From e40185523faa7973272f53e9a1d450c145ed1cd6 Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Fri, 21 Jun 2024 13:08:11 +0200 Subject: [PATCH 1/8] testing codacy --- .github/workflows/Codacy.yml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/Codacy.yml diff --git a/.github/workflows/Codacy.yml b/.github/workflows/Codacy.yml new file mode 100644 index 000000000..4eb162bd2 --- /dev/null +++ b/.github/workflows/Codacy.yml @@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ "develop", "featrue_Codacy" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "develop" ] + #schedule: + # - cron: '35 15 * * 5' + +permissions: + contents: read + +jobs: + codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v4 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif From f8c1d40d394f0028661fb9e037d69206576699c1 Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Fri, 21 Jun 2024 13:16:53 +0200 Subject: [PATCH 2/8] breaking code on purpose... --- .github/workflows/Codacy.yml | 2 +- samplePDF/Structs.cpp | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/Codacy.yml b/.github/workflows/Codacy.yml index 4eb162bd2..e1990609c 100644 --- a/.github/workflows/Codacy.yml +++ b/.github/workflows/Codacy.yml @@ -56,6 +56,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/samplePDF/Structs.cpp b/samplePDF/Structs.cpp index afc001563..7fb497c5f 100644 --- a/samplePDF/Structs.cpp +++ b/samplePDF/Structs.cpp @@ -11,6 +11,15 @@ namespace MaCh3Utils { double GetMassFromPDG(int PDG) { // ***************************** + + // Allocate memory but forget to deallocate it + void* memoryLeak = malloc(100 * sizeof(int)); + + int* ptr = nullptr; + *ptr = 10; // Attempting to dereference a null pointer + + double unusedVariable = 0.0; + switch (abs(PDG)) { case 11: return 0.511E-3; From 72c5dadb2015663ee7acc5e6257b613a6f10230d Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Fri, 21 Jun 2024 13:41:32 +0200 Subject: [PATCH 3/8] another test --- .github/workflows/Codacy.yml | 61 ------------------------ .github/workflows/CodeQL.yml | 91 ++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 61 deletions(-) delete mode 100644 .github/workflows/Codacy.yml create mode 100644 .github/workflows/CodeQL.yml diff --git a/.github/workflows/Codacy.yml b/.github/workflows/Codacy.yml deleted file mode 100644 index e1990609c..000000000 --- a/.github/workflows/Codacy.yml +++ /dev/null @@ -1,61 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow checks out code, performs a Codacy security scan -# and integrates the results with the -# GitHub Advanced Security code scanning feature. For more information on -# the Codacy security scan action usage and parameters, see -# https://github.com/codacy/codacy-analysis-cli-action. -# For more information on Codacy Analysis CLI in general, see -# https://github.com/codacy/codacy-analysis-cli. - -name: Codacy Security Scan - -on: - push: - branches: [ "develop", "featrue_Codacy" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "develop" ] - #schedule: - # - cron: '35 15 * * 5' - -permissions: - contents: read - -jobs: - codacy-security-scan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Codacy Security Scan - runs-on: ubuntu-latest - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout code - uses: actions/checkout@v4 - - # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - - name: Run Codacy Analysis CLI - uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b - with: - # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository - # You can also omit the token and run the tools that support default configurations - project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} - verbose: true - output: results.sarif - format: sarif - # Adjust severity of non-security issues - gh-code-scanning-compat: true - # Force 0 exit code to allow SARIF file generation - # This will handover control about PR rejection to the GitHub side - max-allowed-issues: 2147483647 - - # Upload the SARIF file generated in the previous step - - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif diff --git a/.github/workflows/CodeQL.yml b/.github/workflows/CodeQL.yml new file mode 100644 index 000000000..0faa22207 --- /dev/null +++ b/.github/workflows/CodeQL.yml @@ -0,0 +1,91 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "develop", "featrue_Codacy" ] + pull_request: + branches: [ "develop", "featrue_Codacy" ] + #schedule: + # - cron: '35 0 * * 0' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: c-cpp + #build-mode: autobuild + # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + #build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + #- if: matrix.build-mode == 'manual' + # shell: bash + # run: | + # echo 'If you are using a "manual" build mode for one or more of the' \ + # 'languages you are analyzing, replace this with the commands to build' \ + # 'your code, for example:' + # echo ' make bootstrap' + # echo ' make release' + # exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 8b804bdb1b3cbb267a9c4a347c4b41c7a59dd4cd Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Fri, 21 Jun 2024 13:49:38 +0200 Subject: [PATCH 4/8] ... --- .github/workflows/CodeQL.yml | 93 +++++++----------------------------- 1 file changed, 17 insertions(+), 76 deletions(-) diff --git a/.github/workflows/CodeQL.yml b/.github/workflows/CodeQL.yml index 0faa22207..3dd921e6e 100644 --- a/.github/workflows/CodeQL.yml +++ b/.github/workflows/CodeQL.yml @@ -1,91 +1,32 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" +name: "CodeQL C++ Analysis" on: push: - branches: [ "develop", "featrue_Codacy" ] + branches: + - develop + - featrue_Codacy pull_request: - branches: [ "develop", "featrue_Codacy" ] - #schedule: - # - cron: '35 0 * * 0' + branches: + - develop + - featrue_Codacy jobs: analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + name: Analyze C++ Code with CodeQL + runs-on: ubuntu-latest permissions: - # required for all workflows security-events: write - - # required to fetch internal or private CodeQL packs packages: read - - # only required for workflows in private repositories actions: read contents: read - - strategy: - fail-fast: false - matrix: - include: - - language: c-cpp - #build-mode: autobuild - # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - #build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + - name: Checkout repository + uses: actions/checkout@v4 - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - #- if: matrix.build-mode == 'manual' - # shell: bash - # run: | - # echo 'If you are using a "manual" build mode for one or more of the' \ - # 'languages you are analyzing, replace this with the commands to build' \ - # 'your code, for example:' - # echo ' make bootstrap' - # echo ' make release' - # exit 1 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: c-cpp - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 1735eb34866f91be860f4976a4b0cf5ab028f88c Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Fri, 21 Jun 2024 13:55:36 +0200 Subject: [PATCH 5/8] arghh --- .github/workflows/CodeQL.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/CodeQL.yml b/.github/workflows/CodeQL.yml index 3dd921e6e..a42a99e29 100644 --- a/.github/workflows/CodeQL.yml +++ b/.github/workflows/CodeQL.yml @@ -27,6 +27,8 @@ jobs: uses: github/codeql-action/init@v3 with: languages: c-cpp + build: none # Specify build none to skip any build steps + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From f481e1fd8ccdbafd7ec770692375aef32b29a0e0 Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Tue, 25 Jun 2024 08:56:13 +0200 Subject: [PATCH 6/8] Check code QL with images --- .github/workflows/CodeQL.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/CodeQL.yml b/.github/workflows/CodeQL.yml index a42a99e29..859b14c49 100644 --- a/.github/workflows/CodeQL.yml +++ b/.github/workflows/CodeQL.yml @@ -14,6 +14,8 @@ jobs: analyze: name: Analyze C++ Code with CodeQL runs-on: ubuntu-latest + container: + image: ghcr.io/mach3-software/mach3:alma9latest permissions: security-events: write packages: read @@ -29,6 +31,12 @@ jobs: languages: c-cpp build: none # Specify build none to skip any build steps + - name: Build Code + run: | + mkdir build + cd build + cmake .. + make - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From b92dd0c448031827155066c70aade473acf7afba Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Tue, 25 Jun 2024 09:24:46 +0200 Subject: [PATCH 7/8] run only on Sunday --- .github/workflows/CodeQL.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/CodeQL.yml b/.github/workflows/CodeQL.yml index 859b14c49..d4bb04831 100644 --- a/.github/workflows/CodeQL.yml +++ b/.github/workflows/CodeQL.yml @@ -1,14 +1,8 @@ name: "CodeQL C++ Analysis" on: - push: - branches: - - develop - - featrue_Codacy - pull_request: - branches: - - develop - - featrue_Codacy + schedule: + - cron: '0 0 * * 0' # Every Sunday at midnight jobs: analyze: From e4dec002fefdb9947346703f5ff9d5f97ac16752 Mon Sep 17 00:00:00 2001 From: Kamil Skwarczynski Date: Wed, 26 Jun 2024 10:18:29 +0200 Subject: [PATCH 8/8] remove debuging --- samplePDF/Structs.cpp | 9 --------- 1 file changed, 9 deletions(-) diff --git a/samplePDF/Structs.cpp b/samplePDF/Structs.cpp index 7fb497c5f..afc001563 100644 --- a/samplePDF/Structs.cpp +++ b/samplePDF/Structs.cpp @@ -11,15 +11,6 @@ namespace MaCh3Utils { double GetMassFromPDG(int PDG) { // ***************************** - - // Allocate memory but forget to deallocate it - void* memoryLeak = malloc(100 * sizeof(int)); - - int* ptr = nullptr; - *ptr = 10; // Attempting to dereference a null pointer - - double unusedVariable = 0.0; - switch (abs(PDG)) { case 11: return 0.511E-3;