
Does not detect use of CodeQL (SAST) #3817

Open
mwager opened this issue Jan 23, 2024 · 5 comments
Labels
check/SAST kind/bug Something isn't working

Comments

@mwager

mwager commented Jan 23, 2024

Describe the bug
This repo is using CodeQL for SAST scanning:

https://github.com/secureIO-GmbH/VulnerabilityHeatmap/actions/workflows/github-code-scanning/codeql

Reproduction steps
Steps to reproduce the behavior:
  1. [screenshot]
  2. Does not detect SAST: [screenshot]

Expected behavior
Docs say: [screenshot of the SAST check documentation]

Maybe it is missing to detect the direct actions? (without a workflow file?)

Am I doing something wrong?

@mwager mwager added the kind/bug Something isn't working label Jan 23, 2024
@spencerschrock
Member

> Maybe it is missing to detect the direct actions? (without a workflow file?)

The CodeQL detection can work without a workflow file, depending on whether it still runs the scan on the PR.

Right now the code:

  1. looks for the last 30 commits
  2. looks for the PR associated with the commit
  3. checks if the PR has CodeQL checks before merge

It seems like the CodeQL runs in your repo take place once the commits are pushed to main. Which has been discussed before: #3451 #1580. We should probably re-evaluate our notion of pre/post merge.

@mwager
Author

mwager commented Jan 24, 2024

Ok, thanks for the explanation. The strange thing is that there are PRs, for example: secureIO-GmbH/VulnerabilityHeatmap#11

If the other issues already address this, feel free to close here.

@spencerschrock
Member

> Ok, thanks for the explanation. The strange thing is that there are PRs, for example: secureIO-GmbH/VulnerabilityHeatmap#11

Specifically it evaluates the last 30 commits in main, and the PRs which they came from. Since that PR is still open, it's not being considered.
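The two comments above describe the check as a three-step walk: take the last 30 commits on main, resolve each to the PR it was merged through, and look for a CodeQL check on that PR before merge. The following is an added illustration of that logic, not scorecard's own code; the `Commit`, `PullRequest` and `CheckRun` types and the two scenario builders are constructed stand-ins for the GitHub data, and the `github-code-scanning` app name used to recognise a CodeQL check run is an assumption about how the check would be matched. It also shows the two cases raised in the thread: CodeQL running only after the push to main, and an open PR that is skipped because it was never merged.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-ins for GitHub commit / pull request / check-run data
// (hypothetical types; not scorecard's API).
type CheckRun struct {
	App  string // GitHub App that created the run; assumed "github-code-scanning" for CodeQL
	Name string // check name as shown on the PR, e.g. "CodeQL"
}

type PullRequest struct {
	Number   int
	MergedAt string     // empty while the PR is still open
	Checks   []CheckRun // check runs on the PR head before merge
}

type Commit struct {
	SHA string
	PR  *PullRequest // PR this commit reached main through; nil for a direct push
}

// commitWindow is how far back on the default branch the check looks.
const commitWindow = 30

// Result summarises one pass over the commit window.
type Result struct {
	Examined      int // commits inspected (at most commitWindow)
	MergedPRs     int // distinct merged PRs those commits came from
	PRsWithCodeQL int // of those, PRs with a CodeQL check before merge
}

// isCodeQLCheck reports whether a check run came from CodeQL code scanning.
func isCodeQLCheck(c CheckRun) bool {
	return c.App == "github-code-scanning" ||
		strings.Contains(strings.ToLower(c.Name), "codeql")
}

// detectPreMergeCodeQL walks the most recent commitWindow commits, resolves
// each to the merged PR it came from, and counts PRs that carried a CodeQL
// check before merge. Direct pushes and still-open PRs are skipped, so a
// CodeQL run that only happens after the push to main contributes nothing.
func detectPreMergeCodeQL(commits []Commit) Result {
	var r Result
	seen := map[int]bool{}
	for i, c := range commits {
		if i >= commitWindow {
			break
		}
		r.Examined++
		pr := c.PR
		if pr == nil || pr.MergedAt == "" || seen[pr.Number] {
			continue
		}
		seen[pr.Number] = true
		r.MergedPRs++
		for _, chk := range pr.Checks {
			if isCodeQLCheck(chk) {
				r.PRsWithCodeQL++
				break
			}
		}
	}
	return r
}

// postMergeOnlyScenario (constructed data) mirrors the repository in the
// issue: commits land on main directly or via a still-open PR, and CodeQL
// only runs after the push, so no merged PR carries a CodeQL check.
func postMergeOnlyScenario() Result {
	openPR := &PullRequest{Number: 11} // MergedAt empty: still open
	commits := []Commit{
		{SHA: "a1", PR: nil},
		{SHA: "b2", PR: nil},
		{SHA: "c3", PR: openPR},
	}
	return detectPreMergeCodeQL(commits)
}

// preMergeScenario (constructed data): two commits merged through one PR
// whose head had a CodeQL check run, which is what the check wants to see.
func preMergeScenario() Result {
	pr := &PullRequest{
		Number:   7,
		MergedAt: "2024-01-20T10:00:00Z",
		Checks:   []CheckRun{{App: "github-code-scanning", Name: "CodeQL"}},
	}
	return detectPreMergeCodeQL([]Commit{{SHA: "d4", PR: pr}, {SHA: "e5", PR: pr}})
}

func main() {
	fmt.Printf("post-merge only: %+v\n", postMergeOnlyScenario())
	fmt.Printf("pre-merge:       %+v\n", preMergeScenario())
}
```

The first scenario yields zero merged PRs and therefore zero CodeQL evidence even though CodeQL genuinely runs on the repository, which is exactly the false negative the issue reports; the check only sees scans that gate a merge, not scans that react to one.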

@afmarcum afmarcum moved this to Backlog - Bugs in Scorecard - NEW Mar 5, 2024
@afmarcum afmarcum removed the status in Scorecard - NEW Mar 5, 2024
@afmarcum afmarcum moved this to Backlog - Checks in Scorecard - NEW Mar 5, 2024
@thepwagner
Contributor

For GitHub+CodeQL specifically, I think scorecard could also consider this API endpoint: https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28#get-a-code-scanning-default-setup-configuration--status-codes

The downside is that it needs administration:read permission on the repository.

Disabled:

{
  "state": "not-configured",
  "languages": [

  ],
  "query_suite": "default",
  "updated_at": null,
  "schedule": null
}

Enabled:

{
  "state": "configured",
  "languages": [
    "ruby"
  ],
  "query_suite": "default",
  "updated_at": "2024-04-15T14:22:53Z",
  "schedule": "weekly"
}

@jhutchings1

As @thepwagner mentioned, default setup is the new standard way that developers enable CodeQL scanning. It's true that the API for accessing that configuration requires administrative privileges, but there's actually a workaround that I think would make tons of sense for Scorecard and should be a relatively straightforward swap.

GitHub also has an API that lists Actions workflows that have run on the repository. This includes dynamic workflows like the default setup workflow for CodeQL. Here's an example from a test repo of mine, which lists both the CodeQL and Dependabot updates workflows (slightly redacted). The path for those workflows is consistent and you can count on that as an indicator that the analysis is enabled.

{
  "total_count": 2,
  "workflows": [
    {
      "id": ...,
      "node_id": "...",
      "name": "Dependabot Updates",
      "path": "dynamic/dependabot/dependabot-updates",
      "state": "active",
      "created_at": "2024-05-01T10:10:17.000-07:00",
      "updated_at": "2024-05-01T10:10:17.000-07:00",
      "url": "...",
      "html_url": "...",
      "badge_url": "..."
    },
    {
      "id": ...,
      "node_id": "...",
      "name": "CodeQL",
      "path": "dynamic/github-code-scanning/codeql",
      "state": "active",
      "created_at": "2024-01-23T09:14:42.000-08:00",
      "updated_at": "2024-01-23T09:14:42.000-08:00",
      "url": "...",
      "html_url": "...",
      "badge_url": "..."
    }
  ]
}
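Both API-based signals suggested in this thread, the admin-only default-setup endpoint and the workflow listing whose `dynamic/github-code-scanning/codeql` path needs no extra permission, come down to parsing one JSON document each. The following is an added example, not scorecard's or GitHub's code, that parses both response shapes and combines them the way the two comments propose: use the default-setup answer when the token could fetch it, otherwise fall back to the workflow list. The sample bodies are constructed from the responses quoted above, with the elided `id`/`url` fields replaced by placeholders; the `codeqlEnabled` combination rule is this example's own design.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// defaultSetup holds the fields of GET /repos/{owner}/{repo}/code-scanning/default-setup
// (requires administration:read) that matter for detection.
type defaultSetup struct {
	State      string   `json:"state"`
	Languages  []string `json:"languages"`
	QuerySuite string   `json:"query_suite"`
	Schedule   *string  `json:"schedule"` // null when not configured
}

// workflowList mirrors GET /repos/{owner}/{repo}/actions/workflows.
type workflowList struct {
	TotalCount int        `json:"total_count"`
	Workflows  []workflow `json:"workflows"`
}

type workflow struct {
	Name  string `json:"name"`
	Path  string `json:"path"`
	State string `json:"state"`
}

// codeqlDynamicPath is the fixed path GitHub gives the default-setup CodeQL workflow.
const codeqlDynamicPath = "dynamic/github-code-scanning/codeql"

// defaultSetupEnabled reports whether default setup is in the "configured" state.
func defaultSetupEnabled(body []byte) (bool, error) {
	var ds defaultSetup
	if err := json.Unmarshal(body, &ds); err != nil {
		return false, fmt.Errorf("default-setup response: %w", err)
	}
	return ds.State == "configured", nil
}

// codeqlWorkflowActive reports whether the dynamic CodeQL workflow is listed and active.
func codeqlWorkflowActive(body []byte) (bool, error) {
	var wl workflowList
	if err := json.Unmarshal(body, &wl); err != nil {
		return false, fmt.Errorf("workflows response: %w", err)
	}
	for _, w := range wl.Workflows {
		if w.Path == codeqlDynamicPath && w.State == "active" {
			return true, nil
		}
	}
	return false, nil
}

// codeqlEnabled (this example's own rule) prefers the authoritative
// default-setup answer when the token could fetch it (setupBody non-nil)
// and otherwise falls back to the workflow listing.
func codeqlEnabled(setupBody, workflowsBody []byte) (bool, error) {
	if setupBody != nil {
		return defaultSetupEnabled(setupBody)
	}
	return codeqlWorkflowActive(workflowsBody)
}

// Constructed samples based on the responses quoted in the thread.
const sampleSetupDisabled = `{"state":"not-configured","languages":[],"query_suite":"default","updated_at":null,"schedule":null}`
const sampleSetupEnabled = `{"state":"configured","languages":["ruby"],"query_suite":"default","updated_at":"2024-04-15T14:22:53Z","schedule":"weekly"}`
const sampleWorkflows = `{
  "total_count": 2,
  "workflows": [
    {"id": 1, "name": "Dependabot Updates", "path": "dynamic/dependabot/dependabot-updates", "state": "active"},
    {"id": 2, "name": "CodeQL", "path": "dynamic/github-code-scanning/codeql", "state": "active"}
  ]
}`

func main() {
	on, err := codeqlEnabled(nil, []byte(sampleWorkflows))
	fmt.Println("via workflow list:", on, err)
	on, err = codeqlEnabled([]byte(sampleSetupEnabled), nil)
	fmt.Println("via default setup:", on, err)
}
```

One caveat worth keeping in mind when wiring this into a check: an active `dynamic/github-code-scanning/codeql` workflow tells you that default-setup scanning is enabled on the repository, not that it ran against a given PR before merge, so it answers a different question from the commit-window walk discussed earlier in the thread.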

Projects
Status: Backlog - New Checks