Meta: Enable CodeQL static analysis for Serenity

CodeQL is a static analysis technology that was purchased by GitHub
and has been tightly integrated into the platform. It's different
from most other static analysis solutions because it's based on a
database built from your codebase, and then language specific rules
can be executed against that database. The rules are fully user
extensible, and are written in a datalog/query language.

The default cpp language rules coming from CodeQL will probably find
some issues, the ability to easily write custom rules/queries will
lend it self nicely to allowing us to validate Serenity specific
semantics are followed throughout the code.

References:
- https://www.youtube.com/watch?v=AMzGorD28Ks
- https://securitylab.github.com/tools/codeql
This commit is contained in:
Brian Gianforcaro 2020-11-26 00:16:50 -08:00 committed by Andreas Kling
parent 922d0759b0
commit f0bf723424
Notes: sideshowbarker 2024-07-19 01:15:50 +09:00
2 changed files with 19 additions and 0 deletions

8
.github/codeql/config.yml vendored Normal file
View file

@ -0,0 +1,8 @@
name: "SerenityOS CodeQL Config"
queries:
- uses: security-and-quality
- uses: security-extended
# Documentation for configuring CodeQL is located here:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning

View file

@ -49,6 +49,7 @@ jobs:
key: ${{ runner.os }}-toolchain-${{ hashFiles('Libraries/LibC/**/*.h', 'Toolchain/Patches/*.patch') }} key: ${{ runner.os }}-toolchain-${{ hashFiles('Libraries/LibC/**/*.h', 'Toolchain/Patches/*.patch') }}
- name: Restore or regenerate Toolchain - name: Restore or regenerate Toolchain
run: TRY_USE_LOCAL_TOOLCHAIN=y ${{ github.workspace }}/Toolchain/BuildIt.sh run: TRY_USE_LOCAL_TOOLCHAIN=y ${{ github.workspace }}/Toolchain/BuildIt.sh
# TODO: ccache # TODO: ccache
# https://cristianadam.eu/20200113/speeding-up-c-plus-plus-github-actions-using-ccache/ # https://cristianadam.eu/20200113/speeding-up-c-plus-plus-github-actions-using-ccache/
# https://github.com/cristianadam/HelloWorld/blob/master/.github/workflows/build_cmake.yml # https://github.com/cristianadam/HelloWorld/blob/master/.github/workflows/build_cmake.yml
@ -63,6 +64,12 @@ jobs:
# === ACTUALLY BUILD AND TEST === # === ACTUALLY BUILD AND TEST ===
- name: Initialize CodeQL Static Analysis for C++
uses: github/codeql-action/init@v1
with:
languages: cpp
config-file: ./.github/codeql/config.yml
- name: Build Serenity and Tests - name: Build Serenity and Tests
working-directory: ${{ github.workspace }}/Build working-directory: ${{ github.workspace }}/Build
run: cmake --build . -j2 run: cmake --build . -j2
@ -76,6 +83,10 @@ jobs:
working-directory: ${{ github.workspace }}/Build/Meta/Lagom working-directory: ${{ github.workspace }}/Build/Meta/Lagom
run: DISABLE_DBG_OUTPUT=1 ./test-js run: DISABLE_DBG_OUTPUT=1 ./test-js
# Run analysis last, so contributors get lint/test feedback ASAP.
- name: Perform post build CodeQL Analysis
uses: github/codeql-action/analyze@v1
# === NOTIFICATIONS === # === NOTIFICATIONS ===
- name: Dump event info - name: Dump event info