From b91e3c62802bfc04f7fd7c0428223caae0807a9e Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Tue, 17 Dec 2024 09:47:37 +0000 Subject: [PATCH 01/16] add checking out sonic-mgmt-common. --- .github/workflows/codeql-analysis.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2997ffea..4682daec 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -31,6 +31,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 + - name: Checkout sonic-mgmt-common repository + uses: actions/checkout@v3 + with: + repository: owner/sonic-mgmt-common + path: ../sonic-mgmt-common + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v2.1.29 From 66fdd2c57c10b98a3698cfb951641d39b30c686c Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Tue, 17 Dec 2024 09:50:20 +0000 Subject: [PATCH 02/16] path needs to be under working dir. --- .github/workflows/codeql-analysis.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4682daec..31f97334 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -35,7 +35,6 @@ jobs: uses: actions/checkout@v3 with: repository: owner/sonic-mgmt-common - path: ../sonic-mgmt-common # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From ad61814fd755e91b36879a48b0d2343eb55d40c6 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Tue, 17 Dec 2024 09:53:34 +0000 Subject: [PATCH 03/16] fix wrong url for repo. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 31f97334..0cbd65db 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
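Review bot: The new `Checkout sonic-mgmt-common repository` step references `actions/checkout@v3`, a mutable major-version tag, so the action code that fetches a second repository into the job can change between runs with no diff in this workflow. Pin it to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, and apply the same pinning to the existing checkout step immediately above it so the two stay consistent.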
@@ -34,7 +34,7 @@ jobs: - name: Checkout sonic-mgmt-common repository uses: actions/checkout@v3 with: - repository: owner/sonic-mgmt-common + repository: sonic-net/sonic-mgmt-common # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 02d8dd1294d6c8e8da3e623fc4c55862a4934b9c Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Tue, 17 Dec 2024 09:58:04 +0000 Subject: [PATCH 04/16] update to prevent deleting old repo. --- .github/workflows/codeql-analysis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0cbd65db..904d5d4f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -35,6 +35,7 @@ jobs: uses: actions/checkout@v3 with: repository: sonic-net/sonic-mgmt-common + path: sonic-mgmt-common # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 19e941a293602d53462999865ce7b3e8ee26aaf5 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Tue, 17 Dec 2024 10:50:13 +0000 Subject: [PATCH 05/16] add ref to checkout --- .github/workflows/codeql-analysis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 904d5d4f..dad4ca39 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,6 +36,7 @@ jobs: with: repository: sonic-net/sonic-mgmt-common path: sonic-mgmt-common + ref: master # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From fb263a900e3f7827024c5aadf6688f5f0fd887a5 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 02:19:47 +0000 Subject: [PATCH 06/16] update ref to be the same as build branch. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index dad4ca39..3309ca16 100644 
--- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,7 +36,7 @@ jobs: with: repository: sonic-net/sonic-mgmt-common path: sonic-mgmt-common - ref: master + ref: ${{ github.ref }} # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From ebb7f3c0a1b98620a85d9ade0045b7ee27a2337d Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 02:22:35 +0000 Subject: [PATCH 07/16] update to github pr target branch. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3309ca16..fcf2f137 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,7 +36,7 @@ jobs: with: repository: sonic-net/sonic-mgmt-common path: sonic-mgmt-common - ref: ${{ github.ref }} + ref: ${{ github.event.pull_request.base.ref }} # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 659e12d9bede16aa6a40d16e79c413aed12c3818 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 02:32:26 +0000 Subject: [PATCH 08/16] change the clone path to address file not found issue. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fcf2f137..095d2de3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 with: repository: sonic-net/sonic-mgmt-common - path: sonic-mgmt-common + path: ../sonic-mgmt-common ref: ${{ github.event.pull_request.base.ref }} # Initializes the CodeQL tools for scanning. From e8bc54727e6832204834462eeb71b6c02302bba4 Mon Sep 17 00:00:00 2001 
From: Dawei Huang Date: Wed, 18 Dec 2024 02:35:12 +0000 Subject: [PATCH 09/16] update documentation. --- .github/workflows/codeql-analysis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 095d2de3..eb5e98aa 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -31,10 +31,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 + # Checkout sonic-mgmt-common repository which sonic-gnmi depends on. - name: Checkout sonic-mgmt-common repository uses: actions/checkout@v3 with: repository: sonic-net/sonic-mgmt-common + # build requires sonic-mgmt-common to be in the same directory as sonic-gnmi. path: ../sonic-mgmt-common ref: ${{ github.event.pull_request.base.ref }} From ff18bcd2d67c7570aa4351c2c9a30502345c7bde Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 02:42:12 +0000 Subject: [PATCH 10/16] use the CI sed hack to go can find the path of sonic-mgmt-common. --- .github/workflows/codeql-analysis.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index eb5e98aa..0cc1a04b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -31,15 +31,21 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Checkout sonic-mgmt-common repository which sonic-gnmi depends on. + # Checkout sonic-mgmt-common repository which is used by sonic-gnmi - name: Checkout sonic-mgmt-common repository uses: actions/checkout@v3 with: repository: sonic-net/sonic-mgmt-common - # build requires sonic-mgmt-common to be in the same directory as sonic-gnmi. - path: ../sonic-mgmt-common + path: sonic-mgmt-common + # Checkout the branch that is being merged into ref: ${{ github.event.pull_request.base.ref }} + # Update go.mod to use local sonic-mgmt-common. + # This is the same hack used in the CI pipeline. See lgtm.yml. + # We should find a better way to do this. + - name: Update go.mod for sonic-mgmt-common + run: sed -i 's@replace github.com/Azure/sonic-mgmt-common => ../sonic-mgmt-common@replace github.com/Azure/sonic-mgmt-common => ./sonic-mgmt-common@g' go.mod + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v2.1.29 From 33db80af570a5763e05a783364bea71d579977f1 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 02:53:27 +0000 Subject: [PATCH 11/16] sed debug mode. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0cc1a04b..d976ae2c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
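Review bot: The `sed -i` in the new `Update go.mod for sonic-mgmt-common` step exits 0 whether or not the pattern matched, so if the `replace` line in go.mod ever drifts (module path, spacing, or relative path) the rewrite silently no-ops and the failure only surfaces later as an unrelated CodeQL build error. A post-check makes it fail fast: turn the step into a block scalar `run: |` with the existing sed line followed by `grep -q 'sonic-mgmt-common => ./sonic-mgmt-common' go.mod`. The unescaped `.` characters in the sed pattern match any character, which is harmless here but worth escaping as `\.` if the expression is ever tightened. The same line is rewritten in the patch 11 and patch 16 hunks, and this applies there as well.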
@@ -44,7 +44,7 @@ jobs: # This is the same hack used in the CI pipeline. See lgtm.yml. # We should find a better way to do this. - name: Update go.mod for sonic-mgmt-common - run: sed -i 's@replace github.com/Azure/sonic-mgmt-common => ../sonic-mgmt-common@replace github.com/Azure/sonic-mgmt-common => ./sonic-mgmt-common@g' go.mod + run: sed --debug -i 's@replace github.com/Azure/sonic-mgmt-common => ../sonic-mgmt-common@replace github.com/Azure/sonic-mgmt-common => ./sonic-mgmt-common@g' go.mod # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From c2aead9a1073f5eea640d8f1ee8c16ba018f61d4 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 03:06:28 +0000 Subject: [PATCH 12/16] bypass semgrep check after auditing. --- .github/workflows/codeql-analysis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d976ae2c..f2859bf8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,7 +38,8 @@ jobs: repository: sonic-net/sonic-mgmt-common path: sonic-mgmt-common # Checkout the branch that is being merged into - ref: ${{ github.event.pull_request.base.ref }} + # This workflow has been audited, and no secrets or untrusted code are exposed to the pull_request_target trigger. + ref: ${{ github.event.pull_request.base.ref }} # nosem: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout # Update go.mod to use local sonic-mgmt-common. # This is the same hack used in the CI pipeline. See lgtm.yml. From 44fbc97f1e9038972eac0975b0dcbc5356b3e15a Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 03:08:59 +0000 Subject: [PATCH 13/16] no semgrep instead of nosem. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f2859bf8..d2281487 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: path: sonic-mgmt-common # Checkout the branch that is being merged into # This workflow has been audited, and no secrets or untrusted code are exposed to the pull_request_target trigger. - ref: ${{ github.event.pull_request.base.ref }} # nosem: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout + ref: ${{ github.event.pull_request.base.ref }} # nosemgrep: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout # Update go.mod to use local sonic-mgmt-common. # This is the same hack used in the CI pipeline. See lgtm.yml. From 657691c2e0b3de4998fd7790a919af1f329fe7ae Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 03:12:05 +0000 Subject: [PATCH 14/16] update comment. --- .github/workflows/codeql-analysis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d2281487..79a81e88 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,8 @@ jobs: path: sonic-mgmt-common # Checkout the branch that is being merged into # This workflow has been audited, and no secrets or untrusted code are exposed to the pull_request_target trigger. - ref: ${{ github.event.pull_request.base.ref }} # nosemgrep: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout + # nosemgrep: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout + ref: ${{ github.event.pull_request.base.ref }} # Update go.mod to use local sonic-mgmt-common. # This is the same hack used in the CI pipeline. See lgtm.yml. 
From 8427ba747fcb0bdf1f009823a1fe30b8ae44ae21 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 03:18:25 +0000 Subject: [PATCH 15/16] follow the azure pipeline way. --- .github/workflows/codeql-analysis.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 79a81e88..6c75e3c5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -13,6 +13,10 @@ on: - '202[0-9][0-9][0-9]' workflow_dispatch: +env: + BUILD_BRANCH: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.ref || github.ref_name }} + + jobs: analyze: name: Analyze @@ -37,10 +41,7 @@ jobs: with: repository: sonic-net/sonic-mgmt-common path: sonic-mgmt-common - # Checkout the branch that is being merged into - # This workflow has been audited, and no secrets or untrusted code are exposed to the pull_request_target trigger. - # nosemgrep: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout - ref: ${{ github.event.pull_request.base.ref }} + ref: refs/heads/${{ env.BUILD_BRANCH }} # Update go.mod to use local sonic-mgmt-common. # This is the same hack used in the CI pipeline. See lgtm.yml. From 6bc20a0b53e595b753cf97bcc26b768f3627fd41 Mon Sep 17 00:00:00 2001 From: Dawei Huang Date: Wed, 18 Dec 2024 03:37:40 +0000 Subject: [PATCH 16/16] remove --debug from sed. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6c75e3c5..470a2e51 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
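Review bot: The second hunk drops the comment explaining why a checkout driven by `github.event.pull_request.base.ref` is acceptable under `pull_request_target`, and routing the value through `env.BUILD_BRANCH` now hides that reasoning from both readers and the semgrep rule the earlier annotation named. Keep a one-line comment on the `ref:` line such as `# Always the base (target) branch, never the PR head; safe under pull_request_target.` so the next maintainer does not switch it to the head ref without noticing the trust boundary. Note also that `refs/heads/${{ env.BUILD_BRANCH }}` hard-codes the branch namespace, so a `workflow_dispatch` run from a tag (where `github.ref_name` is the tag name) would fail the checkout, if dispatching from a tag is a supported way to run this workflow. The two blank lines after the new `env:` block are a yamllint `empty-lines` nit; one is enough.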
@@ -47,7 +47,7 @@ jobs: # This is the same hack used in the CI pipeline. See lgtm.yml. # We should find a better way to do this. - name: Update go.mod for sonic-mgmt-common - run: sed --debug -i 's@replace github.com/Azure/sonic-mgmt-common => ../sonic-mgmt-common@replace github.com/Azure/sonic-mgmt-common => ./sonic-mgmt-common@g' go.mod + run: sed -i 's@replace github.com/Azure/sonic-mgmt-common => ../sonic-mgmt-common@replace github.com/Azure/sonic-mgmt-common => ./sonic-mgmt-common@g' go.mod # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL