From ab02f4149583860d7a850e66e4d0a8fb226891b8 Mon Sep 17 00:00:00 2001
From: Kanwalpreet Dhindsa
Date: Thu, 9 May 2024 11:47:17 -0700
Subject: [PATCH] added codeql config

---
 .github/workflows/codeql.yml | 83 ++++++++++++++++++++++++++++++++++++
 ci-build.sh | 42 +++++++++++++-----
 2 files changed, 114 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..597e17f4ed
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,83 @@
+name: "CodeQL"
+
+on:
+ # allow manual run
+ workflow_dispatch:
+ schedule:
+ # run every Sunday at 4:30 UTC
+ - cron: '30 4 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze c-cpp
+ runs-on: ubuntu-latest
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: c-cpp
+ build-mode: manual
+ toolchain: ["gcc", "clang"]
+ protocol: ["current", "next"]
+
+ steps:
+ - name: Fix kernel mmap rnd bits
+ # Asan in llvm provided in ubuntu 22.04 is incompatible with
+ # high-entropy ASLR in much newer kernels that GitHub runners are
+ # using leading to random crashes: https://reviews.llvm.org/D148280
+ run: sudo sysctl vm.mmap_rnd_bits=28
+ - uses: actions/checkout@v3.5.2
+ with:
+ fetch-depth: 200
+ submodules: true
+ - name: Get CodeQL CLI
+ run: |
+ cd /home/runner/work/stellar-core
+ wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.17.2/codeql-bundle-linux64.tar.gz
+ tar -xvzf codeql-bundle-linux64.tar.gz
+ - name: Add CodeQL CLI to PATH
+ env:
+ ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+ run: |
+ echo "::add-path::/home/runner/work/stellar-core/codeql:$PATH"
+ - name: install core packages
+ run: |
+ sudo apt-get update
+ sudo apt-get -y install --no-install-recommends apt-utils dialog git iproute2 procps lsb-release
+ - name: install tool chain
+ run: |
+ sudo apt-get -y install libstdc++-10-dev clang-format-12 ccache lldb
+ if test "${{ matrix.toolchain }}" = "gcc" ; then
+ sudo apt-get -y install cpp-10 gcc-10 g++-10
+ else
+ sudo apt-get -y install clang-12 llvm-12
+ fi
+ - name: install rustup components
+ run: rustup component add rustfmt
+ - name: install dependencies
+ run: sudo apt-get -y install postgresql git build-essential pkg-config autoconf automake libtool bison flex libpq-dev parallel libunwind-dev sed perl
+ - name: Build
+ run: |
+ if test "${{ matrix.toolchain }}" = "gcc" ; then
+ export CC='gcc'
+ export
CXX='g++' + else + export CC='clang' + export CXX='clang++' + fi + echo Build with $CC and $CXX + ./ci-build.sh --build-with-codeql --disable-tests --protocol ${{ matrix.protocol }} + - name: Perform CodeQL Analysis + run: | + codeql database analyze core-codeql-database --format=sarif-latest --output=results.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: CodeQL + diff --git a/ci-build.sh b/ci-build.sh index 066eab0c76..9c15eafd8c 100755 --- a/ci-build.sh +++ b/ci-build.sh @@ -10,6 +10,7 @@ CACHE_MAX_DAYS=30 WITH_TESTS=1 export TEMP_POSTGRES=0 +WITH_CODEQL=0 PROTOCOL_CONFIG="" @@ -26,6 +27,10 @@ while [[ -n "$1" ]]; do export TEMP_POSTGRES=1 echo Using temp database ;; + "--build-with-codeql") + WITH_CODEQL=1 + echo Building with CodeQL for static analysis + ;; "--check-test-tx-meta") if [[ -z "${PROTOCOL}" ]]; then echo 'must specify --protocol before --check-test-tx-meta' @@ -68,16 +73,20 @@ NPROCS=$(getconf _NPROCESSORS_ONLN) echo "Found $NPROCS processors" date -# Short-circuit transient 'auto-initialization' builds -git fetch origin master -MASTER=$(git describe --always FETCH_HEAD) -HEAD=$(git describe --always HEAD) -echo $MASTER -echo $HEAD -if [ $HEAD == $MASTER ] +# Short-circuit transient 'auto-initialization' builds (if not building through CodeQL +# since CodeQL shall only build from master periodically and not on PRs, as CodeQL scan takes around 3 hrs to run) +if [ $WITH_CODEQL -eq 0 ] then - echo "HEAD SHA1 equals master; probably just establishing merge, exiting build early" - exit 1 + git fetch origin master + MASTER=$(git describe --always FETCH_HEAD) + HEAD=$(git describe --always HEAD) + echo $MASTER + echo $HEAD + if [ $HEAD == $MASTER ] + then + echo "HEAD SHA1 equals master; probably just establishing merge, exiting build early" + exit 1 + fi fi # Try to ensure we're using the real g++ and clang++ versions we want 
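Review bot: The `Add CodeQL CLI to PATH` step sets `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` in order to use the deprecated `::add-path::` workflow command, which re-enables command parsing of everything the job prints and so lets any logged line (build output, fetched tooling) alter PATH or the environment of later steps; the supported form needs no opt-in at all: `run: echo "/home/runner/work/stellar-core/codeql" >> "$GITHUB_PATH"`. The CodeQL bundle fetched by `wget` in the step above is likewise unpacked and executed without any digest check, so the pinned release tag fixes the URL but not the bytes; verify the archive against a recorded checksum, or let `github/codeql-action/init@v3` provision the CLI. Separately, lists placed inside `matrix.include` are not expanded into combinations: `matrix.toolchain` and `matrix.protocol` each hold the whole list, so `test "${{ matrix.toolchain }}" = "gcc"` in the Build step cannot match and `--protocol ${{ matrix.protocol }}` is handed the list rather than one value; moving the two axes to the top level of `matrix` as below restores the intended four jobs.
```yaml
strategy:
  fail-fast: false
  matrix:
    toolchain: ["gcc", "clang"]
    protocol: ["current", "next"]
    include:
      - language: c-cpp
        build-mode: manual
# … unchanged: steps …
```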
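Review bot: The re-indented comparison `if [ $HEAD == $MASTER ]` inside the new `WITH_CODEQL` guard is still unquoted, so if either `git describe` call fails and leaves `MASTER` or `HEAD` empty, `[` fails with a syntax error rather than a readable message; since these lines are being rewritten anyway, quote them: `if [ "$HEAD" == "$MASTER" ]`. The new comment states that CodeQL builds only from master on a schedule, but nothing in this script checks the branch and the gate is just the `--build-with-codeql` flag; it would be clearer to say that the workflow's triggers enforce that (and the workflow as added also allows `workflow_dispatch` from other refs), e.g. `# (the CodeQL workflow, not this script, restricts which refs get scanned)`.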
@@ -107,7 +116,13 @@ elif test $CXX = 'g++'; then g++ -v fi -config_flags="--enable-asan --enable-extrachecks --enable-ccache --enable-sdfprefs ${PROTOCOL_CONFIG}" +if [ $WITH_CODEQL -eq 0 ] +then + config_flags="--enable-asan --enable-extrachecks --enable-ccache --enable-sdfprefs ${PROTOCOL_CONFIG}" +else + # Don't enable asan when building with CodeQL as it interferes with CodeQL build + config_flags="--enable-extrachecks --enable-ccache --enable-sdfprefs ${PROTOCOL_CONFIG}" +fi export CFLAGS="-O2 -g1 -fno-omit-frame-pointer -fsanitize-address-use-after-scope -fno-common" export CXXFLAGS="-w $CFLAGS" @@ -160,7 +175,12 @@ then fi date -time make -j$(($NPROCS + 1)) +if [ $WITH_CODEQL -eq 0 ] +then + time make -j$(($NPROCS + 1)) +else + codeql database create core-codeql-database --language=c-cpp --command make -j$(($NPROCS + 1)) +fi ccache -s
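Review bot: The CodeQL branch of the new `config_flags` selection keeps `--enable-ccache`, but the CodeQL tracer only records compilations that actually run; on a warm cache ccache returns objects without invoking the compiler, so those translation units are silently absent from the database and the scan is incomplete without any error. Drop caching on that path, `config_flags="--enable-extrachecks --enable-sdfprefs ${PROTOCOL_CONFIG}"`, or clear the cache before the database is created. The `CFLAGS` line just below still carries `-fsanitize-address-use-after-scope` although ASan is switched off in this branch; presumably harmless, but the comment `# Don't enable asan when building with CodeQL ...` would read better if it also said that flag is intentionally left in, or the flag were dropped with it. The `codeql database create ... --command make -j...` invocation added further down appears to pass the build command as several arguments; the CLI expects it as one, `--command "make -j$(($NPROCS + 1))"`, otherwise `-jN` is parsed by codeql rather than by make.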