diff --git a/README.md b/README.md
index ff9bf62..1cd58ee 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,34 @@ These databases are used by Visual Studio Code to support code navigation and au
 Congratulations, you are now a dev container enthusiast 😊.
+### How to use: codeql
+
+The devcontainer codeql installation supports C, C++ and Rust source code analysis. All publicly available
+"coding standards" are preloaded and codeql is already in PATH.
+
+Example:
+
+```sh
+git clone https://github.com/nlohmann/json.git
+cd json
+cmake -S . -B build -G Ninja
+
+# Step 1: Create database
+mkdir _sca
+codeql database create _sca/codeql_data \
+ --threads=0 \
+ --language=cpp \
+ --command="ninja -C build" \
+ --source-root=.
+
+# Step 2: Run rulechecker and create SARIF report
+codeql database analyze _sca/codeql_data \
+ codeql/misra-cpp-coding-standards \
+ --threads=0 \
+ --format=sarif-latest \
+ --output=_sca/codeql-results.sarif
+```
+
 ## Development
 > [!NOTE]
diff --git a/src/s-core-devcontainer/.devcontainer/devcontainer.json b/src/s-core-devcontainer/.devcontainer/devcontainer.json
index 183be4d..93380d1 100644
--- a/src/s-core-devcontainer/.devcontainer/devcontainer.json
+++ b/src/s-core-devcontainer/.devcontainer/devcontainer.json
@@ -69,7 +69,8 @@
 "swyddfa.esbonio", // for Sphinx documentation support
 "rust-lang.rust-analyzer", // Rust language support for Visual Studio Code; see also tasks below
 "github.vscode-pull-request-github", // GitHub integration
- "bierner.markdown-preview-github-styles" // GitHub style for Markdown preview
+ "bierner.markdown-preview-github-styles", // GitHub style for Markdown preview
+ "ms-sarifvscode.sarif-viewer" // CodeQL report viewer
 ],
 "settings": {
 "files.insertFinalNewline": true,
@@ -90,6 +91,10 @@
 "--experimental_use_code_flow_analysis",
 "--experimental_enable_label_completions"
 ],
+ // we are NOT installing the codeql extension, because this is only needed for codeql rule development,
+ // but just in case someone wants to use it, we preconfigure it here
+ "codeQL.runningQueries.numberOfThreads": 0, // use all available threads, I can't believe this is not the default
+ "codeQl.cli.executablePath": "$CODEQL_HOME/codeql",
 "C_Cpp.intelliSenseEngine": "disabled",
 // This only supports basic tests: https://github.com/matepek/vscode-catch2-test-adapter/issues/429
 // More complex tests may need execution via bazel, which is not done yet.
diff --git a/src/s-core-devcontainer/.devcontainer/s-core-local/install.sh b/src/s-core-devcontainer/.devcontainer/s-core-local/install.sh
index 498d827..5c7c3a9 100755
--- a/src/s-core-devcontainer/.devcontainer/s-core-local/install.sh
+++ b/src/s-core-devcontainer/.devcontainer/s-core-local/install.sh
@@ -31,6 +31,9 @@ DEBIAN_FRONTEND=noninteractive
 # Read tool versions + metadata into environment variables
 . /devcontainer/features/s-core-local/versions.sh /devcontainer/features/s-core-local/versions.yaml
+ARCHITECTURE=$(dpkg --print-architecture)
+KERNEL=$(uname -s)
+
 apt-get update
 # Unminimize the image to include standard packages like man pages
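Review bot: `codeQl.cli.executablePath` is cased differently from `codeQL.runningQueries.numberOfThreads` on the line above; VS Code matches setting IDs exactly, so this key is most likely ignored and the CodeQL extension would fall back to its own CLI download. The value `$CODEQL_HOME/codeql` has a second problem: settings.json does not expand shell variables, so the extension would look for a literal path beginning with `$`. Since install.sh in this same change puts the CLI at a fixed location, spell the path out: `"codeQL.cli.executablePath": "/usr/local/codeql/codeql",`. The enclosing settings object continues outside the hunk.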
@@ -80,13 +83,84 @@ apt-get install -y gdb="${gdb_version}*"
 apt-get install -y valgrind="1:${valgrind_version}*"
+# CodeQL
+apt-get install -y zstd
+if [ "${ARCHITECTURE}" = "amd64" ]; then
+ VARIANT=linux64
+ SHA256SUM="${codeql_amd64_sha256}"
+elif [ "${ARCHITECTURE}" = "arm64" ]; then
+ if [ "${KERNEL}" = "Darwin" ]; then
+ VARIANT=osx64
+ SHA256SUM="${codeql_arm64_sha256}"
+ else
+ echo "CodeQl unsupported architecture/os: ${ARCHITECTURE} on ${KERNEL}, skipping installation"
+ VARIANT=noinstall
+ fi
+else
+ echo "Unsupported architecture: ${ARCHITECTURE} for CodeQL"
+ exit 1
+fi
+
+if [ "${VARIANT}" != "noinstall" ]; then
+ codeql_install_dir="/usr/local"
+ curl -L "https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-${VARIANT}.tar.zst" -o /tmp/codeql.tar.zst
+ echo "${SHA256SUM} /tmp/codeql.tar.zst" | sha256sum -c - || exit 1
+ tar -I zstd -xf /tmp/codeql.tar.zst -C "${codeql_install_dir}"
+ ln -s "${codeql_install_dir}"/codeql/codeql /usr/local/bin/codeql
+ rm /tmp/codeql.tar.zst
+ export CODEQL_HOME=${codeql_install_dir}/codeql
+ echo "export CODEQL_HOME=${codeql_install_dir}/codeql" > /etc/profile.d/codeql.sh
+
+ codeql pack download codeql/misra-cpp-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+ codeql pack download codeql/misra-c-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+ codeql pack download codeql/cert-cpp-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+ codeql pack download codeql/cert-c-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+
+ # slim down codeql bundle (1.7GB -> 1.1 GB) by removing unnecessary language extractors and qlpacks
+ codeql_purge_dirs=(
+ "${codeql_install_dir}/codeql/csharp"
+ "${codeql_install_dir}/codeql/go"
+ "${codeql_install_dir}/codeql/java"
+ "${codeql_install_dir}/codeql/javascript"
+ "${codeql_install_dir}/codeql/python"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/csharp-all"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/csharp-examples"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/csharp-queries"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/go-all"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/go-examples"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/go-queries"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/java-all"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/java-examples"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/java-queries"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/javascript-all"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/javascript-examples"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/javascript-queries"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/python-all"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/python-examples"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/python-queries"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/ruby-all"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/ruby-examples"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/ruby-queries"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/swift-all"
+ "${codeql_install_dir}/codeql/qlpacks/codeql/swift-queries"
+ "${codeql_install_dir}/codeql/ruby"
+ "${codeql_install_dir}/codeql/swift"
+ )
+ for dir in "${codeql_purge_dirs[@]}"; do
+ if [ -d "${dir}" ]; then
+ rm -rf "${dir}"
+ fi
+ done
+fi
+
+
 # Bash completion for rust tooling
 rustup completions bash rustup >> /etc/bash_completion.d/rustup.bash
 rustup completions bash cargo >> /etc/bash_completion.d/cargo.bash
 # Cleanup
 # REMOVE CONTAINER BUILD DEPENDENCIES
-apt-get remove --purge -y apt-transport-https
+apt-get remove --purge -y apt-transport-https zstd
 apt-get autoremove -y
 apt-get clean
 rm -rf /var/lib/apt/lists/*
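Review bot: The `Darwin` branch in the arm64 `elif` cannot be taken: `uname -s` reports the kernel of the container, which is `Linux` for a Debian image (the script runs `apt-get`) even when the host is an Apple Silicon Mac, so a linux/arm64 build always falls into the "skipping installation" path and the image is built without codeql while the README added in this change says codeql is already in PATH. If, as I believe, GitHub publishes no linux/arm64 CodeQL bundle, say so instead of testing for macOS and send the diagnostic to stderr: `elif [ "${ARCHITECTURE}" = "arm64" ]; then`, `  echo "No CodeQL bundle for linux/${ARCHITECTURE}, skipping installation" >&2`, `  VARIANT=noinstall`. Two smaller points: `curl -L` without `--fail` writes an HTML error page on a 404, which the sha256sum check then rejects as a checksum mismatch rather than an HTTP error (`curl -fsSL --proto '=https' ...`), and the four `codeql pack download` calls pull from the package registry at image build time with a version pin but no digest, so unlike the bundle their contents are not checked against anything recorded in this repository.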
diff --git a/src/s-core-devcontainer/.devcontainer/s-core-local/tests/test_default.sh b/src/s-core-devcontainer/.devcontainer/s-core-local/tests/test_default.sh
index 6d714ae..7ea398a 100755
--- a/src/s-core-devcontainer/.devcontainer/s-core-local/tests/test_default.sh
+++ b/src/s-core-devcontainer/.devcontainer/s-core-local/tests/test_default.sh
@@ -15,6 +15,9 @@ set -euo pipefail
+ARCHITECTURE=$(dpkg --print-architecture)
+KERNEL=$(uname -s)
+
 # Read tool versions + metadata into environment variables
 . /devcontainer/features/s-core-local/versions.sh /devcontainer/features/s-core-local/versions.yaml
@@ -54,6 +57,9 @@ check "validate JAVA_HOME is set correctly" bash -c "echo ${JAVA_HOME} | xargs r
 check "validate gdb is working and has the correct version" bash -c "gdb --version | grep '${gdb_version}'"
 check "validate gh is working and has the correct version" bash -c "gh --version | grep '${gh_version}'"
 check "validate valgrind is working and has the correct version" bash -c "valgrind --version | grep '${valgrind_version}'"
+if [ "${ARCHITECTURE}" = "amd64" ] || { [ "${ARCHITECTURE}" = "arm64" ] && [ "${KERNEL}" = "Darwin" ]; }; then
+ check "validate codeql is working and has the correct version" bash -c "codeql --version | grep '${codeql_version}'"
+fi
 # Qemu target-related tools
 check "validate qemu-system-aarch64 is working and has the correct version" bash -c "qemu-system-aarch64 --version | grep '${qemu_system_arm_version}'"
diff --git a/src/s-core-devcontainer/.devcontainer/s-core-local/versions.yaml b/src/s-core-devcontainer/.devcontainer/s-core-local/versions.yaml
index c017278..d37fa28 100644
--- a/src/s-core-devcontainer/.devcontainer/s-core-local/versions.yaml
+++ b/src/s-core-devcontainer/.devcontainer/s-core-local/versions.yaml
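Review bot: The guard around the codeql check mirrors the branch logic of the installer rather than checking what the image actually contains, so on a linux/arm64 build the check is skipped silently and the two conditions can drift apart without any test noticing. Inside the Debian container `uname -s` is always `Linux`, so the `{ [ "${ARCHITECTURE}" = "arm64" ] && [ "${KERNEL}" = "Darwin" ]; }` group is dead and the condition reduces to `amd64`. Make the skip deliberate with a negative assertion: `else`, `  check "validate codeql is intentionally absent on ${ARCHITECTURE}" bash -c "! command -v codeql"`, `fi`.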
@@ -46,5 +46,18 @@ openjdk_21:
 shellcheck:
 version: 0.9.0
+codeql:
+ # the coding_standards_version below dictates the codeql version
+ version: 2.21.4
+ amd64:
+ # see https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-linux64.tar.zst.checksum.txt
+ sha256: 6da9f3df228d4e162af877569240a627c1af22f6adbd26352b22357fb8bd7545
+ arm64:
+ # see https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-osx64.tar.zst.checksum.txt
+ sha256: 810a1fff48aeb081be754e46e255edd90d8695966e78431a65edb00e9e6cc399
+
+codeql_coding_standards:
+ version: 2.54.0
+
 valgrind:
 version: 3.22.0
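Review bot: The `arm64.sha256` entry is, by its own comment, the checksum of the macOS `osx64` bundle and not of a Linux arm64 build, so the key name will mislead the next person who touches the installer; a comment above it such as `# checksum of the macOS (osx64) bundle; no linux/arm64 CodeQL bundle exists` would make that explicit (I believe that is the reason, please confirm). It is also worth recording that both digests were copied from the `.checksum.txt` files served next to the artifacts, so they catch a corrupted or substituted download only as long as the values committed here are trusted; they are not an independent verification of the upstream release. The comment `# the coding_standards_version below dictates the codeql version` would be clearer as `# must match the CodeQL CLI version supported by the codeql_coding_standards release below`.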