From a5d4292a927925a0c8ac768cb10fb64294057641 Mon Sep 17 00:00:00 2001
From: Stephen Griffin
Date: Fri, 8 Nov 2024 17:12:59 -0500
Subject: [PATCH 1/7] Update with current recommendations, upload sarif to artifacts for diag
---
 .github/workflows/codeql.yml | 48 +++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index caf329e..a250e32 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,18 +1,25 @@
-name: "CodeQL"
+name: "CodeQL Advanced"
 on:
   workflow_dispatch:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
   schedule:
-    - cron: "0 0 * * 1"
-
-permissions:
-  contents: read
+    - cron: '33 1 * * 2'
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: windows-latest
     permissions:
+      packages: read
       actions: read
       contents: read
       security-events: write
@@ -20,8 +27,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["cpp"]
-
+        include:
+        - language: c-cpp
+          build-mode: autobuild
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
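Review bot: Removing the workflow-level `permissions:` block (`contents: read`) in the same hunk that adds the job-level one leaves any job added to this workflow later running with the repository's default token permissions rather than read-only. Keep the top-level default, `permissions:` / `  contents: read`, and let `analyze` widen to `security-events: write` as it already does. The added `packages: read` is, as far as I know, only needed when CodeQL packs are fetched from a private registry; if none are configured it can be dropped so the job token stays minimal.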
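Review bot: The new `include:` sequence puts its item flush with the key (`        - language: c-cpp`) while the `steps:` sequence a few lines below indents its items (`      - name: Harden Runner`), so the file now mixes both sequence styles. Both parse, but indenting the include entry two spaces to match the rest of the file reads more consistently: `          - language: c-cpp` / `            build-mode: autobuild`.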
@@ -32,17 +40,33 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: 'recursive'
-
+      # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # - name: Autobuild
+      #   uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
-          category: "/language:${{matrix.language}}"
\ No newline at end of file
+          category: "/language:${{matrix.language}}"
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: SARIF files
+          path: **/*.sarif
+          retention-days: 5
From a5f6ceb8fb945eceaaafcb1e1f872f43f81e44ed Mon Sep 17 00:00:00 2001
From: Stephen Griffin
Date: Fri, 8 Nov 2024 17:14:34 -0500
Subject: [PATCH 2/7] Update codeql.yml
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
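Review bot: `path: **/*.sarif` in the new upload step is an unquoted plain scalar beginning with `*`, which YAML reads as an alias indicator rather than the start of a glob, so this line will not parse as a string and the workflow file is rejected; quote it, `path: '**/*.sarif'`. The artifact `name: SARIF files` is also constant across matrix legs, and upload-artifact v4 fails when a second upload targets an existing name, so adding a second language to the matrix would break the job; use `name: sarif-${{ matrix.language }}`. Workflow artifacts are downloadable by anyone who can view the run, which on a public repository is a wider audience than code-scanning alerts have, so the 5-day retention is worth keeping and, while this is only for diagnostics, the step could be gated with `if: github.event_name == 'workflow_dispatch'`.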
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a250e32..c393b9c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -68,5 +68,5 @@ jobs:
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF files
-          path: **/*.sarif
+          path: /**/*.sarif
           retention-days: 5
From b58fd6fca856bf281ddd3627ec3c05d6b17fd89a Mon Sep 17 00:00:00 2001
From: Stephen Griffin
Date: Fri, 8 Nov 2024 17:28:32 -0500
Subject: [PATCH 3/7] remove upload
---
 .github/workflows/codeql.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c393b9c..256d76c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -61,12 +61,3 @@ jobs:
         uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           category: "/language:${{matrix.language}}"
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        with:
-          name: SARIF files
-          path: /**/*.sarif
-          retention-days: 5
From 9e3e432a4abe6f274d5d1d7377fe6566d7f12d6a Mon Sep 17 00:00:00 2001
From: Stephen Griffin
Date: Tue, 12 Nov 2024 10:32:44 -0500
Subject: [PATCH 4/7] Remove some files from language detection
---
 .gitattributes | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .gitattributes
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..61c4cc0
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+binding.gyp -linguist-detectable
+scripts/** -linguist-detectable
\ No newline at end of file
From 003db22511b0b05f5619c9057896c25e12e3a4f9 Mon Sep 17 00:00:00 2001
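Review bot: Prefixing the glob with `/` makes `path: /**/*.sarif` an absolute pattern, so the upload walks from the root of the runner's drive rather than the workspace; it sidesteps the parse problem of a plain scalar starting with `*`, but a root-anchored glob is not what the step wants. The YAML fix is to quote the pattern, `path: '**/*.sarif'`, though as far as I recall the analyze action writes its SARIF to a directory beside the checkout rather than inside it, so a workspace-relative glob may still match nothing. The analyze step exposes the file location as the `sarif-output` step output; giving it `id: analyze` and using `path: ${{ steps.analyze.outputs.sarif-output }}` avoids the glob altogether.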
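Review bot: The new `.gitattributes` ends without a trailing newline (the `\ No newline at end of file` marker), so the next line appended to it will show `scripts/** -linguist-detectable` as modified in that diff; end the file with a newline. Also, `-linguist-detectable` governs GitHub's repository language statistics, and the codeql.yml matrix in this series pins the analysis language to `c-cpp` explicitly, so the attribute may not change what the scan sees; confirm it addresses the warning or behaviour it was added for.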
From: Stephen Griffin
Date: Tue, 12 Nov 2024 11:16:42 -0500
Subject: [PATCH 5/7] try uploading sarif to artifacts
---
 .github/workflows/codeql.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 29d8b74..5fe9bcd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,6 +58,12 @@ jobs:
       #   uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
       - name: Perform CodeQL Analysis
+        id: analyze
         uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           category: "/language:${{matrix.language}}"
+
+      - name: CodeQLSARIF
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          path: ${{ steps.analyze.outputs.sarif-output }}
\ No newline at end of file
From f9bf5434d4daf9de2f60ac01583f3fe2c6c55aeb Mon Sep 17 00:00:00 2001
From: Stephen Griffin
Date: Tue, 12 Nov 2024 11:33:18 -0500
Subject: [PATCH 6/7] add more sarif uploads
---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/devskim.yml | 7 ++++++-
 .github/workflows/github-ci.yml | 6 ++++++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5fe9bcd..9581da7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -63,7 +63,7 @@ jobs:
         with:
           category: "/language:${{matrix.language}}"
-      - name: CodeQLSARIF
+      - name: Upload CodeQL Analysis Results
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           path: ${{ steps.analyze.outputs.sarif-output }}
\ No newline at end of file
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
index 8aad510..32d473f 100644
--- a/.github/workflows/devskim.yml
+++ b/.github/workflows/devskim.yml
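Review bot: The new `CodeQLSARIF` upload step has no `name:`, so the artifact takes the default name `artifact`; because `analyze` runs in a matrix and upload-artifact v4 fails when a second upload targets an existing name, adding another language to the matrix would break the job. Name it per leg, `name: codeql-results-${{ matrix.language }}`, as the last patch in this series does for github-ci.yml but not here. The `retention-days: 5` the earlier version of this step carried is gone too; for a diagnostic artifact a short retention keeps raw findings from sitting in run artifacts for the default period. The file also still ends without a trailing newline.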
@@ -31,4 +31,9 @@ jobs:
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
-          sarif_file: devskim-results.sarif
\ No newline at end of file
+          sarif_file: devskim-results.sarif
+
+      - name: Upload DevSkim scan results as an artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          path: devskim-results.sarif
\ No newline at end of file
diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index c0354cb..637e359 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
@@ -44,10 +44,16 @@ jobs:
         & $path\MSBuild\Current\Bin\amd64\msbuild.exe /m /p:Configuration="${{matrix.configuration}}" /p:Platform="${{matrix.platform}}" mapistub.sln
       - name: Perform CodeQL Analysis
+        id: analyze
         uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           category: "/language:cpp"
+      - name: Upload CodeQL Analysis Results
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          path: ${{ steps.analyze.outputs.sarif-output }}
+
   publish-test-results:
     name: "Publish Tests Results"
     needs: build
From a974d92499878ac4f238172db0c8f5e2fa470b8f Mon Sep 17 00:00:00 2001
From: Stephen Griffin
Date: Tue, 12 Nov 2024 11:52:52 -0500
Subject: [PATCH 7/7] uniquify codeql artifact names
---
 .github/workflows/github-ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index 637e359..f6c56c7 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
@@ -52,6 +52,7 @@ jobs:
       - name: Upload CodeQL Analysis Results
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
+          name: codeql-results-${{ matrix.configuration }}-${{ matrix.platform }}
           path: ${{ steps.analyze.outputs.sarif-output }}
   publish-test-results:
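Review bot: The artifact step added after the Security-tab upload has neither `name:` nor `retention-days:`, so the DevSkim SARIF is stored under the default name `artifact` for the default retention period. Since this copy is for diagnostics, `name: devskim-results` and `retention-days: 5` (the value codeql.yml used earlier in this series) keep it identifiable and short-lived. The hunk also leaves devskim.yml without a trailing newline, as the marker after the new `path:` line shows.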