Add CodeQL variant analysis scanning #1970
Comments
@skitt do you agree this is useful, something we should implement?
This does seem worthwhile, especially since it’s being integrated into GitHub code scanning.
This is a different type of static analysis than any others we run. It identifies new issues that are missed by our other tools. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
This is a different type of static analysis than any others we run. It identifies new issues that are missed by our other tools. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
This is a different type of static analysis than others we run. It identifies new issues that are missed by our other tools. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged one to report results on merges. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
This is a different type of static analysis than others we run. It identified new issues (already fixed) that our other tool missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
I thought there might be an issue where we were building twice, but it turns out init doesn't build for golang despite very confusing docs.
This job was called vulnerability variant analysis during most of development. It should have been reordered when the name was shortened. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
This is a different type of static analysis than others we run. It identified new issues (already fixed) that our other tools missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results. Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
I have the PRs for this on hold, in draft, while I'm trying to sort out some weirdness that was exposed by sending them around to the various repos. In short, I haven't been able to get the CodeQL builds to fail on code that contains errors (dfarrell07/submariner-operator#116, dfarrell07#53, dfarrell07#54) and it always fails on subctl even if it doesn't contain errors (dfarrell07/subctl#11, dfarrell07/subctl#14, dfarrell07/subctl#15).
This job was called vulnerability variant analysis during most of development. It should have been reordered when the name was shortened. https://codeql.github.com/docs/codeql-overview/about-codeql/ Relates-to: submariner-io/submariner#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
This is a different type of static analysis than others we run.
> Variant analysis is the process of using a known security vulnerability as a seed to find similar problems in your code.
https://codeql.github.com/docs/codeql-overview/about-codeql/
It identified new issues (already fixed) that our other tools missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results. Relates-to: submariner-io#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
This is a different type of static analysis than others we run.
> Variant analysis is the process of using a known security vulnerability as a seed to find similar problems in your code.
https://codeql.github.com/docs/codeql-overview/about-codeql/
CodeQL doesn't only do variant analysis for security issues, it also has semantic queries/rules for other types of issues.
https://github.com/github/codeql/tree/main/go/ql/src
It identified new issues (already fixed) that our other tools missed. The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow. Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results. Relates-to: submariner-io#1970 Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
Still trying to figure out why CodeQL doesn't flag the same issues flagged by LGTM.com using CodeQL. One last test with all the tweaks learned from the Operator iterations, just to be super clear about the lack of negative results: In dfarrell07@260afb3, I revert the commit that is identified by LGTM.com as having fixed an error flagged by CodeQL.
The CodeQL job doesn't flag the reverted code as an issue: https://github.com/dfarrell07/submariner/actions/runs/3153159751/jobs/5129296659 I guess it's possible that the issue is caused by running on a fork, per this warning in the logs:
The really fun part is whatever's going on with subctl. Always fails with:
This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.
As originally discussed on #794, CodeQL is a different type of scanner than the others we run and identifies new issues.
https://codeql.github.com/docs/codeql-overview/about-codeql/
See also: https://www.youtube.com/watch?v=5beYejYfhjY
CodeQL doesn't only do variant analysis for security issues, it also has semantic queries/rules for other types of issues.
https://github.com/github/codeql/tree/main/go/ql/src
The issues it found are already being fixed in various PRs, but we should likely also add CodeQL linting to keep out similar issues.
Depends on #1969
Depends on stolostron/submariner-addon#474
Depends on submariner-io/subctl#224
Depends on submariner-io/submariner-operator#2212
Depends on submariner-io/submariner-operator#2213
Depends on submariner-io/submariner-operator#2219
Depends on submariner-io/lighthouse#866
Depends on submariner-io/admiral#411
Depends on submariner-io/cloud-prepare#372
Depends on submariner-io/coastguard#81
Depends on submariner-io/subctl#244
Depends on #1994
Depends on submariner-io/submariner-operator#2259
Original issues:
Originally posted by @dfarrell07 in #794 (comment)
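The job split described in the commit messages above (an unprivileged CodeQL run that gates PRs, plus a privileged on-merge run that publishes results), written out as a GitHub Actions workflow. This is an added illustration, not the project's own workflow file: the trigger branch name `main`, the Go-only language list, the `sarif-results` output directory and the `go.sarif` filename written by `analyze` are assumptions, and the `jq` gate is one way to make the PR job fail on findings since `analyze` does not fail the build by itself.

```yaml
# Added example, not the project's workflow. Assumes a Go repository whose
# default branch is "main" (assumption) and the github/codeql-action v3 inputs.
name: CodeQL

on:
  pull_request:          # unprivileged run, also for PRs from forks
  push:
    branches: [main]     # privileged run on merge (branch name assumed)

jobs:
  # Gates PRs. Only contents:read is granted, so a PR from a fork cannot
  # write to code scanning; instead the job fails when any query fires.
  codeql-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      # init does not build Go code; autobuild (or an explicit go build) does.
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          upload: never            # keep this job unprivileged
          output: sarif-results    # directory for the SARIF file (assumed name)
      - name: Fail the PR on any CodeQL finding
        run: |
          n=$(jq '[.runs[].results[]] | length' sarif-results/go.sarif)
          echo "CodeQL findings: $n"
          test "$n" -eq 0

  # Reports results on merge. This is the only job that holds
  # security-events:write, the permission needed to upload to code scanning.
  codeql-merge:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3   # uploads by default
```

Keeping `security-events: write` out of the `pull_request` job is what makes it safe to run on fork PRs; the `jq` step is what turns findings into a failed check.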