[QGIS-Developer] [security] Activate CodeQL Scanning in Github

Régis Haubourg regis.haubourg at gmail.com
Wed Nov 13 03:30:39 PST 2024


Thanks a lot for your insights, Even!

OK then, this is way beyond my skills and available time; let's forget 
this naive approach. And let's plant a seed: any grant proposal toward 
enabling code scanning would probably be more than welcome.

I know some of you are trying to gather funding to approach security 
globally. If plans are already made, please express yourselves here. As 
the person in charge of responding to security inquiries, I need some 
visibility here.

Best regards

Régis

On 13/11/2024 at 12:03, Even Rouault wrote:
> Régis,
>
> you will probably need a bit more work than just pushing the default 
> button, as it will likely generate a default codeql.yml file that 
> won't work out-of-the-box on QGIS without tuning it. You'll first need 
> to install the list of QGIS dependencies to get a successful build. 
> Cf. 
> https://github.com/OSGeo/gdal/blob/master/.github/workflows/codeql.yml 
> for an example on GDAL. We disabled Python scanning, as 99% of our Python 
> is in our test suite and I didn't want to be spammed with warnings in 
> non-production code. Turned on for a large code base like QGIS, be ready 
> to see several hundred warnings popping up. In GDAL, one of the 
> most recurring categories was "Multiplication result converted to 
> larger type", i.e. doing something like int64_t var = some_int_32_var * 
> another_int_32_var. Another thing I noticed with CodeQL is that it 
> seems to limit the analysis to a max number of files, more or less 
> randomly chosen depending on the build. So while we have it enabled for 
> pull requests, in some cases it missed new warnings specific to the 
> PR during the review of the PR, but it then analyzed the modified 
> files during a run on master. As QGIS is larger than GDAL, I would 
> expect that to happen for QGIS too. That said, there's probably no 
> harm in enabling it, as the number and details of warnings are only 
> visible to users with write privileges on the repository.
>
> Even
>
> On 13/11/2024 at 09:58, Régis Haubourg via QGIS-Developer wrote:
>>
>> Hi all,
>>
>> the security requirements of IT departments keep on growing and we 
>> receive more and more requests on the security mail.
>>
>> The topic is broad, from filling in custom forms based on various 
>> national or company-specific policies, to very precise vulnerability 
>> scanning, or even asking us what we do to prevent XZ-like social 
>> engineering attacks.
>>
>> To get a better score on good practices [0], a simple first step 
>> would be to activate code scanning. GitHub provides CodeQL [1] for 
>> free. I would like to activate it and see how it goes.
>>
>> Would you be OK with activating this and seeing how it goes (too much 
>> spamming, limitations on our codebase, more advanced configuration 
>> required, etc.)?
>>
>> In case of no reaction, I'll push the button on Friday and see what 
>> happens :)
>>
>>
>> @lova @Tim, we should probably do similar things for our websites; we 
>> have some bounty seekers raising disclosures on our websites. I'd 
>> prefer that we catch those CVEs earlier rather than having to deal 
>> with some of those anonymous persons.
>>
>>
>> Thanks a lot !
>>
>> Régis
>>
>>
>> [0] https://securityscorecards.dev/viewer/?uri=github.com/qgis/QGIS
>>
>> [1] https://codeql.github.com/
>>
>>
>> _______________________________________________
>> QGIS-Developer mailing list
>> QGIS-Developer at lists.osgeo.org
>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
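The "Multiplication result converted to larger type" warning Even mentions, shown as an added example that is not GDAL or QGIS code. The function names (pixelCountUnsafe, pixelCountSafe, mulChecked, rasterBytes) and the 65536 x 65536 sample raster are constructed for illustration. Unsigned 32-bit operands are used so the wraparound is well defined and reproducible; with signed int32_t operands, as in Even's int64_t = int32 * int32 example, the same overflow is undefined behaviour, which is why CodeQL flags the pattern rather than the result.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>

// Pattern CodeQL reports as "Multiplication result converted to larger
// type": both operands are 32-bit, so the product is computed in 32-bit
// arithmetic (mod 2^32) and only the already-truncated result is widened
// to 64 bits. The assignment to uint64_t gives no protection at all.
uint64_t pixelCountUnsafe(uint32_t width, uint32_t height)
{
    uint64_t n = width * height;   // wraps at 2^32 before the widening
    return n;
}

// The fix: widen one operand first so the whole product is computed in
// 64 bits. Two 32-bit factors always fit in a 64-bit product.
uint64_t pixelCountSafe(uint32_t width, uint32_t height)
{
    return static_cast<uint64_t>(width) * height;
}

// Portable checked multiply for cases where even the widened product can
// overflow (e.g. three factors). Returns false instead of wrapping.
bool mulChecked(uint64_t a, uint64_t b, uint64_t &out)
{
    if (a != 0 && b > std::numeric_limits<uint64_t>::max() / a)
        return false;
    out = a * b;
    return true;
}

// Byte size of a raster buffer, width * height * bytesPerPixel. A silently
// wrapped size here means an undersized allocation followed by an
// out-of-bounds write when the pixel data is copied in, so the caller
// must treat a false return as a hard error.
bool rasterBytes(uint32_t width, uint32_t height, uint32_t bytesPerPixel,
                 uint64_t &bytes)
{
    uint64_t pixels = 0;
    return mulChecked(width, height, pixels) &&
           mulChecked(pixels, bytesPerPixel, bytes);
}

int main()
{
    const uint32_t w = 65536, h = 65536;   // constructed sample: 2^16 x 2^16 raster
    std::cout << "unsafe: " << pixelCountUnsafe(w, h) << '\n';   // 0
    std::cout << "safe:   " << pixelCountSafe(w, h) << '\n';     // 4294967296
    uint64_t bytes = 0;
    if (rasterBytes(w, h, 4, bytes))
        std::cout << "bytes:  " << bytes << '\n';                 // 17179869184
    if (!rasterBytes(UINT32_MAX, UINT32_MAX, UINT32_MAX, bytes))
        std::cout << "bytes:  overflow refused\n";
    return 0;
}
```

The first two functions are the "before" and "after" of the CodeQL finding; the checked variant is the form worth reaching for wherever the product feeds an allocation size or an index, since widening alone only buys 32 more bits.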