diff --git a/.github/workflows/codeql-build.yml b/.github/workflows/codeql-build.yml index 773b7ca2b..3bcea7309 100644 --- a/.github/workflows/codeql-build.yml +++ b/.github/workflows/codeql-build.yml @@ -3,28 +3,47 @@ name: "CodeQL Analysis" on: workflow_call: inputs: - setup: - description: 'Build Prep' + # REQUIRED + component-path: + description: 'Path to repo being tested in a cFS bundle setup' type: string - default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs' - make-prep: - description: 'Make Prep' + required: true + + category: + description: 'Analysis Category' + required: false type: string - default: '' + make: - description: 'Make Copy' + description: 'Build Command' + default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source + required: false + type: string + + prep: + description: 'Make Prep' + default: make prep + required: false + type: string + + setup: + description: 'Build Prep Commands' type: string - default: 'make' - tests: - description: 'Tests' + default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs + required: false + + test: + description: 'Value for ENABLE_UNIT_TESTS flag' type: string - default: '' + default: false + required: false env: SIMULATION: native - ENABLE_UNIT_TESTS: true + ENABLE_UNIT_TESTS: ${{inputs.tests}} OMIT_DEPRECATED: true BUILDTYPE: release + REPO: ${{github.event.repository.name}} jobs: #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action. @@ -40,91 +59,69 @@ jobs: concurrent_skipping: 'same_content' skip_after_successful_duplicate: 'true' do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' - - CodeQL-Security-Build: + + Analysis: #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. needs: check-for-duplicates if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} runs-on: ubuntu-18.04 timeout-minutes: 15 + strategy: + fail-fast: false + matrix: + scan-type: [security, coding-standard] + + permissions: + security-events: write + steps: - # Checks out a copy of your repository - - name: Checkout code + # Checks out a copy of calling repository + - name: Checkout ${{ github.repository }} uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true - - name: Check versions + - name: Clone cFS bundle run: | - git log -1 --pretty=oneline - git submodule - + cd .. + git clone https://github.com/nasa/cFS.git --recurse-submodules + cd cFS + git log -1 --pretty=oneline + git submodule + rm -r .git + + - name: Create symlink to current repo + run: | + cd ../cFS + rm -r ${{ inputs.component-path }} + ln -s ${{github.workspace}} ${{ inputs.component-path }} + + # Setup the build system + - name: cFS Build Setup + run: ${{ inputs.setup }} + working-directory: ../cFS + + - name: Prep Build + run: ${{ inputs.prep }} + working-directory: ../cFS + - name: Initialize CodeQL uses: github/codeql-action/init@v1 with: languages: c - config-file: nasa/cFS/.github/codeql/codeql-security.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} + config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main - - name: Make prep - run: ${{ inputs.make-prep }} - - - name: Make Install + - name: Build run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} + working-directory: ../cFS - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v1 - - CodeQL-Coding-Standard-Build: - #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. - needs: check-for-duplicates - if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} - runs-on: ubuntu-18.04 - timeout-minutes: 15 - - steps: - # Checks out a copy of your repository - - name: Checkout code - uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true - - - name: Check versions - run: | - git log -1 --pretty=oneline - git submodule - - name: Checkout codeql code - uses: actions/checkout@v2 with: - repository: github/codeql - submodules: true - path: codeql + add-snippets: true + category: ${{matrix.scan-type}} - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + - name: Archive Sarif + uses: actions/upload-artifact@v2 with: - languages: c - config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} - - - name: Make prep - run: ${{ inputs.make-prep }} - - - name: Make Install - run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 \ No newline at end of file + name: CodeQL-Sarif-${{ matrix.scan-type }} + path: /home/runner/work/${{env.REPO}}/results/cpp.sarif