
GitHub Actions: Implement CodeQL

Open macho-catt opened this issue 3 years ago • 23 comments

Overview

As a developer, we need to ensure that we write secure code and defend against vulnerabilities. To do so, we need to configure code scanning using CodeQL.

Action Items

  • [ ] Research and investigate how we can use CodeQL
    • [ ] Any notes should be documented in this ticket, or should be stored in the website team's Google Drive
  • [ ] We want CodeQL to scan the vulnerabilities for the following:
    • [ ] JS code
    • [ ] GitHub Actions
    • [ ] Liquid
  • [ ] Create a prototype on your own fork of the repository
  • [ ] Schedule a time with the team and the lead to demo your findings and implementation
  • [ ] Once approved, write a pull request to implement CodeQL

Resources/Instructions

  • Code Scanning in GitHub
  • About CodeQL
  • Events that trigger workflows
  • Workflow syntax for GitHub Actions
  • actions/github-script
  • GitHub REST API

macho-catt avatar Oct 26 '21 16:10 macho-catt

Hi @macho-catt.

Good job adding the required labels to this issue.

Additional Resources:
  • Wiki: How to add status labels to issues (WIP. Link will be updated when the wiki is done)
  • Wiki: How to create issues (WIP. Link will be updated when the wiki is done)

github-actions[bot] avatar Oct 26 '21 16:10 github-actions[bot]

ETA: 5/25/22
Availability: 2 hrs per week

SAUMILDHANKAR avatar May 11 '22 00:05 SAUMILDHANKAR

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures: "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, May 17, 2022 at 12:21 AM PST.

github-actions[bot] avatar May 20 '22 07:05 github-actions[bot]

Progress: Did preliminary research on CodeQL. Planning to start configuring in my own repo next week.
Blockers: No blockers
Availability: 1 hr
ETA: 5/30/22

SAUMILDHANKAR avatar May 21 '22 00:05 SAUMILDHANKAR

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures: "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, May 31, 2022 at 12:19 AM PST.

github-actions[bot] avatar Jun 03 '22 07:06 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures: "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, June 7, 2022 at 12:21 AM PST.

github-actions[bot] avatar Jun 10 '22 07:06 github-actions[bot]

Progress: Not much progress since last week but will have more time next week.
Blockers: No blockers
Availability: 1 hr
ETA: 6/20/22

SAUMILDHANKAR avatar Jun 11 '22 00:06 SAUMILDHANKAR

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, June 21, 2022 at 12:20 AM PST.

github-actions[bot] avatar Jun 24 '22 07:06 github-actions[bot]

Progress: Did some more reading, should have more updates on this next week.
Blockers: No blockers
Availability: 2 hrs
ETA: 7/5/22

SAUMILDHANKAR avatar Jun 26 '22 21:06 SAUMILDHANKAR

Progress: I set up a default version of CodeQL with a GitHub Actions workflow in one of the branches in my repo. Would be editing the workflow and testing out the functionality next.
Blockers: No blockers
Availability: 2 hrs
ETA: 7/12/22

SAUMILDHANKAR avatar Jul 06 '22 02:07 SAUMILDHANKAR

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, July 12, 2022 at 12:20 AM PST.

github-actions[bot] avatar Jul 15 '22 07:07 github-actions[bot]

Progress: Not much progress, still need to make changes to the workflow.
Blockers: No blockers
Availability: 2 hrs
ETA: 7/29/22

SAUMILDHANKAR avatar Jul 17 '22 09:07 SAUMILDHANKAR

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, July 26, 2022 at 12:20 AM PST.

github-actions[bot] avatar Jul 29 '22 07:07 github-actions[bot]

Progress: Would be working on the workflow changes this week.
Blockers: No blockers
Availability: 2 hrs
ETA: 8/10/22

SAUMILDHANKAR avatar Aug 01 '22 17:08 SAUMILDHANKAR

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, August 9, 2022 at 12:20 AM PST.

github-actions[bot] avatar Aug 12 '22 07:08 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, August 16, 2022 at 12:21 AM PST.

github-actions[bot] avatar Aug 19 '22 07:08 github-actions[bot]

Progress: I was able to run a few tests using the CodeQL workflow which is now set up in my repo and below are the main observations:

  1. Currently, CodeQL only scans vulnerabilities for some of the programming languages including JavaScript. This should be useful for our project since we have a lot of JavaScript code.
  2. A CodeQL workflow can be set up for a repo and can be customized similar to how GitHub Actions workflows are set up. The workflow can be triggered on push, pull requests, or on a specific schedule. It can also be customized to work with different branches (would need a discussion on which approach is best. My recommendation is to trigger once a month on gh-pages).
  3. While scanning the codebase in my repo, CodeQL reported 3 different types of warnings:
  4. There is also an option to run custom queries but that would need more analysis.

Will be reaching out to the leads to schedule a demo next.
Blockers: No blockers
Availability: 2 hrs
ETA: 8/28/22

SAUMILDHANKAR avatar Aug 21 '22 17:08 SAUMILDHANKAR
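The observations above describe a CodeQL workflow that scans JavaScript, runs on pull requests and on a schedule, and is pinned to the gh-pages branch. As an added illustration (not the workflow from this issue, and not code from the hfla website repository), here is a minimal workflow matching that description. The branch name gh-pages and the JavaScript-only scope come from the comment; the file path, cron time, action versions and the choice of the `security-extended` query suite are assumptions. CodeQL has no support for Liquid templates, so only the JavaScript item from the ticket's list is covered here.

```yaml
# .github/workflows/codeql.yml  (added example; file path and action versions are assumptions)
name: CodeQL

on:
  # Scan pull requests that target the deployment branch named in the comment.
  pull_request:
    branches: [gh-pages]
  # Monthly scan, as recommended above; the exact cron value is an assumption.
  schedule:
    - cron: '0 6 1 * *'   # 06:00 UTC on the 1st of each month
  # Allow a manual run from the Actions tab, useful for the demo.
  workflow_dispatch:

# Least privilege: the job only needs to read the code and upload SARIF results
# to the repository's code scanning alerts.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze JavaScript
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          # CodeQL supports JavaScript; GitHub Actions workflow files and Liquid
          # templates are not covered by this language setting.
          languages: javascript
          # Built-in suite with more security queries than the default; the custom
          # queries mentioned in item 4 would be listed in a config-file instead.
          queries: security-extended

      # JavaScript is analyzed without a build, so no autobuild step is needed.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:javascript"
```

Two points worth checking before adopting this: scheduled runs always check out the repository's default branch, so if gh-pages is not the default branch the checkout step needs `ref: gh-pages` for the schedule event; and the three warning types reported during the test run will appear under the repository's Security tab as code scanning alerts, where each one can be triaged or dismissed with a reason.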

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, August 30, 2022 at 12:27 AM PST.

github-actions[bot] avatar Sep 02 '22 07:09 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, September 6, 2022 at 12:28 AM PST.

github-actions[bot] avatar Sep 09 '22 07:09 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, September 13, 2022 at 12:32 AM PST.

github-actions[bot] avatar Sep 16 '22 07:09 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, September 20, 2022 at 12:39 AM PST.

github-actions[bot] avatar Sep 23 '22 07:09 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, September 27, 2022 at 12:45 AM PST.

github-actions[bot] avatar Sep 30 '22 07:09 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, October 4, 2022 at 12:32 AM PST.

github-actions[bot] avatar Oct 07 '22 07:10 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, October 11, 2022 at 12:39 AM PST.

github-actions[bot] avatar Oct 14 '22 07:10 github-actions[bot]

@SAUMILDHANKAR

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, October 18, 2022 at 12:33 AM PST.

github-actions[bot] avatar Oct 21 '22 07:10 github-actions[bot]

@SAUMILDHANKAR hasn't responded since August, sending this back to New Issue Approval to see if anything needs to happen with it before we return it to Prioritized Backlog.

blulady avatar Oct 25 '22 01:10 blulady

@blulady Have we tried to reach Saumil by Slack or email?

bishrfaisal avatar Nov 06 '22 17:11 bishrfaisal

@bishrfaisal I sent Saumil an email today using the [email protected] account and also private messaged him in Slack.

JessicaLucindaCheng avatar Nov 09 '22 00:11 JessicaLucindaCheng

@SAUMILDHANKAR responded with the following Slack message:

I would like to finish the issue. Would work on the demo and post the update in a few days. Will reach out to Kathryn to schedule a demo. Sorry for the delay and thank you for following up.

Thus, I will be moving this issue back to the In Progress column.

Please remember to post progress updates (Progress, Blockers, Availability, ETA) in this issue. Thanks.

JessicaLucindaCheng avatar Nov 09 '22 02:11 JessicaLucindaCheng

Progress: I have set up the CodeQL workflow in a branch in my repo and it is ready for demo. @kathrynsilvaconway @blulady @bishrfaisal @JessicaLucindaCheng Please advise on an appropriate time for the demo. My availability is flexible and I have added preferred times below as well.
Blockers: No blockers
Availability: Thursday 11/10 6-9 PM Pacific Time, Sunday 11/13 10 AM - 1 PM Pacific Time, Tuesday 11/15 6-9 PM Pacific Time
ETA: 11/18/22

SAUMILDHANKAR avatar Nov 10 '22 00:11 SAUMILDHANKAR