github · AndresMaqueo · Aug 5, 2025 · Aug 5, 2025 · Aug 9, 2025 · Aug 9, 2025
diff --git a/.github/workflows/code-scanning-pack-gen.yml b/.github/workflows/code-scanning-pack-gen.yml
@@ -37,7 +37,7 @@ jobs:
   create-code-scanning-pack:
     name: Create Code Scanning pack
     needs: prepare-code-scanning-pack-matrix
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON(needs.prepare-code-scanning-pack-matrix.outputs.matrix) }}
@@ -133,4 +133,4 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: coding-standards-codeql-packs
-          path: '*-coding-standards.tgz'
+          path: '*-coding-standards.tgz'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,72 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '27 4 * * 4' # análisis semanal automático
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+  packages: read
+
+jobs:
+  analyze:
+    name: Analizar (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: 30  # ⏱️ aumenta tiempo máximo
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: c-cpp
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+          - language: python
+            build-mode: none
+
+    steps:
+      - name: 🧰 Checkout del repositorio
+        uses: actions/checkout@v4
+
+      - name: ⚡ Configurar caché de CodeQL
+        uses: actions/cache@v4
+        with:
+          path: ~/.codeql-cache
+          key: ${{ runner.os }}-codeql-${{ matrix.language }}
+          restore-keys: |
+            ${{ runner.os }}-codeql-
+
+      - name: 🧩 Inicializar CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: +security-extended,security-and-quality
+
+      - name: 🚀 Analizar con CodeQL
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
+          output: results-${{ matrix.language }}.sarif
+
+      - name: 📦 Generar paquete de consultas CodeQL
+        run: |
+          echo "Creando paquete para ${{ matrix.language }}..."
+          codeql pack create --threads=4 --timeout=900 || echo "⚠️ Error leve, continuará..."
+          echo "Verificando integridad del paquete..."
+          codeql pack verify || echo "⚠️ Verificación incompleta."
+
+      - name: ☁️ Subir artefacto SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          name: codeql-results-${{ matrix.language }}
+          path: results-${{ matrix.language }}.sarif
+
diff --git a/.github/workflows/codeql_unit_tests.yml b/.github/workflows/codeql_unit_tests.yml
@@ -32,7 +32,7 @@ jobs:
           python scripts/create_language_matrix.py
           echo "matrix=$(
             python scripts/create_language_matrix.py | \
-            jq --compact-output 'map([.+{os: "ubuntu-latest-xl", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT
+            jq --compact-output 'map([.+{os: "ubuntu-22.04", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT
 
   run-test-suites:
     name: Run unit tests
@@ -185,3 +185,4 @@ jobs:
             echo $FAILING_TESTS | jq .
             exit 1
           fi
+
diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml
@@ -1,4 +1,6 @@
 name: Verify Standard Library Dependencies
+permissions:
+  contents: read
 
 # Run this workflow every time the "supported_codeql_configs.json" file or a "qlpack.yml" file is changed
 on:

diff --git a/README.md b/README.md
@@ -59,3 +59,4 @@ All header files in [c/common/test/includes/standard-library](./c/common/test/in
 <sup>1</sup>This repository incorporates portions of the SEI CERT® Coding Standards available at https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards; however, such use does not necessarily constitute or imply an endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
 
 
+
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
@@ -1,16 +1,16 @@
 beautifulsoup4==4.9.3
-certifi==2023.7.22
+certifi==2024.7.4
 chardet==3.0.4
 gitdb==4.0.5
 GitPython==3.1.41
 idna==2.10
-Jinja2==2.11.3
-MarkupSafe==1.1.1
-requests==2.31.0
+Jinja2==3.1.6
+MarkupSafe==2.1.5
+requests==2.32.4
 smmap==3.0.5
 soupsieve==2.0.1
 pyyaml==6.0.1
 urllib3==1.26.18
 wheel==0.38.1
 jsonschema==4.9.1
-marko==1.2.1
+marko==1.2.1
diff --git a/scripts/upgrade-codeql-dependencies/requirements.txt b/scripts/upgrade-codeql-dependencies/requirements.txt
@@ -1,7 +1,7 @@
-certifi==2023.7.22
+certifi==2024.7.4
 charset-normalizer==3.2.0
-idna==3.4
-requests==2.31.0
+idna==3.7
+requests==2.32.4
 semantic-version==2.10.0
-urllib3==1.26.18
+urllib3==2.5.0
 pyyaml==6.0.1
Original file line number	Diff line number	Diff line change
Expand Up		@@ -59,3 +59,4 @@ All header files in [c/common/test/includes/standard-library](./c/common/test/in
		<sup>1</sup>This repository incorporates portions of the SEI CERT® Coding Standards available at https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards; however, such use does not necessarily constitute or imply an endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.