Skip to content

CodeQL No-Build Analysis #3

CodeQL No-Build Analysis

CodeQL No-Build Analysis #3

name: CodeQL No-Build Analysis
on:
workflow_dispatch:
schedule:
- cron: "0 4 * * SUN"
pull_request:
paths:
- "*.py"
- "*.yml"
- "*.c"
- "*.h"
- "*.cpp"
- "*.hpp"
- "*.ino"
jobs:
codeql-analysis:
name: CodeQL ${{ matrix.language }} Analysis
runs-on: ubuntu-latest
strategy:
matrix:
language:
- python
- actions
- cpp
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Initialize CodeQL
uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config.yml
build-mode: none
- name: Process .ino files
if: matrix.language == 'cpp'
run: |
# Create a mapping file to track renamed files
echo "{}" > renamed_files.json
# Find all .ino files and process them
find . -name "*.ino" -type f | while read -r file; do
echo "Processing $file"
# Get the relative path from repository root
rel_path=$(realpath --relative-to=. "$file")
cpp_path="${rel_path%.ino}.cpp"
# Create new .cpp file with Arduino.h include
echo "#include <Arduino.h>" > "$cpp_path"
# Append the original content
cat "$file" >> "$cpp_path"
# Update the mapping file
jq --arg ino "$rel_path" --arg cpp "$cpp_path" '. += {($cpp): $ino}' renamed_files.json > temp.json && mv temp.json renamed_files.json
# Remove the original .ino file
rm "$file"
echo "Converted $file to $cpp_path"
done
echo "Renamed files mapping:"
cat renamed_files.json
- name: Run CodeQL Analysis
uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
with:
category: "Analysis: ${{ matrix.language }}"
output: sarif-results
upload: failure-only
- name: Process SARIF file
if: matrix.language == 'cpp'
run: |
sarif_file="sarif-results/${{ matrix.language }}.sarif"
if [ -f "$sarif_file" ] && [ -f "renamed_files.json" ]; then
echo "Processing SARIF file: $sarif_file"
# Read the renamed files mapping
renamed_files=$(cat renamed_files.json)
# Create a backup of the original SARIF
cp "$sarif_file" "${sarif_file}.backup"
# Process the SARIF file to rename files back to .ino and adjust line numbers
jq --argjson renamed "$renamed_files" '
.runs[0].results |= map(
if .locations[0].physicalLocation.artifactLocation.uri in $renamed then
.locations[0].physicalLocation.artifactLocation.uri = $renamed[.locations[0].physicalLocation.artifactLocation.uri] |
if .locations[0].physicalLocation.region.startLine then
.locations[0].physicalLocation.region.startLine = (.locations[0].physicalLocation.region.startLine - 1)
else .
end |
if .locations[0].physicalLocation.region.endLine then
.locations[0].physicalLocation.region.endLine = (.locations[0].physicalLocation.region.endLine - 1)
else .
end
else .
end
)
' "$sarif_file" > "${sarif_file}.processed"
# Replace the original SARIF with the processed version
mv "${sarif_file}.processed" "$sarif_file"
echo "SARIF file processed successfully"
else
echo "SARIF file or renamed files mapping not found, skipping processing"
fi
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
with:
sarif_file: sarif-results/${{ matrix.language }}.sarif
category: "Analysis: ${{ matrix.language }}"