
Use a customized codeql configration (#4207)

- Specify directories to scan
- Refactor build script for WAMR project
  - add functions for wamrc and iwasm builds
  - streamline options handling
  - include LLVM installation steps.
- Filter out source code related to dependencies, testing,
  and wasm applications
- Exclude unimportant issues and coding style problems
liang.he vor 1 Monat
Ursprung
Commit
951684c8dd
3 geänderte Dateien mit 258 neuen und 388 gelöschten Zeilen
  1. 46 0
      .github/codeql/codeql_config.yml
  2. 110 301
      .github/scripts/codeql_buildscript.sh
  3. 102 87
      .github/workflows/codeql.yml

+ 46 - 0
.github/codeql/codeql_config.yml

@@ -0,0 +1,46 @@
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+paths:
+  - .github
+  - core/iwasm
+  - core/shared/platform/common/
+  - core/shared/platform/include/
+  - core/shared/platform/linux/
+  - product-mini/platforms/common/
+  - product-mini/platforms/linux/
+  # TODO: add other platforms back if able to do cross-compilation
+  # - product-mini/platforms/
+  # TODO: add samples back after buildscript modification
+  # - need to ignore workloads and wasm-apps
+  # - samples
+  - wamr-compiler/
+paths-ignore:
+  # always ignore build
+  - '**/build/**'
+  - '**/test*/**'
+  - '**/wasm-app*/**'
+  - core/deps/
+  # platform specific
+  - core/iwasm/aot/arch/aot_reloc_aarch64.c
+  - core/iwasm/aot/arch/aot_reloc_arc.c
+  - core/iwasm/aot/arch/aot_reloc_arm.c
+  - core/iwasm/aot/arch/aot_reloc_dummy.c
+  - core/iwasm/aot/arch/aot_reloc_mips.c
+  - core/iwasm/aot/arch/aot_reloc_riscv.c
+  - core/iwasm/aot/arch/aot_reloc_thumb.c
+  - core/iwasm/aot/arch/aot_reloc_xtensa.c
+  - core/iwasm/libraries/lib-rats/
+  - core/iwasm/libraries/lib-socket/
+  - core/iwasm/libraries/lib-wasi-threads/*-test/
+  - core/shared/platform/common/freertos/
+  - core/shared/platform/common/math/
+  #TODO: add me back if lldb libraries installed
+  - core/iwasm/compilation/debug/
+  # spend disk space and slow
+  - core/iwasm/libraries/wasi-nn/src/wasi_nn_tflite*
+  #TODO: add me back if openvino installed
+  - core/iwasm/libraries/wasi-nn/src/wasi_nn_openvino*
+  # for wasm
+  - core/iwasm/libraries/wasi-nn/include/wasi_nn.h
+  # reference
+  - core/iwasm/common/arch/invokeNative_general.c
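Review bot: `paths-ignore` drops `core/iwasm/libraries/lib-socket/` and `core/iwasm/libraries/lib-rats/` under the `# platform specific` comment, but nothing in the file says why library code that, going by its name, exposes sockets and attestation to guests should be left out, and an excluded path silently loses coverage for every future finding in it. If the reason is only that the build script does not enable those libraries (an inference, not stated on the page), record it the way the lldb and openvino entries do, e.g. `# TODO: add me back once codeql_buildscript.sh builds the socket and rats libraries`, so the exclusion is revisited rather than permanent. The other entries under that comment are genuinely per-architecture sources, so a separate comment line above the two library paths would keep the grouping honest.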

+ 110 - 301
.github/scripts/codeql_buildscript.sh

@@ -5,308 +5,117 @@
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 #
 
-sudo apt update
+# This script is used to build the WAMR project for CodeQL analysis.
 
-sudo apt install -y build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build
+# Pre-requisites
+sudo apt -qq update
+sudo apt install -y -qq build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build
 
-WAMR_DIR=${PWD}
-
-# TODO: use pre-built llvm binary to build wamrc to
-#       avoid static code analysing for llvm
-: '
-# build wamrc
-cd ${WAMR_DIR}/wamr-compiler
-./build_llvm.sh
-rm -fr build && mkdir build && cd build
-cmake ..
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build wamrc!"
-    exit 1;
-fi
-'
-
-# build iwasm with default features enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake ..
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with default features enabled!"
-    exit 1;
-fi
-
-# build iwasm with default features enabled on x86_32
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DWAMR_BUILD_TARGET=X86_32
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with default features enabled on x86_32!"
-    exit 1;
-fi
-
-# build iwasm with classic interpreter enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_INTERP=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with classic interpreter enabled!"
-    exit 1;
-fi
-
-# build iwasm with extra features enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug \
-    -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1 \
-    -DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_SIMD=1 \
-    -DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_REF_TYPES=1 \
-    -DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_MEMORY_PROFILING=1 \
-    -DWAMR_BUILD_PERF_PROFILING=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 \
-    -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build wamrc iwasm with extra features enabled!"
-    exit 1;
-fi
-
-# build iwasm with global heap pool enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug \
-    -DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 \
-    -DWAMR_DISABLE_STACK_HW_BOUND_CHECK=1 \
-    -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 \
-    -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with global heap pool enabled!"
-    exit 1;
-fi
-
-# build iwasm with wasi-threads enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIB_WASI_THREADS=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with wasi-threads enabled!"
-    exit 1;
-fi
-
-# build iwasm with GC enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_GC=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with GC enabled!"
-    exit 1;
-fi
-
-# build iwasm with exception handling enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_EXCE_HANDLING=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with exception handling enabled!"
-    exit 1;
-fi
-
-# build iwasm with memory64 enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MEMORY64=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with memory64 enabled!"
-    exit 1;
-fi
-
-# build iwasm with multi-memory enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MULTI_MEMORY=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with multi-memory enabled!"
-    exit 1;
-fi
-
-# build iwasm with hardware boundary check disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_HW_BOUND_CHECK=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with hardware boundary check disabled!"
-    exit 1;
-fi
-
-# build iwasm with quick AOT entry disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_QUICK_AOT_ENTRY=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with quick AOT entry disabled!"
-    exit 1;
-fi
+LLVM_VER=18.1.8
+pushd /opt
+sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VER}/clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04.tar.xz \
+  && tar -xf clang+llvm-x86_64-linux-gnu.tar.xz \
+  && mv clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04 llvm-${LLVM_VER}
+popd
 
-# build iwasm with wakeup of blocking operations disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with wakeup of blocking operations disabled!"
-    exit 1;
-fi
+# libtinfo.so.5 for /opt/llvm-18.1.8/lib/libomptarget.rtl.amdgpu.so.18.1
+sudo apt -qq update
+wget http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb
+sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb
 
-# build iwasm with module instance context disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MODULE_INST_CONTEXT=0 \
-         -DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_WASI=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with module instance context disabled!"
-    exit 1;
-fi
-
-# build iwasm with libc-uvwasi enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIBC_UVWASI=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with libc-uvwasi enabled!"
-    exit 1;
-fi
-
-# build iwasm with fast jit lazy mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with fast jit lazy mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with fast jit eager mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with fast jit eager mode enabled!"
-    exit 1;
-fi
-
-# TODO: use pre-built llvm binary to build llvm-jit and multi-tier-jit
-: '
-# build iwasm with llvm jit lazy mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build llvm jit lazy mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with llvm jit eager mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build llvm jit eager mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with multi-tier jit enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_JIT=1 \
-                                    -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with multi-tier jit enabled!"
-    exit 1;
-fi
-'
-
-# build iwasm with wasm mini-loader enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MINI_LOADER=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build with wasm mini-loader enabled!"
-    exit 1;
-fi
-
-# build iwasm with source debugging enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with source debugging enabled!"
-    exit 1;
-fi
-
-# build iwasm with AOT static PGO enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_STATIC_PGO=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with AOT static PGO enabled!"
-    exit 1;
-fi
-
-# build iwasm with configurable bounds checks enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with configurable bounds checks enabled!"
-    exit 1;
-fi
-
-# build iwasm with linux perf support enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux/
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LINUX_PERF=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with linux perf support enabled!"
-    exit 1;
-fi
-
-# build iwasm with shared heap enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_SHARED_HEAP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with shared heap enabled!"
-    exit 1;
-fi
-
-# build iwasm with dynamic aot debug enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm dynamic aot debug enabled!"
-    exit 1;
-fi
+# Start the build process
+WAMR_DIR=${PWD}
+LLVM_DIR=/opt/llvm-${LLVM_VER}/lib/cmake/llvm
+
+# Function to build wamrc
+build_wamrc() {
+    local options="$1"
+    echo "Building wamrc with options: $options"
+
+    pushd ${WAMR_DIR}/wamr-compiler
+    rm -rf build
+    cmake -S . -B build \
+        -G Ninja \
+        -DCMAKE_BUILD_TYPE=Debug \
+        -DWAMR_BUILD_WITH_CUSTOM_LLVM=1 -DLLVM_DIR=${LLVM_DIR} \
+        $options
+    cmake --build build --target wamrc --parallel
+    if [[ $? != 0 ]]; then
+        echo "Failed to build wamrc with options: $options"
+        exit 1
+    fi
+    popd
+}
+
+# Function to build iwasm
+build_iwasm() {
+    local options="$1"
+    echo "Building iwasm with options: $options"
+
+    pushd ${WAMR_DIR}/product-mini/platforms/linux
+    rm -rf build
+    cmake -S . -B build \
+        -G Ninja \
+        -DCMAKE_BUILD_TYPE=Debug \
+        -DLLVM_DIR=${LLVM_DIR} \
+        $options
+    cmake --build build --target iwasm --parallel
+    if [[ $? != 0 ]]; then
+        echo "Failed to build iwasm with options: $options"
+        exit 1
+    fi
+    popd
+}
+
+# List of compilation options for wamrc
+wamrc_options_list=(
+    #default
+    ""
+)
+
+# List of compilation options for iwasm
+iwasm_options_list=(
+    #default
+    ""
+    # +classic interp
+    "-DWAMR_BUILD_FAST_INTERP=0"
+    # +llvm jit + fast jit
+    "-DWAMR_BUILD_JIT=1 -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1"
+    #
+    "-DWAMR_BUILD_TARGET=X86_32"
+    #
+    # libraries
+    "-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_UVWASI=1 -DWAMR_BUILD_LIBC_EMCC=1"
+    "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_PTHREAD=1      -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
+    "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_WASI_THREADS=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
+    "-DWAMR_BUILD_WASI_NN=1 -DWAMR_BUILD_WASI_NN_LLAMACPP=1"
+    #
+    # Wasm specs
+    "-DWAMR_BUILD_GC=1 -DWAMR_BUILD_EXCE_HANDLING=1 -DWAMR_BUILD_STRINGREF=1 -DWAMR_STRINGREF_IMPL_SOURCE=STUB"
+    "-DWAMR_BUILD_MEMORY64=1 -DWAMR_BUILD_MULTI_MEMORY=1"
+    #
+    # WARM features
+    "-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_MINI_LOADER=1 -DWAMR_BUILD_SHARED_HEAP=1"
+    "-DWAMR_DISABLE_HW_BOUND_CHECK=1"
+    "-DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1"
+    # - Debug
+    "-DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1 -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1"
+    # - developer options
+    "-DWAMR_BUILD_CUSTOM_NAME_SECTION=1  -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 -DWAMR_BUILD_LINUX_PERF=1 -DWAMR_BUILD_AOT_VALIDATOR=1 -DWAMR_BUILD_MEMORY_PROFILING=1 -DWAMR_BUILD_PERF_PROFILING=1"
+    # - global heap
+    "-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1  -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072"
+    "-DWAMR_BUILD_QUICK_AOT_ENTRY=0 -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1 -DWAMR_BUILD_MODULE_INST_CONTEXT=0"
+    # - pgo
+    "-DWAMR_BUILD_STATIC_PGO=1"
+    # TODO: SGX specifics.
+)
+
+# Loop through all iwasm options and build
+for options in "${iwasm_options_list[@]}"; do
+    build_iwasm "$options"
+done
+
+# Loop through all wamrc options and build
+for options in "${wamrc_options_list[@]}"; do
+    build_wamrc "$options"
+done
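Review bot: The LLVM tarball fetched by `sudo wget ... llvmorg-${LLVM_VER}/...` and the `libtinfo5_6.3-2ubuntu0.1_amd64.deb` pulled over plain `http://security.ubuntu.com` are unpacked into `/opt` and installed with `sudo apt install` without any integrity check, and a locally supplied `.deb` is not covered by apt's repository signature verification, so the toolchain every CodeQL build links against rests on unauthenticated downloads. Pin the expected digests next to `LLVM_VER` and verify before use, e.g. `echo "<LLVM_TARBALL_SHA256_PLACEHOLDER>  clang+llvm-x86_64-linux-gnu.tar.xz" | sha256sum -c -` right after the `wget`, the same for the `.deb`, and fetch the `.deb` over `https://`. The `&& tar ... && mv ...` chain only short-circuits; unless the header above the hunk sets `set -e` (not visible here), a failed download lets the script continue into `build_wamrc` with an `LLVM_DIR` that does not exist, where only the `cmake --build` exit status is checked and a failed `cmake -S . -B build` configure step is never reported directly. The comment `# WARM features` presumably means `# WAMR features`.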

+ 102 - 87
.github/workflows/codeql.yml

@@ -1,29 +1,24 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
 name: "CodeQL"
 
 on:
-  #pull_request:
-  #  types:
-  #    - opened
-  #  branches: '*'
-  #push:
-  #   branches: [ "main" ]
-  # midnight UTC
+  # run on every push to the feature-development branch
+  # the main branch is covered by below cron plan
+  push:
+    branches:
+      - dev/**
+  # midnight UTC on the latest commit on the main branch
   schedule:
-    - cron: '0 0 * * *'
+    - cron: "0 0 * * *"
   # allow to be triggered manually
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   analyze:
+    # only run this job if the repository is not a fork
+    # if want to run this job on a fork, please remove the if condition
     if: github.repository == 'bytecodealliance/wasm-micro-runtime'
     name: Analyze
     # Runner size impacts CodeQL analysis time. To learn more, please see:
@@ -31,14 +26,15 @@ jobs:
     #   - https://gh.io/supported-runners-and-hardware-resources
     #   - https://gh.io/using-larger-runners
     # Consider using larger runners for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    # But it is not free, so please be aware of the cost.
+    runs-on: ubuntu-22.04
+    timeout-minutes: 360
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'cpp' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        #TODO: add actions
+        language: ["cpp"]
 
     permissions:
       contents: read
@@ -46,76 +42,95 @@ jobs:
       security-events: write
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v5
-      with:
-        submodules: recursive
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4.31.2
-      with:
-        languages: ${{ matrix.language }}
-
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-        queries: security-and-quality
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
 
-    # Command-line programs to run using the OS shell.
-    # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4.31.2
+        with:
+          languages: ${{ matrix.language }}
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+          queries: security-and-quality
+          config-file: ./.github/codeql/codeql_config.yml
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+      - run: |
+          ./.github/scripts/codeql_buildscript.sh
 
-    - run: |
-        ./.github/scripts/codeql_buildscript.sh
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4.31.2
-      with:
-        category: "/language:${{matrix.language}}"
-        upload: false
-      id: step1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3.29.1
+        with:
+          category: "/language:${{matrix.language}}"
+          upload: false
+        id: step1
 
-    # Filter out rules with low severity or high false positve rate
-    # Also filter out warnings in third-party code
-    - name: Filter out unwanted errors and warnings
-      uses: advanced-security/filter-sarif@v1
-      with:
-        patterns: |
-          -**:cpp/path-injection
-          -**:cpp/world-writable-file-creation
-          -**:cpp/poorly-documented-function
-          -**:cpp/potentially-dangerous-function
-          -**:cpp/use-of-goto
-          -**:cpp/integer-multiplication-cast-to-long
-          -**:cpp/comparison-with-wider-type
-          -**:cpp/leap-year/*
-          -**:cpp/ambiguously-signed-bit-field
-          -**:cpp/suspicious-pointer-scaling
-          -**:cpp/suspicious-pointer-scaling-void
-          -**:cpp/unsigned-comparison-zero
-          -**/cmake*/Modules/**
-        input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
-        output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+      # - cpp/alloca-in-loop is about touch_pages() which is intended to
+      # - cpp/command-line-injection is about bh_system() which is used to
+      # - cpp/path-injection is used in bh_read_file_to_buffer() to load a .wasm.
+      #   or operate a stack usage file which is not sensitive or generate a .aot
+      # - cpp/suspicious-pointer-scaling
+      #   - wasm_runtime_invoke_native() used to trivial registers
+      # - cpp/uncontrolled-process-operation is about dlopen() which is used by
+      #   native libraries registrations.
+      # - cpp/world-writable-file-creation is about fopen() a temporary file
+      #   for perf-PID.map or .aot(wamrc). The permission isn't sensitive.
+      #   file.
+      #
+      # execute customized compiler
+      - name: Filter out unwanted errors and warnings
+        uses: advanced-security/filter-sarif@v1
+        with:
+          patterns: |
+            ## Exclude files and directories
+            -**/build/**
+            -**/core/deps/**
+            -**/cmake*/Modules/**
+            -**/test*/**
+            -**/wasm-app*/**
+            ## Exclude rules 1. Related to formatting, style
+            -**:cpp/commented-out-code
+            -**:cpp/complex-condition
+            -**:cpp/empty-if
+            -**:cpp/fixme-comment
+            -**:cpp/include-non-header
+            -**:cpp/long-switch
+            -**:cpp/poorly-documented-function
+            -**:cpp/trivial-switch
+            -**:cpp/unused-local-variable
+            -**:cpp/unused-static-function
+            -**:cpp/unused-static-variable
+            -**:cpp/use-of-goto 
+            ## Exclude rules 2. Related to special usage of APIs
+            -**:cpp/alloca-in-loop
+            -**:cpp/command-line-injection
+            -**:cpp/path-injection
+            -core/iwasm/common/wasm_runtime_common.c:cpp/suspicious-pointer-scaling
+            -**:cpp/uncontrolled-process-operation
+            -**:cpp/world-writable-file-creation
+          input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+          output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
 
-    - name: Upload CodeQL results to code scanning
-      uses: github/codeql-action/upload-sarif@v4.31.2
-      with:
-        sarif_file: ${{ steps.step1.outputs.sarif-output }}
-        category: "/language:${{matrix.language}}"
+      - name: Upload CodeQL results to code scanning
+        uses: github/codeql-action/upload-sarif@v4.31.2
+        with:
+          sarif_file: ${{ steps.step1.outputs.sarif-output }}
+          category: "/language:${{matrix.language}}"
 
-    - name: Upload CodeQL results as an artifact
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: codeql-results
-        path: ${{ steps.step1.outputs.sarif-output }}
-        retention-days: 10
+      - name: Upload CodeQL results as an artifact
+        if: success() || failure()
+        uses: actions/upload-artifact@v4.6.2
+        with:
+          name: codeql-results
+          path: ${{ steps.step1.outputs.sarif-output }}
+          retention-days: 10
 
-    - name: Fail if an error is found
-      run: |
-        ./.github/scripts/codeql_fail_on_error.py \
-          ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GITHUB_REPOSITORY: ${{ github.repository }}
+      - name: Fail if an error is found
+        run: |
+          ./.github/scripts/codeql_fail_on_error.py \
+            ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
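Review bot: The `patterns:` block suppresses `cpp/command-line-injection`, `cpp/path-injection`, `cpp/uncontrolled-process-operation` and `cpp/world-writable-file-creation` for every file (`-**:`), while the comment block above the step that is meant to justify them is truncated mid-sentence (`... which is intended to`, `... which is used to`, the dangling `file.` and `execute customized compiler`), so a reader cannot tell which call sites were reviewed, and any future occurrence of these patterns elsewhere in the runtime will be dropped without anyone seeing it. Scope each suppression to the file it was reviewed in, as the hunk already does with `-core/iwasm/common/wasm_runtime_common.c:cpp/suspicious-pointer-scaling`, e.g. `-<path/of/file/defining/bh_system>:cpp/command-line-injection`, and complete the sentences in the comment so the rationale stands on its own. `-**:cpp/use-of-goto ` carries a trailing space inside the `|` block scalar, which becomes part of the pattern and may keep it from matching the rule id. The action versions are also inconsistent: `github/codeql-action/init@v4.31.2` is paired with `github/codeql-action/analyze@v3.29.1` (init and analyze should track the same release), and `actions/checkout@v3` is older than the `@v5` it replaces; pinning every `uses:` to a full commit SHA with the version in a trailing comment would make this workflow's supply chain auditable.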