Create GHA to create issues when new CodeQL alerts are detected

[roslynwythe]

Overview

Create a new GitHub action workflow to create GitHub issues when new CodeQL alerts are detected so that we may respond in a prompt manner and ensure the security and quality of our codebase

Details

• The workflow .github/workflows/codeql.yml implements CodeQL scanning of the gh-pages branch weekly, as well as scanning of pushed commits and pull requests, using the "security and code quality" suite.
• Alerts are displayed in the repository "Security" tab on the code scanning page[^1]
• It is also posible to use the REST API to retrieve and update code scanning alerts from a repository.
• To ensure that each CodeQL alert is managed, our goal will be to track each alert with an issue. There are several means to link a tracking issue with a CodeQL alert.
• The suggested strategy for this issue is to check every CodeQL alert for a tracking issue, and create new tracking issues as needed. If a different strategy is proposed, explain the strategy in a comment, move the issue to "Questions/In Review" and apply the ready for dev lead label

Action Items

• [ ] In the workflow file .github/workflows/codeql.yml, add a new job following analyze OR add a new step to analyze, to perform the following steps following the execution of the existing analyze job:
  • [ ] Examine each open CodeQL alert for a tracking issue. If a CodeQL does is not linked to a tracking issue, create an issue with template shown below. Each instance of [ALERT #] in the template must be replaced by the CodeQL alert #.
    • [ ] The new issue should have the title "Resolve CodeQL query [ALERT #] - generated by GHA"
    • [ ] apply the label ready for dev lead

Resources/Instructions

Issue Template

### Prerequisite
1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).
2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).

### Overview
We need to resolve the new `[ALERT #]` and either recommend dismissal of the alert or update the code files to resolve the alert.    

### Action Items
- [ ] The following action item serves to "link" this issue as the "tracking issue" for the CodeQL alert and to provide more details regarding the alert. 
- [ ] https://github.com/hackforla/website/security/code-scanning/`[ALERT #]`
- [ ] In a comment in this issue, add your analysis and recommendations.  The recommendation can be one of the following: `dismiss as test`, `dismiss as false positive`, `dismiss as won't fix`, or `update code`.  An example of a `false positive` is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as `---` or `{%`  
- [ ] If the recommendation is to dismiss the alert, apply the label `ready for dev lead` then move the issue to `Questions/In Review`
- [ ] If the recommendation is to update code:
   - [ ] create an issue branch and proceed with the code update
   - [ ] test using docker to ensure that there are no changes to any affected webpage(s)
   - [ ] proceed with pull request in the usual manner 
  
### Resources/Instructions
[^1]: [HfLA website: CodeQL scan alert audits - issue 5005](https://docs.google.com/spreadsheets/d/1B3R-fI8OW0LcYuwZICQZ2fB8sjlE3VsfyGIXoReNBIs/edit#gid=193401043)
[^2]:[Code scanning results page](https://github.com/hackforla/website/security/code-scanning)
[^3]: [CodeQL query help for JavaScript](https://codeql.github.com/codeql-query-help/javascript/)

- This issue was automatically generated from the codeql.yml workflow

[^1]:code scanning results page [^2]:[code scanning - in the GitHub REST API [^3]:Storing workflow data as artifacts [^4]:[template for issue to manage new alerts]

[github-actions[bot]]

Hi @roslynwythe.

Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing: Complexity, Role, Feature

NOTE: Please ignore the adding proper labels comment if you do not have 'write' access to this directory.

To add a label, take a look at Github's documentation here.

Also, don't forget to remove the "missing labels" afterwards. To remove a label, the process is similar to adding a label, but you select a currently added label to remove it.

After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization.

Additional Resources:

• Wiki: How to create issues
• Wiki: How to read and interpret labels

[ExperimentsInHonesty]

@roslynwythe in the Action Items it says download the artifact. Since this is a script, is it actually downloading the artifact, and if so where does it download it to?

[ExperimentsInHonesty]

Reword issue. a file would be created (log file), and new data would be added to it.

[github-actions[bot]]

Hi @roslynwythe, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[roslynwythe]

@ExperimentsInHonesty I changed the suggested strategy in this issue, so that every open CodeQL alert is examined and new tracking issues are created for those CodeQL alerts that do not have tracking issues.

[github-actions[bot]]

Hi @gaylem, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[gaylem]

Availability: M-Th 11AM-6pm CT, Weekends 12pm - 4pm ETA: Monday, March 25th 10pm CT

[gaylem]

The changes I made to codeql.yml are passing successfully, but I also don't think I'm testing properly:

Here's what I've done so far:

1. Created my own project board (but I don't think that helps in this case).
2. Replaced gh-pages with * in the branches section at the top of the yml file.
3. Replaced GITHUB_TOKEN with my own H4LA_TOKEN which is also stored on my repo in my secrets.
4. Enabled Issues in my repo.
5. Enabled Code Scanning in my Security tab. I'm seeing 38 active issues there.
6. Pushed the changes to my own private repo, where the GHA completed successfully.

Here are the problems:

1. I'm not seeing any issues created in my Issues tab. My best guess is that the CodeQL security alerts only register for changes made to the gh-pages branch, which is why they aren't being detected. I'm nervous about messing with the gh-pages branch locally, so I'm hoping there's another approach. 2. I'm not seeing any of my echo statements print in my GHA logs. This could just be because my code is wrong. I was able to log echo statements before the Workflow completed successfully, so I'm not sure what changed.

Any advice would be greatly appreciated!

Here is the entire updated file. My changes are at the bottom under Check for CodeQL Alerts:

# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ "*" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "*" ]
  schedule:
    - cron: '30 5 * * 5'

jobs:
  analyze:
    name: Analyze
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
        # Use only 'java' to analyze code written in Java, Kotlin or both
        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        queries: security-and-quality
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality


    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

    #   If the Autobuild fails above, remove it and uncomment the following three lines.
    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

    # - run: |
    #     echo "Run, Build Application using script"
    #     ./location_of_script_within_repo/buildscript.sh

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"

    - name: Check for CodeQL alerts
      run: |
        # Get a list of open CodeQL alerts
        alerts=$(curl -s -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -X GET "https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts?state=active")

        # Check if there are any alerts
        if [[ -n $alerts ]]; then

          # Define the _jq function outside the loop to extract values from alerts JSON 
          _jq() {
            echo "$1" | jq -r "${2}"
          }

          # Loop through each alert
          while IFS= read -r alert; do

            # Extract necessary info from the alert
            alertId=$(echo "$alert" | jq -r '.number')
            locationPath=$(echo "$alert" | jq -r '.html_url')

            echo "alertId: $alertId"
            echo "locationPath: $locationPath"

            # Check if there is an existing tracking issue for the alert
            trackingIssue=$(curl -s -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -X GET "https://api.github.com/search/issues?q=repo:${{ github.repository }}+codeql-alert-id:${alertId}+state:open")

            echo "trackingIssue: $trackingIssue"

            # If no tracking issue exists, create a new one
            if [[ -z $trackingIssue ]]; then
              issueTitle="Resolve CodeQL query ${alertId} - generated by GHA"
              issueBody="{\"title\":\"$issueTitle\",\"body\":\"### Prerequisite\n1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).\n2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).\n\n### Overview\nWe need to resolve the new \`[ALERT ${alertId}]\` and either recommend dismissal of the alert or update the code files to resolve the alert.\n\n### Action Items\n- [ ] The following action item serves to \"link\" this issue as the \"tracking issue\" for the CodeQL alert and to provide more details regarding the alert.\n- [ ] ${locationPath}\n- [ ] In a comment in this issue, add your analysis and recommendations. The recommendation can be one of the following: \`dismiss as test\`, \`dismiss as false positive\`, \`dismiss as won't fix\`, or \`update code\`. An example of a \`false positive\` is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as \`---\` or \`{%\`\n- [ ] If the recommendation is to dismiss the alert, apply the label \`ready for dev lead\` then move the issue to \`Questions/In Review\`\n- [ ] If the recommendation is to update code:\n  - [ ] create an issue branch and proceed with the code update\n  - [ ] test using docker to ensure that there are no changes to any\"}"

              echo "issueBody: $issueBody"

              # Create a new issue
              response=$(curl -X POST -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -d "{\"title\":\"$issueTitle\",\"body\":\"$issueBody\"}" "https://api.github.com/repos/${{ github.repository }}/issues")

              echo "response: $response"

              # Extract the issueNumber from the response
              issueNumber=$(echo $response | jq -r '.number')

              echo "issueNumber: $issueNumber"

              # Add the "ready for dev lead" label to the new issue
              curl -X POST -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -d "{\"labels\":[\"ready for dev lead\"]}" "https://api.github.com/repos/${{ github.repository }}/issues/${issueNumber}}/labels"
            fi
          done
        fi

[t-will-gillis]

Hey @gaylem I took a look at the code you posted and tried to get it to run in my repo.

• I think that the code scanning is happening per branch (i.e. not only for gh-pages). In my repo I created a update-codeql branch and the "Security" tab reports 38 issues found specifically in update-codeql

• You are correct, not a good idea to make changes in the gh-pages branch and I don't think it is needed for the codeQL

• For the 'branches' lines 16 and 19 I would use the name of the actual branch rather than the wildcard. I don't know if the wildcard results in all of your repos being scanned or only the current branch, but using the name of current branch works for sure.

• I could not get the curl commands to work, but I am not too familiar with curl.

• I got partial results rewriting the curl command to match more closely the syntax shown in the GitHub docs, hardcoding OWNER/REPO, removing 'GET' and the quotes on the URL. But I am getting a message that I am not authorized to see alerts which makes me think that (besides making the other edits) there might be a problem with the syntax for the authorization/ token. The token I'm using retrieves the alerts using REST API in JavaScript, so I know it is not the token itself.

• BTW Is there any reason to use curl? This would be straightforward to write this using REST API with JavaScript.

Hope at least that helps a little...

[roslynwythe]

@gaylem Unfortunately I'm also not familiar with curl in this context. If I understand correctly, you are not able to verify that curl is retrieving the list of alerts, so you might try the GitHub REST API, using the link sent by @t-will-gillis. The documentation mentioned that the token should have the security_events or the public_repo scope.

[gaylem]

Thank you so much @t-will-gillis and @roslynwythe!! I'll dig into your advice today and let you know how it goes.

[ExperimentsInHonesty]

@gaylem Im moving this issue back to in progress. If you need additional help, please add your comment and move it back to question column and add the ready for dev lead label.

[gaylem]

Progress: This issue is basically done, but I have a blocker related to my github-token on one of the codeql.yml steps I added. It doesn't appear to have sufficient permissions. Blockers: See details in this comment. Availability: Weekdays ETA: Uncertain, but hopefully by Wednesday 4/10/2024