naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
6f381c
From 2b1dbcab1af1a22f3a46fa23aa551a7394673938 Mon Sep 17 00:00:00 2001
6f381c
From: Frantisek Sumsal <frantisek@sumsal.cz>
6f381c
Date: Thu, 15 Sep 2022 15:29:23 +0200
6f381c
Subject: [PATCH] ci: replace LGTM with CodeQL
6f381c
6f381c
As LGTM is going to be shut down by EOY, let's use CodeQL instead.
6f381c
6f381c
This is loosely based on upstream's CodeQL configs with some minor
6f381c
tweaks to avoid backporting tons of unrelated commits.
6f381c
6f381c
rhel-only
6f381c
Related: #2122499
6f381c
---
6f381c
 .github/codeql-config.yml                     | 12 ++++
6f381c
 .github/codeql-custom.qls                     | 44 ++++++++++++
6f381c
 .../PotentiallyDangerousFunction.ql           |  3 +
6f381c
 .../UninitializedVariableWithCleanup.ql       | 16 ++---
6f381c
 .github/codeql-queries/qlpack.yml             | 11 +++
6f381c
 .github/workflows/codeql.yml                  | 68 +++++++++++++++++++
6f381c
 .lgtm.yml                                     | 37 ----------
6f381c
 7 files changed, 146 insertions(+), 45 deletions(-)
6f381c
 create mode 100644 .github/codeql-config.yml
6f381c
 create mode 100644 .github/codeql-custom.qls
6f381c
 rename {.lgtm/cpp-queries => .github/codeql-queries}/PotentiallyDangerousFunction.ql (93%)
6f381c
 rename {.lgtm/cpp-queries => .github/codeql-queries}/UninitializedVariableWithCleanup.ql (86%)
6f381c
 create mode 100644 .github/codeql-queries/qlpack.yml
6f381c
 create mode 100644 .github/workflows/codeql.yml
6f381c
 delete mode 100644 .lgtm.yml
6f381c
6f381c
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
6f381c
new file mode 100644
6f381c
index 0000000000..7c01d32caa
6f381c
--- /dev/null
6f381c
+++ b/.github/codeql-config.yml
6f381c
@@ -0,0 +1,12 @@
6f381c
+---
6f381c
+# vi: ts=2 sw=2 et:
6f381c
+# SPDX-License-Identifier: LGPL-2.1-or-later
6f381c
+name: "CodeQL config"
6f381c
+
6f381c
+disable-default-queries: false
6f381c
+
6f381c
+queries:
6f381c
+  - name: Enable possibly useful queries which are disabled by default
6f381c
+    uses: ./.github/codeql-custom.qls
6f381c
+  - name: systemd-specific CodeQL queries
6f381c
+    uses: ./.github/codeql-queries/
6f381c
diff --git a/.github/codeql-custom.qls b/.github/codeql-custom.qls
6f381c
new file mode 100644
6f381c
index 0000000000..d35fbe3114
6f381c
--- /dev/null
6f381c
+++ b/.github/codeql-custom.qls
6f381c
@@ -0,0 +1,44 @@
6f381c
+---
6f381c
+# vi: ts=2 sw=2 et syntax=yaml:
6f381c
+# SPDX-License-Identifier: LGPL-2.1-or-later
6f381c
+#
6f381c
+# Note: it is not recommended to directly reference the respective queries from
6f381c
+#       the github/codeql repository, so we have to "dance" around it using
6f381c
+#       a custom QL suite
6f381c
+# See:
6f381c
+#   - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#running-additional-queries
6f381c
+#   - https://github.com/github/codeql-action/issues/430#issuecomment-806092120
6f381c
+#   - https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/
6f381c
+
6f381c
+# Note: the codeql/<lang>-queries pack name can be found in the CodeQL repo[0]
6f381c
+#       in <lang>/ql/src/qlpack.yml. The respective codeql-suites are then
6f381c
+#       under <lang>/ql/src/codeql-suites/.
6f381c
+#
6f381c
+# [0] https://github.com/github/codeql
6f381c
+- import: codeql-suites/cpp-lgtm.qls
6f381c
+  from: codeql/cpp-queries
6f381c
+- import: codeql-suites/python-lgtm.qls
6f381c
+  from: codeql/python-queries
6f381c
+- include:
6f381c
+    id:
6f381c
+      - cpp/bad-strncpy-size
6f381c
+      - cpp/declaration-hides-variable
6f381c
+      - cpp/include-non-header
6f381c
+      - cpp/inconsistent-null-check
6f381c
+      - cpp/mistyped-function-arguments
6f381c
+      - cpp/nested-loops-with-same-variable
6f381c
+      - cpp/sizeof-side-effect
6f381c
+      - cpp/suspicious-pointer-scaling
6f381c
+      - cpp/suspicious-pointer-scaling-void
6f381c
+      - cpp/suspicious-sizeof
6f381c
+      - cpp/unsafe-strcat
6f381c
+      - cpp/unsafe-strncat
6f381c
+      - cpp/unsigned-difference-expression-compared-zero
6f381c
+      - cpp/unused-local-variable
6f381c
+    tags:
6f381c
+      - "security"
6f381c
+      - "correctness"
6f381c
+    severity: "error"
6f381c
+- exclude:
6f381c
+    id:
6f381c
+      - cpp/fixme-comment
6f381c
diff --git a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
6f381c
similarity index 93%
6f381c
rename from .lgtm/cpp-queries/PotentiallyDangerousFunction.ql
6f381c
rename to .github/codeql-queries/PotentiallyDangerousFunction.ql
6f381c
index 39e8dddd13..63fd14e75f 100644
6f381c
--- a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql
6f381c
+++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql
6f381c
@@ -46,6 +46,9 @@ predicate potentiallyDangerousFunction(Function f, string message) {
6f381c
   ) or (
6f381c
     f.getQualifiedName() = "accept" and
6f381c
     message = "Call to accept() is not O_CLOEXEC-safe. Use accept4() instead."
6f381c
+  ) or (
6f381c
+    f.getQualifiedName() = "dirname" and
6f381c
+    message = "Call dirname() is icky. Use path_extract_directory() instead."
6f381c
   )
6f381c
 }
6f381c
 
6f381c
diff --git a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
6f381c
similarity index 86%
6f381c
rename from .lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
6f381c
rename to .github/codeql-queries/UninitializedVariableWithCleanup.ql
6f381c
index 6b3b62f8bc..e514111f28 100644
6f381c
--- a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
6f381c
+++ b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
6f381c
@@ -50,16 +50,16 @@ class UninitialisedLocalReachability extends StackVariableReachability {
6f381c
    * fun(&x);
6f381c
    * puts(x);
6f381c
    *
6f381c
-   * `useOfVarActual()` won't treat this an an uninitialized read even if the callee
6f381c
+   * `useOfVarActual()` won't treat this as an uninitialized read even if the callee
6f381c
    * doesn't modify the argument, however, `useOfVar()` will
6f381c
    */
6f381c
   override predicate isSink(ControlFlowNode node, StackVariable v) { useOfVar(v, node) }
6f381c
 
6f381c
   override predicate isBarrier(ControlFlowNode node, StackVariable v) {
6f381c
-    // only report the _first_ possibly uninitialized use
6f381c
+    /* only report the _first_ possibly uninitialized use */
6f381c
     useOfVar(v, node) or
6f381c
     (
6f381c
-      /* If there's an return statement somewhere between the variable declaration
6f381c
+      /* If there's a return statement somewhere between the variable declaration
6f381c
        * and a possible definition, don't accept is as a valid initialization.
6f381c
        *
6f381c
        * E.g.:
6f381c
@@ -71,7 +71,7 @@ class UninitialisedLocalReachability extends StackVariableReachability {
6f381c
        * x = malloc(...);
6f381c
        *
6f381c
        * is not a valid initialization, since we might return from the function
6f381c
-       * _before_ the actual iniitialization (emphasis on _might_, since we
6f381c
+       * _before_ the actual initialization (emphasis on _might_, since we
6f381c
        * don't know if the return statement might ever evaluate to true).
6f381c
        */
6f381c
       definitionBarrier(v, node) and
6f381c
@@ -92,14 +92,14 @@ predicate containsInlineAssembly(Function f) { exists(AsmStmt s | s.getEnclosing
6f381c
  * for this check to exclude them.
6f381c
  */
6f381c
 VariableAccess commonException() {
6f381c
-  // If the uninitialized use we've found is in a macro expansion, it's
6f381c
-  // typically something like va_start(), and we don't want to complain.
6f381c
+  /* If the uninitialized use we've found is in a macro expansion, it's
6f381c
+   * typically something like va_start(), and we don't want to complain. */
6f381c
   result.getParent().isInMacroExpansion()
6f381c
   or
6f381c
   result.getParent() instanceof BuiltInOperation
6f381c
   or
6f381c
-  // Finally, exclude functions that contain assembly blocks. It's
6f381c
-  // anyone's guess what happens in those.
6f381c
+  /* Finally, exclude functions that contain assembly blocks. It's
6f381c
+   * anyone's guess what happens in those. */
6f381c
   containsInlineAssembly(result.getEnclosingFunction())
6f381c
 }
6f381c
 
6f381c
diff --git a/.github/codeql-queries/qlpack.yml b/.github/codeql-queries/qlpack.yml
6f381c
new file mode 100644
6f381c
index 0000000000..a1a2dec6d6
6f381c
--- /dev/null
6f381c
+++ b/.github/codeql-queries/qlpack.yml
6f381c
@@ -0,0 +1,11 @@
6f381c
+---
6f381c
+# vi: ts=2 sw=2 et syntax=yaml:
6f381c
+# SPDX-License-Identifier: LGPL-2.1-or-later
6f381c
+
6f381c
+library: false
6f381c
+name: systemd/cpp-queries
6f381c
+version: 0.0.1
6f381c
+dependencies:
6f381c
+  codeql/cpp-all: "*"
6f381c
+  codeql/suite-helpers: "*"
6f381c
+extractor: cpp
6f381c
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
6f381c
new file mode 100644
6f381c
index 0000000000..c5426d5686
6f381c
--- /dev/null
6f381c
+++ b/.github/workflows/codeql.yml
6f381c
@@ -0,0 +1,68 @@
6f381c
+---
6f381c
+# vi: ts=2 sw=2 et:
6f381c
+# SPDX-License-Identifier: LGPL-2.1-or-later
6f381c
+#
6f381c
+name: "CodeQL"
6f381c
+
6f381c
+on:
6f381c
+  pull_request:
6f381c
+    branches:
6f381c
+      - master
6f381c
+      - rhel-*
6f381c
+    paths:
6f381c
+      - '**/meson.build'
6f381c
+      - '.github/**/codeql*'
6f381c
+      - 'src/**'
6f381c
+      - 'test/**'
6f381c
+      - 'tools/**'
6f381c
+  push:
6f381c
+    branches:
6f381c
+      - master
6f381c
+      - rhel-*
6f381c
+
6f381c
+permissions:
6f381c
+  contents: read
6f381c
+
6f381c
+jobs:
6f381c
+  analyze:
6f381c
+    name: Analyze
6f381c
+    runs-on: ubuntu-22.04
6f381c
+    concurrency:
6f381c
+      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
6f381c
+      cancel-in-progress: true
6f381c
+    permissions:
6f381c
+      actions: read
6f381c
+      security-events: write
6f381c
+
6f381c
+    strategy:
6f381c
+      fail-fast: false
6f381c
+      matrix:
6f381c
+        language: ['cpp', 'python']
6f381c
+
6f381c
+    steps:
6f381c
+    - name: Checkout repository
6f381c
+      uses: actions/checkout@v3
6f381c
+
6f381c
+    - name: Initialize CodeQL
6f381c
+      uses: github/codeql-action/init@v2
6f381c
+      with:
6f381c
+        languages: ${{ matrix.language }}
6f381c
+        config-file: ./.github/codeql-config.yml
6f381c
+
6f381c
+    - name: Install dependencies
6f381c
+      if: matrix.language == 'cpp'
6f381c
+      run: |
6f381c
+        echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
6f381c
+        sudo apt-get -y update
6f381c
+        sudo apt-get -y build-dep systemd
6f381c
+        sudo apt-get -y install libfdisk-dev libpwquality-dev libqrencode-dev libssl-dev libxkbcommon-dev libzstd-dev
6f381c
+
6f381c
+    - name: Build
6f381c
+      if: matrix.language == 'cpp'
6f381c
+      run: |
6f381c
+        # EL 8 systemd fails to build with newer gnu-efi (3.0.13 on Ubuntu Jammy ATTOW)
6f381c
+        meson build -Dlibiptc=false -Dgnu-efi=false
6f381c
+        ninja -C build -v
6f381c
+
6f381c
+    - name: Perform CodeQL Analysis
6f381c
+      uses: github/codeql-action/analyze@v2
6f381c
diff --git a/.lgtm.yml b/.lgtm.yml
6f381c
deleted file mode 100644
6f381c
index fe93957b67..0000000000
6f381c
--- a/.lgtm.yml
6f381c
+++ /dev/null
6f381c
@@ -1,37 +0,0 @@
6f381c
----
6f381c
-# vi: ts=2 sw=2 et:
6f381c
-
6f381c
-# Explicitly enable certain checks which are hidden by default
6f381c
-queries:
6f381c
-  - include: cpp/bad-strncpy-size
6f381c
-  - include: cpp/declaration-hides-variable
6f381c
-  - include: cpp/inconsistent-null-check
6f381c
-  - include: cpp/mistyped-function-arguments
6f381c
-  - include: cpp/nested-loops-with-same-variable
6f381c
-  - include: cpp/sizeof-side-effect
6f381c
-  - include: cpp/suspicious-pointer-scaling
6f381c
-  - include: cpp/suspicious-pointer-scaling-void
6f381c
-  - include: cpp/suspicious-sizeof
6f381c
-  - include: cpp/unsafe-strcat
6f381c
-  - include: cpp/unsafe-strncat
6f381c
-  - include: cpp/unsigned-difference-expression-compared-zero
6f381c
-  - include: cpp/unused-local-variable
6f381c
-  - include:
6f381c
-      tags:
6f381c
-        - "security"
6f381c
-        - "correctness"
6f381c
-      severity: "error"
6f381c
-
6f381c
-extraction:
6f381c
-  cpp:
6f381c
-    prepare:
6f381c
-      packages:
6f381c
-        - python3-pip
6f381c
-        - python3-setuptools
6f381c
-        - python3-wheel
6f381c
-    after_prepare:
6f381c
-      - pip3 install meson
6f381c
-      - export PATH="$HOME/.local/bin/:$PATH"
6f381c
-  python:
6f381c
-    python_setup:
6f381c
-      version: 3