From 2e1770c9bef1ff62630d91bfb02bd7bf7285a3c3 Mon Sep 17 00:00:00 2001
From: Daniel Farrell <dfarrell@redhat.com>
Date: Thu, 29 Sep 2022 12:49:57 -0400
Subject: [PATCH] Add CodeQL variant analysis scanning

This is a different type of static analysis than others we run.

> Variant analysis is the process of using a known security
vulnerability as a seed to find similar problems in your code.

https://codeql.github.com/docs/codeql-overview/about-codeql/

CodeQL doesn't only do variant analysis for security issues, it also has
semantic queries/rules for other types of issues.

https://github.com/github/codeql/tree/main/go/ql/src

It identified new issues (already fixed) that our other tools missed.

The company that built it was bought by GitHub and the tool is being
integrated into GitHub's security workflow.

Add one unprivileged version of the job to gate PRs and one privileged
version on-merge to report results.

Relates-to: #1970
Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
---
 .github/workflows/linting.yml | 16 ++++++++++++++++
 .github/workflows/report.yml  | 18 ++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index b82016473..93da6c503 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -130,6 +130,22 @@ jobs:
       - name: Run shellcheck
         run: make shellcheck
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     runs-on: ubuntu-latest
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index 6b8e648e2..bb7cc0916 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -29,6 +29,24 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
+  variant-analysis:
+    name: Variant Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@86f3159a697a097a813ad9bfa0002412d97690a4
+        with:
+          languages: go
+      - name: Run CodeQL variant analysis
+        uses: github/codeql-action/analyze@86f3159a697a097a813ad9bfa0002412d97690a4
+      - name: Show CodeQL scan SARIF report
+        if: always()
+        run: cat ../results/go.sarif
+
   vulnerability-scan:
     name: Vulnerability Scanning
     if: github.repository_owner == 'submariner-io'