.github/workflows/codeql-analysis.yml

   1 name: "CodeQL"
   2
   3 on:
   4   push:
   5   pull_request:
   6   schedule:
   7     - cron: '0 22 * * 2'
   8
   9 permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
  10   contents: read
  11
  12 jobs:
  13   analyze:
  14     name: Analyze
  15     runs-on: ubuntu-20.04
  16
  17     permissions:
  18       actions: read # for github/codeql-action/init to get workflow details
  19       contents: read  # for actions/checkout to fetch code
  20       security-events: write  # for github/codeql-action/analyze to upload SARIF results
  21
  22     strategy:
  23       fail-fast: false
  24       matrix:
  25         # Override automatic language detection by changing the below list
  26         # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
  27         language: ['cpp']
  28         product: ['rec']
  29         # Learn more...
  30         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
  31
  32     steps:
  33     - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
  34     - name: Checkout repository
  35       uses: actions/checkout@v3.1.0
  36       with:
  37         # We must fetch at least the immediate parents so that if this is
  38         # a pull request then we can checkout the head.
  39         fetch-depth: 2
  40
  41     # Python is required for building the Authoritative server
  42     - uses: actions/setup-python@v4
  43       with:
  44         python-version: '3.8'
  45
  46     # Initializes the CodeQL tools for scanning.
  47     - name: Initialize CodeQL
  48       uses: github/codeql-action/init@v2
  49       with:
  50         languages: ${{ matrix.language }}
  51         queries: +security-and-quality
  52         # TODO: go through +security-and-quality (400 alerts) once, then see if we can upgrade to it
  53
  54         # If you wish to specify custom queries, you can do so here or in a config file.
  55         # By default, queries listed here will override any specified in a config file.
  56         # Prefix the list here with "+" to use these queries and those in the config file.
  57         # queries: ./path/to/local/query, your-org/your-repo/queries@main
  58
  59     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
  60     # If this step fails, then you should remove it and run the build manually (see below)
  61     # - name: Autobuild
  62     #   uses: github/codeql-action/autobuild@v2
  63
  64     # ℹ️ Command-line programs to run using the OS shell.
  65     # 📚 https://git.io/JvXDl
  66
  67     # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
  68     #    and modify them (or add more) to build your code if your project
  69     #    uses a compiled language
  70
  71     - name: Update repository metadata
  72       run: |
  73         sudo apt-get update
  74     - name: Install dependencies
  75       run: |
  76         sudo apt-get -qq -y --no-install-recommends --allow-downgrades install \
  77                 bison \
  78                 default-libmysqlclient-dev \
  79                 flex \
  80                 libboost-all-dev \
  81                 libcap-dev \
  82                 libcdb-dev \
  83                 libcurl4-openssl-dev \
  84                 libedit-dev \
  85                 libfstrm-dev \
  86                 libgeoip-dev \
  87                 libgnutls28-dev \
  88                 libh2o-evloop-dev \
  89                 libkrb5-dev \
  90                 libldap2-dev \
  91                 liblmdb-dev \
  92                 liblua5.3-dev \
  93                 libmaxminddb-dev \
  94                 libnghttp2-dev \
  95                 libp11-kit-dev \
  96                 libpq-dev \
  97                 libre2-dev \
  98                 libsnmp-dev \
  99                 libsodium-dev \
 100                 libsqlite3-dev \
 101                 libssl-dev \
 102                 libsystemd-dev \
 103                 libwslay-dev \
 104                 libyaml-cpp-dev \
 105                 ragel \
 106                 unixodbc-dev
 107
 108     - name: Build auth
 109       if: matrix.product == 'auth'
 110       run: |
 111         autoreconf -vfi
 112         ./configure --with-modules='bind geoip gmysql godbc gpgsql gsqlite3 ldap lmdb lua2 pipe remote tinydns' --enable-tools --enable-ixfrdist --enable-dns-over-tls --enable-experimental-pkcs11 --with-libsodium --enable-lua-records CFLAGS='-O0' CXXFLAGS='-O0'
 113         make -j8 -C ext
 114         make -j8 -C modules
 115         make -j8 -C pdns
 116
 117     - name: Build dnsdist
 118       if: matrix.product == 'dnsdist'
 119       run: |
 120         cd pdns/dnsdistdist
 121         autoreconf -vfi
 122         ./configure --enable-unit-tests --enable-dnstap --enable-dnscrypt --enable-dns-over-tls --enable-dns-over-https LIBS=-lwslay CFLAGS='-O0' CXXFLAGS='-O0'
 123         make -j8 -C ext/ipcrypt
 124         make -j8 -C ext/yahttp
 125         make -j4 dnsdist
 126
 127     - name: Build recursor
 128       if: matrix.product == 'rec'
 129       run: |
 130         cd pdns/recursordist
 131         autoreconf -vfi
 132         ./configure --enable-unit-tests --enable-nod --enable-dnstap CFLAGS='-O0' CXXFLAGS='-O0'
 133         make -j8 -C ext
 134         make htmlfiles.h
 135         make -j4 pdns_recursor rec_control
 136
 137     - name: Perform CodeQL Analysis
 138       uses: github/codeql-action/analyze@v2