Meta: Enable CodeQL static analysis for Serenity

CodeQL is a static analysis technology that was purchased by GitHub and has been tightly integrated into the platform. It's different from most other static analysis solutions because it's based on a database built from your codebase, and then language specific rules can be executed against that database. The rules are fully user extensible, and are written in a datalog/query language. The default cpp language rules coming from CodeQL will probably find some issues, the ability to easily write custom rules/queries will lend it self nicely to allowing us to validate Serenity specific semantics are followed throughout the code. References: - https://www.youtube.com/watch?v=AMzGorD28Ks - https://securitylab.github.com/tools/codeql
Author: https://github.com/bgianfo Commit: https://github.com/SerenityOS/serenity/commit/f0bf7234240 Pull-request: https://github.com/SerenityOS/serenity/pull/4175
2024-09-29 08:11:13 +00:00 · 2020-11-26 00:16:50 -08:00 · 2020-11-26 00:16:50 -08:00 · f0bf723424 · 2024-07-19 01:15:50 +09:00
parent 922d0759b0
commit f0bf723424
2 changed files with 19 additions and 0 deletions
--- a/.github/codeql/config.yml
+++ b/.github/codeql/config.yml
@ -0,0 +1,8 @@
+name: "SerenityOS CodeQL Config"
+
+queries:
+ - uses: security-and-quality
+ - uses: security-extended 
+
+# Documentation for configuring CodeQL is located here:
+# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning
--- a/.github/workflows/cmake.yml
+++ b/.github/workflows/cmake.yml
@ -49,6 +49,7 @@ jobs:
        key: ${{ runner.os }}-toolchain-${{ hashFiles('Libraries/LibC/**/*.h', 'Toolchain/Patches/*.patch') }}
    - name: Restore or regenerate Toolchain
      run: TRY_USE_LOCAL_TOOLCHAIN=y ${{ github.workspace }}/Toolchain/BuildIt.sh
+
    # TODO: ccache
    # https://cristianadam.eu/20200113/speeding-up-c-plus-plus-github-actions-using-ccache/
    # https://github.com/cristianadam/HelloWorld/blob/master/.github/workflows/build_cmake.yml
@ -63,6 +64,12 @@ jobs:

    # === ACTUALLY BUILD AND TEST ===

+    - name: Initialize CodeQL Static Analysis for C++
+      uses: github/codeql-action/init@v1
+      with:
+        languages: cpp
+        config-file: ./.github/codeql/config.yml
+
    - name: Build Serenity and Tests
      working-directory: ${{ github.workspace }}/Build
      run: cmake --build . -j2
@ -76,6 +83,10 @@ jobs:
      working-directory: ${{ github.workspace }}/Build/Meta/Lagom
      run: DISABLE_DBG_OUTPUT=1 ./test-js

+     # Run analysis last, so contributors get lint/test feedback ASAP.
+    - name: Perform post build CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
+
    # === NOTIFICATIONS ===

    - name: Dump event info