From 6ebad26904af2cb966335ff89b049b321370000f Mon Sep 17 00:00:00 2001
From: Bruno Oliveira da Silva
Date: Tue, 15 Mar 2022 04:59:59 -0300
Subject: [PATCH] Failure to upload the SARIF file on pull requests (#10725)

The changes proposed here will resolve the issues we have with pull-request after the merge of #10606. It creates 3 different workflows to conditionally execute the job based on changes submitted. A detailed explanation about the issue can be found on #10717.

Resolves #10717
---
 .github/scripts/codeql/codeql-analyze.sh | 40 -----------
 .../scripts/codeql/codeql-database-create.sh | 25 -------
 .github/scripts/codeql/codeql-install.sh | 6 --
 .github/workflows/codeql-analysis.yml | 72 -------------------
 .github/workflows/codeql-java-analysis.yml | 45 ++++++++++++
 .../workflows/codeql-js-adapter-analysis.yml | 46 ++++++++++++
 .github/workflows/codeql-theme-analysis.yml | 46 ++++++++++++
 7 files changed, 137 insertions(+), 143 deletions(-)
 delete mode 100755 .github/scripts/codeql/codeql-analyze.sh
 delete mode 100755 .github/scripts/codeql/codeql-database-create.sh
 delete mode 100755 .github/scripts/codeql/codeql-install.sh
 delete mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/codeql-java-analysis.yml
 create mode 100644 .github/workflows/codeql-js-adapter-analysis.yml
 create mode 100644 .github/workflows/codeql-theme-analysis.yml

diff --git a/.github/scripts/codeql/codeql-analyze.sh b/.github/scripts/codeql/codeql-analyze.sh
deleted file mode 100755
index fd1b399cdbe..00000000000
--- a/.github/scripts/codeql/codeql-analyze.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-CODEQL_BINARY="./codeql/codeql"
-
-# Check if the binary exists
-if [ ! -f "$CODEQL_BINARY" ];
-then
- printf "CodeQL binary not found!"
- exit 1
-fi
-
-upload_results () {
- echo "Uploading $1"
- $CODEQL_BINARY github upload-results --sarif="$1" --repository="$GITHUB_REPOSITORY" --ref="$GITHUB_REF"
-}
-
-
-# Create the database based on the specifics per language
-if [ "$1" = "java" ];
-then
- printf "Analyzing CodeQL Java database"
- $CODEQL_BINARY database analyze "$1-database" codeql/java-queries --format=sarifv2.1.0 --output="$1".sarif --download --max-paths=1 --sarif-add-query-help
- < java.sarif jq 'del(.runs[].results[].codeFlows)' > processed-java.sarif
- upload_results processed-java.sarif
-
-elif [ "$1" = "javascript" ];
-then
- printf "Analyzing themes database"
- $CODEQL_BINARY database analyze themes-database codeql/javascript-queries --format=sarifv2.1.0 --output=themes.sarif --download --max-paths=1 --sarif-add-query-help
- < themes.sarif jq 'del(.runs[].results[].codeFlows)' > processed-themes.sarif
- upload_results processed-themes.sarif
-
- printf "Analyzing js-adapter database"
- $CODEQL_BINARY database analyze js-adapter-database codeql/javascript-queries --format=sarifv2.1.0 --output=js-adapter.sarif --download --max-paths=1 --sarif-add-query-help
- < js-adapter.sarif jq 'del(.runs[].results[].codeFlows)' > processed-js-adapter.sarif
- upload_results processed-js-adapter.sarif
-
-fi
-
-
diff --git a/.github/scripts/codeql/codeql-database-create.sh b/.github/scripts/codeql/codeql-database-create.sh
deleted file mode 100755
index 16075915ef7..00000000000
--- a/.github/scripts/codeql/codeql-database-create.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-CODEQL_BINARY="./codeql/codeql"
-
-# Check if the binary exists
-if [ ! -f "$CODEQL_BINARY" ];
-then
- printf "CodeQL binary not found!"
- exit 1
-fi
-
-# Create the database based on the specifics per language
-if [ "$1" = "java" ];
-then
- printf "Creating CodeQL Java database"
- $CODEQL_BINARY database create "$1-database" --no-run-unnecessary-builds --language="$1" --command='mvn clean install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests'
-elif [ "$1" = "javascript" ];
-then
- printf "Creating themes database"
- $CODEQL_BINARY database create themes-database --no-run-unnecessary-builds --language=javascript --source-root=themes/ --command='mvn install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests'
- printf "Creating js-adapter database"
- $CODEQL_BINARY database create js-adapter-database --no-run-unnecessary-builds --language=javascript --source-root=adapters/oidc/js/ --command='mvn install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests'
-fi
-
-
diff --git a/.github/scripts/codeql/codeql-install.sh b/.github/scripts/codeql/codeql-install.sh
deleted file mode 100755
index 4eb89b319b4..00000000000
--- a/.github/scripts/codeql/codeql-install.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-LATEST_RELEASE_URL=$(curl -s https://api.github.com/repos/github/codeql-cli-binaries/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep -i linux)
-
-wget -q --show-progress "$LATEST_RELEASE_URL"
-unzip codeql-linux64.zip
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 3ecb2eda96b..00000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL"
-
-on:
-# Disable for push and pull_request until https://github.com/keycloak/keycloak/issues/10203 is resolved
- push:
- branches: [main]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [main]
- schedule:
- - cron: '0 9 * * 2'
-
-env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-permissions:
- security-events: write
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: false
- matrix:
- # Override automatic language detection by changing the below list
- # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
- language: ['java', 'javascript']
- # Learn more...
- # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Install CodeQL
- run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-install.sh
-
- - uses: actions/setup-java@v2
- if: ${{ matrix.language == 'java' }}
- with:
- distribution: 'temurin'
- java-version: '11'
-
- - name: Update maven settings
- run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
-
- # Create the codeql database for Java
- - name: Create CodeQL Java database
- if: ${{ matrix.language == 'java' }}
- run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-database-create.sh java
-
- # Run the analysis for Java
- - name: Run CodeQL analysis for Java
- if: ${{ matrix.language == 'java' }}
- run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-analyze.sh java
-
- # Create the codeql database for JavaScript
- - name: Create CodeQL JavaScript database
- if: ${{ matrix.language == 'javascript' }}
- run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-database-create.sh javascript
-
- # Run the analysis for JavaScript
- - name: Run CodeQL analysis for JavaScript
- if: ${{ matrix.language == 'javascript' }}
- run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-analyze.sh javascript
diff --git a/.github/workflows/codeql-java-analysis.yml b/.github/workflows/codeql-java-analysis.yml
new file mode 100644
index 00000000000..9b32b0db6e3
--- /dev/null
+++ b/.github/workflows/codeql-java-analysis.yml
@@ -0,0 +1,45 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL Java"
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ paths:
+ - '**.java'
+ schedule:
+ - cron: '0 9 * * 2'
+
+jobs:
+ analyze:
+ name: CodeQL analyze
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-java@v1
+ with:
+ java-version: '11'
+
+ - name: Update maven settings
+ run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ env:
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
+ with:
+ languages: java
+
+ - name: Build Keycloak
+ run: mvn install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
+ env:
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
diff --git a/.github/workflows/codeql-js-adapter-analysis.yml b/.github/workflows/codeql-js-adapter-analysis.yml
new file mode 100644
index 00000000000..1ff93c8c0db
--- /dev/null
+++ b/.github/workflows/codeql-js-adapter-analysis.yml
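Review bot: The new workflow drops the `permissions:` block the removed codeql-analysis.yml carried, so the `analyze` job runs with whatever default GITHUB_TOKEN scope the repository grants; `github/codeql-action/analyze@v1` needs `security-events: write` to upload the SARIF, so the upload fails where the default token is read-only and, where the default is permissive, the job holds more than it needs. Declare the scope explicitly at the top level, `permissions:` / `  contents: read` / `  security-events: write`, here and likewise in codeql-js-adapter-analysis.yml and codeql-theme-analysis.yml; the old `env: GITHUB_TOKEN` is not needed, because the action's `token` input defaults to `github.token`. Separately, `actions/setup-java@v1` with no `distribution` steps back from the `@v2` + `distribution: 'temurin'` pin the removed workflow used; if that is not deliberate, keep `@v2`.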
@@ -0,0 +1,46 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL JS Adapter"
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ paths:
+ - 'adapters/oidc/js/**'
+ schedule:
+ - cron: '0 9 * * 2'
+
+jobs:
+ analyze:
+ name: CodeQL analyze
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-java@v1
+ with:
+ java-version: '11'
+
+ - name: Update maven settings
+ run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ env:
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
+ with:
+ languages: javascript
+ source-root: adapters/oidc/js/
+
+ - name: Build Keycloak
+ run: mvn install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
+ env:
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
diff --git a/.github/workflows/codeql-theme-analysis.yml b/.github/workflows/codeql-theme-analysis.yml
new file mode 100644
index 00000000000..09bc75606b3
--- /dev/null
+++ b/.github/workflows/codeql-theme-analysis.yml
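Review bot: The `--max-paths 0` passed through `CODEQL_ACTION_EXTRA_OPTIONS` on the last line is what replaces the `del(.runs[].results[].codeFlows)` jq filter the removed codeql-analyze.sh applied, but nothing in the file says so, and the same goes for the `--no-run-unnecessary-builds` finalize option; a reader who later sees alerts with no data-flow paths has nothing to connect that to #10717. Add a comment above each `env:` block, e.g. `# --max-paths 0 omits data-flow paths from the SARIF; see #10717 for why the upload needed this`, and the same in codeql-java-analysis.yml and codeql-theme-analysis.yml. The `Build Keycloak` step runs a full `mvn install` before a JavaScript-only database rooted at adapters/oidc/js/ is analysed; unless some source under that root is generated by Maven, that step and the setup-java step can be dropped from this workflow.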
@@ -0,0 +1,46 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL Themes"
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ paths:
+ - 'themes/src/**'
+ schedule:
+ - cron: '0 9 * * 2'
+
+jobs:
+ analyze:
+ name: CodeQL analyze
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-java@v1
+ with:
+ java-version: '11'
+
+ - name: Update maven settings
+ run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ env:
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
+ with:
+ languages: javascript
+ source-root: themes/
+
+ - name: Build Keycloak
+ run: mvn install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
+ env:
+ CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'
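Review bot: The pull_request trigger filters on `themes/src/**` while the init step sets `source-root: themes/`, so the database covers the whole `themes/` tree but a PR touching only files under `themes/` outside `src/` (if any exist) never runs this check and is only analysed on the scheduled or push runs; the collapsed indentation does not show whether `paths:` also applies to `push:`, so that part is inferred. Align the two, either `- 'themes/**'` in the filter or `source-root: themes/src/` in the init step, whichever tree the analysis is meant to cover. A `paths` filter on `pull_request` also means a PR outside those paths reports no "CodeQL analyze" status at all, which matters if the check is ever made required.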