
Resolve Codeql complaints #215

Merged
merged 7 commits into from
Aug 28, 2024
Conversation

ivarprudnikov
Copy link
Member

@ivarprudnikov ivarprudnikov commented Aug 26, 2024

  • CodeQL flagged some Python implementation
  • These are known to be false positives and I've opened an issue in the respective repo, but this did not get any attention so far
  • Given we do not want to explain to every person that these flags are false positives, it is easier to just refactor the code a bit
  • RSA key is now hardcoded to be of size 2048; this is used in tests
  • EC hash algorithms and key sizes were also changed to use explicit lookup functions instead of an indirect dict that referenced types and values in the 3rd party cose library

To verify that this was resolved I went through hell and fire reading the CodeQL docs and running it locally:

  • Download the CodeQL CLI with all the bells and whistles
  • Create a DB from the source files: ~/codeql/codeql database create workspace/codeql-dbs --source-root=pyscitt/pyscitt --db-cluster --language=python --overwrite
  • Generate a temp token from the GitHub org that has the specific CodeQL queries and set it up in the env vars: export GITHUB_TOKEN=...
  • Run the analysis, which will fetch the queries using the above token: ~/codeql/codeql database analyze workspace/codeql-dbs/python/ microsoft-sdl/python-queries --format=sarif-latest --output=python-results.sarif
  • View the SARIF file python-results.sarif to see if there are still any issues
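The refactor described above replaces a dict that indirectly referenced third-party cose types with explicit lookup functions, and pins the test RSA key size to 2048. The following is an added illustration of that pattern written for this page, not code from the pyscitt repository: the curve names, the hashlib-based hash selection and the function names are assumptions chosen to show the shape of a static, easily analysable lookup.

```python
import hashlib

# Fixed RSA modulus size used for test keys (the PR description states 2048).
RSA_KEY_SIZE = 2048

# Explicit, closed lookups: every branch is a literal visible to static analysis,
# so a scanner cannot mistake the result for an attacker-influenced value.
# Curve names and pairings are standard NIST/COSE ES256/ES384/ES512 pairings.
def ec_key_size(curve: str) -> int:
    """Return the key size in bits for a supported EC curve name."""
    if curve == "P-256":
        return 256
    if curve == "P-384":
        return 384
    if curve == "P-521":
        return 521
    raise ValueError(f"unsupported EC curve: {curve}")


def ec_hash_name(curve: str) -> str:
    """Return the hashlib digest name paired with a supported EC curve."""
    if curve == "P-256":
        return "sha256"
    if curve == "P-384":
        return "sha384"
    if curve == "P-521":
        return "sha512"
    raise ValueError(f"unsupported EC curve: {curve}")


def digest_for_curve(curve: str, payload: bytes) -> bytes:
    """Hash a payload with the digest that the curve is paired with."""
    return hashlib.new(ec_hash_name(curve), payload).digest()


if __name__ == "__main__":
    for name in ("P-256", "P-384", "P-521"):
        print(name, ec_key_size(name), ec_hash_name(name),
              digest_for_curve(name, b"constructed sample payload").hex()[:16])
```

The point of the explicit `if` chain is that the accepted inputs and the returned values are literals in the function body; a dict keyed by objects imported from another library is opaque to taint analysis, which is the shape of query result the PR is avoiding.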
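The last verification step is to inspect python-results.sarif for remaining findings. As an added example that is not part of the PR, the script below summarises a SARIF 2.1.0 log by rule, which is what a reviewer would check after the `codeql database analyze` run above. The embedded SARIF document is constructed for the example; the rule ids and file paths in it are placeholders, not findings from the real scan.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for python-results.sarif.
# Rule ids and paths are placeholders, not real CodeQL results.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "py/example-rule-a", "level": "warning",
             "message": {"text": "placeholder finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "pkg/module_one.py"},
                 "region": {"startLine": 10}}}]},
            {"ruleId": "py/example-rule-a", "level": "warning",
             "message": {"text": "placeholder finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "pkg/module_two.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/example-rule-b", "level": "error",
             "message": {"text": "placeholder finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "pkg/module_one.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def summarize_sarif(text: str) -> dict:
    """Count SARIF results per rule id and list their file:line locations."""
    doc = json.loads(text)
    per_rule: Counter = Counter()
    locations: list[str] = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "<no-rule>")
            per_rule[rule] += 1
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                locations.append(f"{rule} {uri}:{line}")
    return {"total": sum(per_rule.values()),
            "per_rule": dict(per_rule),
            "locations": locations}


def is_clean(text: str) -> bool:
    """True when the SARIF log contains no results at all."""
    return summarize_sarif(text)["total"] == 0


if __name__ == "__main__":
    import sys
    # Usage: python summarize_sarif.py python-results.sarif
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    summary = summarize_sarif(data)
    print(json.dumps(summary, indent=2))
    print("clean" if summary["total"] == 0 else f"{summary['total']} finding(s)")
```

Run it against the real output file to get a per-rule count; an empty `results` array in every run is the condition the PR author was looking for.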

@ivarprudnikov ivarprudnikov force-pushed the security/codeql-complaints branch from ed28a13 to 65908bf Compare August 27, 2024 17:10
Review thread on pyscitt/pyscitt/key_vault_sign_client.py (outdated, resolved)
@ivarprudnikov ivarprudnikov merged commit 359a78e into main Aug 28, 2024
16 checks passed
@ivarprudnikov ivarprudnikov deleted the security/codeql-complaints branch August 28, 2024 11:05