Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CodeQL SAST #952

Merged
merged 7 commits into from
Aug 28, 2022
Merged

Add CodeQL SAST #952

merged 7 commits into from
Aug 28, 2022

Conversation

sashashura
Copy link
Contributor

CodeQL is the continuation LGTM. It integrates into GitHub Security tab and is more configurable. I have set it up to scan only for C++ issues.

@sashashura sashashura marked this pull request as ready for review August 23, 2022 22:02
seladb
seladb reviewed Aug 27, 2022
View reviewed changes
.github/workflows/codeql.yml Outdated Show resolved Hide resolved
.github/workflows/codeql.yml Show resolved Hide resolved
.github/workflows/codeql.yml Outdated
Comment on lines 19 to 20
actions: read
contents: read
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the documentation, this is only needed for private repos...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I don't follow. Permissions: at all or some specific right?

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the CodeQL Github Actions README file:

image

https://github.com/github/codeql-action#usage

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. I'll remove it.

.github/workflows/codeql.yml Outdated
Comment on lines 27 to 28
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can probably remove this comment?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It were just some hints for the future, but if you prefer clean code, sure.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, we can keep it 👍

.github/workflows/codeql.yml
Comment on lines +25 to +26
matrix:
language: [ 'cpp' ]
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is matrix needed here? there's only one language...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes it easier to add additional languages if one day you would like to scan python too for example.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we'll need to examine the python code because it's mostly for tests or configuration, but we can keep it as is

@seladb
Copy link
Owner

seladb commented Aug 28, 2022

@sashashura the build is failing because CodeQL check fail: Use of a broken or risky cryptographic algorithm in Packet++/src/SSLHandshake.cpp

These errors should be ignored because PcapPlusPlus uses these to parse SSL/TLS packets. However I'm not sure there is a way to suppress/ignore errors on specific lines as this issue says: github/codeql#9298 (comment)

Should we add paths-ignore for the entire file? 🤔

@sashashura
Copy link
Contributor Author

sashashura commented Aug 28, 2022
edited
Loading

Interesting behavior. From my experience all security issues found by a codeql.yml already merged in repository are placed in Security tab and are visible only to maintainers. It is easy to click a button and suppress specific warnings there if they are false.
While it makes sense to fail the check if changes from pull request introduce a potential security vulnerability, it is inconvenient to suppress them. I think it is better to not use it for pull requests and use it only as a scheduled check. I'll remove the trigger.

seladb
seladb approved these changes Aug 28, 2022
View reviewed changes
Copy link
Owner

@seladb seladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sashashura the next step would be to add a badge to README.md, and then let it run for some time. If CodeQL is stable and works as expected we can probably remove LGTM

@seladb seladb merged commit d7c2b30 into seladb:dev Aug 28, 2022
@sashashura sashashura mentioned this pull request Aug 29, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@seladb seladb seladb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sashashura @seladb