v4.5.0

@github-actions github-actions released this 07 Sep 23:32
· 307 commits to refs/heads/main since this release

What's Changed

🚀 Features & ✨ Enhancements

  • Add CodeQL Filtering and GitHub Workflow Support [Rebase & FF] @makubacki (#692)
    Change Details
      Description

    CodeQL was previously enabled in the repo to the point that it could
    be run locally with the --codeql flag. It was not enabled in CI
    because the pre-existing CodeQL GitHub workflow did not support platform
    builds.

    This change hooks PlatformBuild.py into the newer stuart_codeql helper
    functionality, adds proper filtering support, and a platform workflow that
    allows CodeQL to run in this repo on every PR.

    Running CodeQL at a "platform" level is advantageous because it can catch
    similar CodeQL violations found when building physical platform code.

    Note: codeql-platform.yml is directly checked into the repo here as it has
    been tested and it is more clearly explained attached to this PR. In the
    future, it will be synced from mu_devops.
    There is some similarity with the pre-existing CodeQL CI workflow, but those
    are relatively simple tasks not expected to change much. They may be converged
    in the future, but that is not a goal right now.

    Note: CodeQL is only enabled for QemuQ35Pkg as the CodeQL extractor fails
    on Linux for edk2 style builds and QemuSbsaPkg does not build on
    Windows/Visual Studio at this time.


    pip: bump edk2-pytool-extensions from 0.24.0 to 0.24.1

    Includes the edk2toolext.codeql functions needed in upcoming
    changes.


    QemuQ35Pkg/PlatformBuild.py: Add CodeQL filtering support

    Makes a number of adjustments in PlatformBuild.py as outlined below.
    The main improvement is adding support to recursively gather CodeQL
    filter files within the repo.

    1. Remove unused imports at the top of the file.
    2. Use the CodeQL functions newly added to edk2-pytool-extensions.
    3. Replace local functionality with common implementation in the
      codeql module.
    4. Remove trailing whitespace throughout the file.

    Add CodeQL platform GitHub workflow

    Adds a new GitHub workflow that allows CodeQL to run against platform
    builds. Previously, only a "CI" CodeQL workflow existed that did not
    support platform builders.

    This file is being added directly to the repo as it is paired with
    other changes that it has been tested alongside. In the future, it
    will automatically be synced from mu_devops.

    Nothing about the file is specific to mu_tiano_platforms or any
    particular platform. It works by discovering all buildable platforms
    in a repo before any dependencies are cloned and then verifying
    the build files in the platform package directory support platform
    build. If they do, it is checked if they support CodeQL. Only
    platforms that meet all of these conditions are actually built via
    a dynamic platform package matrix.

    This allows the workflow to scale across platform repos and
    automatically pick up new platforms as they onboard support for
    CodeQL.


    • Impacts functionality?
      • Functionality - Does the change ultimately impact how firmware functions?
      • Examples: Add a new library, publish a new PPI, update an algorithm, ...
    • Impacts security?
      • Security - Does the change have a direct security impact on an application,
        flow, or firmware?
      • Examples: Crypto algorithm change, buffer overflow fix, parameter
        validation improvement, ...
    • Breaking change?
      • Breaking change - Will anyone consuming this change experience a break
        in build or boot behavior?
      • Examples: Add a new library class, move a module to a different repo, call
        a function in a new library class in a pre-existing module, ...
    • Includes tests?
      • Tests - Does the change include any explicit test code?
      • Examples: Unit tests, integration tests, robot tests, ...
    • Includes documentation?
      • Documentation - Does the change contain explicit documentation additions
        outside direct code modifications (and comments)?
      • Examples: Update readme file, add feature readme file, link to documentation
        on a separate Web page, ...

    How This Was Tested

    1. Ran the QemuQ35Pkg CodeQL build locally
    2. Ran the CodeQL - Platform GitHub workflow
      • Verified successful detection and build of QemuQ35Pkg

    Integration Instructions

    Moving forward, it is recommended to run CodeQL locally when making C source
    code changes in QemuQ35Pkg. Also, CodeQL success will become a required
    status check in mu_tiano_platforms CI for QemuQ35Pkg. See the following
    CodeQL plugin documentation for more info.

🛠️ Submodule Updates

  • Bump Common/MU_TIANO from 2023020000.0.4 to 2023020000.1.0 @ProjectMuBot (#697)
    Change Details
      Bumps Common/MU_TIANO from `2023020000.0.4` to `2023020000.1.0`

    Introduces 2 new commits in Common/MU_TIANO.

    Commits
    • fd4fa1 Repo File Sync: Add extra_cargo_steps parameter to MuDevOpsWrapper.yml (#175)
    • 93034d CodeQlFilters.yml: Glob file patterns in nested directories (#177)

    Signed-off-by: Project Mu Bot mubot@microsoft.com

  • Bump Common/MU from 2023020001.4.1 to 2023020001.5.0 @ProjectMuBot (#698)
    Change Details
      Bumps Common/MU from `2023020001.4.1` to `2023020001.5.0`

    Introduces 2 new commits in Common/MU.

    Commits
    • 88d3dd Repo File Sync: Add extra_cargo_steps parameter to MuDevOpsWrapper.yml (#305)
    • a3d53e CodeQlFilters.yml: Glob file patterns in nested directories (#307)

    Signed-off-by: Project Mu Bot mubot@microsoft.com

  • Bump MU_BASECORE from 2023020006.0.0 to 2023020006.1.0 @ProjectMuBot (#696)
    Change Details
      Bumps MU_BASECORE from `2023020006.0.0` to `2023020006.1.0`

    Introduces 1 new commits in MU_BASECORE.

    Commits
    • 8ea518 CodeQlFilters.yml: Glob file patterns in nested directories (#552)

    Signed-off-by: Project Mu Bot mubot@microsoft.com

Full Changelog: v4.4.1...v4.5.0