From 91908316bfbd40b85a8b6cd107b8843ff2517ca2 Mon Sep 17 00:00:00 2001
From: claudiamurialdo <33756655+claudiamurialdo@users.noreply.github.com>
Date: Thu, 19 Oct 2023 10:10:04 -0300
Subject: [PATCH 1/8] Revert "Stop running codeql analysis tool. Static analysis is covered with Veracode and Fortify scanning actions. (#760)"

This reverts commit 29c5eb48b7fe175cb37d3ee0dae891cc3077d22b.
---
 .github/workflows/codeql-analysis.yml | 97 +++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..83bb23249
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,97 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# ******** NOTE ******** + +name: "CodeQL" + +on: + push: + branches: [ master, beta*, release-* ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '28 9 * * 6' + +jobs: + analyze: + name: Analyze + runs-on: windows-2019 + + env: + Configuration: Release + SolutionFile: dotnet\DotNetStandardClasses.sln + + strategy: + fail-fast: false + matrix: + language: [ 'csharp' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more... + # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection + + steps: + # Fixes issue of JVM running out of memory when analyzing the scan results + - name: configure Pagefile + uses: al-cheb/configure-pagefile-action@7e234852c937eea04d6ee627c599fb24a5bfffee # SHA of v1.2 + with: + minimum-size: 8GB + maximum-size: 32GB + disk-root: "D:" + + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main + + - name: Install .NET Core 5.0 + uses: actions/setup-dotnet@v1 + with: + dotnet-version: '5.0.x' + + - name: Install .NET 6 + uses: actions/setup-dotnet@v1 + with: + dotnet-version: '6.0.x' + include-prerelease: True + + - uses: actions/setup-dotnet@v1 + with: + source-url: https://nuget.pkg.github.com/genexuslabs/index.json + env: + NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From 1cd042c6ede208ef081c4c8174df48f7255c79ad Mon Sep 17 00:00:00 2001 From: Claudia Murialdo Date: Thu, 19 Oct 2023 10:12:41 -0300 Subject: [PATCH 2/8] Upgrade codeql deprecated actions. https://github.blog/changelog/2023-01-18-code-scanning-codeql-action-v1-is-now-deprecated/ --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 83bb23249..43deb5e2b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -52,7 +52,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
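Review bot: The re-created workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope instead of the least privilege CodeQL needs: the `Perform CodeQL Analysis` step only requires `security-events: write` plus read on `actions` and `contents`, and the `pull_request` trigger on `master` runs this job for every PR. Pinning is also inconsistent within the hunk: `al-cheb/configure-pagefile-action` is pinned to a full commit SHA, while `actions/checkout@v2`, the `actions/setup-dotnet@v1` steps and the three `github/codeql-action/*@v1` steps use mutable major-version tags that a compromised tag can retarget. Since this commit restores the file verbatim from the revert, these presumably date from the original workflow rather than this change; a top-level `permissions:` block after `name:` is the smallest fix.
```yaml
name: "CodeQL"

# Least-privilege token for the job: code-scanning upload needs security-events: write.
permissions:
  actions: read
  contents: read
  security-events: write

# … unchanged: on:, jobs: …
```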
@@ -80,7 +80,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -94,4 +94,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 From 7809c553f26cfb2060c5f001f17c9efebc2692bb Mon Sep 17 00:00:00 2001 From: Claudia Murialdo Date: Thu, 19 Oct 2023 11:06:20 -0300 Subject: [PATCH 3/8] Remove dotnet5 from scan and upgrade setup dotnet action. --- .github/workflows/codeql-analysis.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 43deb5e2b..3cc8a5161 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -48,7 +48,7 @@ jobs: disk-root: "D:" - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL @@ -60,18 +60,12 @@ jobs: # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main - - name: Install .NET Core 5.0 - uses: actions/setup-dotnet@v1 - with: - dotnet-version: '5.0.x' - - name: Install .NET 6 - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@v2 with: dotnet-version: '6.0.x' - include-prerelease: True - - - uses: actions/setup-dotnet@v1 + + - uses: actions/setup-dotnet@v2 with: source-url: https://nuget.pkg.github.com/genexuslabs/index.json env: @@ -95,3 +89,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" \ No newline at end of file 
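Review bot: The new `category:` lines in the last hunk close the file without a trailing newline (`\ No newline at end of file`); yamllint and most editors flag this, and the next edit to the end of the file will show up as a spurious change to this line, so end the file with a single newline. The `category` value itself is the right fix for a `language` matrix, since the codeql-action requires a distinct category per SARIF upload to the same commit; a one-line comment above it, `# distinct SARIF category per matrix entry so uploads don't overwrite each other`, would spare the next reader a docs lookup.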
From b7cd5dfc33aa29c1d2e6ad43ee8c01723f6c6da3 Mon Sep 17 00:00:00 2001 From: Claudia Murialdo Date: Thu, 19 Oct 2023 11:16:09 -0300 Subject: [PATCH 4/8] Remove unused env var NUGET_AUTH_TOKEN --- .github/workflows/codeql-analysis.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3cc8a5161..a4ab9c411 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -65,12 +65,6 @@ jobs: with: dotnet-version: '6.0.x' - - uses: actions/setup-dotnet@v2 - with: - source-url: https://nuget.pkg.github.com/genexuslabs/index.json - env: - NUGET_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild From b8067483c73826d17eeeb66a65fbc49c71175aac Mon Sep 17 00:00:00 2001 From: Claudia Murialdo Date: Thu, 19 Oct 2023 11:50:04 -0300 Subject: [PATCH 5/8] Install net8 (used in beta) --- .github/workflows/codeql-analysis.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a4ab9c411..e66e5dc0c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -65,6 +65,11 @@ jobs: with: dotnet-version: '6.0.x' + - name: Install .NET 8 + uses: actions/setup-dotnet@v3 + with: + dotnet-version: '8.0.100-rc.1.23455.8' + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild From 7c07aebfbcebca59f8769336e628005e02553950 Mon Sep 17 00:00:00 2001 
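Review bot: The new `Install .NET 8` step pins the exact pre-release build `'8.0.100-rc.1.23455.8'` under `actions/setup-dotnet@v3`, while the `.NET 6` step directly above (per the previous commit in this series) still runs `actions/setup-dotnet@v2` with the floating `'6.0.x'`; two adjacent steps on different action majors and different version styles is a maintenance point worth at least a comment. An RC SDK build is by definition unsupported and goes stale once 8.0 ships, so I'd record the reason the commit message gives in the file: `# .NET 8 RC SDK: needed by the beta* branches; replace with '8.0.x' once 8.0 GA ships`. If `setup-dotnet@v3` supports the `dotnet-quality` input (I believe it does — verify), `dotnet-version: '8.0.x'` with `dotnet-quality: 'preview'` would track the preview channel without hard-coding a build number.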
From: Claudia Murialdo Date: Thu, 19 Oct 2023 13:59:01 -0300 Subject: [PATCH 6/8] Remove step for configuring minim-size memory (which is 7GB in github runner) --- .github/workflows/codeql-analysis.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e66e5dc0c..a899bb71a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,13 +39,6 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - # Fixes issue of JVM running out of memory when analyzing the scan results - - name: configure Pagefile - uses: al-cheb/configure-pagefile-action@7e234852c937eea04d6ee627c599fb24a5bfffee # SHA of v1.2 - with: - minimum-size: 8GB - maximum-size: 32GB - disk-root: "D:" - name: Checkout repository uses: actions/checkout@v3 From 4323c44e096eef44d6747355976eda0c202043fd Mon Sep 17 00:00:00 2001 From: Claudia Murialdo Date: Thu, 19 Oct 2023 17:20:15 -0300 Subject: [PATCH 7/8] Change to windows-latest. Upgrade setup-dotnet@v2 to setup-dotnet@v3 --- .github/workflows/codeql-analysis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a899bb71a..4fe8607c6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -24,7 +24,7 @@ on: jobs: analyze: name: Analyze - runs-on: windows-2019 + runs-on: windows-latest env: Configuration: Release @@ -54,7 +54,7 @@ jobs: # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Install .NET 6 - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@v3 with: dotnet-version: '6.0.x' From d2e5c9d77b7845700bc6d14588d76d0c73e32182 Mon Sep 17 00:00:00 2001 
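Review bot: `runs-on: windows-latest` makes the runner image a moving target for a security-scanning job: the image, with its preinstalled SDKs, the Java runtime CodeQL depends on and other tool versions, changes whenever GitHub re-points the label, so a scan that passes today can fail or silently change its findings later with no change in this repository. The previous `windows-2019` at least named a fixed image; `runs-on: windows-2022` (the image `windows-latest` currently resolves to, I believe — confirm against the runner-images changelog) keeps the upgrade while staying explicit. With the SHA-pinned pagefile step removed in the previous commit, every `uses:` in the file is now a mutable tag; pinning at least the `github/codeql-action/*` steps to a full commit SHA would restore a supply-chain anchor.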
From: Claudia Murialdo Date: Fri, 20 Oct 2023 13:59:03 -0300 Subject: [PATCH 8/8] Enable debug to obtain source files scanned by CodeQL. --- .github/workflows/codeql-analysis.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4fe8607c6..99baa795e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -47,11 +47,8 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: + debug: true languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Install .NET 6 uses: actions/setup-dotnet@v3
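Review bot: `debug: true` on `github/codeql-action/init` makes the action upload its debug artifacts (per its documented debug mode: the CodeQL database, logs and intermediates) on every run — the scheduled run and every `pull_request` on `master` included — while the commit message frames this as a one-off to list the scanned source files. Leaving it on permanently inflates artifact storage and, on a public repository, presumably makes the full extracted source database downloadable by anyone with read access; I'd either revert it once the file list has been obtained, or gate it as `debug: ${{ runner.debug == '1' }}` (if the `runner.debug` context is available here — verify) so re-running a job with debug logging turns it on. The four `# queries:` guidance comments removed here were also the only hint in the file that custom queries can be supplied; a one-line `# see init's 'queries' input to add custom query packs` keeps that pointer.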