Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CodeQL workflow #1641

Closed

Conversation

jorgectf
Copy link

@jorgectf jorgectf commented Jul 3, 2023

Hello from GitHub Security Lab!

Your repository is critical to the security of the Open Source Software (OSS) ecosystem, and as part of our mission to make OSS safer, we are contributing a CodeQL configuration for code scanning to your repository. By enabling code scanning with CodeQL, you will be able to continuously analyze your code and surface potential vulnerabilities before they can even reach your codebase.

We’ve tested the configuration manually before opening this pull request and adjusted it to the needs of your particular repository, but feel free to tweak it further! Check this page for detailed documentation.

Questions? Check out the FAQ below!

FAQ

Click here to expand the FAQ section

How often will the code scanning analysis run?

By default, code scanning will trigger a scan with the CodeQL engine on the following events:

  • On every pull request — to flag up potential security problems for you to investigate before merging a PR.
  • On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
  • Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

What will this cost?

Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

Where can I see the results of the analysis?

The results of the analysis will be available on the Security tab of your repository. You can find more information about the results here.

For Pull Requests, you can find the results of the analysis in the Checks tab. You can find more information about the Pull Request results here.

What types of problems does CodeQL find?

CodeQL queries are hosted in the github/codeql repository.

By default, code scanning runs the default query suite. The queries in the default query suite are highly precise and return few false positive code scanning results.

If you are looking for a more comprehensive analysis, which could return a greater number of false positives, you can enable the security-extended query suite in the queries option of github/codeql-action/init.

In the event of finding a false positive, please create a false positive Issue in github/codeql so we can investigate and improve the query in question. You can also contribute to the query by opening a pull request against github/codeql.

How do I customize the analysis?

You can customize the analysis by using a CodeQL configuration file. This way, you can specify which queries should [not] be run, and/or which files should be excluded from the analysis. You can find more information about the configuration file here.

How do I upgrade my CodeQL engine?

No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

The analysis doesn’t seem to be working

If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

Which source code hosting platforms does code scanning support?

GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@CendioOssman
Copy link
Member

Thanks. We experimented with this back in 2021, and unfortunately, we abandoned it because the overhead was just too large. The worst case was the Windows builds, which took over 20 minutes to complete.

Judging from the run here, it looks like things haven't improved, as 6 minutes for a Linux build was what we saw last time as well.

That's still shorter than the slowest other builds, though, so developers don't necessarily have to wait more for that in most cases.

So, I'm conflicted. Having CodeQL for everything still looks unfeasible. And it's still so much slower that we likely want to have a separate job, as suggested in this PR. Which means some duplication and associated maintenance burden. The question is if we get something useful back. Looking at the C++ list, it seems to be mostly false positives.

@bphinz, what do you think? It has a lot to say about the Java code. Anything useful?

@CendioOssman CendioOssman added the enhancement New feature or request label Jul 3, 2023
@bphinz
Copy link
Member

bphinz commented Jul 7, 2023

The analysis results seem to point to an expired S3 bucket

@CendioOssman
Copy link
Member

It seems to work for me. Are you using this link from the earlier comment:

https://github.com/TigerVNC/tigervnc/security/code-scanning?query=pr%3A1641+is%3Aopen

@bphinz
Copy link
Member

bphinz commented Jul 7, 2023

Thanks, that link worked. 99% of what's being flagged is actually in the bundled JSch lib, and then there are a couple of false findings. However there are some findings in our code that I would have to look into as they came in via a recent PR.

@CendioOssman
Copy link
Member

There doesn't seem to be much interest in moving forward with this, so I'll go ahead and close this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants