Adding packs #43
# For most projects, this workflow file will not need changing; you simply need | |
# to commit it to your repository. | |
# | |
# You may wish to alter this file to override the set of languages analyzed, | |
# or to provide custom queries or build logic. | |
# | |
# ******** NOTE ******** | |
# We have attempted to detect the languages in your repository. Please check | |
# the `language` matrix defined below to confirm you have the correct set of | |
# supported CodeQL languages. | |
# | |
name: "CodeQL" | |
on: | |
push: | |
branches: [ "km/adding_code_ql" ] | |
pull_request: | |
branches: [ "main" ] | |
schedule: | |
- cron: '32 5 * * 4' | |
jobs: | |
analyze: | |
name: Analyze (csharp) | |
runs-on: 'ubuntu-latest' | |
timeout-minutes: 360 | |
permissions: | |
# required for all workflows | |
security-events: write | |
# required to fetch internal or private CodeQL packs | |
packages: read | |
# only required for workflows in private repositories | |
actions: read | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- uses: microsoft/azure-orbital-space-sdk-github-actions/composite-actions/initialize@main | |
with: | |
GIT_HUB_USER_NAME: ${{ secrets.GIT_HUB_USER_NAME }} | |
GIT_HUB_USER_TOKEN: ${{ secrets.GIT_HUB_USER_TOKEN }} | |
SETUP_REPO_URL: ${{ secrets.SETUP_REPO_URL }} | |
- name: Stand up Devcontainer | |
shell: bash | |
run: | | |
devcontainer up --workspace-folder ${PWD} \ | |
--workspace-mount-consistency cached \ | |
--id-label devcontainer.local_folder=${PWD} \ | |
--default-user-env-probe loginInteractiveShell \ | |
--build-no-cache \ | |
--remove-existing-container \ | |
--mount type=volume,source=vscode,target=/vscode,external=true \ | |
--update-remote-user-uid-default on \ | |
--mount-workspace-git-root true | |
echo $? | |
- name: install-codeql | |
shell: bash | |
run: | | |
CONTAINER_NAME="hostsvc-link" | |
# Determine the latest release version of CodeQL CLI | |
docker exec $CONTAINER_NAME bash -c "curl -s https://api.github.com/repos/github/codeql-cli-binaries/releases/latest | grep 'tag_name' | awk '{print substr(\$2, 2, length(\$2)-3)}'" > latest_release.txt | |
LATEST_RELEASE=$(<latest_release.txt) | |
# Define the download URL and target directory | |
DOWNLOAD_URL="https://github.com/github/codeql-cli-binaries/releases/download/${LATEST_RELEASE}/codeql-linux64.zip" | |
TARGET_DIR="/root/codeql" # Adjust the target directory as per the container's file system | |
ZIP_FILE="$TARGET_DIR/codeql.zip" | |
# Create target directory if it doesn't exist | |
docker exec $CONTAINER_NAME bash -c "mkdir -p $TARGET_DIR" | |
# Download the latest release of CodeQL CLI | |
echo "Downloading CodeQL CLI ${LATEST_RELEASE}..." | |
docker exec $CONTAINER_NAME bash -c "curl -L '$DOWNLOAD_URL' -o '$ZIP_FILE'" | |
# Extract the downloaded zip file | |
echo "Extracting CodeQL CLI..." | |
docker exec $CONTAINER_NAME bash -c "unzip -o '$ZIP_FILE' -d '$TARGET_DIR'" | |
# Clean up the zip file | |
docker exec $CONTAINER_NAME bash -c "rm '$ZIP_FILE'" | |
# Find the correct path to the codeql executable and update the PATH or use it directly in subsequent commands | |
# This step is crucial and might need adjustment based on the actual structure of the CodeQL CLI zip file | |
# Assuming codeql is in /root/codeql/codeql after extraction | |
EXECUTABLE_PATH="/root/codeql/codeql/codeql" | |
# Optionally, update the PATH in a way that's guaranteed to work for non-interactive shells | |
docker exec $CONTAINER_NAME bash -c "echo 'export PATH=\$PATH:$EXECUTABLE_PATH' > /etc/profile.d/codeql.sh" | |
echo "CodeQL CLI installation completed." | |
- name: restore-projects | |
shell: bash | |
run: | | |
container_name="hostsvc-link" | |
database_name="hostsvc-link-src" | |
cs_proj_name="/workspaces/hostsvc-link/src/hostsvc-link.csproj" | |
source_directory="/workspaces/hostsvc-link/src" | |
echo "Init database..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql database init $database_name -s $source_directory --language=csharp --overwrite" | |
echo "" | |
echo "Download qlpacks..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack download codeql/csharp-queries@1.0.2" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack install codeql/csharp-queries@1.0.2" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack download codeql/threat-models@1.0.2" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack install codeql/threat-models@1.0.2" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack download codeql/csharp-solorigate-queries@1.0.1" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack install codeql/csharp-solorigate-queries@1.0.1" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack download codeql/csharp-solorigate-all@1.0.1" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack install codeql/csharp-solorigate-all@1.0.1" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack download codeql/csharp-upgrades@0.0.7" | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql pack install codeql/csharp-upgrades@0.0.7" | |
echo "" | |
echo "Trace commands dotnet clean..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql database trace-command $database_name dotnet clean $cs_proj_name" | |
echo "" | |
echo "Trace commands dotnet restore..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql database trace-command $database_name dotnet restore $cs_proj_name" | |
echo "" | |
echo "Trace commands dotnet build..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql database trace-command $database_name dotnet build $cs_proj_name" | |
echo "" | |
echo "Database finalize..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql database finalize $database_name" | |
echo "" | |
echo "Resolve qlpacks..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql resolve qlpacks" | |
echo "" | |
echo "Database Query..." | |
docker exec $container_name bash -c "bash /root/codeql/codeql/codeql database analyze $database_name codeql/csharp-queries --format=sarif --output=/var/spacedev/tmp/analysis-results.sarif" | |
- name: Upload analysis results | |
uses: actions/upload-artifact@v2 | |
with: | |
name: codeql-analysis-results | |
path: /var/spacedev/tmp/analysis-results.sarif |
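Review bot: The install-codeql step resolves `LATEST_RELEASE` from the GitHub API at run time and downloads and runs that CodeQL CLI archive without pinning a version or checking the archive, and the initialize step references the composite action by the mutable `@main` ref, so the toolchain that produces the scan can change between runs with no change in this repository. Pin the action to a commit, `uses: microsoft/azure-orbital-space-sdk-github-actions/composite-actions/initialize@<pinned-commit-sha>` (placeholder), and pin the CLI release the way the query packs already are in restore-projects (`@1.0.2`, `@1.0.1`, `@0.0.7`); failing that, make the download fail loudly with `curl -fsSL` and `[ -n "$LATEST_RELEASE" ] || exit 1` before `DOWNLOAD_URL` is built, because an empty value currently yields a URL containing `//` and an HTML error page that only surfaces later at `unzip`. The outer `pipefail` does not help here: the `tag_name` parsing runs inside `docker exec ... bash -c "curl | grep | awk"`, where the inner shell returns awk's status, so an empty or rate-limited API response exits 0. Separately, `security-events: write` is granted but the SARIF is only stored as an artifact via `actions/upload-artifact@v2`, an older major line than the `actions/checkout@v4` used above; either upload it to code scanning or drop the unused write permission.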