You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by Aditya Sharma <ad...@apache.org> on 2020/10/02 13:06:27 UTC
Enable CodeQL scanning for all the OFBiz repositories
Hi team,
I think we can enable the code scanning security feature for all the OFBiz
repositories available with GitHub that helps identifying security
vulnerabilities using CodeQL.
https://github.com/apache/ofbiz-framework/security/code-scanning
https://securitylab.github.com/tools/codeql
Citation from
https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
:
*"CodeQL, a semantic code analysis engine and query tool for finding
security vulnerabilities across a codebase, has been made available for
free by GitHub for anyone to use in research or to analyze open source
code."*
If no one is against it, I will move ahead with it.
Thanks and Regards,
Aditya Sharma
Re: Enable CodeQL scanning for all the OFBiz repositories
Posted by Jacques Le Roux <ja...@les7arts.com>.
Sounds good to me, thanks Aditya
Jacques
Le 03/10/2020 à 07:41, Aditya Sharma a écrit :
> That makes sense Jacques. It is critical.
>
> I tried with one of my repositories and found that Code scanning alerts
> under Security are only visible to people with write access i.e.
> Committers.
>
> Citation from article Managing code scanning alerts for your repository[1]
>
> *"Anyone with read permission for a repository can see code scanning alerts
> on pull requests. However, you need write permission to view a summary of
> alerts for repository on the Security tab."*
> Though I will spend some more time checking its behavior with other
> scenarios like PR.
>
> 1.
> https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert
>
> Thanks and Regards,
> Aditya Sharma
>
> On Fri, Oct 2, 2020 at 10:19 PM Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Hi Aditya,
>>
>> We (I at least) receive already security alerts for our website code. It
>> notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
>>
>> As long are we are able to restrict the alerts sending to committers, it's
>> OK with me. I'd not like other people to receive zero days information...
>>
>> Thanks
>>
>> Jacques
>>
>> Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
>>> Hi team,
>>>
>>> I think we can enable the code scanning security feature for all the
>> OFBiz
>>> repositories available with GitHub that helps identifying security
>>> vulnerabilities using CodeQL.
>>>
>>> https://github.com/apache/ofbiz-framework/security/code-scanning
>>> https://securitylab.github.com/tools/codeql
>>>
>>> Citation from
>>>
>> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
>>> :
>>> *"CodeQL, a semantic code analysis engine and query tool for finding
>>> security vulnerabilities across a codebase, has been made available for
>>> free by GitHub for anyone to use in research or to analyze open source
>>> code."*
>>>
>>> If no one is against it, I will move ahead with it.
>>>
>>> Thanks and Regards,
>>> Aditya Sharma
>>
Re: Enable CodeQL scanning for all the OFBiz repositories
Posted by Aditya Sharma <ad...@apache.org>.
That makes sense Jacques. It is critical.
I tried with one of my repositories and found that Code scanning alerts
under Security are only visible to people with write access i.e.
Committers.
Citation from article Managing code scanning alerts for your repository[1]
*"Anyone with read permission for a repository can see code scanning alerts
on pull requests. However, you need write permission to view a summary of
alerts for repository on the Security tab."*
Though I will spend some more time checking its behavior with other
scenarios like PR.
1.
https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert
Thanks and Regards,
Aditya Sharma
On Fri, Oct 2, 2020 at 10:19 PM Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:
> Hi Aditya,
>
> We (I at least) receive already security alerts for our website code. It
> notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
>
> As long are we are able to restrict the alerts sending to committers, it's
> OK with me. I'd not like other people to receive zero days information...
>
> Thanks
>
> Jacques
>
> Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
> > Hi team,
> >
> > I think we can enable the code scanning security feature for all the
> OFBiz
> > repositories available with GitHub that helps identifying security
> > vulnerabilities using CodeQL.
> >
> > https://github.com/apache/ofbiz-framework/security/code-scanning
> > https://securitylab.github.com/tools/codeql
> >
> > Citation from
> >
> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
> > :
> > *"CodeQL, a semantic code analysis engine and query tool for finding
> > security vulnerabilities across a codebase, has been made available for
> > free by GitHub for anyone to use in research or to analyze open source
> > code."*
> >
> > If no one is against it, I will move ahead with it.
> >
> > Thanks and Regards,
> > Aditya Sharma
>
>
Re: Enable CodeQL scanning for all the OFBiz repositories
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Aditya,
We (I at least) receive already security alerts for our website code. It notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
As long are we are able to restrict the alerts sending to committers, it's OK with me. I'd not like other people to receive zero days information...
Thanks
Jacques
Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
> Hi team,
>
> I think we can enable the code scanning security feature for all the OFBiz
> repositories available with GitHub that helps identifying security
> vulnerabilities using CodeQL.
>
> https://github.com/apache/ofbiz-framework/security/code-scanning
> https://securitylab.github.com/tools/codeql
>
> Citation from
> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
> :
> *"CodeQL, a semantic code analysis engine and query tool for finding
> security vulnerabilities across a codebase, has been made available for
> free by GitHub for anyone to use in research or to analyze open source
> code."*
>
> If no one is against it, I will move ahead with it.
>
> Thanks and Regards,
> Aditya Sharma