Enable CodeQL as part of PR process. Add codeql filters file for code…

…ql issuse that should be ignored.
microsoft · Aug 27, 2024 · 6959ebb · 6959ebb
1 parent d3ac723
commit 6959ebb
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 8 deletions.
diff --git a/.pytool/CISettings.py b/.pytool/CISettings.py
@@ -142,10 +142,6 @@ def GetActiveScopes(self):
                 scopes += codeql_helpers.get_scopes(self.codeql)
 
                 if self.codeql:
-                    shell_environment.GetBuildVars().SetValue(
-                        "STUART_CODEQL_AUDIT_ONLY",
-                        "TRUE",
-                        "Set in CISettings.py")
                     codeql_filter_files = [str(n) for n in glob.glob(
                         os.path.join(self.GetWorkspaceRoot(),
                             '**/CodeQlFilters.yml'),
@@ -188,17 +184,17 @@ def GetDependencies(self):
             {
                 "Path": "MU_BASECORE",
                 "Url": "https://github.com/Microsoft/mu_basecore.git",
-                "Branch": "release/202311"
+                "Branch": "release/202405"
             },
             {
                 "Path": "Common/MU",
                 "Url": "https://github.com/Microsoft/mu_plus.git",
-                "Branch": "release/202311"
+                "Branch": "release/202405"
             },
             {
                 "Path": "Common/MU_TIANO",
                 "Url": "https://github.com/Microsoft/mu_tiano_plus.git",
-                "Branch": "release/202311"
+                "Branch": "release/202405"
             },
             {
                 "Path": "Features/MU_FEATURE_DFCI",

diff --git a/CodeQlFilters.yml b/CodeQlFilters.yml
@@ -0,0 +1,22 @@
+## @file
+# CodeQL Result Filters for Packages in oem_sample
+#
+# Note:
+#   1. Packages that use Mu Basecore can reuse this file to quickly pick up the
+#      same filters applied to results in the Mu Basecore repo.
+#   2. It is recommended paths begin with `**/` in filter files residing in repos that
+#      are used as dependencies by other repos. That way the filter
+#      will apply both in the current repo directly and regardless of where the repo is
+#      located within a downstream repos directory hierarchy.
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+{
+  "Filters":
+    [
+      "-**/OemPkg/Library/MsBootManagerSettingsDxeLib/BootManagerSettings.c:cpp/unsigned-comparison-zero",
+      "-**/OemPkg/Library/PasswordPolicyLib/PasswordPolicyLib.c:cpp/unused-static-variable",
+    ],
+}
diff --git a/OemPkg/OemConfigPolicyCreatorPei/OemConfigPolicyCreatorPei.c b/OemPkg/OemConfigPolicyCreatorPei/OemConfigPolicyCreatorPei.c
@@ -177,7 +177,7 @@ CreateConfPolicy (
     ActiveProfileIndex = GENERIC_PROFILE_INDEX;
   }
 
-  if ((ActiveProfileIndex >= 0) && (ActiveProfileIndex < gNumProfiles)) {
+  if (ActiveProfileIndex < gNumProfiles) {
     // if ActiveProfileIndex == GENERIC_PROFILE_INDEX, we are using the generic profile and don't
     // look for any profile overrides. Otherwise, ensure that the active profile index
     // is valid, otherwise use the generic profile. If it is valid, apply those overrides.