mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2024-11-26 01:20:25 +00:00
Meta: Enable CodeQL static analysis for Serenity
CodeQL is a static analysis technology that was purchased by GitHub and has been tightly integrated into the platform. It's different from most other static analysis solutions because it's based on a database built from your codebase, and then language specific rules can be executed against that database. The rules are fully user extensible, and are written in a datalog/query language. The default cpp language rules coming from CodeQL will probably find some issues, the ability to easily write custom rules/queries will lend it self nicely to allowing us to validate Serenity specific semantics are followed throughout the code. References: - https://www.youtube.com/watch?v=AMzGorD28Ks - https://securitylab.github.com/tools/codeql
This commit is contained in:
parent
922d0759b0
commit
f0bf723424
Notes:
sideshowbarker
2024-07-19 01:15:50 +09:00
Author: https://github.com/bgianfo Commit: https://github.com/SerenityOS/serenity/commit/f0bf7234240 Pull-request: https://github.com/SerenityOS/serenity/pull/4175
2 changed files with 19 additions and 0 deletions
8
.github/codeql/config.yml
vendored
Normal file
8
.github/codeql/config.yml
vendored
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
name: "SerenityOS CodeQL Config"
|
||||||
|
|
||||||
|
queries:
|
||||||
|
- uses: security-and-quality
|
||||||
|
- uses: security-extended
|
||||||
|
|
||||||
|
# Documentation for configuring CodeQL is located here:
|
||||||
|
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning
|
11
.github/workflows/cmake.yml
vendored
11
.github/workflows/cmake.yml
vendored
|
@ -49,6 +49,7 @@ jobs:
|
||||||
key: ${{ runner.os }}-toolchain-${{ hashFiles('Libraries/LibC/**/*.h', 'Toolchain/Patches/*.patch') }}
|
key: ${{ runner.os }}-toolchain-${{ hashFiles('Libraries/LibC/**/*.h', 'Toolchain/Patches/*.patch') }}
|
||||||
- name: Restore or regenerate Toolchain
|
- name: Restore or regenerate Toolchain
|
||||||
run: TRY_USE_LOCAL_TOOLCHAIN=y ${{ github.workspace }}/Toolchain/BuildIt.sh
|
run: TRY_USE_LOCAL_TOOLCHAIN=y ${{ github.workspace }}/Toolchain/BuildIt.sh
|
||||||
|
|
||||||
# TODO: ccache
|
# TODO: ccache
|
||||||
# https://cristianadam.eu/20200113/speeding-up-c-plus-plus-github-actions-using-ccache/
|
# https://cristianadam.eu/20200113/speeding-up-c-plus-plus-github-actions-using-ccache/
|
||||||
# https://github.com/cristianadam/HelloWorld/blob/master/.github/workflows/build_cmake.yml
|
# https://github.com/cristianadam/HelloWorld/blob/master/.github/workflows/build_cmake.yml
|
||||||
|
@ -63,6 +64,12 @@ jobs:
|
||||||
|
|
||||||
# === ACTUALLY BUILD AND TEST ===
|
# === ACTUALLY BUILD AND TEST ===
|
||||||
|
|
||||||
|
- name: Initialize CodeQL Static Analysis for C++
|
||||||
|
uses: github/codeql-action/init@v1
|
||||||
|
with:
|
||||||
|
languages: cpp
|
||||||
|
config-file: ./.github/codeql/config.yml
|
||||||
|
|
||||||
- name: Build Serenity and Tests
|
- name: Build Serenity and Tests
|
||||||
working-directory: ${{ github.workspace }}/Build
|
working-directory: ${{ github.workspace }}/Build
|
||||||
run: cmake --build . -j2
|
run: cmake --build . -j2
|
||||||
|
@ -76,6 +83,10 @@ jobs:
|
||||||
working-directory: ${{ github.workspace }}/Build/Meta/Lagom
|
working-directory: ${{ github.workspace }}/Build/Meta/Lagom
|
||||||
run: DISABLE_DBG_OUTPUT=1 ./test-js
|
run: DISABLE_DBG_OUTPUT=1 ./test-js
|
||||||
|
|
||||||
|
# Run analysis last, so contributors get lint/test feedback ASAP.
|
||||||
|
- name: Perform post build CodeQL Analysis
|
||||||
|
uses: github/codeql-action/analyze@v1
|
||||||
|
|
||||||
# === NOTIFICATIONS ===
|
# === NOTIFICATIONS ===
|
||||||
|
|
||||||
- name: Dump event info
|
- name: Dump event info
|
||||||
|
|
Loading…
Reference in a new issue