
Fix CodeQL issues #4417

Closed
akhenry opened this issue Nov 1, 2021 · 2 comments · Fixed by #5793
@akhenry
Contributor

akhenry commented Nov 1, 2021

CodeQL is now checking all new code submissions for issues, but there are 18 legacy issues in our codebase that predate the introduction of CodeQL. These should be addressed.

This is the list of issues:
https://lgtm.com/projects/g/nasa/openmct/?mode=list

@unlikelyzero
Collaborator

unlikelyzero commented Nov 2, 2021

@unlikelyzero unlikelyzero added this to the Target: 1.8.1 milestone Nov 3, 2021
@unlikelyzero unlikelyzero removed this from the Target: 1.8.1 milestone Dec 7, 2021
@akhenry akhenry assigned alizenguyen and unlikelyzero and unassigned trusktr Jun 7, 2022
@alizenguyen
Contributor

alizenguyen commented Aug 10, 2022

In the codeql-analysis.yml file, the property queries: security-and-quality

  • Will include all queries of lower severity and precision than the default queries, plus maintainability and reliability queries. This is what you will see under the Security tab on the GitHub dashboard.
  • I couldn't find a direct way to exclude based on severity; this feature seems to be a work in progress and will be included in the next release: https://github.com/github/codeql-action/pull/1098. It looks like it will utilize a 'query-filters' property.
  • Another option is to make custom queries and then exclude the queries specifically.

On the Github dashboard, in Settings > Code security and analysis > Code Scanning > Check Failure

  • Is only applied to pull requests, which will cause it to fail the check.
  • This is separate from the above, where it scans the branch and does not seem to limit the severity from the Security scan above.

In the ./.github/codeql/codeql-config.yml file

  • Is a custom CodeQL config file that will override defaults
  • Is needed to ignore 'app.js'
  • Can disable default queries and add custom queries here

In lgtm.yml config in the root directory

  • You will only see changes once they are merged
  • Note for testing from FAQ: LGTM checks the external repository host for new commits roughly once a day. When a new commit is found, LGTM analyzes it and updates the latest alerts view. This explains why you won't immediately see analysis results or alerts on LGTM for that commit. If you want a more rapid response, you should enable automated code review for pull requests. That way you’ll get results on proposed changes straight away, even before they are merged into your codebase.
  • You can adjust queries here by severity and tags; see below for an example (I removed this to match the CodeQL security scan).

```yaml
queries:
  - exclude: '*'
  - include:
      severity: 'error'
  - include:
      severity: 'warning'
```
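
The three files discussed in the comment above fit together as follows. This is an added example written for this page, not the Open MCT repository's actual `codeql-config.yml` or workflow: the `name`, the ignored paths (the real location of `app.js` is a placeholder), the commented-out custom query pack path and the `@v2` action tag are assumptions, while `disable-default-queries`, `queries`, `paths-ignore`, `config-file` and the `query-filters` block that the linked codeql-action PR #1098 introduced are documented CodeQL config keys. The `query-filters` section only takes effect on a codeql-action release that ships that feature.

```yaml
# ./.github/codeql/codeql-config.yml (added example, not the repo's own file)
name: "Open MCT CodeQL config"   # assumed name

# false keeps the built-in query packs; switch to true only when the custom
# queries listed below are meant to replace them entirely.
disable-default-queries: false

queries:
  # Same suite the workflow's `queries: security-and-quality` input selects.
  - uses: security-and-quality
  # Hypothetical repo-local pack of custom queries (path is a placeholder).
  # - uses: ./.github/codeql/custom-queries

# Files the scan skips. The comment above says the config exists to ignore
# app.js; the glob below is a placeholder for its real path in the tree.
paths-ignore:
  - '**/app.js'
  - 'dist'
  - 'node_modules'

# Severity filter added by codeql-action PR #1098. Unlike the lgtm.yml
# example above, filtering is expressed on the CodeQL problem.severity
# metadata; this drops "recommendation"-level results and keeps
# "warning" and "error".
query-filters:
  - exclude:
      problem.severity:
        - recommendation

---
# ./.github/workflows/codeql-analysis.yml, init step only (added example).
# Pointing `config-file` at the file above is what makes the custom config
# override the defaults; the `queries` input is not needed here because the
# config file already selects the suite.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript
          config-file: ./.github/codeql/codeql-config.yml
```

Two points worth checking when wiring this up: `paths-ignore` only affects which files are extracted, so an alert in an ignored file disappears from the Security tab without the underlying code changing, which is fine for generated or vendored code but should be a deliberate choice for hand-written files; and the PR check-failure setting under Settings > Code security and analysis is independent of this config, so lowering the reported severity in the config file changes what is reported, not whether a pull request is blocked.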

@michaelrogers michaelrogers linked a pull request Sep 20, 2022 that will close this issue