-
-
Notifications
You must be signed in to change notification settings - Fork 524
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix codeql #927
Fix codeql #927
Conversation
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
@charankamarapu I am having trouble solving it. also why there are multiple instances of check failure clicking on "sensitive data returned by http request header" always point to the same line ? |
Regarding |
Regarding |
I hope everything is clear now |
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
Hey @charankamarapu |
Hey @AkashKumar7902 even I don't think there is a way to suppress this. But there is a way to filter this out of scanning . GitHub Advanced Security uses CodeQL for code scanning, and you can use |
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
|
||
file, err := os.OpenFile(yamlPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, os.ModePerm) | ||
if err != nil { | ||
ys.Logger.Error("failed to open the created yaml file", zap.Error(err), zap.Any("yaml file name", fileName)) // lgtm [go/clear-text-logging] |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Sensitive data returned by HTTP request headers
return err | ||
} | ||
data = append(data, d...) | ||
|
||
_, err = file.Write(data) | ||
if err != nil { | ||
ys.Logger.Error("failed to write the yaml document", zap.Error(err), zap.Any("yaml file name", fileName)) | ||
ys.Logger.Error("failed to write the yaml document", zap.Error(err), zap.Any("yaml file name", fileName)) // lgtm [go/clear-text-logging] |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Sensitive data returned by HTTP request headers
@charankamarapu Its still not working. I have verified the query id. Also i think we require to modify the workflow file to add configuration to supress those warnings [1] [2] P.S.: Sorry for creating a new PR. As my internet connection is metered, I am unable to setup alt since it requires a large docker image of ubuntu. So i made this new PR to test out the codeql workflow. After you will approve this PR i will add all the redundant commits into the previous PR with a single commit so my original branch remains clean. |
No problem. There is no need for being sorry😅 . Regarding the comment which you have added , I gave a reference that this kind of comments are used to suppress warning . But I didn't give you the exact comment . The comment which I gave you was for LGTM workflow and we are using codeQL working (although LGTM uses codeQL internally). Find a way to suppress the warning in the case of codeQL. I will be clear next time 👍. Also Try the references which you have mentioned github/codeql#10940 |
Hey @AkashKumar7902 I have actually gone through the docs of codeQL and it was mentioned there that they have knowing didn't add this feature of using comments to suppress warnings . They suggested to go via dismissing alerts in UI . Please add the changes from this PR to the other PR you have created and request for code review. |
attaching reference - github/codeql#11427 |
closing this PR on basis of #903 |
Related Issue
Closes: #[issue number that will be closed through this PR]
Describe the changes you've made
A clear and concise description of what you have done to successfully close your assigned issue. Any new files? or anything you feel to let us know!
Type of change
Please let us know if any test cases are added
Please describe the tests(if any). Provide instructions how its affecting the coverage.
Describe if there is any unusual behaviour of your code(Write
NA
if there isn't)A clear and concise description of it.
Checklist:
Screenshots (if any)