Merge pull request #13149 from issyl0/add-code-scanning-workflow

2022-04-18 19:49:38 +01:00 · 2022-04-18 19:49:38 +01:00 · baceee9d24
commit baceee9d24
parent 09e766f83c 6dd6758824
6 changed files with 47 additions and 14 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@ -0,0 +1,2 @@
+paths-ignore:
+  - Library/Homebrew/vendor/
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,31 @@
+name: "CodeQL"
+
+on:
+ push:
+   branches:
+     - master
+ pull_request:
+   branches:
+     - master
+
+jobs:
+ analyze:
+   name: Analyze
+   runs-on: ubuntu-latest
+   permissions:
+     actions: read
+     contents: read
+     security-events: write
+
+   steps:
+   - name: Checkout repository
+     uses: actions/checkout@v3
+
+   - name: Initialize CodeQL
+     uses: github/codeql-action/init@v2
+     with:
+       languages: ruby
+       config-file: ./.github/codeql/codeql-config.yml
+
+   - name: Perform CodeQL Analysis
+     uses: github/codeql-action/analyze@v2
--- a/Library/Homebrew/dev-cmd/bump-formula-pr.rb
+++ b/Library/Homebrew/dev-cmd/bump-formula-pr.rb
@ -383,13 +383,13 @@ module Homebrew

  def determine_mirror(url)
    case url
-    when %r{.*ftp.gnu.org/gnu.*}
+    when %r{.*ftp\.gnu\.org/gnu.*}
      url.sub "ftp.gnu.org/gnu", "ftpmirror.gnu.org"
-    when %r{.*download.savannah.gnu.org/*}
+    when %r{.*download\.savannah\.gnu\.org/*}
      url.sub "download.savannah.gnu.org", "download-mirror.savannah.gnu.org"
-    when %r{.*www.apache.org/dyn/closer.lua\?path=.*}
+    when %r{.*www\.apache\.org/dyn/closer\.lua\?path=.*}
      url.sub "www.apache.org/dyn/closer.lua?path=", "archive.apache.org/dist/"
-    when %r{.*mirrors.ocf.berkeley.edu/debian.*}
+    when %r{.*mirrors\.ocf\.berkeley\.edu/debian.*}
      url.sub "mirrors.ocf.berkeley.edu/debian", "mirrorservice.org/sites/ftp.debian.org/debian"
    end
  end
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@ -1404,18 +1404,18 @@ class DownloadStrategyDetector
    when %r{^https?://www\.apache\.org/dyn/closer\.cgi},
         %r{^https?://www\.apache\.org/dyn/closer\.lua}
      CurlApacheMirrorDownloadStrategy
-    when %r{^https?://(.+?\.)?googlecode\.com/svn},
+    when %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/svn},
         %r{^https?://svn\.},
         %r{^svn://},
         %r{^svn\+http://},
         %r{^http://svn\.apache\.org/repos/},
-         %r{^https?://(.+?\.)?sourceforge\.net/svnroot/}
+         %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/svnroot/}
      SubversionDownloadStrategy
    when %r{^cvs://}
      CVSDownloadStrategy
    when %r{^hg://},
-         %r{^https?://(.+?\.)?googlecode\.com/hg},
-         %r{^https?://(.+?\.)?sourceforge\.net/hgweb/}
+         %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/hg},
+         %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/hgweb/}
      MercurialDownloadStrategy
    when %r{^bzr://}
      BazaarDownloadStrategy
--- a/Library/Homebrew/rubocops/homepage.rb
+++ b/Library/Homebrew/rubocops/homepage.rb
@ -70,12 +70,12 @@ module RuboCop
          when
               # Check for http:// GitHub homepage URLs, https:// is preferred.
               # Note: only check homepages that are repo pages, not *.github.com hosts
-               %r{^http://github.com/},
+               %r{^http://github\.com/},
               %r{^http://[^/]*\.github\.io/},

               # Savannah has full SSL/TLS support but no auto-redirect.
               # Doesn't apply to the download URLs, only the homepage.
-               %r{^http://savannah.nongnu.org/},
+               %r{^http://savannah\.nongnu\.org/},

               %r{^http://[^/]*\.sourceforge\.io/},
               # There's an auto-redirect here, but this mistake is incredibly common too.
--- a/Library/Homebrew/rubocops/urls.rb
+++ b/Library/Homebrew/rubocops/urls.rb
@ -21,7 +21,7 @@ module RuboCop
          end

          # GNU URLs; doesn't apply to mirrors
-          gnu_pattern = %r{^(?:https?|ftp)://ftpmirror.gnu.org/(.*)}
+          gnu_pattern = %r{^(?:https?|ftp)://ftpmirror\.gnu\.org/(.*)}
          audit_urls(urls, gnu_pattern) do |match, url|
            problem "Please use \"https://ftp.gnu.org/gnu/#{match[1]}\" instead of #{url}."
          end
@ -177,7 +177,7 @@ module RuboCop
          end

          # Check for new-url Google Code download URLs, https:// is preferred
-          google_code_pattern = Regexp.union([%r{^http://.*\.googlecode\.com/files.*},
+          google_code_pattern = Regexp.union([%r{^http://[A-Za-z0-9\-.]*\.googlecode\.com/files.*},
                                              %r{^http://code\.google\.com/}])
          audit_urls(urls, google_code_pattern) do |_, url|
            problem "Please use https:// for #{url}"
@ -267,13 +267,13 @@ module RuboCop
          urls += mirrors

          # Check pypi URLs
-          pypi_pattern = %r{^https?://pypi.python.org/}
+          pypi_pattern = %r{^https?://pypi\.python\.org/}
          audit_urls(urls, pypi_pattern) do |_, url|
            problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)"
          end

          # Require long files.pythonhosted.org URLs
-          pythonhosted_pattern = %r{^https?://files.pythonhosted.org/packages/source/}
+          pythonhosted_pattern = %r{^https?://files\.pythonhosted\.org/packages/source/}
          audit_urls(urls, pythonhosted_pattern) do |_, url|
            problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)"
          end