Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security-extended to CodeQL queries #6815

Closed
wants to merge 1 commit into from

Conversation

tonybaloney
Copy link
Contributor

@tonybaloney tonybaloney commented Mar 30, 2021

This PR adds the security-extended queries to the CodeQL CI workflow.

These queries are more aggressive, which means that they can raise false positives, which is why they are disabled by default. But they're also really helpful and find lots of security bugs that the standard queries don't. The standard queries don't really check much in the way of security scans, they're mostly for general code quality.

@tonybaloney tonybaloney deleted the patch-1 branch March 30, 2021 23:49
@tonybaloney tonybaloney changed the title Add security-extended queries to the CodeQL CI workflow --- Mar 30, 2021
@tonybaloney tonybaloney changed the title --- Add security-extended to CodeQL queries Mar 31, 2021
@tonybaloney tonybaloney restored the patch-1 branch March 31, 2021 07:39
@tonybaloney tonybaloney reopened this Mar 31, 2021
@tonybaloney
Copy link
Contributor Author

For the issues raised in this PR, https://docs.github.com/en/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests#dismissing-an-alert-on-your-pull-request

If someone can please confirm the status of them and I can flag (or the maintainer can), using those instructions.

Issues can be dismissed in a couple of ways:

  • won't fix - kept as an issue but flagged so it won't show again
  • false positive - closes the issue and makes sure it isn't scanned again

As some of the issues are related to file input propagating in tooling, you can also use the "show paths" command in GitHub

@bagder
Copy link
Member

bagder commented Mar 31, 2021

Thanks, I went over all of the alerts and they were all false positives. Primarily in these two categories:

  1. using a file name passed in as an argument via argv[]
  2. using a weak cipher algorithm in NTLM code

@bagder bagder added the CI Continuous Integration label Apr 9, 2021
@bagder
Copy link
Member

bagder commented Apr 9, 2021

Thanks!

@bagder bagder closed this in 2908a82 Apr 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CI Continuous Integration
Development

Successfully merging this pull request may close these issues.

None yet

3 participants