Create wiki page to guide developers how to manage CodeQL alerts #6463

Open
17 tasks
Tracked by #5242 ...
roslynwythe opened this issue Mar 14, 2024 · 33 comments
Labels
2 weeks inactive An issue that has not been updated by an assignee for two weeks Complexity: Medium Feature: Code Alerts Feature: Wiki role: back end/devOps Tasks for back-end developers role: front end Tasks for front end developers size: 1pt Can be done in 4-6 hours

roslynwythe commented Mar 14, 2024

Overview

We require a wiki page to guide developers on how to manage and resolve CodeQL alerts.

Action Items

After this issue is completed

Resources/Instructions

@roslynwythe roslynwythe added Feature Missing This label means that the issue needs to be linked to a precise feature label. size: missing role missing Complexity: Missing labels Mar 14, 2024

@roslynwythe roslynwythe added Draft Issue is still in the process of being created Feature: Wiki Complexity: Medium size: 1pt Can be done in 4-6 hours role: back end/devOps Tasks for back-end developers role: front end Tasks for front end developers and removed Feature Missing This label means that the issue needs to be linked to a precise feature label. size: missing role missing Complexity: Missing labels Mar 14, 2024
@roslynwythe roslynwythe self-assigned this Mar 17, 2024

roslynwythe commented Mar 17, 2024

Draft Wiki page: How to manage CodeQL alerts

Overview of CodeQL scanning

  • CodeQL scanning is implemented via the workflow .github/workflows/codeql.yml which is triggered by push, pull request on gh-pages, and scheduled weekly. See codeql-implementation #4886 for details.
  • The queries (tests) executed by CodeQL are grouped into query packs. Our workflow specifies the security-and-quality query pack.
  • Code scanning results are available from the code scanning page. You can browse to this page from the Security menu item throughout the hackforla/website repository. Note that by default only open alerts are displayed. Closed alerts are those that have been fixed (by code change) or dismissed.
  • To view information about the past resolution of a particular query type, for example "Missing variable declaration", use a query such as "Missing variable declaration" is:closed branch:gh-pages
  • Here is a sample alert detail page https://github.com/hackforla/website/security/code-scanning/40
[Screenshot: CodeQL alert detail page with tracking issue outlined in red]

  • Note these elements of the detail page
    • The tracking issue (in red) is the issue intended to manage the alert. An issue is linked as a tracking issue for an alert if the alert URL appears in an issue action item.
    • The code alert details include the file path and line number. Note that the same problem may exist in several locations within a code file. Only update the section of code indicated in the alert detail page.
    • In the right-hand column there is important information: the severity of the alert and the tags, which will indicate if the alert is a security alert.
    • Dismiss Alert button/form - Alerts should be dismissed only by the merge team after review of an issue recommending dismissal. Other developers should not dismiss alerts! When an alert is dismissed, the dev lead/merge team member must select one of the following options: false positive, used in test, or won't fix.
    • If you are assigned to an issue to resolve a CodeQL alert and you recommend dismissal, document your recommendation in a comment within the tracking issue, then place the issue into the "Questions/In Review" column with a ready for dev lead label. If you are a dev lead or merge team member closing an issue with a recommendation to dismiss, be sure to visit the alert detail page and complete the dismissal.

Issues for resolving CodeQL alerts

  • The workflow .github/workflows/codeql.yml scans all open CodeQL alerts and if an alert is found without a tracking issue, the workflow will create an issue linked to the CodeQL alert.

How to resolve specific alert types

Potentially unsafe external link - sample https://github.com/hackforla/website/security/code-scanning/3

Details

For this alert type we modify the code, adding the attribute rel="noopener noreferrer" to the <a> tag, as recommended in the alert detail page.

Unused variable, import, function or class - sample https://github.com/hackforla/website/security/code-scanning/94

Details

We remove declarations for unused variables, functions or classes to improve readability of the code.

Inclusion of functionality from an untrusted source - sample https://github.com/hackforla/website/security/code-scanning/37

Details

These are resolved by implementing an SRI check as detailed in #6120.

Malformed id attribute (see sample https://github.com/hackforla/website/security/code-scanning/25)

Details

The sample is an example of a false positive which results from the fact that CodeQL scans static HTML. In the static HTML source, the id attribute is empty, but in fact it is populated via JavaScript on page load.

Syntax error - sample https://github.com/hackforla/website/security/code-scanning/97 not resolved

Details

The sample is an example of a false positive which results from the inclusion of Jekyll/Liquid front matter which CodeQL attempts to parse as JavaScript.

Superfluous trailing arguments - sample resolution see https://github.com/hackforla/website/security/code-scanning/35

Details

A code quality and readability issue that may indicate a bug.

Use of returnless function - https://github.com/hackforla/website/security/code-scanning/57

Details

This usually indicates a bug or a misunderstanding of the syntax.

Missing variable declaration - https://github.com/hackforla/website/security/code-scanning/44

Details

A variable is used like a local variable but is missing a declaration, and so it becomes a global variable by default, subject to risk of global variable corruption. Resolved by adding the appropriate variable declaration, followed by testing to confirm that behavior of the code is unchanged.
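
An added example, not part of the original comment or the hackforla/website code base: a small Node.js pre-check for two of the alert types in the draft above ("Potentially unsafe external link" and "Inclusion of functionality from an untrusted source"), plus a rewrite that applies the rel="noopener noreferrer" fix. It assumes the link alert concerns external links opened with target="_blank"; the function names, the regex-based tag matching and the sample markup are all constructed for illustration.

```javascript
// Added example (not the project's code). Regex tag matching is a
// simplification for a quick local check, not a full HTML parser.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null; // null when the attribute is absent
}

const isExternal = (url) => /^(?:https?:)?\/\//i.test(url || '');
const REQUIRED_REL = ['noopener', 'noreferrer']; // the value the wiki draft prescribes

// List tags that would still need one of the two fixes described above.
function findAlerts(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<(?:a|script)\b[^>]*>/gi)) {
    if (/^<a\b/i.test(tag)) {
      const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
      const newTab = (attr(tag, 'target') || '').toLowerCase() === '_blank';
      if (newTab && isExternal(attr(tag, 'href')) && !REQUIRED_REL.every((t) => rel.includes(t))) {
        findings.push({ type: 'unsafe-external-link', tag });
      }
    } else if (isExternal(attr(tag, 'src')) && !attr(tag, 'integrity')) {
      findings.push({ type: 'missing-sri', tag }); // external script without an SRI hash
    }
  }
  return findings;
}

// Rewrite flagged <a> tags so rel carries both tokens, keeping existing ones.
function hardenLinks(html) {
  const flagged = new Set(findAlerts(html).filter((f) => f.type === 'unsafe-external-link').map((f) => f.tag));
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    if (!flagged.has(tag)) return tag;
    const kept = (attr(tag, 'rel') || '').split(/\s+/).filter(Boolean);
    const rel = [...new Set([...kept, ...REQUIRED_REL])].join(' ');
    const stripped = tag.replace(/\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return stripped.replace(/\s*\/?>$/, ` rel="${rel}">`);
  });
}

// Constructed sample markup (hosts and the integrity value are placeholders).
const SAMPLE = [
  '<a href="https://example.org/a" target="_blank">no rel</a>',
  '<a href="https://example.org/b" target="_blank" rel="nofollow noopener">partial</a>',
  '<a href="https://example.org/c" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/about" target="_blank">internal</a>',
  '<script src="https://cdn.example.org/lib.js"></script>',
  '<script src="https://cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>',
].join('\n');
```

`findAlerts(SAMPLE)` reports the first two links and the first script; after `hardenLinks(SAMPLE)` only the script without an integrity attribute remains, which is the case the SRI fix addresses.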

@roslynwythe roslynwythe added Ready for Prioritization ready for product and removed Draft Issue is still in the process of being created Ready for Prioritization labels Mar 18, 2024
@HackforLABot

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Monday, November 11, 2024 at 11:04 PM PST.

@HackforLABot

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Monday, November 18, 2024 at 11:04 PM PST.

Projects
Status: In progress (actively working)