CodeQL and Static Tools Logo Test Overview

Learn how CodeQL helps reduce the attack surface of Windows by ensuring that third-party drivers meet strong security standards. This article explains the benefits of using CodeQL for WHCP compliance.

One step in setting this security bar is the requirement of the Windows Hardware Compatibility Program (WHCP) that all driver submissions run the CodeQL engine on the driver source code and fix any violations that are deemed Must-Fix.

Understanding CodeQL concepts

CodeQL is a static analysis engine used by developers to perform security analysis on code outside of a live environment.

CodeQL ingests code during compilation and builds a database from it. The database is a directory containing queryable data, a source reference, and log files. Once the database is built, one can run analysis on it by executing CodeQL queries (also called checks or rules), which determine whether the source code contains violations or security vulnerabilities.

CodeQL provides a library of standard queries that check for language correctness and semantics, offering great value to developers who want to ensure their code is free of bugs and vulnerabilities.

CodeQL also provides the option to build custom queries.

To learn more about writing custom queries, see Writing queries in the CodeQL documentation.

CodeQL also provides a CodeQL command-line tool (CLI) to perform CodeQL actions or large-scale analysis.

Find additional CodeQL CLI documentation at CodeQL Getting Started.
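The two CLI steps described above (build a database, then run queries against it) look like this when scripted for a driver build. This is an added example, not code from the Microsoft article or from the CodeQL project; the source tree path, the MSBuild invocation, and the query-suite file path are assumptions you must replace with your own, and it expects codeql.exe and msbuild to be on PATH in a Visual Studio developer shell.

```powershell
# Added example (not from the Microsoft page or the CodeQL project): an end-to-end
# CodeQL CLI run for a Windows driver, as a WHCP participant might script it in CI.
# Assumptions (placeholders): the driver source root, the build command, and the
# path to a Must-Fix query suite (.qls) file.

$ErrorActionPreference = 'Stop'

$SourceRoot = 'C:\src\MyDriver'                              # assumption: driver source tree
$Database   = Join-Path $SourceRoot 'codeql-db'              # directory CodeQL will create
$BuildCmd   = 'msbuild /t:rebuild /p:Configuration=Release /p:Platform=x64 MyDriver.sln'  # assumption
$QuerySuite = 'C:\tools\queries\windows_driver_mustfix.qls'  # assumption: Must-Fix suite file
$Sarif      = Join-Path $SourceRoot 'codeql-results.sarif'

# Step 1: create the database. CodeQL watches the compiler while the driver is built,
# so a full rebuild is used to make sure every translation unit is ingested.
if (Test-Path $Database) { Remove-Item -Recurse -Force $Database }
codeql database create $Database `
    --language=cpp `
    --source-root=$SourceRoot `
    --command=$BuildCmd
if ($LASTEXITCODE -ne 0) { throw "codeql database create failed (exit $LASTEXITCODE)" }

# Step 2: run the query suite against the database and write SARIF output.
codeql database analyze $Database $QuerySuite `
    --format=sarifv2.1.0 `
    --output=$Sarif
if ($LASTEXITCODE -ne 0) { throw "codeql database analyze failed (exit $LASTEXITCODE)" }

# Step 3: gate the build. Because the suite holds only Must-Fix queries, this script
# treats any result as a blocker and prints rule, file, line and message for each.
$results = (Get-Content $Sarif -Raw | ConvertFrom-Json).runs | ForEach-Object { $_.results }
$count   = @($results).Count
Write-Host "CodeQL reported $count finding(s); full report in $Sarif"
if ($count -gt 0) {
    foreach ($r in $results) {
        $loc = $r.locations[0].physicalLocation
        Write-Host ('{0}: {1}({2}) {3}' -f $r.ruleId, $loc.artifactLocation.uri, $loc.region.startLine, $r.message.text)
    }
    exit 1
}
```

The SARIF file written in step 2 is the artifact to keep with the submission evidence; the gate in step 3 is a policy choice for a CI pipeline, not a CodeQL feature, and can be relaxed to fail only on particular rule IDs if a suite mixes recommended and Must-Fix queries.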

How CodeQL Enhances Driver Security

CodeQL, by GitHub, is a powerful semantic code analysis engine, and the combination of an extensive suite of high-value security queries with a robust platform makes it an invaluable tool for securing driver code.

Using CodeQL for WHCP testing is allowed under the Hardware Lab Kit (HLK) End User License Agreement.

For WHCP participants, the HLK's EULA overwrites GitHub's CodeQL Terms and Conditions by stating that CodeQL can be used during automated analysis, CI or CD, as part of normal engineering processes for the purposes of analyzing drivers to be submitted and certified as part of the WHCP.

The Static Tools Logo Test enforces this requirement to analyze driver source code and fix any Must-Fix violations.

Important

The Windows Hardware Compatibility Program requires CodeQL for the Static Tool Logo (STL) Tests on our Client and Server operating systems. We will continue to maintain support for SDV and CA on older products. We strongly encourage partners to review the CodeQL requirements for the Static Tool Logo Test.

HLK EULA and CodeQL

Usage of CodeQL for the purpose of certifying for the Windows Hardware Compatibility Program testing is acceptable under the Hardware Lab Kit (HLK) End User License Agreement.

For WHCP participants, the HLK's EULA overrides GitHub's CodeQL Terms and Conditions, allowing CodeQL to be used during automated analysis, CI, or CD as part of normal engineering processes to analyze drivers submitted for WHCP certification.

For general use outside WHCP, read the GitHub CodeQL Terms and Conditions or contact the CodeQL team.