Add CodeQL variant analysis scanning #2041
Conversation
🤖 Created branch: z_pr2041/dfarrell07/codeql3
There's still an issue with reproducing negative results: #1970 (comment). But checks are clearly running, and I think we're using the GHA as we should be. Maybe it's okay to merge?
Could you try adding a code change that this should flag, just to check whether it finds issues?
Yeah, that's what I was doing to try to reproduce negative results. One example (there are others linked in the tracking issue): dfarrell07#54
Better example based on exactly this change: dfarrell07#56
Where are the results supposed to show up? The check says “No new or fixed alerts”, which suggests it didn't find anything amiss.
Right, that's the issue: we fixed all the issues flagged by CodeQL (run through LGTM.com) before I was able to verify the negative case. In the linked example I revert a fix and it still passes.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Is this PR still relevant?
I'd still like to merge it as I think it's helpful, I just can't show it's actually catching issues. So to be explicit, I'd like to merge it although it's a bit below the quality standard I typically strive for.
I see that submariner-operator is already running this tool. But I'm not clear on where we can view or use the results...
It publishes SARIF reports that GitHub automatically consumes and shows in the Security tab.
This is a different type of static analysis than others we run.
> Variant analysis is the process of using a known security vulnerability as a seed to find similar problems in your code.
https://codeql.github.com/docs/codeql-overview/about-codeql/
CodeQL doesn't only do variant analysis for security issues, it also has semantic queries/rules for other types of issues.
https://github.com/github/codeql/tree/main/go/ql/src
It identified new issues (already fixed) that our other tools missed.
The company that built it was bought by GitHub and the tool is being integrated into GitHub's security workflow.
Add one unprivileged version of the job to gate PRs and one privileged version on-merge to report results.
Relates-to: submariner-io#1970
Signed-off-by: Daniel Farrell <[email protected]>
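The two-job split described in the commit message, written out as an added example. This is not the PR's own workflow file and not code from the submariner project: it assumes a Go repository whose default branch is `main`, and the "fail on any result" gating step, the `sarif-results` output directory and the `jq` count are choices made here for illustration (the `jq` binary is present on GitHub-hosted `ubuntu-latest` runners). The point it demonstrates is why the split exists: a `pull_request` job from a fork gets a read-only `GITHUB_TOKEN` and cannot upload SARIF, so the PR job has to inspect the raw SARIF itself, while the on-merge job has `security-events: write` and uploads to the Security tab.

```yaml
# Added example (not the PR's own workflow): CodeQL for a Go repository
# with one unprivileged PR-gating job and one privileged on-merge job.
name: CodeQL

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  # Unprivileged job: runs on pull requests, including ones from forks,
  # where GITHUB_TOKEN has no security-events:write. It never uploads
  # results; it gates the PR by reading the SARIF file directly.
  codeql-gate:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
          queries: security-and-quality
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          upload: false
          output: sarif-results   # analyze writes sarif-results/go.sarif
      # Assumed gating policy (not from the PR): fail on any result.
      # Counting results here is what makes the negative case visible;
      # the "No new or fixed alerts" summary only exists after an upload,
      # so a PR job that cannot upload would otherwise always look clean.
      - name: Fail on findings
        run: |
          count=$(jq '[.runs[].results[]] | length' sarif-results/go.sarif)
          echo "CodeQL results: $count"
          test "$count" -eq 0

  # Privileged job: runs on merge to main and uploads the SARIF so GitHub
  # shows alerts in the Security tab and computes new/fixed deltas.
  codeql-report:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
          queries: security-and-quality
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

To verify the negative case the thread is chasing, open a PR that reverts a previously flagged fix: with this layout the `Fail on findings` step reports a nonzero count and the check goes red, whereas an upload-based check on a fork PR can only ever say "No new or fixed alerts" because nothing was uploaded to compare against. Failing on any result also trips on `security-and-quality` findings that are not security bugs; if that is too strict, filter in `jq` on `.level` or on the rule's `properties.tags` before counting.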
🤖 Closed branches: [z_pr2041/dfarrell07/codeql3]