Merge pull request #18687 from Chocobo1/codeql

GHA CI: add CodeQL scanning
qbittorrent · Mar 15, 2023 · f16e903 · f16e903
2 parents 0bb0829 + fa30b70
commit f16e903
Show file tree

Hide file tree

Showing 8 changed files with 57 additions and 8 deletions.
diff --git a/.github/workflows/ci_macos.yaml b/.github/workflows/ci_macos.yaml
@@ -84,7 +84,7 @@ jobs:
           sudo cmake --install build
 
       - name: Build qBittorrent (Qt5)
-        if: ${{ startsWith(matrix.qt_version, 5) }}
+        if: startsWith(matrix.qt_version, 5)
         run: |
           CXXFLAGS="$CXXFLAGS -Werror -Wno-error=deprecated-declarations" \
           LDFLAGS="$LDFLAGS -gz" \
@@ -103,7 +103,7 @@ jobs:
           cmake --build build --target check
 
       - name: Build qBittorrent (Qt6)
-        if: ${{ startsWith(matrix.qt_version, 6) }}
+        if: startsWith(matrix.qt_version, 6)
         run: |
           CXXFLAGS="$CXXFLAGS -Wno-gnu-zero-variadic-macro-arguments -Werror -Wno-error=deprecated-declarations" \
           LDFLAGS="$LDFLAGS -gz" \

diff --git a/.github/workflows/ci_ubuntu.yaml b/.github/workflows/ci_ubuntu.yaml
@@ -4,6 +4,7 @@ on: [pull_request, push]
 
 permissions:
   actions: write
+  security-events: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -65,8 +66,16 @@ jobs:
           cmake --build build
           sudo cmake --install build
 
+      # to avoid scanning 3rdparty codebases, initialize it just before building qbt
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        if: startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6)
+        with:
+          config-file: ./.github/workflows/helper/codeql/cpp.yaml
+          languages: cpp
+
       - name: Build qBittorrent (Qt5)
-        if: ${{ startsWith(matrix.qt_version, 5) }}
+        if: startsWith(matrix.qt_version, 5)
         run: |
           CXXFLAGS="$CXXFLAGS -Werror -Wno-error=deprecated-declarations" \
           LDFLAGS="$LDFLAGS -gz" \
@@ -85,7 +94,7 @@ jobs:
           DESTDIR="qbittorrent" cmake --install build
 
       - name: Build qBittorrent (Qt6)
-        if: ${{ startsWith(matrix.qt_version, 6) }}
+        if: startsWith(matrix.qt_version, 6)
         run: |
           CXXFLAGS="$CXXFLAGS -Werror" \
           LDFLAGS="$LDFLAGS -gz" \
@@ -104,6 +113,10 @@ jobs:
           cmake --build build --target check
           DESTDIR="qbittorrent" cmake --install build
 
+      - name: Run CodeQL analysis
+        uses: github/codeql-action/analyze@v2
+        if: startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6)
+
       - name: Prepare build artifacts
         run: |
           mkdir upload

diff --git a/.github/workflows/ci_webui.yaml b/.github/workflows/ci_webui.yaml
@@ -2,7 +2,8 @@ name: CI - WebUI
 
 on: [pull_request, push]
 
-permissions: {}
+permissions:
+  security-events: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -36,3 +37,12 @@ jobs:
         run: |
           npm run format
           git diff --exit-code
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          config-file: ./.github/workflows/helper/codeql/js.yaml
+          languages: javascript
+
+      - name: Run CodeQL analysis
+        uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/helper/codeql/cpp.yaml b/.github/workflows/helper/codeql/cpp.yaml
@@ -0,0 +1,14 @@
+name: "CodeQL config for C++"
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - exclude:
+      id: cpp/commented-out-code
+  - exclude:
+      id: cpp/include-non-header
+  - exclude:
+      id: cpp/loop-variable-changed
+  - exclude:
+      id: cpp/useless-expression
diff --git a/.github/workflows/helper/codeql/js.yaml b/.github/workflows/helper/codeql/js.yaml
@@ -0,0 +1,11 @@
+name: "CodeQL config for Javascript"
+
+paths-ignore:
+  - "**/lib/*"
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - exclude:
+      id: js/superfluous-trailing-arguments
diff --git a/src/webui/www/private/rename_files.html b/src/webui/www/private/rename_files.html
@@ -68,8 +68,10 @@
         }
 
         // Register keyboard events to modal window
+        // https://github.com/qbittorrent/qBittorrent/pull/18687#discussion_r1135045726
+        var keyboard;
         if (!keyboard) {
-            var keyboard = new Keyboard({
+            keyboard = new Keyboard({
                 defaultEventType: 'keydown',
                 events: {
                     'Escape': function(event) {

diff --git a/src/webui/www/private/scripts/piecesbar.js b/src/webui/www/private/scripts/piecesbar.js
@@ -106,7 +106,6 @@ window.qBittorrent.PiecesBar = (() => {
     }
 
     function refresh(force) {
-        const start = Date.now();
         if (!this.parentNode)
             return;
 

diff --git a/src/webui/www/private/scripts/prop-files.js b/src/webui/www/private/scripts/prop-files.js
@@ -564,7 +564,7 @@ window.qBittorrent.PropFiles = (function() {
     };
 
     const multiFileRename = function(hash) {
-        const win = new MochaUI.Window({
+        new MochaUI.Window({
             id: 'multiRenamePage',
             title: "QBT_TR(Renaming)QBT_TR[CONTEXT=TorrentContentTreeView]",
             data: { hash: hash, selectedRows: torrentFilesTable.selectedRows },