You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@baremaps.apache.org by GitBox <gi...@apache.org> on 2022/11/10 19:25:10 UTC
[GitHub] [incubator-baremaps] jorgectf opened a new pull request, #534: Add CodeQL workflow
jorgectf opened a new pull request, #534:
URL: https://github.com/apache/incubator-baremaps/pull/534
Hi `apache/incubator-baremaps`!
This is not an automatic, 🤖-generated PR, as you can check in my [GitHub profile](https://github.com/jorgectf), I work for GitHub and I am part of the [GitHub Security Lab](https://securitylab.github.com/) which is helping out with the migration of LGTM configurations to Code Scanning.
You might have heard that we've integrated LGTM's underlying CodeQL analysis engine natively into GitHub. The result is [__GitHub code scanning__](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)!
With LGTM fully integrated into code scanning, we are focused on improving CodeQL within the native GitHub code scanning experience. In order to take advantage of current and future improvements to our analysis capabilities, we suggest you enable code scanning on your repository. Please take a look at our [blog post for more information](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/).
This pull request enables code scanning by adding an auto-generated [`codeql.yml` workflow file for GitHub Actions](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository#setting-up-code-scanning-manually) to your repository — take a look! We tested it before opening this pull request, so all should be working :heavy_check_mark:. In fact, you might already have seen some alerts appear on this pull request!
Where needed and if possible, we’ve adjusted the configuration to the needs of your particular repository. But of course, you should feel free to tweak it further! Check [this page](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#editing-a-code-scanning-workflow) for detailed documentation.
Questions? Check out the FAQ below!
### FAQ
<details>
<summary>Click here to expand the FAQ section</summary>
#### How often will the code scanning analysis run?
By default, code scanning will trigger a scan with the CodeQL engine on the following events:
* On every pull request — to flag up potential security problems for you to investigate before merging a PR.
* On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s *Security* tab up to date.
* Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.
#### What will this cost?
Nothing! The CodeQL engine will run inside GitHub Actions, making use of your [unlimited free compute minutes for public repositories](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#about-billing-for-github-actions).
#### What types of problems does CodeQL find?
The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the [`security-and-quality` query suite](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs) for you.
#### How do I upgrade my CodeQL engine?
No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.
#### The analysis doesn’t seem to be working
If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please [follow the instructions here](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow) to debug the analysis.
#### How do I disable LGTM.com?
If you have LGTM’s automatic pull request analysis enabled, then you can [follow these steps to disable the LGTM pull request analysis](https://lgtm.com/help/lgtm/managing-automated-code-review#disabling-pr-integration). You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com ([more info here](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/)).
#### Which source code hosting platforms does code scanning support?
GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.
#### How do I know this PR is legitimate?
This PR is filed by the official LGTM.com GitHub App, in line with the [deprecation timeline that was announced on the official GitHub Blog](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/). The proposed GitHub Action workflow uses the [official open source GitHub CodeQL Action](https://github.com/github/codeql-action/). If you have any other questions or concerns, please join the discussion [here](https://github.com/orgs/community/discussions/29534) in the official GitHub community!
#### I have another question / how do I get in touch?
Please join the discussion [here](https://github.com/orgs/community/discussions/29534) to ask further questions and send us suggestions!
</details>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For additional commands, e-mail: dev-help@baremaps.apache.org
[GitHub] [incubator-baremaps] julianhyde commented on pull request #534: Add CodeQL workflow
Posted by GitBox <gi...@apache.org>.
julianhyde commented on PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534#issuecomment-1311044458
Your reply makes me feel a bit better.
I'm not the decision-maker here, and my remark was just advice for the committers to be skeptical, and do due diligence on PRs that may have security implications.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For additional commands, e-mail: dev-help@baremaps.apache.org
[GitHub] [incubator-baremaps] bchapuis commented on pull request #534: Add CodeQL workflow
Posted by GitBox <gi...@apache.org>.
bchapuis commented on PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534#issuecomment-1312206874
@julianhyde Thanks a lot for the warning.
@jorgectf @sj could you please clarify why the codeql workflow needs write permission in case of security event? I checked the following [documentation](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) but havn't been able to find an explanation. For instance, does the workflow perform changes in the repo to apply security updates?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For additional commands, e-mail: dev-help@baremaps.apache.org
[GitHub] [incubator-baremaps] bchapuis merged pull request #534: Add CodeQL workflow
Posted by "bchapuis (via GitHub)" <gi...@apache.org>.
bchapuis merged PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-baremaps] jorgectf commented on pull request #534: Add CodeQL workflow
Posted by GitBox <gi...@apache.org>.
jorgectf commented on PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534#issuecomment-1312294533
@bchapuis: The `security-events: write` permission directive is granting the `GITHUB_TOKEN` generated for the job the [specific permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) required to [add security alerts](https://docs.github.com/en/rest/code-scanning#upload-an-analysis-as-sarif-data) to the repository, which get displayed under the repository [security tab](https://github.com/apache/incubator-baremaps/security/code-scanning). Other permissions such as `contents: write` are not needed in this workflow.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For additional commands, e-mail: dev-help@baremaps.apache.org
[GitHub] [incubator-baremaps] sj commented on pull request #534: Add CodeQL workflow
Posted by GitBox <gi...@apache.org>.
sj commented on PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534#issuecomment-1310938035
Hi @julianhyde! I understand that it can be surprising to receive a pull request with a new Actions workflow file from an unknown contributor. @jorgectf is a GitHub staff member who is helping key open source projects migrate from LGTM.com to GitHub code scanning. You can read more about the gradual deprecation in [this blog post (authored by me!) on the official GitHub Blog](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/).
And you can check [@jorgectf's profile](https://github.com/jorgectf); it has the `staff` badge on it:
I hope this helps; do let us know if you'd like any other form of confirmation that this is indeed a genuine offer of help — nothing fishy!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For additional commands, e-mail: dev-help@baremaps.apache.org
[GitHub] [incubator-baremaps] jorgectf commented on pull request #534: Add CodeQL workflow
Posted by "jorgectf (via GitHub)" <gi...@apache.org>.
jorgectf commented on PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534#issuecomment-1474049435
👋 Friendly ping
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-baremaps] bchapuis commented on pull request #534: Add CodeQL workflow
Posted by GitBox <gi...@apache.org>.
bchapuis commented on PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534#issuecomment-1312716225
@jorgectf Thanks a lot for the clarification. I just ran the workflow to check the kind of feedback it generates (we used to have LGTM and replaced it by sonar at some point). I will probably disable the javascript verifications as we use it as a scripting language in a java application.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For additional commands, e-mail: dev-help@baremaps.apache.org
[GitHub] [incubator-baremaps] julianhyde commented on pull request #534: Add CodeQL workflow
Posted by GitBox <gi...@apache.org>.
julianhyde commented on PR #534:
URL: https://github.com/apache/incubator-baremaps/pull/534#issuecomment-1310836869
This looks fishy to me.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@baremaps.apache.org
For additional commands, e-mail: dev-help@baremaps.apache.org