Skip to content

feat(security): add code-scanning with CodeQL #3229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 27, 2021
Merged

feat(security): add code-scanning with CodeQL #3229

merged 3 commits into from
Apr 27, 2021

Conversation

jsjoeio
Copy link
Contributor

@jsjoeio jsjoeio commented Apr 26, 2021
edited
Loading

This PR adds code-scanning using CodeQL (by GitHub) to help automatically detect common vulnerability and coding errors.

Fixes #3176

@jsjoeio jsjoeio added the security Security related label Apr 26, 2021
@jsjoeio jsjoeio self-assigned this Apr 26, 2021
@jsjoeio jsjoeio force-pushed the jsjoeio/add-code-scanning branch 3 times, most recently from 24ff606 to 6e16ffe Compare April 26, 2021 22:29
@jsjoeio jsjoeio marked this pull request as ready for review April 26, 2021 22:31
@jsjoeio jsjoeio requested a review from a team as a code owner April 26, 2021 22:31
@jsjoeio jsjoeio added this to the v3.9.4 milestone Apr 26, 2021
@codecov
Copy link

codecov bot commented Apr 26, 2021
edited
Loading

Codecov Report

Merging #3229 (2bf0907) into main (01e001d) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #3229   +/-   ##
=======================================
  Coverage   46.90%   46.90%           
=======================================
  Files          23       23           
  Lines        1196     1196           
  Branches      237      237           
=======================================
  Hits          561      561           
  Misses        451      451           
  Partials      184      184

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 01e001d...2bf0907. Read the comment docs.

@jsjoeio jsjoeio changed the title security: add code-scanning with CodeQL feat(security): add code-scanning with CodeQL Apr 27, 2021
jawnsy
jawnsy approved these changes Apr 27, 2021
View reviewed changes
Copy link
Contributor

@jawnsy jawnsy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Excellent work Mr. Previte

.github/workflows/codeql-analysis.yml
# make bootstrap
# make release

- name: Perform CodeQL Analysis
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How are we going to handle the existing findings, are we going to fix things first, or merge and then reduce them gradually?

Looks pretty useful though!

image

Also seems like it might be a good idea to ignore code that we don't control (e.g. lib/vscode) if we can configure things that way

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably merge and reduce gradually. Seems like a solid approach.

Good idea on ignoring lib/vscode. I'll see if that's configurable

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jsjoeio Replying here so it's threaded

  • @jawnsy how did you know to go here for the Code scanning alerts?

I found it by clicking looking at the Actions result, then clicking "view all alerts" - super unintuitive lmao

image

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found this in the docs: Specifying Directories to Scan

It's unclear whether this needs to be in a custom codeql config file or if I can put it in the workflow file. I'm going to try adding to the workflow file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also opened follow-up issue: #3243

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And...there's my answer! I'll do it the proper way instead

image

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It worked! https://github.com/cdr/code-server/security/code-scanning?query=ref%3Arefs%2Fpull%2F3229%2Fmerge+tool%3ACodeQL

@jsjoeio
Copy link
Contributor Author

jsjoeio commented Apr 27, 2021
edited
Loading

P.S. - @jawnsy how did you know to go here for the Code scanning alerts?

My intuitive would have told me they show up here but that's not the case 🤷‍♂️

@jsjoeio jsjoeio force-pushed the jsjoeio/add-code-scanning branch from 6e16ffe to 0934acc Compare April 27, 2021 22:23
@jsjoeio jsjoeio force-pushed the jsjoeio/add-code-scanning branch from 2364f92 to 2bf0907 Compare April 27, 2021 22:38
@repo-ranger repo-ranger bot merged commit 9f7ceef into main Apr 27, 2021
@repo-ranger repo-ranger bot deleted the jsjoeio/add-code-scanning branch April 27, 2021 22:55
@jsjoeio jsjoeio added the chore Related to maintenance or clean up label May 14, 2021
@jsjoeio jsjoeio mentioned this pull request May 14, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jawnsy jawnsy jawnsy approved these changes

Assignees

@jsjoeio jsjoeio

Labels
chore Related to maintenance or clean up security Security related
Projects
None yet
Milestone
v3.10.0
Development

Successfully merging this pull request may close these issues.

Explore CodeQL or other static code analysis tools
2 participants
@jsjoeio @jawnsy