Add CodeQL workflow #6122
Add CodeQL workflow #6122
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
I am not sure about this tbh. NetBeans is a large project with an old code base and doesn't have a shortage of warnings or issues even without code scanners active. We are slowly modernizing the codebase but this takes time (see cleanup label). We can't really speed this up since it would make review impossible and bugs will slip though. This will likely produce thousands additional warnings, some of them will be valid but a lot of them will be false positives or less important. Without someone committing to triage/investigate/fix those warnings this will just cause more noise without helping anyone. I am ok with code scanners and have also used CodeQL before with good results (on smaller and younger code bases), but maybe its still too early for this code base for it to be useful. cc @neilcsmith-net @matthiasblaesing @lkishalmi @MartinBalin @sdedic @ebarboni opinions? Is anyone willing to spend time to fix/trigage the warnings? |
|
I think it will land to security tab on github, I hope this not autocreate PR. |
right, take a look at apache roller as example: https://github.com/apache/roller/security/code-scanning
no it won't. Most warnings explain the problem and do often suggest how to fix it. The problem has to be still understood, triaged and fixed by someone. New PRs are also scanned to avoid the introduction of new issues - which is a great feature. However I noticed in other projects that when old code is refactored it sometimes thinks that the PR is adding a new issue. I am slightly in favor for enabling the scans, but only if we have more devs beside me who agree to periodically look at those warnings and help to reduce them - otherwise they serve no purpose. |
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
| timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} |
There was a problem hiding this comment.
NB doesn't use swift anywhere, so this can be likely simplified and hardcoded to ubuntu-latest
There was a problem hiding this comment.
To be pedantic, we use Swift in at least two files for generating macOS launchers, but depending on current dev@ discussion they might end up being externalized anyway.
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: [ 'javascript', 'java', 'go', 'python', 'ruby' ] |
There was a problem hiding this comment.
can be probably reduced to just java
| # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). | ||
| # If this step fails, then you should remove it and run the build manually (see below) | ||
| - name: Autobuild | ||
| uses: github/codeql-action/autobuild@v2 |
There was a problem hiding this comment.
we would have to either integrate it into the current build pipeline, or at least use the cache.
The job takes over 2.2h atm which is too much.
-> https://github.com/apache/netbeans/actions/runs/5376693354/jobs/9925753597
There was a problem hiding this comment.
CodeQL needs to trace the build to create the database, using a cache will make CodeQL blind of what the cache introduces.
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v2 | ||
| with: | ||
| category: "/language:${{matrix.language}}" |
There was a problem hiding this comment.
probably worth trying to exclude test packages and test data. Might reduce warning count / job time and make it more observable
There was a problem hiding this comment.
You can use a configuration file to customize the queries to be run and the files to be analyzed, see https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-a-custom-configuration-file
|
-1 right now. Well, I've looked at the report. Honestly, I'm not impressed. It has 1700+ new issues, many of them are completely off if we are considering that we are talking about an IDE which is not an usual server-side java application. At this point I see this generates more noise than value. I have to admit that I did not check every rule and findings there, so some of them might be valid and worth to fix, but then someone has to fine-tune the rules, before this would be useful. |
|
I tend to agree with @lkishalmi. The signal to noice ratio does not seem to be high enough. |
Hello from GitHub Security Lab!
Your repository is critical to the security of the Open Source Software (OSS) ecosystem, and as part of our mission to make OSS safer, we are contributing a CodeQL configuration for code scanning to your repository. By enabling code scanning with CodeQL, you will be able to continuously analyze your code and surface potential vulnerabilities before they can even reach your codebase.
We’ve tested the configuration manually before opening this pull request and adjusted it to the needs of your particular repository, but feel free to tweak it further! Check this page for detailed documentation.
Questions? Check out the FAQ below!
FAQ
Click here to expand the FAQ section
How often will the code scanning analysis run?
By default, code scanning will trigger a scan with the CodeQL engine on the following events:
What will this cost?
Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.
Where can I see the results of the analysis?
The results of the analysis will be available on the Security tab of your repository. You can find more information about the results here.
For Pull Requests, you can find the results of the analysis in the Checks tab. You can find more information about the Pull Request results here.
What types of problems does CodeQL find?
CodeQL queries are hosted in the
github/codeqlrepository.By default, code scanning runs the
defaultquery suite. The queries in thedefaultquery suite are highly precise and return few false positive code scanning results.If you are looking for a more comprehensive analysis, which could return a greater number of false positives, you can enable the
security-extendedquery suite in thequeriesoption ofgithub/codeql-action/init.In the event of finding a false positive, please create a false positive Issue in
github/codeqlso we can investigate and improve the query in question. You can also contribute to the query by opening a pull request againstgithub/codeql.How do I customize the analysis?
You can customize the analysis by using a CodeQL configuration file. This way, you can specify which queries should [not] be run, and/or which files should be excluded from the analysis. You can find more information about the configuration file here.
How do I upgrade my CodeQL engine?
No need! New versions of the CodeQL analysis are constantly deployed on github.com; your repository will automatically benefit from the most recently released version.
The analysis doesn’t seem to be working
If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.
Which source code hosting platforms does code scanning support?
GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.