How do you find / select additional suites for github workflows?

[ryao]

https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/static-tools-and-codeql

That page talks about a windows_driver_recommended.qls suite, but I cannot find documentation on how to use it with a github workflow, which would be extremely helpful at openzfsonwindows/openzfs#169.

The CodeQL documentation does not talk about github workflows as far as I can tell:

https://codeql.github.com/docs/codeql-overview/

There is generic github workflow documentation, but something specific for CodeQL would be nice:

https://docs.github.com/en/actions/using-workflows

I am also interested in expanding the test suites run on the main OpenZFS repository:

https://github.com/openzfs/zfs/blob/master/.github/workflows/codeql.yml

The default suite seems to have a fairly small number of checks and while having it run on every PR is awesome, I can clearly see many more checks than the 47 currently being run for C/C++:

https://github.com/github/codeql/tree/main/cpp/ql/src

Is there any documentation that lowers the learning curve for doing this via github workflows?

[jketema]

hi @ryao. The answers you're looking for can be found in the Code security related docs instead of the workflow docs. In particular, the available suites and how to select them is described here.

The windows driver query suite is provided by Microsoft here. To configure these you want to have a look at custom configuration files, which allow you to specify the query suites from other repositories. Note that in the case of the windows driver query suite there are specific CodeQL version requirements, as mentioned in the top-level README.md file of the linked repository.

[ryao]

I assume that all of the suites in the repository are here:

https://github.com/github/codeql/tree/main/cpp/config/suites

However, I see neither security-extended nor security-and-quality there. Is there a way that I can see a break down of what queries are included in the documented suites (and presumably, be able to discover ones excluded so that I could give them individual consideration)?

[jketema]

In the repository the the suite names are prefixed with the name of the language, so for example cpp-security-extended, which you can find here.

To find out which queries are part of a particular suite, you can use codeql resolve queries. For example, say you want to know which queries are part of the C++ security and quality suite, then - ensuring you've downloaded the codeql/cpp-queries pack - you run the aforementioned command:

codeql pack download codeql/cpp-queries
codeql resolve queries codeql/cpp-queries:codeql-suites/cpp-security-and-quality.qls

or if you have the CodeQL repository checked out at /path/to/CodeQl/repo:

codeql resolve queries /path/to/CodeQL/repo/cpp/ql/src/codeql-suites/cpp-security-and-quality.qls