microsoft / msvc-code-analysis-action Goto Github PK

Microsoft Visual C++ Code Analysis GitHub Action

License: MIT License

JavaScript 96.23% CMake 1.53% C++ 2.24%

msvc-code-analysis-action's Introduction

Microsoft C++ Code Analysis Action

This actions run code analysis for any CMake project built with the Microsoft Visual C++ Compiler. The analysis will produce SARIF results that can be uploaded to the GitHub Code Scanning Alerts experience and/or included as an artifact to view locally in the Sarif Viewer VSCode Extension.

Usage

Pre-requisites

Include a workflow .yml file using an example below as a template. Run the msvc-code-analysis-action after configuring CMake for your project. Building the project is only required if the C++ source files involve the use of generated files.

Input Parameters

Description of all input parameters: action.yml

Example

env:
  # Path to the CMake build directory.
  build: '${{ github.workspace }}/build'
  config: 'Debug'

jobs:
  analyze:
    name: Analyze
    runs-on: windows-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Configure CMake
        run: cmake -B ${{ env.build }} -DCMAKE_BUILD_TYPE=${{ env.config }}

      # Build is not required unless generated source files are used
      # - name: Build CMake
      #   run: cmake --build ${{ env.build }} --config ${{ env.config }}

      - name: Run MSVC Code Analysis
        uses: microsoft/[email protected]
        # Provide a unique ID to access the sarif output path
        id: run-analysis
        with:
          cmakeBuildDirectory: ${{ env.build }}
          buildConfiguration: ${{ env.config }}
          # Ruleset file that will determine what checks will be run
          ruleset: NativeRecommendedRules.ruleset
          # Paths to ignore analysis of CMake targets and includes
          # ignoredPaths: ${{ github.workspace }}/dependencies;${{ github.workspace }}/test

      # Upload SARIF file to GitHub Code Scanning Alerts
      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.run-analysis.outputs.sarif }}

      # Upload SARIF file as an Artifact to download and view
      - name: Upload SARIF as an Artifact
        uses: actions/upload-artifact@v2
        with:
          name: sarif-file
          path: ${{ steps.run-analysis.outputs.sarif }}

Warning Configuration

By the default the action will use the set of warnings on by default inside of Visual Studio. However the tool can be configured to use any Ruleset either shipped with Visual Studio or user defined. For the best results it is recommended to use a custom Ruleset that adds/removes warnings on-top an existing Ruleset. This ensures that the user does not miss out on any new warnings are created. Refer to the documentation on Rulesets for more information.

Example Ruleset

<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Example" Description="Enable Warnings" ToolsVersion="10.0">
  <!-- Default rules available in Visual Studio -->
  <Include Path="NativeRecommendedRules.ruleset" Action="Default" />
  <Rules AnalyzerId="Microsoft.Analyzers.NativeCodeAnalysis"
         RuleNamespace="Microsoft.Rules.Native">
    <Rule Id="C26440" Action="None" /> <!-- Exclude: Declare noexcept -->
    <Rule Id="C26492" Action="None" /> <!-- Include: No const_cast<> -->
  </Rules>
</RuleSet>

Suppression

Ruleset are the main form of configuration but for a lightweight approach to suppress warnings you can pass options directly to the compiler.

  id: run-analysis
  with:
    additionalArgs: /wd6001 /wd6011 # Suppress C6001 & C6011
    # ....

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

msvc-code-analysis-action's People

Stargazers

Watchers

Forkers

standardgalactic trickster7662 xls mbeckh jonesmz bilke tadscottsmith izzotop rastaban gmh5225 pirulax phonwarit207390 rjoneslegends oboukli

msvc-code-analysis-action's Issues

Action fails in win22/20220814.1 environment

After GitHub updated its Windows environment to win22/20220814.1, the action started failing with the following error:

Loaded 'D:\a\DiligentCore\build\.cmake\api\v1\reply\index-2022-08-16T23-03-14-0395.json' reply generated from CMake API.
Error: Error: Unknown MSVC toolset layout

Absolutely same setup worked ok in win22/20220808.1

Action does not handle CMake Configurations

There is no way to specify the Configuration to use in CMake (Debug, Release, etc.) for multi-configuration generators such as Visual Studio. It currently selects the first configuration which is commonly Debug.

A new parameter buildConfiguration should be added that is required if using a multi-configuration generator.

ignoredPaths doesn't work as expected

See https://github.com/blu3mania/npp-papyrus/actions/runs/3205014421/jobs/5236999872

The action was configured with:
ignoredPaths: ${{ github.workspace }}/src/external/gsl;${{ github.workspace }}/src/external/tinyxml2
Which was expanded to:
ignoredPaths: D:\a\npp-papyrus\npp-papyrus/src/external/gsl;D:\a\npp-papyrus\npp-papyrus/src/external/tinyxml2
However, file 'tinyxml2.cpp' under D:\a\npp-papyrus\npp-papyrus\src\external\tinyxml2 directory was still analyzed:
Running analysis on: D:\a\npp-papyrus\npp-papyrus\src\external\tinyxml2\tinyxml2.cpp

In a later test, the config was changed to use relative paths:
ignoredPaths: src/external/gsl;src/external/tinyxml2
However, the issue was still there (see https://github.com/blu3mania/npp-papyrus/actions/runs/3205291289/jobs/5237620319)

Default template points to old Action with MSVC layout error

Hi,

I've created a new msvc code analysis action a couple days ago using the GitHub UI. The template msvc.yml that it created pointed to an old commit of this repo that resulted in an MSVC layout error when trying to run it. Google wasn't very helpful unfortunately but luckily I found #22, and after pointing my msvc.yml to the latest commit in this repo, it then worked.

I'd encourage you to update the template on GitHub.com so that users that create this action have an easier ride.

Does not work if C/C++ file paths are abs paths

In the loadCompileCommands function, it joins "codemodel.paths.source" and "target.sources[sourceIndex].path)". But both of them can be abs paths.

For example, sometimes the target file could be like:

{
	"sources" : 
	[
		{
			"backtrace" : 1,
			"compileGroupIndex" : 0,
			"path" : "fns_candy_style_transfer/fns_candy_style_transfer.c",
			"sourceGroupIndex" : 0
		},
		{
			"backtrace" : 1,
			"path" : "fns_candy_style_transfer/image_file.h",
			"sourceGroupIndex" : 1
		},
		{
			"backtrace" : 7,
			"compileGroupIndex" : 1,
			"path" : "fns_candy_style_transfer/image_file_wic.cc",
			"sourceGroupIndex" : 0
		}
	],
	"type" : "EXECUTABLE"
}

Sometimes it could be like:

{
        "sources" : 
	[
		{
			"backtrace" : 4,
			"path" : "C:/src/onnxruntime/include/onnxruntime/core/common/basic_types.h",
			"sourceGroupIndex" : 0
		},
		{
			"backtrace" : 4,
			"path" : "C:/src/onnxruntime/include/onnxruntime/core/common/code_location.h",
			"sourceGroupIndex" : 0
		}
	],
	"type" : "EXECUTABLE"

It depends on how these files were added to the target.

Full log: https://github.com/microsoft/onnxruntime/actions/runs/4841537553/jobs/8627860900

CodeQL Action v1 will be deprecated on December 7th, 2022

I've started using the action and it throws a warning that may be relevant to take care of

Analyze
CodeQL Action v1 will be deprecated on December 7th, 2022.
Please upgrade to v2. For more information, see https://github.blog/changelog/2022-04-27-code-scanning-deprecation-of-codeql-action-v1/

Thanks for the very useful action!

Hangs when analyzing with VS 2022

https://github.com/zhihaoy/nontype_functional/runs/5193124036?check_suite_focus=true took 100 minutes without more progress.

To reproduce: clone and try run this branch https://github.com/zhihaoy/nontype_functional/tree/msvc-analysis

Error: Unable to find local or official ruleset specified: NativeRecommendRules.ruleset

I followed the outline as per this blogpost for my project.

I get the above mentioned error Error: Unable to find local or official ruleset specified: NativeRecommendRules.ruleset

This is the current PR
Action run here

Please let me know if I am doing something wrong.
I even copy pasted the example.yml from this repository.

Thanks and Regards,

Don't use distinct `run`s per compile target

github/codeql-action#1058 (comment)

PREfast check concluded as neutral

After the check concluded and the Sarif file is generated, I receive the following message from Github

GitHub Code Scanning / PREfast
completed 16 minutes ago in 2s
Error when processing the SARIF file
This check concluded as neutral.

Additional Information

PR
Code scanning PREfast

Error: TypeError: Assignment to constant variable.

I wanted to get rid of a whole list of bogus "Arithmatic Overflow" warnings and followed the documentation here. This change resulted in mentioned Error: TypeError: Assignment to constant variable.. I used version 0.1.1. Here is the complete workflow file.

The `set-output` command is deprecated and will be disabled on 31 May 2023

Hi,

I'm receiving a warning using this action:

Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

And the linked website says that the warning will result in a hard fail by 31 May / 1 June this year.

I'm not using this command in my msvc.yml, and I think this must come from a script somewhere within this action.

SARIF file generated and uploaded but no altert appears in GitHub

Hello! I have set up this action for my repository, and it is now running end-to-end. I can see the generated SARIF file as an artifact, and see that it contains some warnings: https://github.com/cschreib/lxgui/actions/runs/1393457069

The action step "Upload SARIF to GitHub" completes successfully, however no security alert shows up in GitHub. I also have CodeQL setup, and this works correctly.

As recommended here (and seeing what was done for CodeQL), I tried adding the following to the msvc action job, in case it was a permission issue:

    permissions:
      security-events: write
      actions: read
      contents: read

but this didn't help. Am I missing something?

New tag

Could you please create a new tag that references #29?

Update action to use Node.js 16

The action generates the following warning:

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

TypeError: Cannot read property 'physicalLocation' of undefined

I have configured a run as per the example yml file for my project. After a while fiddling with getting the CMake parameters right, I got it to run the code analysis on all files. Unfortunately, it ended before completing the run with the error:

Error: TypeError: Cannot read property 'physicalLocation' of undefined

See action run: https://github.com/cschreib/lxgui/runs/4019823994?check_suite_focus=true

Suppress some warnings

Is it possible to add an option to suppress some warnings? For example:

ignoreRules: C26812

fatal error C1060: compiler is out of heap space

While analyzing a very large (generated) file - the actions gives the following error
https://github.com/turtlebrowser/turtlebrowser/runs/4080552235?check_suite_focus=true

Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: microsoft/[email protected]

It would be good to upgrade the according to https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/ as currently uses of microsoft/[email protected] trigger the following warnings by GHA: