Enable CodeQL scanning for all the OFBiz repositories

[Aditya Sharma <ad...@apache.org>]

Hi team,

I think we can enable the code scanning security feature for all the OFBiz
repositories available with GitHub that helps identifying security
vulnerabilities using CodeQL.

https://github.com/apache/ofbiz-framework/security/code-scanning
https://securitylab.github.com/tools/codeql

Citation from
https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
:
*"CodeQL, a semantic code analysis engine and query tool for finding
security vulnerabilities across a codebase, has been made available for
free by GitHub for anyone to use in research or to analyze open source
code."*

If no one is against it, I will move ahead with it.

Thanks and Regards,
Aditya Sharma

Re: Enable CodeQL scanning for all the OFBiz repositories

[Jacques Le Roux <ja...@les7arts.com>]

Sounds good to me, thanks Aditya

Jacques

Le 03/10/2020 à 07:41, Aditya Sharma a écrit :
> That makes sense Jacques. It is critical.
>
> I tried with one of my repositories and found that Code scanning alerts
> under Security are only visible to people with write access i.e.
> Committers.
>
> Citation from article Managing code scanning alerts for your repository[1]
>
> *"Anyone with read permission for a repository can see code scanning alerts
> on pull requests. However, you need write permission to view a summary of
> alerts for repository on the Security tab."*
> Though I will spend some more time checking its behavior with other
> scenarios like PR.
>
> 1.
> https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert
>
> Thanks and Regards,
> Aditya Sharma
>
> On Fri, Oct 2, 2020 at 10:19 PM Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Hi Aditya,
>>
>> We (I at least) receive already security alerts for our website code. It
>> notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
>>
>> As long are we are able to restrict the alerts sending to committers, it's
>> OK with me. I'd not like other people to receive zero days information...
>>
>> Thanks
>>
>> Jacques
>>
>> Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
>>> Hi team,
>>>
>>> I think we can enable the code scanning security feature for all the
>> OFBiz
>>> repositories available with GitHub that helps identifying security
>>> vulnerabilities using CodeQL.
>>>
>>> https://github.com/apache/ofbiz-framework/security/code-scanning
>>> https://securitylab.github.com/tools/codeql
>>>
>>> Citation from
>>>
>> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
>>> :
>>> *"CodeQL, a semantic code analysis engine and query tool for finding
>>> security vulnerabilities across a codebase, has been made available for
>>> free by GitHub for anyone to use in research or to analyze open source
>>> code."*
>>>
>>> If no one is against it, I will move ahead with it.
>>>
>>> Thanks and Regards,
>>> Aditya Sharma
>>

Re: Enable CodeQL scanning for all the OFBiz repositories

[Aditya Sharma <ad...@apache.org>]

That makes sense Jacques. It is critical.

I tried with one of my repositories and found that Code scanning alerts
under Security are only visible to people with write access i.e.
Committers.

Citation from article Managing code scanning alerts for your repository[1]

*"Anyone with read permission for a repository can see code scanning alerts
on pull requests. However, you need write permission to view a summary of
alerts for repository on the Security tab."*
Though I will spend some more time checking its behavior with other
scenarios like PR.

1.
https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert

Thanks and Regards,
Aditya Sharma

On Fri, Oct 2, 2020 at 10:19 PM Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> Hi Aditya,
>
> We (I at least) receive already security alerts for our website code. It
> notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
>
> As long are we are able to restrict the alerts sending to committers, it's
> OK with me. I'd not like other people to receive zero days information...
>
> Thanks
>
> Jacques
>
> Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
> > Hi team,
> >
> > I think we can enable the code scanning security feature for all the
> OFBiz
> > repositories available with GitHub that helps identifying security
> > vulnerabilities using CodeQL.
> >
> > https://github.com/apache/ofbiz-framework/security/code-scanning
> > https://securitylab.github.com/tools/codeql
> >
> > Citation from
> >
> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
> > :
> > *"CodeQL, a semantic code analysis engine and query tool for finding
> > security vulnerabilities across a codebase, has been made available for
> > free by GitHub for anyone to use in research or to analyze open source
> > code."*
> >
> > If no one is against it, I will move ahead with it.
> >
> > Thanks and Regards,
> > Aditya Sharma
>
>

Re: Enable CodeQL scanning for all the OFBiz repositories

[Jacques Le Roux <ja...@les7arts.com>]

Hi Aditya,

We (I at least) receive already security alerts for our website code. It notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git

As long are we are able to restrict the alerts sending to committers, it's OK with me. I'd not like other people to receive zero days information...

Thanks

Jacques

Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
> Hi team,
>
> I think we can enable the code scanning security feature for all the OFBiz
> repositories available with GitHub that helps identifying security
> vulnerabilities using CodeQL.
>
> https://github.com/apache/ofbiz-framework/security/code-scanning
> https://securitylab.github.com/tools/codeql
>
> Citation from
> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
> :
> *"CodeQL, a semantic code analysis engine and query tool for finding
> security vulnerabilities across a codebase, has been made available for
> free by GitHub for anyone to use in research or to analyze open source
> code."*
>
> If no one is against it, I will move ahead with it.
>
> Thanks and Regards,
> Aditya Sharma