Create codeql.yml #4624
Create codeql.yml #4624
Conversation
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #4624 +/- ##
=======================================
Coverage 59.74% 59.74%
=======================================
Files 288 288
Lines 24849 24849
=======================================
Hits 14846 14846
Misses 9117 9117
Partials 886 886 |
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
Thank you for contributing! It appears your commit message is missing a DCO sign-off, We require all commit messages to have a There is no need to open a new pull request, but to fix this (and make CI pass), Unfortunately, it's not possible to do so through GitHub's web UI, so this needs You can find some instructions in the output of the DCO check (which can be found Steps to do so "roughly" come down to:
Sorry for the hassle (I wish GitHub would make this a bit easier to do), and let me know if you need help or more detailed instructions! |
|
Canned replies FTW 😂 |
.github/workflows/codeql.yml
Outdated
|
|
||
| on: | ||
| push: | ||
| branches: [ "master", "18.06", "18.09", "19.03", "[a-zA-Z0-9][a-zA-Z0-9].[a-zA-Z0-9]", "[a-zA-Z0-9][a-zA-Z0-9].[a-zA-Z0-9][a-zA-Z0-9]" ] |
There was a problem hiding this comment.
We can remove the 19.03 and older branches; they're no longer maintained (I may have locked them as well)
(FWIW I'm considering to use different naming schemes for release branches; release/XXX for actively maintained release branches, and archive/XXX for branches that are no longer maintained - assuming those branches contain possibly code that was not in the latest tag from the branch)
There was a problem hiding this comment.
Canned replies FTW 😂
Lol yes
We can remove the 19.03 and older branches; they're no longer maintained (I may have locked them as well)
Sure, let's leave it just on master! We can update it if you decide to adopt the new release branch naming convention.
gabriellavengeo
force-pushed
the
patch-1
branch
from
0c4b91d to
8d99083
Compare
.github/workflows/codeql.yml
Outdated
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
| timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} |
There was a problem hiding this comment.
Guessing this part came from a template / example; we don't have swift in this repository, which effectively means that CodeQL now only runs on ubuntu-latest.
I guess we can remove the swift condition, or make it explicitly only run on ubuntu-latest, or if running it on different platforms improves coverage of CodeQL, perhaps we should have all of Linux, macOS, and Windows
There was a problem hiding this comment.
Yeah, it's from the auto-generated stuff, I'll clean it up
There was a problem hiding this comment.
Sorry for being nit-picky; I expect these kind of changes to apply to other repositories where we'll be adding CodeQL as well, so probably after we tweaked things, we can copy/pasta things to the other repositories 🤗
There was a problem hiding this comment.
No worries at all!
.github/workflows/codeql.yml
Outdated
| # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] | ||
| # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both | ||
| # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both | ||
| # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support |
There was a problem hiding this comment.
We'll unlikely be adding any of the other (currently supported) languages, so perhaps we should remove this comment, also because that list may be out of date at any time in future.
The link to what's currently supported (https://aka.ms/codeql-docs/language-support) may still be useful though, so perhaps keep that one.
There was a problem hiding this comment.
Yeah, sure, I'll clean up all the irrelevant autogenerated stuff
.github/workflows/codeql.yml
Outdated
| # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). | ||
| # If this step fails, then you should remove it and run the build manually (see below) | ||
| - name: Autobuild | ||
| uses: github/codeql-action/autobuild@v2 |
There was a problem hiding this comment.
This part feels like a lot of magic; I suspect it will just do a go build . (or along those lines), which won't match how we build our actual binaries (we may be passing specific build options).
Wondering if we can integrate this with a build-stage, and provide it access to the produced artefacts instead.
I see the lines below this outline "here's what to do if you don't want to use the auto build"
I suspect buildx and buildkit will be in a similar situation, and @crazy-max has a lot more GHA-Fu than I have; perhaps he has suggestions (and we can take a similar approach in the buildx repository - not having to reinvent the wheel)
There was a problem hiding this comment.
Actually autobuild tries to detect build scripts and common build systems, so from the logs it look like it's using the Makefile (https://github.com/docker/cli/actions/runs/6641001271/job/18042547995?pr=4624#step:4:110)
As for giving it access to the produced build artefacts, that wouldn't do the trick as it does some tracing and instrumentation during compilation to do the extraction (https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/database-create#-c---commandcommand). Same reason caching is an issue.
There was a problem hiding this comment.
Hm, right. One thing I notice at least that in that case, it builds on the host (not using the Dockerfile), and will build with a different version of Go;
2023/10/25 13:19:30 Autobuilder was built with go1.21.1, environment has go1.20.10
So we may need a go-setup action added to have the same version of Go as other workflows at least.
Do we know if the CodeQL analysis can be injected into a container somehow, so that it runs in the same environment as we'd otherwise be running in? 🤔
There was a problem hiding this comment.
There was a problem hiding this comment.
Hm, actually, for this to work like in the example
# Specify the container in which actions will run
container:
image: codeql-container:f0f91db
it would need to be an image from Hub or another configured registry, can't just give it a Dockerfile
.github/workflows/codeql.yml
Outdated
|
|
||
| on: | ||
| push: | ||
| branches: [ "master" ] |
There was a problem hiding this comment.
I guess we could use the same list as for the other workflows;
Lines 8 to 14 in 5fc42fc
There was a problem hiding this comment.
Will do, thanks!
gabriellavengeo
force-pushed
the
patch-1
branch
from
8d99083 to
7cda83d
Compare
There was a problem hiding this comment.
We already have a codeql workflow: https://github.com/docker/cli/blob/master/.github/workflows/codeql-analysis.yml
Could you just update this one and rename it codeql.yml?
@thaJeztah Yeah I got similar PR on login-action: docker/login-action#622
|
DOH! I knew we had it, but disabled at some point, so thought we removed it 🙈 |
gabriellavengeo
force-pushed
the
patch-1
branch
from
7cda83d to
4f96358
Compare
| @@ -1,6 +1,15 @@ | |||
| name: codeql | |||
| name: "CodeQL" | |||
There was a problem hiding this comment.
Same as docker/login-action#622 (comment) if you don't mind 😇
| codeql: | ||
| runs-on: ubuntu-20.04 | ||
| analyze: | ||
| name: Analyze |
There was a problem hiding this comment.
Same here docker/login-action#622 (comment)
gabriellavengeo
force-pushed
the
patch-1
branch
from
4f96358 to
a0a598e
Compare
Signed-off-by: Gabriela Georgieva <[email protected]>
.github/workflows/codeql.yml
Outdated
| container: | ||
| image: 'docker-cli-dev:latest' |
There was a problem hiding this comment.
Oh actually you need to remove this otherwise it fails:
Don't think we need it for codeql
There was a problem hiding this comment.
Oh yeah, that wasn't supposed to go into the commit - fixed!
gabriellavengeo
force-pushed
the
patch-1
branch
from
a0a598e to
39b1d37
Compare
|
@crazy-max @thaJeztah Thanks for reviewing! Don't have write access to merge it myself but feel free to do so |
There was a problem hiding this comment.
I was looking at the CodeQL logs and it seems codeql go extractor does not take into account our vendor.mod: https://github.com/github/codeql/blob/dbb4167f804e4b9dc5544a4a7bc19c3e4250ac2d/go/extractor/extractor.go#L221
Which could be an issue because files in vendor are interpreted as legit source code instead of dependencies which could result in false-positives for analysis. Maybe not a real issue though as I can see: https://github.com/github/codeql/blob/dbb4167f804e4b9dc5544a4a7bc19c3e4250ac2d/go/extractor/extractor.go#L200C2-L200C14
Not a CodeQL expert though so I defer 😅
|
@crazy-max yeah I think it's fine, it seems to skip them (seeing |
- What I did
Enable CodeQL scanning.
- How I did it
Add
codeql.yml- How to verify it
Check CodeQL Github action and code scanning results
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)