
Commit 90faa95

committed
Code scanning update 5
1 parent 6221544 commit 90faa95

3 files changed

+41
-19
lines changed


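--- a/.github/security-scan-excludes.txt
+++ b/.github/security-scan-excludes.txt
@@ -15,6 +15,7 @@ deps
 deps/*
 external
 external/*
+others/*
 
 # VCS / CI
 .git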
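Review bot: `others/*` (new line 18) is added in only the glob form, while the neighbouring `deps`/`deps/*` and `external`/`external/*` pairs list both the bare directory and the glob; if the consumer matches on either form, `others` should be added alongside so the new exclusion behaves like the entries above it. The entry also carries no comment saying what lives under `others/`, unlike the `# VCS / CI` group further down; each line in this file is a blind spot for the scanners, so the reason belongs next to it, e.g. `# others/: <what it holds and why it is out of scope>` placed above the new line.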

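--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -185,30 +185,38 @@ jobs:
         # run: |
         # cmake --build build --config Release
 
-
-  cppcheck:
-    runs-on: [macos-14]
+  cppcheck-macos:
+    name: cppcheck (macOS)
+    runs-on: macos-14
+
     steps:
       - name: Setup Dependencies
         run: |
-          brew install autoconf \
-          automake \
-          libtool \
-          cppcheck \
-          mbedtls
-      - uses: actions/checkout@v6
+          brew update
+          brew install autoconf automake libtool cppcheck mbedtls
+
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v6
         with:
-          submodules: true
+          submodules: recursive
           fetch-depth: 0
+
+      - name: Ensure submodules are up to date
+        run: |
+          git submodule sync --recursive
+          git submodule update --init --recursive --force
+
       - name: Build-Script ausführbar machen
         run: chmod +x build_on_macos.sh
+
       - name: build_on_macos.sh
         run: ./build_on_macos.sh
+
       - name: configure
         env:
           CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include
           LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib
-        run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking
-          ./configure
+        run: ./configure --disable-dependency-tracking
+
       - name: cppcheck
         run: make check-static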
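Review bot: Renaming the job key from `cppcheck` to `cppcheck-macos` (new line 188) changes the check's identity, so any branch-protection required status check or `needs:` entry keyed on the old name will silently stop gating and should be updated in the same change. The new `Ensure submodules are up to date` step (new lines 204–207) repeats what `actions/checkout` with `submodules: recursive` did one step earlier, so on a fresh runner it is redundant; if it is kept deliberately, a one-line comment above it naming the case it covers would stop it being removed later as dead weight. Dropping `--enable-assertions=yes` from the configure line (new line 219) changes what the static check sees compared with the previous job; if that is intended, a short comment beside the `run:` would record it. The `jobs:` mapping this hunk belongs to starts outside the hunk.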

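--- a/.github/workflows/flawfinder.yml
+++ b/.github/workflows/flawfinder.yml
@@ -63,21 +63,34 @@ jobs:
             echo "Files to scan: $(wc -l < /tmp/flawfinder-files.txt)"
           fi
 
-      - name: Run Flawfinder (SARIF)
+      - name: Build Flawfinder file list (headers only)
         shell: bash
         run: |
-          if [[ ! -s /tmp/flawfinder-files.txt ]]; then
-            echo "Skipping flawfinder: no files."
-            echo '{"version":"2.1.0","runs":[]}' > flawfinder.sarif
+          git ls-files headers '*.h' > /tmp/flawfinder-headers-files.txt
+
+      - name: Run Flawfinder (SARIF, headers strict)
+        shell: bash
+        run: |
+          if [[ ! -s /tmp/flawfinder-headers-files.txt ]]; then
+            echo "Skipping flawfinder headers: no files."
+            echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif
             exit 0
           fi
 
-          flawfinder --sarif --quiet --minlevel=1 $(cat /tmp/flawfinder-files.txt) > flawfinder.sarif
+          flawfinder \
+            --sarif \
+            --quiet \
+            --minlevel=1 \
+            --exclude-dir=vendor,third_party,deps,external,mbedtls \
+            $(cat /tmp/flawfinder-headers-files.txt) \
+            > flawfinder-headers.sarif
+
+
 
 
       - name: Upload SARIF
         if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
         uses: github/codeql-action/upload-sarif@v4
         with:
-          sarif_file: flawfinder.sarif
-          category: flawfinder
+          sarif_file: flawfinder-headers.sarif
+          category: flawfinder-headers-strict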
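Review bot: The hunk's leading context (line 63) still reports `Files to scan` from `/tmp/flawfinder-files.txt`, but after this change nothing in the hunk reads that list: the step that scanned it is replaced by the headers-only scan and the upload now carries only `flawfinder-headers.sarif`. If the full-source scan was not re-added elsewhere in the file, the non-header sources are no longer scanned and alerts previously uploaded under category `flawfinder` stop being refreshed; if it was moved, the list-building step above this hunk is now dead and should go with it. The pathspecs in `git ls-files headers '*.h'` (new line 69) are OR'd, so the list is every file under `headers/` plus every `.h` anywhere in the tree, vendored ones included; if "headers only" means the `headers/` directory, `git ls-files -- 'headers/*.h' > /tmp/flawfinder-headers-files.txt` says that directly. It is also worth confirming against the installed flawfinder that `--exclude-dir` (new line 84) is an accepted option, since under `shell: bash` an unrecognised flag fails the step rather than quietly scanning less. The enclosing job starts outside this hunk.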
