[QGIS-Developer] [security] Activate CodeQL Scanning in Github

Nick Bearman nick at nickbearman.com
Thu Nov 14 02:00:00 PST 2024


There was some discussion about Security within OSGeo a while back. Jody 
did some discussion on this, but I don't know where things are.

This is a related post 
-https://lists.osgeo.org/pipermail/discuss/2023-November/039996.html - 
OSGeo Cyber Resilience Act statement - I know it's not the same thing, 
but it is related.

This was the thread I was looking for - 
https://lists.osgeo.org/pipermail/discuss/2023-December/040004.html.

Hope this helps.

Best wishes,
Nick.

On 13/11/2024 11:30, Régis Haubourg via QGIS-Developer wrote:
>
> Thanks a lot for your insights, Even!
>
> Ok then, this is way beyond my skills and available time, let's forget 
> this naive approach.  And let's plant a seed. Any grant proposal 
> toward enabling code scanning would probably be more than welcome.
>
> I know some of you are trying to gather funding to approach the 
> security globally. If plans are already made, please express 
> yourselves here. As a person in charge of responding to security 
> inquiries, I need some visibility here.
>
> Best regards
>
> Régis
>
> Le 13/11/2024 à 12:03, Even Rouault a écrit :
>> Régis,
>>
>> you will probably need a bit more work than just pushing the default 
>> button, as it will likely generate a default codeql.yml file that 
>> won't work out-of-the-box on QGIS without tuning it. You'll need 
>> first to install the list of QGIS dependencies to get a successful 
>> build.  Cf. 
>> https://github.com/OSGeo/gdal/blob/master/.github/workflows/codeql.yml 
>> for an example on GDAL. We disabled Python scanning, as 99% of Python 
>> is in our test suite and I didn't want to be spammed about warnings 
>> in non-production code. Turned on a large code base like QGIS, be 
>> ready to see several hundred warnings popping up. In GDAL, one of 
>> the most recurring categories was "Multiplication result 
>> converted to larger type", i.e. doing something like int64_t var = 
>> some_int_32_var * another_int_32_var. Another thing I noticed with 
>> CodeQL is that it seems to limit the analysis to a max number of 
>> files, more or less randomly chosen depending on builds. So while we 
>> have it enabled for pull requests, in some cases it missed new 
>> warnings specific to the PR during the review of the PR, but it then 
>> analyzed the modified files during a run in master. As QGIS is larger 
>> than GDAL, I would expect that to happen for QGIS too. That said, 
>> there's probably no harm in enabling it, as the number or detail of 
>> warnings is only visible to users with write privileges to the 
>> repository.
>>
>> Even
>>
>> Le 13/11/2024 à 09:58, Régis Haubourg via QGIS-Developer a écrit :
>>>
>>> Hi all,
>>>
>>> the security requirements of IT departments keep on growing and we 
>>> receive more and more requests on the security mail.
>>>
>>> The topic is broad, from filling in custom forms based on various 
>>> national or company-specific policies, to very precise vulnerability 
>>> scanning, or even asking us what we do to prevent XZ-like social 
>>> engineering attacks.
>>>
>>> To get a better score on good practices [0], a simple first step 
>>> would be to activate code scanning. Github provides CodeQL [1] for 
>>> free. I would like to activate it and see how it goes.
>>>
>>> Would you be OK with activating this and seeing how it goes (too much 
>>> spamming, limitations on our codebase, more advanced configuration 
>>> required etc.)?
>>>
>>> In case of no reaction, I'll push the button on Friday and see what 
>>> happens :)
>>>
>>>
>>> @lova @Tim, we probably should do similar things for our websites; 
>>> we have some bounty seekers raising disclosures on our websites. I'd 
>>> prefer that we catch those CVEs earlier than have to deal with some 
>>> of those anonymous persons.
>>>
>>>
>>> Thanks a lot !
>>>
>>> Régis
>>>
>>>
>>> [0] https://securityscorecards.dev/viewer/?uri=github.com/qgis/QGIS
>>>
>>> [1] https://codeql.github.com/
>>>
>>>
>>> _______________________________________________
>>> QGIS-Developer mailing list
>>> QGIS-Developer at lists.osgeo.org
>>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
>

-- 
Nick Bearman
+44 (0) 7717745715
nick at nickbearman.com - New email address!

Please let me know if I can make any adjustments related to disability or neurodivergence to improve how we interact.

Due to my own life/work balance, you may get emails from me outside of normal working hours. Please do not feel any pressure to respond outside of your own working pattern.
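The CodeQL finding Even describes above, "Multiplication result converted to larger type", shown in C with the narrow version beside the fixed one. This is an added illustration, not code from GDAL, QGIS or anyone in the thread; the raster pixel-count functions and their inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example: the pixel count of a raster as width * height.
   Unsigned operands are used so the wraparound is well-defined and
   observable in a test; with signed int32_t operands the same overflow
   is undefined behaviour in C, which is worse, not better. */

/* The pattern CodeQL flags: the product is computed in 32-bit
   arithmetic and only afterwards widened to 64 bits, so the widening
   comes too late to prevent the overflow. */
uint64_t pixel_count_narrow(uint32_t width, uint32_t height)
{
    uint64_t count = width * height;   /* 32-bit multiply, then widen */
    return count;
}

/* The fix: widen one operand first so the multiply itself is 64-bit. */
uint64_t pixel_count_wide(uint32_t width, uint32_t height)
{
    uint64_t count = (uint64_t)width * height;
    return count;
}

/* Defensive variant for allocation sizes: compute in 64 bits and refuse
   anything that would not fit in size_t, so an oversized raster header
   cannot turn into a too-small buffer. Returns 0 to signal rejection
   (a zero-byte pixel buffer is never a usable result anyway). */
size_t raster_bytes_checked(uint32_t width, uint32_t height,
                            uint32_t bytes_per_pixel)
{
    uint64_t pixels = (uint64_t)width * height;  /* fits in 64 bits */
    if (bytes_per_pixel == 0)
        return 0;
    if (pixels > UINT64_MAX / bytes_per_pixel)
        return 0;                                 /* 64-bit overflow */
    uint64_t bytes = pixels * bytes_per_pixel;
    if (bytes > (uint64_t)SIZE_MAX)
        return 0;                                 /* too big for host */
    return (size_t)bytes;
}
```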
