diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..0cb8861c0
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,22 @@
+name: "CodeQL Analysis: cFS-Bundle"
+
+on:
+ push:
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
+ - '**/*.dox'
+
+ pull_request:
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
+ - '**/*.dox'
+
+jobs:
+ codeql:
+ uses: nasa/cFS/.github/workflows/codeql-reusable.yml@main
+ with:
+ component-path: cFS
+ make: make -j8
+ test: true
diff --git a/.github/workflows/codeql-build-reuse.yml b/.github/workflows/codeql-build-reuse.yml
deleted file mode 100644
index ee5a9a66e..000000000
--- a/.github/workflows/codeql-build-reuse.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: Reuse CodeQl Analysis
-
-on:
- push:
- pull_request:
-
-jobs:
- codeql:
- name: CodeQL Analysis
- uses: nasa/cFS/.github/workflows/codeql-build.yml@main
\ No newline at end of file
diff --git a/.github/workflows/codeql-build.yml b/.github/workflows/codeql-build.yml
deleted file mode 100644
index 773b7ca2b..000000000
--- a/.github/workflows/codeql-build.yml
+++ /dev/null
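Review bot: `test: true` in the `with:` block of codeql-analysis.yml passes a YAML boolean to a reusable-workflow input that codeql-reusable.yml declares as `type: string`; GitHub's workflow validator checks `with:` values against the declared input type, so an unquoted boolean here is likely to fail validation, and since the value only ever feeds `ENABLE_UNIT_TESTS` as text it should be `test: 'true'`. `uses: nasa/cFS/.github/workflows/codeql-reusable.yml@main` tracks a moving branch, so anything merged to cFS main silently changes what this caller's CI runs; pinning to a tag or full commit SHA (with the ref noted in a comment) makes the scan reproducible and reviewable. The caller also declares no `permissions:` block, so the `security-events: write` that the reusable `Analysis` job requests is only honoured if the repository's default token permissions already allow it; an explicit top-level `permissions: { contents: read, security-events: write }` in this workflow documents and enforces that requirement.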
@@ -1,130 +0,0 @@
-name: "CodeQL Analysis"
-
-on:
- workflow_call:
- inputs:
- setup:
- description: 'Build Prep'
- type: string
- default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs'
- make-prep:
- description: 'Make Prep'
- type: string
- default: ''
- make:
- description: 'Make Copy'
- type: string
- default: 'make'
- tests:
- description: 'Tests'
- type: string
- default: ''
-
-env:
- SIMULATION: native
- ENABLE_UNIT_TESTS: true
- OMIT_DEPRECATED: true
- BUILDTYPE: release
-
-jobs:
- #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action.
- check-for-duplicates:
- runs-on: ubuntu-latest
- # Map a step output to a job output
- outputs:
- should_skip: ${{ steps.skip_check.outputs.should_skip }}
- steps:
- - id: skip_check
- uses: fkirc/skip-duplicate-actions@master
- with:
- concurrent_skipping: 'same_content'
- skip_after_successful_duplicate: 'true'
- do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
-
- CodeQL-Security-Build:
- #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
- needs: check-for-duplicates
- if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
- runs-on: ubuntu-18.04
- timeout-minutes: 15
-
- steps:
- # Checks out a copy of your repository
- - name: Checkout code
- uses: actions/checkout@v2
- with:
- repository: nasa/cFS
- submodules: true
-
- - name: Check versions
- run: |
- git log -1 --pretty=oneline
- git submodule
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: c
- config-file: nasa/cFS/.github/codeql/codeql-security.yml@main
-
- - name: Copy sample_defs
- run: ${{ inputs.setup }}
-
- - name: Make prep
- run: ${{ inputs.make-prep }}
-
- - name: Make Install
- run: ${{ inputs.make }}
-
- - name: Run tests
- run: ${{ inputs.tests }}
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
-
- CodeQL-Coding-Standard-Build:
- #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
- needs: check-for-duplicates
- if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
- runs-on: ubuntu-18.04
- timeout-minutes: 15
-
- steps:
- # Checks out a copy of your repository
- - name: Checkout code
- uses: actions/checkout@v2
- with:
- repository: nasa/cFS
- submodules: true
-
- - name: Check versions
- run: |
- git log -1 --pretty=oneline
- git submodule
- - name: Checkout codeql code
- uses: actions/checkout@v2
- with:
- repository: github/codeql
- submodules: true
- path: codeql
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: c
- config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main
-
- - name: Copy sample_defs
- run: ${{ inputs.setup }}
-
- - name: Make prep
- run: ${{ inputs.make-prep }}
-
- - name: Make Install
- run: ${{ inputs.make }}
-
- - name: Run tests
- run: ${{ inputs.tests }}
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
\ No newline at end of file
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
new file mode 100644
index 000000000..091df690e
--- /dev/null
+++ b/.github/workflows/codeql-reusable.yml
@@ -0,0 +1,133 @@
+name: "CodeQL Reusable Workflow"
+
+on:
+ workflow_call:
+ inputs:
+ # REQUIRED Inputs
+ component-path:
+ description: 'Path to repo being tested in a cFS bundle setup'
+ type: string
+ required: true
+ default: cFS
+
+ # Optional inputs
+ category:
+ description: 'Analysis Category'
+ required: false
+ type: string
+
+ make:
+ description: 'Build Command'
+ default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source
+ required: false
+ type: string
+
+ prep:
+ description: 'Make Prep'
+ default: make prep
+ required: false
+ type: string
+
+ setup:
+ description: 'Build Prep Commands'
+ type: string
+ default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs
+ required: false
+
+ test:
+ description: 'Value for ENABLE_UNIT_TESTS flag'
+ type: string
+ default: false
+ required: false
+
+env:
+ SIMULATION: native
+ ENABLE_UNIT_TESTS: ${{inputs.test}}
+ OMIT_DEPRECATED: true
+ BUILDTYPE: release
+ REPO: ${{github.event.repository.name}}
+
+jobs:
+ #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action.
+ check-for-duplicates:
+ runs-on: ubuntu-latest
+ # Map a step output to a job output
+ outputs:
+ should_skip: ${{ steps.skip_check.outputs.should_skip }}
+ steps:
+ - id: skip_check
+ uses: fkirc/skip-duplicate-actions@master
+ with:
+ concurrent_skipping: 'same_content'
+ skip_after_successful_duplicate: 'true'
+ do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
+
+ Analysis:
+ #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
+ needs: check-for-duplicates
+ if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
+ runs-on: ubuntu-18.04
+ timeout-minutes: 15
+
+ strategy:
+ fail-fast: false
+ matrix:
+ scan-type: [security, coding-standard]
+
+ permissions:
+ security-events: write
+
+ steps:
+ # Setup Bundle directory
+ - name: Setup cFS-Bundle directory (component-path = cFS)
+ if: inputs.component-path == 'cFS'
+ run:
+ echo "BUILD_DIRECTORY=${{github.workspace}}" >> $GITHUB_ENV
+
+ - name: Setup cFS-Bundle directory (component-path != cFS)
+ if: inputs.component-path != 'cFS'
+ run: |
+ cd ..
+ git clone https://github.com/nasa/cFS.git --recurse-submodules
+ cd cFS
+ echo "BUILD_DIRECTORY=$(pwd)" >> $GITHUB_ENV
+ git log -1 --pretty=oneline
+ git submodule
+ rm -r .git
+ rm -r ${{ inputs.component-path }}
+ ln -s ${{github.workspace}} ${{ inputs.component-path }}
+
+
+ - name: Checkout ${{ github.repository }}
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+
+ # Setup the build system
+ - name: cFS Build Setup
+ run: |
+ ${{ inputs.setup }}
+ ${{ inputs.prep }}
+ working-directory: ${{env.BUILD_DIRECTORY}}
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: c
+ config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main
+
+ - name: Build
+ run: ${{ inputs.make }}
+ working-directory: ${{env.BUILD_DIRECTORY}}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
+ with:
+ add-snippets: true
+ category: ${{matrix.scan-type}}
+
+ - name: Archive Sarif
+ uses: actions/upload-artifact@v2
+ with:
+ name: CodeQL-Sarif-${{ matrix.scan-type }}
+ path: /home/runner/work/${{env.REPO}}/results/cpp.sarif
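Review bot: In the `Setup cFS-Bundle directory (component-path != cFS)` step, `inputs.component-path` is spliced straight into the shell as `rm -r ${{ inputs.component-path }}` and `ln -s ${{github.workspace}} ${{ inputs.component-path }}`, so a value containing spaces or shell metacharacters is re-tokenized by the shell before `rm -r` runs; the value comes from the calling workflow's own `with:` block, so this is a robustness rather than an injection concern, but the usual fix is to pass it through `env:` and quote it, as below. The job-level `permissions:` block grants only `security-events: write`, which sets every other scope for the `Analysis` job to none; the CodeQL starter workflow also sets `actions: read` and `contents: read`, and without `contents: read` the later `actions/checkout@v2` step can fail on a private repository. `fkirc/skip-duplicate-actions@master` (carried over from the deleted workflow) tracks a third-party branch head, so pinning it to a full commit SHA is the standard mitigation against a compromised or force-pushed upstream. Two smaller points: the `category` input is declared but never read (the analyze step takes `category` from `matrix.scan-type`), and `test` is `type: string` with an unquoted boolean `default: false`, which should be `default: 'false'` to match the declaration.
```yaml
      - name: Setup cFS-Bundle directory (component-path != cFS)
        if: inputs.component-path != 'cFS'
        env:
          COMPONENT_PATH: ${{ inputs.component-path }}
        run: |
          # … unchanged: cd .., clone of nasa/cFS with submodules, BUILD_DIRECTORY export, version log, rm -r .git …
          rm -r "$COMPONENT_PATH"
          ln -s "$GITHUB_WORKSPACE" "$COMPONENT_PATH"
```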