CodeQL - security analysis

Hello everyone,

I’ve added CodeQL on pulp repos,
please note the security tab of your plugin:
image
it may have vulnerabilities to fix:

3 Likes

To run CodeQL locally, one needs to download a ZIP file containing the CodeQL CLI utility (Releases · github/codeql-cli-binaries · GitHub).

When running code scans on plugins, it is required to create a database that contains all data necessary for executing queries on code. For pulp_container, the workflow would look like this:

./codeql database create --language=python --source-root=/home/lmjachky/Workplace/pulp/pulp_container --search-path=/home/lmjachky/Workplace/pulp/pulp_container/ --overwrite python-pulp-container

Then, the code is analyzed by running queries on the database:

./codeql database analyze python-pulp-container --format=sarif-latest --output=python-pulp-container-analysis.sarif --download codeql/python-queries

The created report can be browsed in a text editor:

vim python-pulp-container-analysis.sarif

More details about queries and reports are described at CodeQL CLI — CodeQL.


This might be useful when testing fixes to see whether security flaws were removed or not by a particular change.

1 Like