-
-
Notifications
You must be signed in to change notification settings - Fork 778
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ER: Create documentation for reviewing CodeQL PRs #6904
Comments
Hi @elliot-d-kim. Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing:
NOTE: Please ignore this comment if you do not have 'write' access to this directory. To add a label, take a look at Github's documentation here. Also, don't forget to remove the "missing labels" afterwards. After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization. Additional Resources: |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
@elliot-d-kim you raised a good point in this ER. My assumption had been that if CodeQL did not raise any alerts/annotations in the Pull Request process, we could be assured that the updated code would resolve the alert. Do we understand why that would not be the case? I too have seen instances where CodeQL seems to have failed to flag an issue and I would like to understand more about why that happens. We do still have instances of liquid/YAML code in many files, which is not supported by CodeQL so I'm wondering if that might be the cause of CodQL odd behavior. |
@elliot-d-kim - Roslyn left you a message on this issue #6904 (comment) |
Hi @elliot-d-kim, thank you for taking up this issue! Hfla appreciates you :) Do let fellow developers know about your:- You're awesome! P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :) |
Emergent Requirement - Problem
When reviewing PRs that are supposed to resolve CodeQL alerts, there is a lack of documentation on how to verify that the code changes resolve the alert. This expends developer resources and may allow improper code reviews.
Issue you discovered this emergent requirement in
Date discovered
4/19/24
Did you have to do something temporarily
Who was involved
@gaylem, @t-will-gillis, @marioantonini, @Dartis4
What happens if this is not addressed
Resources
hackforla
's testing framework, which may resolve this issue as an aside. However, this appears to be far from implementation and deployment at this time.Recommended Action Items
Potential solutions [draft]
Verify that the code changes flip the target CodeQL alert from 'Open' to 'Fixed'
a. Navigate to personal fork remote repo
b. From fork, create new branch according to following naming scheme:
contributorUsername-issueBranchName
. This is to match the name of the branch created later in Step 2a.c. Set issue branch as default: Settings > General > Default branch > Switch > select newly created issue branch
d. Run workflow from branch: Actions > CodeQL Scan > Run workflow > Use workflow from 'Branch: [name of the branch]' > Run workflow
e. Find target alert: Security > Code scanning > (use filters/details like filename to find the same alert)
hackforla
repo and personal forkEG: Before code changes applied: note 'Open' label
a. Create branch locally and pull proposed code changes from PR (refer to commandline instructions in Step 3 of 'How to Review Pull Requests')
b. Modify
.github/workflow/codeql.yml
: Underon:
>push:
, setbranches: ['name of the branch']
c. git add, commit, push. This should push the code changes to the branch that was previously created in Step 1, making the two branches one.
d. At this point, a new workflow run should be queued to be run. Check under Actions > CodeQL Scan
e. Once workflow finishes, check that the CodeQL alert has been closed: Security > Code scanning > Closed
EG: After code changes applied: note 'Fixed' label
Other common problems encountered when reviewing CodeQL PRs
Great documentation exists for the following, but contributors would benefit from this documentation being more obviously accessible
hackforla
repo (Tip 6 from Hack for LA's GitHub Actions)hackforla
's) are being sunsetted and duplication is no longer possible until the project is migrated to the new Projects format.The text was updated successfully, but these errors were encountered: