Google Summer of Code 2025 - Final Report

Project Summary

This project develops a standalone tool to integrate CodeQL directly into the local development workflow, enabling developers to perform static analysis on their own machines before committing code. This approach eliminates reliance on external platforms and provides customization options, allowing users to create specific rules tailored to their project's needs. The tool can be configured to filter out and ignore irrelevant files, directories, or rules, ensuring the analysis is focused and produces meaningful results. To improve efficiency, it also automates the generation of clear, structured reports, which simplifies the review process and helps in quickly identifying potential issues. To support adoption, the project includes the creation of comprehensive documentation to guide developers on how to install, configure, and effectively use the tool.

My Contributions

For this summer, I have focused on developing a set of Python scripts to make CodeQL an essential and accessible static analysis tool for the RTEMS project. The work was divided into two main phases: initial automation to ensure reproducibility and the development of a user-friendly command-line interface (CLI) wrapper.

Contribution        | Status     | Merge Request Link
CodeQL CLI wrapper  | Not Merged | MR !66
Usage documentation | Not Merged | MR !191

Foundational Scripting and Reproducibility

The initial phase of the project involved manually downloading, installing, and testing the CodeQL tool to generate static analysis reports. To ensure this process could be easily and consistently replicated by any developer, I created a suite of Python scripts. These scripts automate the entire setup and execution process, providing a reliable foundation for running CodeQL within the RTEMS ecosystem.

Command-Line Interface (CLI) Wrapper

To create a more robust and maintainable solution suitable for integration into the official rtems-tools repository, the foundational scripts were refactored into a comprehensive CLI wrapper. This wrapper provides a structured and user-friendly way to interact with CodeQL through a set of clear and distinct commands. The primary functions exposed by the CLI wrapper include:

  • sb_check: This command verifies that the CodeQL executable is present in the system's PATH. If CodeQL is not found, it provides meaningful error messages and warnings to guide the user on how to install or correctly configure their environment.
  • create_db: This command is responsible for creating a CodeQL database for a specified RTEMS source code directory. A database is a necessary prerequisite for running any analysis, as it contains an analyzable representation of the source code.
  • analyze_db: Once a database is created, this command executes the static analysis by running a suite of CodeQL queries against it. It identifies potential bugs, vulnerabilities, and coding standard violations, and outputs the results, typically in a CSV format.
  • filter_csv: This command processes the CSV report generated by analyze_db. It allows developers to filter the results based on custom criteria, such as ignoring specific files, directories, or rule types, thereby reducing noise and helping them focus on the most relevant findings.
  • delete_db: This is a utility command that removes a specified CodeQL database from the system. This helps in managing disk space, especially when dealing with large and numerous databases.
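The sketch below is an added example of how the five commands listed above can be structured in Python; it is not the wrapper submitted in MR !66 and does not reproduce its code. It assumes the real CodeQL CLI's `codeql database create` / `codeql database analyze` subcommands and their `--language`, `--source-root`, `--command`, `--format=csv` and `--output` options, and that CodeQL's CSV output has no header row and nine columns (name, description, severity, message, path, start line, start column, end line, end column). The filtering rules, the sample findings and the `rtems_build.sh` build command are constructed for illustration.

```python
"""Added example: a minimal CodeQL CLI wrapper in the shape described in the report.
Not the RTEMS project's own code; function names follow the commands listed in the text."""
import csv
import io
import shutil
import subprocess
from pathlib import Path

# Column layout of `codeql database analyze --format=csv` (no header row in the file).
CSV_COLUMNS = ("name", "description", "severity", "message",
               "path", "start_line", "start_col", "end_line", "end_col")

# Severity ordering used for a minimum-severity filter.
SEVERITY_RANK = {"recommendation": 0, "warning": 1, "error": 2}


def sb_check(executable="codeql"):
    """Return the path of the CodeQL binary if it is on PATH, else raise with guidance."""
    path = shutil.which(executable)
    if path is None:
        raise FileNotFoundError(
            f"'{executable}' was not found in PATH. Install the CodeQL CLI and add its "
            "directory to PATH (or pass the full path to the executable).")
    return path


def create_db_command(db_dir, source_root, build_command, language="cpp"):
    """Build the argv for creating a database; returned, not executed, so it can be inspected."""
    return ["codeql", "database", "create", str(db_dir),
            f"--language={language}", f"--source-root={source_root}",
            f"--command={build_command}"]


def analyze_db_command(db_dir, queries, output_csv):
    """Build the argv for running a query suite against a database with CSV output."""
    return ["codeql", "database", "analyze", str(db_dir), *queries,
            "--format=csv", f"--output={output_csv}"]


def run_codeql(argv):
    """Check the binary is available before running, so the user gets a clear message."""
    sb_check(argv[0])
    return subprocess.run(argv, check=True)


def filter_csv(csv_text, ignore_paths=(), ignore_rules=(), min_severity=None):
    """Drop findings under ignored path prefixes or from ignored rules, and below a severity.

    Rows with an unknown severity label are kept rather than silently dropped.
    """
    floor = SEVERITY_RANK[min_severity] if min_severity else None
    kept = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(CSV_COLUMNS):
            continue  # skip malformed lines instead of crashing on them
        finding = dict(zip(CSV_COLUMNS, row))
        path = finding["path"].lstrip("/")
        if any(path.startswith(p.lstrip("/")) for p in ignore_paths):
            continue
        if finding["name"] in ignore_rules:
            continue
        rank = SEVERITY_RANK.get(finding["severity"].lower())
        if floor is not None and rank is not None and rank < floor:
            continue
        kept.append(finding)
    return kept


def delete_db(db_dir):
    """Remove a CodeQL database directory; refuses anything that does not look like one."""
    db_dir = Path(db_dir)
    if not (db_dir / "codeql-database.yml").is_file():
        raise ValueError(f"{db_dir} does not look like a CodeQL database; refusing to delete")
    shutil.rmtree(db_dir)


# Constructed sample report (not real analysis output), three findings, no header row.
SAMPLE_CSV = (
    '"Comparison always true","Constant comparison","warning","Comparison is always true.",'
    '"/cpukit/score/src/example.c","12","5","12","20"\n'
    '"Unused variable","Unused local","warning","Variable x is unused.",'
    '"/testsuites/samples/hello/init.c","8","3","8","4"\n'
    '"Unbounded copy","Unchecked length","error","Length is not checked.",'
    '"/cpukit/libcsupport/src/other.c","40","9","40","30"\n'
)

if __name__ == "__main__":
    print(create_db_command("rtems-db", "rtems", "./rtems_build.sh"))
    for f in filter_csv(SAMPLE_CSV, ignore_paths=("testsuites/",), min_severity="warning"):
        print(f["severity"], f["path"], f["start_line"], f["name"])
```

Returning argv lists from `create_db_command` and `analyze_db_command` instead of running them directly keeps the command construction testable without a CodeQL installation, and `delete_db` checks for `codeql-database.yml` so a mistyped path cannot remove an unrelated source tree.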

Pending Work

While the core functionality of the CodeQL wrapper is complete, there are a few key areas that require further attention:

  • Creating a Comprehensive Rule Set: A dedicated list of CodeQL rules, similar in format to the Xen Project's MISRA rules page, needs to be created. This will provide RTEMS developers with clear guidance on which static analysis checks are enforced.

What I Learned

Before this project, I was unfamiliar with static analysis tools and their practical applications. Throughout the summer, I worked closely with my mentors to integrate CodeQL, a process that involved making mistakes and, most importantly, learning from them. This hands-on experience not only taught me the difficulties of static analysis but also significantly improved my proficiency in Python. I had the opportunity to write numerous Python scripts and develop documentation, which has prepared me to contribute effectively to open-source projects and create tools that are useful for other developers. Crucially, I also learned how to adapt when a plan goes wrong and how to formulate a new one, a skill my mentors demonstrated and supported me in developing.