From b23c364fc013c391822c9ff7c2eaf54037230cf2 Mon Sep 17 00:00:00 2001
From: Ben Meadors
Date: Tue, 15 Nov 2022 16:22:53 -0600
Subject: [PATCH 1/7] Test it this way
---
 variants/rak11200/variant.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/variants/rak11200/variant.h b/variants/rak11200/variant.h
index 4a8bf0a57..569f8f9de 100644
--- a/variants/rak11200/variant.h
+++ b/variants/rak11200/variant.h
@@ -79,6 +79,5 @@ static const uint8_t SCK = 33;
 #define SX126X_DIO1 LORA_DIO1
 #define SX126X_BUSY LORA_DIO2
 #define SX126X_RESET LORA_RESET
-#define SX126X_TXEN RADIOLIB_NC
-#define SX126X_RXEN WB_IO3
+#define SX126X_POWER_EN WB_IO3
 #define SX126X_E22 // DIO2 controlls an antenna switch and the TCXO voltage is controlled by DIO3
From 681ea420c1a4811b551c2d5ee9ab202d308957be Mon Sep 17 00:00:00 2001
From: Dmitry Galenko
Date: Sun, 20 Nov 2022 10:53:11 +0100
Subject: [PATCH 2/7] Implement automatic static code scan with Semgrep
---
 .github/workflows/sast_semgrep_full.yml | 44 +++++++++++++++++++++++++
 .github/workflows/sast_semgrep_pull.yml | 28 ++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 .github/workflows/sast_semgrep_full.yml
 create mode 100644 .github/workflows/sast_semgrep_pull.yml
diff --git a/.github/workflows/sast_semgrep_full.yml b/.github/workflows/sast_semgrep_full.yml
new file mode 100644
index 000000000..f59424b5f
--- /dev/null
+++ b/.github/workflows/sast_semgrep_full.yml
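Review bot: The new `#define SX126X_POWER_EN WB_IO3` carries no comment on what WB_IO3 now gates, while the `SX126X_E22` line right below documents the DIO2/DIO3 roles and the subject `Test it this way` gives no rationale either. Judging from the two removed lines, WB_IO3 moved from an RX-enable role to a power-enable role; if that is the intent, say so in place, e.g. `#define SX126X_POWER_EN WB_IO3 // WB_IO3 switches the radio supply, not RX-enable; TX/RX switching is on-module (see SX126X_E22)`, and confirm the wording against the radio driver. Since both `SX126X_TXEN` and `SX126X_RXEN` disappear, it is also worth checking that the driver tolerates a variant with neither defined rather than assuming `RADIOLIB_NC`; that consuming code is outside this hunk.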
@@ -0,0 +1,44 @@ +--- +name: Semgrep Full Scan + +on: + workflow_dispatch: + branches: + - main + schedule: + - cron: '0 1 * * 6' + +jobs: + + semgrep-full: + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + + steps: + + # step 1 + - name: clone application source code + uses: actions/checkout@v3 + + # step 2 + - name: full scan + run: | + semgrep \ + --sarif --output report.sarif \ + --metrics=off \ + --config="p/default" + + # step 3 + - name: save report as pipeline artifact + uses: actions/upload-artifact@v3 + with: + name: report.sarif + path: report.sarif + + # step 4 + - name: publish code scanning alerts + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: report.sarif + category: semgrep diff --git a/.github/workflows/sast_semgrep_pull.yml b/.github/workflows/sast_semgrep_pull.yml new file mode 100644 index 000000000..8fe3632b4 --- /dev/null +++ b/.github/workflows/sast_semgrep_pull.yml @@ -0,0 +1,28 @@ +--- +name: Semgrep Differential Scan +on: + pull_request + +jobs: + + semgrep-diff: + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + + steps: + + # step 1 + - name: clone application source code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + # step 2 + - name: differential scan + run: | + semgrep scan \ + --error \ + --metrics=off \ + --baseline-commit ${{ github.event.pull_request.base.sha }} \ + --config="p/default" From 08c69c09c824419b35105eea1f769adcb3e7f974 Mon Sep 17 00:00:00 2001 From: Dmitry Galenko Date: Sun, 20 Nov 2022 11:58:15 +0100 Subject: [PATCH 3/7] Fix branch name --- .github/workflows/sast_semgrep_full.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sast_semgrep_full.yml b/.github/workflows/sast_semgrep_full.yml index f59424b5f..426250280 100644 --- a/.github/workflows/sast_semgrep_full.yml +++ b/.github/workflows/sast_semgrep_full.yml 
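Review bot: There is no `permissions:` block, so the `upload-sarif` step runs with whatever the repository's default `GITHUB_TOKEN` scopes are, which on many repositories is write access everywhere; the job needs only `permissions:` / `contents: read` / `security-events: write`, and declaring that at workflow level keeps the scanner's token to least privilege. Everything that executes here also floats: `returntocorp/semgrep` has no tag (so `latest`), and `actions/checkout@v3`, `actions/upload-artifact@v3` and `github/codeql-action/upload-sarif@v2` are movable tags, so a retagged image or action changes what code handles that token without any commit in this repository; pin the image to a `@sha256:` digest and the actions to full commit SHAs with the version in a trailing comment. `p/default` is fetched at run time as well, so weekly results can differ between runs for reasons unrelated to this code — a one-line comment above `--config` saying so will save triage time.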
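Review bot: `--error` makes the differential scan a blocking check, yet the two things that decide its verdict float: the `returntocorp/semgrep` image is untagged (`latest`) and `p/default` is fetched at run time, so a pull request can turn red, or green, with no change in this repository; pin the image to a `@sha256:` digest and note the semgrep version in a comment so a failure can be reproduced locally. Nothing here writes back, so add `permissions:` / `contents: read` at the top to shed the default token scopes. Inlining `${{ github.event.pull_request.base.sha }}` into `run:` is acceptable only because that field is a commit hash supplied by GitHub rather than PR-author text; a short comment such as `# base.sha is GitHub-supplied, not attacker-controlled; safe to interpolate` records why this expression is exempt from the usual pass-it-through-env rule.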
@@ -4,7 +4,7 @@ name: Semgrep Full Scan on: workflow_dispatch: branches: - - main + - master schedule: - cron: '0 1 * * 6' From 42957207700cfae6770ec260698bc5743413ac10 Mon Sep 17 00:00:00 2001 From: Dmitry Galenko Date: Sun, 20 Nov 2022 13:50:38 +0100 Subject: [PATCH 4/7] Add flawfinder for cover C++ codebase --- .github/workflows/sast_flawfinder_full.yml | 40 ++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/sast_flawfinder_full.yml diff --git a/.github/workflows/sast_flawfinder_full.yml b/.github/workflows/sast_flawfinder_full.yml new file mode 100644 index 000000000..a6337ffa6 --- /dev/null +++ b/.github/workflows/sast_flawfinder_full.yml @@ -0,0 +1,40 @@ +--- +name: Flawfinder Full Scan + +on: + workflow_dispatch: + branches: + - master + schedule: + - cron: '0 1 * * 6' + +jobs: + flawfinder: + runs-on: ubuntu-latest + name: Flawfinder + + steps: + # step 1 + - name: clone application source code + uses: actions/checkout@v3 + + # step 2 + - name: flawfinder_scan + uses: david-a-wheeler/flawfinder@2.0.19 + with: + arguments: '--sarif ./' + output: 'flawfinder_report.sarif' + + # step 3 + - name: save report as pipeline artifact + uses: actions/upload-artifact@v3 + with: + name: flawfinder_report.sarif + path: flawfinder_report.sarif + + # step 4 + - name: publish code scanning alerts + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: flawfinder_report.sarif + category: flawfinder From 9b43e4911651b7b65b9569e1856e2604fa26c31d Mon Sep 17 00:00:00 2001 From: Dmitry Galenko Date: Sun, 20 Nov 2022 16:14:32 +0100 Subject: [PATCH 5/7] Ignore upstream defect --- .semgrepignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.semgrepignore b/.semgrepignore index 6ae867e8b..10fcb5f75 100644 --- a/.semgrepignore +++ b/.semgrepignore @@ -1 +1,2 @@ .github/workflows/main_matrix.yml +src/mesh/compression/unishox2.c From b95103cab0692f205c66d9f5b6685d6bad9f32a1 Mon Sep 17 00:00:00 2001 
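Review bot: Switching `main` to `master` does not give `workflow_dispatch:` a branch filter: that event accepts only `inputs`, and the ref is chosen at dispatch time, so the `branches:` list under it is at best ignored and may be flagged by GitHub's workflow validator as an unexpected key. Drop the two lines `branches:` / `- master` and leave a bare `workflow_dispatch:`; the `schedule:` trigger below already runs against the default branch, so no branch selection is lost.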
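Review bot: As written, the job has no `permissions:` block, so `upload-sarif` runs with the default `GITHUB_TOKEN` scopes rather than the two it needs; add `permissions:` / `contents: read` / `security-events: write` at workflow level. `david-a-wheeler/flawfinder@2.0.19` is a git tag, which the owner can move, so for a third-party action that sees the token pin the full commit SHA and keep `# v2.0.19` as a trailing comment. The `branches:` list under `workflow_dispatch:` is not a key that event accepts and restricts nothing. `--sarif ./` also scans the whole checkout, and flawfinder does not read `.semgrepignore`, so any vendored file excluded from Semgrep elsewhere in this series will still be reported here unless it is excluded by path in `arguments`.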
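Review bot: Adding `src/mesh/compression/unishox2.c` to `.semgrepignore` silences every current and future rule for the whole file, not just the upstream defect the subject mentions, and nothing in the file records why. `.semgrepignore` accepts `#` comments, so at minimum write one above the path, e.g. `# vendored unishox2; upstream finding <rule-id>, see <issue URL>`. Preferably keep the file under scan and suppress only the flagged line with `// nosemgrep: <rule-id>` so a new finding in that vendored code still surfaces when it is next updated.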
From: Dmitry Galenko Date: Sun, 20 Nov 2022 16:16:04 +0100 Subject: [PATCH 6/7] Run flawfinder only on push to specific branch --- .github/workflows/sast_flawfinder_full.yml | 12 ++++++------ .github/workflows/sast_flawfinder_pull.yml | 0 2 files changed, 6 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/sast_flawfinder_pull.yml diff --git a/.github/workflows/sast_flawfinder_full.yml b/.github/workflows/sast_flawfinder_full.yml index a6337ffa6..e2ba44090 100644 --- a/.github/workflows/sast_flawfinder_full.yml +++ b/.github/workflows/sast_flawfinder_full.yml @@ -1,12 +1,12 @@ --- -name: Flawfinder Full Scan +name: Flawfinder Scan on: - workflow_dispatch: - branches: - - master - schedule: - - cron: '0 1 * * 6' + push: + branches: [master, develop] + paths-ignore: + - "**.md" + - "version.properties" jobs: flawfinder: diff --git a/.github/workflows/sast_flawfinder_pull.yml b/.github/workflows/sast_flawfinder_pull.yml new file mode 100644 index 000000000..e69de29bb From e54e37a6001bd65eb670645f17c2e3f6ebd53c83 Mon Sep 17 00:00:00 2001 From: Dmitry Galenko Date: Sun, 20 Nov 2022 16:17:58 +0100 Subject: [PATCH 7/7] Rename security workflows to sec_* --- .../{sast_flawfinder_full.yml => sec_sast_flawfinder.yml} | 0 .../{sast_flawfinder_pull.yml => sec_sast_flawfinder_pull.yml} | 0 .../{sast_semgrep_full.yml => sec_sast_semgrep_cron.yml} | 0 .../{sast_semgrep_pull.yml => sec_sast_semgrep_pull.yml} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{sast_flawfinder_full.yml => sec_sast_flawfinder.yml} (100%) rename .github/workflows/{sast_flawfinder_pull.yml => sec_sast_flawfinder_pull.yml} (100%) rename .github/workflows/{sast_semgrep_full.yml => sec_sast_semgrep_cron.yml} (100%) rename .github/workflows/{sast_semgrep_pull.yml => sec_sast_semgrep_pull.yml} (100%) 
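Review bot: Replacing `workflow_dispatch:` and `schedule:` with `push:` means flawfinder now runs only when `master` or `develop` receives a commit, so nothing re-scans after a flawfinder release or on demand; keep `push:` but add back `schedule:` and a bare `workflow_dispatch:` beside it. The same patch creates `.github/workflows/sast_flawfinder_pull.yml` as an empty file (blob `e69de29bb`, zero lines in the diffstat); GitHub Actions reports a workflow file with no `on:` as invalid, so either give it content or drop it from the series.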
diff --git a/.github/workflows/sast_flawfinder_full.yml b/.github/workflows/sec_sast_flawfinder.yml similarity index 100% rename from .github/workflows/sast_flawfinder_full.yml rename to .github/workflows/sec_sast_flawfinder.yml diff --git a/.github/workflows/sast_flawfinder_pull.yml b/.github/workflows/sec_sast_flawfinder_pull.yml similarity index 100% rename from .github/workflows/sast_flawfinder_pull.yml rename to .github/workflows/sec_sast_flawfinder_pull.yml diff --git a/.github/workflows/sast_semgrep_full.yml b/.github/workflows/sec_sast_semgrep_cron.yml similarity index 100% rename from .github/workflows/sast_semgrep_full.yml rename to .github/workflows/sec_sast_semgrep_cron.yml diff --git a/.github/workflows/sast_semgrep_pull.yml b/.github/workflows/sec_sast_semgrep_pull.yml similarity index 100% rename from .github/workflows/sast_semgrep_pull.yml rename to .github/workflows/sec_sast_semgrep_pull.yml