From 7e24318f221f7cfb816634c0c78cb651e4b9e173 Mon Sep 17 00:00:00 2001 From: "Gerardo E. Cruz-Ortiz" <59618057+astrogeco@users.noreply.github.com> Date: Tue, 1 Feb 2022 18:19:42 -0500 Subject: [PATCH] Fix #412, resolve error in CodeQL Analyze Action Fixes errors in CodeQL results uploads step. Update parameters in CodeQL "reusable" workflow. BREAKING Interface changes: - Renames callable workflow to `codeql-reusable.yml`, submodules will have to be updated - Adds required `component-path` input parameter - Repurpose tests input to be a boolean tied to "ENABLE_UNIT_TESTS" flag Internal changes: - Use git clone instead of checkout@v2 for the cFS-Bundle - Use symlink to map calling repo workspace to expected cFS Bundle directory location - Enable "code snippets" option to CodeQL Analyze action - Archives sarif files from analysis output - Removes code duplication by using a matrix build for security and coding standard analyses - Alphabetizes workflow inputs and order based on "required" flag --- .github/workflows/codeql-analysis.yml | 18 ++- .github/workflows/codeql-reusable.yml | 156 +++++++++++++------------- 2 files changed, 93 insertions(+), 81 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ee5a9a66e..a04ec1ecd 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,10 +1,22 @@ -name: Reuse CodeQl Analysis +name: "CodeQl Analysis: cFS-Bundle" on: push: + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '**/*.dox' + pull_request: + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '**/*.dox' jobs: codeql: - name: CodeQL Analysis - uses: nasa/cFS/.github/workflows/codeql-build.yml@main \ No newline at end of file + uses: astrogeco/cFS/.github/workflows/codeql-reusable.yml@fix-codeql-workflow + with: + component-path: cFS + make: make -j8 + test: true diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml index 773b7ca2b..c9ac0aabe 100644 --- a/.github/workflows/codeql-reusable.yml +++ b/.github/workflows/codeql-reusable.yml @@ -3,28 +3,49 @@ name: "CodeQL Analysis" on: workflow_call: inputs: - setup: - description: 'Build Prep' + # REQUIRED Inputs + component-path: + description: 'Path to repo being tested in a cFS bundle setup' type: string - default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs' - make-prep: - description: 'Make Prep' + required: true + default: cFS + + # Optional inputs + category: + description: 'Analysis Category' + required: false type: string - default: '' + make: - description: 'Make Copy' + description: 'Build Command' + default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source + required: false + type: string + + prep: + description: 'Make Prep' + default: make prep + required: false + type: string + + setup: + description: 'Build Prep Commands' type: string - default: 'make' - tests: - description: 'Tests' + default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs + required: false + + test: + description: 'Value for ENABLE_UNIT_TESTS flag' type: string - default: '' + default: false + required: false env: SIMULATION: native - ENABLE_UNIT_TESTS: true + ENABLE_UNIT_TESTS: ${{inputs.test}} OMIT_DEPRECATED: true BUILDTYPE: release + REPO: ${{github.event.repository.name}} jobs: #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action. @@ -40,91 +61,70 @@ jobs: concurrent_skipping: 'same_content' skip_after_successful_duplicate: 'true' do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' - - CodeQL-Security-Build: + + Analysis: #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. needs: check-for-duplicates if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} runs-on: ubuntu-18.04 timeout-minutes: 15 + strategy: + fail-fast: false + matrix: + scan-type: [security, coding-standard] + + permissions: + security-events: write + steps: - # Checks out a copy of your repository - - name: Checkout code + # Checks out a copy of calling repository + - name: Checkout ${{ github.repository }} uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true - - name: Check versions + - name: Clone cFS bundle run: | - git log -1 --pretty=oneline - git submodule - + cd .. + git clone https://github.com/nasa/cFS.git --recurse-submodules + cd cFS + git log -1 --pretty=oneline + git submodule + rm -r .git + + - name: Create symlink to current repo + if: inputs.component-path != "cFS" + run: | + cd ../cFS + rm -r ${{ inputs.component-path }} + ln -s ${{github.workspace}} ${{ inputs.component-path }} + + # Setup the build system + - name: cFS Build Setup + run: ${{ inputs.setup }} + working-directory: ../cFS + + - name: Prep Build + run: ${{ inputs.prep }} + working-directory: ../cFS + - name: Initialize CodeQL uses: github/codeql-action/init@v1 with: languages: c - config-file: nasa/cFS/.github/codeql/codeql-security.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} + config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main - - name: Make prep - run: ${{ inputs.make-prep }} - - - name: Make Install + - name: Build run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} + working-directory: ../cFS - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v1 - - CodeQL-Coding-Standard-Build: - #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. - needs: check-for-duplicates - if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} - runs-on: ubuntu-18.04 - timeout-minutes: 15 - - steps: - # Checks out a copy of your repository - - name: Checkout code - uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true - - - name: Check versions - run: | - git log -1 --pretty=oneline - git submodule - - name: Checkout codeql code - uses: actions/checkout@v2 with: - repository: github/codeql - submodules: true - path: codeql + add-snippets: true + category: ${{matrix.scan-type}} - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + - name: Archive Sarif + uses: actions/upload-artifact@v2 with: - languages: c - config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} - - - name: Make prep - run: ${{ inputs.make-prep }} - - - name: Make Install - run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 \ No newline at end of file + name: CodeQL-Sarif-${{ matrix.scan-type }} + path: /home/runner/work/${{env.REPO}}/results/cpp.sarif