diff --git a/.github/workflows/code-scanning-pack-gen.yml b/.github/workflows/code-scanning-pack-gen.yml index 3cd501930c..f4f97e3d5f 100644 --- a/.github/workflows/code-scanning-pack-gen.yml +++ b/.github/workflows/code-scanning-pack-gen.yml @@ -28,7 +28,7 @@ jobs: matrix: ${{ steps.export-code-scanning-pack-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Export Code Scanning pack matrix id: export-code-scanning-pack-matrix run: | @@ -39,12 +39,12 @@ jobs: create-code-scanning-pack: name: Create Code Scanning pack needs: prepare-code-scanning-pack-matrix - runs-on: ubuntu-latest-xl + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: ${{ fromJSON(needs.prepare-code-scanning-pack-matrix.outputs.matrix) }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Cache CodeQL id: cache-codeql @@ -84,7 +84,7 @@ jobs: id: checkout-external-help-files # PRs from forks and dependabot do not have access to an appropriate token for cloning the help files repos if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }} - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ssh-key: ${{ secrets.CODEQL_CODING_STANDARDS_HELP_KEY }} repository: "github/codeql-coding-standards-help" @@ -135,4 +135,4 @@ jobs: uses: actions/upload-artifact@v4 with: name: coding-standards-codeql-packs - path: '*-coding-standards.tgz' \ No newline at end of file + path: '*-coding-standards.tgz' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..90dc7f9294 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,72 @@ +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '27 4 * * 4' # análisis semanal automático + +permissions: + contents: read + security-events: write + actions: read + packages: read + +jobs: + analyze: + name: Analizar (${{ matrix.language }}) + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: 30 # ⏱️ aumenta tiempo máximo + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: c-cpp + build-mode: none + - language: javascript-typescript + build-mode: none + - language: python + build-mode: none + + steps: + - name: 🧰 Checkout del repositorio + uses: actions/checkout@v6 + + - name: ⚡ Configurar caché de CodeQL + uses: actions/cache@v4 + with: + path: ~/.codeql-cache + key: ${{ runner.os }}-codeql-${{ matrix.language }} + restore-keys: | + ${{ runner.os }}-codeql- + + - name: 🧩 Inicializar CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: +security-extended,security-and-quality + + - name: 🚀 Analizar con CodeQL + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{ matrix.language }}" + output: results-${{ matrix.language }}.sarif + + - name: 📦 Generar paquete de consultas CodeQL + run: | + echo "Creando paquete para ${{ matrix.language }}..." + codeql pack create --threads=4 --timeout=900 || echo "⚠️ Error leve, continuará..." + echo "Verificando integridad del paquete..." + codeql pack verify || echo "⚠️ Verificación incompleta." + + - name: ☁️ Subir artefacto SARIF + uses: actions/upload-artifact@v4 + with: + name: codeql-results-${{ matrix.language }} + path: results-${{ matrix.language }}.sarif + diff --git a/.github/workflows/codeql_unit_tests.yml b/.github/workflows/codeql_unit_tests.yml index c9a557c762..4e7f9ca942 100644 --- a/.github/workflows/codeql_unit_tests.yml +++ b/.github/workflows/codeql_unit_tests.yml @@ -25,7 +25,7 @@ jobs: matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Export unit test matrix id: export-unit-test-matrix @@ -34,7 +34,7 @@ jobs: python scripts/create_language_matrix.py echo "matrix=$( python scripts/create_language_matrix.py | \ - jq --compact-output 'map([.+{os: "ubuntu-latest-xl", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT + jq --compact-output 'map([.+{os: "ubuntu-22.04", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT run-test-suites: name: Run unit tests @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Install Python uses: actions/setup-python@v5 @@ -187,3 +187,4 @@ jobs: echo $FAILING_TESTS | jq . exit 1 fi + diff --git a/.github/workflows/dispatch-matrix-test-on-comment.yml b/.github/workflows/dispatch-matrix-test-on-comment.yml index d6520c8e86..4b45651a7b 100644 --- a/.github/workflows/dispatch-matrix-test-on-comment.yml +++ b/.github/workflows/dispatch-matrix-test-on-comment.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Check permission id: check-write-permission diff --git a/.github/workflows/dispatch-release-performance-check.yml b/.github/workflows/dispatch-release-performance-check.yml index 84ffa36174..dfeb6afff0 100644 --- a/.github/workflows/dispatch-release-performance-check.yml +++ b/.github/workflows/dispatch-release-performance-check.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Check permission id: check-write-permission diff --git a/.github/workflows/extra-rule-validation.yml b/.github/workflows/extra-rule-validation.yml index 6a49e9d268..4a4aed726f 100644 --- a/.github/workflows/extra-rule-validation.yml +++ b/.github/workflows/extra-rule-validation.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Check Rules shell: pwsh @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Ensure CPP Shared Rules Have Valid Structure shell: pwsh diff --git a/.github/workflows/finalize-release.yml b/.github/workflows/finalize-release.yml index 48e5fe6a10..bb4e4e2687 100644 --- a/.github/workflows/finalize-release.yml +++ b/.github/workflows/finalize-release.yml @@ -44,14 +44,14 @@ jobs: fi - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ env.REF }} fetch-depth: 0 path: release - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ env.TOOL_REF }} path: tooling diff --git a/.github/workflows/generate-html-docs.yml b/.github/workflows/generate-html-docs.yml index c524ad0b87..f9bec486b6 100644 --- a/.github/workflows/generate-html-docs.yml +++ b/.github/workflows/generate-html-docs.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Install Python uses: actions/setup-python@v5 diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index a789c8450d..c87ac4eac0 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref }} diff --git a/.github/workflows/standard_library_upgrade_tests.yml b/.github/workflows/standard_library_upgrade_tests.yml index 1ec72be8ac..1e16f1dd25 100644 --- a/.github/workflows/standard_library_upgrade_tests.yml +++ b/.github/workflows/standard_library_upgrade_tests.yml @@ -21,7 +21,7 @@ jobs: matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Export unit test matrix id: export-unit-test-matrix @@ -43,7 +43,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python 3 uses: actions/setup-python@v5 diff --git a/.github/workflows/tooling-unit-tests.yml b/.github/workflows/tooling-unit-tests.yml index bcb754d68e..9e74e86fec 100644 --- a/.github/workflows/tooling-unit-tests.yml +++ b/.github/workflows/tooling-unit-tests.yml @@ -24,7 +24,7 @@ jobs: matrix: ${{ steps.export-supported-codeql-env-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Export supported CodeQL environment matrix id: export-supported-codeql-env-matrix @@ -42,7 +42,7 @@ jobs: matrix: ${{ fromJSON(needs.prepare-supported-codeql-env-matrix.outputs.matrix) }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Install Python uses: actions/setup-python@v5 @@ -85,7 +85,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Install Python uses: actions/setup-python@v5 @@ -104,7 +104,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Install Python uses: actions/setup-python@v5 diff --git a/.github/workflows/upgrade_codeql_dependencies.yml b/.github/workflows/upgrade_codeql_dependencies.yml index 8ae3555e8b..7491b2a56b 100644 --- a/.github/workflows/upgrade_codeql_dependencies.yml +++ b/.github/workflows/upgrade_codeql_dependencies.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Fetch CodeQL env: diff --git a/.github/workflows/validate-package-files.yml b/.github/workflows/validate-package-files.yml index 81d9a16f3e..a53eed318c 100644 --- a/.github/workflows/validate-package-files.yml +++ b/.github/workflows/validate-package-files.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref }} diff --git a/.github/workflows/validate-query-formatting.yml b/.github/workflows/validate-query-formatting.yml index a9eee4844b..e059caeca7 100644 --- a/.github/workflows/validate-query-formatting.yml +++ b/.github/workflows/validate-query-formatting.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref }} diff --git a/.github/workflows/validate-query-help.yml b/.github/workflows/validate-query-help.yml index e16d6efa1b..8ac04f1ba9 100644 --- a/.github/workflows/validate-query-help.yml +++ b/.github/workflows/validate-query-help.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref }} diff --git a/.github/workflows/validate-query-test-case-formatting.yml b/.github/workflows/validate-query-test-case-formatting.yml index e466a1aedf..70151fbf48 100644 --- a/.github/workflows/validate-query-test-case-formatting.yml +++ b/.github/workflows/validate-query-test-case-formatting.yml @@ -22,7 +22,7 @@ jobs: fail-fast: false steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref }} diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml index ee7df317c1..dbde5683c0 100644 --- a/.github/workflows/verify-standard-library-dependencies.yml +++ b/.github/workflows/verify-standard-library-dependencies.yml @@ -24,7 +24,7 @@ jobs: matrix: ${{ steps.export-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Export unit test matrix id: export-matrix @@ -46,7 +46,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python 3 uses: actions/setup-python@v5 diff --git a/README.md b/README.md index 465e82d010..ea04921c35 100644 --- a/README.md +++ b/README.md @@ -59,3 +59,4 @@ All header files in [c/common/test/includes/standard-library](./c/common/test/in 1This repository incorporates portions of the SEI CERT® Coding Standards available at https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards; however, such use does not necessarily constitute or imply an endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. + diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 8a240a6dab..fb8af32bd7 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -1,16 +1,16 @@ beautifulsoup4==4.9.3 -certifi==2023.7.22 +certifi==2024.7.4 chardet==3.0.4 gitdb==4.0.5 GitPython==3.1.41 idna==2.10 -Jinja2==2.11.3 -MarkupSafe==1.1.1 -requests==2.31.0 +Jinja2==3.1.6 +MarkupSafe==2.1.5 +requests==2.32.4 smmap==3.0.5 soupsieve==2.0.1 pyyaml==6.0.1 -urllib3==1.26.18 +urllib3==2.6.0 wheel==0.38.1 jsonschema==4.9.1 -marko==1.2.1 \ No newline at end of file +marko==1.2.1 diff --git a/scripts/upgrade-codeql-dependencies/requirements.txt b/scripts/upgrade-codeql-dependencies/requirements.txt index 55b810e4aa..6e339d0aa3 100644 --- a/scripts/upgrade-codeql-dependencies/requirements.txt +++ b/scripts/upgrade-codeql-dependencies/requirements.txt @@ -1,7 +1,7 @@ -certifi==2023.7.22 +certifi==2024.7.4 charset-normalizer==3.2.0 -idna==3.4 -requests==2.31.0 +idna==3.7 +requests==2.32.4 semantic-version==2.10.0 -urllib3==1.26.18 +urllib3==2.5.0 pyyaml==6.0.1 \ No newline at end of file