Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CodeQL security analysis to GitHub Actions workflows #36957

Closed
smorimoto opened this issue Jan 16, 2021 · 6 comments
Closed

Add CodeQL security analysis to GitHub Actions workflows #36957

smorimoto opened this issue Jan 16, 2021 · 6 comments
Labels
build Issues and PRs related to build files or the CI.

Comments

@smorimoto
Copy link

It seems that a PR was opened by someone to add this before, but somehow it was closed. In many cases, I think it's worth doing this and I'm ready for PR, so if you are willing to add it, I will raise a PR.

@aduh95
Copy link
Contributor

aduh95 commented Jan 16, 2021

What is CodeQL, and why is it worth doing?

@smorimoto
Copy link
Author

CodeQL is a tool for finding vulnerabilities in the entire codebase. Since it was acquired by GitHub last year, it has been integrated natively, and now it can be easily integrated to workflows with GitHub Actions. It's free for open-source repositories, so there's no harm in using it. Of course, it doesn't find all the vulnerabilities, but it's much better than nothing.
https://securitylab.github.com/tools/codeql

@Trott
Copy link
Member

Trott commented Jan 16, 2021

CodeQL may be a good fit for lots of repositories, but I suspect this is not one of them. I could be wrong. Maybe there's a way to open a pull request adding it such that we can see what kind of results we get without having to land it in the repository first.

CodeQL was the tool created by/for LGTM.com. I therefore assume that enabling it here will result in similar results to LGTM.com. At the current time LGTM.com flags 160 things in the Node.js repository. Of those 160 alerts, 153 are in three dependencies that are vendored into the repository: V8, gyp, and inspector_protocol. The issues flagged appear to contain many false positives and/or test/tooling code that is not relevant to Node.js core.

Of the remaining 7, there are multiple false positives such as this incorrect flagging of a line in configure.py. I reported this as a bug in the CodeQL issue tracker in September. It's entirely possible a fix is imminent or already happened on the GitHub CodeQL side, but LGTM.com is still reporting this issue so maybe not.

Basically, my expectation is that a CodeQL analysis at the current time would produce too much noise to be useful. I could be wrong. Or I could be right but it will change as the tool evolves. As I said above, maybe there's a way to open a pull request adding it such that we can see what kind of results we get without having to land it in the repository first. If so, I'd welcome that.

@aduh95
Copy link
Contributor

aduh95 commented Jan 16, 2021

If CodeQL is able to reliably detect use of unsafe array iteration or report where primordials should be used, I'd be up for that, personally. I guess it depends how configurable it is, I agree it's not helpful if it produces more false positives than useful warnings.

@jasnell
Copy link
Member

jasnell commented Jan 16, 2021

I won't block but I'm generally not a fan due to the complexity and false positives. eslint seems to cover the majority of what we'd need.

@targos targos added the build Issues and PRs related to build files or the CI. label Jan 23, 2021
@Trott
Copy link
Member

Trott commented Feb 23, 2021

I'm going to close this, but feel free to comment or re-open if you think there's a reason to keep this open. Thanks!

@Trott Trott closed this as completed Feb 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI.
Projects
None yet
Development

No branches or pull requests

5 participants