Add codeql-analysis.yml GitHub Actions Workflow #7961
on: | ||
push: | ||
branches: [ 'jetty-[1-9]?[0-9].[0-9].x', 'feat/JLL/codeql-support' ] |
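Review bot: the push branch list mixes release-branch patterns with 'feat/JLL/codeql-support', which reads as the development branch used to try this workflow out; drop it before merge so the trigger is limited to release branches. The pattern 'jetty-[1-9]?[0-9].[0-9].x' also matches the 9.x branches that this thread says are being deprecated, so an explicit list of the supported branches is the safer choice.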
Just hardcode `jetty-10.0.x`, `jetty-11.0.x`, and `jetty-12.0.x`.
Note: Jetty 9.x is being deprecated soon. See: #7958
If you support branching names like `9.4.x`, and will use that pattern for future development, wouldn't it be this?
`[ 'jetty-10.[1-9]?[0-9].x', 'jetty-11.[1-9]?[0-9].x', 'jetty-12.[1-9]?[0-9].x' ]`
Once this is merged, the maintainers of the Eclipse Jetty project will be able to see the alerts here. Also, merging this will establish a new baseline, and any PRs that unintentionally introduce a new security vulnerability will be flagged 😄
I think this PR is in a complete state. The one check 'Code scanning results / CodeQL' will not pass this time, but for other PRs it will pass because it will compare against what's on the default branch as a baseline.
This is interesting, but we'll need some time to absorb what this means to our processes.
If you don't want to run this job on PRs in general, we can always remove these lines:
strategy: | ||
fail-fast: false | ||
matrix: | ||
language: [ 'java', 'javascript' ] |
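Review bot: `fail-fast: false` is the right setting here, since a failure in the javascript job should not cancel the java scan that produces the baseline; a one-line comment on the `language` list saying that 'javascript' is there for the demo apps would save the next reader the question raised in this thread.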
We do not have any javascript here, so there is no real need for a matrix.
We do have javascript, in the demo apps. Check the bottom of the "files changed" tab in this PR to see where it's finding bugs.
ah yup demos 🤦
branches: [ 'jetty-10.[1-9]?[0-9].x', 'jetty-11.[1-9]?[0-9].x', 'jetty-12.[1-9]?[0-9].x' ] | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
branches: [ 'jetty-10.[1-9]?[0-9].x', 'jetty-11.[1-9]?[0-9].x', 'jetty-12.[1-9]?[0-9].x' ] |
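Review bot: the two branch lists are identical, which satisfies the comment that the pull_request set must be a subset of the push set, but they now have to be kept in sync by hand whenever a release branch is added. It is also worth a comment that `?` in GitHub's branch filter syntax means zero or one of the preceding character (so 'jetty-10.[1-9]?[0-9].x' covers jetty-10.0.x and jetty-10.12.x alike), which differs from the shell glob meaning of `?` and is easy to misread.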
Not sure we want to run this on PRs.
Just a weekly on hardcoded branches might be enough.
I'm ok with PRs, it will catch accidentally introduced bugs.
Correct, because we already have some reports we do nothing about.
Not a bad thing, but yes. I'm currently discussing with the GitHub team if there's a way to build the database without reporting query results. They say that there is, but it's a bit of a hack.
Is it possible to exclude
It is, but I don't remember how to off hand. I suggest consulting the documentation.
Hello! Your friendly neighborhood security researcher here!
GitHub is slowly (not entirely there yet) migrating away from LGTM.com
to establishing a way for security researchers to work with CodeQL databases
fully through GitHub.com. This 'new' way requires that databases get built
via GitHub actions and uploaded to GitHub.
The old way, supported by the `.lgtm.yaml` file, will continue to exist for a while (and I'll continue to use it), but as a researcher, if the Jetty project also built a CodeQL database and uploaded it, I'd find it incredibly useful.
In summary, this PR adds a GitHub action to build a CodeQL database and runs
GitHub's CodeQL analysis tool which audits the code for security vulnerabilities.
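As an added example (not the workflow file from this PR), here is a codeql-analysis.yml that folds in the review suggestions from the thread: hardcoded release branches instead of patterns, a weekly scheduled run, the two-language matrix kept for the demo apps, and a token limited to what uploading results requires. The action versions, the JDK pin and the `security-extended` query suite are assumptions, not something this PR specifies.

```yaml
# Added example: a CodeQL workflow reflecting the review thread above.
# Not the file from this PR; action versions and the JDK pin are assumptions.
name: "CodeQL"

on:
  push:
    branches: [ 'jetty-10.0.x', 'jetty-11.0.x', 'jetty-12.0.x' ]   # hardcoded, as suggested
  pull_request:
    # Must be a subset of the push branches so every PR has a baseline to diff against
    branches: [ 'jetty-10.0.x', 'jetty-11.0.x', 'jetty-12.0.x' ]
  schedule:
    - cron: '23 4 * * 1'   # weekly, Monday 04:23 UTC: picks up newly published queries

# Least privilege: read the code, upload SARIF results, nothing else
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false            # a javascript failure must not cancel the java scan
      matrix:
        language: [ 'java', 'javascript' ]   # javascript covers the demo webapps
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3   # assumption: JDK 17 builds all three branches
        if: matrix.language == 'java'
        with:
          distribution: temurin
          java-version: '17'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # assumption: broader suite than the default

      # autobuild runs the Maven build for java; javascript needs no build step
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

Removing the `pull_request` trigger leaves only the weekly scan on the hardcoded branches that one reviewer asked for, at the cost of the per-PR regression check the author describes.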