fix(codeql): python code analysis

AtomicFS · AtomicFS · commit a3c81e2d1b58 · 2025-05-16T11:04:06.000+02:00
- add dedicated CodeQL config file
- configure Python-specific analysis with proper PYTHONPATH
- add module import script to ensure complete code coverage
- move the Python code into different directory and set up
  proper Python project structure for analysis

AI-Generated: true
AI-Model: claude-3.7-sonnet
Signed-off-by: AtomicFS &lt;vojtech.vesely@9elements.com&gt;
diff --git a/.cspell.json b/.cspell.json
@@ -50,7 +50,9 @@
     "KERNELVERSION",
     "Kortumstraße",
     "NOTSET",
+    "PYTHONPATH",
     "REPOPATH",
+    "STDLIB",
     "TARGETARCH",
     "TOOLSDIR",
     "Taskfile",
@@ -68,6 +70,7 @@
     "cmds",
     "cocogitto",
     "commitlint",
+    "compileall",
     "complgen",
     "composefile",
     "coreboot",
@@ -92,6 +95,7 @@
     "elif",
     "emeraldlake",
     "endgroup",
+    "endswith",
     "exitcode",
     "filenamify",
     "githubaction",
@@ -143,16 +147,19 @@
     "pytest",
     "rdparty",
     "readarray",
+    "relpath",
     "rootdir",
     "runslow",
     "rustup",
     "savedefconfig",
     "seabios",
     "setenv",
     "sethvargo",
+    "setuptools",
     "shellcheck",
     "skipframes",
     "sloglint",
+    "splitext",
     "startswith",
     "staticcheck",
     "stmsg",
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,6 @@
+paths:
+  - .dagger-ci
+paths-ignore:
+  - '**/node_modules/**'
+  - '**/vendor/**'
+  - '**/tests/**'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -77,45 +77,94 @@ jobs:
         run: |
           pip install -r ./.dagger-ci/daggerci/requirements.txt
 
+      # Copy Python files to a standard location
+      - name: Copy Python files to standard location
+        if: ${{ matrix.language == 'python' }}
+        run: |
+          # Create a standard Python project structure
+          mkdir -p /tmp/python-project/src
+
+          # Copy all Python files from .dagger-ci to the standard location
+          cp -r ./.dagger-ci/* /tmp/python-project/src/
+
+          # Create a setup.py file to make it look like a standard Python project
+          cat > /tmp/python-project/setup.py << 'EOF'
+          from setuptools import setup, find_packages
+
+          setup(
+              name="daggerci",
+              version="0.1",
+              packages=find_packages(where="src"),
+              package_dir={"": "src"}
+          )
+          EOF
+
+          # List all files in the standard location to verify
+          find /tmp/python-project -type f | sort
+
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL for not-Python
         if: ${{ matrix.language != 'python' }}
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
+          config-file: .github/codeql/codeql-config.yml
 
       - name: Initialize CodeQL for Python
         if: ${{ matrix.language == 'python' }}
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
-          source-root: ./.dagger-ci
-
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-          # For more details on CodeQL's query packs, refer to:
-          # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # queries: security-extended,security-and-quality
-
-      # If the analyze step fails for one of the languages you are analyzing with
-      # "We were unable to automatically build your code", modify the matrix above
-      # to set the build mode to "manual" for that language. Then modify this step
-      # to build your code.
-      # Command-line programs to run using the OS shell.
-      # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-      - if: matrix.build-mode == 'manual'
-        shell: bash
+          config-file: .github/codeql/codeql-config.yml
+        env:
+          # Extract the standard library to help with imports
+          CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB: true
+          # Set the Python path to include our repository
+          PYTHONPATH: ${{ github.workspace }}/.dagger-ci:${{ github.workspace }}
+
+      # Run a Python script that imports all modules to ensure they're analyzed
+      - name: Run Python imports for CodeQL
+        if: ${{ matrix.language == 'python' }}
         run: |
-          echo 'If you are using a "manual" build mode for one or more of the' \
-            'languages you are analyzing, replace this with the commands to build' \
-            'your code, for example:'
-          echo '  make bootstrap'
-          echo '  make release'
-          exit 1
+          # Create a script that imports all Python modules
+          cat > /tmp/import_all.py << 'EOF'
+          import os
+          import sys
+          import importlib
+
+          # Add the repository root to the Python path
+          repo_root = os.environ.get('GITHUB_WORKSPACE', '/home/runner/work/firmware-action/firmware-action')
+          sys.path.insert(0, repo_root)
+
+          # Add the .dagger-ci directory to the Python path
+          dagger_ci_path = os.path.join(repo_root, '.dagger-ci')
+          sys.path.insert(0, dagger_ci_path)
+
+          # Find all Python files in the .dagger-ci directory
+          for root, dirs, files in os.walk(dagger_ci_path):
+              for file in files:
+                  if file.endswith('.py'):
+                      # Convert file path to module name
+                      rel_path = os.path.relpath(os.path.join(root, file), dagger_ci_path)
+                      module_name = os.path.splitext(rel_path)[0].replace(os.path.sep, '.')
+
+                      # Skip __init__.py files
+                      if module_name.endswith('__init__'):
+                          module_name = module_name[:-9]
+
+                      # Try to import the module
+                      print(f"Trying to import: {module_name}")
+                      try:
+                          importlib.import_module(module_name)
+                          print(f"Successfully imported: {module_name}")
+                      except Exception as e:
+                          print(f"Failed to import {module_name}: {e}")
+          EOF
+
+          # Run the import script
+          PYTHONPATH=${{ github.workspace }}/.dagger-ci:${{ github.workspace }} python /tmp/import_all.py
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
