From b12e9534c3ae4be61055d1aac2576700e73bf0ef Mon Sep 17 00:00:00 2001
From: Milan Broz
Date: Tue, 7 Mar 2023 13:51:04 +0100
Subject: [PATCH] Replace LGTM with GitHub CodeQL.
Many warnings silenced for now.
---
 .codeql-config.yml | 31 +++++++++++++
 .github/workflows/cibuild-setup-ubuntu.sh | 2 +-
 .github/workflows/codeql.yml | 53 +++++++++++++++++++++++
 .lgtm.yml | 11 -----
 4 files changed, 85 insertions(+), 12 deletions(-)
 create mode 100644 .codeql-config.yml
 create mode 100644 .github/workflows/codeql.yml
 delete mode 100644 .lgtm.yml
diff --git a/.codeql-config.yml b/.codeql-config.yml
new file mode 100644
index 00000000..1311657c
--- /dev/null
+++ b/.codeql-config.yml
@@ -0,0 +1,31 @@
+name: "Cryptsetup CodeQL config"
+
+query-filters:
+- exclude:
+ id: cpp/fixme-comment
+- exclude:
+ id: cpp/empty-block
+- exclude:
+ id: cpp/poorly-documented-function
+- exclude:
+ id: cpp/loop-variable-changed
+- exclude:
+ id: cpp/empty-if
+- exclude:
+ id: cpp/long-switch
+- exclude:
+ id: cpp/complex-condition
+- exclude:
+ id: cpp/commented-out-code
+
+# These produce many false positives
+- exclude:
+ id: cpp/uninitialized-local
+- exclude:
+ id: cpp/path-injection
+- exclude:
+ id: cpp/missing-check-scanf
+
+# CodeQL should understand coverity [toctou] comments
+- exclude:
+ id: cpp/toctou-race-condition
diff --git a/.github/workflows/cibuild-setup-ubuntu.sh b/.github/workflows/cibuild-setup-ubuntu.sh
index 2c0adb2e..e6890846 100755
--- a/.github/workflows/cibuild-setup-ubuntu.sh
+++ b/.github/workflows/cibuild-setup-ubuntu.sh
@@ -7,7 +7,7 @@ PACKAGES=(
 gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
- asciidoctor
+ asciidoctor meson ninja-build
 )
 COMPILER="${COMPILER:?}"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..047005b6
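Review bot: The two commented exclude groups at the end of `.codeql-config.yml` switch off whole security queries (`cpp/uninitialized-local`, `cpp/path-injection`, `cpp/missing-check-scanf`, `cpp/toctou-race-condition`) for the entire tree, so genuine findings in those classes are dropped together with the false positives and nothing records when the exclusions should be lifted. As far as I know CodeQL does not read Coverity-style `coverity[toctou]` annotations, so the comment above the last exclude states an expectation rather than a behavior, and the annotated call sites still have to be dismissed individually. Prefer dismissing the noisy alerts in the code-scanning UI (dismissals are tracked per alert and survive re-analysis) and keeping only the pure quality queries in this file; if the exclusions must stay, replace the two comments with one that states the exit condition, e.g. `# TEMPORARY: security queries excluded until the existing alerts are triaged; CodeQL does not honor coverity[...] suppression comments, so this hides every TOCTOU alert, not only the annotated ones`.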
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,53 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches:
+ - 'main'
+ - 'wip-luks2'
+ - 'v2.3.x'
+ - 'v2.4.x'
+ paths-ignore:
+ - 'docs/**'
+ - 'lib/crypto_backend/argon2/**'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ if: github.repository == 'mbroz/cryptsetup'
+ concurrency:
+ group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
+ cancel-in-progress: true
+ permissions:
+ actions: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-extended,security-and-quality
+ config-file: .codeql-config.yml
+
+ - name: Install dependencies
+ run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
+ env: { COMPILER: "gcc", COMPILER_VERSION: "11", RUN_SSH_PLUGIN_TEST: "1" }
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
diff --git a/.lgtm.yml b/.lgtm.yml
deleted file mode 100644
index 64d9cc8e..00000000
--- a/.lgtm.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-queries:
- - exclude: cpp/fixme-comment
- - exclude: cpp/empty-block
-# symver attribute detection cannot be used, disable it for lgtm
-extraction:
- cpp:
- configure:
- command:
- - "./autogen.sh"
- - "./configure --enable-external-tokens --enable-ssh-token"
- - "echo \"#undef HAVE_ATTRIBUTE_SYMVER\" >> config.h"
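Review bot: Every `uses:` in the new `codeql.yml` references a mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`), so a force-pushed or compromised tag would run arbitrary code in a job that holds `security-events: write` and runs `sudo -E` over the repository's own setup script. Pin each action to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<40-hex-sha> # v3`, and let a Dependabot `github-actions` entry move the pins. Since the checkout is followed by third-party action code and the workflow only needs `contents: read`, also add `with: persist-credentials: false` to the checkout step so the GITHUB_TOKEN is not left in `.git/config` for later steps. The `if: github.repository == 'mbroz/cryptsetup'` guard and the read-only top-level permissions are good; note that with only a `push` trigger, forks and pull requests are never scanned, which looks intentional but is worth stating in a comment above `on:`.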