze-java.result == 'success' && needs.analyze-cpp.result == 'success' }}
Loading