
Create codeql-analysis.yml #5234

Merged: antgamdia merged 12 commits into main from add-codeql-gha on Sep 7, 2022

Conversation

antgamdia (Contributor) commented Aug 24, 2022

Description of the change

While having a look at the repo settings, I noticed we didn't enable the CodeQL built-in support that GitHub offers for analyzing the code quality. This PR is the result of clicking on "enable" and adding a couple of copyright lines + customizing the cron, but otherwise it's the default config.

See an example of an alert below:

[image: screenshot of an example CodeQL alert]

Benefits

Periodic report of the code quality status directly in GitHub

Possible drawbacks

More noise, but we can always allowlist any alert if we think so

Applicable issues

Additional information

The results are stored in the "Security" section of the GitHub repo.

Signed-off-by: Antonio Gámez, PhD <agamez@vmware.com>
netlify bot commented Aug 24, 2022

Deploy Preview for kubeapps-dev canceled.

Name Link
🔨 Latest commit 47fd427
🔍 Latest deploy log https://app.netlify.com/sites/kubeapps-dev/deploys/63176518113da00008fd32a3

castelblanque (Collaborator) left a comment

Awesome, thanks!

antgamdia (Contributor, author) commented

There are two issues with this PR:

  • 1 issue was detected with this workflow: Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch. Minor issue, I'll fix after having a look at the docs.
  • There are actual detected problems that need to be fixed. I'll do it in a stacked PR soon.

Signed-off-by: Antonio Gamez Diaz <agamez@vmware.com>
@antgamdia antgamdia marked this pull request as draft August 30, 2022 17:49
Signed-off-by: Antonio Gamez Diaz <agamez@vmware.com>

Conflicts:
	cmd/kubeops/Dockerfile
Signed-off-by: Antonio Gamez Diaz <agamez@vmware.com>
Signed-off-by: Antonio Gamez Diaz <agamez@vmware.com>

Conflicts:
	cmd/apprepository-controller/Dockerfile
	cmd/asset-syncer/Dockerfile
	cmd/kubeapps-apis/Dockerfile
log.Infof("+helm AddPackageRepository '%s' pointing to '%s'", request.GetName(), request.GetUrl())
repoName := request.GetName()
repoUrl := request.GetUrl()
log.Infof("+helm AddPackageRepository '%s' pointing to '%s'", repoName, repoUrl)

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

Sensitive data returned by [an access to UsernamePassword](1) is logged here.
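The CodeQL alert above fires on the log.Infof call because the URL being printed comes from a request that also carries a UsernamePassword credential, so a repository URL of the form https://user:password@host would land in the log in clear text. The Go program below is an added example, not Kubeapps code: it models the request with constructed stand-in types, reproduces the flagged pattern next to a hardened variant that strips any userinfo out of the URL before formatting the log line, and never formats the credential struct itself. The type names, the RedactURL helper and the sample URL and credentials are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// UsernamePassword and AddPackageRepositoryRequest are constructed stand-ins
// for the request types the flagged handler receives (hypothetical shapes,
// not the Kubeapps API types).
type UsernamePassword struct {
	Username string
	Password string
}

type AddPackageRepositoryRequest struct {
	Name string
	URL  string
	Auth *UsernamePassword
}

func (r *AddPackageRepositoryRequest) GetName() string { return r.Name }
func (r *AddPackageRepositoryRequest) GetUrl() string  { return r.URL }

// RedactURL strips any userinfo (user:password@) from a repository URL so that
// credentials embedded in the URL never reach the log. Input that does not
// parse is replaced by a fixed placeholder instead of being echoed back.
func RedactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable url>"
	}
	u.User = nil // drop username and password entirely
	return u.String()
}

// UnsafeLogMessage reproduces the pattern CodeQL flags: the raw URL from a
// request that also carries credentials is formatted straight into the line.
func UnsafeLogMessage(req *AddPackageRepositoryRequest) string {
	return fmt.Sprintf("+helm AddPackageRepository '%s' pointing to '%s'",
		req.GetName(), req.GetUrl())
}

// SafeLogMessage is the hardened form: the URL is redacted first and the
// Auth struct is never formatted at all.
func SafeLogMessage(req *AddPackageRepositoryRequest) string {
	return fmt.Sprintf("+helm AddPackageRepository '%s' pointing to '%s'",
		req.GetName(), RedactURL(req.GetUrl()))
}

func main() {
	// Constructed sample request whose repo URL carries basic-auth userinfo.
	req := &AddPackageRepositoryRequest{
		Name: "bitnami",
		URL:  "https://alice:s3cret@charts.example.com/repo",
		Auth: &UsernamePassword{Username: "alice", Password: "s3cret"},
	}
	fmt.Println("flagged:", UnsafeLogMessage(req))
	fmt.Println("safe:   ", SafeLogMessage(req))
}
```

Routing every logged URL through a helper like RedactURL is also what lets a code-scanning tool see that the sensitive value has been sanitized before the sink; allowlisting the alert instead leaves the clear-text path in place.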
Signed-off-by: Antonio Gamez Diaz <agamez@vmware.com>
@antgamdia antgamdia marked this pull request as ready for review September 6, 2022 16:04
@antgamdia antgamdia merged commit 4cadfb9 into main Sep 7, 2022
@antgamdia antgamdia deleted the add-codeql-gha branch September 7, 2022 07:42
Development

Successfully merging this pull request may close these issues: Add static code analysis to CI

3 participants