Java: remove SpringBootActuators query
Description
This PR removes the githubsecuritylab/java/spring-boot-exposed-actuators query. This query was added to the default code scanning query suite by https://github.com/github/codeql/pull/18793 and released in CodeQL 2.21.0.
I will make follow-up PRs to update package dependencies for 2.21.0 (draft PR) and to publish a new release.
Consideration
- Does this need a change note? I see a Change notes section in CONTRIBUTING.md, but since the linked guide does not exist, I'm not sure if a change note is needed.
- I have not contributed to this repo before, so let me know if there's anything else I need to do.
(cc @michaelnebel)
> I will make follow-up PRs to update package dependencies for 2.21.0 (draft PR) and to publish a new release.
Excellent!
> Does this need a change note? I see a Change notes section in CONTRIBUTING.md, but since the linked guide does not exist, I'm not sure if a change note is needed.
Good question. It appears that this guide was merged around the time when we added the experimental queries in the first place (at that time we didn't make any change notes). My best guess is that we don't need to add a change note (as this part of the documentation is dangling/unfinished). In any case, maybe ask in #codeql-community-packs on Slack (the section in the Contributing file should either be deleted or extended with the missing parts).
> In any case, maybe ask in #codeql-community-packs on Slack
Will do, thanks!
@michaelnebel A change note is not required. The section in the Contributing file will be deleted in https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/pull/127.
Can you merge this PR for me? Or give me access to merge in this repo? I don't have an option to merge, I just see:
Merging is blocked
You're not authorized to push to this branch. Visit https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches for more information.
Code scanning is waiting for results from CodeQL for the commits 7de4b4b or 798d8ed.
I have added you as maintainer. Maybe it should be done properly as part of entitlements (maybe ask for permission in the Slack channel - this is probably up to SecLab).
> I have added you as maintainer.
Thanks! I have access to push to the repo now, but I still see:
Merging is blocked
Code scanning is waiting for results from CodeQL for the commits 7de4b4b or 798d8ed.
Do you know what needs to be done to resolve that message?
Haven't seen that before; maybe the CodeQL workflow wasn't triggered when the PR was made since you didn't have the right permissions at that time. Maybe rebase and push again.
> Haven't seen that before; maybe the CodeQL workflow wasn't triggered when the PR was made since you didn't have the right permissions at that time. Maybe rebase and push again.
I've rebased but am still seeing the same message. 🤔 I'll ask about this in the Slack channel.
It's odd - the CodeQL workflow is not triggered at all. Maybe consider opening a new PR since we changed the permissions. Alternatively we can ignore this - the CodeQL analysis will not tell us anything - as this PR is deleting a QL query.
@jcogs33 / @michaelnebel I think we can ignore the CodeQL error for now. I'm not sure why it's not run but maybe it was something to do with me setting up the Rules back in May