From 27d6281158f5c11a557be45a770dabfc66eb980f Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Tue, 13 Sep 2022 21:18:44 +0200
Subject: [PATCH 1/3] ci: run CodeQL on push to main/stable branches as well
Since we need results for the base branches as well in order to have something to compare against. Follow-up to cbe25d0dccdd3f2901a1e74a665c068f42dae9f5.
---
.github/workflows/codeql-analysis.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b31dbb8741f..028040d1abe 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,6 +9,10 @@ on:
branches:
- main
- v[0-9]+-stable
+ push:
+ branches:
+ - main
+ - v[0-9]+-stable
permissions:
contents: read
From 774cf0d8fdc735f71f835987aaf153a809b53403 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Tue, 13 Sep 2022 21:28:00 +0200
Subject: [PATCH 2/3] ci: drop LGTM stuff and move remaining bits into a new location
---
.github/codeql-config.yml | 2 +-
.../PotentiallyDangerousFunction.ql | 0
.../UninitializedVariableWithCleanup.ql | 0
.../codeql-queries}/qlpack.yml | 0
.lgtm.yml | 40 -------------------
5 files changed, 1 insertion(+), 41 deletions(-)
rename {.lgtm/cpp-queries => .github/codeql-queries}/PotentiallyDangerousFunction.ql (100%)
rename {.lgtm/cpp-queries => .github/codeql-queries}/UninitializedVariableWithCleanup.ql (100%)
rename {.lgtm/cpp-queries => .github/codeql-queries}/qlpack.yml (100%)
delete mode 100644 .lgtm.yml
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
index 447e53bd1b8..7c01d32caa3 100644
--- a/.github/codeql-config.yml
+++ b/.github/codeql-config.yml
@@ -9,4 +9,4 @@ queries:
- name: Enable possibly useful queries which are disabled by default
uses: ./.github/codeql-custom.qls
- name: systemd-specific CodeQL queries
- uses: ./.lgtm/cpp-queries/
+ uses: ./.github/codeql-queries/
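Review bot: The new `uses: ./.github/codeql-queries/` line only re-points the custom query pack, while the `.lgtm.yml` deleted in the same commit also carried thirteen explicit `cpp/...` includes (e.g. `cpp/unsafe-strcat`, `cpp/bad-strncpy-size`, `cpp/suspicious-pointer-scaling`) plus a tag filter selecting `security`/`correctness` queries at `error` severity; whether `./.github/codeql-custom.qls`, referenced on the context line above, already enables that same set is not visible in this diff. Worth confirming before merge that none of those queries drop out of the scan, and recording the decision on the `queries:` entry, e.g. `# covers the explicit includes formerly listed in .lgtm.yml`. The deleted file also installed `.github/workflows/requirements.txt --require-hashes` before extraction; if the CodeQL workflow does not do the equivalent, the Python analysis may now run without those dependencies — that lives outside this hunk, so unverified here. The `queries:` mapping begins before the hunk.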
diff --git a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
similarity index 100%
rename from .lgtm/cpp-queries/PotentiallyDangerousFunction.ql
rename to .github/codeql-queries/PotentiallyDangerousFunction.ql
diff --git a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
similarity index 100%
rename from .lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
rename to .github/codeql-queries/UninitializedVariableWithCleanup.ql
diff --git a/.lgtm/cpp-queries/qlpack.yml b/.github/codeql-queries/qlpack.yml
similarity index 100%
rename from .lgtm/cpp-queries/qlpack.yml
rename to .github/codeql-queries/qlpack.yml
diff --git a/.lgtm.yml b/.lgtm.yml
deleted file mode 100644
index 86fd0e742c4..00000000000
--- a/.lgtm.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-# vi: ts=2 sw=2 et:
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-# Explicitly enable certain checks which are hidden by default
-queries:
- - include: cpp/bad-strncpy-size
- - include: cpp/declaration-hides-variable
- - include: cpp/inconsistent-null-check
- - include: cpp/mistyped-function-arguments
- - include: cpp/nested-loops-with-same-variable
- - include: cpp/sizeof-side-effect
- - include: cpp/suspicious-pointer-scaling
- - include: cpp/suspicious-pointer-scaling-void
- - include: cpp/suspicious-sizeof
- - include: cpp/unsafe-strcat
- - include: cpp/unsafe-strncat
- - include: cpp/unsigned-difference-expression-compared-zero
- - include: cpp/unused-local-variable
- - include:
- tags:
- - "security"
- - "correctness"
- severity: "error"
-
-extraction:
- cpp:
- prepare:
- packages:
- - libpwquality-dev
- - libfdisk-dev
- - libp11-kit-dev
- - libssl-dev
- - python3-jinja2
- after_prepare:
- - pip3 install -r .github/workflows/requirements.txt --require-hashes
- - export PATH="/opt/work/.local/bin:$PATH"
- python:
- python_setup:
- version: 3
From 736a1df747ee0b2b20f4afa791dcd68e4704610c Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal
Date: Tue, 13 Sep 2022 21:30:10 +0200
Subject: [PATCH 3/3] ci: limit scope for the CodeQL scan
Don't run the workflow unnecessarily for non-{cpp,python} related changes.
---
.github/workflows/codeql-analysis.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 028040d1abe..b531753caba 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,6 +9,12 @@ on:
branches:
- main
- v[0-9]+-stable
+ paths:
+ - '**/meson.build'
+ - '.github/**/codeql*'
+ - 'src/**'
+ - 'test/**'
+ - 'tools/**'
push:
branches:
- main
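Review bot: The added `paths:` block sits under the first `branches:` list only, i.e. the `pull_request` trigger; the `push:` trigger for `main`/`v[0-9]+-stable` on the trailing context lines stays unfiltered, so every push to those branches still runs a full scan regardless of what changed. That is defensible if the intent is to keep the base-branch baseline fresh for comparison, but the commit message's blanket wording does not say so; a comment on the `push:` key such as `# deliberately unfiltered: base branches need an up-to-date baseline to diff against` would make the asymmetry explicit. Two caveats with path-filtered triggers are worth noting: if this workflow is a required status check, PRs that touch none of the listed globs will report no run at all; and build inputs outside the globs (for instance `.github/workflows/requirements.txt`, if the workflow installs it as the deleted `.lgtm.yml` did) will not trigger a scan. The `on:` block starts before the hunk.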