From 1f2cf94504091d8893816e15586447f166e7445f Mon Sep 17 00:00:00 2001 From: "Gerardo E. Cruz-Ortiz" <59618057+astrogeco@users.noreply.github.com> Date: Wed, 26 Jan 2022 18:32:14 -0500 Subject: [PATCH] Fix #412, git error in CodeQL Analyze Action - Adds new component-path input parameter - Use git clone instead of checkout@v2 for the cFS-Bundle - Use symlink to map calling repo workspace to expected cFS Bundle directory location - Repurpose tests input to be a boolean tied to "ENABLE_UNIT_TESTS" flag - Enable "code snippets" option to CodeQL Analyze action - Archives sarif files from analysis output - Removes code duplication by using a matrix build for security and coding standard analyses - Alphabetizes workflow inputs and order based on "required" flag --- .github/workflows/codeql-build.yml | 153 ++++++++++++++--------------- 1 file changed, 75 insertions(+), 78 deletions(-) diff --git a/.github/workflows/codeql-build.yml b/.github/workflows/codeql-build.yml index 773b7ca2b..3bcea7309 100644 --- a/.github/workflows/codeql-build.yml +++ b/.github/workflows/codeql-build.yml 
@@ -3,28 +3,47 @@ name: "CodeQL Analysis" on: workflow_call: inputs: - setup: - description: 'Build Prep' + # REQUIRED + component-path: + description: 'Path to repo being tested in a cFS bundle setup' type: string - default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs' - make-prep: - description: 'Make Prep' + required: true + + category: + description: 'Analysis Category' + required: false type: string - default: '' + make: - description: 'Make Copy' + description: 'Build Command' + default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source + required: false + type: string + + prep: + description: 'Make Prep' + default: make prep + required: false + type: string + + setup: + description: 'Build Prep Commands' type: string - default: 'make' - tests: - description: 'Tests' + default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs + required: false + + test: + description: 'Value for ENABLE_UNIT_TESTS flag' type: string - default: '' + default: false + required: false env: SIMULATION: native - ENABLE_UNIT_TESTS: true + ENABLE_UNIT_TESTS: ${{inputs.tests}} OMIT_DEPRECATED: true BUILDTYPE: release + REPO: ${{github.event.repository.name}} jobs: #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action. 
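Review bot: The env line `ENABLE_UNIT_TESTS: ${{inputs.tests}}` references an input named `tests`, but the input declared in this hunk is `test`; an undeclared input evaluates to an empty string, so the declared `default: false` is never applied and the build-system flag ends up blank rather than false. Change it to `ENABLE_UNIT_TESTS: ${{ inputs.test }}` or rename the input to match. Since the input is `type: string`, its default should be quoted, `default: 'false'`, so a YAML-aware consumer cannot reinterpret it as a boolean; if a real boolean is intended, as the commit message says, `type: boolean` with the same quoted handling in callers is the cleaner form. The new `category` input is declared here but, as far as the rest of the patch shows, is never referenced (the analyze step in the next hunk uses `matrix.scan-type` instead), so it should either be wired in or dropped.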
@@ -40,91 +59,69 @@ jobs: concurrent_skipping: 'same_content' skip_after_successful_duplicate: 'true' do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' - - CodeQL-Security-Build: + + Analysis: #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. needs: check-for-duplicates if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} runs-on: ubuntu-18.04 timeout-minutes: 15 + strategy: + fail-fast: false + matrix: + scan-type: [security, coding-standard] + + permissions: + security-events: write + steps: - # Checks out a copy of your repository - - name: Checkout code + # Checks out a copy of calling repository + - name: Checkout ${{ github.repository }} uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true - - name: Check versions + - name: Clone cFS bundle run: | - git log -1 --pretty=oneline - git submodule - + cd .. + git clone https://github.com/nasa/cFS.git --recurse-submodules + cd cFS + git log -1 --pretty=oneline + git submodule + rm -r .git + + - name: Create symlink to current repo + run: | + cd ../cFS + rm -r ${{ inputs.component-path }} + ln -s ${{github.workspace}} ${{ inputs.component-path }} + + # Setup the build system + - name: cFS Build Setup + run: ${{ inputs.setup }} + working-directory: ../cFS + + - name: Prep Build + run: ${{ inputs.prep }} + working-directory: ../cFS + - name: Initialize CodeQL uses: github/codeql-action/init@v1 with: languages: c - config-file: nasa/cFS/.github/codeql/codeql-security.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} + config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main - - name: Make prep - run: ${{ inputs.make-prep }} - - - name: Make Install + - name: Build run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} + working-directory: ../cFS - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v1 - - CodeQL-Coding-Standard-Build: - #Continue if 
check-for-duplicates found no duplicates. Always runs for pull-requests. - needs: check-for-duplicates - if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} - runs-on: ubuntu-18.04 - timeout-minutes: 15 - - steps: - # Checks out a copy of your repository - - name: Checkout code - uses: actions/checkout@v2 - with: - repository: nasa/cFS - submodules: true - - - name: Check versions - run: | - git log -1 --pretty=oneline - git submodule - - name: Checkout codeql code - uses: actions/checkout@v2 with: - repository: github/codeql - submodules: true - path: codeql + add-snippets: true + category: ${{matrix.scan-type}} - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + - name: Archive Sarif + uses: actions/upload-artifact@v2 with: - languages: c - config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main - - - name: Copy sample_defs - run: ${{ inputs.setup }} - - - name: Make prep - run: ${{ inputs.make-prep }} - - - name: Make Install - run: ${{ inputs.make }} - - - name: Run tests - run: ${{ inputs.tests }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 \ No newline at end of file + name: CodeQL-Sarif-${{ matrix.scan-type }} + path: /home/runner/work/${{env.REPO}}/results/cpp.sarif
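Review bot: The new "Create symlink to current repo" step interpolates `${{ inputs.component-path }}` directly and unquoted into `rm -r` and `ln -s`; an empty or whitespace value turns `rm -r` into a bare invocation, a value with spaces splits into several arguments, and any value is substituted into the script before the shell sees it rather than being passed as data. The usual mitigation is to expose the input through `env:` and reference it as a quoted shell variable with a non-empty guard, as below. Separately, the added `permissions:` block lists only `security-events: write`, which sets every unlisted scope to none for this job; the checkout and CodeQL steps generally expect `contents: read` (and the CodeQL docs also list `actions: read`), so those should be declared explicitly, hedged as I cannot see the calling workflow's permissions. The `Archive Sarif` path hard-codes `/home/runner/work/...`; deriving it from `${{ github.workspace }}/../results/cpp.sarif` or setting `output:` on the analyze step would survive a runner layout change.
```yaml
- name: Create symlink to current repo
  env:
    COMPONENT_PATH: ${{ inputs.component-path }}
  run: |
    cd ../cFS
    rm -r "${COMPONENT_PATH:?component-path must not be empty}"
    ln -s "${{ github.workspace }}" "$COMPONENT_PATH"
# … unchanged: build setup, prep, CodeQL init/build/analyze, artifact upload …
```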