Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update codeql.yml to automatically create new CodeQL issues #6503

Merged
merged 109 commits into from
Apr 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
109 commits
Select commit Hold shift + click to select a range
082857c
Create Check for CodeQL alerts step in codeql.yml
gaylem Mar 22, 2024
abb26c4
Make create-codeql-issue folder with issue-body.md file
gaylem Mar 22, 2024
fa2b801
Change branch name for testing
gaylem Mar 22, 2024
1569ef5
Change branch back to gh-pages and token secrets back to GITHUB_TOKEN
gaylem Mar 22, 2024
c4aaeac
Fix issueBodyTemplatePath
gaylem Mar 22, 2024
044a2f7
Move create-codeql-issues folder into trigger-issue folder
gaylem Mar 22, 2024
a294d2d
Comment out error message for createIssueResponse
gaylem Mar 22, 2024
6ee50af
Merge branch 'gh-pages' into create-new-codeql-issues-5059
gaylem Mar 28, 2024
c83430f
Refactor codeql.yml and move scripts to separate js files
gaylem Mar 28, 2024
1f4a998
Create fetch-alerts.js
gaylem Mar 28, 2024
e16ac9c
Create check-existing-issues.js
gaylem Mar 28, 2024
6acc62f
Create create-new-issues.js
gaylem Mar 28, 2024
8bcf709
Replace branch and token for testing
gaylem Mar 28, 2024
c5e96c9
Move secrets to codeql.yml and pass as argument to functions
gaylem Mar 28, 2024
bd78d85
Require core in fetch-alerts.js and check-existing-issues.js
gaylem Mar 28, 2024
ef67e15
Remove require core and pass as argument to js files
gaylem Mar 28, 2024
c3e7e53
Swap core with setOutput
gaylem Mar 28, 2024
b85effb
Remove require core
gaylem Mar 28, 2024
f47a6bc
Remove core from setOutput invocation
gaylem Mar 28, 2024
60510cd
Add comma
gaylem Mar 28, 2024
c7499eb
Require in core and remove from arguments
gaylem Mar 28, 2024
e8ad404
Remove core require
gaylem Mar 28, 2024
7ac35fd
Remove return statements
gaylem Mar 28, 2024
b2d321d
Add console log for testing
gaylem Mar 28, 2024
f87b375
Add more console logs for testing
gaylem Mar 28, 2024
296cbb7
Add env to yml steps and use process.env in token
gaylem Mar 28, 2024
f440687
Require in core
gaylem Mar 28, 2024
5df8e54
Add Set up Node.js step to enable core
gaylem Mar 28, 2024
c91e01f
Add step to install actions/core module
gaylem Mar 28, 2024
36dfd2b
Declare alerts and alertId in yml file
gaylem Mar 28, 2024
a0fa86d
Add comma to headers in POST request
gaylem Mar 28, 2024
58a9429
Replace TEAMS with H4LA_TOKEN
gaylem Mar 28, 2024
88f8472
Update node version
gaylem Mar 28, 2024
df30789
Revert H4LA_TOKEN to TEAMS
gaylem Mar 28, 2024
4b9fdee
Revert H4LA_TOKEN to GITHUB_TOKEN
gaylem Mar 28, 2024
fc53feb
Remove console logs
gaylem Mar 28, 2024
6cc13b1
Merge branch 'gh-pages' into create-new-codeql-issues-5059
gaylem Mar 30, 2024
4f033de
Update codeql.yml file
gaylem Mar 30, 2024
e548c57
Update fetch-alerts.js file
gaylem Mar 30, 2024
b73dab9
Update check-existing-issues.js file
gaylem Mar 30, 2024
8e760fb
Update create-new-issues.js file
gaylem Mar 30, 2024
6d0537c
Replace missing curly braces
gaylem Mar 30, 2024
b34426b
Replace response with fetchAlertsResponse
gaylem Mar 30, 2024
6138ba7
Replace listAlertsForRepo with GET request
gaylem Mar 30, 2024
5d8546d
Replace ok with 200
gaylem Mar 30, 2024
41a981b
Add comments and console log for testing
gaylem Mar 30, 2024
22e8034
Remove .json()
gaylem Mar 30, 2024
96745c6
Replace ok with 200
gaylem Mar 30, 2024
472d26f
Update comments and POST request syntax
gaylem Mar 30, 2024
aa08576
Replace ok with 200 on create-new-issues.js and change POST to GET on…
gaylem Mar 30, 2024
5c925ab
Replace .json() with .data
gaylem Mar 30, 2024
421513f
Update POST request syntax
gaylem Mar 30, 2024
6465811
Update comments and change secrets
gaylem Mar 30, 2024
42bc5f2
Revert secret name
gaylem Mar 30, 2024
7769774
Add comments
gaylem Mar 30, 2024
c1e7fbf
Batch API requests to avoid hitting rate limit
gaylem Mar 30, 2024
90a1e6a
Add comments
gaylem Mar 30, 2024
1f5c71c
Adjust alertIdsWithoutIssues.push logic
gaylem Mar 30, 2024
bbdd328
Add console logs
gaylem Mar 30, 2024
a59defb
Reduce batches from 10 to 5 due to GitHub limit
gaylem Mar 30, 2024
2c4d5ac
Adjust createIssueResponse query
gaylem Mar 30, 2024
09009b6
Add comment
gaylem Mar 30, 2024
edca295
Add template literals to query url and add comment for testing
gaylem Mar 30, 2024
38b2439
Change 200 to 201
gaylem Mar 30, 2024
f48be3e
Update comment
gaylem Mar 30, 2024
da760a9
Batch issue creation requests to avoid rate limit
gaylem Mar 30, 2024
a586f95
Adjust batching of new issue requests
gaylem Mar 30, 2024
ea352cf
Revert changes
gaylem Mar 30, 2024
5ea64a6
Remove comment
gaylem Mar 30, 2024
bb48088
Move console log
gaylem Mar 30, 2024
61c5884
Update console log
gaylem Mar 30, 2024
79bd852
Update console log
gaylem Mar 30, 2024
6c417c7
Update console log
gaylem Mar 30, 2024
f97ad33
Replaced test branch with gh-pages
gaylem Mar 30, 2024
790c4ee
Update console logs and comments
gaylem Apr 2, 2024
7fefb6b
Removed fs and updated issueTitle
gaylem Apr 3, 2024
16e4f1b
Removed fs
gaylem Apr 3, 2024
f56f591
Add fs back in
gaylem Apr 3, 2024
50d17cb
Remove fs
gaylem Apr 3, 2024
63f4a95
Add HACKFORLA_ADMIN_TOKEN in fetch-alerts secret
gaylem Apr 3, 2024
ca49d34
Revert secret back to HACKFORLA_BOT_PA_TOKEN
gaylem Apr 3, 2024
7961ff2
Swap bot token for GITHUB_TOKEN
gaylem Apr 4, 2024
be8de71
Replace GITHUB_TOKEN with HACKFORLA_BOT_PA_TOKEN on Create New Issues…
gaylem Apr 4, 2024
bcc7673
Revert token on Create New Issues
gaylem Apr 4, 2024
9dd363a
Add How to manage CodeQL alerts to issue template
gaylem Apr 6, 2024
a38a50b
Add workflow_dispatch for manual retries
gaylem Apr 7, 2024
8b5a055
Update put request to use create function
gaylem Apr 7, 2024
a80a14b
Refactor body variable
gaylem Apr 7, 2024
d2c9aad
Change token
gaylem Apr 7, 2024
11fbbc3
Merge branch 'gh-pages' into create-new-codeql-issues-5059
gaylem Apr 7, 2024
dd75897
Changed GITHUB_TOKEN to HACKFORLA_ADMIN_TOKEN
gaylem Apr 14, 2024
f63c632
Add issues: write to permissions
gaylem Apr 14, 2024
f80fe35
Change permissions to write-all
gaylem Apr 14, 2024
3b3ddf3
Move permissions up above jobs
gaylem Apr 14, 2024
30c1928
Merge branch 'gh-pages' into create-new-codeql-issues-5059
gaylem Apr 14, 2024
e2d53e1
Move permissions back to original location
gaylem Apr 14, 2024
3819013
Updated branch to test
gaylem Apr 14, 2024
e8a1a56
Change token and branch
gaylem Apr 14, 2024
36f871d
Change branch back to gh-pages
gaylem Apr 14, 2024
5eb1742
Change branch to test
gaylem Apr 14, 2024
cff82b9
Change branch back to gh-pages
gaylem Apr 14, 2024
68b2de0
Add if statement to new yml steps
gaylem Apr 14, 2024
7efebe1
Change branch for testing
gaylem Apr 14, 2024
10a00ce
Change branch back to gh-pages
gaylem Apr 14, 2024
4a753ff
Add create-new-issues id and reorder id and if conditions to be consi…
gaylem Apr 15, 2024
e88face
Change branch to test
gaylem Apr 15, 2024
23d3cb5
Added unused variable to see if CodeQL picks it up
gaylem Apr 15, 2024
342fdb4
Changed branch to gh-pages
gaylem Apr 15, 2024
4e892ad
Removed unused variable
gaylem Apr 15, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 43 additions & 3 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,13 @@ name: "CodeQL"

on:
push:
branches: [ "gh-pages" ]
branches: [ 'gh-pages' ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "gh-pages" ]
branches: [ 'gh-pages' ]
schedule:
- cron: '30 5 * * 5'
workflow_dispatch:

jobs:
analyze:
Expand All @@ -29,6 +30,7 @@ jobs:
actions: read
contents: read
security-events: write
issues: write

strategy:
fail-fast: false
Expand Down Expand Up @@ -75,4 +77,42 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
category: "/language:${{matrix.language}}"

# Fetch Alerts
- name: Fetch Alerts
id: fetch-alerts
if: github.event_name != 'pull_request'
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const script = require('./github-actions/trigger-issue/create-codeql-issues/fetch-alerts.js');
const fetchAlerts = script({ g: github, c: context });
return fetchAlerts

# Check Existing Issues
- name: Check Existing Issues
id: check-existing-issues
if: github.event_name != 'pull_request'
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const script = require('./github-actions/trigger-issue/create-codeql-issues/check-existing-issues.js');
const alerts = ${{ steps.fetch-alerts.outputs.result }};
const checkExistingIssues = script({ g: github, c: context, alerts});
return checkExistingIssues

# Create New Issues
- name: Create New Issues
id: create-new-issues
if: github.event_name != 'pull_request'
uses: actions/github-script@v7
with:
github-token: ${{ secrets.HACKFORLA_ADMIN_TOKEN }}
script: |
const script = require('./github-actions/trigger-issue/create-codeql-issues/create-new-issues.js');
const alertIds = ${{ steps.check-existing-issues.outputs.result }};
const newIssues = script({ g: github, c: context, alertIds});

Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
// Global variables
var github;
var context;

/**
* Fetches existing issues for each alert and sets the output for alerts without existing issues.
* @param {Object} options - The options object.
* @param {string} options.g - The GitHub access token.
* @param {Object} options.c - The context object.
* @param {Array<Object>} options.alerts - The array of alerts to check.
* @returns {Promise<Array<number>>} An array of alert IDs without existing issues.
* @throws {Error} If the GET request fails.
*/
const checkExistingIssues = async ({ g, c, alerts }) => {
// Rename parameters
github = g;
context = c;

// Initialize empty array to store alertIds
let alertIdsWithoutIssues = [];

// Batch alerts into groups of 5 for each request to avoid rate limit
const batchedAlertIds = alerts.reduce((acc, alert, index) => {
// For indexes 0 to 4, batchIndex == 0
// For indexes 5 to 9, batchIndex == 1
// For indexes 10 to 14, batchIndex == 2
// Etc.
const batchIndex = Math.floor(index / 5);
// if acc[batchIndex] == undefined, a new array is created before pushing the alert number
acc[batchIndex] = acc[batchIndex] || [];
// Push alert.number to inner array
acc[batchIndex].push(alert.number);
// Returns array of arrays
return acc;
}, []);

// Loop through each batch of alerts
for (const fiveAlertIds of batchedAlertIds) {
// Creates one query for multiple alertIds
const q = fiveAlertIds.map(alertId => `repo:${context.repo.owner}/${context.repo.repo}+state:open+"${alertId}"+in:title`).join('+OR+');

// Query GitHub API in batches
const searchResponse = await github.request('GET /search/issues', { q });

// Throw error if GET request fails
if (searchResponse.status !== 200) {
throw new Error(`Failed to search for issues: ${searchResponse.status} - ${searchResponse.statusText}`);
}

// Store the response data in a variable for easy access
const searchResult = searchResponse.data;

// Push alertIds that do not have existing issues in searchResult to output array
alertIdsWithoutIssues.push(...fiveAlertIds.filter(alertId => !searchResult.items.some(item => item.title.includes(alertId))));
};

// Return flat array of alertIds that do not have issues
console.log('alertIds without issues: ', alertIdsWithoutIssues);
return alertIdsWithoutIssues;
};

module.exports = checkExistingIssues
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
const fs = require('fs');

// Global variables
var github;
var context;

/**
* Creates new GitHub issues for each alert that doesn't have an existing issue.
* @param {Object} options - The options object.
* @param {string} options.g - The GitHub access token.
* @param {Object} options.c - The context object.
* @param {Array<number>} options.alertIds - The array of alert IDs to create issues for.
* @returns {Promise<void>}
* @throws {Error} If the POST request fails.
*/
const createNewIssues = async ({ g, c, alertIds }) => {
// Rename parameters
github = g;
context = c;

// Loop through each alertId
for (const alertId of alertIds) {
// Create the issue title
const title = `Resolve CodeQL Alert #${alertId} - Generated by GHA`;

// Read the issue body template file
const issueBodyTemplatePath = 'github-actions/trigger-issue/create-codeql-issues/issue-body.md';
let issueBodyTemplate = fs.readFileSync(issueBodyTemplatePath, 'utf8');

// Replace placeholders with actual values in the issue body template
const body = issueBodyTemplate.replace(/\${alertId}/g, alertId);

// Create a new GitHub issue
const createIssueResponse = await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title,
body,
labels: ['ready for dev lead']
});

// Log issue titles and links in GHA workflow
console.log('Issue Created:', createIssueResponse.data.title, createIssueResponse.data.html_url);

// Throw error if POST request fails (201 not created)
if (createIssueResponse.status !== 201) {
throw new Error(`Failed to create issue for alert ${alertId}: ${createIssueResponse.status} - ${createIssueResponse.statusText}`);
}
}
};

module.exports = createNewIssues;
36 changes: 36 additions & 0 deletions github-actions/trigger-issue/create-codeql-issues/fetch-alerts.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
// Global variables
var github;
var context;

/**
* Fetches a list of open CodeQL alerts from the GitHub API.
* @param {Object} params - The parameters for the fetch operation.
* @param {Object} params.g - The GitHub object for making API requests.
* @param {Object} params.c - The context object containing repository information.
* @returns {Promise<Array>} A promise that resolves with an array of alerts when the fetch is successful.
* @throws {Error} If the GET request fails.
*/
const fetchAlerts = async ({ g, c }) => {
// Rename parameters
github = g;
context = c;

// Get a list of open CodeQL alerts
const fetchAlertsResponse = await github.request('GET /repos/{owner}/{repo}/code-scanning/alerts', {
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
per_page: 100,
page: 1
});

// Throw error if GET request fails
if (fetchAlertsResponse.status !== 200) {
throw new Error(`Failed to fetch alerts: ${fetchAlertsResponse.status} - ${fetchAlertsResponse.statusText}`);
}

// Return alerts
return fetchAlertsResponse.data
};

module.exports = fetchAlerts
26 changes: 26 additions & 0 deletions github-actions/trigger-issue/create-codeql-issues/issue-body.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
### Prerequisite

1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).
2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).

### Overview
We need to resolve the new alert [(${alertId})](https://github.com/hackforla/website/security/code-scanning/${alertId}) and either recommend dismissal of the alert or update the code files to resolve the alert.

### Action Items
- [ ] The following action item serves to "link" this issue as the "tracking issue" for the CodeQL alert and to provide more details regarding the alert: https://github.com/hackforla/website/security/code-scanning/${alertId}
- [ ] In a comment in this issue, add your analysis and recommendations. The recommendation can be one of the following: `dismiss as test`, `dismiss as false positive`, `dismiss as won't fix`, or `update code`. An example of a `false positive` is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as `---` or `{%`
- [ ] **If the recommendation is to dismiss the alert:**
- [ ] Apply the label `ready for dev lead`
- [ ] Move the issue to `Questions/In Review`
- [ ] **If the recommendation is to update code:**
- [ ] Create an issue branch and proceed with the code update
- [ ] Test using docker to ensure that there are no changes to any affected webpage(s)
- [ ] Proceed with pull request in the usual manner

### Resources/Instructions
- [HfLA website: CodeQL scan alert audits - issue 5005](https://docs.google.com/spreadsheets/d/1B3R-fI8OW0LcYuwZICQZ2fB8sjlE3VsfyGIXoReNBIs/edit#gid=193401043)
- [Code scanning results page](https://github.com/hackforla/website/security/code-scanning)
- [CodeQL query help for JavaScript](https://codeql.github.com/codeql-query-help/javascript/)
- [How to manage CodeQL alerts](https://github.com/hackforla/website/issues/6463#issuecomment-2002573270 )

This issue was automatically generated from the codeql.yml workflow