From 1d809959cc4feff0efdff30a80eb70d58f7d0510 Mon Sep 17 00:00:00 2001
From: "Gerardo E. Cruz-Ortiz" <59618057+astrogeco@users.noreply.github.com>
Date: Tue, 1 Feb 2022 18:40:16 -0500
Subject: [PATCH 1/2] Fix nasa#412, Rename CodeQL workflows
Renames workflows to better describe what each one does. The CodeQL "reusable" workflow is meant to be used by other workflows. The CodeQL "Analysis" workflow calls the "reusable" CodeQL workflow to execute the static analysis runs.
Co-authored-by: Ariel Adams
---
.github/workflows/{codeql-build-reuse.yml => codeql-analysis.yml} | 0
.github/workflows/{codeql-build.yml => codeql-reusable.yml} | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename .github/workflows/{codeql-build-reuse.yml => codeql-analysis.yml} (100%)
rename .github/workflows/{codeql-build.yml => codeql-reusable.yml} (100%)
diff --git a/.github/workflows/codeql-build-reuse.yml b/.github/workflows/codeql-analysis.yml
similarity index 100%
rename from .github/workflows/codeql-build-reuse.yml
rename to .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-build.yml b/.github/workflows/codeql-reusable.yml
similarity index 100%
rename from .github/workflows/codeql-build.yml
rename to .github/workflows/codeql-reusable.yml
From 98e2ef8713270a00e1d5123c80a9dcfcd5cb5255 Mon Sep 17 00:00:00 2001
From: "Gerardo E. Cruz-Ortiz" <59618057+astrogeco@users.noreply.github.com>
Date: Tue, 1 Feb 2022 18:19:42 -0500
Subject: [PATCH 2/2] Fix #412, resolve error in CodeQL Analyze Action
Fixes errors in CodeQL results uploads step. Update parameters in CodeQL "reusable" workflow.
BREAKING Interface changes:
- Renames callable workflow to `codeql-reusable.yml`, submodules will have to be updated
- Adds required `component-path` input parameter
- Repurpose tests input to be a boolean tied to "ENABLE_UNIT_TESTS" flag
Internal changes:
- Use git clone instead of checkout@v2 for the cFS-Bundle
- Use symlink to map calling repo workspace to expected cFS Bundle directory location
- Enable "code snippets" option to CodeQL Analyze action
- Archives sarif files from analysis output
- Removes code duplication by using a matrix build for security and coding standard analyses
- Alphabetizes workflow inputs and order based on "required" flag
---
.github/workflows/codeql-analysis.yml | 18 ++-
.github/workflows/codeql-reusable.yml | 163 +++++++++++++-------------
2 files changed, 98 insertions(+), 83 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ee5a9a66e..0cb8861c0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,10 +1,22 @@
-name: Reuse CodeQl Analysis
+name: "CodeQL Analysis: cFS-Bundle"
on:
push:
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
+ - '**/*.dox'
+ pull_request:
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
+ - '**/*.dox'
jobs:
codeql:
- name: CodeQL Analysis
- uses: nasa/cFS/.github/workflows/codeql-build.yml@main
\ No newline at end of file
+ uses: nasa/cFS/.github/workflows/codeql-reusable.yml@main
+ with:
+ component-path: cFS
+ make: make -j8
+ test: true
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
index 773b7ca2b..091df690e 100644
--- a/.github/workflows/codeql-reusable.yml
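Review bot: The call `uses: nasa/cFS/.github/workflows/codeql-reusable.yml@main` resolves a mutable branch, so every repository that copies this caller (and this one) runs whatever main holds at run time with its own GITHUB_TOKEN; pinning to a full commit SHA, or at least a release tag, keeps the analysis reproducible and the dependency reviewable, e.g. `uses: nasa/cFS/.github/workflows/codeql-reusable.yml@<pinned-commit-sha>`. The new `test: true` hands a YAML boolean to an input that the reusable workflow declares as `type: string`, which the workflow parser may reject as a type mismatch; either quote it (`test: 'true'`) or change the input to `type: boolean`. The caller declares no `permissions:`, so whether the called job's `security-events: write` is actually available depends on the repository's default token settings; adding `permissions:` / `security-events: write` / `contents: read` to the `codeql` job states the requirement explicitly and keeps the token least-privilege.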
+++ b/.github/workflows/codeql-reusable.yml
@@ -1,30 +1,51 @@
-name: "CodeQL Analysis"
+name: "CodeQL Reusable Workflow"
on:
workflow_call:
inputs:
- setup:
- description: 'Build Prep'
+ # REQUIRED Inputs
+ component-path:
+ description: 'Path to repo being tested in a cFS bundle setup'
type: string
- default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs'
- make-prep:
- description: 'Make Prep'
+ required: true
+ default: cFS
+
+ # Optional inputs
+ category:
+ description: 'Analysis Category'
+ required: false
type: string
- default: ''
+ make:
- description: 'Make Copy'
+ description: 'Build Command'
+ default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source
+ required: false
type: string
- default: 'make'
- tests:
- description: 'Tests'
+
+ prep:
+ description: 'Make Prep'
+ default: make prep
+ required: false
+ type: string
+
+ setup:
+ description: 'Build Prep Commands'
+ type: string
+ default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs
+ required: false
+
+ test:
+ description: 'Value for ENABLE_UNIT_TESTS flag'
type: string
- default: ''
+ default: false
+ required: false
env:
SIMULATION: native
- ENABLE_UNIT_TESTS: true
+ ENABLE_UNIT_TESTS: ${{inputs.test}}
OMIT_DEPRECATED: true
BUILDTYPE: release
+ REPO: ${{github.event.repository.name}}
jobs:
#Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action.
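Review bot: `component-path` is declared `required: true` and also given `default: cFS`; a required input is never filled from its default, so the default line is dead and the two settings contradict the 'Adds required component-path input' intent in the commit message — drop `default: cFS` (the caller in codeql-analysis.yml already passes the value) or drop `required: true`. `test` is `type: string` but its `default: false` is an unquoted YAML boolean; quote it (`default: 'false'`) or make the input `type: boolean`, which also matches its 'Value for ENABLE_UNIT_TESTS flag' description and the `ENABLE_UNIT_TESTS: ${{inputs.test}}` use below. The `setup`, `prep` and `make` inputs are run verbatim as shell by the job in the next hunk, so their descriptions should say so for callers, e.g. `description: 'Shell commands run as-is before the build; supplied by the calling workflow'`. The inline comment on `make`'s default should be written `# Typically ...` with a space after the hash.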
@@ -40,91 +61,73 @@ jobs: concurrent_skipping: 'same_content' skip_after_successful_duplicate: 'true' do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' - - CodeQL-Security-Build: + + Analysis: #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. needs: check-for-duplicates if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} runs-on: ubuntu-18.04 timeout-minutes: 15 - steps: - # Checks out a copy of your repository - - name: Checkout code - uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true + strategy: + fail-fast: false + matrix: + scan-type: [security, coding-standard] + + permissions: + security-events: write - - name: Check versions + steps: + # Setup Bundle directory + - name: Setup cFS-Bundle directory (component-path = cFS) + if: inputs.component-path == 'cFS' + run: + echo "BUILD_DIRECTORY=${{github.workspace}}" >> $GITHUB_ENV + + - name: Setup cFS-Bundle directory (component-path != cFS) + if: inputs.component-path != 'cFS' run: | - git log -1 --pretty=oneline - git submodule - - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: c - config-file: nasa/cFS/.github/codeql/codeql-security.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} + cd .. + git clone https://github.com/nasa/cFS.git --recurse-submodules + cd cFS + echo "BUILD_DIRECTORY=$(pwd)" >> $GITHUB_ENV + git log -1 --pretty=oneline + git submodule + rm -r .git + rm -r ${{ inputs.component-path }} + ln -s ${{github.workspace}} ${{ inputs.component-path }} - - name: Make prep - run: ${{ inputs.make-prep }} - - name: Make Install - run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 - - CodeQL-Coding-Standard-Build: - #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. 
- needs: check-for-duplicates - if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} - runs-on: ubuntu-18.04 - timeout-minutes: 15 - - steps: - # Checks out a copy of your repository - - name: Checkout code + - name: Checkout ${{ github.repository }} uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true + with: + submodules: recursive - - name: Check versions - run: | - git log -1 --pretty=oneline - git submodule - - name: Checkout codeql code - uses: actions/checkout@v2 - with: - repository: github/codeql - submodules: true - path: codeql + # Setup the build system + - name: cFS Build Setup + run: | + ${{ inputs.setup }} + ${{ inputs.prep }} + working-directory: ${{env.BUILD_DIRECTORY}} - name: Initialize CodeQL uses: github/codeql-action/init@v1 with: languages: c - config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} - - - name: Make prep - run: ${{ inputs.make-prep }} + config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main - - name: Make Install + - name: Build run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} + working-directory: ${{env.BUILD_DIRECTORY}} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 \ No newline at end of file + uses: github/codeql-action/analyze@v1 + with: + add-snippets: true + category: ${{matrix.scan-type}} + + - name: Archive Sarif + uses: actions/upload-artifact@v2 + with: + name: CodeQL-Sarif-${{ matrix.scan-type }} + path: /home/runner/work/${{env.REPO}}/results/cpp.sarif
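Review bot: The new job-level `permissions:` lists only `security-events: write`, and declaring any scope sets every unlisted scope to none, so the `actions/checkout@v2` step runs without `contents: read` (which fails on private calling repositories) and the CodeQL action is left without `actions: read`; add `contents: read` and `actions: read` beneath `security-events: write`. The `git clone https://github.com/nasa/cFS.git --recurse-submodules` step takes whatever the bundle's default branch holds at run time, so two scans of the same commit can analyze different bundle contents; pinning a ref (`--branch <pinned-ref>`, or checking out a recorded SHA after the clone) keeps the scan reproducible, and the same applies to the `@main` in `config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main`. The `Archive Sarif` step hard-codes `/home/runner/work/${{env.REPO}}/results/cpp.sarif`, which only matches the GitHub-hosted runner layout; passing `output: ${{ runner.temp }}/codeql-results` to the analyze step and archiving that directory removes the dependency. `rm -r ${{ inputs.component-path }}` and `ln -s ${{github.workspace}} ${{ inputs.component-path }}` interpolate a caller-supplied value into the shell unquoted; wrapping each in double quotes keeps a path with spaces from splitting into extra arguments.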