Merge pull request #3606 from vicentebolea/add-codeql-workflow

Add automated vulnerability code analysis using CodeQL.
ornladios · Aug 17, 2023 · 06c8fec · 06c8fec
2 parents 803f745 + e7f4ef0
commit 06c8fec
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/.github/workflows/everything.yml b/.github/workflows/everything.yml
@@ -492,6 +492,60 @@ jobs:
       - name: Test
         run: /opt/adios2/source/testing/contract/${{ matrix.code }}/test.sh
 
+#######################################
+# Code analysis builds
+#######################################
+
+  analyze:
+    needs: [format, git_checks]
+    name: CodeQL
+    runs-on: ubuntu-latest
+    container:
+      image: 'ghcr.io/ornladios/adios2:ci-spack-ubuntu20.04-gcc8'
+      env:
+        GH_YML_JOBNAME: ubuntu20.04-gcc8-serial-codeql
+        GH_YML_BASE_OS: Linux
+        GH_YML_MATRIX_OS: ubuntu20.04
+        GH_YML_MATRIX_COMPILER: gcc8
+        GH_YML_MATRIX_PARALLEL: serial
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        path: gha
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        path: source
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        config: |
+          paths-ignore:
+            - source/thirdparty/
+    - name: Setup
+      run: gha/scripts/ci/gh-actions/linux-setup.sh
+    - name: Update
+      run: gha/scripts/ci/gh-actions/run.sh update
+    - name: Configure
+      run: gha/scripts/ci/gh-actions/run.sh configure
+    - name: Build
+      run: gha/scripts/ci/gh-actions/run.sh build
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
+
 #######################################
 # Workaround for skipping matrix jobs
 #######################################

diff --git a/scripts/ci/cmake/ci-ubuntu20.04-gcc8-serial-codeql.cmake b/scripts/ci/cmake/ci-ubuntu20.04-gcc8-serial-codeql.cmake
@@ -0,0 +1,35 @@
+set(ENV{CC}  gcc)
+set(ENV{CXX} g++)
+set(ENV{FC}  gfortran)
+
+execute_process(
+  COMMAND "python3-config" "--prefix"
+  OUTPUT_VARIABLE PY_ROOT
+  OUTPUT_STRIP_TRAILING_WHITESPACE)
+
+set(dashboard_cache "
+ADIOS2_USE_BZip2:BOOL=ON
+ADIOS2_USE_Blosc:BOOL=ON
+ADIOS2_USE_DataMan:BOOL=ON
+ADIOS2_USE_Fortran:BOOL=ON
+ADIOS2_USE_HDF5:BOOL=ON
+ADIOS2_USE_MPI:BOOL=OFF
+ADIOS2_USE_Python:BOOL=ON
+ADIOS2_USE_SZ:BOOL=ON
+ADIOS2_USE_ZeroMQ:STRING=ON
+ADIOS2_USE_ZFP:BOOL=ON
+
+Python_ROOT_DIR:PATH=${PY_ROOT}
+Python_FIND_STRATEGY:STRING=LOCATION
+Python_FIND_FRAMEWORK:STRING=FIRST
+
+CMAKE_C_COMPILER_LAUNCHER=ccache
+CMAKE_CXX_COMPILER_LAUNCHER=ccache
+CMAKE_C_FLAGS:STRING=-Wall
+CMAKE_CXX_FLAGS:STRING=-Wall
+CMAKE_Fortran_FLAGS:STRING=-Wall
+")
+
+set(CTEST_CMAKE_GENERATOR "Ninja")
+list(APPEND CTEST_UPDATE_NOTES_FILES "${CMAKE_CURRENT_LIST_FILE}")
+include(${CMAKE_CURRENT_LIST_DIR}/ci-common.cmake)