Create Issues for Analysis of CodeQL alerts #5060

Closed
5 of 16 tasks
roslynwythe opened this issue Jul 25, 2023 · 3 comments
Labels
  • Complexity: See issue making label (See the Issue Making label to understand the issue writing difficulty level)
  • Draft (Issue is still in the process of being created)
  • Feature: Code Alerts
  • Issue Making: Level 2 (Make issue(s) from an ER or Epic)
  • role: front end (Tasks for front end developers)
  • size: 1pt (Can be done in 4-6 hours)
Comments

roslynwythe (Member) commented Jul 25, 2023

Dependency

Analysis Issues

Overview

We need to create issues for the analysis of CodeQL alerts [1] so that information in the alerts can be used to improve the security and quality of the codebase.

Action Items

Resources/Instructions

Footnotes

  1. Code scanning results page

Josiah-O added this to the 02. Security milestone Jul 29, 2023
roslynwythe (Member Author) commented Oct 15, 2023

TEMPLATE: Resolve CodeQL Alert INSERT-ALERT-ID

Prerequisite

  1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our Getting Started page.
  2. Before you claim or start working on an issue, please make sure you have read our How to Contribute to Hack for LA Guide.

Overview

We need to analyze CodeQL query alert INSERT-ALERT-ID then either recommend dismissal of the alert or update the code to resolve the alert.

Action Items

  • DO NOT DISMISS ANY ALERTS. Dismissal of alerts should be done by dev leads only after review of the recommendation.
  • Browse to the link in the next Action Item and read the contents. Click "See More" to view Recommendations, Examples and References.
  • https://github.com/hackforla/website/security/code-scanning/INSERT-ALERT-ID
  • In a comment in this issue, add your analysis and recommendations. The recommendation can be one of the following: dismiss as test, dismiss as false positive, dismiss as won't fix, or update code. An example of a false positive is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as --- or {%.
  • If the recommendation is to dismiss the alert, apply the label ready for dev lead, then move the issue to Questions/In Review.
  • If the recommendation is to update code:
    • create an issue branch and proceed with the code update
    • test using Docker to ensure that there are no changes to any affected webpage(s)
    • proceed with a pull request in the usual manner

For merge team/dev lead

  • If recommendation to dismiss is approved, dismiss the alert with a comment, then close the issue as completed.
  • If recommendation to update code is approved, move the issue to "In Progress", remove the "ready for dev lead" label and notify the assignee to proceed.
  • In either case when this issue is closed please check off the dependency (under "Analysis Issues") in Create Issues for Analysis of CodeQL alerts #5060. If all analysis issues are closed, close Create Issues for Analysis of CodeQL alerts #5060 as completed.

Resources/Instructions
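A triage helper for the false-positive case the template describes: a CodeQL "syntax error" alert on a .js file whose flagged line is really Jekyll front matter (`---`) or a Liquid tag (`{% %}` / `{{ }}`). This is an added example, not code from this issue or the hackforla/website project; the two sample files are constructed, and the function names are this example's own.

```python
import re

# Constructed sample of a Jekyll-templated .js asset (front matter plus Liquid
# tags); not a file from the hackforla/website repository.
TEMPLATED_JS = """---
layout: null
---
{% assign pages = site.pages %}
const pageCount = {{ pages | size }};
console.log(pageCount);
"""

# Constructed sample with a genuine JavaScript error (unbalanced parenthesis).
PLAIN_JS = """const total = items.reduce((a, b) => a + b, 0;
console.log(total);
"""

# Front matter: a leading '---' line, optional content, closing '---' line.
FRONT_MATTER_RE = re.compile(r"\A---[ \t]*\r?\n(?:.*?\r?\n)?---[ \t]*(?:\r?\n|\Z)", re.S)
# Liquid tag {% ... %} or output marker {{ ... }}, possibly spanning lines.
LIQUID_RE = re.compile(r"\{%.*?%\}|\{\{.*?\}\}", re.S)


def front_matter_line_count(source: str) -> int:
    """Number of leading lines taken up by Jekyll front matter (0 if none)."""
    m = FRONT_MATTER_RE.match(source)
    return m.group(0).count("\n") if m else 0


def liquid_lines(source: str) -> set:
    """1-based line numbers on which a Liquid tag or output marker starts."""
    return {source.count("\n", 0, m.start()) + 1 for m in LIQUID_RE.finditer(source)}


def triage_syntax_alert(source: str, alert_line: int) -> str:
    """Classify a CodeQL syntax-error alert reported at alert_line of a .js file.

    The alert is a likely templating false positive when the flagged line sits
    inside front matter or carries a Liquid construct; otherwise the parser saw
    real JavaScript and the alert needs a human read of the code.
    """
    if alert_line <= front_matter_line_count(source):
        return "likely false positive: front matter"
    if alert_line in liquid_lines(source):
        return "likely false positive: liquid tag"
    return "needs review"


if __name__ == "__main__":
    for line in (1, 4, 5, 6):
        print(line, triage_syntax_alert(TEMPLATED_JS, line))
    print(1, triage_syntax_alert(PLAIN_JS, 1))
```

The result only supports the written recommendation in the analysis comment; under the template above, the dismissal itself remains a dev-lead decision.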

roslynwythe (Member Author) commented

  • This issue is no longer needed because all required issues will be created from Epic: Manage CodeQL deployment #5005. In most cases, we don't require separate issues for analysis and for resolving the alerts, rather the analysis and code fix will be completed in a single issue, with the exception of a few alert queries.
