GitHub CodeQL (formerly Semmle LGTM)
CodeQL
https://codeql.github.com/
Building blocks for scalable product security
https://www.youtube.com/watch?v=nY991AhhATw
Finding non-intuitive string manipulation vulnerabilities in C code
https://www.twitch.tv/videos/672848979
Welcoming Semmle to GitHub
https://github.blog/2019-09-18-github-welcomes-semmle/
Code scanning is now available!
https://github.blog/2020-09-30-code-sca ... available/
The next step for LGTM.com: GitHub code scanning!
https://github.blog/2022-08-15-the-next ... -scanning/
Make Memcpy Safe Again: CodeQL
https://www.cyberark.com/resources/thre ... ain-codeql
CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research
https://github.blog/2023-03-31-codeql-z ... -research/
CodeQL zero to hero part 2: getting started with CodeQL
https://github.blog/2023-06-15-codeql-z ... th-codeql/
ICYMI: improved C++ vulnerability coverage and CodeQL support for Lombok
https://github.blog/2023-10-19-icymi-im ... or-lombok/
Security best practices for authors of GitHub Actions
https://github.blog/2023-11-16-security ... b-actions/
Addressing post-quantum cryptography with CodeQL
https://github.blog/2023-12-05-addressi ... th-codeql/
Found means fixed: Introducing code scanning autofix, powered by GitHub Copilot and CodeQL
https://github.blog/2024-03-20-found-me ... nd-codeql/
Publishing Trail of Bits’ CodeQL queries
https://blog.trailofbits.com/2023/12/06 ... l-queries/
https://appsec.guide/docs/static-analysis/codeql/
https://github.com/trailofbits/codeql-queries
A general post about the security and code quality tools https://forum.freecadweb.org/viewtopic. ... 02#p274069
Last edited by saso on Thu Mar 21, 2024 5:55 pm, edited 26 times in total.
Re: Code quality checker
I did a spot check and it looks really good!
@bernd: you might be interested to take a look at it. (<-- does that @ work as expected?)
Re: Code quality checker
Not that i know of
Works (Don't forget the user ID).
Code:
[quote=bernd user_id=2069]
ping
[/quote]
bernd wrote: ping
Re: Code quality checker
Had a look at this, it finds some problems which are not found by pep8. It's great
https://lgtm.com/projects/g/FreeCAD/Fre ... de=heatmap
Re: Code quality checker
It seems possible to exclude files from analysis ... https://lgtm.com/help/lgtm/customizing- ... sification
This would make sense for the following file: https://github.com/FreeCAD/FreeCAD/blob ... sign.py#L1
It's autogenerated and has 881 alerts!!! https://lgtm.com/projects/g/FreeCAD/Fre ... de=heatmap
Re: Code quality checker
I will look into it when I try to make it work for C++
Re: Code quality checker
somehow lgtm is missing files in FEM ...
Re: Code quality checker
Great, this is what these tools are for... There are a few FEM related issues reported also in Coverity, if you maybe want to kill some more bugs
Check the three posts I made here for some basic help on how to use it https://forum.freecadweb.org/viewtopic. ... 30#p210644
There is a "show excluded files" checkbox at the top with some more information about this.
Re: Code quality checker
ahh, ok. Would you move these files out of excluded files? They should be analysed as any other file in FEM.