diff --git a/assets/duckdb-database-gh.zip b/assets/duckdb-database-gh.zip
new file mode 100644
index 0000000..b7f1df5
--- /dev/null
+++ b/assets/duckdb-database-gh.zip
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb8f67770e1b1b48f444f4c5af6aab6d4c92889d500aa3b39d0677ecab2052b3
+size 170600981
diff --git a/assets/duckdb-db-local.zip b/assets/duckdb-db-local.zip
new file mode 100644
index 0000000..601831f
--- /dev/null
+++ b/assets/duckdb-db-local.zip
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6eaf53bba76f3f42b1f4ef49d9842e591e09a93d27cc5e6c34dd21898f5f3294
+size 282883554
diff --git a/codeql-duckdb/README.org b/codeql-duckdb/README.org
new file mode 100644
index 0000000..dac8d43
--- /dev/null
+++ b/codeql-duckdb/README.org
@@ -0,0 +1,44 @@
+* Duckdb Codeql Setup
+ - fork at https://github.com/hohn/duckdb
+ - github db build: enable code scanning, advanced config
+ - only c/cpp
+ - creates https://github.com/hohn/duckdb/blob/main/.github/workflows/codeql.yml
+ - action run at https://github.com/hohn/duckdb/actions/runs/15939648352/job/44965776267
+ - db download
+ #+BEGIN_SRC sh
+ # list dbs
+ curl -H "Authorization: token $GITHUB_TOKEN" \
+ https://api.github.com/repos/hohn/duckdb/code-scanning/analyses
+
+
+ # Get DB via curl
+ cd ~/work-gh/codeql-lab/assets
+ curl -H "Authorization: token $GITHUB_TOKEN" \
+ -H "Accept: application/zip" \
+ -L \
+ https://api.github.com/repos/hohn/duckdb/code-scanning/codeql/databases/cpp \
+ -o duckdb-database-gh.zip
+ #+END_SRC
+
+ - local db build:
+ #+BEGIN_SRC sh
+ cd ~/work-gh/codeql-lab/extern/duckdb
+ # follow https://duckdb.org/docs/stable/dev/building/macos
+ brew install git cmake ninja
+
+ # edit makefile to speed up build:
+ '
+ release: ${EXTENSION_CONFIG_STEP}
+ mkdir -p ./build/release && \
+ cd build/release && \
+ cmake $(GENERATOR) $(FORCE_COLOR) ${WARNINGS_AS_ERRORS} ${FORCE_WARN_UNUSED_FLAG} ${FORCE_32_BIT_FLAG} ${DISABLE_UNITY_FLAG} ${DISABLE_SANITIZER_FLAG} ${STATIC_LIBCPP} ${CMAKE_VARS} ${CMAKE_VARS_BUILD} -DCMAKE_BUILD_TYPE=Release ../..
+
+ rbuild: release
+ cd build/release && cmake --build . --config Release -j10
+ '
+
+ codeql database create --language=cpp -s . -j 10 -v \
+ duckdb-db \
+ --command='make rbuild'
+ #+END_SRC
+
diff --git a/codeql-duckdb/codeql-pack.lock.yml b/codeql-duckdb/codeql-pack.lock.yml
new file mode 100644
index 0000000..5300427
--- /dev/null
+++ b/codeql-duckdb/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
diff --git a/codeql-duckdb/example.ql b/codeql-duckdb/example.ql
new file mode 100644
index 0000000..1ea60a7
--- /dev/null
+++ b/codeql-duckdb/example.ql
@@ -0,0 +1,12 @@
+/**
+ * @name Empty block
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/example/empty-block
+ */
+
+import cpp
+
+from BlockStmt b
+where b.getNumStmt() = 0
+select b, "This is an empty block."
diff --git a/codeql-duckdb/qlpack.yml b/codeql-duckdb/qlpack.yml
new file mode 100644
index 0000000..ea79011
--- /dev/null
+++ b/codeql-duckdb/qlpack.yml
@@ -0,0 +1,6 @@
+name: getting-started/codeql-duckdb
+version: 0.0.0
+dependencies:
+ # This uses the latest version of the codeql/cpp-all library.
+ # You may want to change to a more precise semver string.
+ codeql/cpp-all: "*"
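Review bot: The metadata block in codeql-duckdb/example.ql has no `@description`, so the result listing shows only the name "Empty block" with no statement of what is reported or why. I would add a line such as `* @description Finds block statements that contain no statements.` under `@name`. The `where` clause matches every `BlockStmt` with zero statements, which presumably includes intentionally empty function and constructor bodies; if the query is meant to be triaged on a codebase of this size, a one-line comment saying that it is a starter example and not a tuned check would save a reader from treating its output as findings.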
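Review bot: In codeql-duckdb/qlpack.yml the dependency `codeql/cpp-all: "*"` accepts any published version, and the codeql-pack.lock.yml added in the same commit records `dependencies: {}`, so nothing in the repository fixes which library version the queries are compiled against. Results can then differ between machines and over time, and a new upstream release is picked up without review. I would replace the wildcard with a bounded range, e.g. `codeql/cpp-all: "<pinned-semver-range>"`, then run `codeql pack install` and commit the regenerated lock file so the resolved version is recorded.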