From 098aed31a56e0c581bb7a6354e0d9d7b49489091 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 09:43:28 +0000 Subject: [PATCH 01/16] add_codeql --- .github/workflows/codeql.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..9960a1ec --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,31 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + pull_request: + types: [opened, reopened, synchronize] + merge_group: + types: [checks_requested] + +jobs: + analyze: + uses: eclipse-score/cicd-workflows/.github/workflows/codeql.yml@main + with: + build-script: | + bazel build //src/... + bazel build //examples/... + permissions: + security-events: write + packages: read + actions: read + contents: read From f44d8aa5a3c01321fccd40bb230da9d193cf4b61 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 11:03:24 +0100 Subject: [PATCH 02/16] fix wrong target --- .github/workflows/codeql.yml | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9960a1ec..ea4f8fbc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
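Review bot: The `analyze` job calls `eclipse-score/cicd-workflows/.github/workflows/codeql.yml@main`, so whatever is on that branch at run time executes in this repository with `security-events: write`; a mutable branch ref is the classic supply-chain weak point for CI, because a single push to the shared repo changes what every consumer runs without any review here. Pin the reusable workflow to a full commit SHA and keep the human-readable version in a trailing comment, e.g. `uses: eclipse-score/cicd-workflows/.github/workflows/codeql.yml@<commit-sha> # vX.Y`, and let a dependency bot propose bumps. The `permissions:` block is correctly scoped to the job and is the minimum CodeQL needs, so nothing to change there.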
@@ -1,14 +1,19 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. +# ******************************************************************************* +# Copyright (c) 2025 Contributors to the Eclipse Foundation # -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. # -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. +# This program and the accompanying materials are made available under the +# terms of the Apache License Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 # +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************* + +# Workflow configuration for S-CORE CI - Release Check +# This workflow runs Bazel build and test when triggered by tag creation. + name: "CodeQL Advanced" on: @@ -22,8 +27,8 @@ jobs: uses: eclipse-score/cicd-workflows/.github/workflows/codeql.yml@main with: build-script: | - bazel build //src/... - bazel build //examples/... + bazel build --config bl-x86_64-linux -- //score/... + permissions: security-events: write packages: read From 346e3d76fdf3feee3116e63eb87c683c8eccc9f1 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 11:12:59 +0100 Subject: [PATCH 03/16] added push to main trigger --- .github/workflows/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ea4f8fbc..92e13aa2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
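Review bot: The new header comment `# Workflow configuration for S-CORE CI - Release Check` / `# This workflow runs Bazel build and test when triggered by tag creation.` does not describe this file — the workflow is the CodeQL scan and its triggers are `pull_request` and `merge_group`, not tag creation — so the text reads as copied from another workflow and will mislead whoever next audits what runs with `security-events: write`. Replace it with wording the file supports, e.g. `# Workflow configuration for S-CORE CI - CodeQL static analysis` / `# Runs the shared CodeQL reusable workflow on a traced Bazel build of //score/... for pull requests and merge-queue checks.` The second hunk leaves a stray blank line inside the job mapping where `//examples/...` was removed; harmless to the YAML parser but worth tidying while you are here.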
@@ -19,6 +19,9 @@ name: "CodeQL Advanced" on: pull_request: types: [opened, reopened, synchronize] + push: + branches: + - main merge_group: types: [checks_requested] From dd01f304d61c151d316d72056138e9b81e6fd3a4 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 12:44:41 +0100 Subject: [PATCH 04/16] tryout switch to none build mode --- .github/workflows/codeql.yml | 57 ++++++++++++++++++++++++++++++++---- 1 file changed, 52 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 92e13aa2..6f3decd1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
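Review bot: With `push` on `main` added next to `pull_request` and `merge_group`, the same commit is typically analysed three times (PR head, merge-queue candidate, merged commit) and nothing cancels a superseded run; add a top-level `concurrency:` / `group: codeql-${{ github.workflow }}-${{ github.ref }}` / `cancel-in-progress: true` so a force-push or new revision does not leave a stale scan uploading results. If this repository accepts pull requests from forks, note that the `pull_request` run for a fork receives a read-only `GITHUB_TOKEN`, so `security-events: write` is not honoured there and the SARIF upload cannot succeed on that path; the new `push` trigger is then the one that actually keeps code scanning for `main` populated.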
@@ -25,15 +25,62 @@ on: merge_group: types: [checks_requested] +#jobs: +# analyze: +# uses: eclipse-score/cicd-workflows/.github/workflows/codeql.yml@main +# with: +# build-script: | +# bazel build --config bl-x86_64-linux -- //score/... + +# permissions: +# security-events: write +# packages: read +# actions: read +# contents: read + jobs: analyze: - uses: eclipse-score/cicd-workflows/.github/workflows/codeql.yml@main - with: - build-script: | - bazel build --config bl-x86_64-linux -- //score/... - + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest permissions: security-events: write packages: read actions: read contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: c-cpp + build-mode: none + - language: rust + build-mode: none + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + packs: codeql/misra-cpp-coding-standards + dependency-caching: true + + - if: matrix.build-mode == 'manual' + shell: bash + run: ${{ inputs.build-script }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + output: sarif-results.sarif + + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: sarif-results.sarif + path: sarif-results.sarif From e429319da3310061e2980757fbc1f17e0e0e435c Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 13:01:37 +0100 Subject: [PATCH 05/16] try autobild --- .github/workflows/codeql.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6f3decd1..ab08f00d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
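Review bot: Both matrix legs in the `Upload Artifact` step upload under the same fixed artifact name `sarif-results.sarif`, and `actions/upload-artifact@v4` rejects a second upload with an already-used name, so the second language leg fails after its analysis has succeeded; use a per-leg name such as `name: sarif-results-${{ matrix.language }}`. The `run: ${{ inputs.build-script }}` step is currently unreachable (the matrix only contains `build-mode: none`) and would expand to an empty script anyway, since `inputs` is only populated under `workflow_call`/`workflow_dispatch`; if it is kept, route the value through `env:` and run `"$BUILD_SCRIPT"` rather than interpolating an expression straight into `run:`, which is the expression-injection pattern GitHub warns about. `packs: codeql/misra-cpp-coding-standards` is passed to both legs, including `rust`, where a C++ coding-standards pack presumably does nothing useful or is rejected — make it conditional on the language. The commented-out copy of the old reusable-workflow job above `jobs:` should be deleted rather than kept; git history holds it, and a stale commented block in a security workflow invites confusion about what actually runs. Like the first commit's `@main`, the `actions/*` and `github/codeql-action/*` references here are pinned to moving major tags; pinning to commit SHAs is the hardened choice for a job holding `security-events: write`.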
@@ -53,9 +53,7 @@ jobs: matrix: include: - language: c-cpp - build-mode: none - - language: rust - build-mode: none + build-mode: autobuild steps: - name: Checkout repository uses: actions/checkout@v4 From afd0000d788a76fec928c6a7b473e3c3483c4cdf Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 15:42:25 +0100 Subject: [PATCH 06/16] try to improve bazel setting to codeql usage --- .github/workflows/codeql.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ab08f00d..5eb61709 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -53,7 +53,7 @@ jobs: matrix: include: - language: c-cpp - build-mode: autobuild + build-mode: manual steps: - name: Checkout repository uses: actions/checkout@v4 @@ -69,7 +69,27 @@ jobs: - if: matrix.build-mode == 'manual' shell: bash - run: ${{ inputs.build-script }} + run: | + # Clean Bazel cache to ensure a fresh build that CodeQL can trace. + # This is crucial as Bazel often uses cached results, which CodeQL cannot observe. + bazel clean --expunge + + # Build using specific Bazel flags to help CodeQL detect the build. + # --spawn_strategy=local: Ensures local compilation, not distributed. + # --nouse_action_cache: Prevents using action cache, forcing recompilation. + # --noremote_accept_cached, --noremote_upload_local_results: Avoids remote caching. + # --disk_cache=: Disables disk cache. + bazel build \ + --spawn_strategy=local \ + --nouse_action_cache \ + --noremote_accept_cached \ + --noremote_upload_local_results \ + --disk_cache= \ + //score/... + + # Shut down Bazel server processes after the build. + # This ensures future build commands start in a clean Bazel server process without CodeQL attached. + bazel shutdown - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From 89111e95cc86d3e1e82a13d3016cd5a6e84abd1a Mon Sep 17 00:00:00 2001 
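Review bot: The comment `# --spawn_strategy=local: Ensures local compilation, not distributed.` in the new manual build step misdescribes the flag: `local` is the unsandboxed strategy (versus `sandboxed`), and running unsandboxed is presumably what lets the CodeQL tracer's preloaded library reach the compiler processes Bazel spawns. Reword it as `# --spawn_strategy=local: run actions unsandboxed so the CodeQL tracer injected into the environment reaches every compiler process (Bazel sandbox deliberately disabled for this job only).` so the next reader sees the security trade-off being made. The step also has no `name:`, so the job log shows the raw script; `name: Build with Bazel (traced by CodeQL)` fixes that. `bazel clean --expunge` on a fresh hosted runner has nothing to expunge unless an earlier step restored a cache, so the comment calling it "crucial" oversells it — the cache-disabling flags below are what actually guarantee a full, traceable recompile.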
From: Frank Scholter Peres Date: Thu, 4 Dec 2025 14:59:19 +0000 Subject: [PATCH 07/16] readded config and added multicore --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5eb61709..4008dfbb 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -79,7 +79,7 @@ jobs: # --nouse_action_cache: Prevents using action cache, forcing recompilation. # --noremote_accept_cached, --noremote_upload_local_results: Avoids remote caching. # --disk_cache=: Disables disk cache. - bazel build \ + bazel build -j 4 --config bl-x86_64-linux \ --spawn_strategy=local \ --nouse_action_cache \ --noremote_accept_cached \ From 67b5fca4e7e5b57a4d795cee02487eb3371f51b3 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 15:52:05 +0000 Subject: [PATCH 08/16] increased version --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4008dfbb..4864baa1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -60,7 +60,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} From bac344d90f53c1b036e341594e9ef48a2ac12971 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 17:07:03 +0100 Subject: [PATCH 09/16] changed version --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4864baa1..f1eafe60 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -92,7 +92,7 @@ jobs: bazel shutdown - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}" output: sarif-results.sarif From 271f017b8b5fd6dad8205925bb87af24ca68ee16 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Thu, 4 Dec 2025 17:10:21 +0100 Subject: [PATCH 10/16] added debug flag --- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f1eafe60..eeb313b9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -66,6 +66,8 @@ jobs: build-mode: ${{ matrix.build-mode }} packs: codeql/misra-cpp-coding-standards dependency-caching: true + env: + CODEQL_ACTION_DEBUG: true - if: matrix.build-mode == 'manual' shell: bash From 333dfd2361f62e750c8c4856e606d215546f1e34 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Fri, 5 Dec 2025 10:35:47 +0100 Subject: [PATCH 11/16] added LD_PRELOAD and batching --- .github/workflows/codeql.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index eeb313b9..38dbcca0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -81,9 +81,11 @@ jobs: # --nouse_action_cache: Prevents using action cache, forcing recompilation. # --noremote_accept_cached, --noremote_upload_local_results: Avoids remote caching. # --disk_cache=: Disables disk cache. - bazel build -j 4 --config bl-x86_64-linux \ + bazel --batch build -j 4 --config bl-x86_64-linux \ --spawn_strategy=local \ + --strategy=Genrule=local \ --nouse_action_cache \ + --action_env=LD_PRELOAD=$LD_PRELOAD \ --noremote_accept_cached \ --noremote_upload_local_results \ --disk_cache= \ From 9f073e81f4cee5965207be6b50bfc801971ecb11 Mon Sep 17 00:00:00 2001 
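Review bot: `CODEQL_ACTION_DEBUG: true` is set as an `env:` on the Initialize CodeQL step with no expiry; it appears to be an internal variable of the action rather than a documented input (the documented knob is `with: debug: true`), and in either form debug mode raises log volume and, for the documented input, uploads the CodeQL database as a debug artifact, which is a full copy of the sources. Gate it on the runner's debug switch so it is off by default, e.g. `env:` / `CODEQL_ACTION_DEBUG: ${{ runner.debug == '1' }}`, or remove it once the tracing problem this series is chasing is solved. The `analyze` job and its steps continue outside this hunk.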
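Review bot: `--action_env=LD_PRELOAD=$LD_PRELOAD` is what lets the CodeQL tracer into Bazel's otherwise hermetic action environment, yet the comment block above the command still lists only the cache flags and says nothing about this line or about `--strategy=Genrule=local`, so the one deliberate hermeticity break in the script is the undocumented one. Add `# --action_env=LD_PRELOAD / --strategy=Genrule=local: propagate the CodeQL tracer library into compiler and genrule actions — a deliberate hole in Bazel's hermetic environment, CI-only.` next to the other flag comments. Note that this form pins the shell's value at invocation time, and when `LD_PRELOAD` is unset it becomes `--action_env=LD_PRELOAD=`, i.e. an explicit empty value rather than "inherit". With `bazel --batch` there is no persistent server any more, so the closing `bazel shutdown` and its comment about detaching CodeQL from the server are stale; the shutdown now presumably just starts and stops a fresh server.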
From: Frank Scholter Peres Date: Fri, 5 Dec 2025 10:47:38 +0100 Subject: [PATCH 12/16] added debug step --- .github/workflows/codeql.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 38dbcca0..51b091fa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -94,6 +94,13 @@ jobs: # Shut down Bazel server processes after the build. # This ensures future build commands start in a clean Bazel server process without CodeQL attached. bazel shutdown + + - name: Check CodeQL Tracer Log + if: always() + run: | + echo "--- Contents of CODEQL_TRACER_LOG ---" + cat "${CODEQL_TRACER_LOG}" || echo "Tracer log file not found or empty." + echo "-------------------------------------" - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From b9aa4fd28ddaf24b037382fb247bd39306371576 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Fri, 5 Dec 2025 11:16:49 +0100 Subject: [PATCH 13/16] increase the action of preload --- .bazelrc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.bazelrc b/.bazelrc index 5ae452aa..47b1248f 100644 --- a/.bazelrc +++ b/.bazelrc @@ -47,3 +47,5 @@ build:bl-x86_64-qnx --config=bl_toolchain_common build:bl-x86_64-qnx --platforms=@score_bazel_platforms//:x86_64-qnx build:bl-x86_64-qnx --extra_toolchains=@toolchains_qnx_qcc//:qcc_x86_64 test:bl-x86_64-qnx --config=bl_common + +build --action_env=LD_PRELOAD \ No newline at end of file From 9a9d9e3ffd5ffaad33cbcd340831bfa5cc74d138 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Fri, 5 Dec 2025 11:41:48 +0100 Subject: [PATCH 14/16] increased the pressure to bazel --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 51b091fa..63604809 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
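Review bot: The new `Check CodeQL Tracer Log` step dumps `${CODEQL_TRACER_LOG}` into the job log on every run (`if: always()`); the tracer log records each traced process invocation with its full argument list and can be large, so it belongs behind the debug switch, e.g. `if: always() && runner.debug == '1'`. `cat "${CODEQL_TRACER_LOG}"` with the variable unset cats an empty path and falls into the `|| echo` branch, which works, but an explicit `[ -n "${CODEQL_TRACER_LOG:-}" ] && [ -f "$CODEQL_TRACER_LOG" ]` test states what is being checked. Whether the v4 action still exports `CODEQL_TRACER_LOG` to later steps under `build-mode: manual` is not visible from this patch — confirm, since otherwise the step always prints the fallback.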
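Review bot: `build --action_env=LD_PRELOAD` is appended to `.bazelrc` unconditionally, so every developer build and every CI configuration in this file — including the QNX `bl-x86_64-qnx` configs — now inherits `LD_PRELOAD` from the client environment into all actions; that weakens the hermetic action environment for everyone to serve one CI job, and because `--action_env` values are part of the action key, any difference in a developer's `LD_PRELOAD` also invalidates the shared cache. Scope it to a named config that only the CodeQL workflow selects: `build:codeql --action_env=LD_PRELOAD` preceded by `# CodeQL tracer needs its preloaded library inside compiler actions; CI-only, breaks hermeticity on purpose.`, and pass `--config codeql` from the workflow. The hunk also ends with `\ No newline at end of file`; add the trailing newline.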
@@ -85,9 +85,9 @@ jobs: --spawn_strategy=local \ --strategy=Genrule=local \ --nouse_action_cache \ - --action_env=LD_PRELOAD=$LD_PRELOAD \ --noremote_accept_cached \ --noremote_upload_local_results \ + --experimental_action_remote_execution_strategy=local \ --disk_cache= \ //score/... From e58a11a6ee28ad95ff116c5a3fe0b126c19a6184 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Mon, 8 Dec 2025 11:39:09 +0000 Subject: [PATCH 15/16] tried new flags --- .bazelrc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.bazelrc b/.bazelrc index 47b1248f..93ee1634 100644 --- a/.bazelrc +++ b/.bazelrc @@ -48,4 +48,8 @@ build:bl-x86_64-qnx --platforms=@score_bazel_platforms//:x86_64-qnx build:bl-x86_64-qnx --extra_toolchains=@toolchains_qnx_qcc//:qcc_x86_64 test:bl-x86_64-qnx --config=bl_common -build --action_env=LD_PRELOAD \ No newline at end of file +build --action_env=LD_PRELOAD +build --copt=-gdwarf-5 +build --copt=-fno-var-tracking-assignments +build --copt=-fvar-tracking +build --copt=-g3 From d1ac0f39c9a9df69376226ff62c547fb3273c995 Mon Sep 17 00:00:00 2001 From: Frank Scholter Peres Date: Mon, 8 Dec 2025 12:55:48 +0000 Subject: [PATCH 16/16] removed experimental --- .github/workflows/codeql.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 63604809..662dee71 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -87,7 +87,6 @@ jobs: --nouse_action_cache \ --noremote_accept_cached \ --noremote_upload_local_results \ - --experimental_action_remote_execution_strategy=local \ --disk_cache= \ //score/...
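Review bot: The four new `build --copt=...` lines in `.bazelrc` (`-gdwarf-5`, `-fno-var-tracking-assignments`, `-fvar-tracking`, `-g3`) apply to every configuration in the file, including the QNX `qcc` toolchain selected by `bl-x86_64-qnx`, where GCC-specific var-tracking flags may not be accepted, and `-g3` inflates debug info for all developer builds; the commit message "tried new flags" suggests a CodeQL-tracing experiment, and nothing in the series shows these flags affecting extraction. If they are needed, scope them to a CI-only config with a comment stating the reason, e.g. `build:codeql --copt=-g3` and siblings; otherwise revert them. `-fno-var-tracking-assignments` immediately followed by `-fvar-tracking` also reads as contradictory — presumably intentional, but a comment should say why.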