|
 |
6f381c |
From 2b1dbcab1af1a22f3a46fa23aa551a7394673938 Mon Sep 17 00:00:00 2001
|
|
|
6f381c |
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
|
|
6f381c |
Date: Thu, 15 Sep 2022 15:29:23 +0200
|
|
|
6f381c |
Subject: [PATCH] ci: replace LGTM with CodeQL
|
|
|
6f381c |
|
|
|
6f381c |
As LGTM is going to be shut down by EOY, let's use CodeQL instead.
|
|
|
6f381c |
|
|
|
6f381c |
This is loosely based on upstream's CodeQL configs with some minor
|
|
|
6f381c |
tweaks to avoid backporting tons of unrelated commits.
|
|
|
6f381c |
|
|
|
6f381c |
rhel-only
|
|
|
6f381c |
Related: #2122499
|
|
|
6f381c |
---
|
|
|
6f381c |
.github/codeql-config.yml | 12 ++++
|
|
|
6f381c |
.github/codeql-custom.qls | 44 ++++++++++++
|
|
|
6f381c |
.../PotentiallyDangerousFunction.ql | 3 +
|
|
|
6f381c |
.../UninitializedVariableWithCleanup.ql | 16 ++---
|
|
|
6f381c |
.github/codeql-queries/qlpack.yml | 11 +++
|
|
|
6f381c |
.github/workflows/codeql.yml | 68 +++++++++++++++++++
|
|
|
6f381c |
.lgtm.yml | 37 ----------
|
|
|
6f381c |
7 files changed, 146 insertions(+), 45 deletions(-)
|
|
|
6f381c |
create mode 100644 .github/codeql-config.yml
|
|
|
6f381c |
create mode 100644 .github/codeql-custom.qls
|
|
|
6f381c |
rename {.lgtm/cpp-queries => .github/codeql-queries}/PotentiallyDangerousFunction.ql (93%)
|
|
|
6f381c |
rename {.lgtm/cpp-queries => .github/codeql-queries}/UninitializedVariableWithCleanup.ql (86%)
|
|
|
6f381c |
create mode 100644 .github/codeql-queries/qlpack.yml
|
|
|
6f381c |
create mode 100644 .github/workflows/codeql.yml
|
|
|
6f381c |
delete mode 100644 .lgtm.yml
|
|
|
6f381c |
|
|
|
6f381c |
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
|
|
|
6f381c |
new file mode 100644
|
|
|
6f381c |
index 0000000000..7c01d32caa
|
|
|
6f381c |
--- /dev/null
|
|
|
6f381c |
+++ b/.github/codeql-config.yml
|
|
|
6f381c |
@@ -0,0 +1,12 @@
|
|
|
6f381c |
+---
|
|
|
6f381c |
+# vi: ts=2 sw=2 et:
|
|
|
6f381c |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
6f381c |
+name: "CodeQL config"
|
|
|
6f381c |
+
|
|
|
6f381c |
+disable-default-queries: false
|
|
|
6f381c |
+
|
|
|
6f381c |
+queries:
|
|
|
6f381c |
+ - name: Enable possibly useful queries which are disabled by default
|
|
|
6f381c |
+ uses: ./.github/codeql-custom.qls
|
|
|
6f381c |
+ - name: systemd-specific CodeQL queries
|
|
|
6f381c |
+ uses: ./.github/codeql-queries/
|
|
|
6f381c |
diff --git a/.github/codeql-custom.qls b/.github/codeql-custom.qls
|
|
|
6f381c |
new file mode 100644
|
|
|
6f381c |
index 0000000000..d35fbe3114
|
|
|
6f381c |
--- /dev/null
|
|
|
6f381c |
+++ b/.github/codeql-custom.qls
|
|
|
6f381c |
@@ -0,0 +1,44 @@
|
|
|
6f381c |
+---
|
|
|
6f381c |
+# vi: ts=2 sw=2 et syntax=yaml:
|
|
|
6f381c |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
6f381c |
+#
|
|
|
6f381c |
+# Note: it is not recommended to directly reference the respective queries from
|
|
|
6f381c |
+# the github/codeql repository, so we have to "dance" around it using
|
|
|
6f381c |
+# a custom QL suite
|
|
|
6f381c |
+# See:
|
|
|
6f381c |
+# - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#running-additional-queries
|
|
|
6f381c |
+# - https://github.com/github/codeql-action/issues/430#issuecomment-806092120
|
|
|
6f381c |
+# - https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/
|
|
|
6f381c |
+
|
|
|
6f381c |
+# Note: the codeql/<lang>-queries pack name can be found in the CodeQL repo[0]
|
|
|
6f381c |
+# in <lang>/ql/src/qlpack.yml. The respective codeql-suites are then
|
|
|
6f381c |
+# under <lang>/ql/src/codeql-suites/.
|
|
|
6f381c |
+#
|
|
|
6f381c |
+# [0] https://github.com/github/codeql
|
|
|
6f381c |
+- import: codeql-suites/cpp-lgtm.qls
|
|
|
6f381c |
+ from: codeql/cpp-queries
|
|
|
6f381c |
+- import: codeql-suites/python-lgtm.qls
|
|
|
6f381c |
+ from: codeql/python-queries
|
|
|
6f381c |
+- include:
|
|
|
6f381c |
+ id:
|
|
|
6f381c |
+ - cpp/bad-strncpy-size
|
|
|
6f381c |
+ - cpp/declaration-hides-variable
|
|
|
6f381c |
+ - cpp/include-non-header
|
|
|
6f381c |
+ - cpp/inconsistent-null-check
|
|
|
6f381c |
+ - cpp/mistyped-function-arguments
|
|
|
6f381c |
+ - cpp/nested-loops-with-same-variable
|
|
|
6f381c |
+ - cpp/sizeof-side-effect
|
|
|
6f381c |
+ - cpp/suspicious-pointer-scaling
|
|
|
6f381c |
+ - cpp/suspicious-pointer-scaling-void
|
|
|
6f381c |
+ - cpp/suspicious-sizeof
|
|
|
6f381c |
+ - cpp/unsafe-strcat
|
|
|
6f381c |
+ - cpp/unsafe-strncat
|
|
|
6f381c |
+ - cpp/unsigned-difference-expression-compared-zero
|
|
|
6f381c |
+ - cpp/unused-local-variable
|
|
|
6f381c |
+ tags:
|
|
|
6f381c |
+ - "security"
|
|
|
6f381c |
+ - "correctness"
|
|
|
6f381c |
+ severity: "error"
|
|
|
6f381c |
+- exclude:
|
|
|
6f381c |
+ id:
|
|
|
6f381c |
+ - cpp/fixme-comment
|
|
|
6f381c |
diff --git a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
|
|
|
6f381c |
similarity index 93%
|
|
|
6f381c |
rename from .lgtm/cpp-queries/PotentiallyDangerousFunction.ql
|
|
|
6f381c |
rename to .github/codeql-queries/PotentiallyDangerousFunction.ql
|
|
|
6f381c |
index 39e8dddd13..63fd14e75f 100644
|
|
|
6f381c |
--- a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql
|
|
|
6f381c |
+++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql
|
|
|
6f381c |
@@ -46,6 +46,9 @@ predicate potentiallyDangerousFunction(Function f, string message) {
|
|
|
6f381c |
) or (
|
|
|
6f381c |
f.getQualifiedName() = "accept" and
|
|
|
6f381c |
message = "Call to accept() is not O_CLOEXEC-safe. Use accept4() instead."
|
|
|
6f381c |
+ ) or (
|
|
|
6f381c |
+ f.getQualifiedName() = "dirname" and
|
|
|
6f381c |
+ message = "Call dirname() is icky. Use path_extract_directory() instead."
|
|
|
6f381c |
)
|
|
|
6f381c |
}
|
|
|
6f381c |
|
|
|
6f381c |
diff --git a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
|
|
|
6f381c |
similarity index 86%
|
|
|
6f381c |
rename from .lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
|
|
|
6f381c |
rename to .github/codeql-queries/UninitializedVariableWithCleanup.ql
|
|
|
6f381c |
index 6b3b62f8bc..e514111f28 100644
|
|
|
6f381c |
--- a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
|
|
|
6f381c |
+++ b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
|
|
|
6f381c |
@@ -50,16 +50,16 @@ class UninitialisedLocalReachability extends StackVariableReachability {
|
|
|
6f381c |
* fun(&x);
|
|
|
6f381c |
* puts(x);
|
|
|
6f381c |
*
|
|
|
6f381c |
- * `useOfVarActual()` won't treat this an an uninitialized read even if the callee
|
|
|
6f381c |
+ * `useOfVarActual()` won't treat this as an uninitialized read even if the callee
|
|
|
6f381c |
* doesn't modify the argument, however, `useOfVar()` will
|
|
|
6f381c |
*/
|
|
|
6f381c |
override predicate isSink(ControlFlowNode node, StackVariable v) { useOfVar(v, node) }
|
|
|
6f381c |
|
|
|
6f381c |
override predicate isBarrier(ControlFlowNode node, StackVariable v) {
|
|
|
6f381c |
- // only report the _first_ possibly uninitialized use
|
|
|
6f381c |
+ /* only report the _first_ possibly uninitialized use */
|
|
|
6f381c |
useOfVar(v, node) or
|
|
|
6f381c |
(
|
|
|
6f381c |
- /* If there's an return statement somewhere between the variable declaration
|
|
|
6f381c |
+ /* If there's a return statement somewhere between the variable declaration
|
|
|
6f381c |
* and a possible definition, don't accept is as a valid initialization.
|
|
|
6f381c |
*
|
|
|
6f381c |
* E.g.:
|
|
|
6f381c |
@@ -71,7 +71,7 @@ class UninitialisedLocalReachability extends StackVariableReachability {
|
|
|
6f381c |
* x = malloc(...);
|
|
|
6f381c |
*
|
|
|
6f381c |
* is not a valid initialization, since we might return from the function
|
|
|
6f381c |
- * _before_ the actual iniitialization (emphasis on _might_, since we
|
|
|
6f381c |
+ * _before_ the actual initialization (emphasis on _might_, since we
|
|
|
6f381c |
* don't know if the return statement might ever evaluate to true).
|
|
|
6f381c |
*/
|
|
|
6f381c |
definitionBarrier(v, node) and
|
|
|
6f381c |
@@ -92,14 +92,14 @@ predicate containsInlineAssembly(Function f) { exists(AsmStmt s | s.getEnclosing
|
|
|
6f381c |
* for this check to exclude them.
|
|
|
6f381c |
*/
|
|
|
6f381c |
VariableAccess commonException() {
|
|
|
6f381c |
- // If the uninitialized use we've found is in a macro expansion, it's
|
|
|
6f381c |
- // typically something like va_start(), and we don't want to complain.
|
|
|
6f381c |
+ /* If the uninitialized use we've found is in a macro expansion, it's
|
|
|
6f381c |
+ * typically something like va_start(), and we don't want to complain. */
|
|
|
6f381c |
result.getParent().isInMacroExpansion()
|
|
|
6f381c |
or
|
|
|
6f381c |
result.getParent() instanceof BuiltInOperation
|
|
|
6f381c |
or
|
|
|
6f381c |
- // Finally, exclude functions that contain assembly blocks. It's
|
|
|
6f381c |
- // anyone's guess what happens in those.
|
|
|
6f381c |
+ /* Finally, exclude functions that contain assembly blocks. It's
|
|
|
6f381c |
+ * anyone's guess what happens in those. */
|
|
|
6f381c |
containsInlineAssembly(result.getEnclosingFunction())
|
|
|
6f381c |
}
|
|
|
6f381c |
|
|
|
6f381c |
diff --git a/.github/codeql-queries/qlpack.yml b/.github/codeql-queries/qlpack.yml
|
|
|
6f381c |
new file mode 100644
|
|
|
6f381c |
index 0000000000..a1a2dec6d6
|
|
|
6f381c |
--- /dev/null
|
|
|
6f381c |
+++ b/.github/codeql-queries/qlpack.yml
|
|
|
6f381c |
@@ -0,0 +1,11 @@
|
|
|
6f381c |
+---
|
|
|
6f381c |
+# vi: ts=2 sw=2 et syntax=yaml:
|
|
|
6f381c |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
6f381c |
+
|
|
|
6f381c |
+library: false
|
|
|
6f381c |
+name: systemd/cpp-queries
|
|
|
6f381c |
+version: 0.0.1
|
|
|
6f381c |
+dependencies:
|
|
|
6f381c |
+ codeql/cpp-all: "*"
|
|
|
6f381c |
+ codeql/suite-helpers: "*"
|
|
|
6f381c |
+extractor: cpp
|
|
|
6f381c |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
|
|
|
6f381c |
new file mode 100644
|
|
|
6f381c |
index 0000000000..c5426d5686
|
|
|
6f381c |
--- /dev/null
|
|
|
6f381c |
+++ b/.github/workflows/codeql.yml
|
|
|
6f381c |
@@ -0,0 +1,68 @@
|
|
|
6f381c |
+---
|
|
|
6f381c |
+# vi: ts=2 sw=2 et:
|
|
|
6f381c |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
6f381c |
+#
|
|
|
6f381c |
+name: "CodeQL"
|
|
|
6f381c |
+
|
|
|
6f381c |
+on:
|
|
|
6f381c |
+ pull_request:
|
|
|
6f381c |
+ branches:
|
|
|
6f381c |
+ - master
|
|
|
6f381c |
+ - rhel-*
|
|
|
6f381c |
+ paths:
|
|
|
6f381c |
+ - '**/meson.build'
|
|
|
6f381c |
+ - '.github/**/codeql*'
|
|
|
6f381c |
+ - 'src/**'
|
|
|
6f381c |
+ - 'test/**'
|
|
|
6f381c |
+ - 'tools/**'
|
|
|
6f381c |
+ push:
|
|
|
6f381c |
+ branches:
|
|
|
6f381c |
+ - master
|
|
|
6f381c |
+ - rhel-*
|
|
|
6f381c |
+
|
|
|
6f381c |
+permissions:
|
|
|
6f381c |
+ contents: read
|
|
|
6f381c |
+
|
|
|
6f381c |
+jobs:
|
|
|
6f381c |
+ analyze:
|
|
|
6f381c |
+ name: Analyze
|
|
|
6f381c |
+ runs-on: ubuntu-22.04
|
|
|
6f381c |
+ concurrency:
|
|
|
6f381c |
+ group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
|
|
|
6f381c |
+ cancel-in-progress: true
|
|
|
6f381c |
+ permissions:
|
|
|
6f381c |
+ actions: read
|
|
|
6f381c |
+ security-events: write
|
|
|
6f381c |
+
|
|
|
6f381c |
+ strategy:
|
|
|
6f381c |
+ fail-fast: false
|
|
|
6f381c |
+ matrix:
|
|
|
6f381c |
+ language: ['cpp', 'python']
|
|
|
6f381c |
+
|
|
|
6f381c |
+ steps:
|
|
|
6f381c |
+ - name: Checkout repository
|
|
|
6f381c |
+ uses: actions/checkout@v3
|
|
|
6f381c |
+
|
|
|
6f381c |
+ - name: Initialize CodeQL
|
|
|
6f381c |
+ uses: github/codeql-action/init@v2
|
|
|
6f381c |
+ with:
|
|
|
6f381c |
+ languages: ${{ matrix.language }}
|
|
|
6f381c |
+ config-file: ./.github/codeql-config.yml
|
|
|
6f381c |
+
|
|
|
6f381c |
+ - name: Install dependencies
|
|
|
6f381c |
+ if: matrix.language == 'cpp'
|
|
|
6f381c |
+ run: |
|
|
|
6f381c |
+ echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
|
|
|
6f381c |
+ sudo apt-get -y update
|
|
|
6f381c |
+ sudo apt-get -y build-dep systemd
|
|
|
6f381c |
+ sudo apt-get -y install libfdisk-dev libpwquality-dev libqrencode-dev libssl-dev libxkbcommon-dev libzstd-dev
|
|
|
6f381c |
+
|
|
|
6f381c |
+ - name: Build
|
|
|
6f381c |
+ if: matrix.language == 'cpp'
|
|
|
6f381c |
+ run: |
|
|
|
6f381c |
+ # EL 8 systemd fails to build with newer gnu-efi (3.0.13 on Ubuntu Jammy ATTOW)
|
|
|
6f381c |
+ meson build -Dlibiptc=false -Dgnu-efi=false
|
|
|
6f381c |
+ ninja -C build -v
|
|
|
6f381c |
+
|
|
|
6f381c |
+ - name: Perform CodeQL Analysis
|
|
|
6f381c |
+ uses: github/codeql-action/analyze@v2
|
|
|
6f381c |
diff --git a/.lgtm.yml b/.lgtm.yml
|
|
|
6f381c |
deleted file mode 100644
|
|
|
6f381c |
index fe93957b67..0000000000
|
|
|
6f381c |
--- a/.lgtm.yml
|
|
|
6f381c |
+++ /dev/null
|
|
|
6f381c |
@@ -1,37 +0,0 @@
|
|
|
6f381c |
----
|
|
|
6f381c |
-# vi: ts=2 sw=2 et:
|
|
|
6f381c |
-
|
|
|
6f381c |
-# Explicitly enable certain checks which are hidden by default
|
|
|
6f381c |
-queries:
|
|
|
6f381c |
- - include: cpp/bad-strncpy-size
|
|
|
6f381c |
- - include: cpp/declaration-hides-variable
|
|
|
6f381c |
- - include: cpp/inconsistent-null-check
|
|
|
6f381c |
- - include: cpp/mistyped-function-arguments
|
|
|
6f381c |
- - include: cpp/nested-loops-with-same-variable
|
|
|
6f381c |
- - include: cpp/sizeof-side-effect
|
|
|
6f381c |
- - include: cpp/suspicious-pointer-scaling
|
|
|
6f381c |
- - include: cpp/suspicious-pointer-scaling-void
|
|
|
6f381c |
- - include: cpp/suspicious-sizeof
|
|
|
6f381c |
- - include: cpp/unsafe-strcat
|
|
|
6f381c |
- - include: cpp/unsafe-strncat
|
|
|
6f381c |
- - include: cpp/unsigned-difference-expression-compared-zero
|
|
|
6f381c |
- - include: cpp/unused-local-variable
|
|
|
6f381c |
- - include:
|
|
|
6f381c |
- tags:
|
|
|
6f381c |
- - "security"
|
|
|
6f381c |
- - "correctness"
|
|
|
6f381c |
- severity: "error"
|
|
|
6f381c |
-
|
|
|
6f381c |
-extraction:
|
|
|
6f381c |
- cpp:
|
|
|
6f381c |
- prepare:
|
|
|
6f381c |
- packages:
|
|
|
6f381c |
- - python3-pip
|
|
|
6f381c |
- - python3-setuptools
|
|
|
6f381c |
- - python3-wheel
|
|
|
6f381c |
- after_prepare:
|
|
|
6f381c |
- - pip3 install meson
|
|
|
6f381c |
- - export PATH="$HOME/.local/bin/:$PATH"
|
|
|
6f381c |
- python:
|
|
|
6f381c |
- python_setup:
|
|
|
6f381c |
- version: 3
|