Skip to content

CodeQL

CodeQL #1511

name: "CodeQL"
on:
push:
branches: [master,development]
pull_request:
branches: [master]
schedule:
- cron: '0 0 * * 4'
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: ['java', 'javascript']
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Maven
uses: hb0730/maven-action@v1
with:
maven-version: 3.8.7
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Autobuild
if: matrix.language == 'javascript'
uses: github/codeql-action/autobuild@v3
- name: Set up JDK 21
if: matrix.language == 'java'
uses: actions/setup-java@v4
with:
java-version: 21
distribution: "temurin"
- name: Build Java
if: matrix.language == 'java'
run: mvn clean package -Dmaven.test.skip
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
upload: False
output: sarif-results
- name: Filter SARIF results
uses: advanced-security/filter-sarif@v1
if: ${{ matrix.language == 'java' }}
with:
patterns: |
-roda-core/roda-core/src/main/java/org/roda/core/storage/ExternalFileManifestContentPayload.java:java/path-injection
-roda-core/roda-core/src/main/java/org/roda/core/storage/fs/FSUtils.java:java/path-injection
input: sarif-results/java.sarif
output: sarif-results/java.sarif
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results/${{ matrix.language }}.sarif