diff --git a/.github/workflows/sca.yml b/.github/workflows/sca.yml
new file mode 100644
index 0000000000..95c66a7aa1
--- /dev/null
+++ b/.github/workflows/sca.yml
@@ -0,0 +1,51 @@
+name: Windows_SCA
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+concurrency:
+ group: ${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+env:
+ AZCOPY_AUTO_LOGIN_TYPE: MSI
+ AZCOPY_MSI_CLIENT_ID: 63b63039-6328-442f-954b-5a64d124e5b4
+
+jobs:
+ Onnxruntime-SCA:
+ runs-on: ["self-hosted", "1ES.Pool=onnxruntime-github-vs2022-mms"]
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: false
+ - uses: actions/setup-python@v3
+ with:
+ python-version: '3.11.x'
+ architecture: 'x64'
+
+ - uses: actions/setup-node@v3
+ with:
+ node-version: 18
+
+ - name: Download cuda
+ run: azcopy.exe cp --recursive "https://lotusscus.blob.core.windows.net/models/cuda_sdk/v11.8" cuda_sdk
+
+
+ # The build machine doesn't have a GPU. So the value of CMAKE_CUDA_ARCHITECTURES doesn't matter.
+ - name: Build code
+ env:
+ CAExcludePath: 'C:\Program Files;D:\b;${{ github.workspace }}\cmake'
+ run: python tools\ci_build\build.py --enable_training --build_java --compile_no_warning_as_error --config Debug --build_dir D:\b --skip_submodule_sync --build_csharp --update --build --parallel --cmake_generator "Visual Studio 17 2022" --build_shared_lib --enable_pybind --cmake_extra_defines onnxruntime_USE_CUSTOM_STATIC_ANALYSIS_RULES=ON --cmake_extra_defines onnxruntime_ENABLE_STATIC_ANALYSIS=ON --cmake_extra_defines onnxruntime_REDIRECT_STATIC_ANALYSIS_OUTPUTS_TO_FILE=ON --use_cuda --cuda_home=${{ github.workspace }}\cuda_sdk\v11.8 --enable_cuda_profiling --cmake_extra_defines CMAKE_CUDA_ARCHITECTURES=75
+
+ - name: Generate sarif
+ working-directory: D:\b
+ run: npx @microsoft/sarif-multitool merge *.sarif --recurse --output-directory=${{ github.workspace }}\output --output-file=MergeResult.sarif --merge-runs && dir ${{ github.workspace }}\output
+
+ - name: Upload SARIF to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ continue-on-error: true
+ with:
+ sarif_file: ${{ github.workspace }}\output\MergeResult.sarif
+ category: VS_SCA
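Review bot: The workflow declares no `permissions:` block, so the job runs with whatever GITHUB_TOKEN scope the repository defaults to, while the only write it needs is the final `github/codeql-action/upload-sarif@v2` step, which requires `security-events: write`; on a repository whose default token is read-only that upload would fail and `continue-on-error: true` would mask it. Adding a top-level `permissions:` with `contents: read` and `security-events: write` makes the upload work independently of the repository default and keeps the token least-privileged. Two supply-chain points on the same job: `npx @microsoft/sarif-multitool` resolves the latest package from the registry on every run of a self-hosted runner, so pin it (`npx @microsoft/sarif-multitool@<version>`) or lock it in a package.json, and the actions are referenced by mutable tags (`@v3`, `@v2`) rather than commit SHAs. Finally, the job triggers on `pull_request` and runs on a self-hosted pool whose environment carries `AZCOPY_MSI_CLIENT_ID`, so PR-supplied code in `build.py` would presumably execute with that managed identity available — worth confirming that fork PRs cannot reach this runner without maintainer approval.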
diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt
index 0b2f980ab2..ab87416ff0 100644
--- a/cmake/CMakeLists.txt
+++ b/cmake/CMakeLists.txt
@@ -64,6 +64,8 @@ endif()
 option(onnxruntime_RUN_ONNX_TESTS "Enable ONNX Compatibility Testing" OFF)
 option(onnxruntime_GENERATE_TEST_REPORTS "Enable test report generation" OFF)
 option(onnxruntime_ENABLE_STATIC_ANALYSIS "Enable static analysis" OFF)
+option(onnxruntime_USE_CUSTOM_STATIC_ANALYSIS_RULES "Use a custom SDL Rule. It is mainly for our CI build" OFF)
+option(onnxruntime_REDIRECT_STATIC_ANALYSIS_OUTPUTS_TO_FILE "Use a custom SDL Rule. It is mainly for our CI build" OFF)
 option(onnxruntime_ENABLE_PYTHON "Enable python buildings" OFF)
 # Enable it may cause LNK1169 error
 option(onnxruntime_ENABLE_MEMLEAK_CHECKER "Experimental: Enable memory leak checker in Windows debug build" OFF)
@@ -834,8 +836,14 @@ function(onnxruntime_set_compile_flags target_name)
 target_compile_options(${target_name} PRIVATE "$<$:/external:I${CMAKE_CURRENT_BINARY_DIR}>" "$<$:SHELL:--compiler-options /external:I${CMAKE_CURRENT_BINARY_DIR}>")
 if (onnxruntime_ENABLE_STATIC_ANALYSIS)
 target_compile_options(${target_name} PRIVATE "$<$:SHELL:--compiler-options /analyze>" "$<$:/analyze>")
+ if (onnxruntime_REDIRECT_STATIC_ANALYSIS_OUTPUTS_TO_FILE)
+ target_compile_options(${target_name} PRIVATE "$<$:SHELL:--compiler-options /analyze:autolog:ext.sarif>" "$<$:/analyze:autolog:ext.sarif>")
+ endif()
 target_compile_options(${target_name} PRIVATE "$<$:SHELL:--compiler-options /analyze:external->" "$<$:/analyze:external->")
 target_compile_options(${target_name} PRIVATE "$<$:SHELL:--compiler-options /wd6385>" )
+ # There are many such warnings from STL:
+ # include\list(148): warning C6011: Dereferencing NULL pointer '_Mycont'. : Lines: 146, 147, 148
+ target_compile_options(${target_name} PRIVATE "$<$:SHELL:--compiler-options /wd6011>" )
 endif()
 else()
 # Enable warning
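Review bot: The description string of the new `onnxruntime_REDIRECT_STATIC_ANALYSIS_OUTPUTS_TO_FILE` option is a verbatim copy of the one on the line above it ("Use a custom SDL Rule. It is mainly for our CI build"), so it documents the wrong thing; judging from the second hunk, what it actually does is add `/analyze:autolog:ext.sarif` so the MSVC analyzer writes its findings to `.sarif` files in the build tree (the CI workflow merges `*.sarif` under the build dir) instead of only to the console. Suggest `option(onnxruntime_REDIRECT_STATIC_ANALYSIS_OUTPUTS_TO_FILE "Write MSVC /analyze findings to .sarif files (/analyze:autolog) instead of the console. It is mainly for our CI build" OFF)`. It would also help to say that the option has no effect unless `onnxruntime_ENABLE_STATIC_ANALYSIS` is ON, since that is the only place it is consulted.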
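Review bot: The `/wd6011` added on the last new line disables analyzer warning C6011 (dereferencing a NULL pointer) for every translation unit of every target that passes through `onnxruntime_set_compile_flags`, not just for the `include\list(148)` STL instantiation the comment cites; C6011 is one of the analyzer's more security-relevant checks, so a blanket suppression hides real null-dereference findings in project code. `/analyze:external-` is already passed two lines above and the CI job sets `CAExcludePath`, so the STL report presumably survives because the template is instantiated from project code; a narrower fix is a `#pragma warning(suppress: 6011)` at the few instantiation sites, or a rule override in the `Sdl.ruleset` this commit already edits, rather than `/wd6011` for the whole build. If the global suppression is kept, the comment should state the trade-off explicitly, e.g. `# NOTE: /wd6011 also silences C6011 in our own code, not only in the STL; revisit once the STL false positives are fixed`. onnxruntime_set_compile_flags continues outside the hunk.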
@@ -902,11 +910,10 @@ endfunction()
 function(onnxruntime_configure_target target_name)
 target_link_directories(${target_name} PRIVATE ${onnxruntime_LINK_DIRS})
 onnxruntime_set_compile_flags(${target_name})
- onnxruntime_set_source_file_properties(${target_name})
- #Uncomment the following three lines to reproduce static analysis errors locally
- #if(WIN32 AND onnxruntime_ENABLE_STATIC_ANALYSIS)
- # set_target_properties(${target_name} PROPERTIES VS_USER_PROPS ${PROJECT_SOURCE_DIR}/EnableVisualStudioCodeAnalysis.props)
- #endif()
+ onnxruntime_set_source_file_properties(${target_name})
+ if(WIN32 AND onnxruntime_ENABLE_STATIC_ANALYSIS AND onnxruntime_USE_CUSTOM_STATIC_ANALYSIS_RULES)
+ set_target_properties(${target_name} PROPERTIES VS_USER_PROPS ${PROJECT_SOURCE_DIR}/EnableVisualStudioCodeAnalysis.props)
+ endif()
 target_include_directories(${target_name} PRIVATE ${CMAKE_CURRENT_BINARY_DIR} ${ONNXRUNTIME_ROOT} ${abseil_cpp_SOURCE_DIR})
 if (onnxruntime_ENABLE_TRAINING_APIS)
 target_include_directories(${target_name} PRIVATE ${ORTTRAINING_ROOT})
diff --git a/cmake/Sdl.ruleset b/cmake/Sdl.ruleset
index 7ca26ad5d2..5ab2341f6a 100644
--- a/cmake/Sdl.ruleset
+++ b/cmake/Sdl.ruleset
@@ -184,7 +184,6 @@ -
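Review bot: The removed `#Uncomment the following three lines ...` comment was the only guidance on how to reproduce the CI static-analysis findings locally, and the new `if()` replaces it with an undocumented three-way gate on `WIN32`, `onnxruntime_ENABLE_STATIC_ANALYSIS` and `onnxruntime_USE_CUSTOM_STATIC_ANALYSIS_RULES`. A one-line comment above the `if(` would keep that guidance, e.g. `# Configure with -Donnxruntime_ENABLE_STATIC_ANALYSIS=ON -Donnxruntime_USE_CUSTOM_STATIC_ANALYSIS_RULES=ON to apply EnableVisualStudioCodeAnalysis.props and reproduce the CI SCA findings locally`. As far as I know `VS_USER_PROPS` is honoured only by the Visual Studio generators, so under Ninja on Windows this branch silently applies nothing; that is worth stating in the same comment, or guarding with a generator check if the intent is to fail loudly. onnxruntime_configure_target continues past the end of the hunk.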