04e329
From 2b1dbcab1af1a22f3a46fa23aa551a7394673938 Mon Sep 17 00:00:00 2001
04e329
From: Frantisek Sumsal <frantisek@sumsal.cz>
04e329
Date: Thu, 15 Sep 2022 15:29:23 +0200
04e329
Subject: [PATCH] ci: replace LGTM with CodeQL
04e329
04e329
As LGTM is going to be shut down by EOY, let's use CodeQL instead.
04e329
04e329
This is loosely based on upstream's CodeQL configs with some minor
04e329
tweaks to avoid backporting tons of unrelated commits.
04e329
04e329
rhel-only
04e329
Related: #2122499
04e329
---
04e329
 .github/codeql-config.yml                     | 12 ++++
04e329
 .github/codeql-custom.qls                     | 44 ++++++++++++
04e329
 .../PotentiallyDangerousFunction.ql           |  3 +
04e329
 .../UninitializedVariableWithCleanup.ql       | 16 ++---
04e329
 .github/codeql-queries/qlpack.yml             | 11 +++
04e329
 .github/workflows/codeql.yml                  | 68 +++++++++++++++++++
04e329
 .lgtm.yml                                     | 37 ----------
04e329
 7 files changed, 146 insertions(+), 45 deletions(-)
04e329
 create mode 100644 .github/codeql-config.yml
04e329
 create mode 100644 .github/codeql-custom.qls
04e329
 rename {.lgtm/cpp-queries => .github/codeql-queries}/PotentiallyDangerousFunction.ql (93%)
04e329
 rename {.lgtm/cpp-queries => .github/codeql-queries}/UninitializedVariableWithCleanup.ql (86%)
04e329
 create mode 100644 .github/codeql-queries/qlpack.yml
04e329
 create mode 100644 .github/workflows/codeql.yml
04e329
 delete mode 100644 .lgtm.yml
04e329
04e329
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
04e329
new file mode 100644
04e329
index 0000000000..7c01d32caa
04e329
--- /dev/null
04e329
+++ b/.github/codeql-config.yml
04e329
@@ -0,0 +1,12 @@
04e329
+---
04e329
+# vi: ts=2 sw=2 et:
04e329
+# SPDX-License-Identifier: LGPL-2.1-or-later
04e329
+name: "CodeQL config"
04e329
+
04e329
+disable-default-queries: false
04e329
+
04e329
+queries:
04e329
+  - name: Enable possibly useful queries which are disabled by default
04e329
+    uses: ./.github/codeql-custom.qls
04e329
+  - name: systemd-specific CodeQL queries
04e329
+    uses: ./.github/codeql-queries/
04e329
diff --git a/.github/codeql-custom.qls b/.github/codeql-custom.qls
04e329
new file mode 100644
04e329
index 0000000000..d35fbe3114
04e329
--- /dev/null
04e329
+++ b/.github/codeql-custom.qls
04e329
@@ -0,0 +1,44 @@
04e329
+---
04e329
+# vi: ts=2 sw=2 et syntax=yaml:
04e329
+# SPDX-License-Identifier: LGPL-2.1-or-later
04e329
+#
04e329
+# Note: it is not recommended to directly reference the respective queries from
04e329
+#       the github/codeql repository, so we have to "dance" around it using
04e329
+#       a custom QL suite
04e329
+# See:
04e329
+#   - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#running-additional-queries
04e329
+#   - https://github.com/github/codeql-action/issues/430#issuecomment-806092120
04e329
+#   - https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/
04e329
+
04e329
+# Note: the codeql/<lang>-queries pack name can be found in the CodeQL repo[0]
04e329
+#       in <lang>/ql/src/qlpack.yml. The respective codeql-suites are then
04e329
+#       under <lang>/ql/src/codeql-suites/.
04e329
+#
04e329
+# [0] https://github.com/github/codeql
04e329
+- import: codeql-suites/cpp-lgtm.qls
04e329
+  from: codeql/cpp-queries
04e329
+- import: codeql-suites/python-lgtm.qls
04e329
+  from: codeql/python-queries
04e329
+- include:
04e329
+    id:
04e329
+      - cpp/bad-strncpy-size
04e329
+      - cpp/declaration-hides-variable
04e329
+      - cpp/include-non-header
04e329
+      - cpp/inconsistent-null-check
04e329
+      - cpp/mistyped-function-arguments
04e329
+      - cpp/nested-loops-with-same-variable
04e329
+      - cpp/sizeof-side-effect
04e329
+      - cpp/suspicious-pointer-scaling
04e329
+      - cpp/suspicious-pointer-scaling-void
04e329
+      - cpp/suspicious-sizeof
04e329
+      - cpp/unsafe-strcat
04e329
+      - cpp/unsafe-strncat
04e329
+      - cpp/unsigned-difference-expression-compared-zero
04e329
+      - cpp/unused-local-variable
04e329
+    tags:
04e329
+      - "security"
04e329
+      - "correctness"
04e329
+    severity: "error"
04e329
+- exclude:
04e329
+    id:
04e329
+      - cpp/fixme-comment
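Review bot: The single `include` block at the end of the suite combines `id`, `tags` and `severity` in one instruction, and in CodeQL suite syntax a query has to satisfy every constraint of one `include` to be selected, so a listed id is only picked up if it also carries one of those tags at severity error — narrower than the separate `include:` entries in the removed `.lgtm.yml`, where each line stood on its own. Splitting it into one `include` for the ids and one for the tag/severity criteria restores the old selection. If I read the suite syntax right, the metadata keys are also `tags contain` and `problem.severity` rather than the LGTM-style `tags`/`severity`; worth confirming against the codeql-suites files the header comment points at. The `cpp-lgtm.qls`/`python-lgtm.qls` imports are named after the product this commit is retiring; the non-LGTM-named suites (`cpp-code-scanning.qls`, `cpp-security-and-quality.qls`) would be the forward-looking choice if their breadth matches what is wanted here.
```yaml
- include:
    id:
      - cpp/bad-strncpy-size
      # … unchanged: remaining cpp/* ids …
      - cpp/unused-local-variable
- include:
    tags contain:
      - "security"
      - "correctness"
    problem.severity: "error"
```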
04e329
diff --git a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
04e329
similarity index 93%
04e329
rename from .lgtm/cpp-queries/PotentiallyDangerousFunction.ql
04e329
rename to .github/codeql-queries/PotentiallyDangerousFunction.ql
04e329
index 39e8dddd13..63fd14e75f 100644
04e329
--- a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql
04e329
+++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql
04e329
@@ -46,6 +46,9 @@ predicate potentiallyDangerousFunction(Function f, string message) {
04e329
   ) or (
04e329
     f.getQualifiedName() = "accept" and
04e329
     message = "Call to accept() is not O_CLOEXEC-safe. Use accept4() instead."
04e329
+  ) or (
04e329
+    f.getQualifiedName() = "dirname" and
04e329
+    message = "Call dirname() is icky. Use path_extract_directory() instead."
04e329
   )
04e329
 }
04e329
 
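Review bot: The new message on the `dirname` branch reads `Call dirname() is icky`, dropping the "to" that the neighbouring `accept` message uses; `message = "Call to dirname() is icky. Use path_extract_directory() instead."` keeps the two alerts parallel. The predicate `potentiallyDangerousFunction` begins before this hunk.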
04e329
diff --git a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
04e329
similarity index 86%
04e329
rename from .lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
04e329
rename to .github/codeql-queries/UninitializedVariableWithCleanup.ql
04e329
index 6b3b62f8bc..e514111f28 100644
04e329
--- a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
04e329
+++ b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
04e329
@@ -50,16 +50,16 @@ class UninitialisedLocalReachability extends StackVariableReachability {
04e329
    * fun(&x);
04e329
    * puts(x);
04e329
    *
04e329
-   * `useOfVarActual()` won't treat this an an uninitialized read even if the callee
04e329
+   * `useOfVarActual()` won't treat this as an uninitialized read even if the callee
04e329
    * doesn't modify the argument, however, `useOfVar()` will
04e329
    */
04e329
   override predicate isSink(ControlFlowNode node, StackVariable v) { useOfVar(v, node) }
04e329
 
04e329
   override predicate isBarrier(ControlFlowNode node, StackVariable v) {
04e329
-    // only report the _first_ possibly uninitialized use
04e329
+    /* only report the _first_ possibly uninitialized use */
04e329
     useOfVar(v, node) or
04e329
     (
04e329
-      /* If there's an return statement somewhere between the variable declaration
04e329
+      /* If there's a return statement somewhere between the variable declaration
04e329
        * and a possible definition, don't accept is as a valid initialization.
04e329
        *
04e329
        * E.g.:
04e329
@@ -71,7 +71,7 @@ class UninitialisedLocalReachability extends StackVariableReachability {
04e329
        * x = malloc(...);
04e329
        *
04e329
        * is not a valid initialization, since we might return from the function
04e329
-       * _before_ the actual iniitialization (emphasis on _might_, since we
04e329
+       * _before_ the actual initialization (emphasis on _might_, since we
04e329
        * don't know if the return statement might ever evaluate to true).
04e329
        */
04e329
       definitionBarrier(v, node) and
04e329
@@ -92,14 +92,14 @@ predicate containsInlineAssembly(Function f) { exists(AsmStmt s | s.getEnclosing
04e329
  * for this check to exclude them.
04e329
  */
04e329
 VariableAccess commonException() {
04e329
-  // If the uninitialized use we've found is in a macro expansion, it's
04e329
-  // typically something like va_start(), and we don't want to complain.
04e329
+  /* If the uninitialized use we've found is in a macro expansion, it's
04e329
+   * typically something like va_start(), and we don't want to complain. */
04e329
   result.getParent().isInMacroExpansion()
04e329
   or
04e329
   result.getParent() instanceof BuiltInOperation
04e329
   or
04e329
-  // Finally, exclude functions that contain assembly blocks. It's
04e329
-  // anyone's guess what happens in those.
04e329
+  /* Finally, exclude functions that contain assembly blocks. It's
04e329
+   * anyone's guess what happens in those. */
04e329
   containsInlineAssembly(result.getEnclosingFunction())
04e329
 }
04e329
 
04e329
diff --git a/.github/codeql-queries/qlpack.yml b/.github/codeql-queries/qlpack.yml
04e329
new file mode 100644
04e329
index 0000000000..a1a2dec6d6
04e329
--- /dev/null
04e329
+++ b/.github/codeql-queries/qlpack.yml
04e329
@@ -0,0 +1,11 @@
04e329
+---
04e329
+# vi: ts=2 sw=2 et syntax=yaml:
04e329
+# SPDX-License-Identifier: LGPL-2.1-or-later
04e329
+
04e329
+library: false
04e329
+name: systemd/cpp-queries
04e329
+version: 0.0.1
04e329
+dependencies:
04e329
+  codeql/cpp-all: "*"
04e329
+  codeql/suite-helpers: "*"
04e329
+extractor: cpp
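Review bot: Both pack dependencies are declared as `"*"`, so the custom queries compile against whatever `codeql/cpp-all` and `codeql/suite-helpers` the action resolves at run time, and a library API change can break or silently change the results of these queries without any change in this repository. If the intent is to always track the libraries bundled with the CodeQL CLI the action ships, a comment saying so would save the next reader the question; otherwise a version range pinned to the release the queries were written against (take it from the bundled pack, I am not asserting a number here) makes the analysis reproducible.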
04e329
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
04e329
new file mode 100644
04e329
index 0000000000..c5426d5686
04e329
--- /dev/null
04e329
+++ b/.github/workflows/codeql.yml
04e329
@@ -0,0 +1,68 @@
04e329
+---
04e329
+# vi: ts=2 sw=2 et:
04e329
+# SPDX-License-Identifier: LGPL-2.1-or-later
04e329
+#
04e329
+name: "CodeQL"
04e329
+
04e329
+on:
04e329
+  pull_request:
04e329
+    branches:
04e329
+      - master
04e329
+      - rhel-*
04e329
+    paths:
04e329
+      - '**/meson.build'
04e329
+      - '.github/**/codeql*'
04e329
+      - 'src/**'
04e329
+      - 'test/**'
04e329
+      - 'tools/**'
04e329
+  push:
04e329
+    branches:
04e329
+      - master
04e329
+      - rhel-*
04e329
+
04e329
+permissions:
04e329
+  contents: read
04e329
+
04e329
+jobs:
04e329
+  analyze:
04e329
+    name: Analyze
04e329
+    runs-on: ubuntu-22.04
04e329
+    concurrency:
04e329
+      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
04e329
+      cancel-in-progress: true
04e329
+    permissions:
04e329
+      actions: read
04e329
+      security-events: write
04e329
+
04e329
+    strategy:
04e329
+      fail-fast: false
04e329
+      matrix:
04e329
+        language: ['cpp', 'python']
04e329
+
04e329
+    steps:
04e329
+    - name: Checkout repository
04e329
+      uses: actions/checkout@v3
04e329
+
04e329
+    - name: Initialize CodeQL
04e329
+      uses: github/codeql-action/init@v2
04e329
+      with:
04e329
+        languages: ${{ matrix.language }}
04e329
+        config-file: ./.github/codeql-config.yml
04e329
+
04e329
+    - name: Install dependencies
04e329
+      if: matrix.language == 'cpp'
04e329
+      run: |
04e329
+        echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
04e329
+        sudo apt-get -y update
04e329
+        sudo apt-get -y build-dep systemd
04e329
+        sudo apt-get -y install libfdisk-dev libpwquality-dev libqrencode-dev libssl-dev libxkbcommon-dev libzstd-dev
04e329
+
04e329
+    - name: Build
04e329
+      if: matrix.language == 'cpp'
04e329
+      run: |
04e329
+        # EL 8 systemd fails to build with newer gnu-efi (3.0.13 on Ubuntu Jammy ATTOW)
04e329
+        meson build -Dlibiptc=false -Dgnu-efi=false
04e329
+        ninja -C build -v
04e329
+
04e329
+    - name: Perform CodeQL Analysis
04e329
+      uses: github/codeql-action/analyze@v2
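Review bot: The job-level `permissions` block (`actions: read`, `security-events: write`) replaces the workflow-level block rather than merging with it, so `contents` falls to `none` for the analyze job and, depending on repository visibility, `actions/checkout` and the CodeQL upload can fail for lack of read access; add `contents: read` next to the two existing scopes, as the upstream CodeQL workflow template does. The three actions are pinned to moving major tags (`actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`); for a job holding `security-events: write`, pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening against a retargeted tag. The `paths` filter applies only to `pull_request`, so every push to `master`/`rhel-*` runs the full build and analysis — presumably intended, but a one-line comment would make that explicit.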
04e329
diff --git a/.lgtm.yml b/.lgtm.yml
04e329
deleted file mode 100644
04e329
index fe93957b67..0000000000
04e329
--- a/.lgtm.yml
04e329
+++ /dev/null
04e329
@@ -1,37 +0,0 @@
04e329
----
04e329
-# vi: ts=2 sw=2 et:
04e329
-
04e329
-# Explicitly enable certain checks which are hidden by default
04e329
-queries:
04e329
-  - include: cpp/bad-strncpy-size
04e329
-  - include: cpp/declaration-hides-variable
04e329
-  - include: cpp/inconsistent-null-check
04e329
-  - include: cpp/mistyped-function-arguments
04e329
-  - include: cpp/nested-loops-with-same-variable
04e329
-  - include: cpp/sizeof-side-effect
04e329
-  - include: cpp/suspicious-pointer-scaling
04e329
-  - include: cpp/suspicious-pointer-scaling-void
04e329
-  - include: cpp/suspicious-sizeof
04e329
-  - include: cpp/unsafe-strcat
04e329
-  - include: cpp/unsafe-strncat
04e329
-  - include: cpp/unsigned-difference-expression-compared-zero
04e329
-  - include: cpp/unused-local-variable
04e329
-  - include:
04e329
-      tags:
04e329
-        - "security"
04e329
-        - "correctness"
04e329
-      severity: "error"
04e329
-
04e329
-extraction:
04e329
-  cpp:
04e329
-    prepare:
04e329
-      packages:
04e329
-        - python3-pip
04e329
-        - python3-setuptools
04e329
-        - python3-wheel
04e329
-    after_prepare:
04e329
-      - pip3 install meson
04e329
-      - export PATH="$HOME/.local/bin/:$PATH"
04e329
-  python:
04e329
-    python_setup:
04e329
-      version: 3