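---
name: CodeQL
# Advanced CodeQL setup. Replaces the GitHub default-setup that has
# been emitting two warnings against master since the new-fork move:
#
# 1. "1 duplicate classes filtered out" — `Ghidra/Extensions/
#    bundle_examples/scripts_jar{1,2}/org/jarlib/JarUtil.java`
#    both declare `package org.jarlib; class JarUtil`. They're
#    intentional, came from upstream NSA, and `.github/codeql/
#    codeql-config.yml`'s paths-ignore now excludes the
#    bundle_examples tree.
#
# 2. "Required Gradle version not specified" — Ghidra doesn't
#    check in a gradle-wrapper; default-setup's autobuilder
#    can't determine the gradle version it should use. The
#    java-kotlin job below pins gradle 8.5 (matching the rest
#    of the workflow tree: release.yml, audit-datatests.yml)
#    and uses a manual build command so the autobuilder doesn't
#    need to guess.
#
# Maintainer note: when this workflow first runs, GitHub's UI may
# still report default-setup as the active scanner. Disable default
# setup once to switch over:
#
#   gh api -X PATCH /repos/CryptoJones/GayHydra/code-scanning/default-setup \
#     -f state=not-configured
#
# After that, this advanced-setup workflow is the sole CodeQL run.
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    # Match the default-setup weekly cadence (Monday 06:00 UTC).
    - cron: '0 6 * * 1'

# Workflow-wide default is read-only; the analyze job widens this
# only to what the SARIF upload needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 120
    permissions:
      security-events: write  # required by codeql-action/analyze to upload results
      contents: read
      actions: read
    strategy:
      fail-fast: false
      matrix:
        language: ['actions', 'c-cpp', 'java-kotlin', 'python']
    steps:
      # NOTE(review): every third-party action below is pinned to a
      # mutable major tag. Pinning to a full commit SHA instead
      # (`uses: owner/repo@<full-commit-sha>`) removes the tag-moved /
      # tag-compromised supply-chain risk; Dependabot can keep the
      # pins current.
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes or needs an authenticated git
          # remote, so don't leave GITHUB_TOKEN in .git/config for the
          # build steps (gradle, make) to read.
          persist-credentials: false
      - name: Read Ghidra JDK version
        if: matrix.language == 'java-kotlin'
        # Fail here, with a clear message, rather than letting setup-java
        # choke on an empty java-version when the property is missing.
        run: |
          JDK_VER="$(awk -F'=' '$1=="application.java.min" {print $2}' Ghidra/application.properties)"
          if [ -z "$JDK_VER" ]; then
            echo "application.java.min not found in Ghidra/application.properties" >&2
            exit 1
          fi
          echo "JDK_VER=$JDK_VER" >> "$GITHUB_ENV"
      - name: Setup JDK
        if: matrix.language == 'java-kotlin'
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '${{ env.JDK_VER }}'
      - name: Setup Gradle
        if: matrix.language == 'java-kotlin'
        uses: gradle/actions/setup-gradle@v4
        with:
          gradle-version: '8.5'
      - name: Install C++ build deps
        if: matrix.language == 'c-cpp'
        # bison + flex are needed to regenerate xml.cc / slghparse.cc /
        # slghscan.cc from their .y / .l sources during the manual
        # build below. binutils-dev + libiberty-dev provide bfd.h —
        # we don't *link* against libbfd (libdecomp_dbg.a is a static
        # archive, no link step), but `analyzesigs.cc` and
        # `loadimage_bfd.cc` `#include <bfd.h>` and therefore need
        # the header at compile time.
        run: |
          sudo apt-get update
          sudo apt-get install -y bison flex g++ make binutils-dev libiberty-dev
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      - name: Fetch Ghidra dependencies
        if: matrix.language == 'java-kotlin'
        run: gradle -I gradle/support/fetchDependencies.gradle -DhideDownloadProgress -DnoEclipse
      - name: Manual Java build
        if: matrix.language == 'java-kotlin'
        # `gradle prepDev` compiles all Java/Kotlin source without
        # producing a distribution zip — enough for CodeQL's tracer to
        # pick up the .class files. Faster than `buildGhidra` and
        # avoids the SBOM / signing / packaging steps that are
        # irrelevant to static analysis.
        run: gradle prepDev --parallel
      - name: Manual C++ build
        if: matrix.language == 'c-cpp'
        # Autobuild fails for this repo because the decompiler's
        # Makefile lives at Ghidra/Features/Decompiler/src/decompile/cpp/
        # rather than at the repo root, so `cpp/autobuilder.sh` reports
        # "No supported build system detected" and exits 1. Build the
        # static library `libdecomp_dbg.a` instead — that target
        # compiles every C++ source file in the decompiler core (all
        # LIBDECOMP_NAMES → com_dbg/*.o, then ar qc into the archive)
        # without needing BFD at link time. CodeQL's tracer picks up
        # the .o compile commands, which is what static analysis needs.
        run: |
          cd Ghidra/Features/Decompiler/src/decompile/cpp
          make libdecomp_dbg.a
      - name: Autobuild (other languages)
        if: matrix.language != 'java-kotlin' && matrix.language != 'c-cpp'
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: /language:${{ matrix.language }}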