Skip to content

Add sun-misc-Unsafe-bad-array-offset.ql #223

Add sun-misc-Unsafe-bad-array-offset.ql

Add sun-misc-Unsafe-bad-array-offset.ql #223

Workflow file for this run

# This usage of CodeQL CLI is permitted by https://securitylab.github.com/tools/codeql/license
# > Test CodeQL queries that are released under an OSI-approved Licence to confirm that new versions of those queries continue to find the right vulnerabilities.
name: CodeQL checks
# workflow_dispatch to support manually triggering workflow
on: [push, pull_request, workflow_dispatch]
jobs:
codeql-cli:
name: Run CodeQL CLI checks
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Fetch the codeql submodule
submodules: recursive
- name: Get CodeQL submodule version
id: codeql-submodule-version
run: |
# Switch to submodule and get Git tag
cd codeql
# Fetch tags (and only tags), see https://stackoverflow.com/a/20608181
git fetch origin 'refs/tags/*:refs/tags/*' --quiet
tag=$(git describe --exact-match --exclude "codeql-cli/latest")
# Remove 'codeql-cli/' prefix
version="${tag#codeql-cli/}"
echo "version=${version}" >> $GITHUB_OUTPUT
echo "Submodule version: ${version}"
# Based on https://github.com/github/codeql/blob/45c942866830bec3463598774012a33a2cfaff96/.github/workflows/query-list.yml
- name: Download CodeQL CLI
uses: dsaltares/[email protected]
with:
repo: "github/codeql-cli-binaries"
version: ${{ format('tags/{0}', steps.codeql-submodule-version.outputs.version) }}
file: "codeql-linux64.zip"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Unzip CodeQL CLI
# -q to run quietly
run: unzip -q -d codeql-cli codeql-linux64.zip
- name: Print CodeQL CLI version
id: codeql-version
run: |
./codeql-cli/codeql/codeql version --format=terse
echo "version=$(./codeql-cli/codeql/codeql version --format=terse)" >> $GITHUB_OUTPUT
# TODO: Once available, change this to update the cache, see https://github.com/actions/cache/issues/342
# For now include the CodeQL CLI version in the cache key to invalidate the cache, see https://github.com/github/vscode-codeql/issues/730#issuecomment-764855019
- name: Cache CodeQL compilation cache
uses: actions/cache@v4
with:
path: |
~/.codeql
key: ${{ runner.os }}-codeql-compilation-cache-${{ steps.codeql-version.outputs.version }}-${{ github.ref }}
restore-keys: |
${{ runner.os }}-codeql-compilation-cache-${{ steps.codeql-version.outputs.version }}-
# Compile all queries to detect errors in queries even without corresponding tests
- name: Compile queries
# Increase available RAM and use as many threads as there are cores
# Don't use --check-only but perform actual compilation; with cache action above this is a lot faster
run: ./codeql-cli/codeql/codeql query compile --search-path=codeql --ram 4096 --threads=0 --keep-going ./codeql-custom-queries-java/queries
- name: Run query tests
# Increase available RAM and use as many threads as there are cores
run: ./codeql-cli/codeql/codeql test run "--search-path=codeql:./codeql-custom-queries-java/queries" --ram 4096 --threads=0 ./codeql-custom-queries-java/tests