CodeQL Action fails blocking code review/merging #13588
Comments
Looks like 403 is not the only error, there is a failure on report like https://github.com/etcd-io/etcd/pull/13590/checks?check_run_id=4789367815 that reports errors like:
From https://codeql.github.com/codeql-query-help/csharp/cs-log-forging/#recommendation (note that this is the csharp documentation, as there is no article for Go with recommendations on how to handle it) the recommendation is to escape user input. The method of escaping depends on the output we are generating; for example, if we generated an HTML document it should use an HTML encoder. In the etcd case user input is passed to the zap logging library. In the default configuration zap will write JSON and properly escape values, so there is no immediate security threat. One case would be with the new v3.6 feature where zap can be switched from JSON to traditional
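The comment above explains why the same untrusted string is harmless under zap's JSON encoder but can forge log lines once a plain-text encoder is in use. The following is an added illustration, not code from etcd or from the zap project: it uses only the standard library (`encoding/json` stands in for what a JSON encoder does to the field) and a small `sanitizeForLog` helper, an assumption of this example rather than an etcd function, that neutralises CR/LF so a plain-text line cannot be split. The input string is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"unicode"
)

// sanitizeForLog neutralises the characters that let attacker-controlled input
// forge extra entries when a logger writes plain text (a console encoder is one
// such case). CR, LF and TAB become their visible escape sequences and any other
// control character is replaced by "?", so the entry stays on a single line.
func sanitizeForLog(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for _, r := range s {
		switch {
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case r == '\t':
			b.WriteString(`\t`)
		case unicode.IsControl(r):
			b.WriteRune('?')
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// plainEntry models a plain-text (console style) log line that embeds the
// untrusted value verbatim; this is the shape that is vulnerable to forging.
func plainEntry(key string) string {
	return "INFO open file key=" + key
}

// jsonEntry models what a JSON encoder does with the same field: encoding/json
// escapes CR/LF inside the string, so the forged line cannot break out of the
// record. Map keys are emitted in sorted order by encoding/json.
func jsonEntry(key string) (string, error) {
	out, err := json.Marshal(map[string]string{"msg": "open file", "key": key})
	return string(out), err
}

// lineCount reports how many physical lines an entry occupies once written;
// anything above 1 means the input injected an extra line into the log.
func lineCount(entry string) int {
	return strings.Count(entry, "\n") + 1
}

func main() {
	// Constructed hostile input: a newline followed by text that mimics a
	// legitimate entry.
	untrusted := "snap.db\nINFO forged entry"

	raw := plainEntry(untrusted)
	safe := plainEntry(sanitizeForLog(untrusted))
	js, _ := jsonEntry(untrusted)

	fmt.Printf("plain, raw:       %d line(s)\n%s\n", lineCount(raw), raw)
	fmt.Printf("plain, sanitized: %d line(s)\n%s\n", lineCount(safe), safe)
	fmt.Printf("json encoder:     %d line(s)\n%s\n", lineCount(js), js)
}
```

Run with `go run .`; the raw plain-text entry occupies two lines while both the sanitized plain-text entry and the JSON entry stay on one. The JSON case is the one the comment describes as safe by default; the sanitizer is what a plain-text encoder would need in front of any user-controlled field.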
Heh, disabling a query is complicated enough that I will look into fixing the errors.
I didn't find an easy way to disable just. Dismissing requires Edit permissions on the repo. @ptabor can you take a look?
I see only 2 pretty specific alerts: etcd/tools/etcd-dump-logs/main.go Line 235 in 14c527f
etcd/tools/etcd-dump-db/backend.go Line 125 in 14c527f
And the remaining 44 are not on the list to dismiss.
Those two errors should be addressed by #13591
Looks like the issue is still not resolved :(
This time let's try to get some debug info #13598
Yes, especially the changes in backend.go removed the logging per the scanning tool's suggestion. I have closed/reported that as a false positive. And main.go is also taken care of by not logging anything problematic. So I think we are fine with those two alerts. About the 403 error, investigating further.
Greetings. I'm on the team at GitHub that maintains the CodeQL Action, and was directed here by our developer relations team, to whom I believe maintainers of this project reached out. Thanks for letting us know, and apologies for the inconvenience. The timeline you describe (9 days ago) coincides with our update of Could you please try one of the following and let me know if they resolve the problem with the failing workflow?
This solves one of the problems with CodeQL. @adityasharad please refrain from introducing breaking changes without proper notification. There is also a problem of false positives that we are unable to silence. CodeQL reports problems @adityasharad Do you have any recommendation on silencing those reports?
@adityasharad thank you so much for helping! A qq - does enabling the
I see the warnings refreshed now in the security console. I will review them and dismiss when justified. |
Appreciate your patience and willingness to try the workaround. I realise the workaround I suggested may not be enough to handle all situations, in particular workflows running on pull requests from forked repositories, which receive a more limited set of permissions by default, even if you specify To learn more about the options for Actions token permissions, you may be interested in https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token. My understanding is that by keeping the
Thanks for pointing these out too. Dismissing the alerts in the code scanning UI will ensure they don't reappear. However the CodeQL team is interested in hearing about false positives and library coverage that affect our security-focused analysis. In this case it sounds like we could handle Going forward, please don't hesitate to file questions or issues in https://github.com/github/codeql and we will be very happy to help you out.
Looks like the issue has been resolved.
Within last 19h all CodeQL actions started failing blocking code review/merging.
I'm not familiar with CodeQL, what does this action do? Would we be ok with disabling it or should we look into a fix?
I assume that this is an organization/project configuration error; to fix it we would need help from a maintainer that has access to the GitHub configuration.
cc @ptabor @spzala @ahrtr @hexfusion
Dashboard: https://github.com/etcd-io/etcd/actions/workflows/codeql-analysis.yml
Error: