[QGIS-Developer] [security] Activate CodeQL Scanning in Github

Even Rouault even.rouault at spatialys.com
Wed Nov 13 03:03:06 PST 2024


Régis,

you will probably need a bit more work than just pushing the default
button, as it will likely generate a default codeql.yml file that won't
work out-of-the-box on QGIS without tuning it. You'll first need to
install the list of QGIS dependencies to get a successful build. Cf.
https://github.com/OSGeo/gdal/blob/master/.github/workflows/codeql.yml
for an example on GDAL. We disabled Python scanning, as 99% of Python is
in our test suite and I didn't want to be spammed about warnings in
non-production code. Turned on for a large code base like QGIS, be ready to
see several hundred warnings popping up. In GDAL, one of the most
recurring categories was "Multiplication result converted to larger
type", i.e. doing something like int64_t var = some_int_32_var *
another_int_32_var. Another thing I noticed with CodeQL is that it seems
to limit the analysis to a max number of files, more or less randomly
chosen depending on builds. So while we have it enabled for pull
requests, in some cases it missed new warnings specific to the PR
during the review of the PR, but it then analyzed the modified files
during a run on master. As QGIS is larger than GDAL, I would expect that
to happen for QGIS too. That said, there's probably no harm in enabling
it, as the number or detail of warnings is only visible to users with
write privileges to the repository.

Even

On 13/11/2024 at 09:58, Régis Haubourg via QGIS-Developer wrote:
>
> Hi all,
>
> the security requirements of IT departments keep on growing and we 
> receive more and more requests on the security mail.
>
> The topic is broad, from filling in custom forms based on various 
> national or company-specific policies, to very precise vulnerability 
> scanning, or even asking us what we do to prevent XZ-like social 
> engineering attacks.
>
> To get a better score on good practices [0], a simple first step would 
> be to activate code scanning. Github provides CodeQL [1] for free. I 
> would like to activate it and see how it goes.
>
> Would you be OK with activating this and seeing how it goes (too much 
> spamming, limitations on our codebase, more advanced configuration 
> required etc.)?
>
> In case of no reaction, I'll push the button on Friday and see what 
> happens :)
>
>
> @lova @Tim, we probably should do similar things for our websites, we 
> have some bounty seekers raising disclosures on our websites. I'd 
> prefer that we catch those CVEs earlier than have to deal with some of 
> those anonymous persons.
>
>
> Thanks a lot !
>
> Régis
>
>
> [0] https://securityscorecards.dev/viewer/?uri=github.com/qgis/QGIS
>
> [1] https://codeql.github.com/
>
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

-- 
http://www.spatialys.com
My software is free, but my time generally not.
Butcher of all kinds of standards, open or closed formats. At the end, this is just about bytes.
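The "Multiplication result converted to larger type" category Even mentions is worth seeing concretely, because the widening happens after the damage is done: the product is computed in the operands' 32-bit type and only then stored into the 64-bit variable. The following is an added example, not code from GDAL, QGIS or the CodeQL project; the raster_bytes_* function names and the width/height/bytes-per-pixel scenario are assumptions chosen to resemble the buffer-size arithmetic such projects do. The operands are unsigned so the wrap-around is well-defined and reproducible; with the signed int32_t operands of Even's mail the same overflow is undefined behaviour and the compiler may do anything.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// The pattern CodeQL flags: every operand is 32-bit, so the product is
// computed in 32 bits (wrapping for unsigned, undefined for signed) and
// the 64-bit destination only receives the already-truncated value.
uint64_t raster_bytes_flagged(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t bytes = width * height * bpp;  // multiplied as uint32_t, then widened
    return bytes;
}

// The fix: widen one operand before multiplying so that the whole
// expression is evaluated in 64 bits. This is what silences the warning.
uint64_t raster_bytes_widened(uint32_t width, uint32_t height, uint32_t bpp)
{
    return static_cast<uint64_t>(width) * height * bpp;
}

// Defensive variant for an allocation size: widen, then refuse values that
// would overflow even 64 bits or exceed a caller-chosen cap. Returns
// std::nullopt when the size cannot be trusted.
std::optional<uint64_t> raster_bytes_checked(uint32_t width, uint32_t height,
                                             uint32_t bpp, uint64_t cap)
{
    // (2^32 - 1)^2 < 2^64, so the first product cannot overflow in 64 bits.
    const uint64_t pixels = static_cast<uint64_t>(width) * height;
    if (bpp == 0) {
        return uint64_t{0};  // zero-byte buffer: valid, nothing to allocate
    }
    if (pixels > UINT64_MAX / bpp) {
        return std::nullopt;  // pixels * bpp would overflow uint64_t
    }
    const uint64_t bytes = pixels * bpp;
    if (bytes > cap) {
        return std::nullopt;  // larger than the caller is willing to allocate
    }
    return bytes;
}

int main()
{
    // Constructed input: a 65536 x 65536 single-byte raster is exactly 2^32 bytes,
    // which the flagged version wraps to 0 and the widened version gets right.
    const uint32_t w = 65536u, h = 65536u, bpp = 1u;
    std::printf("flagged : %llu\n", (unsigned long long)raster_bytes_flagged(w, h, bpp));
    std::printf("widened : %llu\n", (unsigned long long)raster_bytes_widened(w, h, bpp));
    const auto checked = raster_bytes_checked(w, h, 4u, uint64_t{1} << 30);
    std::printf("checked : %s\n", checked ? "accepted" : "rejected (over cap)");
    return 0;
}
```

The wrapped size of 0 is the dangerous case: a subsequent allocation succeeds with a tiny buffer while the code goes on to write width * height pixels into it. Widening first removes the truncation, but for anything that feeds an allocator the checked form is the one to prefer, since a correct 64-bit size can still be far beyond what the process should hand out.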


