dvdhrm
commented
2 years ago I fixed the 2 signed-overflow bugs in c-dvar. Thanks for catching them!
Regarding adding CodeQL: I added the scan branch for now, with this pulled in. However, our new build-instructions use meson-0.60, which is not available on the standard github runners. I will defer merging this until this is included, or until I figured out a way to build on a fedora container, but then run codeql on the result but on the github-runner.
mrc0mmand
evverx
This commit introduces GitHub's CodeQL Action[0] which regularly scans code for possible errors and vulnerabilities. I borrowed our custom configs from the systemd repository, since they enable a couple of other security-related checks which are disabled by default.
[0] https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
The results are then shown in the PR (if the PR introduces new alerts) or in the Security tab for the general overview, e.g.:
https://github.com/mrc0mmand/dbus-broker/security/code-scanning?query=+pr%3A1+ or https://github.com/systemd/systemd/security/code-scanning
One minor issue is that the CodeQL workflow processes files from submodules, but it doesn't show preview for them in the UI, e.g.:
However, the offending line is still discoverable from the alerts overview:
so it's not completely useless.
Anyway, this is just a proposal, if this is something which you don't deem useful, feel free to close this PR.