-
Notifications
You must be signed in to change notification settings - Fork 822
153 lines (139 loc) · 5.99 KB
/
Copy pathcodeql.yml
File metadata and controls
153 lines (139 loc) · 5.99 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# Copyright (C) 2019 Intel Corporation. All rights reserved.
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
name: "CodeQL"
on:
# run on every push to the feature-development branch
# the main branch is covered by below cron plan
push:
branches:
- dev/**
# scan pull requests so findings surface on the PR instead of only post-merge
pull_request:
# midnight UTC on the latest commit on the main branch
schedule:
- cron: "0 0 * * *"
# allow to be triggered manually
workflow_dispatch:
# Serialize CodeQL runs per PR / branch. Only a pull_request cancels its own
# superseded run - once a PR head is replaced the old analysis is throwaway.
# Pushes to dev/** and the nightly cron are left to finish, so branch and
# scheduled scans are never dropped.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
analyze:
# Pull requests: only scan when the head branch lives in this same
# repository. A pull request from a fork runs with a read-only GITHUB_TOKEN
# (no `security-events: write`), so uploading results and reading
# code-scanning alerts is not permitted and the job would fail; skip it
# cleanly instead. Other events (push to dev/**, the nightly cron, manual
# runs) keep the original behavior of running only on the upstream repo.
if: >-
(github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository)
|| (github.event_name != 'pull_request' &&
github.repository == 'bytecodealliance/wasm-micro-runtime')
name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
# But it is not free, so please be aware of the cost.
runs-on: ubuntu-22.04
timeout-minutes: 360
strategy:
fail-fast: false
matrix:
#TODO: add actions
language: ["cpp"]
permissions:
contents: read
actions: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v7.0.0
with:
submodules: recursive
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v4.37.0
with:
languages: ${{ matrix.language }}
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
queries: security-and-quality
config-file: ./.github/codeql/codeql_config.yml
- run: |
./.github/scripts/codeql_buildscript.sh || exit 1
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4.37.0
with:
category: "/language:${{matrix.language}}"
upload: false
id: step1
# - cpp/alloca-in-loop is about touch_pages() which is intended to
# - cpp/command-line-injection is about bh_system() which is used to
# - cpp/path-injection is used in bh_read_file_to_buffer() to load a .wasm.
# or operate a stack usage file which is not sensitive or generate a .aot
# - cpp/suspicious-pointer-scaling
# - wasm_runtime_invoke_native() used to trivial registers
# - cpp/uncontrolled-process-operation is about dlopen() which is used by
# native libraries registrations.
# - cpp/world-writable-file-creation is about fopen() a temporary file
# for perf-PID.map or .aot(wamrc). The permission isn't sensitive.
# file.
#
# execute customized compiler
- name: Filter out unwanted errors and warnings
uses: advanced-security/filter-sarif@v1
with:
patterns: |
## Exclude files and directories
-**/build/**
-**/core/deps/**
-**/cmake*/Modules/**
-**/test*/**
-**/wasm-app*/**
## Exclude rules 1. Related to formatting, style
-**:cpp/commented-out-code
-**:cpp/complex-condition
-**:cpp/empty-if
-**:cpp/fixme-comment
-**:cpp/include-non-header
-**:cpp/long-switch
-**:cpp/poorly-documented-function
-**:cpp/trivial-switch
-**:cpp/unused-local-variable
-**:cpp/unused-static-function
-**:cpp/unused-static-variable
-**:cpp/use-of-goto
## Exclude rules 2. Related to special usage of APIs
-**:cpp/alloca-in-loop
-**:cpp/command-line-injection
-**:cpp/path-injection
-core/iwasm/common/wasm_runtime_common.c:cpp/suspicious-pointer-scaling
-**:cpp/uncontrolled-process-operation
-**:cpp/world-writable-file-creation
input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
- name: Upload CodeQL results to code scanning
uses: github/codeql-action/upload-sarif@v4.37.0
with:
sarif_file: ${{ steps.step1.outputs.sarif-output }}
category: "/language:${{matrix.language}}"
- name: Upload CodeQL results as an artifact
uses: actions/upload-artifact@v7.0.1
with:
name: codeql-results
path: ${{ steps.step1.outputs.sarif-output }}
retention-days: 10
- name: Fail if an error is found
run: |
./.github/scripts/codeql_fail_on_error.py \
${{ steps.step1.outputs.sarif-output }}/cpp.sarif
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}