v1.1: Vision 42/42 + Enhanced Vision 19/19 across openvx-mark, opencv-mark, and rustVX #6

Workflow file for this run

# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '36 4 * * 4'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # Runner size impacts CodeQL analysis time. To learn more, please see:
    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
    #   - https://gh.io/supported-runners-and-hardware-resources
    #   - https://gh.io/using-larger-runners (GitHub.com only)
    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    permissions:
      # required for all workflows
      security-events: write

      # required to fetch internal or private CodeQL packs
      packages: read

      # only required for workflows in private repositories
      actions: read
      contents: read

    strategy:
      fail-fast: false
      matrix:
        include:
        - language: actions
          build-mode: none
        # c-cpp uses build-mode: manual because the autobuilder can't
        # discover our OpenVX dependency on a fresh runner — there is
        # no apt package that ships <VX/vx.h>, so autobuild fails at
        # the very first `#include <VX/vx.h>` with "fatal error: file
        # not found". The manual step below downloads the canonical
        # Khronos OpenVX 1.3.1 standard-header tarball (~56 KB) and
        # stamps out empty stub libopenvx.so / libvxu.so so CMake's
        # find_library() succeeds. CodeQL only needs successful
        # compilation through to .o files to extract the AST — it
        # tolerates link failures — so the stub libraries are
        # sufficient for the analysis surface.
        - language: c-cpp
          build-mode: manual
        - language: python
          build-mode: none
        # CodeQL supports the following values for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
        # Use `c-cpp` to analyze code written in C, C++ or both
        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    # Add any setup steps before running the `github/codeql-action/init` action.
    # This includes steps like installing compilers or runtimes (`actions/setup-node`
    # or others). This is typically only required for manual builds.
    # - name: Setup runtime (example)
    #   uses: actions/setup-example@v1

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    # Manual build for c-cpp: we provide Khronos OpenVX headers + stub
    # .so files so CMake configures and the compiler emits .o files,
    # which is all CodeQL needs to extract source for analysis. We do
    # NOT build a real OpenVX runtime here — that's an order of
    # magnitude slower and unnecessary for static analysis.
    - name: Install build dependencies (c-cpp)
      if: matrix.language == 'c-cpp'
      run: |
        sudo apt-get update
        sudo apt-get install -y build-essential cmake git libopencv-dev

    - name: Fetch Khronos OpenVX headers + stamp out stub libs (c-cpp)
      if: matrix.language == 'c-cpp'
      run: |
        set -euo pipefail
        STAGE="${{ github.workspace }}/openvx-stage"
        mkdir -p "$STAGE/include/VX" "$STAGE/lib"

        # Pull the canonical OpenVX 1.3.1 standard header tarball from
        # the Khronos Registry. Tarball is ~56 KB and contains exactly
        # the eight VX/*.h files we include from any of our sources
        # (vx.h, vx_api.h, vx_compatibility.h, vx_kernels.h, vx_nodes.h,
        # vx_types.h, vx_vendors.h, vxu.h). This is the same source the
        # full OpenVX-sample-impl ships in api-docs/include/, just
        # delivered as a 56 KB tarball instead of a 50 MB git clone.
        curl --proto '=https' --tlsv1.2 -fsSL \
          https://registry.khronos.org/OpenVX/api/1.3.1/openvx-standard-headers-1.3.1.tar.bz2 \
          -o /tmp/openvx-headers.tar.bz2
        tar -xjf /tmp/openvx-headers.tar.bz2 -C "$STAGE/include/"

        # Stub libopenvx.so / libvxu.so so CMake's find_library() at
        # the top of CMakeLists.txt succeeds. Empty shared libraries
        # link cleanly; any vx*/vxu* call site will hit an unresolved
        # symbol at LINK time only, which CodeQL ignores — it has
        # already captured the AST during the compile step. An empty
        # .c file is a valid translation unit for gcc -shared (produces
        # a zero-symbol but well-formed ELF .so), so we avoid heredocs
        # entirely with `touch`.
        touch /tmp/openvx_stub.c
        gcc -shared -fPIC -o "$STAGE/lib/libopenvx.so" /tmp/openvx_stub.c
        gcc -shared -fPIC -o "$STAGE/lib/libvxu.so"    /tmp/openvx_stub.c

        echo "--- staged include (VX/*.h) ---"
        ls -la "$STAGE/include/VX"
        echo "--- staged lib ---"
        ls -la "$STAGE/lib"

    - name: Configure & build openvx-mark for CodeQL extraction (c-cpp)
      if: matrix.language == 'c-cpp'
      run: |
        set -euo pipefail
        STAGE="${{ github.workspace }}/openvx-stage"
        mkdir -p build-codeql
        cd build-codeql
        cmake \
          -DCMAKE_BUILD_TYPE=Debug \
          -DOPENVX_INCLUDES="$STAGE/include" \
          -DOPENVX_LIB_DIR="$STAGE/lib" \
          ..
        # CodeQL only needs the .o files to exist (extracted during
        # compilation). The final link will fail because the stub
        # libopenvx.so exports no vx*/vxu* symbols — `|| true` swallows
        # that expected failure without masking real per-source-file
        # compile errors (which would have already produced no .o and
        # broken CodeQL's extractor cleanly).
        cmake --build . -j"$(nproc)" || true

    - name: Run manual build steps (other languages — no-op stub)
      if: matrix.build-mode == 'manual' && matrix.language != 'c-cpp'
      shell: bash
      run: |
        echo "No manual build configured for ${{ matrix.language }} — skipping."

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4
      with:
        category: "/language:${{matrix.language}}"
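The header-fetch step above extracts whatever `curl` returns from registry.khronos.org straight into the include path the compiler (and CodeQL) will read. The added example below, which is not part of the workflow or the openvx-mark project, shows the same fetch-and-extract step gated on a pinned SHA-256 so a substituted or corrupted tarball fails the job; the `OPENVX_HEADERS_SHA256` value is a placeholder, since the page does not record the real digest.

```shell
# Added example: checksum-pinned variant of the OpenVX header staging step.
# Assumes sha256sum (coreutils), curl and tar; POSIX sh, no bashisms.

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, else 1.
verify_sha256() {
    vs_file="$1"
    vs_expected="$2"
    vs_actual="$(sha256sum "$vs_file" | cut -d' ' -f1)"
    if [ "$vs_actual" != "$vs_expected" ]; then
        echo "checksum mismatch for $vs_file: got $vs_actual, want $vs_expected" >&2
        return 1
    fi
    return 0
}

# fetch_verified URL OUT EXPECTED_HEX -> download OUT, verify it, and delete
# it on mismatch so no unverified artifact is left for a later step to use.
fetch_verified() {
    fv_url="$1"; fv_out="$2"; fv_expected="$3"
    curl --proto '=https' --tlsv1.2 -fsSL "$fv_url" -o "$fv_out" || return 1
    if ! verify_sha256 "$fv_out" "$fv_expected"; then
        rm -f "$fv_out"
        return 1
    fi
    return 0
}

# stage_openvx_headers STAGE_DIR EXPECTED_HEX -> the workflow's fetch+extract
# step, but tar only runs after the digest check passes.
stage_openvx_headers() {
    so_stage="$1"; so_expected="$2"
    so_tarball="$(mktemp)"
    mkdir -p "$so_stage/include/VX" "$so_stage/lib"
    fetch_verified \
        https://registry.khronos.org/OpenVX/api/1.3.1/openvx-standard-headers-1.3.1.tar.bz2 \
        "$so_tarball" "$so_expected" || return 1
    tar -xjf "$so_tarball" -C "$so_stage/include/"
    rm -f "$so_tarball"
}

# PLACEHOLDER digest: record the real value once, from a copy of the 1.3.1
# tarball that was verified out-of-band, and commit it next to the workflow.
OPENVX_HEADERS_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
```

In the workflow, the `curl`/`tar` pair in the fetch step would become `stage_openvx_headers "$STAGE" "$OPENVX_HEADERS_SHA256"`.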