diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..99f04ee
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,5 @@
+name: "CodeQL config"
+
+queries:
+ - name: Use custom query pack (security-and-quality plus critical minus dev)
+ uses: ./.github/codeql/default.qls
diff --git a/.github/codeql/default.qls b/.github/codeql/default.qls
new file mode 100644
index 0000000..469b5b0
--- /dev/null
+++ b/.github/codeql/default.qls
@@ -0,0 +1,21 @@
+# https://github.com/zbazztian/custom-queries/blob/master/cpp/default.qls
+
+# add standard security and quality query set
+- import: codeql-suites/cpp-security-and-quality.qls
+ from: codeql/cpp-queries
+- exclude:
+ id:
+ - cpp/fixme-comment
+ - cpp/short-global-name
+
+# add non-standard queries, which are normally disabled
+- queries: '.'
+ from: codeql/cpp-queries
+- include:
+ id:
+ - cpp/descriptor-may-not-be-closed
+ - cpp/descriptor-never-closed
+ - cpp/file-may-not-be-closed
+ - cpp/file-never-closed
+ - cpp/memory-may-not-be-freed
+ - cpp/memory-never-freed
diff --git a/.github/codeql/qlpack.yml b/.github/codeql/qlpack.yml
new file mode 100644
index 0000000..fd2e14f
--- /dev/null
+++ b/.github/codeql/qlpack.yml
@@ -0,0 +1,3 @@
+name: custom-cpp-query-pack
+version: 1.0.0
+libraryPathDependencies: codeql-cpp
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 873725f..0a24a27 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,8 +11,10 @@ on:
jobs:
analyze:
- name: Analyze Cpp
+ name: Analyze Code
runs-on: ubuntu-22.04
+ env:
+ LLVM_VER: 15
permissions:
# required for all workflows
security-events: write
@@ -27,7 +29,7 @@ jobs:
matrix:
include:
- language: c-cpp
- build-mode: autobuild
+ build-mode: manual
- language: python
build-mode: none
- language: actions
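Review bot: The `queries:` entry in codeql-config.yml is passed to every matrix language via `config-file`, but `./.github/codeql/default.qls` only selects `codeql/cpp-queries`, so the `python` and `actions` jobs receive a suite that resolves to no queries for their language; whether the action skips those silently or fails the job is not visible here, so check the first run of those two jobs or scope the suite to the C/C++ entry. Note also that the config does not set `disable-default-queries: true`, so the default suite still runs alongside this one, which is fine but worth a comment such as `# default code-scanning suite still runs; this suite adds security-and-quality plus the resource-leak queries`.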
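Review bot: The trailing `include` filter in default.qls is intended to keep only the six resource-leak queries out of `- queries: '.'`, but CodeQL filter instructions act on the queries selected by the instructions above them, so verify that the imported security-and-quality set is not narrowed away as well; `codeql resolve queries ./.github/codeql/default.qls` prints the resolved list and settles it. Both `from: codeql/cpp-queries` references carry no `version:` range, so the resolved pack follows whatever the action bundles on a given day; if reproducible findings between runs matter, pin a range on each (`version: <range placeholder>`) and record the reason next to the upstream URL comment.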
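Review bot: `libraryPathDependencies: codeql-cpp` in qlpack.yml is the legacy, pre-package-manager dependency form, while default.qls already addresses the library through the `codeql/cpp-queries` pack; unless the pinned CLI still requires the legacy key, the matching modern form is `dependencies:` with `codeql/cpp-all: "*"`, which keeps both files on the same resolution model. A one-line comment stating which CodeQL CLI version this pack was validated against would also help the next person who bumps the action.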
@@ -48,29 +50,41 @@ jobs:
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
+ config-file: ./.github/codeql/codeql-config.yml
- name: Install dependencies
- if: matrix.language == 'cpp'
+ if: matrix.build-mode == 'manual'
run: |
sudo apt-get -qq update
sudo apt-get install -yqq software-properties-common redis-server
- sudo add-apt-repository -y -s ppa:nerdboy/embedded
sudo add-apt-repository -y -s ppa:ubuntu-toolchain-r/ppa
sudo apt-get -qq update
- sudo apt-get install -y libhiredis-dev autoconf automake
- sudo apt-get install -y libjson-c-dev
+ sudo apt-get install -yqq libjson-c-dev libhiredis-dev libgtest-dev libgmock-dev lcov
sudo systemctl stop redis
- sudo apt-get install -y g++-11 g++-11-multilib
- echo "CC=gcc-11" >> $GITHUB_ENV
- echo "CXX=g++-11" >> $GITHUB_ENV
+ sudo apt-get install -y clang-${{ env.LLVM_VER }} llvm-${{ env.LLVM_VER }} lld-${{ env.LLVM_VER }} llvm-${{ env.LLVM_VER }}-tools g++-multilib
+ echo "CC=clang-${{ env.LLVM_VER }}" >> $GITHUB_ENV
+ echo "CXX=clang++-${{ env.LLVM_VER }}" >> $GITHUB_ENV
+ echo "LLVM_VER_DIR=/usr/lib/llvm-${{ env.LLVM_VER }}" >> $GITHUB_ENV
- if: matrix.build-mode == 'manual'
uses: actions/setup-python@v5
with:
- python-version: "3.10"
+ python-version: "3.11"
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ - if: matrix.build-mode == 'manual'
+ name: Install Tox
+ run: |
+ python -m pip install --upgrade pip
+ pip install tox
+
+ - if: matrix.build-mode == 'manual'
+ name: Build
+ env:
+ CC: ${{ env.CC }}
+ CXX: ${{ env.CXX }}
+ LLVM_VER_DIR: ${{ env.LLVM_VER_DIR }}
+ run: |
+ tox -e clang
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
index ff7c4d3..22eba1d 100644
--- a/.github/workflows/smoke.yml
+++ b/.github/workflows/smoke.yml
@@ -85,7 +85,7 @@ jobs:
build/coverage/html
build/coverage/lcov.info
- check:
+ ci_metrics:
name: Collect metrics
runs-on: ubuntu-22.04
permissions:
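Review bot: `pip install tox` in the new Install Tox step is unpinned, so the manual build that CodeQL analyzes depends on whichever tox release PyPI serves that day; pin it, `pip install 'tox==<pinned version placeholder>'`, the same way the matrix already pins `python-version: "3.11"`. The `env:` block on the Build step re-exports `CC`, `CXX` and `LLVM_VER_DIR` from the `env` context, but the `>> $GITHUB_ENV` writes in Install dependencies already made those job-wide for later steps, so the block is redundant and can be dropped or reduced to a comment explaining where the values come from. While touching those lines, quote the target file, `>> "$GITHUB_ENV"`, to match usual shell hygiene. The `steps:` list this hunk edits begins above the hunk.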
diff --git a/tox.ini b/tox.ini
index ceba42d..1f13325 100644
--- a/tox.ini
+++ b/tox.ini
@@ -76,12 +76,12 @@ commands =
clang: bash -c 'cmake --build . --target coverage'
lcov: lcov_cobertura build/coverage/lcov.info --base-dir {toxinidir} --output coverage.xml
lint: bash -c 'cpplint --output=gsed {toxinidir}/src/* {toxinidir}/inc/*'
- {bionic,tests}: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s -b -r {toxinidir} .
+ {bionic,tests}: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s --txt-metric branch -r {toxinidir} .
bionic: gcovr -r {toxinidir} --xml-pretty -o coverage.xml .
bionic: gcovr -r {toxinidir} --html --html-details -o {toxinidir}/coverage/coverage.html .
{bionic}: bash -c 'RIPC_RUNTIME_DIR=$ENV_RIPC_RUNTIME_DIR {toxinidir}/scripts/run_redis.sh stop'
- ctest: bash -c 'ctest --build-generator {posargs:"Unix Makefiles"} --build-and-test . build --build-options -DWITH_COVERAGE=ON -DCMAKE_BUILD_TYPE=Debug --test-command ctest --rerun-failed --output-on-failure -V'
- ctest: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s -b build/
+ ctest: bash -c 'ctest --build-generator {posargs:"Ninja"} --build-and-test . build --build-options -DWITH_COVERAGE=ON -DCMAKE_BUILD_TYPE=Debug --test-command ctest --rerun-failed --output-on-failure -V'
+ ctest: gcovr --gcov-ignore-parse-errors=negative_hits.warn -s --txt-metric branch build/
cover: gcovr --xml-pretty -o coverage.xml build/
# runtime assertion error without || true => (SIGSEGV)) (exited with code -11)
grind: bash -c 'valgrind --tool=memcheck --xml=yes --xml-file=json_check.xml --leak-check=full --show-leak-kinds=definite,possible --error-exitcode=127 ./json_test || true'
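Review bot: The `ctest` command's default `--build-generator` is now `Ninja`, so every caller of `tox -e ctest` that passes no posargs must have the `ninja-build` package installed, and nothing in this commit adds it (the codeql workflow's Install dependencies step does not list it, though that workflow only runs `tox -e clang`); confirm the smoke.yml environments that run `ctest` install it, or document the requirement with a comment above the line, `# ctest env expects ninja-build unless a generator is given via posargs`. Likewise `--txt-metric branch` replaces `-b` on both gcovr lines and is only understood by newer gcovr releases, so the gcovr pin in the `deps` section (outside this hunk) should be checked to match. The `commands =` block these lines belong to starts above the hunk.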