From cc50f05370981e4933504e8aaec6b15880ff847f Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Thu, 11 Sep 2025 19:50:40 +0200
Subject: [PATCH] GHA/codeql: re-enable for C with the default query pack
Earlier we used `security-extended` and tried `security-and-quality`. Try the default to see how it works. CodeQL no longer uses the project's Actions cache, also fixing the previously seen repeat cache entry issue.
- switch to `manual` build. It's 3x faster than the default `autobuild`.
- enable more dependencies to increase coverage.
- docs/tests/CI.md: re-add CodeQL.
Ref: https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites
Ref: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
Ref: #16263
Ref: 173805b2e76960de5c51fd5fe64286d8ac81f1ff #15798
Closes #18528
---
 .github/scripts/spellcheck.words | 1 +
 .github/workflows/codeql.yml | 34 ++++++++++++++++++++++++++++++++
 docs/tests/CI.md | 4 ++++
 3 files changed, 39 insertions(+)
diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words
index 13b7b2f367..46c05b741b 100644
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@@ -122,6 +122,7 @@ CMakeLists
 CNA
 CNAME
 CNAMEs
+CodeQL
 CODESET
 codeset
 CodeSonar
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9863f7624d..0952eb3d1d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -59,3 +59,37 @@ jobs:
 - name: 'perform analysis'
 uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
+
+ c:
+ name: 'C'
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: 'install prereqs'
+ timeout-minutes: 5
+ run: |
+ sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+ sudo apt-get -o Dpkg::Use-Pty=0 update
+ sudo rm -f /var/lib/man-db/auto-update
+ sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+
+ - name: 'initialize'
+ uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3
+ with:
+ languages: cpp
+ build-mode: manual
+
+ - name: 'build'
+ timeout-minutes: 10
+ run: |
+ cmake -B . -G Ninja
+ cmake --build . --verbose
+ src/curl -V
+
+ - name: 'perform analysis'
+ uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3
diff --git a/docs/tests/CI.md b/docs/tests/CI.md
index d101e3563c..40c87ba14e 100644
--- a/docs/tests/CI.md
+++ b/docs/tests/CI.md
@@ -31,8 +31,10 @@ Consider the following table while looking at pull request failures:
 | CI platform as shown in PR | State | What to look at next |
 | ----------------------------------- | ------ | -------------------------- |
+ | CI / CodeQL | stable | quality check results |
 | CI / fuzzing | stable | fuzzing results |
 | CI / macos ... | stable | all errors and failures |
+ | Code scanning results / CodeQL | stable | quality check results |
 | FreeBSD FreeBSD: ... | stable | all errors and failures |
 | LGTM analysis: Python | stable | new findings |
 | LGTM analysis: C/C++ | stable | new findings |
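Review bot: Coverage of the new C job depends on CMake actually detecting the libraries the `install prereqs` step pulls in, but the `build` step (`cmake -B . -G Ninja`) leaves every optional feature at its auto-detect default, so a package that is missing or renamed in a future runner image would silently drop that code from the scan while `src/curl -V` still succeeds. Consider passing the corresponding feature options as explicit `ON` values on the `cmake -B` line so a missing dependency becomes a configure error (the option names are the ones the project's CMakeLists defines), or at least a comment above the install line such as `# the libraries installed here decide which optional code paths CodeQL gets to see`. The two `sudo rm -f` lines in the same step would also benefit from a one-line comment recording why they are there, since neither the workflow nor the commit message states the reason. Separately, the job-level `permissions:` block grants only `security-events: write`, which sets every unlisted scope including `contents` to none; checkout still works on a public repository, but spelling out `contents: read` (and `actions: read`, as the CodeQL templates do) would make the job's intent explicit and match the other jobs in this file if they already do so.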
@@ -40,6 +42,7 @@ Consider the following table while looking at pull request failures:
 | AppVeyor | flaky | all errors and failures |
 | curl.curl (linux ...) | stable | all errors and failures |
 | curl.curl (windows ...) | flaky | repetitive errors/failures |
+ | CodeQL | stable | new findings |
 Sometimes the tests fail due to a dependency service temporarily being offline or otherwise unavailable, for example package downloads. In this case you can
@@ -58,6 +61,7 @@ GitHub Actions runs the following tests:
 - macOS tests with a variety of different compilation options
 - Fuzz tests ([see the curl-fuzzer repo for more info](https://github.com/curl/curl-fuzzer)).
+- CodeQL static analysis
 These are each configured in different files in `.github/workflows`.
-- 
2.47.3