# Reusable CodeQL workflow for cFS components (bundle, cFE, OSAL, PSP, apps, tools).
# It is invoked with `workflow_call`, so every input below is supplied by the
# CALLER's workflow file. The command-valued inputs (`setup`, `prep`, `make`) are
# expanded verbatim into `run:` scripts in the Analysis job, which makes the
# caller repository the trust boundary for them.
# NOTE(review): callers must never forward untrusted event data (PR title,
# branch name, issue body, ...) into those inputs — it would run as shell code.
name: "CodeQL Reusable Workflow"
on:
  workflow_call:
    inputs:
      # REQUIRED Inputs
      component-path:
        description: 'Path to repo being tested in a cFS bundle setup'
        type: string
        required: true
        # NOTE(review): a default on a required input is presumably never used — confirm.
        default: cFS
      # Optional inputs
      app-name:
        description: Application name, if different from repo name
        type: string
        required: false
        # In a called workflow the `github` context is the caller's, so this is
        # the calling repository's name.
        default: ${{ github.event.repository.name }}
      # NOTE(review): `category` is declared but `inputs.category` is not
      # referenced anywhere in this file; the analyze step uses the matrix
      # scan-type as its category instead.
      category:
        description: 'Analysis Category'
        required: false
        type: string
      make:
        description: 'Build Command'
        default: ''  # Typically `make` or `make install`. Default is blank for workflows that don't need to build source
        required: false
        type: string
      prep:
        description: 'Make Prep'
        default: make prep
        required: false
        type: string
      setup:
        description: 'Build Prep Commands'
        type: string
        default: ''
        required: false
      test:
        # Passed through to the ENABLE_UNIT_TESTS env var below; kept as a string.
        description: 'Value for ENABLE_UNIT_TESTS flag'
        type: string
        default: 'false'
        required: false
      dependency:
        description: Additional module/library that this app depends on
        type: string
        required: false
        default: ''
# Force bash to apply pipefail option so pipeline failures aren't masked
# (an explicit `shell: bash` makes the runner invoke bash with `-eo pipefail`).
defaults:
  run:
    shell: bash
# Build-configuration environment shared by every job/step.
env:
  SIMULATION: native
  ENABLE_UNIT_TESTS: ${{inputs.test}}
  OMIT_DEPRECATED: false
  BUILDTYPE: debug
  REPO: ${{github.event.repository.name}}
jobs:
  # Checks for duplicate actions. Skips push actions if there is a matching or
  # duplicate pull-request action.
  check-for-duplicates:
    runs-on: ubuntu-22.04
    # NOTE(review): no job-level `permissions:` is declared, so this job runs
    # with whatever token scopes the caller granted. Querying workflow runs
    # presumably needs only `actions: read`; declaring that explicitly would
    # keep the token minimal — confirm against the action's documentation.
    # Map a step output to a job output
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
    steps:
      - id: skip_check
        # TODO(review): `@master` is a mutable ref on a third-party action; pin
        # it to a full commit SHA (with the version in a comment) so the code
        # executed here cannot change without a review.
        uses: fkirc/skip-duplicate-actions@master
        with:
          concurrent_skipping: 'same_content'
          skip_after_successful_duplicate: 'true'
          do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
  Analysis:
    # Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
    needs: check-for-duplicates
    if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
    runs-on: ubuntu-22.04
    # TODO(review): `:latest` is a mutable tag, so the build/analysis toolchain
    # can change between runs. Pin the image by digest (`image@sha256:...`) for
    # reproducible, attestable scans.
    container: ghcr.io/core-flight-system/cfsbuildenv-linux:latest
    timeout-minutes: 15
    strategy:
      fail-fast: false
      # Two independent scans with different query configs (see config-file below).
      matrix:
        scan-type: [security, coding-standard]
    # Declaring any permission here sets every unlisted scope to `none`.
    # NOTE(review): actions/checkout and codeql-action normally need
    # `contents: read` (and `actions: read` on private repos); the checkouts
    # below presumably succeed only because the repositories are public —
    # confirm before reusing this workflow from a private repository.
    permissions:
      security-events: write
    steps:
      # For apps
      - name: Set up app source
        if: contains(inputs.component-path, 'apps')
        # NOTE(review): `@dev` is a moving branch; the composite action's
        # contents are not pinned.
        uses: nasa/cFS/actions/setup-app@dev
        with:
          app-name: ${{ inputs.app-name }}
          dependency: ${{ inputs.dependency }}
      # For osal cFS bundle build, tools, and psp
      - name: Checkout cFS Bundle
        if: inputs.component-path == 'osal-bundle' || contains(inputs.component-path, 'tools') || inputs.component-path == 'psp'
        uses: actions/checkout@v6
        with:
          submodules: recursive
          repository: nasa/cFS
          ref: dev
      # For cFS bundle, cFE, osal
      - name: Checkout Current Repo
        if: "!contains(inputs.component-path, 'apps')"
        uses: actions/checkout@v6
        with:
          submodules: recursive
          # 'osal-bundle' checks out into ./osal; 'cFS' and 'osal' check out at
          # the workspace root (empty path); any other value checks out under
          # its own component path.
          path: ${{ inputs.component-path == 'osal-bundle' && 'osal' || (inputs.component-path != 'cFS' && inputs.component-path != 'osal' && inputs.component-path || '') }}
      # For cFE
      - name: Set up cFE
        if: inputs.component-path == 'cfe'
        uses: nasa/cFE/.github/actions/setup-cfe@dev
        with:
          source-dir: .
          preferred-ref: ${{ github.head_ref }}
          org: nasa
      # For osal
      # NOTE(review): the caller-supplied command strings below are substituted
      # into the shell script text before it runs (not passed as arguments), so
      # any shell metacharacters in them execute as-is. Acceptable while the
      # values are literals in the caller's workflow file; never derive them
      # from event data.
      - name: Setup Build
        if: inputs.component-path == 'osal'
        run: |
          ${{ inputs.setup }}
      - name: Prep Build
        run: |
          ${{ inputs.prep }}
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: cpp
          # NOTE(review): the query config is read from `main` while the
          # composite actions and bundle checkout above track `dev` —
          # presumably intentional, but confirm both branches carry the same
          # codeql-*.yml files.
          config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main
      - name: Build
        # Empty by default (see the `make` input) for components that need no build.
        run: ${{ inputs.make }}
        # BUILD_DIRECTORY is not defined in this file; presumably exported to
        # $GITHUB_ENV by one of the set-up steps above. Verify it is set for
        # every component-path — an empty value presumably falls back to the
        # workspace root.
        working-directory: ${{env.BUILD_DIRECTORY}}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: ${{matrix.scan-type}}
          # Upload is deferred: the SARIF is renamed and filtered first, then
          # uploaded explicitly by the last step.
          upload: false
          output: CodeQL-Sarif-${{ matrix.scan-type }}
      - name: Rename Sarif
        # Rewrites the tool name per matrix leg, presumably so the two result
        # sets appear as distinct tools in code scanning. `matrix.scan-type`
        # only takes the two literal values declared above, so expanding it
        # inside mv/sed is safe here.
        # NOTE(review): `sed s///` exits 0 when the pattern is absent, so a
        # whitespace change in the SARIF writer's `"name" : "CodeQL"` output
        # would silently skip the rename.
        run: |
          mv CodeQL-Sarif-${{ matrix.scan-type }}/cpp.sarif CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif
          sed -i 's/"name" : "CodeQL"/"name" : "CodeQL-${{ matrix.scan-type }}"/g' CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif
      - name: filter-sarif
        uses: advanced-security/filter-sarif@v1
        with:
          # Drop findings located in documentation files.
          patterns: |
            -**/*.md
            -**/*.txt
            -**/*.dox
          input: CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif
          output: CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif
      - name: Archive Sarif
        uses: actions/upload-artifact@v7
        with:
          name: CodeQL-Sarif-${{ matrix.scan-type }}
          path: CodeQL-Sarif-${{ matrix.scan-type }}
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: CodeQL-Sarif-${{ matrix.scan-type }}/Codeql-${{ matrix.scan-type }}.sarif
          ref: ${{ github.ref }}
          sha: ${{ github.sha }}
          # Directory the SARIF file paths are relative to, chosen per
          # component-path: ./osal for the OSAL bundle, ./<component-path> for
          # apps and tools, otherwise the workspace root.
          checkout_path: ${{
            inputs.component-path == 'osal-bundle' && format('{0}/osal', github.workspace) ||
            (contains(inputs.component-path, 'apps') || contains(inputs.component-path, 'tools')) && format('{0}/{1}', github.workspace, inputs.component-path) ||
            github.workspace
          }}