From 56296876c4b118f343599708d9b9b82186dd590c Mon Sep 17 00:00:00 2001 From: Brian Date: Wed, 11 Oct 2023 21:12:06 -0400 Subject: [PATCH 1/3] Add CodeQL Workflow for Code Security Analysis Add CodeQL Workflow for Code Security Analysis This pull request introduces a CodeQL workflow to enhance the security analysis of our repository. CodeQL is a powerful static analysis tool that helps identify and mitigate security vulnerabilities in our codebase. By integrating this workflow into our GitHub Actions, we can proactively identify and address potential issues before they become security threats. We added a new CodeQL workflow file (.github/workflows/codeql.yml) that - Runs on every push and pull request to the main branch. - Excludes queries with a high false positive rate or low-severity findings. - Does not display results for third-party code, focusing only on our own codebase. Testing: To validate the functionality of this workflow, we have run several test scans on the codebase and reviewed the results. The workflow successfully compiles the project, identifies issues, and provides actionable insights while reducing noise by excluding certain queries and third-party code. Deployment: Once this pull request is merged, the CodeQL workflow will be active and automatically run on every push and pull request to the main branch. To view the results of these code scans, please follow these steps: 1. Under the repository name, click on the Security tab. 2. In the left sidebar, click Code scanning alerts. Additional Information: - You can further customize the workflow to adapt to your specific needs by modifying the workflow file. - For more information on CodeQL and how to interpret its results, refer to the GitHub documentation and the CodeQL documentation. 
Signed-off-by: Brian
---
 .github/workflows/codeql-buildscript.sh | 448 ++++++++++++++++++++++++
 .github/workflows/codeql.yml | 123 +++++++
 2 files changed, 571 insertions(+)
 create mode 100644 .github/workflows/codeql-buildscript.sh
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql-buildscript.sh b/.github/workflows/codeql-buildscript.sh
new file mode 100644
index 00000000..6e2898a7
--- /dev/null
+++ b/.github/workflows/codeql-buildscript.sh
@@ -0,0 +1,448 @@ +#!/usr/bin/env bash + +sudo apt install python3-virtualenv +virtualenv -p /usr/bin/python2.7 temp-python +source temp-python/bin/activate + +echo " +# +# Automatically generated file; DO NOT EDIT. +# BitThunder Configuration +# +BT_CONFIG_CONFIGURED=y +BT_CONFIG_OS=y +# BT_CONFIG_LIB is not set + +# +# Build System (dbuild) +# +BT_CONFIG_DBUILD_PYTHON="/usr/bin/python" +BT_CONFIG_HOST_LINUX=y +# BT_CONFIG_HOST_WINDOWS is not set +# BT_CONFIG_HOST_OTHER is not set +BT_CONFIG_TOOLCHAIN="arm-none-eabi-" +BT_CONFIG_OPTIMISE_NONE=y +# BT_CONFIG_OPTIMISE_SIZE is not set +# BT_CONFIG_OPTIMISE_SPEED is not set +# BT_CONFIG_OPTIMISE_ULTRA_SPEED is not set +# BT_CONFIG_READABLE_ASM is not set +BT_CONFIG_WARN_NORMAL=y +# BT_CONFIG_WARN_ALL is not set +# BT_CONFIG_WARN_PEDANTIC is not set +# BT_CONFIG_WARN_ERROR is not set +# BT_CONFIG_WARN_ERROR_PEDANTIC is not set +BT_CONFIG_TOOLCHAIN_WARNING="" +BT_CONFIG_TOOLCHAIN_OPTIMISATION="-O0" +BT_CONFIG_TOOLCHAIN_DEBUG=y +BT_CONFIG_TOOLCHAIN_DEBUG_FLAGS="-g" + +# +# Build Configuration +# +BT_CONFIG_BUILD_NOSTDLIB=y +BT_CONFIG_BUILD_GC_UNUSED=y +BT_CONFIG_BUILD_DISASSEMBLE=y +# BT_CONFIG_BUILD_DISASSEMBLE_SOURCE is not set + +# +# System Architecture +# +BT_CONFIG_ARCH_ARM=y +# BT_CONFIG_ARCH_PPC is not set +BT_CONFIG_ARCH="arm" +BT_CONFIG_LITTLE_ENDIAN=y +BT_CONFIG_HAS_MMU=y + +# +# ARM Options +# +# BT_CONFIG_MACH_BCM2835 is not set +# BT_CONFIG_MACH_LPC11xx is not set +# BT_CONFIG_MACH_LPC17xx is not set +# BT_CONFIG_MACH_STM32 is not set +# BT_CONFIG_MACH_LM3Sxx is not set +BT_CONFIG_MACH_ZYNQ=y +BT_CONFIG_ARCH_ARM_CORTEX_A9=y +# BT_CONFIG_ARCH_ARM_ARMv6 is not set +BT_CONFIG_ARCH_ARM_ARMv7=y +BT_CONFIG_ARCH_ARM_ARMv7_A=y +BT_CONFIG_ARCH_ARM_FAMILY="armv7-a" +BT_CONFIG_TOOLCHAIN_CPU="cortex-a9" +# BT_CONFIG_TOOLCHAIN_FLOAT_HARD is not set +# BT_CONFIG_TOOLCHAIN_FLOAT_SOFTFP is not set +BT_CONFIG_TOOLCHAIN_FLOAT_SOFT=y +BT_CONFIG_TOOLCHAIN_MACH_FLAGS="" +BT_CONFIG_TOOLCHAIN_MFPU="-mfpu=neon" 
+BT_CONFIG_TOOLCHAIN_FPU_ABI="-mfloat-abi=soft" +BT_CONFIG_ARCH_ARM_HAS_NEON=y +BT_CONFIG_ARCH_ARM_BOOT=y +# BT_CONFIG_ARCH_HAVE_MPU is not set +# BT_CONFIG_KERNEL_FREERTOS_CA9_MODERN_PORT is not set +BT_CONFIG_LINKER_STACK_SIZE=0x100 +BT_CONFIG_BOARD_DEFCONFIG_FILE="zedboard.defconfig" +BT_CONFIG_MACH_RAM_START=0x0 +BT_CONFIG_MACH_RAM_SIZE=0x08000000 +BT_CONFIG_MACH_ZYNQ_PLATFORM=y +BT_CONFIG_ARCH_ARM_CORTEX_A9_MPCORE_BASE=0xF8F00000 +BT_CONFIG_CPU_CORES=2 +# BT_CONFIG_ZYNQ_MICROZED is not set +BT_CONFIG_ZYNQ_ZEDBOARD=y +# BT_CONFIG_ZYNQ_ZC702 is not set +# BT_CONFIG_ZYNQ_ZC706 is not set +# BT_CONFIG_ZYNQ_ZYBO is not set + +# +# Zynq Platform Options +# +BT_CONFIG_MACH_ZYNQ_XC7Z020=y + +# +# Startup Hooks +# +BT_CONFIG_MACH_ZYNQ_USE_STARTUP=y +# BT_CONFIG_MACH_ZYNQ_STARTUP_RAM_TEST is not set +# BT_CONFIG_MACH_ZYNQ_STARTUP_PS7INIT is not set +# BT_CONFIG_MACH_ZYNQ_STARTUP_INIT_GT is not set +# BT_CONFIG_MACH_ZYNQ_STARTUP_DDR_RELOCATE is not set +BT_CONFIG_MACH_ZYNQ_SYSCLOCK_FREQ=33333333 + +# +# Peripheral Selection +# + +# +# CAN devices +# +# BT_CONFIG_MACH_ZYNQ_CAN_0 is not set +# BT_CONFIG_MACH_ZYNQ_CAN_1 is not set + +# +# Device Configuration (FPGA loading) +# +# BT_CONFIG_MACH_ZYNQ_DEVCFG is not set + +# +# Gigabit Ethernet MACs +# +# BT_CONFIG_MACH_ZYNQ_GEM_0 is not set +# BT_CONFIG_MACH_ZYNQ_GEM_1 is not set + +# +# GPIO +# +# BT_CONFIG_MACH_ZYNQ_GPIO is not set + +# +# I2C devices +# +# BT_CONFIG_MACH_ZYNQ_I2C is not set +# BT_CONFIG_MACH_ZYNQ_I2C_0 is not set +# BT_CONFIG_MACH_ZYNQ_I2C_1 is not set + +# +# SDIO (SDCard Interfaces) +# +# BT_CONFIG_MACH_ZYNQ_SDIO is not set +# BT_CONFIG_MACH_ZYNQ_SDIO_0 is not set +# BT_CONFIG_MACH_ZYNQ_SDIO_1 is not set +# BT_CONFIG_MACH_ZYNQ_QSPI is not set + +# +# UART devices +# +# BT_CONFIG_MACH_ZYNQ_UART is not set +# BT_CONFIG_MACH_ZYNQ_UART_0 is not set +# BT_CONFIG_MACH_ZYNQ_UART_1 is not set +# BT_CONFIG_MACH_ZYNQ_BOOTLOG_UART_0 is not set +# BT_CONFIG_MACH_ZYNQ_BOOTLOG_UART_1 is not set 
+BT_CONFIG_MACH_ZYNQ_BOOTLOG_NULL=y +BT_CONFIG_SUBARCH="zynq" + +# +# Memory +# +BT_CONFIG_LINKER_MEMORY_DEFINED=y +# BT_CONFIG_LINKER_MACH_FLASH is not set +# BT_CONFIG_LINKER_MACH_SRAM is not set +BT_CONFIG_LINKER_MACH_RAM=y +# BT_CONFIG_LINKER_MACH_INIT_SECTION_IN_FLASH is not set +# BT_CONFIG_LINKER_MACH_INIT_SECTION_IN_SRAM is not set +BT_CONFIG_LINKER_MACH_INIT_SECTION_IN_RAM=y +# BT_CONFIG_LINKER_MACH_TEXT_SECTION_IN_FLASH is not set +# BT_CONFIG_LINKER_MACH_TEXT_SECTION_IN_SRAM is not set +BT_CONFIG_LINKER_MACH_TEXT_SECTION_IN_RAM=y +# BT_CONFIG_LINKER_MACH_DATA_SECTION_IN_FLASH is not set +# BT_CONFIG_LINKER_MACH_DATA_SECTION_IN_SRAM is not set +BT_CONFIG_LINKER_MACH_DATA_SECTION_IN_RAM=y +# BT_CONFIG_LINKER_MACH_BSS_SECTION_IN_FLASH is not set +# BT_CONFIG_LINKER_MACH_BSS_SECTION_IN_SRAM is not set +BT_CONFIG_LINKER_MACH_BSS_SECTION_IN_RAM=y +# BT_CONFIG_LINKER_SECTION_FLASH is not set +BT_CONFIG_LINKER_FLASH_RESERVED=0x0 +# BT_CONFIG_LINKER_SECTION_SRAM is not set +BT_CONFIG_LINKER_SRAM_RESERVED=0x0 +BT_CONFIG_LINKER_HEAP_DOWN=0x0 +BT_CONFIG_LINKER_SECTION_RAM=y +BT_CONFIG_LINKER_RAM_START_ADDRESS=0x0 +BT_CONFIG_LINKER_RAM_LENGTH=0x08000000 +BT_CONFIG_LINKER_INIT_SECTION_RAM=y +BT_CONFIG_LINKER_TEXT_SECTION_RAM=y +BT_CONFIG_LINKER_DATA_SECTION_RAM=y +BT_CONFIG_LINKER_BSS_SECTION_RAM=y +BT_CONFIG_ARCH_ARM_IRQ_STACK=y +BT_CONFIG_LINKER_IRQ_STACK_SIZE=0x100 +# BT_CONFIG_ARCH_ARM_FULL_INIT is not set +# BT_CONFIG_ARCH_ARM_THUMB is not set +BT_CONFIG_ARCH_ARM_THUMB_INTERWORK=y +BT_CONFIG_KERNEL_CFLAGS_REMOVE="" + +# +# OS Features +# + +# +# Process Manager +# +BT_CONFIG_MAX_PROCESS_NAME=10 +# BT_CONFIG_PROCESS_CWD is not set +# BT_CONFIG_ALIVE_LED is not set + +# +# GPIOs +# +BT_CONFIG_MAX_GPIO_CONTROLLERS=1 + +# +# Interrupts +# +BT_CONFIG_MAX_INTERRUPT_CONTROLLERS=1 +# BT_CONFIG_INTERRUPTS_SOFTIRQ is not set + +# +# Tasklets +# +# BT_CONFIG_TASKLETS is not set + +# +# Filesystems +# +BT_CONFIG_FS=y +# BT_CONFIG_INODE is not set +# 
BT_CONFIG_FS_DEV_DYNAMIC_REGISTRATION is not set +# BT_CONFIG_FS_FULLFAT is not set +# BT_CONFIG_FS_EXT2 is not set + +# +# Loader +# +# BT_CONFIG_LOADER is not set + +# +# Networking +# +# BT_CONFIG_NET is not set +# BT_CONFIG_SUPPORTS_UDP is not set +# BT_CONFIG_SUPPORTS_TCP is not set +# BT_CONFIG_SUPPORTS_DHCP is not set +# BT_CONFIG_SUPPORTS_IGMP is not set +# BT_CONFIG_NET_LWIP is not set + +# +# lwIP options +# +BT_CONFIG_USE_TCP=0 +BT_CONFIG_USE_UDP=0 +BT_CONFIG_USE_DHCP=0 +BT_CONFIG_USE_IGMP=0 + +# +# Memory Management +# +# BT_CONFIG_MEM_PAGE_ALLOCATOR is not set +# BT_CONFIG_MEM_PAGE_COHERENT_POOL is not set +BT_CONFIG_MEM_KHEAP=y +# BT_CONFIG_USE_VIRTUAL_ADDRESSING is not set +BT_CONFIG_RAM_PHYS=0x0 +BT_CONFIG_RAM_VIRT=0x0 +# BT_CONFIG_TRACE_MALLOC is not set + +# +# Kernel Shell +# +# BT_CONFIG_SHELL is not set + +# +# Commands +# +# BT_CONFIG_SHELL_JIMTCL is not set +# BT_CONFIG_SHELL_MICROPYTHON is not set + +# +# System Calls +# +# BT_CONFIG_SYSCALL is not set + +# +# Syslog +# +# BT_CONFIG_SYSLOG_REMOVE_PRINTK is not set +# BT_CONFIG_SYSLOG_SYSTICK is not set +# BT_CONFIG_SYSLOG_LINE_ENDINGS_CR is not set +BT_CONFIG_SYSLOG_LINE_ENDINGS_LF=y +# BT_CONFIG_SYSLOG_LINE_ENDINGS_CRLF is not set +# BT_CONFIG_SYSLOG_LINE_ENDINGS_LFCR is not set + +# +# Time +# +BT_CONFIG_TIME_CLOCK_SOURCE="/dev/rtc0" + +# +# Library Support +# +BT_CONFIG_LIB_PRINTF=y + +# +# printf features +# +BT_CONFIG_LIB_PRINTF_SUPPORT_HEX=y +# BT_CONFIG_OF is not set +BT_CONFIG_CACHE_MAINTENANCE=y +BT_CONFIG_MAIN_TASK_STACK_DEPTH=512 +BT_CONFIG_MAIN_TASK_PRIORITY=0 +BT_CONFIG_INHERIT_STDIO_FROM_KERNEL=y +BT_CONFIG_MULTITHREADED_INIT=y +BT_CONFIG_INIT_WELCOME=y +# BT_CONFIG_INIT_SHELL is not set +# BT_CONFIG_INIT_FORK is not set + +# +# Subsystems +# +# BT_CONFIG_BLOCK is not set +# BT_CONFIG_BLOCK_SCHEDULER is not set +# BT_CONFIG_BLOCK_SCHEDULER_THREAD_PER_DEVICE is not set +# BT_CONFIG_VOLUME is not set +BT_CONFIG_FILE=y +# BT_CONFIG_DIR is not set +# BT_CONFIG_I2C is not set +# 
BT_CONFIG_ADC is not set +# BT_CONFIG_DAC is not set +# BT_CONFIG_QEI is not set +# BT_CONFIG_MCPWM is not set +# BT_CONFIG_PWM is not set +# BT_CONFIG_TIMER is not set +# BT_CONFIG_MTD is not set +# BT_CONFIG_RTC is not set +# BT_CONFIG_SPI is not set +# BT_CONFIG_CAN is not set +BT_CONFIG_UART=y +BT_CONFIG_THREADS=y +BT_CONFIG_PROCESS=y +BT_CONFIG_TIMERS=y + +# +# Drivers +# + +# +# Configure all required driver sub-systems +# + +# +# Block Devices +# +# BT_CONFIG_DRIVERS_BLOCK is not set +# BT_CONFIG_DRIVERS_BLOCK_RAMDISK is not set + +# +# GPIO Devices +# +# BT_CONFIG_DRIVERS_GPIO is not set + +# +# I2C GPIO Expanders +# +# BT_CONFIG_DRIVERS_GPIO_I2C_MAX7312 is not set + +# +# DAC Devices +# +# BT_CONFIG_DRIVERS_DAC is not set + +# +# I2C DAC's +# +# BT_CONFIG_DRIVERS_DAC_I2C_MCP4728 is not set + +# +# ADC Devices +# +# BT_CONFIG_DRIVERS_ADC is not set + +# +# SPI ADC's +# +# BT_CONFIG_DRIVERS_ADC_SPI_MAX1231 is not set + +# +# I2C ADC's +# +# BT_CONFIG_DRIVERS_ADC_I2C_MAX1363 is not set + +# +# MMC / SDCard Subsystem +# +# BT_CONFIG_DRIVERS_MMC is not set + +# +# Host Controllers +# + +# +# MTD Devices +# +# BT_CONFIG_DRIVERS_MTD is not set + +# +# SPI Flash devices +# +# BT_CONFIG_DRIVERS_MTD_M25P80 is not set + +# +# Network Controllers +# +# BT_CONFIG_DRIVERS_NET is not set + +# +# PHYs +# +# BT_CONFIG_DRIVERS_NET_PHY_MARVELL is not set + +# +# RTC Devices +# +# BT_CONFIG_DRIVERS_RTC is not set + +# +# I2C RTC devices +# +# BT_CONFIG_DRIVERS_RTC_I2C_DS1338 is not set + +# +# Kernel Options +# +# BT_CONFIG_KERNEL_NONE is not set +BT_CONFIG_KERNEL_FREERTOS=y +# BT_CONFIG_KERNEL_BT is not set + +# +# FreeRTOS Specific options +# +# BT_CONFIG_KERNEL_FREERTOS_NEWLIB_REENTRANCY_SUPPORT is not set +BT_CONFIG_KERNEL_TICK_RATE=1000 +# BT_CONFIG_KERNEL_SYMBOLS is not set +" > .config + +#make menuconfig +make -j$(nproc) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..eaa9599b --- /dev/null 
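Review bot: The `echo "…" > .config` block that makes up most of this hunk writes every string value without its quotes, because the inner double quotes in lines such as `BT_CONFIG_TOOLCHAIN="arm-none-eabi-"` and `BT_CONFIG_TOOLCHAIN_WARNING=""` close and reopen the shell string instead of being printed, so the generated file reads `BT_CONFIG_TOOLCHAIN=arm-none-eabi-` and `BT_CONFIG_TOOLCHAIN_WARNING=`. A quoted heredoc preserves the configurator output byte for byte: replace the opening line with `cat > .config <<'EOF'` and the closing `" > .config` with `EOF`. The script also has no `set -euo pipefail`, so a failed `sudo apt install python3-virtualenv` (which lacks `-y` and may abort at its confirmation prompt on a non-interactive runner) or a missing `/usr/bin/python2.7` does not stop the run, and `make -j$(nproc)` proceeds against whatever interpreter the image happens to have. Whether the dbuild parser tolerates unquoted values I cannot tell from this hunk, but the file's own header says it is generated and must not be edited, so reproducing it exactly is the safer default.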
+++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,123 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main", "master" ]
+  schedule:
+    - cron: '28 21 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    # - https://gh.io/recommended-hardware-resources-for-running-codeql
+    # - https://gh.io/supported-runners-and-hardware-resources
+    # - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-20.04' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        submodules: recursive
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+        queries: security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    #- name: Autobuild
+    # uses: github/codeql-action/autobuild@v2
+
+    # â„šī¸ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    # If the Autobuild fails above, remove it and uncomment the following three lines.
+    # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    - run: |
+        ./.github/workflows/codeql-buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
+        upload: false
+      id: step1
+
+    # Filter out rules with low severity or high false positve rate
+    # Also filter out warnings in third-party code
+    - name: Filter out unwanted errors and warnings
+      uses: advanced-security/filter-sarif@v1
+      with:
+        patterns: |
+          -**:cpp/path-injection
+          -**:cpp/world-writable-file-creation
+          -**:cpp/poorly-documented-function
+          -**:cpp/potentially-dangerous-function
+          -**:cpp/use-of-goto
+          -**:cpp/integer-multiplication-cast-to-long
+          -**:cpp/comparison-with-wider-type
+          -**:cpp/leap-year/*
+          -**:cpp/ambiguously-signed-bit-field
+          -**:cpp/suspicious-pointer-scaling
+          -**:cpp/suspicious-pointer-scaling-void
+          -**:cpp/unsigned-comparison-zero
+          -**/third*party/**
+          -**/3rd*party/**
+          -**/external/**
+        input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+        output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: ${{ steps.step1.outputs.sarif-output }}
+        category: "/language:${{matrix.language}}"
+
+    - name: Archive CodeQL results
+      uses: actions/upload-artifact@v3
+      with:
+        name: codeql-results
+        path: ${{ steps.step1.outputs.sarif-output }}
+        retention-days: 5
\ No newline at end of file
From 830256e2e3ecaa6eeb5bf8adb115ab4061b531f0 Mon Sep 17 00:00:00 2001
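Review bot: The `patterns:` list in the Filter step excludes `cpp/path-injection`, `cpp/world-writable-file-creation` and `cpp/potentially-dangerous-function`, which are security queries rather than the low-severity or high-false-positive rules the comment above the step describes, so findings from them will never reach the Security tab and nothing in the workflow records why. Each excluded query needs a stated reason in the YAML comment block above the step (an inline `#` cannot be used, since it would become part of the `|` literal and be passed to the filter as a pattern), or those three should stay enabled and be triaged as alerts. `advanced-security/filter-sarif@v1`, like the `@v2`/`@v3` references to the GitHub-owned actions, is pinned to a mutable tag; for a job that holds `security-events: write` and uploads the SARIF that drives alerts, pinning to a full commit SHA with the tag in a trailing comment is the usual hardening. The comment above that step also misspells `positve`.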
From: Brian Date: Fri, 20 Oct 2023 01:16:09 -0400 Subject: [PATCH 2/3] Add CodeQL Workflow for Code Security Analysis Add CodeQL Workflow for Code Security Analysis This pull request introduces a CodeQL workflow to enhance the security analysis of our repository. CodeQL is a powerful static analysis tool that helps identify and mitigate security vulnerabilities in our codebase. By integrating this workflow into our GitHub Actions, we can proactively identify and address potential issues before they become security threats. We added a new CodeQL workflow file (.github/workflows/codeql.yml) that - Runs on every pull request (functionality to run on every push to main branches is included as a comment for convenience). - Runs daily. - Excludes queries with a high false positive rate or low-severity findings. - Does not display results for git submodules, focusing only on our own codebase. Testing: To validate the functionality of this workflow, we have run several test scans on the codebase and reviewed the results. The workflow successfully compiles the project, identifies issues, and provides actionable insights while reducing noise by excluding certain queries and third-party code. Deployment: Once this pull request is merged, the CodeQL workflow will be active and automatically run on every push and pull request to the main branch. To view the results of these code scans, please follow these steps: 1. Under the repository name, click on the Security tab. 2. In the left sidebar, click Code scanning alerts. Additional Information: - You can further customize the workflow to adapt to your specific needs by modifying the workflow file. - For more information on CodeQL and how to interpret its results, refer to the GitHub documentation and the CodeQL documentation (https://codeql.github.com/ and https://codeql.github.com/docs/). 
Signed-off-by: Brian
---
 .github/workflows/codeql.yml | 12 +++++++----
 .github/workflows/fail_on_error.py | 34 ++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 4 deletions(-)
 create mode 100755 .github/workflows/fail_on_error.py
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index eaa9599b..213c59a9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,11 +14,10 @@ name: "CodeQL"
 on:
   push:
     branches: [ "main", "master" ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "main", "master" ]
   schedule:
-    - cron: '28 21 * * 0'
+    - cron: '0 0 * * *'
+  pull_request:
+    branches: '*'
 
 jobs:
   analyze:
@@ -50,6 +49,11 @@ jobs:
       with:
         submodules: recursive
 
+    - name: arm-none-eabi-gcc GNU Arm Embedded Toolchain
+      uses: carlosperate/arm-none-eabi-gcc-action@v1.6.0
+      with:
+        release: '10.3-2021.10'
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v2
diff --git a/.github/workflows/fail_on_error.py b/.github/workflows/fail_on_error.py
new file mode 100755
index 00000000..29791742
--- /dev/null
+++ b/.github/workflows/fail_on_error.py
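Review bot: `branches: '*'` under the new `pull_request:` trigger does not deliver what the commit message promises ("runs on every pull request"): in GitHub's filter syntax `*` does not match `/`, so pull requests targeting branches such as `release/1.0` or `feature/x` will not be scanned, and I am not certain a scalar is accepted in place of a list for this key. If every pull request should be scanned, drop the filter and keep just `pull_request:`; if a pattern is wanted, use the `**` glob, `branches: [ '**' ]`. A one-line comment on the `schedule:` entry saying which branch the nightly `'0 0 * * *'` run analyses would also save the next reader a trip to the docs.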
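Review bot: The new `carlosperate/arm-none-eabi-gcc-action@v1.6.0` step pulls a third-party action by mutable tag into a job whose token holds `security-events: write`; pinning to the full commit SHA of that release, with the tag kept in a trailing comment, fixes exactly what code runs. A short comment on why release `10.3-2021.10` was chosen would help whoever bumps it next, e.g. `# provides the arm-none-eabi- prefix expected by BT_CONFIG_TOOLCHAIN in the build script`. Placing the step before `Initialize CodeQL` is the right order, since the compiler must exist before the traced build in the later `run:` step.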
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+
+import json
+import sys
+
+# Return whether SARIF file contains error-level results
+def codeql_sarif_contain_error(filename):
+    with open(filename, 'r') as f:
+        s = json.load(f)
+
+    for run in s.get('runs', []):
+        rules_metadata = run['tool']['driver']['rules']
+        if not rules_metadata:
+            rules_metadata = run['tool']['extensions'][0]['rules']
+
+        for res in run.get('results', []):
+            if 'ruleIndex' in res:
+                rule_index = res['ruleIndex']
+            elif 'rule' in res and 'index' in res['rule']:
+                rule_index = res['rule']['index']
+            else:
+                continue
+            try:
+                rule_level = rules_metadata[rule_index]['defaultConfiguration']['level']
+            except IndexError as e:
+                print(e, rule_index, len(rules_metadata))
+            else:
+                if rule_level == 'error':
+                    return True
+    return False
+
+if __name__ == "__main__":
+    if codeql_sarif_contain_error(sys.argv[1]):
+        sys.exit(1)
From cff5f66111562bfc0e707f8d98b9f57869012a57 Mon Sep 17 00:00:00 2001
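Review bot: `codeql_sarif_contain_error` decides on `rules_metadata[rule_index]['defaultConfiguration']['level']` alone and ignores a per-result `level`, which SARIF allows to override the rule default, so a result the tool reported at `error` under a rule whose default is `warning` (or the reverse) is classified wrongly; reading the result first, `rule_level = res.get('level') or rules_metadata[rule_index]['defaultConfiguration']['level']`, honours both. The lookups `run['tool']['driver']['rules']`, `run['tool']['extensions'][0]['rules']` and `['defaultConfiguration']['level']` are plain indexing, so a run whose driver omits `rules` or a rule without a default configuration raises `KeyError` and the job fails for the wrong reason instead of returning a verdict; the `except IndexError` covers only one of those cases. The `extensions[0]` fallback also assumes every result's rule lives in the first extension, which the SARIF `rule.toolComponent.index` reference would make explicit. As far as the two codeql.yml hunks in this patch show, nothing invokes `fail_on_error.py`, so the script is added but does not yet gate the workflow.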
From: Brian Date: Sun, 29 Oct 2023 15:37:37 -0400 Subject: [PATCH 3/3] Add CodeQL Workflow for Code Security Analysis Add CodeQL Workflow for Code Security Analysis This pull request introduces a CodeQL workflow to enhance the security analysis of our repository. CodeQL is a powerful static analysis tool that helps identify and mitigate security vulnerabilities in our codebase. By integrating this workflow into our GitHub Actions, we can proactively identify and address potential issues before they become security threats. We added a new CodeQL workflow file (.github/workflows/codeql.yml) that - Runs on every pull request (functionality to run on every push to main branches is included as a comment for convenience). - Runs daily. - Excludes queries with a high false positive rate or low-severity findings. - Does not display results for git submodules, focusing only on our own codebase. Testing: To validate the functionality of this workflow, we have run several test scans on the codebase and reviewed the results. The workflow successfully compiles the project, identifies issues, and provides actionable insights while reducing noise by excluding certain queries and third-party code. Deployment: Once this pull request is merged, the CodeQL workflow will be active and automatically run on every push and pull request to the main branch. To view the results of these code scans, please follow these steps: 1. Under the repository name, click on the Security tab. 2. In the left sidebar, click Code scanning alerts. Additional Information: - You can further customize the workflow to adapt to your specific needs by modifying the workflow file. - For more information on CodeQL and how to interpret its results, refer to the GitHub documentation and the CodeQL documentation (https://codeql.github.com/ and https://codeql.github.com/docs/). Signed-off-by: Brian --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 213c59a9..56454f22 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,8 +12,8 @@ name: "CodeQL"
 on:
-  push:
-    branches: [ "main", "master" ]
+  # push:
+  # branches: [ "main", "master" ]
   schedule:
     - cron: '0 0 * * *'
   pull_request: