diff --git a/.github/scripts/codeql_buildscript.sh b/.github/scripts/codeql_buildscript.sh index 99060af8f4..dfc5faef34 100755 --- a/.github/scripts/codeql_buildscript.sh +++ b/.github/scripts/codeql_buildscript.sh @@ -19,9 +19,20 @@ sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://gith popd # libtinfo.so.5 for /opt/llvm-18.1.8/lib/libomptarget.rtl.amdgpu.so.18.1 +# Install the libtinfo5 compat package at the same ncurses version as the +# runner's already-installed libtinfo6; fall back to the newest one in the +# pool. A hard-coded URL 404s once the ncurses point release is bumped, which +# then breaks the wamrc link against libomptarget (NCURSES_TINFO_5 symbols). sudo apt -qq update -wget http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb -sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb +nc_pool="http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses" +nc_ver="$(dpkg-query -W -f='${Version}' libtinfo6)" +libtinfo5_deb="libtinfo5_${nc_ver}_amd64.deb" +if ! wget -q "${nc_pool}/${libtinfo5_deb}"; then + libtinfo5_deb="$(wget -qO- "${nc_pool}/" \ + | grep -oE 'libtinfo5_[0-9][^"]*_amd64\.deb' | sort -Vu | tail -1)" + wget -q "${nc_pool}/${libtinfo5_deb}" +fi +sudo apt install -y -qq "./${libtinfo5_deb}" # Start the build process WAMR_DIR=${PWD} diff --git a/.github/scripts/codeql_fail_on_error.py b/.github/scripts/codeql_fail_on_error.py index f150c38a25..1a6bcdba56 100755 --- a/.github/scripts/codeql_fail_on_error.py +++ b/.github/scripts/codeql_fail_on_error.py @@ -61,9 +61,15 @@ def codeql_sarif_contain_error(filename, dismissed_alerts): s = json.load(f) for run in s.get("runs", []): - rules_metadata = run["tool"]["driver"]["rules"] + # Rule metadata isn't always in one place: CodeQL keeps it on the tool + # driver, but rules contributed by a query-pack extension live on that + # extension instead, and the driver's list is empty when nothing fired. + # So read the driver rules, then fall back to gathering them from the + # extensions rather than assuming a fixed location. + rules_metadata = run["tool"]["driver"].get("rules") or [] if not rules_metadata: - rules_metadata = run["tool"]["extensions"][0]["rules"] + for ext in run["tool"].get("extensions", []): + rules_metadata += ext.get("rules", []) for res in run.get("results", []): if "ruleIndex" in res: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c2fff0398c..4660cabe78 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,17 +9,35 @@ on: push: branches: - dev/** + # scan pull requests so findings surface on the PR instead of only post-merge + pull_request: # midnight UTC on the latest commit on the main branch schedule: - cron: "0 0 * * *" # allow to be triggered manually workflow_dispatch: +# Serialize CodeQL runs per PR / branch. Only a pull_request cancels its own +# superseded run - once a PR head is replaced the old analysis is throwaway. +# Pushes to dev/** and the nightly cron are left to finish, so branch and +# scheduled scans are never dropped. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: analyze: - # only run this job if the repository is not a fork - # if want to run this job on a fork, please remove the if condition - if: github.repository == 'bytecodealliance/wasm-micro-runtime' + # Pull requests: only scan when the head branch lives in this same + # repository. A pull request from a fork runs with a read-only GITHUB_TOKEN + # (no `security-events: write`), so uploading results and reading + # code-scanning alerts is not permitted and the job would fail; skip it + # cleanly instead. Other events (push to dev/**, the nightly cron, manual + # runs) keep the original behavior of running only on the upstream repo. + if: >- + (github.event_name == 'pull_request' && + github.event.pull_request.head.repo.full_name == github.repository) + || (github.event_name != 'pull_request' && + github.repository == 'bytecodealliance/wasm-micro-runtime') name: Analyze # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql