Feasibility and DR: use of CodeQL for VS Code

Open roslynwythe opened this issue 1 year ago • 9 comments

Overview

We should consider whether to adopt the policy that developers should install the "CodeQL for VS Code" extension. Currently the default branch of the repository is scanned weekly and the changed files in each Pull Request are scanned, however there are advantages to receiving alerts prior to initiating the Pull Request process.

Action Items

  • [x] Become familiar with the repository level CodeQL scanning implemented in #4886
  • [x] Consider whether HfLA developers should install the CodeQL for VS Code extension.
  • [x] We are currently in the process of moving the old wiki to the new website-wiki repo, so we will not be making any changes or additions to the old wiki at this time. Thus, we will be adding wiki content through a different process now. Read How to Contribute to the Wiki
  • [x] Following the instruction in How to Contribute to the Wiki, write a draft DR with your recommendation in a comment in this issue.
  • [x] Move this issue to Questions/In Review and add the ready for dev lead label.

Resources/Instructions

roslynwythe avatar Aug 10 '23 08:08 roslynwythe

Hi @kiran98118, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

github-actions[bot] avatar Feb 04 '24 01:02 github-actions[bot]

i. Availability: I am available on Sunday, Tuesday, Wednesday, Friday and Saturday (10 am to 5pm) ii. ETA: 11-02-2024

kiran98118 avatar Feb 04 '24 01:02 kiran98118

@kiran98118 It looks like you forgot to move this to the in progress column on the board. I will move it for you.

ExperimentsInHonesty avatar Feb 13 '24 21:02 ExperimentsInHonesty

Thank you Bonnie.

kiran98118 avatar Feb 14 '24 03:02 kiran98118

Hi @kiran98118!

It looks like you have moved this because you are finished with the issue and it is ready for review. However, I don't see a draft DR in a comment on this issue or a link to a DR on the How to Contribute to the Wiki page. If I've missed it, please let me know. Otherwise, please add the DR according to the instructions on the How to Contribute to the Wiki page. Feel free to ping me if you have any questions. I am moving this back to the In Progress (actively working) column for now. Please move it back to Questions / In Review once you've completed the DR and add the ready for dev lead label.

Thanks for taking the time to contribute!

LRenDO avatar Feb 21 '24 19:02 LRenDO

@kiran98118

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Monday, February 19, 2024 at 11:06 PM PST.

github-actions[bot] avatar Feb 23 '24 07:02 github-actions[bot]

Draft DR: Recommendation to adopt CodeQL for VS Code extension

  • HfLA developers should install the "CodeQL for VS Code" extension to enable real-time code analysis and security vulnerability detection within their local development environment.

  • The extension will provide immediate feedback and alerts on potential issues, allowing developers to address them before submitting a Pull Request.

  • This proactive approach complements the existing repository-level and Pull Request-level CodeQL scanning, further enhancing the overall code quality and security posture of the project.

  • Early detection and resolution of code issues and vulnerabilities, reducing the risk of introducing defects or security vulnerabilities into the codebase.

  • Improved developer productivity by addressing potential issues locally, minimizing the need for rework after the Pull Request review process.

  • Establish coding guidelines and standards that incorporate the CodeQL analysis findings and recommendations.

  • Gather feedback from HfLA developers on their experience with the "CodeQL for VS Code" extension and address any concerns or issues that arise.

kiran98118 avatar Feb 26 '24 03:02 kiran98118

Thank you @kiran98118 for your analysis. A problem with CodeQL has become apparent in #5234 and I would like to ask you about it. The problem is that on GitHub, CodeQL fails to scan any file that contains non-JS code, including liquid statements that appear in many of our JS files. Do you happen to know if the same will occur in the "CodeQL for VS Code" extension, and if there is a workaround?

roslynwythe avatar Feb 29 '24 18:02 roslynwythe

@roslynwythe

CodeQL only supports C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, Swift languages. If the code you're attempting to scan is not written in one of the supported languages, the CodeQL scan will fail automatically. This behavior is also observed when using the CodeQL extension within Visual Studio (VS). The tool does not have the capability to analyze or process code written in languages that are not explicitly supported by the CodeQL platform.

kiran98118 avatar Mar 13 '24 16:03 kiran98118
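The two comments above describe the failure mode at issue: JS files in a Jekyll site carry Liquid tags (`{{ ... }}` and `{% ... %}`), which are not JavaScript, so the CodeQL JavaScript extractor cannot parse them. The following is an added example, not code from the HfLA repository or from either commenter, that finds such files ahead of a scan and renders them as a `paths-ignore:` list for a CodeQL configuration file. The sample sources and paths (`assets/js/plain.js`, `assets/js/templated.js`) are constructed for illustration; the Liquid-tag regular expression is a heuristic and would also match a literal `{{` inside a JS string, so review its output before excluding files.

```python
"""Flag JavaScript files that contain Liquid template tags.

Added example (not HfLA project code). Liquid output tags {{ ... }} and
logic tags {% ... %} are not valid JavaScript, so a file containing them
cannot be parsed by the CodeQL JavaScript extractor. Finding them ahead
of time lets a maintainer exclude the templated files from the scan (or
move the Liquid out of them) instead of discovering the failure in CI.
"""
import re
from typing import Dict, List, Tuple

# Liquid tags, with optional whitespace-control dashes ({{- ... -}}, {%- ... -%}).
# Heuristic: a literal "{{" inside a JS string would also match, so the
# results are a review list, not an authoritative verdict.
LIQUID_TAG = re.compile(r"\{%-?\s*(.*?)\s*-?%\}|\{\{-?\s*(.*?)\s*-?\}\}", re.DOTALL)


def find_liquid_tags(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag_text) for every Liquid tag in a JS source string."""
    hits: List[Tuple[int, str]] = []
    for match in LIQUID_TAG.finditer(source):
        # Line number = number of newlines before the match start, plus one.
        line_no = source.count("\n", 0, match.start()) + 1
        hits.append((line_no, match.group(0)))
    return hits


def partition_js_files(files: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split a {path: source} mapping into (clean_js, templated_js), each sorted."""
    clean: List[str] = []
    templated: List[str] = []
    for path in sorted(files):
        (templated if find_liquid_tags(files[path]) else clean).append(path)
    return clean, templated


def paths_ignore_block(templated: List[str]) -> str:
    """Render a `paths-ignore:` YAML list suitable for a CodeQL config file."""
    lines = ["paths-ignore:"] + [f"  - {path}" for path in templated]
    return "\n".join(lines) + "\n"


# Constructed sample sources (not taken from any real repository).
SAMPLE_FILES: Dict[str, str] = {
    # Plain JS: nested object literal and a template literal, neither of
    # which should trigger the Liquid heuristic.
    "assets/js/plain.js": (
        "const cfg = { nested: { a: 1 } };\n"
        "const msg = `value=${cfg.nested.a}`;\n"
    ),
    # Jekyll-style JS with Liquid output and logic tags mixed in.
    "assets/js/templated.js": (
        "const baseurl = '{{ site.baseurl }}';\n"
        "{% if page.draft %}\n"
        "console.log('draft');\n"
        "{% endif %}\n"
    ),
}


if __name__ == "__main__":
    clean, templated = partition_js_files(SAMPLE_FILES)
    for path in templated:
        for line_no, tag in find_liquid_tags(SAMPLE_FILES[path]):
            print(f"{path}:{line_no}: {tag}")
    print(paths_ignore_block(templated), end="")
```

Run it over the real tree by replacing `SAMPLE_FILES` with the contents of the repository's `.js` files; the printed `paths-ignore:` block can be pasted into the CodeQL configuration referenced by the workflow, at the cost of leaving those files unscanned.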

Thank you @kiran98118 for your analysis and recommendation.

roslynwythe avatar Mar 21 '24 08:03 roslynwythe