diff --git a/.github/codeql/codeql-coding-standard.yml b/.github/codeql/codeql-coding-standard.yml
new file mode 100644
index 000000000..33fe42523
--- /dev/null
+++ b/.github/codeql/codeql-coding-standard.yml
@@ -0,0 +1,20 @@
+name: "CodeQL Coding Standard Configuration File"
+
+disable-default-queries: true
+
+queries:
+ - name: JPL Rules
+ uses: ./codeql/cpp/ql/src/JPL_C
+ - name: MISRA Rule 9-5-1
+ uses: ./codeql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql
+ - name: MISRA Rule 5-18-1
+ uses: ./codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql
+ - name: MISRA 6-2-2
+ uses: ./codeql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql
+ - name: MISRA Rule 5-14-1
+ uses: ./codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
+ - name: MISRA Rule 5-3-2
+ uses: ./codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
+ - name: MISRA Rule 7-5-2
+ uses: ./codeql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql
+
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
deleted file mode 100644
index 8cfafe37a..000000000
--- a/.github/codeql/codeql-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-name: "CodeQL Configuration File"
-
-queries:
- - uses: security-and-quality
- - uses: security-extended
diff --git a/.github/codeql/codeql-security.yml b/.github/codeql/codeql-security.yml
new file mode 100644
index 000000000..11280c908
--- /dev/null
+++ b/.github/codeql/codeql-security.yml
@@ -0,0 +1,7 @@
+name: "CodeQL Security Configuration File"
+
+queries:
+ - name: Security and Quality
+ uses: security-and-quality
+ - name: Security Extended
+ uses: security-extended
diff --git a/.github/workflows/codeql-build.yml b/.github/workflows/codeql-build.yml
index 838f44ecb..e52049a07 100644
--- a/.github/workflows/codeql-build.yml
+++ b/.github/workflows/codeql-build.yml
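Review bot: In codeql-coding-standard.yml the entries `MISRA Rule 5-14-1` and `MISRA Rule 5-3-2` both point at the same query, `jsf/4.21 Operators/AV Rule 165.ql`, which looks like a copy-paste slip — if the two MISRA rules are distinct, as their numbering suggests, at most one mapping is right, and listing one `.ql` twice just runs it twice and duplicates its alerts. Check which JSF rule 5-14-1 was meant to map to and correct that `uses:` line (or drop the entry). The `name:` values are also inconsistent — `MISRA 6-2-2` lacks the `Rule` word the others carry, and `name` is what readers see in the alert listing. Worth documenting in the file that the `./codeql/...` paths only resolve because the workflow checks out `github/codeql` into `codeql/`, e.g. a header comment `# Query paths are relative to the github/codeql checkout made by codeql-build.yml (path: codeql)`.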
@@ -28,7 +28,7 @@ jobs: do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' - CodeQL-Build: + CodeQL-Security-Build: #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. needs: check-for-duplicates if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} @@ -55,7 +55,61 @@ jobs: uses: github/codeql-action/init@v1 with: languages: c - config-file: ./.github/codeql/codeql-config.yml + config-file: ./.github/codeql/codeql-security.yml + + # Setup the build system + - name: Copy sample_defs + if: ${{ !steps.skip-workflow.outputs.skip }} + run: | + cp ./cfe/cmake/Makefile.sample Makefile + cp -r ./cfe/cmake/sample_defs sample_defs + + # Setup the build system + - name: Make Install + if: ${{ !steps.skip-workflow.outputs.skip }} + run: make + + # Run CodeQL + - name: Perform CodeQL Analysis + if: ${{ !steps.skip-workflow.outputs.skip }} + uses: github/codeql-action/analyze@v1 + + CodeQL-Coding-Standard-Build: + #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests. + needs: check-for-duplicates + if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} + runs-on: ubuntu-18.04 + timeout-minutes: 15 + + steps: + # Checks out a copy of your repository + - name: Checkout code + if: ${{ !steps.skip-workflow.outputs.skip }} + uses: actions/checkout@v2 + with: + repository: nasa/cFS + submodules: true + + - name: Check versions + if: ${{ !steps.skip-workflow.outputs.skip }} + run: | + git log -1 --pretty=oneline + git submodule + + - name: Checkout codeql code + if: ${{ !steps.skip-workflow.outputs.skip }} + uses: actions/checkout@v2 + with: + repository: github/codeql + submodules: true + path: codeql + + - name: Initialize CodeQL + if: ${{ !steps.skip-workflow.outputs.skip }} + uses: github/codeql-action/init@v1 + with: + languages: c + config-file: ./.github/codeql/codeql-coding-standard.yml # Setup the build system - name: Copy sample_defs
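Review bot: Every step in the new `CodeQL-Coding-Standard-Build` job is guarded with `if: ${{ !steps.skip-workflow.outputs.skip }}`, but no step in that job has `id: skip-workflow` (its first step, `Checkout code`, is in the hunk and carries no id), so the expression should always evaluate to the negation of an empty value, i.e. true, and the guards never skip anything — the job-level `if:` on `needs.check-for-duplicates.outputs.should_skip` is what actually gates it. Either drop those `if:` lines from this job or add the step that sets that output; as written they read as protection that isn't there. The `Checkout codeql code` step also fetches `github/codeql` with no `ref:`, so the JSF/JPL query paths and results depend on whatever the upstream default branch is at run time; pin it, e.g. `ref: <tag or commit SHA>` under `with:`, so the coding-standard run is reproducible rather than a floating dependency on a third-party repository. `Checkout code` likewise fetches `repository: nasa/cFS` rather than the triggering repository/PR head, so a pull request is only analysed through whatever commit the nasa/cFS submodule pointers reference — presumably intentional for a bundle build, but it deserves a comment. The job's remaining steps (`Copy sample_defs` onward) continue past the end of the hunk.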