add codeql test and reverted integration_test.sh

Author: FScholPer

.github/workflows/codeql-multiple-repo-scan.yml

@@ -0,0 +1,132 @@
+# *******************************************************************************
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+name: "CodeQL - Multi-Repo Source Scan"
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  merge_group:
+    types: [checks_requested]
+
+permissions:
+  contents: write
+
+jobs:
+  analyze-repos:
+    name: Analyze Multiple Repositories
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout central repository
+      uses: actions/checkout@v4
+      with:
+        path: central-repo
+
+    - name: Parse pinned repository versions
+      id: parse-repos
+      run: |
+        
+        sudo apt-get update && sudo apt-get install -y jq
+        JSON_FILE="known_good.json" 
+
+        # Check if the file exists
+        if [ ! -f "$JSON_FILE" ]; then
+          echo "Fehler: Die Datei '$JSON_FILE' wurde nicht gefunden."
+          exit 1
+        fi
+
+    
+        echo "MODULE_COUNT=$(jq '.modules | length' "$JSON_FILE")" >> $GITHUB_OUTPUT
+
+    
+        jq -c '.modules | to_entries[]' "$JSON_FILE" | while read -r module_entry; do
+          module_name=$(echo "$module_entry" | jq -r '.key')
+          repo_url=$(echo "$module_entry" | jq -r '.value.repo // empty')
+          version=$(echo "$module_entry" | jq -r '.value.version // empty')
+          branch=$(echo "$module_entry" | jq -r '.value.branch // empty')
+          hash=$(echo "$module_entry" | jq -r '.value.hash // empty')
+
+          echo "${module_name}_url=$repo_url" >> $GITHUB_OUTPUT
+      
+          if [ -n "$version" ]; then
+           echo "${module_name}_version=$version" >> $GITHUB_OUTPUT
+          fi
+      
+          if [ -n "$branch" ]; then
+            echo "${module_name}_branch=$branch" >> $GITHUB_OUTPUT
+          fi
+      
+          if [ -n "$hash" ]; then
+            echo "${module_name}_hash=$hash" >> $GITHUB_OUTPUT
+          fi
+        done
+      
+    - name: Checkout all pinned repositories
+      id: checkout-repos
+      run: |
+        # Install jq for JSON parsing
+        sudo apt-get install -y jq
+        
+        # Read repositories from JSON file
+        repos=$(cat repos.json)
+        repo_count=$(echo $repos | jq length)
+        
+        for i in $(seq 0 $((repo_count-1))); do
+          name=$(echo $repos | jq -r ".[$i].name")
+          url=$(echo $repos | jq -r ".[$i].url")
+          version=$(echo $repos | jq -r ".[$i].version")
+          path=$(echo $repos | jq -r ".[$i].path")
+          
+          echo "Checking out $name ($version) to $path"
+          
+          # Checkout the specific version/branch
+          git clone --depth 1 --branch $version $url $path
+          
+          # Store paths for later use
+          echo "$path" >> repo-paths.txt
+        done
+        
+        # Output all paths as a single variable
+        echo "repo_paths=$(cat repo-paths.txt | tr '\n' ',')" >> $GITHUB_OUTPUT
+
+    - name: Initialize CodeQL for all repositories
+      uses: github/codeql-action/init@v4
+      with:
+        languages: cpp, python, javascript
+        build-mode: none
+        # Configure which paths to analyze
+        config: |
+          paths:
+            - 'repos/**' # Analyze all repositories in repos/ directory
+          paths-ignore:
+            - '**/third_party/**'
+            - '**/tests/**'
+            - '**/*.test.*'
+            - 'central-repo/**' # Don't analyze the central repo itself
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        upload-database: false # Don't upload databases for each repo
+        output: sarif-results/
+        category: "multi-repo-scan"
+
+    - name: Upload SARIF results as artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: codeql-sarif-results
+        path: sarif-results/

integration_test.sh

@@ -12,17 +12,32 @@ LOG_DIR=${LOG_DIR:-_logs/logs}
 SUMMARY_FILE=${SUMMARY_FILE:-_logs/build_summary.md}
 KNOWN_GOOD_FILE=""
 
+# Codeql
+
+CODEQL_WORK_DIR="./codeql_analysis_results"
+CODEQL_DATABASES_DIR="${CODEQL_WORK_DIR}/databases"
+CODEQL_SARIF_DIR="${CODEQL_WORK_DIR}/sarif"
+CODEQL_LANGUAGE="cpp"
+CODEQL_QUERY_PACKS="codeql/cpp-queries,codeql/misra-cpp-coding-standards" # Add more packs as needed
+CODEQL_CLI_VERSION="v2.23.6" # Use the latest stable version
+CODEQL_PLATFORM="linux64" # e.g., linux64, macos, win64
+CODEQL_BUNDLE="codeql-${CODEQL_PLATFORM}.zip"
+CODEQL_URL="https://github.com/github/codeql-cli-binaries/releases/download/${CODEQL_CLI_VERSION}/${CODEQL_BUNDLE}"
+#https://github.com/github/codeql-cli-binaries/releases/download/v2.23.6/codeql-linux64.zip
+
 # maybe move this to known_good.json or a config file later
 declare -A BUILD_TARGET_GROUPS=(
     [score_baselibs]="@score_baselibs//score/..."
     [score_communication]="@score_communication//score/mw/com:com"
     [score_persistency]="@score_persistency//src/cpp/src/... @score_persistency//src/rust/..."
-    #[score_logging]="@score_logging//src/..."
+    [score_logging]="@score_logging//src/..."
     [score_orchestrator]="@score_orchestrator//src/..."
     [score_test_scenarios]="@score_test_scenarios//..."
     [score_feo]="@score_feo//..."
 )
 
+
+
 # Parse command line arguments
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -107,19 +122,71 @@ overall_depr_total=0
 
 # Track if any build group failed
 any_failed=0
+binary_path="${CODEQL_WORK_DIR}/codeql-cli/codeql/codeql"
+
+if [ -x "${binary_path}" ]; then
+    echo "Local CodeQL CLI found at ${binary_path}. Adding to PATH."
+    export PATH="$(pwd)/${CODEQL_WORK_DIR}/codeql-cli/codeql:${PATH}"
+else    
+    echo "CodeQL CLI not found. Downloading..."
+    mkdir -p "${CODEQL_WORK_DIR}/codeql-cli"
+    curl -L "${CODEQL_URL}" -o "${CODEQL_WORK_DIR}/${CODEQL_BUNDLE}"
+    unzip "${CODEQL_WORK_DIR}/${CODEQL_BUNDLE}" -d "${CODEQL_WORK_DIR}/codeql-cli"
+    export PATH="$(pwd)/${CODEQL_WORK_DIR}/codeql-cli/codeql:${PATH}"
+    echo "CodeQL CLI downloaded and added to PATH."
+fi
+
+# Verify CodeQL CLI is now available
+if ! command -v codeql &> /dev/null; then
+    echo "Error: CodeQL CLI could not be set up. Exiting."
+    exit 1
+else
+    echo "codeql found in path"    
+fi  
+
+
+mkdir -p "${CODEQL_DATABASES_DIR}"
+mkdir -p "${CODEQL_SARIF_DIR}"
 
 for group in "${!BUILD_TARGET_GROUPS[@]}"; do
     targets="${BUILD_TARGET_GROUPS[$group]}"
     log_file="${LOG_DIR}/${group}.log"
-    
+
+    db_path="${CODEQL_DATABASES_DIR}/${group}_db"
+    sarif_output="${CODEQL_SARIF_DIR}/${group}.sarif"
+    current_bazel_output_base="/tmp/codeql_bazel_output_${group}_$(date +%s%N)" # Add timestamp for extra uniqueness
+
+
+    # 1. Clean Bazel to ensure a fresh build for CodeQL tracing
+    echo "Running 'bazel clean --expunge' and 'bazel shutdown'..."
+    bazel --output_base="${current_bazel_output_base}" clean --expunge  || { echo "Bazel clean failed for ${group}"; exit 1; }
+    bazel --output_base="${current_bazel_output_base}" shutdown  || { echo "Bazel shutdown failed for ${group}"; exit 1; }
+
     # Log build group banner only to stdout/stderr (not into summary table file)
     echo "--- Building group: ${group} ---"
     start_ts=$(date +%s)
     echo "bazel build --config "${CONFIG}" ${targets} --verbose_failures"
     # GitHub Actions log grouping start
     echo "::group::Bazel build (${group})"
     set +e
-    bazel build --config "${CONFIG}" ${targets} --verbose_failures 2>&1 | tee "$log_file"
+    
+    build_command="bazel --output_base=\\\"${current_bazel_output_base}\\\" build \
+      ${targets} \
+      --verbose_failures \
+      --spawn_strategy=standalone \
+      --nouse_action_cache \
+      --noremote_accept_cached \
+      --noremote_upload_local_results \
+      --disk_cache= ${targets}"
+    
+    codeql database create "${db_path}" \
+      --language="${CODEQL_LANGUAGE}" \
+      --build-mode=none \
+      #--command="${build_command}" \
+      --overwrite \
+      || { echo "CodeQL database creation failed for ${group}"; exit 1; }
+    
+    
     build_status=${PIPESTATUS[0]}
     # Track if any build group failed
     if [[ ${build_status} -ne 0 ]]; then
@@ -133,6 +200,24 @@ for group in "${!BUILD_TARGET_GROUPS[@]}"; do
     d_count=$(depr_count "$log_file")
     overall_warn_total=$(( overall_warn_total + w_count ))
     overall_depr_total=$(( overall_depr_total + d_count ))
+
+     # Shutdown Bazel again after the traced build
+    echo "Running 'bazel shutdown' after CodeQL database creation..."
+    bazel shutdown || { echo "Bazel shutdown failed after tracing for ${group}"; exit 1; }
+
+    # 4. Analyze the created database
+    echo "Analyzing CodeQL database for ${group}..."
+    codeql database analyze "${DB_PATH}" \
+      --format=sarifv2.1.0 \
+      --output="${SARIF_OUTPUT}" \
+      --sarif-category="${group}-${CODEQL_LANGUAGE}" \
+      --packs "${CODEQL_QUERY_PACKS}" \
+      || { echo "CodeQL analysis failed for ${group}"; exit 1; }
+
+    echo "CodeQL analysis for ${group} complete. Results saved to: ${SARIF_OUTPUT}"
+    echo ""
+
+
     # Append as a markdown table row (duration without trailing 's')
     if [[ ${build_status} -eq 0 ]]; then
         status_symbol="✅"