From c7fd2e930fd0b5c3c4d6bd07bcc04390c21496c5 Mon Sep 17 00:00:00 2001 From: AtomicFS Date: Wed, 14 May 2025 15:18:56 +0200 Subject: [PATCH 1/2] ci: add codeql.yml Signed-off-by: AtomicFS --- .cspell.json | 1 + .github/workflows/codeql.yml | 123 +++++++++++++++++++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.cspell.json b/.cspell.json index f7a933e0..986f8f28 100644 --- a/.cspell.json +++ b/.cspell.json @@ -57,6 +57,7 @@ "acpica", "addinivalue", "addoption", + "autobuild", "automerge", "autopep", "blkio", diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..956e8798 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,123 @@ +--- +name: 'CodeQL Advanced' + +on: + push: + branches: ['main'] + pull_request: + branches: ['main'] + schedule: + # Run on Sunday at 23:25 + - cron: '25 23 * * 0' + +permissions: read-all + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: go + build-mode: autobuild + - language: javascript-typescript + build-mode: none + - language: python + build-mode: none + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. 
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Additional steps: Python + - name: Setup python + if: ${{ matrix.language == 'python' }} + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install deps + if: ${{ matrix.language == 'python' }} + run: | + curl -SL "$( curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'browser_download_url' | grep "docker-compose-linux-$(uname -m)" | grep -v '.sha256' | sed -E 's/.*https/https/g' | sed -E 's/\"//g' | grep -vE '.json$' )" -o docker-compose + sudo mv docker-compose /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + docker-compose --version + docker-compose -f docker/compose.yaml config + + - name: Install Python dependencies + if: ${{ matrix.language == 'python' }} + run: | + pip install -r ./.dagger-ci/daggerci/requirements.txt + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL for not-Python + if: ${{ matrix.language != 'python' }} + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Initialize CodeQL for Python + if: ${{ matrix.language == 'python' }} + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + source-root: ./.dagger-ci + + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: + # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # Command-line programs to run using the OS shell. + # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: '/language:${{matrix.language}}' From 872c60978585abf5ec3bd079b6f2c1977b9b8870 Mon Sep 17 00:00:00 2001 From: AtomicFS Date: Wed, 14 May 2025 16:17:42 +0200 Subject: [PATCH 2/2] fix(codeql): python code analysis - add dedicated CodeQL config file - configure Python-specific analysis with proper PYTHONPATH - add module import script to ensure complete code coverage - move the Python code into different directory and set up proper Python project structure for analysis AI-Generated: true AI-Model: claude-3.7-sonnet Signed-off-by: AtomicFS --- .cspell.json | 7 +++ .github/codeql/codeql-config.yml | 6 ++ .github/workflows/codeql.yml | 97 ++++++++++++++++++++++++-------- 3 files changed, 86 insertions(+), 24 deletions(-) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.cspell.json b/.cspell.json index 986f8f28..e0430305 100644 --- a/.cspell.json +++ b/.cspell.json 
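Review bot: The `Install deps` step downloads whatever docker-compose release is current from the GitHub API, explicitly filters out the published `.sha256` file, and moves the unverified binary into `/usr/local/bin` with sudo, on every `push` and `pull_request`; a compromised or simply rate-limited release endpoint changes what the job executes. Pin a release and verify it, e.g. `curl -fsSLO "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-linux-$(uname -m)"` plus the matching `.sha256`, then `sha256sum -c "docker-compose-linux-$(uname -m).sha256"` before the `mv`. It is also not clear from the hunk why the Python CodeQL entry needs docker-compose at all — `docker-compose -f docker/compose.yaml config` produces nothing that the later `codeql-action/init` consumes — so either drop the step or add a comment such as `# docker-compose is required here because …`. Likewise `actions/checkout@v4`, `actions/setup-python@v5` and `github/codeql-action/init@v3` are mutable tags; pinning them to full commit SHAs (`uses: actions/checkout@<sha>  # v4`) is the usual hardening for a job that declares `security-events: write`.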
@@ -50,7 +50,9 @@ "KERNELVERSION", "Kortumstraße", "NOTSET", + "PYTHONPATH", "REPOPATH", + "STDLIB", "TARGETARCH", "TOOLSDIR", "Taskfile", @@ -68,6 +70,7 @@ "cmds", "cocogitto", "commitlint", + "compileall", "complgen", "composefile", "coreboot", @@ -92,6 +95,7 @@ "elif", "emeraldlake", "endgroup", + "endswith", "exitcode", "filenamify", "githubaction", @@ -143,6 +147,7 @@ "pytest", "rdparty", "readarray", + "relpath", "rootdir", "runslow", "rustup", @@ -150,9 +155,11 @@ "seabios", "setenv", "sethvargo", + "setuptools", "shellcheck", "skipframes", "sloglint", + "splitext", "startswith", "staticcheck", "stmsg", diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..124a9da2 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,6 @@ +paths: + - .dagger-ci +paths-ignore: + - '**/node_modules/**' + - '**/vendor/**' + - '**/tests/**' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 956e8798..761329f6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
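Review bot: The new `codeql-config.yml` carries no comment saying which scan it is meant for, yet `paths: - .dagger-ci` is a repository-wide restriction for every language that is initialised with it, and `paths-ignore: '**/tests/**'` silently drops any finding in test code. A short header would stop the next person from wiring it into an unrelated scan, e.g. `# Scope for the Python (.dagger-ci) CodeQL scan only; tests are excluded deliberately because they are not shipped.` If the `node_modules`/`vendor` entries are kept for a directory that is only ever `.dagger-ci`, it is worth stating whether those directories actually exist there or the lines are template leftovers.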
@@ -77,6 +77,31 @@ jobs: run: | pip install -r ./.dagger-ci/daggerci/requirements.txt + # Copy Python files to a standard location + - name: Copy Python files to standard location + if: ${{ matrix.language == 'python' }} + run: | + # Create a standard Python project structure + mkdir -p /tmp/python-project/src + + # Copy all Python files from .dagger-ci to the standard location + cp -r ./.dagger-ci/* /tmp/python-project/src/ + + # Create a setup.py file to make it look like a standard Python project + cat > /tmp/python-project/setup.py << 'EOF' + from setuptools import setup, find_packages + + setup( + name="daggerci", + version="0.1", + packages=find_packages(where="src"), + package_dir={"": "src"} + ) + EOF + + # List all files in the standard location to verify + find /tmp/python-project -type f | sort + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL for not-Python if: ${{ matrix.language != 'python' }} @@ -84,6 +109,7 @@ jobs: with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} + config-file: .github/codeql/codeql-config.yml - name: Initialize CodeQL for Python if: ${{ matrix.language == 'python' }} 
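Review bot: Adding `config-file: .github/codeql/codeql-config.yml` to the `Initialize CodeQL for not-Python` step hands the `paths: - .dagger-ci` restriction to the `go`, `javascript-typescript` and `actions` scans as well, so anything outside `.dagger-ci` — presumably where the Go and workflow code of this repository lives — is dropped from those results (for the autobuilt `go` entry the filter is, as far as I know, applied to results rather than extraction, which ends the same way). If only the Python scan is meant to be scoped, leave this line out of the not-Python step or give the other languages their own config file. The new `Copy Python files to standard location` step writes a copy of `.dagger-ci` and a generated `setup.py` into `/tmp/python-project`, but nothing later in the diff points the extractor or `PYTHONPATH` at that directory, so it looks like dead work; either drop it or add a comment explaining what consumes it, e.g. `# /tmp/python-project is consumed by …`. The `analyze` job continues outside this hunk.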
@@ -91,31 +117,54 @@ jobs: with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - source-root: ./.dagger-ci - - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: - # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # Command-line programs to run using the OS shell. - # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash + config-file: .github/codeql/codeql-config.yml + env: + # Extract the standard library to help with imports + CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB: true + # Set the Python path to include our repository + PYTHONPATH: ${{ github.workspace }}/.dagger-ci:${{ github.workspace }} + + # Run a Python script that imports all modules to ensure they're analyzed + - name: Run Python imports for CodeQL + if: ${{ matrix.language == 'python' }} run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 + # Create a script that imports all Python modules + cat > /tmp/import_all.py << 'EOF' + import os + import sys + import importlib + + # Add the repository root to the 
Python path + repo_root = os.environ.get('GITHUB_WORKSPACE', '/home/runner/work/firmware-action/firmware-action') + sys.path.insert(0, repo_root) + + # Add the .dagger-ci directory to the Python path + dagger_ci_path = os.path.join(repo_root, '.dagger-ci') + sys.path.insert(0, dagger_ci_path) + + # Find all Python files in the .dagger-ci directory + for root, dirs, files in os.walk(dagger_ci_path): + for file in files: + if file.endswith('.py'): + # Convert file path to module name + rel_path = os.path.relpath(os.path.join(root, file), dagger_ci_path) + module_name = os.path.splitext(rel_path)[0].replace(os.path.sep, '.') + + # Skip __init__.py files + if module_name.endswith('__init__'): + module_name = module_name[:-9] + + # Try to import the module + print(f"Trying to import: {module_name}") + try: + importlib.import_module(module_name) + print(f"Successfully imported: {module_name}") + except Exception as e: + print(f"Failed to import {module_name}: {e}") + EOF + + # Run the import script + PYTHONPATH=${{ github.workspace }}/.dagger-ci:${{ github.workspace }} python /tmp/import_all.py - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3
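Review bot: The `Run Python imports for CodeQL` step executes the top-level code of every module under `.dagger-ci` on the runner, and because the workflow triggers on `pull_request` that is the code of the PR under review, run in a job that declares `security-events: write` (read-only for fork PRs, but not for same-repository branches); the CodeQL Python extractor with build-mode `none` parses sources statically, so as far as I can tell the imports add nothing to the database. I would drop the step, or if it is kept as a smoke test, say so, e.g. `# Smoke test only: import every module so a broken import fails the job; CodeQL does not need this`. `CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB` and `PYTHONPATH` are set as `env:` on the `init` step alone, while extraction for build-mode `none` happens during the later `analyze` step, so they likely need to be job-level `env:` to have any effect. The hard-coded fallback `'/home/runner/work/firmware-action/firmware-action'` is never needed inside Actions and silently points at the wrong place anywhere else; `repo_root = os.environ['GITHUB_WORKSPACE']` with an explicit KeyError is preferable. The job's final `analyze` step continues past the end of the hunk.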