Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions .github/scripts/codeql_buildscript.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,20 @@ sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://gith
popd

# libtinfo.so.5 for /opt/llvm-18.1.8/lib/libomptarget.rtl.amdgpu.so.18.1
# Install the libtinfo5 compat package at the same ncurses version as the
# runner's already-installed libtinfo6; fall back to the newest one in the
# pool. A hard-coded URL 404s once the ncurses point release is bumped, which
# then breaks the wamrc link against libomptarget (NCURSES_TINFO_5 symbols).
sudo apt -qq update
wget http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb
sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb
nc_pool="http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses"
nc_ver="$(dpkg-query -W -f='${Version}' libtinfo6)"
libtinfo5_deb="libtinfo5_${nc_ver}_amd64.deb"
if ! wget -q "${nc_pool}/${libtinfo5_deb}"; then
libtinfo5_deb="$(wget -qO- "${nc_pool}/" \
| grep -oE 'libtinfo5_[0-9][^"]*_amd64\.deb' | sort -Vu | tail -1)"
wget -q "${nc_pool}/${libtinfo5_deb}"
fi
sudo apt install -y -qq "./${libtinfo5_deb}"

# Start the build process
WAMR_DIR=${PWD}
Expand Down
10 changes: 8 additions & 2 deletions .github/scripts/codeql_fail_on_error.py
Original file line number Diff line number Diff line change
Expand Up @@ -61,9 +61,15 @@ def codeql_sarif_contain_error(filename, dismissed_alerts):
s = json.load(f)

for run in s.get("runs", []):
rules_metadata = run["tool"]["driver"]["rules"]
# Rule metadata isn't always in one place: CodeQL keeps it on the tool
# driver, but rules contributed by a query-pack extension live on that
# extension instead, and the driver's list is empty when nothing fired.
# So read the driver rules, then fall back to gathering them from the
# extensions rather than assuming a fixed location.
rules_metadata = run["tool"]["driver"].get("rules") or []
if not rules_metadata:
rules_metadata = run["tool"]["extensions"][0]["rules"]
for ext in run["tool"].get("extensions", []):
rules_metadata += ext.get("rules", [])

for res in run.get("results", []):
if "ruleIndex" in res:
Expand Down
24 changes: 21 additions & 3 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,17 +9,35 @@ on:
push:
branches:
- dev/**
# scan pull requests so findings surface on the PR instead of only post-merge
pull_request:
# midnight UTC on the latest commit on the main branch
schedule:
- cron: "0 0 * * *"
# allow to be triggered manually
workflow_dispatch:

# Serialize CodeQL runs per PR / branch. Only a pull_request cancels its own
# superseded run - once a PR head is replaced the old analysis is throwaway.
# Pushes to dev/** and the nightly cron are left to finish, so branch and
# scheduled scans are never dropped.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
analyze:
# only run this job if the repository is not a fork
# if want to run this job on a fork, please remove the if condition
if: github.repository == 'bytecodealliance/wasm-micro-runtime'
# Pull requests: only scan when the head branch lives in this same
# repository. A pull request from a fork runs with a read-only GITHUB_TOKEN
# (no `security-events: write`), so uploading results and reading
# code-scanning alerts is not permitted and the job would fail; skip it
# cleanly instead. Other events (push to dev/**, the nightly cron, manual
# runs) keep the original behavior of running only on the upstream repo.
if: >-
(github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository)
|| (github.event_name != 'pull_request' &&
github.repository == 'bytecodealliance/wasm-micro-runtime')
name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
Expand Down