
Create new issue template for resolution of CodeQL alert

Open · roslynwythe opened this issue 1 year ago · 1 comment

Dependency

  • [ ] Wiki page "How to resolve CodeQL alerts" (when this is ready, fill in the URL in the Resources section below)

Overview

We need an issue template to help in creating issues to resolve CodeQL alerts

Action Items

  • [ ] Create a new file .github/ISSUE_TEMPLATE/resolve-CodeQL-alert.md
  • [ ] Copy/Paste the text below into the file, then save it
  • [ ] Refer to these instructions for testing the new template and preparing the Pull Request.

Content of issue template

---
name: Resolve CodeQL alert
about: Recommend dismissal or update code to resolve CodeQL alert
title: 'Resolve CodeQL Alert [INSERT-ALERTID]'
labels: 'Complexity: Missing, Feature: Code Alerts, role: front end, size: missing'
assignees: ''

---

### Prerequisite
1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).
2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).

### Overview
As developers, we need to analyze [CodeQL query alert INSERT-ALERTID](https://github.com/hackforla/website/security/code-scanning/INSERT-ALERTID) and to either recommend dismissal of the alert or update the code to resolve the alert.

### Action Items
- [ ] DO NOT DISMISS ANY ALERTS.  Dismissal of alerts should be done by dev leads only after review of the recommendation
- [ ] Browse to the link in the next Action Item and read the contents.  Click "See More" to view Recommendations, Examples and References.  
- [ ] https://github.com/hackforla/website/security/code-scanning/INSERT-ALERTID 
- [ ] It might be useful to look at the resolution of similar alerts that have been closed.  To do that visit the [code scanning page](https://github.com/hackforla/website/security/code-scanning) and search closed alerts for similar alert type.  To see the resolution of a closed alert, view the alert details and open the tracking issue (outlined in red in the screenshot under Resources)
- [ ] In a comment in this issue, provide your recommendation.  The recommendation can be one of the following: `dismiss as test`, `dismiss as false positive`, `dismiss as won't fix`, or `update code`.  An example of a 'false positive' is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as `---` or `{%`.  
- [ ] If the recommendation is to update code:
   - [ ] create an issue branch and proceed with the code update
   - [ ] Use docker to test locally, ensuring that there are no changes to any affected webpage(s)
   - [ ] proceed with pull request in the usual manner 
- [ ] If the recommendation is to dismiss, describe your reason for dismissal in the comment, then move the issue to `Questions/In Review` and apply the label `ready for dev lead`.  


### For merge team/dev lead
- [ ] If recommendation to dismiss is approved, dismiss the alert with a comment, then close the issue as completed.
- [ ] When this issue is closed please check off the dependency (under "Analysis Issues") in #5005.  If all analysis issues are closed, close #5005 as completed.  
  
### Resources/Instructions
<details><summary>Screenshot of CodeQL alert detail page with tracking issue outlined in red</summary>

![CodeQLAlert](https://github.com/hackforla/website/assets/5314153/b74c4ec5-0297-4e30-b89a-097a088a47b3)

</details> 


- [GitHub CodeQL documentation](https://codeql.github.com/docs/codeql-overview/about-codeql/)
- Wiki page "How to resolve CodeQL alerts"
- This issue is part of #5005 

Resources/Instructions

Testing Issue Templates

roslynwythe avatar Aug 17 '23 02:08 roslynwythe
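The template above tells the assignee to recommend `dismiss as false positive` when a CodeQL JavaScript syntax-error alert is really caused by Jekyll front matter (`---`) or Liquid tags (`{% ... %}`, `{{ ... }}`) in the flagged file. The helper below is an added example, not code from the hackforla/website repository or from this issue: it scans the contents of the file an alert points at and reports whether such templating syntax is present, so the evidence can be pasted into the recommendation comment. The regexes, the `Triage` class and both sample files are assumptions constructed for the example; the sample files are not files from the repository.

```python
"""Added example for triaging a CodeQL "JavaScript syntax error" alert.

Not part of the hackforla/website repository or of the issue above.  It checks
whether the flagged file contains Jekyll front matter or Liquid tags, which
CodeQL's JavaScript extractor cannot parse; that is the false-positive pattern
the issue template describes.
"""

import re
from dataclasses import dataclass

# Jekyll front matter: a YAML block delimited by `---` lines at the very top of the file.
FRONT_MATTER_RE = re.compile(r"\A---[ \t]*\r?\n.*?\r?\n---[ \t]*\r?\n", re.DOTALL)
# Liquid tag `{% ... %}` and Liquid output `{{ ... }}`, possibly spanning lines.
LIQUID_TAG_RE = re.compile(r"\{%-?.*?-?%\}", re.DOTALL)
LIQUID_OUTPUT_RE = re.compile(r"\{\{-?.*?-?\}\}", re.DOTALL)


@dataclass
class Triage:
    """Evidence gathered from the flagged file (assumed structure for this example)."""

    has_front_matter: bool
    liquid_tags: int
    liquid_outputs: int

    @property
    def recommendation(self) -> str:
        # Any Jekyll/Liquid syntax in a file CodeQL parsed as JavaScript is a
        # strong signal that the "syntax error" is an artefact of the templating
        # layer.  Treat it as a signal for the reviewer, not as proof: a dev lead
        # still confirms before dismissing, as the template requires.
        if self.has_front_matter or self.liquid_tags or self.liquid_outputs:
            return "dismiss as false positive"
        return "update code"

    def evidence(self) -> str:
        """One-line summary suitable for pasting into the issue comment."""
        return (
            f"front matter: {'yes' if self.has_front_matter else 'no'}, "
            f"liquid tags: {self.liquid_tags}, liquid outputs: {self.liquid_outputs}"
        )


def triage_js_syntax_alert(source: str) -> Triage:
    """Classify the contents of the file referenced by a syntax-error alert."""
    has_fm = FRONT_MATTER_RE.match(source) is not None
    # Strip the front matter before counting tags so YAML content is not scanned.
    body = FRONT_MATTER_RE.sub("", source, count=1) if has_fm else source
    return Triage(
        has_front_matter=has_fm,
        liquid_tags=len(LIQUID_TAG_RE.findall(body)),
        liquid_outputs=len(LIQUID_OUTPUT_RE.findall(body)),
    )


# Constructed sample: a Jekyll-processed JS file, the pattern behind the
# false positive described in the template.  `---` and `{% ... %}` are not
# valid JavaScript tokens, so the extractor reports a syntax error.
JEKYLL_JS = """---
layout: null
---
{% assign events = site.data.events %}
const events = {{ events | jsonify }};
export default events;
"""

# Constructed sample: plain JavaScript with a genuine syntax error
# (missing closing parenthesis in the parameter list).
BROKEN_JS = """function render(items {
  return items.map(i => i.name);
}
"""


if __name__ == "__main__":
    for name, src in (("jekyll.js", JEKYLL_JS), ("broken.js", BROKEN_JS)):
        t = triage_js_syntax_alert(src)
        print(f"{name}: {t.evidence()} -> {t.recommendation}")
```

Run it against the real file from the alert (`triage_js_syntax_alert(open(path).read())`) and paste the `evidence()` line into the recommendation comment; the dev lead still makes the dismissal, as the template's first action item requires.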

Hi @roslynwythe.

Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing: Complexity, Role, Feature

NOTE: Please ignore the adding proper labels comment if you do not have 'write' access to this directory.

To add a label, take a look at Github's documentation here.

Also, don't forget to remove the "missing labels" afterwards. To remove a label, the process is similar to adding a label, but you select a currently added label to remove it.

After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization.

Additional Resources:

github-actions[bot] avatar Aug 17 '23 02:08 github-actions[bot]

Readable version of template above - use for reviewing

Prerequisite

  1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our Getting Started page.
  2. Before you claim or start working on an issue, please make sure you have read our How to Contribute to Hack for LA Guide.

Overview

As developers, we need to analyze CodeQL query alert INSERT-ALERTID and to either recommend dismissal of the alert or update the code to resolve the alert.

Action Items

  • [ ] DO NOT DISMISS ANY ALERTS. Dismissal of alerts should be done by dev leads only after review of the recommendation
  • [ ] Browse to the link in the next Action Item and read the contents. Click "See More" to view Recommendations, Examples and References.
  • [ ] https://github.com/hackforla/website/security/code-scanning/INSERT-ALERTID
  • [ ] Note these resources:
    • [ ] See the wiki page "How to manage CodeQL alerts" (see under Resources)
    • [ ] To look at the resolution of similar alerts, visit the code scanning page and query closed alerts for similar alert type. To see the resolution of a closed alert, view the alert details and open the tracking issue (outlined in red in the screenshot under Resources)
  • [ ] In a comment in this issue, provide your recommendation. The recommendation can be one of the following: dismiss as test, dismiss as false positive, dismiss as won't fix, or update code. An example of a 'false positive' is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as --- or {%.
  • [ ] If the recommendation is to update code:
    • [ ] create an issue branch and proceed with the code update
    • [ ] Use docker to test locally, ensuring that there are no changes to any affected webpage(s)
    • [ ] proceed with pull request in the usual manner
  • [ ] If the recommendation is to dismiss, describe your reason for dismissal in the comment, then move the issue to Questions/In Review and apply the label ready for dev lead.

For merge team/dev lead

  • [ ] If recommendation to dismiss is approved, dismiss the alert with a comment, then close the issue as completed.
  • [ ] When this issue is closed please check off the dependency (under "Issues") in #5159. If all issues are closed, close #5159 as completed.

Resources/Instructions

Screenshot of CodeQL alert detail page with tracking issue outlined in red

CodeQLAlert

  • GitHub CodeQL documentation
  • code scanning page
  • Wiki page "How to resolve CodeQL alerts" (if this page does not exist see the draft at https://github.com/hackforla/website/issues/6463#issuecomment-2002573270)
  • This issue is part of #5159

ExperimentsInHonesty avatar Mar 19 '24 00:03 ExperimentsInHonesty

When #5059 is merged, this issue may be unnecessary, because the codeql.yml workflow will automatically generate issues to address open CodeQL alerts from the codebase. The only possible reason we would require an issue template for resolution of CodeQL alerts is if a CodeQL alert appears in a Pull Request and the assignee cannot resolve it, and we want a resolution prior to merging the code.

roslynwythe avatar Apr 11 '24 05:04 roslynwythe