-
-
Notifications
You must be signed in to change notification settings - Fork 777
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
codeql-implementation #4886
codeql-implementation #4886
Conversation
Want to review this pull request? Take a look at this documentation for a step by step guide! From your project repository, check out a new branch and test the changes.
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Hi @SAUMILDHANKAR I'm looking at the log of the scan at https://github.com/hackforla/website/actions/runs/5384746526/jobs/9773025851 and I had a few questions. It looks like it scanned all of our JS files (270 files) and found 6 errors and 6 warnings. How can we see the errors and warnings? If there is an error in a scan triggered by a push or PR, would you expect GitHub to display the errors in the same manner it displays the results of other checks, or do we have to go to the Security settings? Would merging be prevented until errors are resolved? |
Hi @roslynwythe thanks for taking a look at this PR. Please use the following link to see all the notifications that would be generated once this PR is merged: https://github.com/hackforla/website/security/code-scanning?query=pr%3A4886+is%3Aopen. I see 57 notifications for the website repo. Once merged, best place to view the results would be under the security tab, though one can also look at the logs of a workflow run. It is similar to other checks and will only fail if the severity level is critical or high. None of the 57 notifications that have been generated so far have this severity level, therefore the check for this PR passed. Similarly, merging will be blocked only for severity level critical or high. Also, we can change the settings if we want merging to be not blocked at all. Please see the image below for the different options that would be available in website repo after merging this PR: |
Thank you @SAUMILDHANKAR that was very useful information. The Security tab doesn't show any scan information so it sounds like it only reflects the scheduled scans performed on the default branch, not scans triggered by PRs. Is that correct? And I didn't see any details about the errors/warnings in the logs; please show me where to find those. |
@roslynwythe Thank you. You are correct, security tab won't display information about unmerged PR scans. It will display the results of weekly workflow run. The workflow run that happened with this PR was successful, so no errors reported in the logs. However, if there is an error, there would be a cross on one of the steps in the workflow run (part of the link that you shared) and we can expand using the dropdowns to learn more. |
Unbelievable, but I posted these questions on #2400 instead of here. Hi @SAUMILDHANKAR thanks so much for your extensive work on this issue. There is a lot of info here to digest and I apologize if I am asking questions that you have already answered, but just to confirm- the current implementation will scan all of the js files in the website repo and generate in this case the 57 notifications that we could address one by one. Then it is also scanning future PRs, correct? You indicate that it will block merging for critical or high security issues- for the others I assume it would flag the issues so they could be addressed before merging? Side discussion: As a group, do we need to decide which “Protection rules” to use, i.e. what “Security” level and “Errors, Warnings, or Any”- or for now do we go with the defaults? Lastly, the 3 linked comments I believe refer to custom queries you wrote for scanning yaml and liquid code. Would these scans run at the same time as scans for the js files? Thank you again- this is going to be very useful when it is up and running |
@SAUMILDHANKAR @t-will-gillis I agree that we should not block merging on Medium level alerts but when reviewing a PR, I wish I could see the details of all of the alerts pertaining to the PR in the GitHub checks area, because they would be useful for identifying code quality issues, and of course we want to resolve those prior to merge. But if I understand you correctly, we will not see those Medium or Warning or Note level alerts until after merge. Looking over the alerts, it appears that the scanner was interpreting liquid elements as js. This happened with the triple dashed lines ending the front matter (see alert#31 https://github.com/hackforla/website/security/code-scanning/31) and also with the characters Also could you explain the "Extraction Errors" and "Could not process some files due to syntax errors" (circled) |
Hi @t-will-gillis, thanks for reviewing this PR.
|
Update: In my own repo, I dismissed one of the syntax errors as a false positive and in subsequent workflow runs, the alert is permanently marked as closed. So, this can be one of the ways to address alerts which we do not want to resolve or make an issue of. |
Hi @SAUMILDHANKAR it sounds like once this PR is merged, we will need to create some new issues.
in order to view the alerts that will be added as a result of merging the PR
Could you explain how we look at all the queries in the CodeQL repo? Are 'queries' equivalent to 'alerts' in this context? Are you saying that we could increase the severity level assigned to a particular alert? Or just that we could decide to change the level at which merge is blocked? Please advise if this sounds correct and if you would be willing to write any of these issues. |
Hi @roslynwythe, thanks for creating an outline for the issues. The first two issues that you mentioned look ready. For the third issue, I would like to add the following:
I am happy to write these issues. Please suggest if I should wait till this review is complete. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @SAUMILDHANKAR Fantastic work on this issue. I know that you and @roslynwythe are still discussing details, and I am happy to give my thoughts on any of the questions about implementation settings and future functionalities. In the meantime, I will submit my approval.
Thanks again!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @SAUMILDHANKAR for a great job on this PR and demo, and for your patience and clarity answering our questions.
I recommend that you write 3 ER (Emergent Requirement) issues which state the requirements we have identified, and briefly propose an issue(s) to address each requirement. Then, PM can advise how to structure the issues so that we don't waste any time or effort. Bonnie might want to split up the first one into multiple issues, and before writing an issue to dive into the CodeQL queries, she might want a DR (Decision Record) about whether we need to make any changes in the severity or blocking levels. When each ER is ready please add the 'ready for dev lead' label and comment mention me so I can help get PM approval. Thank you again for your valuable contributions.
@t-will-gillis @roslynwythe Thanks a lot for all your help with the issue and the PR. Your feedback helped me understand CodeQL workflow in more detail. Really appreciate your approval as well. @roslynwythe Thanks for sharing information about ER issues. Planning to work on this over the weekend. Will add a comment mention when the ER is ready for review as suggested. |
@SAUMILDHANKAR I would like to discuss the ER for reviewing the CodeQL security alerts with you, but I cannot find your Slack contact information or email. We need to expedite the creation of this particular issue, so please advise re: your progress. |
@roslynwythe Sorry for the delay. I was planning to work on this yesterday but got delayed. I just read through the issue that you created, and it looks good. Please let me know if you would still like to discuss anything. I will leave a message on slack as well. |
Fixes #2400
What changes did you make?
security and quality
query to the default workflow.Why did you make the changes (we will use this info to test)?
Screenshots of Proposed Changes Of The Website (if any, please do not screen shot code changes)