Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .bazelrc
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,9 @@ build:clang_tidy --@score_bazel_tools_cc//quality:quality_clang_tidy_config=//:c
build:clang_tidy --aspects=@score_bazel_tools_cc//quality:defs.bzl%quality_clang_tidy_aspect
build:clang_tidy --build_tag_filters="-tidy_suite"
build:clang_tidy --force_pic

# CodeQL static analysis evaluation (eclipse-score/baselibs#317)
import %workspace%/score/quality/static_analysis/static_analysis.bazelrc
build:clang_tidy --incompatible_enable_cc_toolchain_resolution
build:clang_tidy --output_groups=clang_tidy_output
build:clang_tidy --verbose_failures
70 changes: 70 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

# CodeQL MISRA C++ static analysis evaluation for baselibs (eclipse-score/baselibs#317).
name: CodeQL static analysis (evaluation)
permissions:
contents: read
actions: write
security-events: write
on:
pull_request:
types: [opened, reopened, synchronize]
jobs:
codeql:
runs-on: ubuntu-24.04
env:
CODEQL_TARGET_SCOPE: //score/bitmanipulation/...
steps:
- uses: eclipse-score/more-disk-space@6a3b48901846bf7f8cc985925157d71a8973e61f # v1
with:
level: 3
- name: Checkout Repository
uses: actions/checkout@v6
- name: Allow linux-sandbox
uses: eclipse-score/cicd-actions/unblock-user-namespace-for-linux-sandbox@f89865691445b60e9229c36adb1c37b675e1ca85
- name: Setup Bazel Cache
uses: eclipse-score/cicd-actions/setup-bazel-cache@659dcbed63f6b7fbde88c7850125ea0a0a92f939
with:
unique-cache-name: ${{ github.workflow }}-${{ github.job }}
- name: Resolve production (non-test) targets
id: resolve-targets
run: |
# Exclude cc_test targets (and testonly helpers/mocks) so CodeQL only
# analyzes production code, not test/GTest framework noise
# (eclipse-score/baselibs#317 finding: GTest's TEST() macro alone
# triggers dozens of unrelated MISRA findings per test file).
bazel query "${CODEQL_TARGET_SCOPE} except kind(cc_test, ${CODEQL_TARGET_SCOPE}) except attr(testonly, 1, ${CODEQL_TARGET_SCOPE})" \
--output=label > /tmp/codeql-targets.txt
echo "Resolved $(wc -l < /tmp/codeql-targets.txt) production target(s):"
cat /tmp/codeql-targets.txt
- name: Run CodeQL analysis
id: run-codeql
run: |
bazel run //score/quality/static_analysis:codeql_lint -- \
--output-dir /tmp/codeql-results \
--output-prefix codeql-baselibs \
--target $(cat /tmp/codeql-targets.txt)
#- name: Upload SARIF to GitHub Code Scanning
# if: always() && steps.run-codeql.outcome == 'success'
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: /tmp/codeql-results/codeql-baselibs.sarif
# category: codeql-baselibs
- name: Upload CSV results
if: always() && steps.run-codeql.outcome == 'success'
uses: actions/upload-artifact@v4
with:
name: codeql-csv-results
path: /tmp/codeql-results/codeql-baselibs.csv
retention-days: 30
29 changes: 29 additions & 0 deletions MODULE.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,35 @@ register_toolchains(
dev_dependency = True,
)

## Configure CodeQL static analysis (evaluation, see eclipse-score/baselibs#317)
## Ported from eclipse-score/communication's quality/static_analysis approach.

pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip", dev_dependency = True)
pip.parse(
hub_name = "codeql_coding_standards_pip_hub",
python_version = PYTHON_VERSION,
requirements_lock = "//third_party/codeql:requirements_lock.txt",
)
use_repo(pip, "codeql_coding_standards_pip_hub")

http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
name = "codeql_bundle",
build_file = "//third_party/codeql:codeql.BUILD",
sha256 = "a94f674bb3c23ea5e9a2ad06b64847dd0277b15014d2517ecd9c41c88e6caa65",
url = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.21.4/codeql-bundle-linux64.tar.gz",
)

git_repository = use_repo_rule("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")

git_repository(
name = "codeql_coding_standards",
build_file = "//third_party/codeql:codeql_coding_standards.BUILD",
commit = "06dc6bc32b05152fbe94dbf341a3e854574c9df5", # v2.61.0
remote = "https://github.com/github/codeql-coding-standards.git",
)

deb = use_repo_rule("@download_utils//download/deb:defs.bzl", "download_deb")

deb(
Expand Down
16 changes: 16 additions & 0 deletions coding-standards.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
deviations:
- rule-id: "RULE-18-5-2"
query-id: "cpp/misra/avoid-program-terminating-functions"
justification: "Evaluation of the CodeQL coding-standards justification mechanism for
baselibs (eclipse-score/baselibs#317). This deviation mirrors the one already
accepted in eclipse-score/communication and is scoped to the score/ tree only."
paths:
- "score"
- rule-id: "RULE-21-6-1"
query-id: "cpp/misra/dynamic-memory-should-not-be-used"
justification: "Evaluation of the CodeQL coding-standards path-scoped justification
mechanism for baselibs (eclipse-score/baselibs#317). score/language/futurecpp
intentionally manages dynamic memory as part of its allocator/memory_resource
implementation; scoped narrowly to that component to demonstrate suppression."
paths:
- "score/language/futurecpp"
6 changes: 3 additions & 3 deletions score/bitmanipulation/bit_manipulation.h
Original file line number Diff line number Diff line change
Expand Up @@ -29,20 +29,20 @@ class HalfByte
{
public:
/// \brief Construct a HalfByte from a uint8, only the last 4 bits are considered
constexpr explicit HalfByte(const std::uint8_t value) : repr{static_cast<std::uint8_t>(value & mask)} {}
constexpr explicit HalfByte(const std::uint8_t value) : repr1{static_cast<std::uint8_t>(value & mask)} {}
// NOLINTBEGIN(google-explicit-constructor): No potentially dangerous type conversion
// AUTOSAR Rule A13-5-2 prohibits implicit user defined conversion operators to avoid potential errors in type
// conversion. But we do not convert underlying type (repr_ is std::uint8_t and return type is std::uint8_t).
// Implicit 'decay' to std::uint8_t is needed as current HalfByte design permits arithmetic operations on it.
// coverity[autosar_cpp14_a13_5_2_violation]
constexpr operator std::uint8_t() const
{
return repr;
return repr1;
}
// NOLINTEND(google-explicit-constructor): see above for detailed explanation
private:
static constexpr std::uint8_t mask{0b0000'1111U};
std::uint8_t repr;
std::uint8_t repr1;
};

// Change to std::byte in C++17
Expand Down
12 changes: 6 additions & 6 deletions score/bitmanipulation/bit_manipulation_test.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -28,9 +28,9 @@ using ::testing::Eq;

TEST(HalfByte, CanBeConstructedFromUInt8)
{
constexpr HalfByte value{std::uint8_t{4u}};
constexpr HalfByte value1{std::uint8_t{4u}};

EXPECT_THAT(value, Eq(4u));
EXPECT_THAT(value1, Eq(4u));
}

TEST(HalfByte, CanBeConstructedFromUInt16IfInRange)
Expand All @@ -49,16 +49,16 @@ TEST(HalfByte, CanBeConstructedFromBigUInt8ButUpperHalfIsDropped)

TEST(Byte, CanBeConstructedFromUInt8)
{
constexpr Byte value{std::uint8_t{4u}};
constexpr Byte value1{std::uint8_t{4u}};

EXPECT_THAT(value, Eq(4u));
EXPECT_THAT(value1, Eq(4u));
}

TEST(Byte, CanBeConstructedFromUInt16IfInRange)
{
constexpr Byte value{std::uint16_t{4u}};
constexpr Byte value1{std::uint16_t{4u}};

EXPECT_THAT(value, Eq(4u));
EXPECT_THAT(value1, Eq(4u));
}

TEST(Byte, CanBeConstructedFromTwoHalfBytes)
Expand Down
4 changes: 2 additions & 2 deletions score/bitmanipulation/bitmask_operators.h
Original file line number Diff line number Diff line change
Expand Up @@ -117,12 +117,12 @@ constexpr typename std::enable_if<std::is_enum<T>::value && score::enable_bitmas
// coverity[autosar_cpp14_m7_3_1_violation]
operator&(const T & lhs, const T & rhs)
{
using U = std::underlying_type_t<T>;
using U1 = std::underlying_type_t<T>;
// Suppress "AUTOSAR C++14 A4-7-1" rule finding. This rule states: "An integer expression shall not lead to data
// loss." In this context, there is no data loss because lhs/rhs is promoted to std::uint64_t for the bitwise
// operation. The result is then checked for non-zero, ensuring the integrity of the original data.
// coverity[autosar_cpp14_a4_7_1_violation]
return (static_cast<std::uint64_t>(static_cast<U>(lhs)) & static_cast<std::uint64_t>(static_cast<U>(rhs))) != 0U;
return (static_cast<std::uint64_t>(static_cast<U1>(lhs)) & static_cast<std::uint64_t>(static_cast<U1>(rhs))) != 0U;
}

/// @brief Provides the bitwise XOR operator for scoped enums.
Expand Down
8 changes: 4 additions & 4 deletions score/bitmanipulation/bitmask_operators_test.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -69,10 +69,10 @@ TEST(MyBitmask, SupportsOperatorAnd)

TEST(MyBitmask, SupportsOperatorXor)
{
MyBitmask bitmask{MyBitmask::a ^ MyBitmask::b};
EXPECT_EQ(static_cast<UnderlyingType>(bitmask), 3);
bitmask = bitmask ^ MyBitmask::b;
EXPECT_EQ(static_cast<UnderlyingType>(bitmask), 1);
MyBitmask abc{MyBitmask::a ^ MyBitmask::b};
EXPECT_EQ(static_cast<UnderlyingType>(abc), 3);
abc = abc ^ MyBitmask::b;
EXPECT_EQ(static_cast<UnderlyingType>(abc), 1);
}

TEST(MyBitmask, SupportsOperatorNot)
Expand Down
37 changes: 37 additions & 0 deletions score/quality/static_analysis/BUILD
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

py_binary(
name = "codeql_lint",
srcs = ["codeql_lint.py"],
args = [
"--codeql_path=$(location @codeql_bundle//:codeql_cli)",
"--config_path=$(location :config)",
"--analysis_report_path=$(location @codeql_coding_standards//:analysis_report)",
],
data = [
":config",
"@codeql_bundle//:codeql_cli",
"@codeql_coding_standards//:analysis_report",
"@codeql_coding_standards//:process_coding_standards_config",
],
main = "codeql_lint.py",
tags = ["local", "manual"],
target_compatible_with = ["@platforms//os:linux"],
)

filegroup(
name = "config",
srcs = ["config.yaml"],
visibility = ["//visibility:public"],
)
Loading
Loading