You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
304 lines
10 KiB
304 lines
10 KiB
8 months ago
|
From 2b1dbcab1af1a22f3a46fa23aa551a7394673938 Mon Sep 17 00:00:00 2001
|
||
|
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
||
|
Date: Thu, 15 Sep 2022 15:29:23 +0200
|
||
|
Subject: [PATCH] ci: replace LGTM with CodeQL
|
||
|
|
||
|
As LGTM is going to be shut down by EOY, let's use CodeQL instead.
|
||
|
|
||
|
This is loosely based on upstream's CodeQL configs with some minor
|
||
|
tweaks to avoid backporting tons of unrelated commits.
|
||
|
|
||
|
rhel-only
|
||
|
Related: #2122499
|
||
|
---
|
||
|
.github/codeql-config.yml | 12 ++++
|
||
|
.github/codeql-custom.qls | 44 ++++++++++++
|
||
|
.../PotentiallyDangerousFunction.ql | 3 +
|
||
|
.../UninitializedVariableWithCleanup.ql | 16 ++---
|
||
|
.github/codeql-queries/qlpack.yml | 11 +++
|
||
|
.github/workflows/codeql.yml | 68 +++++++++++++++++++
|
||
|
.lgtm.yml | 37 ----------
|
||
|
7 files changed, 146 insertions(+), 45 deletions(-)
|
||
|
create mode 100644 .github/codeql-config.yml
|
||
|
create mode 100644 .github/codeql-custom.qls
|
||
|
rename {.lgtm/cpp-queries => .github/codeql-queries}/PotentiallyDangerousFunction.ql (93%)
|
||
|
rename {.lgtm/cpp-queries => .github/codeql-queries}/UninitializedVariableWithCleanup.ql (86%)
|
||
|
create mode 100644 .github/codeql-queries/qlpack.yml
|
||
|
create mode 100644 .github/workflows/codeql.yml
|
||
|
delete mode 100644 .lgtm.yml
|
||
|
|
||
|
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
|
||
|
new file mode 100644
|
||
|
index 0000000000..7c01d32caa
|
||
|
--- /dev/null
|
||
|
+++ b/.github/codeql-config.yml
|
||
|
@@ -0,0 +1,12 @@
|
||
|
+---
|
||
|
+# vi: ts=2 sw=2 et:
|
||
|
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
||
|
+name: "CodeQL config"
|
||
|
+
|
||
|
+disable-default-queries: false
|
||
|
+
|
||
|
+queries:
|
||
|
+ - name: Enable possibly useful queries which are disabled by default
|
||
|
+ uses: ./.github/codeql-custom.qls
|
||
|
+ - name: systemd-specific CodeQL queries
|
||
|
+ uses: ./.github/codeql-queries/
|
||
|
diff --git a/.github/codeql-custom.qls b/.github/codeql-custom.qls
|
||
|
new file mode 100644
|
||
|
index 0000000000..d35fbe3114
|
||
|
--- /dev/null
|
||
|
+++ b/.github/codeql-custom.qls
|
||
|
@@ -0,0 +1,44 @@
|
||
|
+---
|
||
|
+# vi: ts=2 sw=2 et syntax=yaml:
|
||
|
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
||
|
+#
|
||
|
+# Note: it is not recommended to directly reference the respective queries from
|
||
|
+# the github/codeql repository, so we have to "dance" around it using
|
||
|
+# a custom QL suite
|
||
|
+# See:
|
||
|
+# - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#running-additional-queries
|
||
|
+# - https://github.com/github/codeql-action/issues/430#issuecomment-806092120
|
||
|
+# - https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/
|
||
|
+
|
||
|
+# Note: the codeql/<lang>-queries pack name can be found in the CodeQL repo[0]
|
||
|
+# in <lang>/ql/src/qlpack.yml. The respective codeql-suites are then
|
||
|
+# under <lang>/ql/src/codeql-suites/.
|
||
|
+#
|
||
|
+# [0] https://github.com/github/codeql
|
||
|
+- import: codeql-suites/cpp-lgtm.qls
|
||
|
+ from: codeql/cpp-queries
|
||
|
+- import: codeql-suites/python-lgtm.qls
|
||
|
+ from: codeql/python-queries
|
||
|
+- include:
|
||
|
+ id:
|
||
|
+ - cpp/bad-strncpy-size
|
||
|
+ - cpp/declaration-hides-variable
|
||
|
+ - cpp/include-non-header
|
||
|
+ - cpp/inconsistent-null-check
|
||
|
+ - cpp/mistyped-function-arguments
|
||
|
+ - cpp/nested-loops-with-same-variable
|
||
|
+ - cpp/sizeof-side-effect
|
||
|
+ - cpp/suspicious-pointer-scaling
|
||
|
+ - cpp/suspicious-pointer-scaling-void
|
||
|
+ - cpp/suspicious-sizeof
|
||
|
+ - cpp/unsafe-strcat
|
||
|
+ - cpp/unsafe-strncat
|
||
|
+ - cpp/unsigned-difference-expression-compared-zero
|
||
|
+ - cpp/unused-local-variable
|
||
|
+ tags:
|
||
|
+ - "security"
|
||
|
+ - "correctness"
|
||
|
+ severity: "error"
|
||
|
+- exclude:
|
||
|
+ id:
|
||
|
+ - cpp/fixme-comment
|
||
|
diff --git a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
|
||
|
similarity index 93%
|
||
|
rename from .lgtm/cpp-queries/PotentiallyDangerousFunction.ql
|
||
|
rename to .github/codeql-queries/PotentiallyDangerousFunction.ql
|
||
|
index 39e8dddd13..63fd14e75f 100644
|
||
|
--- a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql
|
||
|
+++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql
|
||
|
@@ -46,6 +46,9 @@ predicate potentiallyDangerousFunction(Function f, string message) {
|
||
|
) or (
|
||
|
f.getQualifiedName() = "accept" and
|
||
|
message = "Call to accept() is not O_CLOEXEC-safe. Use accept4() instead."
|
||
|
+ ) or (
|
||
|
+ f.getQualifiedName() = "dirname" and
|
||
|
+ message = "Call dirname() is icky. Use path_extract_directory() instead."
|
||
|
)
|
||
|
}
|
||
|
|
||
|
diff --git a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
|
||
|
similarity index 86%
|
||
|
rename from .lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
|
||
|
rename to .github/codeql-queries/UninitializedVariableWithCleanup.ql
|
||
|
index 6b3b62f8bc..e514111f28 100644
|
||
|
--- a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
|
||
|
+++ b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
|
||
|
@@ -50,16 +50,16 @@ class UninitialisedLocalReachability extends StackVariableReachability {
|
||
|
* fun(&x);
|
||
|
* puts(x);
|
||
|
*
|
||
|
- * `useOfVarActual()` won't treat this an an uninitialized read even if the callee
|
||
|
+ * `useOfVarActual()` won't treat this as an uninitialized read even if the callee
|
||
|
* doesn't modify the argument, however, `useOfVar()` will
|
||
|
*/
|
||
|
override predicate isSink(ControlFlowNode node, StackVariable v) { useOfVar(v, node) }
|
||
|
|
||
|
override predicate isBarrier(ControlFlowNode node, StackVariable v) {
|
||
|
- // only report the _first_ possibly uninitialized use
|
||
|
+ /* only report the _first_ possibly uninitialized use */
|
||
|
useOfVar(v, node) or
|
||
|
(
|
||
|
- /* If there's an return statement somewhere between the variable declaration
|
||
|
+ /* If there's a return statement somewhere between the variable declaration
|
||
|
* and a possible definition, don't accept is as a valid initialization.
|
||
|
*
|
||
|
* E.g.:
|
||
|
@@ -71,7 +71,7 @@ class UninitialisedLocalReachability extends StackVariableReachability {
|
||
|
* x = malloc(...);
|
||
|
*
|
||
|
* is not a valid initialization, since we might return from the function
|
||
|
- * _before_ the actual iniitialization (emphasis on _might_, since we
|
||
|
+ * _before_ the actual initialization (emphasis on _might_, since we
|
||
|
* don't know if the return statement might ever evaluate to true).
|
||
|
*/
|
||
|
definitionBarrier(v, node) and
|
||
|
@@ -92,14 +92,14 @@ predicate containsInlineAssembly(Function f) { exists(AsmStmt s | s.getEnclosing
|
||
|
* for this check to exclude them.
|
||
|
*/
|
||
|
VariableAccess commonException() {
|
||
|
- // If the uninitialized use we've found is in a macro expansion, it's
|
||
|
- // typically something like va_start(), and we don't want to complain.
|
||
|
+ /* If the uninitialized use we've found is in a macro expansion, it's
|
||
|
+ * typically something like va_start(), and we don't want to complain. */
|
||
|
result.getParent().isInMacroExpansion()
|
||
|
or
|
||
|
result.getParent() instanceof BuiltInOperation
|
||
|
or
|
||
|
- // Finally, exclude functions that contain assembly blocks. It's
|
||
|
- // anyone's guess what happens in those.
|
||
|
+ /* Finally, exclude functions that contain assembly blocks. It's
|
||
|
+ * anyone's guess what happens in those. */
|
||
|
containsInlineAssembly(result.getEnclosingFunction())
|
||
|
}
|
||
|
|
||
|
diff --git a/.github/codeql-queries/qlpack.yml b/.github/codeql-queries/qlpack.yml
|
||
|
new file mode 100644
|
||
|
index 0000000000..a1a2dec6d6
|
||
|
--- /dev/null
|
||
|
+++ b/.github/codeql-queries/qlpack.yml
|
||
|
@@ -0,0 +1,11 @@
|
||
|
+---
|
||
|
+# vi: ts=2 sw=2 et syntax=yaml:
|
||
|
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
||
|
+
|
||
|
+library: false
|
||
|
+name: systemd/cpp-queries
|
||
|
+version: 0.0.1
|
||
|
+dependencies:
|
||
|
+ codeql/cpp-all: "*"
|
||
|
+ codeql/suite-helpers: "*"
|
||
|
+extractor: cpp
|
||
|
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
|
||
|
new file mode 100644
|
||
|
index 0000000000..c5426d5686
|
||
|
--- /dev/null
|
||
|
+++ b/.github/workflows/codeql.yml
|
||
|
@@ -0,0 +1,68 @@
|
||
|
+---
|
||
|
+# vi: ts=2 sw=2 et:
|
||
|
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
||
|
+#
|
||
|
+name: "CodeQL"
|
||
|
+
|
||
|
+on:
|
||
|
+ pull_request:
|
||
|
+ branches:
|
||
|
+ - master
|
||
|
+ - rhel-*
|
||
|
+ paths:
|
||
|
+ - '**/meson.build'
|
||
|
+ - '.github/**/codeql*'
|
||
|
+ - 'src/**'
|
||
|
+ - 'test/**'
|
||
|
+ - 'tools/**'
|
||
|
+ push:
|
||
|
+ branches:
|
||
|
+ - master
|
||
|
+ - rhel-*
|
||
|
+
|
||
|
+permissions:
|
||
|
+ contents: read
|
||
|
+
|
||
|
+jobs:
|
||
|
+ analyze:
|
||
|
+ name: Analyze
|
||
|
+ runs-on: ubuntu-22.04
|
||
|
+ concurrency:
|
||
|
+ group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
|
||
|
+ cancel-in-progress: true
|
||
|
+ permissions:
|
||
|
+ actions: read
|
||
|
+ security-events: write
|
||
|
+
|
||
|
+ strategy:
|
||
|
+ fail-fast: false
|
||
|
+ matrix:
|
||
|
+ language: ['cpp', 'python']
|
||
|
+
|
||
|
+ steps:
|
||
|
+ - name: Checkout repository
|
||
|
+ uses: actions/checkout@v3
|
||
|
+
|
||
|
+ - name: Initialize CodeQL
|
||
|
+ uses: github/codeql-action/init@v2
|
||
|
+ with:
|
||
|
+ languages: ${{ matrix.language }}
|
||
|
+ config-file: ./.github/codeql-config.yml
|
||
|
+
|
||
|
+ - name: Install dependencies
|
||
|
+ if: matrix.language == 'cpp'
|
||
|
+ run: |
|
||
|
+ echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
|
||
|
+ sudo apt-get -y update
|
||
|
+ sudo apt-get -y build-dep systemd
|
||
|
+ sudo apt-get -y install libfdisk-dev libpwquality-dev libqrencode-dev libssl-dev libxkbcommon-dev libzstd-dev
|
||
|
+
|
||
|
+ - name: Build
|
||
|
+ if: matrix.language == 'cpp'
|
||
|
+ run: |
|
||
|
+ # EL 8 systemd fails to build with newer gnu-efi (3.0.13 on Ubuntu Jammy ATTOW)
|
||
|
+ meson build -Dlibiptc=false -Dgnu-efi=false
|
||
|
+ ninja -C build -v
|
||
|
+
|
||
|
+ - name: Perform CodeQL Analysis
|
||
|
+ uses: github/codeql-action/analyze@v2
|
||
|
diff --git a/.lgtm.yml b/.lgtm.yml
|
||
|
deleted file mode 100644
|
||
|
index fe93957b67..0000000000
|
||
|
--- a/.lgtm.yml
|
||
|
+++ /dev/null
|
||
|
@@ -1,37 +0,0 @@
|
||
|
----
|
||
|
-# vi: ts=2 sw=2 et:
|
||
|
-
|
||
|
-# Explicitly enable certain checks which are hidden by default
|
||
|
-queries:
|
||
|
- - include: cpp/bad-strncpy-size
|
||
|
- - include: cpp/declaration-hides-variable
|
||
|
- - include: cpp/inconsistent-null-check
|
||
|
- - include: cpp/mistyped-function-arguments
|
||
|
- - include: cpp/nested-loops-with-same-variable
|
||
|
- - include: cpp/sizeof-side-effect
|
||
|
- - include: cpp/suspicious-pointer-scaling
|
||
|
- - include: cpp/suspicious-pointer-scaling-void
|
||
|
- - include: cpp/suspicious-sizeof
|
||
|
- - include: cpp/unsafe-strcat
|
||
|
- - include: cpp/unsafe-strncat
|
||
|
- - include: cpp/unsigned-difference-expression-compared-zero
|
||
|
- - include: cpp/unused-local-variable
|
||
|
- - include:
|
||
|
- tags:
|
||
|
- - "security"
|
||
|
- - "correctness"
|
||
|
- severity: "error"
|
||
|
-
|
||
|
-extraction:
|
||
|
- cpp:
|
||
|
- prepare:
|
||
|
- packages:
|
||
|
- - python3-pip
|
||
|
- - python3-setuptools
|
||
|
- - python3-wheel
|
||
|
- after_prepare:
|
||
|
- - pip3 install meson
|
||
|
- - export PATH="$HOME/.local/bin/:$PATH"
|
||
|
- python:
|
||
|
- python_setup:
|
||
|
- version: 3
|