From b4a8611439f8dc49c7dd5680e5331c6023f0c7fc Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 15:53:40 +0200 Subject: [PATCH 01/16] Introduce CodeQL analysis While there, tweak some indentation in another GitHub Actions workflow file. --- .github/workflows/build.yaml | 10 ++++----- .github/workflows/codeql.yml | 41 ++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5eab31a497..df91673645 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -29,11 +29,11 @@ jobs: runs-on: ${{ matrix.os }} continue-on-error: ${{ matrix.experimental }} steps: - # We run the build twice for each supported JDK: once against the - # original Error Prone release, using only Error Prone checks available - # on Maven Central, and once against the Picnic Error Prone fork, - # additionally enabling all checks defined in this project and any - # Error Prone checks available only from other artifact repositories. + # We run the build twice for each supported JDK: once against the + # original Error Prone release, using only Error Prone checks available + # on Maven Central, and once against the Picnic Error Prone fork, + # additionally enabling all checks defined in this project and any Error + # Prone checks available only from other artifact repositories. - name: Check out code uses: actions/checkout@v3.1.0 - name: Set up JDK diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..37dafddd8b --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,41 @@ +name: CodeQL +on: + pull_request: + branches: [ master ] + push: + branches: [ master ] + schedule: + - cron: '0 4 * * 1' +permissions: + actions: read + contents: read + security-events: write +jobs: + analyze: + strategy: + fail-fast: false + matrix: + language: [ java, ruby ] + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@v3.1.0 + - name: Initialize CodeQL + uses: github/codeql-action/init@v2.2.11 + with: + languages: ${{ matrix.language }} + # XXX: Check whether we should do this instead. + #- name: Set up JDK + # uses: actions/setup-java@v3.8.0 + # with: + # java-version: 17.0.6 + # distribution: temurin + # cache: maven + #- name: Perform minimal build + # run: mvn -T1C clean install -DskipTests -Dverification.skip + - name: Perform autobuild + uses: github/codeql-action/autobuild@v2.2.11 + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v2.2.11 + with: + category: "/language:${{matrix.language}}" From 8405fa0c566977dc33543421d0b59fb2360968d2 Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 16:25:07 +0200 Subject: [PATCH 02/16] Alternative --- .github/workflows/codeql.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 37dafddd8b..698c3e2743 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
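Review bot: Every `uses:` in the new workflow (`actions/checkout@v3.1.0`, `github/codeql-action/init@v2.2.11`, `autobuild@v2.2.11`, `analyze@v2.2.11`) is pinned to a version tag, and a tag can be moved by whoever controls the upstream repository; because this job holds `security-events: write`, a moved tag would let third-party code upload or alter code-scanning results for the repo. Pin each action to its full release commit SHA and keep the version as a trailing comment, e.g. `uses: github/codeql-action/init@<40-char sha>  # v2.2.11` (look the SHA up from the release tag; none is given here), and let Dependabot's `github-actions` ecosystem bump the SHAs. The commented-out `# XXX` block is fine as a scratch note but should be resolved one way or the other before merge.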
@@ -20,21 +20,21 @@ jobs: steps: - name: Check out code uses: actions/checkout@v3.1.0 + - name: Set up JDK + uses: actions/setup-java@v3.8.0 + with: + java-version: 17.0.6 + distribution: temurin + cache: maven + - name: Perform minimal build + run: mvn -T1C clean install -DskipTests -Dverification.skip - name: Initialize CodeQL uses: github/codeql-action/init@v2.2.11 with: languages: ${{ matrix.language }} - # XXX: Check whether we should do this instead. - #- name: Set up JDK - # uses: actions/setup-java@v3.8.0 - # with: - # java-version: 17.0.6 - # distribution: temurin - # cache: maven - #- name: Perform minimal build - # run: mvn -T1C clean install -DskipTests -Dverification.skip - - name: Perform autobuild - uses: github/codeql-action/autobuild@v2.2.11 + # XXX: Drop + #- name: Perform autobuild + # uses: github/codeql-action/autobuild@v2.2.11 - name: Perform CodeQL analysis uses: github/codeql-action/analyze@v2.2.11 with: From c6598fb14388cb3e4df2ff4a549e60e6ff886eda Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 16:35:13 +0200 Subject: [PATCH 03/16] Suspicion... --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 698c3e2743..773ecf329d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,7 +23,7 @@ jobs: - name: Set up JDK uses: actions/setup-java@v3.8.0 with: - java-version: 17.0.6 + java-version: 11.0.18 distribution: temurin cache: maven - name: Perform minimal build From 1c87eea92f05c4eaf05ab9a15730afd2f012e8f3 Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 16:43:58 +0200 Subject: [PATCH 04/16] Debug with custom build --- .github/workflows/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 773ecf329d..b3c3c786d2 100644 --- a/.github/workflows/codeql.yml 
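Review bot: `Perform minimal build` now runs before `Initialize CodeQL`, so `mvn ... install` executes with no CodeQL tracer attached and the Java database for the `java` matrix entry is built from no observed compilation (the `autobuild` step that used to compile is commented out in this hunk). The init step must come first: move `Set up JDK` and `Perform minimal build` below `Initialize CodeQL`, or keep the build where it is and re-enable `autobuild`. As written the JDK setup and Maven build also run for the `ruby` matrix entry where they are wasted time; a `if: matrix.language == 'java'` on those two steps would avoid that.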
+++ b/.github/workflows/codeql.yml @@ -23,7 +23,7 @@ jobs: - name: Set up JDK uses: actions/setup-java@v3.8.0 with: - java-version: 11.0.18 + java-version: 17.0.6 distribution: temurin cache: maven - name: Perform minimal build @@ -31,6 +31,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2.2.11 with: + debug: true languages: ${{ matrix.language }} # XXX: Drop #- name: Perform autobuild From 5cd8dff6c2a83d95f06573fc8e73444678a2382a Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 16:54:29 +0200 Subject: [PATCH 05/16] Ah, order matters...? --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b3c3c786d2..af6c09476b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,13 +26,13 @@ jobs: java-version: 17.0.6 distribution: temurin cache: maven - - name: Perform minimal build - run: mvn -T1C clean install -DskipTests -Dverification.skip - name: Initialize CodeQL uses: github/codeql-action/init@v2.2.11 with: debug: true languages: ${{ matrix.language }} + - name: Perform minimal build + run: mvn -T1C clean install -DskipTests -Dverification.skip # XXX: Drop #- name: Perform autobuild # uses: github/codeql-action/autobuild@v2.2.11 From d0c2ede89c4b3b40cce2a5c980f582ff23d5ef9a Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 17:21:27 +0200 Subject: [PATCH 06/16] Try --- .github/workflows/codeql.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index af6c09476b..91397c51c1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
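Review bot: `debug: true` on `github/codeql-action/init` is a troubleshooting switch; as far as I recall it also uploads the CodeQL database and extractor logs as workflow artifacts, which on a public repository are downloadable by anyone and count against artifact storage. It is fine while diagnosing the empty-database problem, but drop the line (or gate it behind a `workflow_dispatch` input) before this lands. The commit title suggests that is the intent, so a `debug: true  # TODO: remove before merge` marker would make it harder to forget.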
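Review bot: Moving `Perform minimal build` after `Initialize CodeQL` is the right order for the Java tracer, but the step is still unconditional, so the `ruby` matrix entry also sets up a JDK and runs the full Maven build it does not need. Guard it with `if: matrix.language == 'java'` (and the `Set up JDK` step likewise) so the Ruby job stays cheap and a Maven failure cannot take the Ruby analysis down with it.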
@@ -32,11 +32,9 @@ jobs: debug: true languages: ${{ matrix.language }} - name: Perform minimal build + if: ${{ matrix.language }} == java run: mvn -T1C clean install -DskipTests -Dverification.skip - # XXX: Drop - #- name: Perform autobuild - # uses: github/codeql-action/autobuild@v2.2.11 - name: Perform CodeQL analysis uses: github/codeql-action/analyze@v2.2.11 with: - category: "/language:${{matrix.language}}" + category: /language:${{ matrix.language }} From 6e6d5a3ce8748b84c41557d599fd4ff050f21cee Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 17:32:09 +0200 Subject: [PATCH 07/16] Ah --- .github/workflows/codeql.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 91397c51c1..e8485c6924 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,10 +29,9 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2.2.11 with: - debug: true languages: ${{ matrix.language }} - name: Perform minimal build - if: ${{ matrix.language }} == java + if: ${{ matrix.language == 'java' }} run: mvn -T1C clean install -DskipTests -Dverification.skip - name: Perform CodeQL analysis uses: github/codeql-action/analyze@v2.2.11 From b080f960d60426acf31adedbed1ccadd55924d07 Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 18:05:42 +0200 Subject: [PATCH 08/16] Trigger a violation... --- .../tech/picnic/errorprone/bugpatterns/DirectReturn.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java b/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java index 212d0b1245..1da4345d5a 100644 --- a/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java +++ b/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java 
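Review bot: `if: ${{ matrix.language }} == java` does not do what it reads as: the `${{ }}` is interpolated first, leaving the literal text `java == java` or `ruby == java`, which GitHub treats as a non-empty (truthy) string, so the build step should still run for both matrix entries. Write the whole condition as one expression with the value quoted, `if: matrix.language == 'java'` (or `${{ matrix.language == 'java' }}`). Separately, `debug: true` is still present in the surrounding context lines and should not ship.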
@@ -36,6 +36,9 @@ import com.sun.source.tree.VariableTree; import com.sun.source.util.TreeScanner; import com.sun.tools.javac.code.Symbol; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.List; import java.util.Optional; import org.jspecify.annotations.Nullable; @@ -97,6 +100,11 @@ public Description matchBlock(BlockTree tree, VisitorState state) { .orElse(Description.NO_MATCH); } + private static byte[] md5Hash(String s) throws NoSuchAlgorithmException { + MessageDigest md = MessageDigest.getInstance("MD5"); + return md.digest(s.getBytes(StandardCharsets.UTF_8)); + } + private static Optional tryMatchAssignment(Symbol targetSymbol, Tree tree) { if (tree instanceof ExpressionStatementTree) { return tryMatchAssignment(targetSymbol, ((ExpressionStatementTree) tree).getExpression()); From 9402f57024f585235bb5fc6a0ff20e04e4c674f3 Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 18:16:40 +0200 Subject: [PATCH 09/16] Try something --- .github/workflows/codeql.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e8485c6924..e32e6bc79e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,7 +7,6 @@ on: schedule: - cron: '0 4 * * 1' permissions: - actions: read contents: read security-events: write jobs: From 07e6cbf7ec9d257a0bd7a0e8d582ef2bd561c781 Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 18:23:04 +0200 Subject: [PATCH 10/16] Revert "Trigger a violation..." This reverts commit 512648ba1e97d38587dd43e7fd52781b4a3cd5c2. --- .../tech/picnic/errorprone/bugpatterns/DirectReturn.java | 8 -------- 1 file changed, 8 deletions(-) 
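Review bot: `md5Hash` is a deliberate weak-hash canary (`MessageDigest.getInstance("MD5")`) to confirm that code scanning annotates the pull request, which is a reasonable smoke test, but it is an unused `private static` method in the production `DirectReturn` bug checker and must not survive to merge. Once the alert shows up, revert this commit rather than dismissing the alert on the dashboard; if a permanent fixture is wanted, put it under test sources in a class whose name says it is intentional. Whether the default query suite or only `security-extended` flags MD5 here is something the PR annotations will tell you; I have not verified it.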
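Review bot: Dropping `actions: read` from the workflow permissions is fine for a public repository, but the CodeQL starter workflow lists that permission as required for workflows in private repositories, so if this repository is ever made private the `analyze` upload would start failing with a permissions error and nobody would remember why. Either keep the line annotated, `actions: read  # only required for private repositories`, or record the dependency in the workflow header comment.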
diff --git a/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java b/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java index 1da4345d5a..212d0b1245 100644 --- a/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java +++ b/error-prone-contrib/src/main/java/tech/picnic/errorprone/bugpatterns/DirectReturn.java @@ -36,9 +36,6 @@ import com.sun.source.tree.VariableTree; import com.sun.source.util.TreeScanner; import com.sun.tools.javac.code.Symbol; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; import java.util.List; import java.util.Optional; import org.jspecify.annotations.Nullable; @@ -100,11 +97,6 @@ public Description matchBlock(BlockTree tree, VisitorState state) { .orElse(Description.NO_MATCH); } - private static byte[] md5Hash(String s) throws NoSuchAlgorithmException { - MessageDigest md = MessageDigest.getInstance("MD5"); - return md.digest(s.getBytes(StandardCharsets.UTF_8)); - } - private static Optional tryMatchAssignment(Symbol targetSymbol, Tree tree) { if (tree instanceof ExpressionStatementTree) { return tryMatchAssignment(targetSymbol, ((ExpressionStatementTree) tree).getExpression()); From be19419bd654e79c7018e2319939063f868fee36 Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 18:31:31 +0200 Subject: [PATCH 11/16] Trim --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e32e6bc79e..9c3745e5dc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -31,7 +31,7 @@ jobs: languages: ${{ matrix.language }} - name: Perform minimal build if: ${{ matrix.language == 'java' }} - run: mvn -T1C clean install -DskipTests -Dverification.skip + run: mvn -T1C clean install -DskipTests -Dverification.skip - name: Perform CodeQL analysis uses: github/codeql-action/analyze@v2.2.11 with: From a4536e85a790181ae520e93092217b662be3182b Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 18:53:59 +0200 Subject: [PATCH 12/16] Actually, we have plenty of PRs anyway, ~all against master --- .github/workflows/codeql.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9c3745e5dc..a81b3deda2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,11 +1,8 @@ -name: CodeQL +name: CodeQL analysis on: pull_request: - branches: [ master ] push: branches: [ master ] - schedule: - - cron: '0 4 * * 1' permissions: contents: read security-events: write From 050d8c33ad7914f527a772b5a12491e1fbb4013b Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 19:05:26 +0200 Subject: [PATCH 13/16] Changed my mind --- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a81b3deda2..ceb93926ab 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -3,6 +3,8 @@ on: pull_request: push: branches: [ master ] + schedule: + - cron: '0 4 * * 1' permissions: contents: read security-events: write From 8b545b6a9a7b7e5c6f53f7e3f74015874ef09ac4 Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sat, 8 Apr 2023 22:57:12 +0200 Subject: [PATCH 14/16] How about this --- .github/workflows/codeql.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ceb93926ab..bd3cf9554c 100644 --- a/.github/workflows/codeql.yml 
+++ b/.github/workflows/codeql.yml @@ -7,13 +7,14 @@ on: - cron: '0 4 * * 1' permissions: contents: read - security-events: write jobs: analyze: strategy: - fail-fast: false matrix: language: [ java, ruby ] + permissions: + contents: read + security-events: write runs-on: ubuntu-22.04 steps: - name: Check out code @@ -29,7 +30,7 @@ jobs: with: languages: ${{ matrix.language }} - name: Perform minimal build - if: ${{ matrix.language == 'java' }} + if: matrix.language == 'java' run: mvn -T1C clean install -DskipTests -Dverification.skip - name: Perform CodeQL analysis uses: github/codeql-action/analyze@v2.2.11 From 9c9ab0d8e6ea471c6c704a110d8c0020a8a7432b Mon Sep 17 00:00:00 2001 From: Stephan Schroevers Date: Sun, 9 Apr 2023 10:32:43 +0200 Subject: [PATCH 15/16] Document (and move unrelated change elsewhere) --- .github/workflows/build.yaml | 10 +++++----- .github/workflows/codeql.yml | 6 ++++++ 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index df91673645..5eab31a497 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
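Review bot: Removing `fail-fast: false` from the `analyze` matrix restores the default `fail-fast: true`, so a failure in one language's job (say the Ruby extractor on a flaky runner) cancels the other in-flight job and that commit gets no results for the surviving language. The two analyses are independent; keep `fail-fast: false` under `strategy:`. Splitting `permissions` so the workflow default is `contents: read` and only the `analyze` job gets `security-events: write` is a good least-privilege move.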
@@ -29,11 +29,11 @@ jobs: runs-on: ${{ matrix.os }} continue-on-error: ${{ matrix.experimental }} steps: - # We run the build twice for each supported JDK: once against the - # original Error Prone release, using only Error Prone checks available - # on Maven Central, and once against the Picnic Error Prone fork, - # additionally enabling all checks defined in this project and any Error - # Prone checks available only from other artifact repositories. + # We run the build twice for each supported JDK: once against the + # original Error Prone release, using only Error Prone checks available + # on Maven Central, and once against the Picnic Error Prone fork, + # additionally enabling all checks defined in this project and any + # Error Prone checks available only from other artifact repositories. - name: Check out code uses: actions/checkout@v3.1.0 - name: Set up JDK diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bd3cf9554c..671c61f0d5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,3 +1,7 @@ +# Analyzes the code base using Github's default CodeQL query database. +# Identified issues are registered with GitHub's code scanning dashboard. When +# a pull request is analyzed, any offending lines are annotated. See +# https://codeql.github.com for details. name: CodeQL analysis on: pull_request: @@ -19,6 +23,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v3.1.0 + with: + persist-credentials: false - name: Set up JDK uses: actions/setup-java@v3.8.0 with: From d116ef458ef93e6baea538a6fd87a4d0e672186f Mon Sep 17 00:00:00 2001 From: Rick Ossendrijver Date: Sat, 15 Apr 2023 17:18:16 +0200 Subject: [PATCH 16/16] Tiny typo --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 671c61f0d5..f6bcd764dd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
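Review bot: The new header comment says the code is analysed with GitHub's "default CodeQL query database", which mixes up two things: CodeQL builds a database from the checked-out code and runs a query suite against it, and the suite is the default one only because the `init` step is given no `queries:` input. Suggested wording: `# Analyzes the code base using GitHub's default CodeQL query suite; no queries input is set on the init step, so the lower-precision security-extended suite is not enabled.` The `persist-credentials: false` on checkout is a good addition, since nothing after checkout needs the token.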
@@ -1,4 +1,4 @@ -# Analyzes the code base using Github's default CodeQL query database. +# Analyzes the code using GitHub's default CodeQL query database. # Identified issues are registered with GitHub's code scanning dashboard. When # a pull request is analyzed, any offending lines are annotated. See # https://codeql.github.com for details.