From a6cbaeeae53e0735aede55cfa55ff88dd349aa90 Mon Sep 17 00:00:00 2001 From: "Michael Hawker MSFT (XAML Llama)" <24302614+michael-hawker@users.noreply.github.com> Date: Thu, 24 Aug 2023 12:53:48 -0700 Subject: [PATCH 1/4] Create codeql.yml file for custom build Auto-build could not build our repository, so adding in steps from our build.yml to enable scanning with CodeQL --- .github/workflows/codeql.yml | 99 ++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..d1a733c4 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,99 @@ + +name: "CodeQL Scan" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '28 19 * * 0' + +env: + DOTNET_VERSION: ${{ '7.0.100' }} + MULTI_TARGET_DIRECTORY: tooling/MultiTarget + +jobs: + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: windows-latest + timeout-minutes: 360 + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'csharp' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Install .NET SDK v${{ env.DOTNET_VERSION }} + uses: actions/setup-dotnet@v3 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: .NET Info (if diagnostics) + run: dotnet --info + + - name: Checkout repository + uses: actions/checkout@v3 + with: + submodules: recursive + + # Restore Tools from Manifest list in the Repository + - name: Restore dotnet tools + run: dotnet tool restore + + - name: Run Uno Check to Install Dependencies + run: dotnet tool run uno-check --ci --fix --non-interactive --skip wsl --skip androidemulator --skip vswinworkloads --verbose + + - name: Add msbuild to PATH + uses: microsoft/setup-msbuild@v1.3.1 + + - name: Enable all TargetFrameworks + working-directory: ./${{ env.MULTI_TARGET_DIRECTORY }} + run: ./UseTargetFrameworks.ps1 all -ErrorAction Stop + + - name: Generate solution w/ All Tests + working-directory: ./ + run: powershell -version 5.1 -command "./tooling/GenerateAllSolution.ps1 -IncludeHeads WinAppSdk -UseDiagnostics" -ErrorAction Stop + + - name: Enable Uno.WinUI + working-directory: ./${{ env.MULTI_TARGET_DIRECTORY }} + run: ./UseUnoWinUI.ps1 3 -ErrorAction Stop + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + - name: MSBuild + run: > + msbuild.exe /restore /nowarn:MSB4011 + /p:Configuration=Release + /m + CommunityToolkit.AllComponents.sln + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" From 762b038210a92724a4b323f250668b48a51a8115 Mon Sep 17 00:00:00 2001 From: michael-hawker <24302614+michael-hawker@users.noreply.github.com> Date: Thu, 24 Aug 2023 15:32:13 -0700 Subject: [PATCH 2/4] Update sub-module with clean-up and fix for WASM CodeQL warning --- tooling | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tooling b/tooling index d8230e99..2f3aa1d8 160000 --- a/tooling +++ b/tooling @@ -1 +1 @@ -Subproject commit d8230e99d43c67f31b014583c769d5192832afed +Subproject commit 2f3aa1d8debec357bb5f57066cf0c1925c2e1f1a From 9f781d0427acbb6ddf21b59c8bfa663b59139d23 Mon Sep 17 00:00:00 2001 From: michael-hawker <24302614+michael-hawker@users.noreply.github.com> Date: Fri, 25 Aug 2023 15:28:17 -0700 Subject: [PATCH 3/4] Add CodeQL Config file to enable additional queries for Security Also go back to large runner as analysis ran out of memory before --- .github/codeql/codeql-config.yml | 7 +++++++ .github/workflows/codeql.yml | 5 +++-- 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..d52973fc --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,7 @@ +name: "Security and Quality" + +queries: + - name: Queries from security-extended, plus maintainability and reliability queries + uses: security-and-quality + - name: Queries from the default suite, plus lower severity and precision queries + uses: security-extended \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d1a733c4..732ce8e0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,7 +22,7 @@ jobs: # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners # Consider using larger runners for possible analysis time improvements. - runs-on: windows-latest + runs-on: windows-latest-large timeout-minutes: 360 permissions: actions: read @@ -79,12 +79,13 @@ jobs: uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} + config-file: ./.github/codeql/codeql-config.yml # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + # queries: +security-extended,security-and-quality - name: MSBuild run: > From b821a161e3443aefb7d96eaa99764207d26c14da Mon Sep 17 00:00:00 2001 From: michael-hawker <24302614+michael-hawker@users.noreply.github.com> Date: Mon, 28 Aug 2023 07:18:19 -0700 Subject: [PATCH 4/4] Update CodeQL Config to Limit Scope Don't run if only changes to markdown files, samples, or tests Only analyze src files and not generated files .g.cs files --- .github/codeql/codeql-config.yml | 7 ++++++- .github/workflows/codeql.yml | 5 +++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index d52973fc..44363610 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -4,4 +4,9 @@ queries: - name: Queries from security-extended, plus maintainability and reliability queries uses: security-and-quality - name: Queries from the default suite, plus lower severity and precision queries - uses: security-extended \ No newline at end of file + uses: security-extended + +paths: + - '**/src/**/*.cs' +paths-ignore: + - '**/*.g.cs' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 732ce8e0..fae24a27 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,6 +7,11 @@ on: pull_request: # The branches below must be a subset of the branches above branches: [ "main" ] + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '**/samples/**/*' + - '**/tests/**/*' schedule: - cron: '28 19 * * 0'