From: Tobias Brunner
Date: Thu, 1 Dec 2022 17:17:28 +0000 (+0100)
Subject: github: Add CodeQL workflow
X-Git-Tag: 5.9.9rc1~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d3fcd100d2f1b094da0258e3b9ff3f1ee66444a;p=thirdparty%2Fstrongswan.git
github: Add CodeQL workflow
---
diff --git a/.github/codeql/config.yml b/.github/codeql/config.yml
new file mode 100644
index 0000000000..ddd2d0954c
--- /dev/null
+++ b/.github/codeql/config.yml
@@ -0,0 +1,11 @@
+queries:
+ - uses: ./.github/codeql/cpp-queries
+
+query-filters:
+ # don't explicitly point out FIXME comments
+ - exclude:
+ id: cpp/fixme-comment
+ # this rule produces too many false positives due to our custom specifiers and
+ # the use of void pointers in swanctl
+ - exclude:
+ id: cpp/wrong-type-format-argument
diff --git a/.lgtm/cpp-queries/chunk_from_chars.ql b/.github/codeql/cpp-queries/chunk_from_chars.ql
similarity index 100%
rename from .lgtm/cpp-queries/chunk_from_chars.ql
rename to .github/codeql/cpp-queries/chunk_from_chars.ql
diff --git a/.github/codeql/cpp-queries/qlpack.yml b/.github/codeql/cpp-queries/qlpack.yml
new file mode 100644
index 0000000000..8b48f38340
--- /dev/null
+++ b/.github/codeql/cpp-queries/qlpack.yml
@@ -0,0 +1,3 @@
+name: strongswan/cpp-queries
+dependencies:
+ codeql/cpp-all: "*"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..4a92b773a2
--- /dev/null
+++ b/.github/workflows/codeql.yml
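Review bot: The `exclude` of `cpp/wrong-type-format-argument` in config.yml is repository-wide, so the query also stops reporting genuine format/argument mismatches in code that uses neither the custom specifiers nor swanctl's void pointers, while the comment only explains the noise that motivated it. Since `query-filters` cannot be scoped to a path, it is worth stating the trade-off next to the filter so it is revisited rather than treated as permanent, e.g. `# NOTE: excluded repo-wide, so real format/argument mismatches outside swanctl are not reported either; revisit if the noise can be tamed`. The `cpp/fixme-comment` exclusion is fine as it is cosmetic only.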
@@ -0,0 +1,72 @@
+name: "CodeQL"
+
+on: [push, pull_request]
+
+env:
+ CCACHE_BASEDIR: ${{ github.workspace }}
+ CCACHE_COMPRESS: true
+ CCACHE_MAXSIZE: 200M
+ OS_NAME: linux
+
+jobs:
+ pre-check:
+ runs-on: ubuntu-latest
+ outputs:
+ should_skip: ${{ steps.skip-check.outputs.should_skip }}
+ steps:
+ - id: skip-check
+ uses: fkirc/skip-duplicate-actions@master
+ with:
+ concurrent_skipping: 'same_content'
+
+ analyze:
+ needs: pre-check
+ if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp', 'python', 'ruby' ]
+ steps:
+ - uses: actions/checkout@v3
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql/config.yml
+
+ - if: matrix.language == 'python' || matrix.language == 'ruby'
+ name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ # this follows the steps of the Linux workflow
+ - if: matrix.language == 'cpp'
+ uses: actions/cache@v3
+ with:
+ path: ~/.cache/ccache
+ key: ccache-ubuntu-latest-gcc-codeql-${{ github.sha }}
+ restore-keys: |
+ ccache-ubuntu-latest-gcc-codeql
+ ccache-ubuntu-latest-gcc-all-${{ github.sha }}
+ ccache-ubuntu-latest-gcc-all-
+ ccache-ubuntu-latest-gcc-
+ - if: matrix.language == 'cpp'
+ run: |
+ sudo apt-get install -qq ccache
+ echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
+ ccache -z
+ - if: matrix.language == 'cpp'
+ env:
+ TEST: codeql
+ uses: ./.github/actions/default
+ - if: matrix.language == 'cpp'
+ run: ccache -s
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/scripts/test.sh b/scripts/test.sh
index d528d4bbea..ad450c15a6 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
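Review bot: The `pre-check` job pulls `fkirc/skip-duplicate-actions@master`, a third-party action referenced by a mutable branch, so whoever controls that repository can change the code that runs with this workflow's token on any future push or pull request; pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: fkirc/skip-duplicate-actions@<full-sha> # v5.x.y`, and let Dependabot or a similar tool bump the pin. In the same job no `permissions:` block is declared, so its GITHUB_TOKEN gets the repository default, which may be read-write, whereas `analyze` correctly scopes itself to `actions: read`, `contents: read`, `security-events: write`; add a minimal block to `pre-check` as well, presumably `permissions: { actions: read }` for `same_content` skipping only — confirm the exact scope against the action's documentation. The first-party actions are tagged by major version (`@v3`, `@v2`), which is the usual trade-off for GitHub-owned actions, but SHA-pinning them too would make the whole workflow reproducible.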
@@ -219,7 +219,7 @@ wolfssl) printf-builtin) CONFIG="--with-printf-hooks=builtin" ;; -all|coverage|sonarcloud) +all|codeql|coverage|sonarcloud) if [ "$TEST" = "sonarcloud" ]; then if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \ @@ -227,6 +227,10 @@ all|coverage|sonarcloud) exit 1 fi fi + if [ "$TEST" = "codeql" ]; then + # don't run tests, only analyze built code + TARGET= + fi CONFIG="--enable-all --disable-android-dns --disable-android-log --disable-kernel-pfroute --disable-keychain --disable-lock-profiler --disable-padlock --disable-fuzzing @@ -498,7 +502,7 @@ CONFIG="$CONFIG --enable-leak-detective=${LEAK_DETECTIVE-no}" case "$TEST" in - coverage|freebsd|fuzzing|sonarcloud|win*) + codeql|coverage|freebsd|fuzzing|sonarcloud|win*) # don't use AddressSanitizer if it's not available or causes conflicts CONFIG="$CONFIG --disable-asan" ;;