chg: dev: migrate codeql to config file with custom query pack

sarnold · sarnold · commit 4b94a0f3cdee · 2025-03-02T15:35:28.000-08:00
Signed-off-by: Stephen L Arnold &lt;sarnold@vctlabs.com&gt;
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1,5 @@
+name: "CodeQL config"
+
+queries:
+  - name: Use custom query pack (security-and-quality plus critical minus dev)
+    uses: ./.github/codeql/default.qls
diff --git a/.github/codeql/default.qls b/.github/codeql/default.qls
@@ -0,0 +1,21 @@
+# https://github.com/zbazztian/custom-queries/blob/master/cpp/default.qls
+
+# add standard security and quality query set
+- import: codeql-suites/cpp-security-and-quality.qls
+  from: codeql/cpp-queries
+- exclude:
+    id:
+      - cpp/fixme-comment
+      - cpp/short-global-name
+
+# add non-standard queries, which are normally disabled
+- queries: '.'
+  from: codeql/cpp-queries
+- include:
+    id:
+    - cpp/descriptor-may-not-be-closed
+    - cpp/descriptor-never-closed
+    - cpp/file-may-not-be-closed
+    - cpp/file-never-closed
+    - cpp/memory-may-not-be-freed
+    - cpp/memory-never-freed
diff --git a/.github/codeql/qlpack.yml b/.github/codeql/qlpack.yml
@@ -0,0 +1,3 @@
+name: custom-cpp-query-pack
+version: 1.0.0
+libraryPathDependencies: codeql-cpp
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -11,8 +11,10 @@ on:
 
 jobs:
   analyze:
-    name: Analyze Cpp
+    name: Analyze Code
     runs-on: ubuntu-22.04
+    env:
+      LLVM_VER: 15
     permissions:
       # required for all workflows
       security-events: write
@@ -27,7 +29,7 @@ jobs:
       matrix:
         include:
         - language: c-cpp
-          build-mode: autobuild
+          build-mode: manual
         - language: python
           build-mode: none
         - language: actions
@@ -48,29 +50,41 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yml
 
     - name: Install dependencies
-      if: matrix.language == 'cpp'
+    - if: matrix.build-mode == 'manual'
       run: |
         sudo apt-get -qq update
         sudo apt-get install -yqq software-properties-common redis-server
-        sudo add-apt-repository -y -s ppa:nerdboy/embedded
         sudo add-apt-repository -y -s ppa:ubuntu-toolchain-r/ppa
         sudo apt-get -qq update
-        sudo apt-get install -y libhiredis-dev autoconf automake
-        sudo apt-get install -y libjson-c-dev
+        sudo apt-get install -yqq libjson-c-dev libhiredis-dev libgtest-dev libgmock-dev lcov
         sudo systemctl stop redis
-        sudo apt-get install -y g++-11 g++-11-multilib
-        echo "CC=gcc-11" >> $GITHUB_ENV
-        echo "CXX=g++-11" >> $GITHUB_ENV
+        sudo apt-get install -y clang-${{ env.LLVM_VER }} llvm-${{ env.LLVM_VER }} lld-${{ env.LLVM_VER }} llvm-${{ env.LLVM_VER }}-tools g++-multilib
+        echo "CC=clang-${{ env.LLVM_VER }}" >> $GITHUB_ENV
+        echo "CXX=clang++-${{ env.LLVM_VER }}" >> $GITHUB_ENV
+        echo "LLVM_VER_DIR=/usr/lib/llvm-${{ env.LLVM_VER }}" >> $GITHUB_ENV
 
     - if: matrix.build-mode == 'manual'
       uses: actions/setup-python@v5
       with:
-        python-version: "3.10"
+        python-version: "3.11"
+
+    - if: matrix.build-mode == 'manual'
+      name: Install Tox
+      run: |
+        python -m pip install --upgrade pip
+        pip install tox
 
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+    - if: matrix.build-mode == 'manual'
+      name: Build
+      env:
+        CC: ${{ env.CC }}
+        CXX: ${{ env.CXX }}
+        LLVM_VER_DIR: ${{ env.LLVM_VER_DIR }}
+      run: |
+        tox -e clang
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
@@ -85,7 +85,7 @@ jobs:
           build/coverage/html
           build/coverage/lcov.info
 
-  check:
+  ci_metrics:
     name: Collect metrics
     runs-on: ubuntu-22.04
     permissions:
diff --git a/tox.ini b/tox.ini
@@ -76,12 +76,12 @@ commands =
     clang: bash -c 'cmake --build . --target coverage'
     lcov: lcov_cobertura build/coverage/lcov.info --base-dir {toxinidir} --output coverage.xml
     lint: bash -c 'cpplint --output=gsed {toxinidir}/src/* {toxinidir}/inc/*'
-    {bionic,tests}: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s -b -r {toxinidir} .
+    {bionic,tests}: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s --txt-metric branch -r {toxinidir} .
     bionic: gcovr -r {toxinidir} --xml-pretty -o coverage.xml .
     bionic: gcovr -r {toxinidir} --html --html-details -o {toxinidir}/coverage/coverage.html .
     {bionic}: bash -c 'RIPC_RUNTIME_DIR=$ENV_RIPC_RUNTIME_DIR {toxinidir}/scripts/run_redis.sh stop'
-    ctest: bash -c 'ctest --build-generator {posargs:"Unix Makefiles"} --build-and-test . build --build-options -DWITH_COVERAGE=ON -DCMAKE_BUILD_TYPE=Debug --test-command ctest --rerun-failed --output-on-failure -V'
-    ctest: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s -b build/
+    ctest: bash -c 'ctest --build-generator {posargs:"Ninja"} --build-and-test . build --build-options -DWITH_COVERAGE=ON -DCMAKE_BUILD_TYPE=Debug --test-command ctest --rerun-failed --output-on-failure -V'
+    ctest: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s --txt-metric branch build/
     cover: gcovr --xml-pretty -o coverage.xml build/
     # runtime assertion error without || true =>  (SIGSEGV)) (exited with code -11)
     grind: bash -c 'valgrind --tool=memcheck --xml=yes --xml-file=json_check.xml --leak-check=full --show-leak-kinds=definite,possible --error-exitcode=127 ./json_test || true'

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+name: custom-cpp-query-pack`
	`2`	`+version: 1.0.0`
	`3`	`+libraryPathDependencies: codeql-cpp`