Update CodeQL Workflow for Code Security Analysis #1346
Conversation
Include rule filtering to filter out rules with high false positive rates, uploading CodeQL results to 'Code scanning' under the Security tab on Github, uploading CodeQL results as an artifact Signed-off-by: Brian <89487381+b4yuan@users.noreply.github.com>
Signed-off-by: Brian <89487381+b4yuan@users.noreply.github.com>
|
@b4yuan Thank you for your contribution.
The results are already available in GitHub code scanning with the current workflow.
As you may have noticed, we have some false positives, too. But also several reasonable remarks. We would however like to choose a different approach to address these:
I don't see any advantage in just deactivating checks that don't cause actual problems by now. If it turns out in the future that a specific check is prone to trigger false positives quite often in this project, we can still think about filtering it out. |
There is a severe number of false-positive in code scanning caused by inspecting meson-internal test files like 'build/meson-private/tmpzb46osmq/testfile.c'. As a workaround, use the 'filter-sarif' action to filter out these results before uploading the SARIF (Static Analysis Results Interchange Format). This PR was inspired by rauc#1346 and the example from https://github.com/advanced-security/filter-sarif. Signed-off-by: Enrico Joerns <ejo@pengutronix.de>
There is a severe number of false-positive in code scanning caused by inspecting meson-internal test files like 'build/meson-private/tmpzb46osmq/testfile.c'. As a workaround, use the 'filter-sarif' action to filter out these results before uploading the SARIF (Static Analysis Results Interchange Format). This PR was inspired by rauc#1346 and the example from https://github.com/advanced-security/filter-sarif. Signed-off-by: Enrico Joerns <ejo@pengutronix.de>
|
Inspired by your PR, I created #1357 to fix the primary class of false positives we currently see in this project. |
We are researchers at Purdue University in the USA. We are studying the potential benefits and costs of using CodeQL on open-source repositories of embedded software.
We wrote up a report of our findings so far. The TL;DR is “CodeQL outperforms the other freely-available static analysis tools, with fairly low false positive rates and lots of real defects”. You can read about the report here: https://arxiv.org/abs/2310.00205
This PR builds on the previous workflow functionality by allowing for rule filtration, uploading CodeQL results to Code scanning, and uploading CodeQL results as an artifact.
False positives: We find that around 20% of errors are false positives, but that these FPs are polarized and only a few rules contribute to most FPs. We find that the top rules contributing to FPs are: cpp/uninitialized-local, cpp/missing-check-scanf, cpp/suspicious-pointer-scaling, cpp/unbounded-write, cpp/constant-comparison, and cpp/inconsistent-null-check. Adding a filter to filter out certain rules that contribute to a high FP rate can be done simply in the workflow file.
Uploading to Code scanning: This workflow uploads the results to Code scanning under the Security tab on GitHub:
From here, vulnerabilities can be addressed simply by clicking the bug or dismissed for various reasons:
Uploading as an artifact: This workflow also uploads the results as an artifact with a retention period of 5 days.