rnpgp / rnp

RNP: high performance C++ OpenPGP library used by Mozilla Thunderbird
https://www.rnpgp.org

Consider adding LGTM.com runner to the CI. #1585

Status: Closed (closed by ni4 2 years ago)

ni4 commented 3 years ago

Description

LGTM.com: Continuous security analysis

A code analysis platform for finding zero-days and preventing critical vulnerabilities

ronaldtse commented 2 years ago

@ni4 I've added LGTM, and we need to configure its build:

[Screenshot 2021-10-13 at 5:35:09 PM]

Relevant link: https://lgtm.com/help/lgtm/customizing-code-extraction

Sample configuration file:

```yaml
extraction:
  cpp:
    prepare:
      packages:
        - libboost-all-dev
        - bison
    configure:
      command:
        - ./bootstrap
        - ./configure --with-modules="" --without-lua
    index:
      build_command:
        - ./project-builder.sh
```

Badge:

[![Total alerts](https://img.shields.io/lgtm/alerts/g/rnpgp/rnp.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/rnpgp/rnp/alerts/)

ni4 commented 2 years ago

@ronaldtse Ok, I'll (try to) handle this!

ni4 commented 2 years ago

@ronaldtse Could you please disable the unneeded languages (all except C/C++/Python, I guess), as described here: https://help.semmle.com/lgtm-enterprise/admin/help/disabling-analysis-language.html ? I cannot do that since I'm not a repository administrator.

ronaldtse commented 2 years ago

@ni4 I cannot see any "administration" options as per the help article. No method to enable/disable. By default, all languages are enabled... Let's try to merge #1649 to see if it helps.

ni4 commented 2 years ago

@ronaldtse thanks for checking! Let's see how it would go.

ronaldtse commented 2 years ago

Finally working! I had to copy/paste your YAML file into the "Test analysis configuration" box, run it, wait for it to finish, then it works.

https://lgtm.com/projects/g/rnpgp/rnp/logs/languages/lang:cpp

[Screenshot 2021-10-14 at 10:14:03 PM]

@ni4 would it be possible to disable the other failing languages?

ni4 commented 2 years ago

@ronaldtse I see this message at the 'Logs' page:

Other languages
The following languages are not included when determining the overall build status. This is because the project doesn't use these languages, analysis of the languages hasn't been tried, or the build has never succeeded. If the languages are used and failed to build, you can use the "Test analysis configuration" button above to try the build with a custom analysis configuration.

So, looks like it's okay: only the succeeded languages will run, until we add support for more. I'll push a cli_tests fixes PR soon to see whether it reports something for C++ as well.

ronaldtse commented 2 years ago

Thanks @ni4! They already provide alerts; there are 3 for C++ and 31 for Python, which are just tests 😉 Closing this and posting the rest separately.
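For reference, the sample `lgtm.yml` posted earlier in this thread is the generic autotools example from the LGTM docs, while the Python alerts mentioned above come from test code. The file below is an added example of what a repository-level `lgtm.yml` for a CMake-based project such as rnp could look like; it is not rnp's own configuration and not from this thread. The Ubuntu package names, the cmake options and the `src/tests` path are assumptions; the `extraction` and `path_classifiers` keys are part of the LGTM configuration schema linked above.

```yaml
# Added example, not rnp's own lgtm.yml.
# Assumptions: the project builds with CMake and depends on Botan 2 and
# json-c (Ubuntu package names assumed), and its Python test suite lives
# under src/tests.
extraction:
  cpp:
    prepare:
      packages:
        - cmake
        - pkg-config
        - libbotan-2-dev
        - libjson-c-dev
    configure:
      command:
        - cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
    index:
      build_command:
        - cmake --build build -j2

# Mark test sources so alerts raised in them are classified as test code
# rather than counted against the main code base.
path_classifiers:
  test:
    - src/tests
```

Only the languages listed under `extraction` get a custom build; languages that LGTM cannot build are reported under "Other languages" and excluded from the overall build status, as the logs page quoted earlier states, so there is no per-repository key in this file for disabling them.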