Filter vendor and test CodeQL results (#2243)

Skip scanning for files under the `test/` or `vendor/` directories, or
for `_test.go` files.

Neither the Go nor the C/C++ CodeQL scanning supports the `path-ignore` config
options, raising the warning:
```
Path filters have no effect for Go
Go does not support path-based filtering. The paths and paths-ignore configuration properties will have no effect for this language.
```

Use the recommended `advanced-security/filter-sarif` action to instead
filter results, based on [provided
example](https://github.com/advanced-security/filter-sarif?tab=readme-ov-file#example).

Remove the config file since there is nothing to configure.

Additionally, build the `securitypolicy.exe` and `dmverity-vhd` binaries
during CodeQL, and `securitypolicy` during the normal build CI.

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
Hamza El-Saawy 2024-08-23 10:15:11 -04:00, committed by GitHub
Parent 00640ef8d7
Commit e7a1be7061
No known key found for this signature
GPG key ID: B5690EEEBB952194
3 changed files: 45 additions and 11 deletions

10
.github/codeql/codeql-config.yml (vendored)

@ -1,10 +0,0 @@
name: "CodeQL config"
# uncomment to run extra queries:
# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs
# queries:
# - uses: security-and-quality
paths-ignore:
- "/vendor/"
- "/test/"
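Review bot: deleting the whole file also drops the commented pointer to the `security-and-quality` query suite; if that suite is ever wanted, it now has to go through the `queries:` input of `codeql-action/init` rather than a `config-file`, which is worth a one-line note in the workflow comment so the next person does not go looking for the config.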

6
.github/workflows/ci.yml (vendored)

@ -698,6 +698,11 @@ jobs:
name: Build networkagent.exe
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/securitypolicy
name: Build securitypolicy.exe
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/securitypolicy
name: Build securitypolicy
env:
GOOS: linux
GOARCH: amd64
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/uvmboot
name: Build uvmboot.exe
- run: ${{ env.GO_BUILD_CMD }} ./internal/tools/zapdir
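Review bot: the new step is named `Build securitypolicy` right next to `Build securitypolicy.exe`, which reads as a duplicate in the job log; since the only difference is the `GOOS: linux` / `GOARCH: amd64` environment, naming it `Build securitypolicy (linux)` makes the cross-compile obvious without opening the step.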
@ -719,6 +724,7 @@ jobs:
grantvmgroupaccess.exe
networkagent.exe
securitypolicy.exe
securitypolicy
uvmboot.exe
zapdir.exe

40
.github/workflows/codeql.yml (vendored)

@ -68,12 +68,14 @@ jobs:
internal/tools/extendedtask,
internal/tools/grantvmgroupaccess,
internal/tools/networkagent,
internal/tools/securitypolicy
internal/tools/uvmboot,
internal/tools/zapdir,
- goos: linux
language: go, c-cpp
targets: >-
cmd/dmverity-vhd,
cmd/gcs,
cmd/gcstools,
cmd/hooks/wait-paths,
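Review bot: the added `internal/tools/securitypolicy` line lacks the trailing comma every neighbouring entry carries; because `targets` is a `>-` folded scalar, the lines are joined with spaces, so a consumer that splits on commas would see `internal/tools/securitypolicy internal/tools/uvmboot` as one target and silently build neither. Suggest `internal/tools/securitypolicy,`.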
@ -100,7 +102,6 @@ jobs:
with:
build-mode: manual
languages: ${{matrix.language}}
config-file: ./.github/codeql/codeql-config.yml
# build binaries
- name: Build go binaries
@ -122,7 +123,44 @@ jobs:
if: ${{ matrix.goos == 'linux' }}
run: make bin/vsockexec bin/init
# only upload results if the analysis fails
# otherwise, save the output and use `advanced-security/filter-sarif` to filter paths
- name: CodeQL Analyze
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
output: sarif-results
upload: failure-only
- name: Filter Go SARIF Results
uses: advanced-security/filter-sarif@v1
with:
patterns: |
+**/*.go
-**/*_test.go
-test/**/*.go
-vendor/**/*.go
input: sarif-results/go.sarif
output: sarif-results/go.sarif
- name: Filter C/C++ SARIF Results
uses: advanced-security/filter-sarif@v1
if: ${{ matrix.goos == 'linux' }}
with:
patterns: |
+**/*
-vendor/**/*
input: sarif-results/cpp.sarif
output: sarif-results/cpp.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results
- name: Upload SARIF Results as Build Artifact
uses: actions/upload-artifact@v4
with:
name: sarif-results-${{ matrix.goos }}
path: sarif-results
retention-days: 1
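Review bot: the two filter steps exclude different things: the Go filter drops `-**/*_test.go`, `-test/**/*.go` and `-vendor/**/*.go`, while the C/C++ filter keeps `+**/*` and drops only `-vendor/**/*`, so C sources under `test/` are still reported. If that asymmetry is intended, say so in the comment above the step; otherwise mirror the Go exclusions with a `-test/**/*` pattern so the two languages are filtered the way the commit message describes.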