.github: Add initial CodeQL config and workflow files
authorMichael Kubacki <michael.kubacki@microsoft.com>
Wed, 3 Aug 2022 20:19:02 +0000 (16:19 -0400)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Tue, 8 Nov 2022 15:29:26 +0000 (15:29 +0000)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4115

Adds initial support for enabling CodeQL Code Scanning in this
repository per the RFC:

  https://github.com/tianocore/edk2/discussions/3258

Adds the following new files:
  - .github/workflows/codeql-analysis.yml - The main GitHub workflow
    file used to setup CodeQL in the repo.
  - .github/codeql/codeql-config.yml - The main CodeQL configuration
    file used to customize the queries and other resources the repo
    is using for CodeQL.
  - edk2.qls - A query set of queries to run for CodeQL.

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
.github/codeql/codeql-config.yml [new file with mode: 0644]
.github/codeql/edk2.qls [new file with mode: 0644]
.github/workflows/codeql-analysis.yml [new file with mode: 0644]

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644 (file)
index 0000000..3e27c2f
--- /dev/null
@@ -0,0 +1,30 @@
+## @file\r
+# CodeQL configuration file for edk2.\r
+#\r
+# Copyright (c) Microsoft Corporation.\r
+# SPDX-License-Identifier: BSD-2-Clause-Patent\r
+##\r
+\r
+name: "CodeQL config"\r
+\r
+# The following line disables the default queries. This is used because we want to enable on query at a time by\r
+# explicitly specifying each query in a "queries" array as they are enabled.\r
+#\r
+# See the following for more information about adding custom queries:\r
+# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file\r
+\r
+#disable-default-queries: true\r
+\r
+queries:\r
+  - name: EDK2 CodeQL Query List\r
+    uses: ./.github/codeql/edk2.qls\r
+\r
+# We must specify a query for CodeQL to run. Until the first query is enabled, enable the security query suite but\r
+# exclude all problem levels from impacting the results. After the first query is enabled, this filter can be relaxed\r
+# to find the level of problems desired from the query.\r
+query-filters:\r
+- exclude:\r
+    problem.severity:\r
+      - error\r
+      - warning\r
+      - recommendation\r
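Review bot: The comment at the top of `codeql-config.yml` says default queries are disabled, but the `disable-default-queries: true` line beneath it is commented out, so the stock `cpp` suite still runs alongside `edk2.qls`, and the `query-filters` block then excludes `error`, `warning` and `recommendation`, which also drops the results of the one query `edk2.qls` explicitly enables. As committed the scan appears to upload an essentially empty result set, and the comment above `query-filters` about "enabling the security query suite" no longer describes what `queries` points to. If the intent is to gate in one query at a time, uncomment `disable-default-queries: true` and remove the severity exclusions, and reword the `query-filters` comment to state that the filter is only a placeholder until the first query is trusted. Also fix the typo "enable on query at a time" to "enable one query at a time".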
diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls
new file mode 100644 (file)
index 0000000..0efc7dc
--- /dev/null
@@ -0,0 +1,12 @@
+---\r
+- description: EDK2 (C++) queries\r
+\r
+# Bring in all queries from the official cpp-queries suite so individual queries can be explicitly enabled.\r
+\r
+- queries: '.'\r
+  from: codeql/cpp-queries\r
+\r
+# Enable individual queries below.\r
+\r
+- include:\r
+    id: cpp/conditionallyuninitializedvariable\r
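Review bot: The `from: codeql/cpp-queries` entry gives no `version:`, so the CLI resolves whatever pack version is current at run time and the scheduled scans can change behaviour with no change in this repository. For a suite that is meant to enable queries one at a time, pinning the pack with `  version: '<x.y.z>'` under `from:` keeps results reproducible and makes each upgrade an explicit, reviewable diff. A short comment on that line noting where the pinned version is tracked would help whoever bumps it next.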
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644 (file)
index 0000000..2eacb9c
--- /dev/null
@@ -0,0 +1,91 @@
+# @file\r
+# GitHub Workflow for CodeQL Analysis\r
+#\r
+# Copyright (c) Microsoft Corporation.\r
+#\r
+# SPDX-License-Identifier: BSD-2-Clause-Patent\r
+##\r
+\r
+name: "CodeQL"\r
+\r
+on:\r
+  push:\r
+    branches:\r
+      - master\r
+  pull_request:\r
+    branches:\r
+      - master\r
+    paths-ignore:\r
+      - '**/*.bat'\r
+      - '**/*.md'\r
+      - '**/*.py'\r
+      - '**/*.rst'\r
+      - '**/*.sh'\r
+      - '**/*.txt'\r
+\r
+  schedule:\r
+    # https://crontab.guru/#20_23_*_*_4\r
+    - cron: '20 23 * * 4'\r
+\r
+jobs:\r
+  analyze:\r
+    name: Analyze\r
+    runs-on: windows-2019\r
+    permissions:\r
+      actions: read\r
+      contents: read\r
+      security-events: write\r
+\r
+    strategy:\r
+      fail-fast: false\r
+      matrix:\r
+        package: [\r
+          "ArmPkg",\r
+          "CryptoPkg",\r
+          "DynamicTablesPkg",\r
+          "FatPkg",\r
+          "FmpDevicePkg",\r
+          "IntelFsp2Pkg",\r
+          "IntelFsp2WrapperPkg",\r
+          "MdeModulePkg",\r
+          "MdePkg",\r
+          "PcAtChipsetPkg",\r
+          "PrmPkg",\r
+          "SecurityPkg",\r
+          "ShellPkg",\r
+          "SourceLevelDebugPkg",\r
+          "StandaloneMmPkg",\r
+          "UefiCpuPkg",\r
+          "UnitTestFrameworkPkg"]\r
+\r
+    steps:\r
+    - name: Checkout repository\r
+      uses: actions/checkout@v3\r
+\r
+    # Initializes the CodeQL tools for scanning.\r
+    - name: Initialize CodeQL\r
+      uses: github/codeql-action/init@v2\r
+      with:\r
+        languages: 'cpp'\r
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]\r
+        # Learn more about CodeQL language support at https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/\r
+        config-file: ./.github/codeql/codeql-config.yml\r
+        # Note: Add new queries to codeql-config.yml file as they are enabled.\r
+\r
+    - name: Install/Upgrade pip Modules\r
+      run: pip install -r pip-requirements.txt --upgrade\r
+\r
+    - name: Setup\r
+      run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019\r
+\r
+    - name: Update\r
+      run: stuart_update -c .pytool/CISettings.py -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019\r
+\r
+    - name: Build Tools From Source\r
+      run: python BaseTools/Edk2ToolsBuild.py -t VS2019\r
+\r
+    - name: CI Build\r
+      run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.package }} -t DEBUG -a IA32,X64 TOOL_CHAIN_TAG=VS2019\r
+\r
+    - name: Perform CodeQL Analysis\r
+      uses: github/codeql-action/analyze@v2\r
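Review bot: The `Perform CodeQL Analysis` step runs once per `matrix.package` entry but passes no `category`, so all seventeen jobs upload SARIF for the same commit and language under the same default category. CodeQL treats those as one analysis, so later uploads overwrite or are rejected rather than merged, and findings from most packages would be lost; add `      with:` / `        category: ${{ matrix.package }}` to the analyze step. Separately, `actions/checkout@v3` and `github/codeql-action/init@v2`/`analyze@v2` are tag-pinned; for a job holding `security-events: write`, the usual supply-chain hardening is to pin each action to a full commit SHA with the tag in a trailing comment.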