From 37f732a65f4d2122a46d06d3bc7ca1f40f83eaf2 Mon Sep 17 00:00:00 2001
From: Tomas Tauber <2410580+tomtau@users.noreply.github.com>
Date: Fri, 20 May 2022 13:57:52 +0800
Subject: [PATCH] Problem: outdated CodeQL scanning pipeline (fixes #772)
Solution:
- updated the GH action pipeline
- removed Nondeterministic.ql (the more refined version is now contained in the query pack: https://github.com/crypto-com/cosmos-sdk-codeql/blob/main/src/map-iteration.ql )
---
 .github/codeql/codeql-config.yml | 7 ---
 .github/codeql/queries/Nondeterministic.ql | 14 -----
 .github/codeql/queries/custom.qls | 11 ----
 .github/codeql/queries/qlpack.xml | 1 -
 .github/codeql/queries/qlpack.yml | 6 ---
 .github/workflows/codeql-analysis.yml | 61 ++++++++++++----------
 third_party/cosmos-sdk | 2 +-
 7 files changed, 35 insertions(+), 67 deletions(-)
 delete mode 100644 .github/codeql/codeql-config.yml
 delete mode 100644 .github/codeql/queries/Nondeterministic.ql
 delete mode 100644 .github/codeql/queries/custom.qls
 delete mode 100644 .github/codeql/queries/qlpack.xml
 delete mode 100644 .github/codeql/queries/qlpack.yml
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
deleted file mode 100644
index e9082b814..000000000
--- a/.github/codeql/codeql-config.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-name: "Chain CodeQL config"
-
-queries:
- - name: security-extended, plus maintainability and reliability queries
- uses: security-and-quality
- - name: defer in loop etc.
- uses: ./.github/codeql/queries/custom.qls
\ No newline at end of file
diff --git a/.github/codeql/queries/Nondeterministic.ql b/.github/codeql/queries/Nondeterministic.ql
deleted file mode 100644
index eab6a5f2f..000000000
--- a/.github/codeql/queries/Nondeterministic.ql
+++ /dev/null
@@ -1,14 +0,0 @@ -/** - * @name Iteration over map - * @description Iteration over map is non-deterministic and could cause issues in consensus-critical code. - * @kind problem - * @problem.severity warning - * @id go/map-iteration - * @tags correctness - */ - -import go - -from RangeStmt loop -where loop.getDomain().getType() instanceof MapType -select loop, "Iteration over map" \ No newline at end of file diff --git a/.github/codeql/queries/custom.qls b/.github/codeql/queries/custom.qls deleted file mode 100644 index 3f5b5a2fc..000000000 --- a/.github/codeql/queries/custom.qls +++ /dev/null @@ -1,11 +0,0 @@ -- description: Custom CodeQL queries from experimental -- qlpack: codeql-go -- include: - id: go/examples/deferinloop -- include: - id: go/divide-by-zero -- include: - id: go/wrong-usage-of-unsafe -- qlpack: chain-custom -- include: - id: go/map-iteration diff --git a/.github/codeql/queries/qlpack.xml b/.github/codeql/queries/qlpack.xml deleted file mode 100644 index 924303054..000000000 --- a/.github/codeql/queries/qlpack.xml +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/.github/codeql/queries/qlpack.yml b/.github/codeql/queries/qlpack.yml deleted file mode 100644 index 0b4b95286..000000000 --- a/.github/codeql/queries/qlpack.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: chain-custom -version: 0.0.0 -dependencies: - # This uses the latest version of the codeql/go-all library. - # You may want to change to a more precise semver string. - codeql/go-all: "*" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 94c3d5cb2..9f5df5035 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -16,10 +16,14 @@ on: branches: - master - release/** + paths: + - "**.go" pull_request: branches: - master - release/** + paths: + - "**.go" jobs: analyze: 
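Review bot: The new `paths: - "**.go"` filter on both `push` and `pull_request` means a change that only touches `go.mod`/`go.sum`, the `third_party/cosmos-sdk` submodule pointer (bumped in this very commit), or this workflow file no longer triggers a CodeQL run, so dependency and build-pipeline changes go unscanned until the next `.go` edit. If this workflow is configured as a required status check, pull requests that touch no Go file will also never report it and stay blocked. Consider adding `- "go.mod"`, `- "go.sum"` and `- "third_party/**"` to both `paths:` lists (and the workflow's own path), or dropping the filter and relying on a `schedule:` trigger for periodic full scans. The enclosing `on:` block starts before this hunk, so whether a `schedule:` trigger already exists is not visible here.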
@@ -36,35 +40,38 @@ jobs: language: [ 'go' ] steps: - - name: Checkout repository - uses: actions/checkout@v2 + - name: Checkout repository + uses: actions/checkout@v3 + - uses: actions/setup-go@v3 + with: + go-version: 1.18 + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: "go" + queries: +security-and-quality,github/codeql-go/ql/src/experimental/InconsistentCode/DeferInLoop.ql@main,github/codeql-go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql@main,github/codeql-go/ql/src/experimental/CWE-369/DivideByZero.ql@main + packs: +crypto-com/cosmos-sdk-codeql + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - config-file: ./.github/codeql/codeql-config.yml - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v1 + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + #- run: | + # make bootstrap + # make release - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 \ No newline at end of file + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 \ No newline at end of file diff --git a/third_party/cosmos-sdk b/third_party/cosmos-sdk index 2646b474c..ad9e5620f 160000 --- a/third_party/cosmos-sdk +++ b/third_party/cosmos-sdk @@ -1 +1 @@ -Subproject commit 2646b474c7beb0c93d4fafd395ef345f41afc251 +Subproject commit ad9e5620fb3445c716e9de45cfcdb56e8f1745bf
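Review bot: The query sources added under `with:` are unpinned — the three `github/codeql-go/ql/src/experimental/...ql@main` entries and `packs: +crypto-com/cosmos-sdk-codeql` carry no version, so the set of queries (and therefore what the scan reports or silently stops reporting) changes with any push to those repositories; pin them, e.g. `packs: +crypto-com/cosmos-sdk-codeql@<version>` and `...DeferInLoop.ql@<tag-or-sha>`. Separately, `languages: "go"` is now hard-coded while the `language: [ 'go' ]` matrix at the top of the hunk is kept, so the matrix is dead weight — either restore `languages: ${{ matrix.language }}` (as the removed line had) or drop the matrix. `go-version: 1.18` is an unquoted float that happens to round-trip; quote it (`go-version: "1.18"`) so a later bump to `1.20` is not parsed as `1.2`. The leftover template comment block about specifying custom queries now sits directly under a `with:` that already sets `queries:` and reads as stale. The `analyze` job's header lies outside this hunk.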