testing fixes for CodeQL (#4198)

Timothy Mothra · web-flow · commit d7f8764ad4d8 · 2025-05-12T21:07:00.000Z
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
@@ -2,11 +2,16 @@ name: CodeQL (daily)
 
 on:
   schedule:
-    - cron: '30 1 * * *'
+    - cron: '30 1 * * *' # run daily at 1:30 AM UTC
   workflow_dispatch:
+  push:
+    branches:
+      - '**'
 
 jobs:
-  analyze:
+  # ===== Java Analysis Job =====
+  analyze-java:
+    name: "Analyze Java Code"
     permissions:
       actions: read  # for github/codeql-action/init to get workflow details
       security-events: write  # for github/codeql-action/analyze to upload SARIF results
@@ -21,27 +26,114 @@ jobs:
           distribution: temurin
           java-version: 17
 
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: java, c-cpp
+          languages: java
+
+      - name: Build Java code
+        # skipping build cache is needed so that all modules will be analyzed
+        run: ./gradlew assemble --no-build-cache
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: java
+
+  # ===== C++ Analysis Job =====
+  analyze-cpp:
+    name: "Analyze C++ Code"
+    permissions:
+      actions: read
+      security-events: write
+    runs-on: windows-latest
+    
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Java 17 (required for JNI compilation)
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Setup Visual Studio Build Tools
+        uses: microsoft/setup-msbuild@v1
+      
+      # This step uses Microsoft's vswhere tool to verify that the official Windows 10 SDK (version 19041) is installed.
+      # vswhere is a Microsoft-provided command-line utility that locates Visual Studio installations and their components.
+      - name: Verify Windows SDK installation
+        run: |
+          & "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe" -products * -requires Microsoft.VisualStudio.Component.Windows10SDK.19041 -property installationPath
+        shell: pwsh
 
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 
-      - name: Assemble
-        # skipping build cache is needed so that all modules will be analyzed
-        run: ./gradlew assemble --no-build-cache
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: cpp
+          debug: true
+
+      - name: Build C++ code
+        shell: cmd
+        run: |
+          "%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe" -latest -products * -requires Microsoft.VisualStudio.Component.VC.Tools.x86.x64 -property installationPath > vs.txt
+          set /p VSPATH=<vs.txt
+          set VCVARS=%VSPATH%\VC\Auxiliary\Build\vcvars64.bat
+          call "%VCVARS%"
+          set APPINSIGHTS_WIN10_SDK_PATH=C:\Program Files (x86)\Windows Kits\10
+          set APPINSIGHTS_VS_PATH=%VSPATH%
+          set JAVA_HOME=%JAVA_HOME_17_X64%
+          set sourceDir=etw/native/src/main/cpp
+          set headerDir=etw/native/src/main/headers
+          set cppFile=%sourceDir%/etw_provider.cpp
+          echo Analyzing C++ file: %cppFile%
+          echo [ > compile_commands.json
+          echo   { >> compile_commands.json
+          echo     "directory": "%CD%/%sourceDir%", >> compile_commands.json
+          echo     "command": "cl.exe /W4 /EHsc /sdl /std:c++14 /I\"%APPINSIGHTS_WIN10_SDK_PATH%/include/10.0.22621.0/um\" /I\"%JAVA_HOME%/include\" /I\"%JAVA_HOME%/include/win32\" /I\"%CD%/%headerDir%\" /c %cppFile%", >> compile_commands.json
+          echo     "file": "%cppFile%" >> compile_commands.json
+          echo   } >> compile_commands.json
+          echo ] >> compile_commands.json
+          echo // Simple file to ensure compiler is run > codeql_trigger.cpp
+          echo #include ^<windows.h^> >> codeql_trigger.cpp
+          echo #include ^<jni.h^> >> codeql_trigger.cpp
+          echo #include "etw_provider.h" >> codeql_trigger.cpp
+          echo int main() { return 0; } >> codeql_trigger.cpp
+          dir %sourceDir% /s /b *.cpp
+          dir %headerDir% /s /b *.h
+          cl.exe /c codeql_trigger.cpp /I"%headerDir%" /I"%sourceDir%" /I"%JAVA_HOME%/include" /I"%JAVA_HOME%/include/win32" /EHsc
+          if %errorlevel%==0 (
+            echo C++ preparation completed successfully
+            echo CPP_BUILD_SUCCEEDED=true>>%GITHUB_ENV%
+          ) else (
+            echo Warning: C++ build step encountered an error
+            echo Proceeding with CodeQL analysis anyway
+            echo CPP_BUILD_SUCCEEDED=false>>%GITHUB_ENV%
+          )
 
       - name: Perform CodeQL analysis
         uses: github/codeql-action/analyze@v3
+        with:
+          category: cpp
+
+      - name: Report C++ build status
+        if: env.CPP_BUILD_SUCCEEDED == 'false'
+        run: |
+          echo "::warning::C++ build failed but CodeQL scan was attempted anyway. Some C++ issues may not be detected."
 
   scheduled-job-notification:
     permissions:
       issues: write
     needs:
-      - analyze
+      - analyze-java
+      - analyze-cpp
     if: always()
     uses: ./.github/workflows/reusable-scheduled-job-notification.yml
     with:
-      success: ${{ needs.analyze.result == 'success' }}
+      success: ${{ needs.analyze-java.result == 'success' && needs.analyze-cpp.result == 'success' }}
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,6 @@ build/
 
 # Intellij
 /.idea/
+
+# Visual Studio
+.vs
