Add CodeQL for GitHub code scanning (#1548)

* Create codeql.yml * Addressing codeql findings
2025-03-01 10:33:28 +00:00 · 2022-12-27 08:36:10 +01:00
parent 1189f86c1a
commit 6fa7bab6f7
83 changed files with 1984 additions and 2094 deletions
--- a/.github/config/codeql.yml
+++ b/.github/config/codeql.yml
@@ -0,0 +1,4 @@
+name: "CodeQL config"
+paths-ignore:
+  - 'dependencies/external/'
+  - 'assets/webconfig/js/lib'
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,76 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: "36 18 * * 4"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ python, javascript, cpp ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Install Packages (cpp)
+        if: ${{ matrix.language == 'cpp' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes git cmake build-essential qtbase5-dev libqt5serialport5-dev libqt5sql5-sqlite libqt5svg5-dev libqt5x11extras5-dev libusb-1.0-0-dev python3-dev libcec-dev libxcb-image0-dev libxcb-util0-dev libxcb-shm0-dev libxcb-render0-dev libxcb-randr0-dev libxrandr-dev libxrender-dev libavahi-core-dev libavahi-compat-libdnssd-dev libturbojpeg0-dev libjpeg-dev libssl-dev
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+          config-file: ./.github/config/codeql.yml
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"
+          upload: False
+          output: sarif-results
+
+      - name: Filter SARIF
+        uses: advanced-security/filter-sarif@v1
+        with:
+          patterns: |
+            -**/dependencies/**
+            -**/moc_*.cpp
+            -**/libsrc/flatbufserver/hyperion_request_generated.h
+            -**/libsrc/protoserver/message.pb.cc
+            -**/libsrc/protoserver/message.pb.h
+          input: sarif-results/${{ matrix.language }}.sarif
+          output: sarif-results/${{ matrix.language }}.sarif
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif-results/${{ matrix.language }}.sarif
+      - name: Upload loc as a Build Artifact
+        uses: actions/upload-artifact@v2.2.0
+        with:
+          name: sarif-results
+          path: sarif-results
+          retention-days: 1
+