
Evaluate codeQL on e.g. on https://github.com/arburk/fishbone #245

Closed
MarkusTiede opened this issue Jul 16, 2020 · 11 comments
Assignees
Labels
use https://baloise.github.io/open-source/docs/md/goals/uplift.html#use

Comments

@MarkusTiede
Member

MarkusTiede commented Jul 16, 2020

https://github.com/github/codeql

@culmat
Member

culmat commented Jul 16, 2020

What is cQL?

@arburk
Contributor

arburk commented Jul 16, 2020

CodeQL
QL is the query language that powers CodeQL. QL is an object-oriented logic programming language. GitHub, language experts, and security researchers create the queries used for code scanning, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see CodeQL on the GitHub Security Lab website.
https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code

@culmat
Member

culmat commented Jul 16, 2020

@arburk
Contributor

arburk commented Oct 10, 2020

Conducted the tutorials https://help.semmle.com/QL/learn-ql/beginner/ql-tutorials.html and played around a little. Would like to discuss with someone also interested in this topic.

@MarkusTiede
Member Author

Let's do that!

@MarkusTiede MarkusTiede added the use https://baloise.github.io/open-source/docs/md/goals/uplift.html#use label Oct 26, 2020
@MarkusTiede
Member Author

MarkusTiede commented Oct 26, 2020

Next step(s)

  • execute / run checks locally on dev-machines
  • publish results within GitHub scope

Postponed

  • execute / run checks on Jenkins CI

@MarkusTiede MarkusTiede changed the title Evaluate cQL on e.g. fork of https://owasp.org/www-project-juice-shop/ Evaluate cQL on e.g. on https://github.com/arburk/fishbone Oct 26, 2020
@arburk
Contributor

arburk commented Oct 27, 2020

The generated SARIF can be added as an artifact by the following workflow step:

- name: Archive sarif files
  uses: actions/upload-artifact@v2
  with:
    name: Sarif file from codeQL scan
    path: /home/runner/work/fishbone/results/java-builtin.sarif

The path needs to be adjusted to the related repo, of course 😉

@MarkusTiede
Member Author

MarkusTiede commented Jan 25, 2021

agenda for security show & tell (@MarkusTiede, @arburk)

  • introduction to codeQL
  • codeQL hands-on via GitHub
  • codeQL PoC @ Baloise Infrastructure context
    • codeQL CLI in container on Jenkins
    • idea: convert SARIF file to SonarQube
  • next steps
    • continue? what's necessary next?

experiences so far

  • code scans are resource intensive
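The SARIF-to-SonarQube conversion floated in the agenda, as an added example that is not part of this thread or the fishbone project: it maps the results[] of a CodeQL SARIF file onto SonarQube's generic issue import format (the JSON fed in via sonar.externalIssuesReportPaths), tagging CodeQL security queries as vulnerabilities and dropping results that carry no file location. The sample SARIF is constructed, and the SARIF level to SonarQube severity mapping is an assumed choice.

```python
"""Convert CodeQL SARIF output into SonarQube's generic issue import JSON."""
import json

# Constructed sample covering the SARIF 2.1.0 fields that codeql-action emits.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "java/sql-injection", "properties": {"tags": ["security", "external/cwe/cwe-089"]}},
        {"id": "java/unused-parameter", "properties": {"tags": ["maintainability"]}}]}},
    "results": [
        {"ruleId": "java/sql-injection", "level": "error",
         "message": {"text": "Query built from user-controlled sources."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/Repo.java"},
                                             "region": {"startLine": 42, "endLine": 44}}}]},
        {"ruleId": "java/unused-parameter", "level": "note",
         "message": {"text": "Parameter 'x' is never used."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/Util.java"},
                                             "region": {"startLine": 7}}}]},
        {"ruleId": "java/no-location", "level": "warning", "message": {"text": "No file attached."}}]}]}

# SARIF result level -> SonarQube severity (assumed mapping; SonarQube accepts INFO..BLOCKER).
SEVERITY = {"error": "CRITICAL", "warning": "MAJOR", "note": "MINOR"}


def sarif_to_sonar(sarif: dict, engine_id: str = "codeql") -> dict:
    """Return the structure SonarQube reads via sonar.externalIssuesReportPaths."""
    issues = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown")
            tags = rules.get(rule_id, {}).get("properties", {}).get("tags", [])
            # SonarQube requires a file path, so results without a physical location are skipped.
            locs = [loc["physicalLocation"] for loc in result.get("locations", []) if "physicalLocation" in loc]
            if not locs:
                continue
            region = locs[0].get("region", {})
            start = region.get("startLine", 1)
            issues.append({
                "engineId": engine_id,
                "ruleId": rule_id,
                "severity": SEVERITY.get(result.get("level", "warning"), "MAJOR"),
                # CodeQL tags its security queries with "security"; everything else becomes a code smell.
                "type": "VULNERABILITY" if "security" in tags else "CODE_SMELL",
                "primaryLocation": {
                    "message": result.get("message", {}).get("text", rule_id),
                    "filePath": locs[0]["artifactLocation"]["uri"],
                    "textRange": {"startLine": start, "endLine": region.get("endLine", start)}}})
    return {"issues": issues}

if __name__ == "__main__":
    print(json.dumps(sarif_to_sonar(SAMPLE_SARIF), indent=2))
```

Point the script at a real java-builtin.sarif with json.load and write the output next to the Sonar scanner config to import it alongside the regular analysis.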

@MarkusTiede MarkusTiede changed the title Evaluate cQL on e.g. on https://github.com/arburk/fishbone Evaluate codeQL on e.g. on https://github.com/arburk/fishbone Jan 25, 2021
@arburk
Contributor

arburk commented Feb 12, 2021

Evaluation is completed so far. A follow-up story is to be created for integrated usage with Jenkins/SonarQube.
