Added commented section of Python code #3
Conversation
Added PyGoat code and commented it out to make it easier for people to find, uncomment, and then make a PR to push to the python repo for testing out CodeQL's capabilities.
My concern here: I'm pasting code from another open source repo and putting it in here for use in our commercial purposes. I'm wondering if that is violating some license somewhere. :( I can rewrite the code so that it does the same thing, but it's coming from me instead of PyGoat. That's a possible solution.
securingdev
left a comment
Could you add a URL and line numbers of where you are retrieving this from?
This is SUPER important to include as part of the "magic" behind CodeQL and helping this point land.
I almost feel like we shouldn't include this in this way, if only because it reduces the impact that this portion of the training has. Seeing is believing, and if it's not in here beforehand, they won't suspect any "sleight of hand" tricks from us.
I'm not sure I 100% agree with this assessment. They won't see this commented code when they start running the scans. After they uncomment, they'll be able to see the "magic". I am having trouble seeing where there is a loss of experience. Could you help me understand that better?
I like that the code is commented out inline. These bootcamps contain a lot of information for both the learner and the presenters to digest and communicate. By including the code in the file, we're making the process simpler for the attendees. In fact, I would go even farther in the simplification: This way, you're not in violation of any license things, the learner isn't distracted trying to understand the code in PyGoat, and you can still talk about the fact that this isn't an SQLi issue. NOTE: I haven't tested that this code fires an alert...
So here's my thinking of it (putting my "customer hat" on). If the code is not there before I see it, I see a scan has run, and then I go and add something new and scan it - I both get to see that this is truly net-new code, and I get to witness the "magic" of CodeQL finding a vulnerability in the PR. But more than that, it finds a different finding than I am expecting - and I have access / can see all of the other code that I originally pulled this from. It totally dismantles the "gotcha" types of things some clever security professionals try to pull when they add malicious code to a repo to "show that CodeQL doesn't work" and then we disprove that entire concept.
I'm not sure that experience is taken away with the code in the repo that is commented out. I think that's the part I'm having trouble understanding.
securingdev
left a comment
Given the addition of the link to where the content is retrieved from, I think this should be sufficient 👍
Go ahead and merge @WritingPanda when you see fit 👍