From b503b2eb3e368b470615f8ad022ac8f8ecc41ebd Mon Sep 17 00:00:00 2001 From: Piotr Korkus Date: Fri, 20 Mar 2026 09:52:23 +0100 Subject: [PATCH 1/4] test --- .../workflows/codeql-multiple-repo-scan.yml | 32 +++++++++++++++---- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql-multiple-repo-scan.yml b/.github/workflows/codeql-multiple-repo-scan.yml index a22531153b2..d1e6d120b6d 100644 --- a/.github/workflows/codeql-multiple-repo-scan.yml +++ b/.github/workflows/codeql-multiple-repo-scan.yml @@ -40,12 +40,6 @@ jobs: steps: - name: Checkout central repository uses: actions/checkout@v4 - - name: Checkout CodeQL Coding Standards scripts - uses: actions/checkout@v4 - with: - repository: github/codeql-coding-standards - path: codeql-coding-standards-repo # Klonen in diesen Ordner - ref: main # Oder eine spezifische Release-Version, z.B. 'v2.53.0-dev' # Add coding standard packages and dependencies - name: Install Python dependencies for Coding Standards scripts run: | @@ -59,13 +53,37 @@ jobs: id: checkout-repos run: | scripts/workflow/checkout_repos.sh + # - name: Setup Bazel + # uses: bazel-contrib/setup-bazel@0.15.0 + # with: + # # Avoid downloading Bazel every time. + # bazelisk-cache: true + # # Store build cache per workflow. + # disk-cache: codeql-scan + # # Share repository cache between workflows. + # repository-cache: true - name: Initialize CodeQL for all repositories uses: github/codeql-action/init@v4 with: languages: cpp build-mode: none - packs: codeql/misra-cpp-coding-standards + packs: codeql/misra-cpp-coding-standards@2.53.0 config-file: ./.github/codeql/codeql-config.yml + # - name: Build all components with Bazel + # run: | + # echo "Building all C++ and Rust targets for CodeQL analysis" + # # Build all targets from the checked-out repositories + # # This ensures CodeQL captures the compilation database + # bazel build --verbose_failures --config=x86_64-linux \ + # @score_baselibs//... \ + # @score_baselibs_rust//src/... \ + # @score_communication//score/mw/com/impl/... \ + # @score_persistency//src/... \ + # @score_orchestrator//src/... \ + # @score_kyron//src/... \ + # @score_lifecycle_health//src/... \ + # @score_logging//... \ + # || true # Continue even if some targets fail - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: From a40feb3977e88ec80df27a3274108742a4d287f2 Mon Sep 17 00:00:00 2001 From: Piotr Korkus Date: Fri, 20 Mar 2026 10:18:44 +0100 Subject: [PATCH 2/4] recatagorize --- .github/workflows/codeql-multiple-repo-scan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/codeql-multiple-repo-scan.yml b/.github/workflows/codeql-multiple-repo-scan.yml index d1e6d120b6d..4c6533ef04c 100644 --- a/.github/workflows/codeql-multiple-repo-scan.yml +++ b/.github/workflows/codeql-multiple-repo-scan.yml @@ -90,6 +90,12 @@ jobs: upload-database: false # Don't upload databases for each repo output: sarif-results/ category: "multi-repo-scan" + - name: Checkout CodeQL Coding Standards scripts + uses: actions/checkout@v4 + with: + repository: github/codeql-coding-standards + path: codeql-coding-standards-repo # Klonen in diesen Ordner + ref: main # Oder eine spezifische Release-Version, z.B. 'v2.53.0-dev' - name: Recategorize Guidelines if: always() run: | From 49f5508c44d72f6449a7e527c953580fbc14dbc8 Mon Sep 17 00:00:00 2001 From: Piotr Korkus Date: Fri, 20 Mar 2026 12:24:32 +0100 Subject: [PATCH 3/4] manual build --- .../workflows/codeql-multiple-repo-scan.yml | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/codeql-multiple-repo-scan.yml b/.github/workflows/codeql-multiple-repo-scan.yml index 4c6533ef04c..4f26f166dd9 100644 --- a/.github/workflows/codeql-multiple-repo-scan.yml +++ b/.github/workflows/codeql-multiple-repo-scan.yml @@ -53,37 +53,37 @@ jobs: id: checkout-repos run: | scripts/workflow/checkout_repos.sh - # - name: Setup Bazel - # uses: bazel-contrib/setup-bazel@0.15.0 - # with: - # # Avoid downloading Bazel every time. - # bazelisk-cache: true - # # Store build cache per workflow. - # disk-cache: codeql-scan - # # Share repository cache between workflows. - # repository-cache: true + - name: Setup Bazel + uses: bazel-contrib/setup-bazel@0.15.0 + with: + # Avoid downloading Bazel every time. + bazelisk-cache: true + # Store build cache per workflow. + disk-cache: codeql-scan + # Share repository cache between workflows. + repository-cache: true - name: Initialize CodeQL for all repositories uses: github/codeql-action/init@v4 with: languages: cpp - build-mode: none + build-mode: manual packs: codeql/misra-cpp-coding-standards@2.53.0 config-file: ./.github/codeql/codeql-config.yml - # - name: Build all components with Bazel - # run: | - # echo "Building all C++ and Rust targets for CodeQL analysis" - # # Build all targets from the checked-out repositories - # # This ensures CodeQL captures the compilation database - # bazel build --verbose_failures --config=x86_64-linux \ - # @score_baselibs//... \ - # @score_baselibs_rust//src/... \ - # @score_communication//score/mw/com/impl/... \ - # @score_persistency//src/... \ - # @score_orchestrator//src/... \ - # @score_kyron//src/... \ - # @score_lifecycle_health//src/... \ - # @score_logging//... \ - # || true # Continue even if some targets fail + - name: Build all components with Bazel + run: | + echo "Building all C++ and Rust targets for CodeQL analysis" + # Build all targets from the checked-out repositories + # This ensures CodeQL captures the compilation database + bazel build --verbose_failures --config=linux-x86_64 \ + @score_baselibs//score/... \ + @score_baselibs_rust//src/... \ + @score_communication//score/mw/com/impl/... \ + @score_persistency//src/cpp/src/... \ + @score_orchestrator//src/... \ + @score_kyron//src/... \ + @score_lifecycle_health//src/... \ + @score_logging//score/... \ + || true # Continue even if some targets fail - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: From dfb287ab2859c4669ed5691bf426390df235d88d Mon Sep 17 00:00:00 2001 From: Piotr Korkus Date: Fri, 20 Mar 2026 16:15:14 +0100 Subject: [PATCH 4/4] config update --- .github/codeql/codeql-config.yml | 13 ++++++++--- .../workflows/codeql-multiple-repo-scan.yml | 22 +++++++------------ 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 88d151e9ae3..6009c69c169 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -10,12 +10,19 @@ # # SPDX-License-Identifier: Apache-2.0 # ******************************************************************************* -name: "Custom CodeQL Configuration for MISRA" -paths: - - repos +name: "Custom CodeQL Configuration for MISRA (Manual Build)" + +# With build-mode: manual, CodeQL only analyzes files that were compiled. +# The paths/paths-ignore act as FILTERS on compiled files, not scan directives. +# Keep this minimal - CodeQL automatically captures everything built by Bazel. + +# Only analyze production code (exclude test/mock code from results) paths-ignore: - "**/*test*" - "**/*mock*" - "**/test/**" + - "**/tests/**" - "**/mock/**" + - "**/examples/**" - "**/codeql-coding-standards-repo/**" + - "**/bazel-*/**" diff --git a/.github/workflows/codeql-multiple-repo-scan.yml b/.github/workflows/codeql-multiple-repo-scan.yml index 4f26f166dd9..10a9b8fdae0 100644 --- a/.github/workflows/codeql-multiple-repo-scan.yml +++ b/.github/workflows/codeql-multiple-repo-scan.yml @@ -45,14 +45,14 @@ jobs: run: | python3 -m pip install --upgrade pip pip3 install pyyaml jsonpath-ng jsonschema jsonpatch jsonpointer pytest sarif-tools - - name: Parse known_good.json and create repos.json - id: parse-repos - run: | - scripts/workflow/parse_repos.sh - - name: Checkout all pinned repositories - id: checkout-repos - run: | - scripts/workflow/checkout_repos.sh + # - name: Parse known_good.json and create repos.json + # id: parse-repos + # run: | + # scripts/workflow/parse_repos.sh + # - name: Checkout all pinned repositories + # id: checkout-repos + # run: | + # scripts/workflow/checkout_repos.sh - name: Setup Bazel uses: bazel-contrib/setup-bazel@0.15.0 with: @@ -75,12 +75,6 @@ jobs: # Build all targets from the checked-out repositories # This ensures CodeQL captures the compilation database bazel build --verbose_failures --config=linux-x86_64 \ - @score_baselibs//score/... \ - @score_baselibs_rust//src/... \ - @score_communication//score/mw/com/impl/... \ - @score_persistency//src/cpp/src/... \ - @score_orchestrator//src/... \ - @score_kyron//src/... \ @score_lifecycle_health//src/... \ @score_logging//score/... \ || true # Continue even if some targets fail