From 690561676602f57d96e4e332d6ae9e4c5700fbe9 Mon Sep 17 00:00:00 2001
From: Marcono1234
Date: Thu, 1 May 2025 01:00:33 +0200
Subject: [PATCH] Run CodeQL for GitHub Actions & improve workflows

The CIFuzz workflow has been adjusted based on https://github.com/google/oss-fuzz/blob/cafd7a0eb8ecb4e007c56897996a9b65c49c972f/docs/getting-started/continuous_integration.md
---
 .github/workflows/check-api-compatibility.yml | 2 ++
 .github/workflows/cifuzz.yml | 14 ++++++++++++++
 .github/workflows/codeql-analysis.yml | 16 +++++++++++++---
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/check-api-compatibility.yml b/.github/workflows/check-api-compatibility.yml
index 0616a81d76..7b7e8c392d 100644
--- a/.github/workflows/check-api-compatibility.yml
+++ b/.github/workflows/check-api-compatibility.yml
@@ -3,6 +3,8 @@ name: Check API compatibility
 on: pull_request
+permissions:
+ contents: read # to fetch code (actions/checkout)
 jobs:
 check-api-compatibility:
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 65eafb4870..f2d416cc3f 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
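Review bot: The `permissions:` block added here grants `contents: read` at workflow level, whereas cifuzz.yml in this same commit uses the shape `permissions: {}` at the top with the grant placed on the job; both are read-only, but using one shape in all three workflows makes the token policy easier to audit. If the job-level form is preferred, this hunk becomes `permissions: {}` at the top and `contents: read  # to fetch code (actions/checkout)` under `check-api-compatibility:`. The `check-api-compatibility` job body continues outside the hunk.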
@@ -1,25 +1,39 @@
 name: CIFuzz
 on: [pull_request]
+permissions: {}
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 steps:
 - name: Build Fuzzers
 id: build
+ # Cannot be pinned to commit because there are no releases, see https://github.com/google/oss-fuzz/issues/6836
 uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
 with:
 oss-fuzz-project-name: 'gson'
 dry-run: false
 language: jvm
 - name: Run Fuzzers
+ # Cannot be pinned to commit because there are no releases, see https://github.com/google/oss-fuzz/issues/6836
 uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
 with:
 oss-fuzz-project-name: 'gson'
 fuzz-seconds: 600
 dry-run: false
+ output-sarif: true
 - name: Upload Crash
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: failure() && steps.build.outcome == 'success'
 with:
 name: artifacts
 path: ./out/artifacts
+ - name: Upload Sarif
+ if: always() && steps.build.outcome == 'success'
+ uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: cifuzz-sarif/results.sarif
+ checkout_path: cifuzz-sarif
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ccd5467957..785454c090 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,7 +13,7 @@ jobs:
 analyze:
- name: Analyze
+ name: Analyze (${{ matrix.language }})
 runs-on: ubuntu-latest
 permissions:
 security-events: write
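Review bot: The new `Upload Sarif` step runs under `if: always() && steps.build.outcome == 'success'`, but on `pull_request` runs coming from forks the workflow token is typically read-only regardless of the job-level `security-events: write`, so the SARIF upload is likely to be rejected and turn an otherwise clean fuzzing run red. If fork pull requests are expected, guard the step with a same-repository check, e.g. `if: always() && steps.build.outcome == 'success' && github.event.pull_request.head.repo.full_name == github.repository`, or add `continue-on-error: true` so a rejected upload cannot mask the fuzzing outcome. The two added comments acknowledge that `build_fuzzers@master` and `run_fuzzers@master` cannot be pinned; it would help future readers to note in the same comment that these mutable references should be re-checked whenever the linked issue changes, since they are the only unpinned actions in the workflow.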
@@ -21,13 +21,19 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- language: [ 'java' ]
+ include:
+ - language: java
+ build-mode: manual
+ # GitHub Actions
+ - language: actions
+ build-mode: none
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up JDK 17
+ if: ${{ matrix.language == 'java' }}
 uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
 with:
 distribution: 'temurin'
@@ -39,15 +45,19 @@ jobs:
 uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
 with:
 languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
 # Run all security queries and maintainability and reliability queries
 queries: +security-and-quality
 # Only compile main sources, but ignore test sources because findings for them might not
 # be that relevant (though GitHub security view also allows filtering by source type)
 # Can replace this with github/codeql-action/autobuild action to run complete build
- - name: Compile sources
+ - name: Compile sources (Java)
+ if: ${{ matrix.language == 'java' }}
 run: |
 mvn compile --batch-mode --no-transfer-progress
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+ with:
+ category: "/language:${{ matrix.language }}"
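Review bot: The new `if:` conditions on `Set up JDK 17` in this hunk and on `Compile sources (Java)` in the `@@ -39,15` hunk wrap the expression in `${{ }}`, which `if:` does not require; `if: matrix.language == 'java'` reads the same and matches the bare form `steps.build.outcome == 'success'` used in cifuzz.yml in this commit. The context comment above `Compile sources (Java)` still says the step can be replaced with the `autobuild` action; now that each matrix entry carries `build-mode`, that comment could instead read `# For the java entry this step can be dropped by switching to build-mode: autobuild (runs the complete build)`. The `# GitHub Actions` comment above `- language: actions` would be more useful if it stated why no build is needed, e.g. `# GitHub Actions workflows: interpreted, so no build step (build-mode: none)`. The `Set up JDK 17` step continues past the end of the first hunk, and the second hunk starts inside the CodeQL init step.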