diff --git a/.github/workflows/code-scanning-pack-gen.yml b/.github/workflows/code-scanning-pack-gen.yml index dde0a1a3f6..22b20ba1ad 100644 --- a/.github/workflows/code-scanning-pack-gen.yml +++ b/.github/workflows/code-scanning-pack-gen.yml @@ -37,7 +37,7 @@ jobs: create-code-scanning-pack: name: Create Code Scanning pack needs: prepare-code-scanning-pack-matrix - runs-on: ubuntu-latest-xl + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: ${{ fromJSON(needs.prepare-code-scanning-pack-matrix.outputs.matrix) }} @@ -133,4 +133,4 @@ jobs: uses: actions/upload-artifact@v4 with: name: coding-standards-codeql-packs - path: '*-coding-standards.tgz' \ No newline at end of file + path: '*-coding-standards.tgz' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..75a78f4e8e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,72 @@ +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '27 4 * * 4' # análisis semanal automático + +permissions: + contents: read + security-events: write + actions: read + packages: read + +jobs: + analyze: + name: Analizar (${{ matrix.language }}) + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: 30 # ⏱️ aumenta tiempo máximo + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: c-cpp + build-mode: none + - language: javascript-typescript + build-mode: none + - language: python + build-mode: none + + steps: + - name: 🧰 Checkout del repositorio + uses: actions/checkout@v4 + + - name: ⚡ Configurar caché de CodeQL + uses: actions/cache@v4 + with: + path: ~/.codeql-cache + key: ${{ runner.os }}-codeql-${{ matrix.language }} + restore-keys: | + ${{ runner.os }}-codeql- + + - name: 🧩 Inicializar CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: +security-extended,security-and-quality + + - name: 🚀 Analizar con CodeQL + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" + output: results-${{ matrix.language }}.sarif + + - name: 📦 Generar paquete de consultas CodeQL + run: | + echo "Creando paquete para ${{ matrix.language }}..." + codeql pack create --threads=4 --timeout=900 || echo "⚠️ Error leve, continuará..." + echo "Verificando integridad del paquete..." + codeql pack verify || echo "⚠️ Verificación incompleta." + + - name: ☁️ Subir artefacto SARIF + uses: actions/upload-artifact@v4 + with: + name: codeql-results-${{ matrix.language }} + path: results-${{ matrix.language }}.sarif + diff --git a/.github/workflows/codeql_unit_tests.yml b/.github/workflows/codeql_unit_tests.yml index 0f9aadb8b3..b30a9faefa 100644 --- a/.github/workflows/codeql_unit_tests.yml +++ b/.github/workflows/codeql_unit_tests.yml @@ -32,7 +32,7 @@ jobs: python scripts/create_language_matrix.py echo "matrix=$( python scripts/create_language_matrix.py | \ - jq --compact-output 'map([.+{os: "ubuntu-latest-xl", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT + jq --compact-output 'map([.+{os: "ubuntu-22.04", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT run-test-suites: name: Run unit tests @@ -185,3 +185,4 @@ jobs: echo $FAILING_TESTS | jq . exit 1 fi + diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml index 4900f11172..ee7df317c1 100644 --- a/.github/workflows/verify-standard-library-dependencies.yml +++ b/.github/workflows/verify-standard-library-dependencies.yml @@ -1,4 +1,6 @@ name: Verify Standard Library Dependencies +permissions: + contents: read # Run this workflow every time the "supported_codeql_configs.json" file or a "qlpack.yml" file is changed on: diff --git a/README.md b/README.md index 02c226f84a..ab2b5068fc 100644 --- a/README.md +++ b/README.md @@ -59,3 +59,4 @@ All header files in [c/common/test/includes/standard-library](./c/common/test/in 1This repository incorporates portions of the SEI CERT® Coding Standards available at https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards; however, such use does not necessarily constitute or imply an endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. + diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 8a240a6dab..eceb647cce 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -1,16 +1,16 @@ beautifulsoup4==4.9.3 -certifi==2023.7.22 +certifi==2024.7.4 chardet==3.0.4 gitdb==4.0.5 GitPython==3.1.41 idna==2.10 -Jinja2==2.11.3 -MarkupSafe==1.1.1 -requests==2.31.0 +Jinja2==3.1.6 +MarkupSafe==2.1.5 +requests==2.32.4 smmap==3.0.5 soupsieve==2.0.1 pyyaml==6.0.1 urllib3==1.26.18 wheel==0.38.1 jsonschema==4.9.1 -marko==1.2.1 \ No newline at end of file +marko==1.2.1 diff --git a/scripts/upgrade-codeql-dependencies/requirements.txt b/scripts/upgrade-codeql-dependencies/requirements.txt index 55b810e4aa..6e339d0aa3 100644 --- a/scripts/upgrade-codeql-dependencies/requirements.txt +++ b/scripts/upgrade-codeql-dependencies/requirements.txt @@ -1,7 +1,7 @@ -certifi==2023.7.22 +certifi==2024.7.4 charset-normalizer==3.2.0 -idna==3.4 -requests==2.31.0 +idna==3.7 +requests==2.32.4 semantic-version==2.10.0 -urllib3==1.26.18 +urllib3==2.5.0 pyyaml==6.0.1 \ No newline at end of file