CodeQL - security analysis

Hello everyone,

I’ve added CodeQL to the pulp repos. Please check the Security tab of your plugin:
[image]
It may have vulnerabilities to fix:

3 Likes

To run CodeQL locally, one needs to download a ZIP file containing the CodeQL CLI utility (Releases · github/codeql-cli-binaries · GitHub).

When running code scans on plugins, it is required to create a database that contains all data necessary for executing queries on code. For pulp_container, the workflow would look like this:

./codeql database create --language=python --source-root=/home/lmjachky/Workplace/pulp/pulp_container --search-path=/home/lmjachky/Workplace/pulp/pulp_container/ --overwrite python-pulp-container

Then, the code is analyzed by running queries on the database:

./codeql database analyze python-pulp-container --format=sarif-latest --output=python-pulp-container-analysis.sarif --download codeql/python-queries

The created report can be browsed in a text editor:

vim python-pulp-container-analysis.sarif

More details about queries and reports are described at CodeQL CLI — CodeQL.
This might be useful when testing fixes to see whether security flaws were removed or not by a particular change.

1 Like
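The SARIF file produced by `codeql database analyze` is JSON, so the "test a fix, then check whether the flaw is gone" step can be automated instead of eyeballing the report in vim. The script below is an added example, not part of the original post or of CodeQL: it keys each result by rule, file and line, falls back to the rule's default severity when a result carries no `level`, and diffs a pre-fix scan against a post-fix scan. The two SARIF documents, paths and line numbers are constructed samples.

```python
import json
from collections import Counter

def load_results(sarif_text):
    """Map each CodeQL result in a SARIF document to (ruleId, uri, startLine) -> severity.

    CodeQL may leave "level" off a result and rely on the rule's
    defaultConfiguration, so the rule table is consulted as a fallback.
    """
    doc = json.loads(sarif_text)
    found = {}
    for run in doc.get("runs", []):
        rule_level = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                      for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            key = (res["ruleId"], loc["artifactLocation"]["uri"],
                   loc.get("region", {}).get("startLine", 0))
            found[key] = res.get("level", rule_level.get(res["ruleId"], "warning"))
    return found

def compare_scans(before_text, after_text):
    """Return (fixed, new, remaining) result keys between two scans of the same repo."""
    before, after = load_results(before_text), load_results(after_text)
    return (sorted(set(before) - set(after)), sorted(set(after) - set(before)),
            sorted(set(before) & set(after)))

def severity_counts(sarif_text):
    """Count results per severity, e.g. {'error': 1, 'warning': 1}."""
    return Counter(load_results(sarif_text).values())

# Constructed SARIF fragments in the shape `--format=sarif-latest` emits (hypothetical paths/lines).
def _res(rule, uri, line, level=None):
    r = {"ruleId": rule, "message": {"text": "constructed finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}]}
    if level:
        r["level"] = level
    return r

def _sarif(results):
    return json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL",
        "rules": [{"id": "py/log-injection", "defaultConfiguration": {"level": "error"}},
                  {"id": "py/clear-text-logging-sensitive-data",
                   "defaultConfiguration": {"level": "warning"}}]}}, "results": results}]})

BEFORE = _sarif([_res("py/log-injection", "app/views.py", 42),
                 _res("py/clear-text-logging-sensitive-data", "app/auth.py", 17)])
AFTER = _sarif([_res("py/clear-text-logging-sensitive-data", "app/auth.py", 17),
                _res("py/log-injection", "app/tasks.py", 8, level="error")])

if __name__ == "__main__":
    fixed, new, remaining = compare_scans(BEFORE, AFTER)
    print("fixed:", fixed, "\nnew:", new, "\nremaining:", remaining)
```

Keying on line numbers is a simplification: a refactor that shifts code will show a result as "fixed" and "new" at once, so for real comparisons the `partialFingerprints` CodeQL attaches to each result are a more stable key.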

Resurrecting this thread to remind folk to check the “Security” tab for CodeQL reports and get them addressed (either open an issue/fix or mark them as “not a problem”).

2 Likes