-
Notifications
You must be signed in to change notification settings - Fork 908
168 lines (147 loc) · 6.71 KB
/
codeql-analysis.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: "CodeQL and clang-tidy"
on:
push:
pull_request:
schedule:
- cron: '0 22 * * 2'
permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
contents: read
# clang-tidy fun:
# We need to invoke clang-tidy from the correct directory, the one the product was compiled in, so that we get the correct include paths.
# This means the root for the auth, pdns/recursordist for the rec and pdns/dnsdistdist for dnsdist
# It is important that files that are used by more than one product are processed by all the products using them
# because they might have difference compilation flags.
# We have to use our own clang-tidy-diff.py because the line-filter flag only supports file names, not paths.
# Finally the GH annotations that we generate from clang-tidy.py, have to be relative to the path in the git repository, so we need to
# follow symlinks.
# How does that work? We use git diff to get the list of diffs, and git-filter.py to get the right folder depending on the product.
# Then we call clang-tidy-diff.py, which invokes clang-tidy on the correct file, deducing the line numbers from the diff, and
# merging the results for all processed files to a YAML file. Finally clang-tidy.py converts the YAML output to GitHub annotations
# (GitHub only supports 10 of these per job, the rest are not displayed) and to GitHub markdown step summary (which has no such limits).
jobs:
analyze:
name: Analyze
if: ${{ !github.event.schedule || vars.SCHEDULED_CODEQL_ANALYSIS }}
runs-on: ubuntu-22.04
permissions:
actions: read # for github/codeql-action/init to get workflow details
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/analyze to upload SARIF results
strategy:
fail-fast: false
matrix:
# Override automatic language detection by changing the below list
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
language: ['cpp']
product: ['auth']
# Learn more...
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
env:
COMPILER: gcc
UNIT_TESTS: yes
FUZZING_TARGETS: yes
COVERAGE: no
OPTIMIZATIONS: no
# for clang-tidy only, not compilation
CLANG_VERSION: '14'
REPO_HOME: ${{ github.workspace }}
DECAF_SUPPORT: no
outputs:
clang-tidy-annotations-auth: ${{ steps.clang-tidy-annotations-auth.outputs.failed }}
steps:
- uses: PowerDNS/pdns/set-ubuntu-mirror@meta
- name: Checkout repository
uses: actions/checkout@v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
# TODO: go through +security-and-quality (400 alerts) once, then see if we can upgrade to it
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
# - name: Autobuild
# uses: github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
- name: Update repository metadata
run: |
sudo apt-get update
- name: Install python invoke and needed libs
run: |
sudo apt-get -qq -y --no-install-recommends install python3 python3-pip python3-invoke python3-git python3-unidiff ccache
- name: Install clang-tidy tools
run: |
inv install-clang-tidy-tools
- name: Install dependencies for auth
if: matrix.product == 'auth'
run: |
inv install-auth-build-deps
- name: Autoreconf auth
if: matrix.product == 'auth'
run: |
inv ci-autoconf
- name: Configure auth
if: matrix.product == 'auth'
run: |
inv ci-auth-configure
- name: Build auth
if: matrix.product == 'auth'
run: |
inv ci-auth-make-bear
- run: ln -s .clang-tidy.full .clang-tidy
if: matrix.product == 'auth'
- name: Run clang-tidy for auth
if: matrix.product == 'auth'
run: git diff --no-prefix -U0 HEAD^..HEAD | python3 .github/scripts/git-filter.py --product auth | python3 .github/scripts/clang-tidy-diff.py -clang-tidy-binary /usr/bin/clang-tidy-${CLANG_VERSION} -extra-arg=-ferror-limit=0 -p0 -export-fixes clang-tidy-auth.yml
- name: Print clang-tidy fixes YAML for auth
if: matrix.product == 'auth'
shell: bash
run: |
if [ -f clang-tidy-auth.yml ]; then
cat clang-tidy-auth.yml
fi
- name: Result annotations for auth
if: matrix.product == 'auth'
id: clang-tidy-annotations-auth
shell: bash
run: |
if [ -f clang-tidy-auth.yml ]; then
set +e
python3 .github/scripts/clang-tidy.py --fixes-file clang-tidy-auth.yml
echo "failed=$?" >> $GITHUB_OUTPUT
fi
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
check-clang-tidy:
needs: analyze
runs-on: ubuntu-22.04
name: Check whether clang-tidy succeeded
steps:
- run: |
if [ "x${{ needs.analyze.outputs.clang-tidy-annotations-auth }}" != "x" -a "${{ needs.analyze.outputs.clang-tidy-annotations-auth }}" != "0" ]; then
echo "::error::Auth clang-tidy failed"
exit 1
fi
check-for-binaries:
runs-on: ubuntu-22.04
name: Force failure in case there are binaries present in a pull request
if: ${{ github.event_name == 'pull_request' }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 2
- run: if [[ "$(file -i --dereference $(git diff --name-only HEAD^..HEAD -- . :^fuzzing/corpus) | grep binary | grep -v 'image/' | grep -v 'inode/x-empty' | grep -v 'inode/directory')" != "" ]]; then exit 1; fi