[QGIS-Developer] [security] Activate CodeQL Scanning in Github
Nick Bearman
nick at nickbearman.com
Thu Nov 14 01:58:13 PST 2024
There was some discussion about Security within OSGeo a while back. Jody
did some discussion on this, but I don't know where things are.
This is a related post
-https://lists.osgeo.org/pipermail/discuss/2023-November/039996.html -
OSGeo Cyber Resilience Act statement - I know it's not the same thing,
but it is related.
This was the thread I was looking for -
https://lists.osgeo.org/pipermail/discuss/2023-December/040004.html.
Hope this helps.
Best wishes,
Nick.
On 13/11/2024 11:30, Régis Haubourg via QGIS-Developer wrote:
>
> Thanks a lot for you insights Even!
>
> Ok then, this is way beyond my skills and available time, let's forget
> this naive approach. And let's plant a seed. Any Grant proposal
> toward enabling code scanning would be probably more than welcome.
>
> I know some of you are trying to gather funding to approach the
> security globally. If plans are already made, please express
> yourselves here. As a person in charge of responding to security
> inquiries, I need some visibility here.
>
> Best regards
>
> Régis
>
> Le 13/11/2024 à 12:03, Even Rouault a écrit :
>> Régis,
>>
>> you will probably need a bit more work than just pushing the default
>> button, as it will likely generate a default codeql.yml file that
>> won't work out-of-the-box on QGIS without tuning it. You'll need
>> first to install the list of QGIS dependencies to get a successful
>> build. Cf
>> https://github.com/OSGeo/gdal/blob/master/.github/workflows/codeql.yml
>> for an example on GDAL. We disabled Python scanning, as 99% of Python
>> is in our test suite and I didn't want to be spammed about warnings
>> in non-production code. Turned on a large code base like QGIS, be
>> ready to see several hundreds of warnings popping up. In GDAL, one of
>> the most recurring category was about "Multiplication result
>> converted to larger type", ie doing something like int64_t var =
>> some_int_32_var * another_int_32_var. Another thing I noticed with
>> CodeQL is that it seems to limit the analysis to a max number of
>> files, more or less randomly chosen depending on builds. So while we
>> have it enabled for pull requests, in some cases, it missed new
>> warnings specific on the PR during the review of the PR, but it then
>> analyzed the modified files during a run in master. As QGIS is larger
>> than GDAL, I would expect that to happen for QGIS too. That said,
>> there's probably no harm in enabling it as the number or detail of
>> warnings is only visible to users with write privileges to the
>> repository
>>
>> Even
>>
>> Le 13/11/2024 à 09:58, Régis Haubourg via QGIS-Developer a écrit :
>>>
>>> Hi all,
>>>
>>> the security requirements of IT departments keeps on growing and we
>>> receive more and more requests on the security mail.
>>>
>>> The topic is broad, from filling in custom forms based on various
>>> national or company-specific policies, to very precise vulnerability
>>> scanning, or even ask us what we do to prevent XZ-like social
>>> engineering attacks.
>>>
>>> To get a better score on good practices [0], a simple first step
>>> would be to activate code scanning. Github provides CodeQL [1] for
>>> free. I would like to activate it and see how it goes.
>>>
>>> Would you be OK with activating this and see how it goes (too much
>>> spamming, limitations on our codebase, more advanced configuration
>>> required etc... ) ?
>>>
>>> In case of no reaction, I'll push the button on friday and see what
>>> happens :)
>>>
>>>
>>> @lova @Tim, we probably should do similar things for our websites,
>>> we have some bounty seekers raising disclosures on our websites. I'd
>>> prefer that we catch those CVE earlier than have to deal with some
>>> of those anonymous persons.
>>>
>>>
>>> Thanks a lot !
>>>
>>> Régis
>>>
>>>
>>> [0] https://securityscorecards.dev/viewer/?uri=github.com/qgis/QGIS
>>>
>>> [1] https://codeql.github.com/
>>>
>>>
>>> _______________________________________________
>>> QGIS-Developer mailing list
>>> QGIS-Developer at lists.osgeo.org
>>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
--
Nick Bearman
+44 (0) 7717745715
nick at nickbearman.com - New email address!
Please let me know if I can make any adjustments related to disability or neurodivergence to improve how we interact.
Due to my own life/work balance, you may get emails from me outside of normal working hours. Please do not feel any pressure to respond outside of your own working pattern.
More information about the QGIS-Developer
mailing list