diff --git a/.github/codeql/codeql-coding-standard.yml b/.github/codeql/codeql-coding-standard.yml new file mode 100644 index 0000000..57b668f --- /dev/null +++ b/.github/codeql/codeql-coding-standard.yml @@ -0,0 +1,19 @@ +name: "CodeQL Coding Standard Configuration File" + +disable-default-queries: true + +queries: + - name: JPL Rules + uses: ./codeql/cpp/ql/src/JPL_C + - name: MISRA Rule 9-5-1 + uses: ./codeql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql + - name: MISRA Rule 5-18-1 + uses: ./codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql + - name: MISRA 6-2-2 + uses: ./codeql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql + - name: MISRA Rule 5-14-1 + uses: ./codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql + - name: MISRA Rule 5-3-2 + uses: ./codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql + - name: MISRA Rule 7-5-2 + uses: ./codeql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql diff --git a/.github/codeql/codeql-security.yml b/.github/codeql/codeql-security.yml new file mode 100644 index 0000000..a1cfa6a --- /dev/null +++ b/.github/codeql/codeql-security.yml @@ -0,0 +1,8 @@ +name: "CodeQL Security Configuration File" + +queries: + - name: Security and Quality + uses: security-and-quality + - name: Security Extended + uses: security-extended + \ No newline at end of file diff --git a/.github/workflows/codeql-build.yml b/.github/workflows/codeql-build.yml new file mode 100644 index 0000000..3ce7799 --- /dev/null +++ b/.github/workflows/codeql-build.yml @@ -0,0 +1,112 @@ +name: "CodeQL Analysis" + +on: + push: + pull_request: + branches: + - main + +env: + SIMULATION: native + ENABLE_UNIT_TESTS: true + OMIT_DEPRECATED: true + BUILDTYPE: release + +jobs: + #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action. + check-for-duplicates: + runs-on: ubuntu-latest + # Map a step output to a job output + outputs: + should_skip: ${{ steps.skip_check.outputs.should_skip }} + steps: + - id: skip_check + uses: fkirc/skip-duplicate-actions@master + with: + concurrent_skipping: 'same_content' + skip_after_successful_duplicate: 'true' + do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' + + CodeQL-Security-Build: + needs: check-for-duplicates + if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} + runs-on: ubuntu-18.04 + timeout-minutes: 15 + + steps: + # Checks out a copy of your repository on the ubuntu-latest machine + - name: Checkout bundle + uses: actions/checkout@v2 + with: + repository: nasa/cFS + submodules: true + + - name: Checkout submodule + uses: actions/checkout@v2 + with: + path: tools/elf2cfetbl + + - name: Check versions + run: git submodule + + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: c + config-file: nasa/cFS-GroundSystem/.github/codeql/codeql-security.yml@main + + # Setup the build system + - name: Set up for build + run: | + cp ./cfe/cmake/Makefile.sample Makefile + cp -r ./cfe/cmake/sample_defs sample_defs + make prep + + # Build the code + - name: Build + run: make tools/elf2cfetbl/ + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 + + CodeQL-Coding-Standard-Build: + needs: check-for-duplicates + if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }} + runs-on: ubuntu-18.04 + timeout-minutes: 15 + + steps: + # Checks out a copy of your repository on the ubuntu-latest machine + - name: Checkout bundle + uses: actions/checkout@v2 + with: + repository: nasa/cFS + submodules: true + + - name: Checkout submodule + uses: actions/checkout@v2 + with: + path: tools/elf2cfetbl + + - name: Check versions + run: git submodule + + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: c + config-file: nasa/cFS-GroundSystem/.github/codeql/codeql-coding-standard.yml@main + + # Setup the build system + - name: Set up for build + run: | + cp ./cfe/cmake/Makefile.sample Makefile + cp -r ./cfe/cmake/sample_defs sample_defs + make prep + + # Build the code + - name: Build + run: make tools/elf2cfetbl/ + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1