Skip to content

Fix CodeQL warnings #1107

Fix CodeQL warnings

Fix CodeQL warnings #1107

Workflow file for this run

name: CI
on: [push, pull_request]
permissions:
contents: read
env:
BUILD_NUMBER: ${{ github.run_number }}
MAKEFLAGS: -j3
jobs:
macos:
name: Build on macOS
runs-on: macos-latest
env:
MACOSX_DEPLOYMENT_TARGET: 11.0
steps:
- name: Checkout
uses: actions/checkout@v3
with:
submodules: recursive
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: build.yml
branch: master
name: pkgs
path: libdigidocpp-pkg
repo: open-eid/libdigidocpp
- name: Install dependencies
env:
HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: YES
run: |
brew install ninja flatbuffers
HASH=($(shasum prepare_osx_build_environment.sh))
curl -O -L -s https://installer.id.ee/media/github/opensc_0.22.0.pkg
curl -O -L -s https://installer.id.ee/media/github/${HASH}.zip
sudo installer -verboseR -pkg libdigidocpp-pkg/libdigidocpp*.pkg -target /
sudo installer -verboseR -pkg opensc_*.pkg -target /
sudo unzip -qq -d /Library/Developer ${HASH}.zip
- name: Build
run: |
QT_DIR=$(ls -d /Library/Developer/Qt-*-OpenSSL | tail -n 1)
cmake "-GNinja" \
-DCMAKE_PREFIX_PATH=${QT_DIR} \
-DOPENSSL_ROOT_DIR=/Library/Developer/OpenSSL \
-DLDAP_ROOT=/Library/Developer/OpenLDAP \
-DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" -B build -S .
cmake --build build --target zipdebug macdeployqt zip
- name: Archive artifacts
uses: actions/upload-artifact@v3
with:
name: pkgs
path: build/qdigidoc4*.zip
ubuntu:
name: Build on Ubuntu to ${{ matrix.container }}
runs-on: ubuntu-latest
container: ${{ matrix.container }}
strategy:
matrix:
container: ['ubuntu:20.04', 'ubuntu:22.04', 'ubuntu:23.04']
env:
DEBIAN_FRONTEND: noninteractive
DEBFULLNAME: github-actions
DEBEMAIL: github-actions@github.com
steps:
- name: Install dependencies
if: matrix.container == 'ubuntu:20.04'
run: apt update -qq && apt install --no-install-recommends -y git lsb-release fakeroot build-essential devscripts debhelper pkg-config cmake libldap2-dev gettext libpcsclite-dev libssl-dev libqt5svg5-dev qttools5-dev-tools qttools5-dev lintian libflatbuffers-dev zlib1g-dev
- name: Install dependencies
if: matrix.container != 'ubuntu:20.04'
run: apt update -qq && apt install --no-install-recommends -y git lsb-release fakeroot build-essential devscripts debhelper pkg-config cmake libldap2-dev gettext libpcsclite-dev libssl-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev lintian libflatbuffers-dev zlib1g-dev
- name: Checkout
uses: actions/checkout@v3
with:
submodules: recursive
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: build.yml
branch: master
name: debs
path: libdigidocpp-pkg
repo: open-eid/libdigidocpp
- name: Install artifact
run: |
apt install --no-install-recommends -y ./libdigidocpp-pkg/*$(lsb_release -rs)*.deb
rm -rf libdigidocpp-pkg
- name: Setup changelog
run: |
export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}")
export VERSIONEX=${VERSION}.${BUILD_NUMBER}.$(lsb_release -rs)
dch --distribution $(lsb_release -cs) -v ${VERSIONEX} "Release ${VERSIONEX}."
- name: Build packages
run: |
dpkg-buildpackage -us -uc
mv ../qdigidoc4*.* .
- name: Lintian
run: lintian *.deb;
- name: Archive artifacts
uses: actions/upload-artifact@v3
with:
name: debs
path: qdigidoc4*.*
fedora:
name: Build on Fedora to ${{ matrix.container }}
runs-on: ubuntu-latest
container: ${{ matrix.container }}
strategy:
matrix:
container: ['fedora:37', 'fedora:38']
env:
MAKEFLAGS: -j3
steps:
- name: Install Deps
run: dnf install -y git gcc-c++ cmake rpm-build gettext openssl-devel openldap-devel pcsc-lite-devel qt6-qtsvg-devel qt6-qttools-devel qt6-qt5compat-devel flatbuffers-devel flatbuffers-compiler zlib-devel
- name: Checkout
uses: actions/checkout@v3
with:
submodules: recursive
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: build.yml
branch: master
name: rpms
path: libdigidocpp-pkg
repo: open-eid/libdigidocpp
- name: Install artifact
run: |
. /etc/os-release
dnf install -y ./libdigidocpp-pkg/*fc${VERSION_ID}*.rpm
- name: Build
run: |
cmake -DCMAKE_INSTALL_PREFIX=/usr -B build -S .
cmake --build build --target all package
- name: Archive artifacts
uses: actions/upload-artifact@v3
with:
name: rpms
path: build/qdigidoc4*.rpm
windows:
name: Build on Windows
runs-on: ${{ matrix.image }}
strategy:
matrix:
vcver: [142, 143]
include:
- vcver: 142
image: windows-2019
- vcver: 143
image: windows-2022
env:
VER_SUFFIX: .VS${{ matrix.vcver }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
submodules: recursive
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: build.yml
branch: master
name: msi
path: ./
repo: open-eid/libdigidocpp
- name: Install artifact
run: |
Rename-Item "libdigidocpp*VS${{ matrix.vcver }}.msi" libdigidocpp.msi
msiexec /qn /a libdigidocpp.msi "TARGETDIR=$($pwd.Path)\\libs"
- name: Prepare vcpkg
uses: lukka/run-vcpkg@v7
with:
vcpkgArguments: openssl zlib flatbuffers
vcpkgGitCommitId: 6a349fe1fbea1e5fcda2e0775f555d829a5e82df
vcpkgTriplet: x64-windows
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
version: 6.5.2
arch: win64_msvc2019_64
modules: qt5compat
- name: Setup dev env
uses: ilammy/msvc-dev-cmd@v1
with:
arch: x64
sdk: 10.0.19041.0
- name: Build
run: |
md build/client
copy ${{ env.RUNVCPKG_VCPKG_ROOT }}\installed\x64-windows\bin\*.dll build\client\
cmake "-GNinja" -DCMAKE_BUILD_TYPE=RelWithDebInfo `
-DCMAKE_TOOLCHAIN_FILE=${{ env.RUNVCPKG_VCPKG_ROOT }}/scripts/buildsystems/vcpkg.cmake `
"-DLIBDIGIDOCPP_LIBRARY=libs/libdigidocpp/x64/digidocpp.lib" `
"-DLIBDIGIDOCPP_INCLUDE_DIR=libs/libdigidocpp/include" -B build -S .
cmake --build build --target msi
cmake --build build --target appx
- name: Archive artifacts
uses: actions/upload-artifact@v3
with:
name: msi
path: |
build/*.msi
build/*.appx
coverity:
name: Run Coverity tests
if: github.repository == 'open-eid/DigiDoc4-Client' && contains(github.ref, 'coverity_scan')
runs-on: ubuntu-22.04
env:
TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
PROJECTNAME: open-eid/DigiDoc4-Client
steps:
- name: Checkout
uses: actions/checkout@v3
with:
submodules: recursive
- name: Install dependencies
run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake libldap2-dev gettext libpcsclite-dev libminizip-dev libxml-security-c-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev libflatbuffers-dev zlib1g-dev
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: build.yml
branch: master
name: debs
path: libdigidocpp-pkg
repo: open-eid/libdigidocpp
- name: Install artifact
run: sudo dpkg -i libdigidocpp-pkg/*$(lsb_release -rs)*.deb
- name: Download Coverity Build Tool
run: |
curl -s -d "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64
mkdir cov-analysis-linux64
tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
- name: Build
run: |
cmake .
export PATH=$PWD/cov-analysis-linux64/bin:$PATH
cov-build --dir cov-int make
- name: Submit the result to Coverity Scan
run: |
tar czvf upload.tgz cov-int
curl -s \
-F project=$PROJECTNAME \
-F token=$TOKEN \
-F email=eid-teenusehaldus@ria.ee \
-F file=@upload.tgz \
-F version=master \
-F description="Github Actions CI build" \
https://scan.coverity.com/builds?project=$PROJECTNAME
codeql:
name: Run CodeQL tests
if: github.repository == 'open-eid/DigiDoc4-Client'
runs-on: ubuntu-22.04
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v3
with:
submodules: recursive
- name: Install dependencies
run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake libldap2-dev gettext libpcsclite-dev libminizip-dev libxml-security-c-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev libflatbuffers-dev zlib1g-dev
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
workflow: build.yml
branch: master
name: debs
path: libdigidocpp-pkg
repo: open-eid/libdigidocpp
- name: Install artifact
run: sudo dpkg -i libdigidocpp-pkg/*$(lsb_release -rs)*.deb
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: cpp
queries: +security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
upload: False
output: sarif-results
- name: Filter results
uses: advanced-security/filter-sarif@develop
with:
patterns: |
-**/*autogen*/**
-**/common/qtsingleapplication/**
-**:cpp/loop-variable-changed
-**:cpp/poorly-documented-function
input: sarif-results/cpp.sarif
output: sarif-results/cpp.sarif
- name: Upload results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: sarif-results/cpp.sarif