From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Fri, 25 Sep 2020 15:22:59 +0000 (+0200)
Subject: enable GitHub CodeQL code scanning
X-Git-Tag: auth-4.4.0-alpha2~51^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e5ee9bf9ee9eb47defc24d45d2bb1146a73d142c;p=thirdparty%2Fpdns.git

enable GitHub CodeQL code scanning
---

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000000..c554979205
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,118 @@
+name: "CodeQL"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 22 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['cpp']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        queries: +security-and-quality
+        # TODO: go through +security-and-quality (400 alerts) once, then see if we can upgrade to it
+
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file. 
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    # - name: Autobuild
+    #   uses: github/codeql-action/autobuild@v1
+
+    # â¹ï¸ Command-line programs to run using the OS shell.
+    # ð https://git.io/JvXDl
+
+    # âï¸ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    - run: |
+        free -m
+        cat /proc/cpuinfo
+        sudo apt-get --no-install-recommends install -qq -y \
+                bison \
+                default-libmysqlclient-dev \
+                flex \
+                libboost-all-dev \
+                libcap-dev \
+                libcdb-dev \
+                libcurl4-openssl-dev \
+                libedit-dev \
+                libfstrm-dev \
+                libgeoip-dev \
+                libgnutls28-dev \
+                libh2o-evloop-dev \
+                libkrb5-dev \
+                libldap2-dev \
+                liblmdb-dev \
+                liblua5.3-dev \
+                libmaxminddb-dev \
+                libp11-kit-dev \
+                libpq-dev \
+                libprotobuf-dev \
+                libre2-dev \
+                libsnmp-dev \
+                libsodium-dev \
+                libsqlite3-dev \
+                libssl-dev \
+                libsystemd-dev \
+                libwslay-dev \
+                libyaml-cpp-dev \
+                protobuf-compiler \
+                ragel \
+                unixodbc-dev
+
+        autoreconf -vfi
+        ./configure --with-modules='bind geoip gmysql godbc gpgsql gsqlite3 ldap lmdb lua2 pipe random remote tinydns' --enable-tools --enable-ixfrdist --enable-dns-over-tls --enable-experimental-pkcs11 --with-libsodium --with-protobuf --enable-lua-records CFLAGS='-O0' CXXFLAGS='-O0'
+        make -j8 -C ext
+        make -j8 -C modules
+        make -j8 -C pdns
+
+        cd pdns/dnsdistdist
+        autoreconf -vfi
+        ./configure --enable-unit-tests --enable-dnstap --enable-dnscrypt --enable-dns-over-tls --enable-dns-over-https LIBS=-lwslay CFLAGS='-O0' CXXFLAGS='-O0'
+        make -j8 -C ext/ipcrypt
+        make -j8 -C ext/yahttp
+        make -j8 dnsdist
+
+        cd ../recursordist
+        autoreconf -vfi
+        ./configure --enable-unit-tests --enable-nod --enable-dnstap CFLAGS='-O0' CXXFLAGS='-O0'
+        make -j8 -C ext
+        make dnsmessage.pb.cc dnstap.pb.cc htmlfiles.h
+        make -j8 pdns_recursor rec_control
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1