diff options
Diffstat (limited to '.github/workflows/codeql-analysis.yml')
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 144 |
1 files changed, 114 insertions, 30 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 22c5cc03df..c7d0def7ae 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,40 +1,124 @@ -name: "Code scanning - action" +name: 'CodeQL' on: push: + branches: ['master'] + paths-ignore: + - 'doc/**' + - '**/man' + - '**.md' + - '**.rdoc' + - '**/.document' + - '.*.yml' pull_request: + paths-ignore: + - 'doc/**' + - '**/man' + - '**.md' + - '**.rdoc' + - '**/.document' + - '.*.yml' schedule: - - cron: '0 12 * * 4' + - cron: '0 12 * * *' + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }} + cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }} + +permissions: # added using https://github.com/step-security/secure-workflows + contents: read jobs: - CodeQL-Build: + analyze: + name: Analyze + runs-on: ${{ matrix.os }} + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report + # CodeQL fails to run pull requests from dependabot due to missing write access to upload results. + if: >- + ${{!(false + || contains(github.event.head_commit.message, '[DOC]') + || contains(github.event.head_commit.message, 'Document') + || contains(github.event.pull_request.title, '[DOC]') + || contains(github.event.pull_request.title, 'Document') + || contains(github.event.pull_request.labels.*.name, 'Document') + || (github.event_name == 'push' && github.actor == 'dependabot[bot]') + )}} + + env: + enable_install_doc: no - # CodeQL runs on ubuntu-latest and windows-latest - runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - language: cpp + os: ubuntu-latest + # ruby analysis used large memory. We need to use a larger runner. + - language: ruby + os: ${{ github.repository == 'ruby/ruby' && 'macos-arm-oss' || 'ubuntu-latest' }} steps: - - name: Install libraries - run: | - set -x - sudo apt-get update -q || : - sudo apt-get install --no-install-recommends -q -y build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm-dev bison autoconf ruby - - - name: Checkout repository - uses: actions/checkout@v2 - with: - fetch-depth: 2 - - - name: Remove an obsolete rubygems vendored file - run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb - - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: cpp - config-file: ./.github/codeql/codeql-config.yml - - - name: Autobuild - uses: github/codeql-action/autobuild@v1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + - name: Checkout repository + uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + + - name: Install libraries + if: ${{ contains(matrix.os, 'macos') }} + uses: ./.github/actions/setup/macos + + - name: Install libraries + if : ${{ matrix.os == 'ubuntu-latest' }} + uses: ./.github/actions/setup/ubuntu + + - uses: ./.github/actions/setup/directories + + - name: Remove an obsolete rubygems vendored file + if: ${{ matrix.os == 'ubuntu-latest' }} + run: sudo rm /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb + + - name: Initialize CodeQL + uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + with: + category: '/language:${{ matrix.language }}' + upload: False + output: sarif-results + + - name: filter-sarif + uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1 + with: + patterns: | + +**/*.rb + -lib/uri/mailto.rb:rb/overly-large-range + -lib/uri/rfc3986_parser.rb:rb/overly-large-range + -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range + -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range + -test/ruby/test_io.rb:rb/non-constant-kernel-open + -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open + -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/binread_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/readlines_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/foreach_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/write_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/io/read_spec.rb:rb/non-constant-kernel-open + -spec/ruby/core/kernel/open_spec.rb:rb/non-constant-kernel-open + input: sarif-results/${{ matrix.language }}.sarif + output: sarif-results/${{ matrix.language }}.sarif + if: ${{ matrix.language == 'ruby' }} + continue-on-error: true + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + with: + sarif_file: sarif-results/${{ matrix.language }}.sarif + continue-on-error: true |