b11b5f
From 2b1dbcab1af1a22f3a46fa23aa551a7394673938 Mon Sep 17 00:00:00 2001
b11b5f
From: Frantisek Sumsal <frantisek@sumsal.cz>
b11b5f
Date: Thu, 15 Sep 2022 15:29:23 +0200
b11b5f
Subject: [PATCH] ci: replace LGTM with CodeQL
b11b5f
b11b5f
As LGTM is going to be shut down by EOY, let's use CodeQL instead.
b11b5f
b11b5f
This is loosely based on upstream's CodeQL configs with some minor
b11b5f
tweaks to avoid backporting tons of unrelated commits.
b11b5f
b11b5f
rhel-only
b11b5f
Related: #2122499
b11b5f
---
b11b5f
 .github/codeql-config.yml                     | 12 ++++
b11b5f
 .github/codeql-custom.qls                     | 44 ++++++++++++
b11b5f
 .../PotentiallyDangerousFunction.ql           |  3 +
b11b5f
 .../UninitializedVariableWithCleanup.ql       | 16 ++---
b11b5f
 .github/codeql-queries/qlpack.yml             | 11 +++
b11b5f
 .github/workflows/codeql.yml                  | 68 +++++++++++++++++++
b11b5f
 .lgtm.yml                                     | 37 ----------
b11b5f
 7 files changed, 146 insertions(+), 45 deletions(-)
b11b5f
 create mode 100644 .github/codeql-config.yml
b11b5f
 create mode 100644 .github/codeql-custom.qls
b11b5f
 rename {.lgtm/cpp-queries => .github/codeql-queries}/PotentiallyDangerousFunction.ql (93%)
b11b5f
 rename {.lgtm/cpp-queries => .github/codeql-queries}/UninitializedVariableWithCleanup.ql (86%)
b11b5f
 create mode 100644 .github/codeql-queries/qlpack.yml
b11b5f
 create mode 100644 .github/workflows/codeql.yml
b11b5f
 delete mode 100644 .lgtm.yml
b11b5f
b11b5f
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
b11b5f
new file mode 100644
b11b5f
index 0000000000..7c01d32caa
b11b5f
--- /dev/null
b11b5f
+++ b/.github/codeql-config.yml
b11b5f
@@ -0,0 +1,12 @@
b11b5f
+---
b11b5f
+# vi: ts=2 sw=2 et:
b11b5f
+# SPDX-License-Identifier: LGPL-2.1-or-later
b11b5f
+name: "CodeQL config"
b11b5f
+
b11b5f
+disable-default-queries: false
b11b5f
+
b11b5f
+queries:
b11b5f
+  - name: Enable possibly useful queries which are disabled by default
b11b5f
+    uses: ./.github/codeql-custom.qls
b11b5f
+  - name: systemd-specific CodeQL queries
b11b5f
+    uses: ./.github/codeql-queries/
b11b5f
diff --git a/.github/codeql-custom.qls b/.github/codeql-custom.qls
b11b5f
new file mode 100644
b11b5f
index 0000000000..d35fbe3114
b11b5f
--- /dev/null
b11b5f
+++ b/.github/codeql-custom.qls
b11b5f
@@ -0,0 +1,44 @@
b11b5f
+---
b11b5f
+# vi: ts=2 sw=2 et syntax=yaml:
b11b5f
+# SPDX-License-Identifier: LGPL-2.1-or-later
b11b5f
+#
b11b5f
+# Note: it is not recommended to directly reference the respective queries from
b11b5f
+#       the github/codeql repository, so we have to "dance" around it using
b11b5f
+#       a custom QL suite
b11b5f
+# See:
b11b5f
+#   - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#running-additional-queries
b11b5f
+#   - https://github.com/github/codeql-action/issues/430#issuecomment-806092120
b11b5f
+#   - https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/
b11b5f
+
b11b5f
+# Note: the codeql/<lang>-queries pack name can be found in the CodeQL repo[0]
b11b5f
+#       in <lang>/ql/src/qlpack.yml. The respective codeql-suites are then
b11b5f
+#       under <lang>/ql/src/codeql-suites/.
b11b5f
+#
b11b5f
+# [0] https://github.com/github/codeql
b11b5f
+- import: codeql-suites/cpp-lgtm.qls
b11b5f
+  from: codeql/cpp-queries
b11b5f
+- import: codeql-suites/python-lgtm.qls
b11b5f
+  from: codeql/python-queries
b11b5f
+- include:
b11b5f
+    id:
b11b5f
+      - cpp/bad-strncpy-size
b11b5f
+      - cpp/declaration-hides-variable
b11b5f
+      - cpp/include-non-header
b11b5f
+      - cpp/inconsistent-null-check
b11b5f
+      - cpp/mistyped-function-arguments
b11b5f
+      - cpp/nested-loops-with-same-variable
b11b5f
+      - cpp/sizeof-side-effect
b11b5f
+      - cpp/suspicious-pointer-scaling
b11b5f
+      - cpp/suspicious-pointer-scaling-void
b11b5f
+      - cpp/suspicious-sizeof
b11b5f
+      - cpp/unsafe-strcat
b11b5f
+      - cpp/unsafe-strncat
b11b5f
+      - cpp/unsigned-difference-expression-compared-zero
b11b5f
+      - cpp/unused-local-variable
b11b5f
+    tags:
b11b5f
+      - "security"
b11b5f
+      - "correctness"
b11b5f
+    severity: "error"
b11b5f
+- exclude:
b11b5f
+    id:
b11b5f
+      - cpp/fixme-comment
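Review bot: The single `include` block that closes the suite combines `id`, `tags` and `severity` conditions, and in the CodeQL query-suite syntax every condition inside one `include` block must hold for the same query, so a listed id that is not also tagged security/correctness with severity error (`cpp/unused-local-variable` and `cpp/declaration-hides-variable` look like candidates) would be dropped rather than enabled — the opposite of the per-query `- include:` entries the removed `.lgtm.yml` had. Splitting it restores the intended OR: keep the `id:` list under the existing `- include:` and open a second `- include:` that holds only `tags:` and `severity: "error"`. It is also worth checking the suite documentation for the bare `tags:` key, since the documented tag filter is written `tags contain:`; if the bare form is not recognised the whole block may match nothing without an error.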
b11b5f
diff --git a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
b11b5f
similarity index 93%
b11b5f
rename from .lgtm/cpp-queries/PotentiallyDangerousFunction.ql
b11b5f
rename to .github/codeql-queries/PotentiallyDangerousFunction.ql
b11b5f
index 39e8dddd13..63fd14e75f 100644
b11b5f
--- a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql
b11b5f
+++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql
b11b5f
@@ -46,6 +46,9 @@ predicate potentiallyDangerousFunction(Function f, string message) {
b11b5f
   ) or (
b11b5f
     f.getQualifiedName() = "accept" and
b11b5f
     message = "Call to accept() is not O_CLOEXEC-safe. Use accept4() instead."
b11b5f
+  ) or (
b11b5f
+    f.getQualifiedName() = "dirname" and
b11b5f
+    message = "Call dirname() is icky. Use path_extract_directory() instead."
b11b5f
   )
b11b5f
 }
b11b5f
 
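Review bot: The added `message = "Call dirname() is icky. ..."` line drops the word "to" that the sibling branch right above it uses (`Call to accept() is not O_CLOEXEC-safe ...`), so the new alert reads differently from the rest of the predicate in the code-scanning UI; `message = "Call to dirname() is icky. Use path_extract_directory() instead."` keeps them uniform. The `potentiallyDangerousFunction` predicate starts before this hunk, so the earlier branches are not visible here to confirm the pattern holds throughout.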
b11b5f
diff --git a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
b11b5f
similarity index 86%
b11b5f
rename from .lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
b11b5f
rename to .github/codeql-queries/UninitializedVariableWithCleanup.ql
b11b5f
index 6b3b62f8bc..e514111f28 100644
b11b5f
--- a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql
b11b5f
+++ b/.github/codeql-queries/UninitializedVariableWithCleanup.ql
b11b5f
@@ -50,16 +50,16 @@ class UninitialisedLocalReachability extends StackVariableReachability {
b11b5f
    * fun(&x);
b11b5f
    * puts(x);
b11b5f
    *
b11b5f
-   * `useOfVarActual()` won't treat this an an uninitialized read even if the callee
b11b5f
+   * `useOfVarActual()` won't treat this as an uninitialized read even if the callee
b11b5f
    * doesn't modify the argument, however, `useOfVar()` will
b11b5f
    */
b11b5f
   override predicate isSink(ControlFlowNode node, StackVariable v) { useOfVar(v, node) }
b11b5f
 
b11b5f
   override predicate isBarrier(ControlFlowNode node, StackVariable v) {
b11b5f
-    // only report the _first_ possibly uninitialized use
b11b5f
+    /* only report the _first_ possibly uninitialized use */
b11b5f
     useOfVar(v, node) or
b11b5f
     (
b11b5f
-      /* If there's an return statement somewhere between the variable declaration
b11b5f
+      /* If there's a return statement somewhere between the variable declaration
b11b5f
        * and a possible definition, don't accept is as a valid initialization.
b11b5f
        *
b11b5f
        * E.g.:
b11b5f
@@ -71,7 +71,7 @@ class UninitialisedLocalReachability extends StackVariableReachability {
b11b5f
        * x = malloc(...);
b11b5f
        *
b11b5f
        * is not a valid initialization, since we might return from the function
b11b5f
-       * _before_ the actual iniitialization (emphasis on _might_, since we
b11b5f
+       * _before_ the actual initialization (emphasis on _might_, since we
b11b5f
        * don't know if the return statement might ever evaluate to true).
b11b5f
        */
b11b5f
       definitionBarrier(v, node) and
b11b5f
@@ -92,14 +92,14 @@ predicate containsInlineAssembly(Function f) { exists(AsmStmt s | s.getEnclosing
b11b5f
  * for this check to exclude them.
b11b5f
  */
b11b5f
 VariableAccess commonException() {
b11b5f
-  // If the uninitialized use we've found is in a macro expansion, it's
b11b5f
-  // typically something like va_start(), and we don't want to complain.
b11b5f
+  /* If the uninitialized use we've found is in a macro expansion, it's
b11b5f
+   * typically something like va_start(), and we don't want to complain. */
b11b5f
   result.getParent().isInMacroExpansion()
b11b5f
   or
b11b5f
   result.getParent() instanceof BuiltInOperation
b11b5f
   or
b11b5f
-  // Finally, exclude functions that contain assembly blocks. It's
b11b5f
-  // anyone's guess what happens in those.
b11b5f
+  /* Finally, exclude functions that contain assembly blocks. It's
b11b5f
+   * anyone's guess what happens in those. */
b11b5f
   containsInlineAssembly(result.getEnclosingFunction())
b11b5f
 }
b11b5f
 
b11b5f
diff --git a/.github/codeql-queries/qlpack.yml b/.github/codeql-queries/qlpack.yml
b11b5f
new file mode 100644
b11b5f
index 0000000000..a1a2dec6d6
b11b5f
--- /dev/null
b11b5f
+++ b/.github/codeql-queries/qlpack.yml
b11b5f
@@ -0,0 +1,11 @@
b11b5f
+---
b11b5f
+# vi: ts=2 sw=2 et syntax=yaml:
b11b5f
+# SPDX-License-Identifier: LGPL-2.1-or-later
b11b5f
+
b11b5f
+library: false
b11b5f
+name: systemd/cpp-queries
b11b5f
+version: 0.0.1
b11b5f
+dependencies:
b11b5f
+  codeql/cpp-all: "*"
b11b5f
+  codeql/suite-helpers: "*"
b11b5f
+extractor: cpp
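Review bot: Both entries under `dependencies:` use the wildcard `"*"`, so `codeql/cpp-all` and `codeql/suite-helpers` resolve to whatever the CodeQL bundle used by the workflow happens to ship, and an incompatible library change there would show up only as a failing or silently empty analysis rather than a resolvable version conflict. If relying on the bundled pack versions is the intent, say so next to the entries, e.g. `# "*": use the pack versions shipped with the CodeQL bundle selected by .github/workflows/codeql.yml`; otherwise constrain them to a range known to work, such as `codeql/cpp-all: "<RANGE-VERIFIED-AGAINST-BUNDLE>"`.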
b11b5f
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
b11b5f
new file mode 100644
b11b5f
index 0000000000..c5426d5686
b11b5f
--- /dev/null
b11b5f
+++ b/.github/workflows/codeql.yml
b11b5f
@@ -0,0 +1,68 @@
b11b5f
+---
b11b5f
+# vi: ts=2 sw=2 et:
b11b5f
+# SPDX-License-Identifier: LGPL-2.1-or-later
b11b5f
+#
b11b5f
+name: "CodeQL"
b11b5f
+
b11b5f
+on:
b11b5f
+  pull_request:
b11b5f
+    branches:
b11b5f
+      - master
b11b5f
+      - rhel-*
b11b5f
+    paths:
b11b5f
+      - '**/meson.build'
b11b5f
+      - '.github/**/codeql*'
b11b5f
+      - 'src/**'
b11b5f
+      - 'test/**'
b11b5f
+      - 'tools/**'
b11b5f
+  push:
b11b5f
+    branches:
b11b5f
+      - master
b11b5f
+      - rhel-*
b11b5f
+
b11b5f
+permissions:
b11b5f
+  contents: read
b11b5f
+
b11b5f
+jobs:
b11b5f
+  analyze:
b11b5f
+    name: Analyze
b11b5f
+    runs-on: ubuntu-22.04
b11b5f
+    concurrency:
b11b5f
+      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
b11b5f
+      cancel-in-progress: true
b11b5f
+    permissions:
b11b5f
+      actions: read
b11b5f
+      security-events: write
b11b5f
+
b11b5f
+    strategy:
b11b5f
+      fail-fast: false
b11b5f
+      matrix:
b11b5f
+        language: ['cpp', 'python']
b11b5f
+
b11b5f
+    steps:
b11b5f
+    - name: Checkout repository
b11b5f
+      uses: actions/checkout@v3
b11b5f
+
b11b5f
+    - name: Initialize CodeQL
b11b5f
+      uses: github/codeql-action/init@v2
b11b5f
+      with:
b11b5f
+        languages: ${{ matrix.language }}
b11b5f
+        config-file: ./.github/codeql-config.yml
b11b5f
+
b11b5f
+    - name: Install dependencies
b11b5f
+      if: matrix.language == 'cpp'
b11b5f
+      run: |
b11b5f
+        echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
b11b5f
+        sudo apt-get -y update
b11b5f
+        sudo apt-get -y build-dep systemd
b11b5f
+        sudo apt-get -y install libfdisk-dev libpwquality-dev libqrencode-dev libssl-dev libxkbcommon-dev libzstd-dev
b11b5f
+
b11b5f
+    - name: Build
b11b5f
+      if: matrix.language == 'cpp'
b11b5f
+      run: |
b11b5f
+        # EL 8 systemd fails to build with newer gnu-efi (3.0.13 on Ubuntu Jammy ATTOW)
b11b5f
+        meson build -Dlibiptc=false -Dgnu-efi=false
b11b5f
+        ninja -C build -v
b11b5f
+
b11b5f
+    - name: Perform CodeQL Analysis
b11b5f
+      uses: github/codeql-action/analyze@v2
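Review bot: The job-level `permissions:` block (`actions: read`, `security-events: write`) replaces the workflow-level `contents: read` for the `analyze` job rather than extending it, so as far as the visible configuration goes the checkout and upload steps run with no `contents` scope; adding `contents: read` alongside `actions: read` in the job-level block makes the grant explicit. Separately, `actions/checkout@v3`, `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` are referenced by mutable major-version tags, so the code that runs with `security-events: write` can change without any commit to this repository; pinning each to a full commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<commit-sha>  # v3`) makes the dependency auditable while still letting Dependabot track updates.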
b11b5f
diff --git a/.lgtm.yml b/.lgtm.yml
b11b5f
deleted file mode 100644
b11b5f
index fe93957b67..0000000000
b11b5f
--- a/.lgtm.yml
b11b5f
+++ /dev/null
b11b5f
@@ -1,37 +0,0 @@
b11b5f
----
b11b5f
-# vi: ts=2 sw=2 et:
b11b5f
-
b11b5f
-# Explicitly enable certain checks which are hidden by default
b11b5f
-queries:
b11b5f
-  - include: cpp/bad-strncpy-size
b11b5f
-  - include: cpp/declaration-hides-variable
b11b5f
-  - include: cpp/inconsistent-null-check
b11b5f
-  - include: cpp/mistyped-function-arguments
b11b5f
-  - include: cpp/nested-loops-with-same-variable
b11b5f
-  - include: cpp/sizeof-side-effect
b11b5f
-  - include: cpp/suspicious-pointer-scaling
b11b5f
-  - include: cpp/suspicious-pointer-scaling-void
b11b5f
-  - include: cpp/suspicious-sizeof
b11b5f
-  - include: cpp/unsafe-strcat
b11b5f
-  - include: cpp/unsafe-strncat
b11b5f
-  - include: cpp/unsigned-difference-expression-compared-zero
b11b5f
-  - include: cpp/unused-local-variable
b11b5f
-  - include:
b11b5f
-      tags:
b11b5f
-        - "security"
b11b5f
-        - "correctness"
b11b5f
-      severity: "error"
b11b5f
-
b11b5f
-extraction:
b11b5f
-  cpp:
b11b5f
-    prepare:
b11b5f
-      packages:
b11b5f
-        - python3-pip
b11b5f
-        - python3-setuptools
b11b5f
-        - python3-wheel
b11b5f
-    after_prepare:
b11b5f
-      - pip3 install meson
b11b5f
-      - export PATH="$HOME/.local/bin/:$PATH"
b11b5f
-  python:
b11b5f
-    python_setup:
b11b5f
-      version: 3