Skip to content

CodeQL

CodeQL #274

Workflow file for this run

---
# codeql workflow for ghidra
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
on:
push:
branches:
- master
- patch
- stable
- additional_codeql_langs
- dependabot/*
- autofix/alert-*
- ruff_unsafe
pull_request:
# The branches below must be a subset of the branches above
branches:
- master
- patch
- stable
- additional_codeql_langs
- dependabot/*
- autofix/alert-*
- ruff_unsafe
schedule:
- cron: '43 20 * * 5'
jobs:
analyze:
name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
runs-on: 'ubuntu-latest'
timeout-minutes: 420
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ['c-cpp', 'java-kotlin', 'javascript-typescript', 'python']
# CodeQL supports the following languages:
# 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript',
# 'python', 'ruby', 'swift'
# Use 'java-kotlin' to analyze code written in Java, Kotlin, or both
# Use 'javascript-typescript' to analyze code written in JavaScript,
# TypeScript, or both
# Learn more about CodeQL language support at:
# https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Java JDK
uses: actions/setup-java@v4.5.0
if: matrix.language == 'c-cpp' || matrix.language == 'java-kotlin'
with:
distribution: 'temurin'
# The Java version to set up. Takes a whole or semver Java version.
# See examples of supported syntax in README file
java-version: '17'
# The package type (jdk, jre, jdk+fx, jre+fx)
java-package: 'jdk'
# Name of the build platform to cache dependencies.
# It can be "maven", "gradle" or "sbt".
cache: 'gradle'
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a
# config file.
# By default, queries listed here will override any specified in a
# config file.
# Prefix the list here with "+" to use these queries and those in the
# config file.
# For more details on CodeQL's query packs, refer to:
# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
- name: Setup Gradle
if: matrix.language == 'java-kotlin'
uses: gradle/gradle-build-action@v3
- name: Additional dependencies
if: matrix.language == 'c-cpp' || matrix.language == 'java-kotlin'
run: |
sudo apt-get -qq update
sudo apt-get -qq install gradle dh-make libgradle-core-java \
libgradle-plugins-java gradle-propdeps-plugin gradle-debian-helper \
libgradle-jflex-plugin-java gradle-plugin-protobuf \
gradle-ice-builder-plugin libgradle-android-plugin-java \
gradle-apt-plugin liblightvalue-gradle-plugin-java binutils \
binutils-dev binutils-multiarch-dev default-jre libasprintf-dev \
libgettextpo-dev ecj libecj-java maven-debian-helper gdb gdbserver \
mingw-w64 wine wine64 libiberty-dev
env | uniq | sort | uniq
if test -x "$(which ecj)"; then \
which -a ecj; \
for myecj in $(which -a ecj); do \
stat -t "${myecj}" || echo "figure out use of ${myecj} yourself"; \
done; \
else \
echo "No usable ecj found; skipping..."; \
fi
- name: Manual Gradle init
if: matrix.language == 'c-cpp' || matrix.language == 'java-kotlin'
run: |
# shellcheck disable=SC2235
if test -x "$(which gradle)" && test -w . && test -w "${HOME}"; then \
if test -w "${HOME}/work/ghidra/ghidra/.gradle" || (test -n "${GRADLE_HOME}" && test -d "${GRADLE_HOME}" && test -w "${GRADLE_HOME}"); then \
echo "initializing gradle ($(which gradle))..."; \
gradle --quiet --continue wrapper || \
find . -name '*/gradlew' -print || echo "whoami? $(whoami)"; \
echo "full list of gradles found:"; \
which -a gradle; \
echo "version info for each of them:"; \
for mygradle in $(which -a gradle); do \
if test -x "${mygradle}" && test -d "$(dirname "${mygradle}")/../share/gradle/bin/.."; then \
"${mygradle}" --version || sudo "${mygradle}" --version || \
stat -t "${mygradle}"; \
else \
echo "warning: cannot use ${mygradle}"; \
fi; \
done; \
echo "continuing with gradle initialization..."; \
gradle --info -I gradle/support/fetchDependencies.gradle init || \
(if test -x ./gradlew; then \
./gradlew --debug -I gradle/support/fetchDependencies.gradle init; \
else \
echo "missing or invalid gradle wrapper" >&2 && exit 1; \
fi) || \
(sudo gradle --quiet --continue -I gradle/support/fetchDependencies.gradle init) | tee gradle_output.log || \
ls "gradle*" 2>gradle_ls_err.txt || pwd; \
echo "one more gradle setup step..."; \
gradle --quiet prepdev eclipse buildNatives || \
(if test -x ./gradlew; then \
./gradlew prepdev eclipse buildNatives; \
else \
echo "missing or invalid gradle wrapper" >&2 && exit 1; \
fi) || \
(echo "gradle files are:" && find . -name '*.gradle' -print); \
else \
echo "Skipping gradle init due to missing/unwritable gradle locs"; \
fi; \
else \
echo "Conditions are wrong for initializing gradle"; \
fi
# Autobuild attempts to build any compiled languages
# (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually
- name: Autobuild
if: matrix.language != 'c-cpp' && matrix.language != 'java-kotlin'
uses: github/codeql-action/autobuild@v3
- name: Manual build (C and C++)
if: matrix.language == 'c-cpp'
run: |
# shellcheck disable=SC2001,SC2044
for cfile in $(find . -name '*.c' -type f); do \
cobjfile="$(echo "${cfile}" | sed "s/\.c/.o/g")"; \
if test ! -e "${cobjfile}"; then \
echo "gcc -c -w -Wno-error -I. -iquote . \"${cfile}\""; \
gcc -c -w -Wno-error -I. -I"$(dirname "${cfile}")" -iquote . \
-iquote "$(dirname "${cfile}")" "${cfile}" || \
stat -t "${cfile}" || echo "cfile is ${cfile}"; \
else \
echo "object file ${cobjfile} already exists for ${cfile}."; \
cp -v "${cobjfile}" "$(dirname "${cfile}")" || \
cp -v "${cobjfile}" . || cp -v "${cobjfile}" .. || \
(if test -d /tmp && test -w /tmp; then \
cp -v "${cobjfile}" /tmp; fi) || \
stat -t "${cobjfile}"; \
fi; \
done
# shellcheck disable=SC2044
for ccfile in $(find . -name '*.cc' -type f); do \
echo "One last attempt at compiling ${ccfile}..."; \
g++ -c "${ccfile}" || g++ -w -c -I. -iquote . "${ccfile}" || \
g++ -w -Wno-error -c -I. -iquote . -I.. -iquote .. \
-I"$(dirname "${cfile}")" \
-iquote "$(dirname "${cfile}")" "${ccfile}" || \
stat -t "${ccfile}"; \
done
# shellcheck disable=SC2044
for cppfile in $(find . -name '*.cpp' -type f); do \
echo "One last attempt at compiling ${cppfile}..."; \
g++ -Wno-write-strings -Wfatal-errors -c "${cppfile}" || \
g++ -w -Wfatal-errors -c -I. -iquote . "${cppfile}" || \
g++ -w -Wno-error -Wfatal-errors -fpermissive -c -I. -iquote . \
-I.. -iquote .. -I"$(dirname "${cfile}")" \
-iquote "$(dirname "${cfile}")" "${cppfile}" || \
stat -t "${cppfile}"; \
done
- name: Manual build (Java)
if: matrix.language == 'java-kotlin'
run: |
i=0
# shellcheck disable=SC2060
total=$(find . -maxdepth 6 -name '*.java' -type f | wc -l | tr -d [:blank:])
# shellcheck disable=SC2044,SC2060
for javafile in $(find . -maxdepth 6 -name '*.java' -type f); do \
i=$((i+1)); \
echo "One last attempt at compiling ${javafile} (file ${i} of ${total} with path length: '$(echo "${javafile}" | wc -c | tr -d [:blank:])')..."; \
javac -nowarn -Xdiags:compact -Xmaxerrs 1 "${javafile}" || \
stat -t "${javafile}"; \
done; \
date
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"