Create wiki page to guide developers how to manage CodeQL alerts #6463

roslynwythe · 2024-03-14T08:29:54Z

Overview

We require a wiki page to guide developers how to manage and resolve CodeQL alerts

Action Items

After this issue is completed

Release dependency on Create new issue template for resolution of CodeQL alert #5242

Resources/Instructions

This issue resulted from Epic: Manage CodeQL deployment #5005

roslynwythe · 2024-03-17T18:38:42Z

Draft Wiki page: How to manage CodeQL alerts

Overview of CodeQL scanning

CodeQL scanning is implemented via the workflow .github/workflows/codeql.yml which is triggered by push, pull request on gh-pages, and scheduled weekly. See codeql-implementation #4886 for details
The queries (tests) executed by CodeQL are grouped into query packs. Our workflow specifies the security-and-quality query pack.
Code scanning results are available from the code scanning page You can browse to this page from the Security menu item throughout the hackforla/website repository. Note that by default only open alerts are displayed. Closed alerts are those that have been fixed (by code change) or dismissed.
To view information about the past resolution of a particular query type, for example "Missing variable declaration", use a query such as "Missing variable declaration" is:closed branch:gh-pages
Here is a sample alert detail page https://github.com/hackforla/website/security/code-scanning/40

Screenshot of CodeQL alert detail page with tracking issue outlined in red

Note these elements of the detail page
- The tracking issue (in red) is the issue intended to manage the alert. An issue is linked as a tracking issue for an alert if the alert URL appears in an issue action Item.
- The code alert details include the file path and line number. Note that the same problem may exist in several locations within a code file. Only update the section of code indicated in the alert detail page.
- In the right hand column there is important information: the severity of the alert and the tags, which will indicate if the alert is a security alert
- Dismiss Alert button/form - Alerts should be dismissed only by merge team after review of an issue recommending dismissal. Other developers should not dismiss alerts! When an alert is dismissed the dev lead/merge team member must select one of the following options: false positive, used in test or wont fix.
- If you are assigned to an issue to resolve a CodeQL alert and you recommend dismissal, document your recommendation in a comment within the tracking issue, then place the issue into the "Questions/In Review" column with a ready for dev lead label. If you are a dev lead or merge team member closing an issue with a recommendation to dismiss, be sure to visit the alert detail page and complete the dismissal.

Issues for resolving CodeQL alerts

The workflow .github/workflows/codeql.yml scans all open CodeQL alerts and if an alert is found without a tracking issue, the workflow will create an issue linked to the CodeQL alert.

How to resolve specific alert types

Potentially unsafe external link - sample https://github.com/hackforla/website/security/code-scanning/3

Details

For this alert type we modify the code, adding the attribute rel="noopener noreferrer" to the <a> tag, as recommended in the alert detail page.

Unused variable, import, function or class - sample https://github.com/hackforla/website/security/code-scanning/94

Details

We remove declarations for unused variables, functions or classes to improve readability of the code

Inclusion of functionality from an untrusted source - sample https://github.com/hackforla/website/security/code-scanning/37

Details

These are resolved by implementing SRI check as detailed in #6120

Malformed id attribute (see sample https://github.com/hackforla/website/security/code-scanning/25)

Details

The sample is an example of a false positive which results from the fact that CodeQL scans static HTML. In the static HTML source, the id attribute is empty, but in fact it is populated via Javascript on page load

Syntax error - sample https://github.com/hackforla/website/security/code-scanning/97 not resolved

Details

The sample is an example of a false positive which results from the inclusion of Jekyll/liquid front matter which CodeQL attempts to parse as Javascript.

Superfluous trailing arguments - sample resolution see https://github.com/hackforla/website/security/code-scanning/35

Details

A code quality and readability issue that may indicate a bug

Use of returnless function - https://github.com/hackforla/website/security/code-scanning/57

Details

This usually indicates a bug or a misunderstanding of the syntax

Missing variable declaration - https://github.com/hackforla/website/security/code-scanning/44

Details

A variable is used like a local variable but is missing a declaration, and so it becomes a global variable by default, subject to risk of global variable corruption. Resolved by adding the appropriate variable declaration, followed by testing to confirm that behavior of the code is unchanged.

HackforLABot · 2024-11-08T07:06:55Z

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

Progress: "What is the current status of your project? What have you completed and what is left to do?"
Blockers: "Difficulties or errors encountered."
Availability: "How much time will you have this week to work on this issue?"
ETA: "When do you expect this issue to be completed?"
Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

_{You are receiving this comment because your last comment was before Monday, November 4, 2024 at 11:04 PM PST.}

HackforLABot · 2024-11-15T07:07:55Z

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

Progress: "What is the current status of your project? What have you completed and what is left to do?"
Blockers: "Difficulties or errors encountered."
Availability: "How much time will you have this week to work on this issue?"
ETA: "When do you expect this issue to be completed?"
Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

_{You are receiving this comment because your last comment was before Monday, November 11, 2024 at 11:04 PM PST.}

roslynwythe added Feature Missing This label means that the issue needs to be linked to a precise feature label. size: missing role missing Complexity: Missing labels Mar 14, 2024