Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/01/21 23:56:12 UTC

[GitHub] [trafficcontrol] ocket8888 opened a new pull request #5459: Code QL workflow

ocket8888 opened a new pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459


   ## What does this PR (Pull Request) do?
   - [x] This PR is not related to any Issue
   
   This PR adds a new GHA workflow that scans the repository for common security vulnerabilities like e.g.
   
   ```go
   func Handle(w http.ResponseWriter, r *http.Request) {
       body, _ := io.ReadAll(r.Body) // attacker-controlled request body
       // Deliberately unsafe: untrusted input concatenated straight into SQL.
       globalDBHandle.Exec("DELETE FROM " + string(body))
   }
   ```
   
   or something. It scans Go code, JavaScript, and Python - and the tool has support for Java as well, but TR's build process couldn't be done automatically by the "Autobuild" step and I didn't bother trying to get it to work until I know if anyone's even interested in this.
   
   ## Which Traffic Control components are affected by this PR?
   None
   
   ## What is the best way to verify this PR?
   Note the Action results on this PR. Should pass (because it did on my fork's `master` branch)
   
   ## The following criteria are ALL met by this PR
   - [x] This PR is a test
   - [x] Documentation is unnecessary
   - [x] An update to CHANGELOG.md is not necessary
   - [x] This PR includes any and all required license headers
   - [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY**


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficcontrol] zrhoffman merged pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman merged pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459


   





[GitHub] [trafficcontrol] zrhoffman commented on a change in pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman commented on a change in pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#discussion_r562375268



##########
File path: .github/workflows/codeql.analysis.yml
##########
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '32 11 * * 0'
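Review bot: the `schedule` entry `- cron: '32 11 * * 0'` carries no comment saying when it fires (every Sunday at 11:32 UTC); add one above it, e.g. `# Weekly full scan: Sundays at 11:32 UTC`. That comment should also say that a scheduled run only analyzes the latest commit of the default branch, so it cannot replace the `push` trigger as the baseline that pull-request analyses are compared against.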

Review comment:
       A comment that describes this CRON expression would make it more maintainable







[GitHub] [trafficcontrol] ocket8888 commented on pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#issuecomment-768641954


   So, regarding
   
   > 1 issue was detected with this workflow: Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.
   
   if I add `on.push` hooks to all of those then we'll be double-testing every push to master with each of those workflows _and_ the main/scheduled one.
   
   If it's comparing against the state of master, then maybe we didn't need to split these into separate workflows? Because then the runs for languages that have no changes won't actually be doing anything, if I'm understanding that correctly. The CodeQL web pages aren't helping me understand the action's behavior very much, because they're very focused on the parsing tool and don't mention this GHA at all, but I can probably contact GitHub support for a more thorough explanation





[GitHub] [trafficcontrol] ocket8888 commented on a change in pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on a change in pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#discussion_r562375782



##########
File path: .github/workflows/codeql.analysis.yml
##########
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '32 11 * * 0'

Review comment:
       that was actually auto-generated so I'll need to look it up (because I always need to, which is why this is a good idea) but I can do that.







[GitHub] [trafficcontrol] zrhoffman edited a comment on pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman edited a comment on pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#issuecomment-769264030


   > So, regarding
   > 
   > > 1 issue was detected with this workflow: Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.
   > 
   > if I add `on.push` hooks to all of those then we'll be double-testing every push to master with each of those workflows _and_ the main/scheduled one.
   
   IMO we should just nix the scheduled workflow. The scheduled workflow alone is not adequate to provide a commit baseline for the per-language workflows that we want to run against PRs.
   
   > If it's comparing against the state of master, then maybe we didn't need to split these into separate workflows? Because then the runs for languages that have no changes won't actually be doing anything, if I'm understanding that correctly.
   
   Once the runs start, they won't get far before exiting if nothing has changed, sure, but in cases where Apache has surpassed the *concurrent jobs* limit, which happens daily, each of these languages adds an additional job to the queue that holds up other Apache projects' GitHub Action runs that were queued after that job, even if nothing has changed for that language.
   
   So, it's still advantageous to split the workflow by language, since each workflow ignores different paths.





[GitHub] [trafficcontrol] zrhoffman commented on a change in pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman commented on a change in pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#discussion_r562379003



##########
File path: .github/workflows/codeql.analysis.yml
##########
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '32 11 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL also supports Java, but our build system is too esoteric for them.
+        language: [ 'go', 'javascript', 'python' ]
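Review bot: with `push` and `pull_request` both unfiltered, the matrix on the last line of the hunk queues a Go, a JavaScript and a Python job for every commit, including commits that touch only one language; add `paths` filters to the triggers (or one workflow per language, each filtered to its own sources) so unrelated changes do not consume shared runner slots. The comment above `language` should also record what actually fails in the Java autobuild rather than calling the build system esoteric, so the omission can be revisited later.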

Review comment:
       This GHA is set to run for commits to master and on PRs. As-is, all 3 languages are scanned each time. What do you think about breaking this workflow file into 3 separate workflow files so each language's workflow is only triggered if sources for that language are changed?







[GitHub] [trafficcontrol] ocket8888 commented on pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#issuecomment-770028149


   Per github/codeql#5048 we should just get rid of the fourth workflow altogether (schedule _and_ push) and run each of the language-specific ones on both push and pull, otherwise CodeQL won't run properly. I'll do that.





[GitHub] [trafficcontrol] zrhoffman commented on pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman commented on pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#issuecomment-765102060


   Results are at [https://github.com/apache/trafficcontrol/security/code-scanning?query=ref:refs/pull/5459/merge](/apache/trafficcontrol/security/code-scanning?query=ref:refs/pull/5459/merge) but write access to the repo [is required](https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/repository-permission-levels-for-an-organization#permission-requirements-for-security-features) in order to see them.
   
   > The tool has support for Java as well, but TR's build process couldn't be done automatically by the "Autobuild" step and I didn't bother trying to get it to work until I know if anyone's even interested in this.
   
   This is a cool thing; any chance we can get it working for Java also?





[GitHub] [trafficcontrol] zrhoffman commented on pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman commented on pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#issuecomment-765107186


   > There's always a chance. I just don't really know how. I took a glance at the build output and didn't see anything that pointed me to the obvious problem, but I'd bet just about anything that it's because of Tomcat not being present.
   
   Okay, it can always be added later.





[GitHub] [trafficcontrol] zrhoffman commented on a change in pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman commented on a change in pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#discussion_r565702210



##########
File path: .github/workflows/codeql.javascript.yml
##########
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one

Review comment:
       https://github.com/apache/trafficcontrol/actions/runs/514388423
   
   >  1 issue was detected with this workflow: Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.

##########
File path: .github/workflows/codeql.python.yml
##########
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one
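Review bot: the quoted run output for this file shows the init step's Python dependency installer failing; passing `setup-python-dependencies: false` to `github/codeql-action/init`, as that message suggests, unblocks the workflow, but with none of the project's dependencies installed the analysis resolves fewer third-party calls, so record that trade-off in a comment next to the input rather than leaving it as an unexplained switch.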

Review comment:
       https://github.com/apache/trafficcontrol/actions/runs/514388430
   
   > 1 issue was detected with this workflow: Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.
   
   > Unable to download and extract the tools needed for installing the python dependencies. You can call this action with 'setup-python-dependencies: false' to disable this process. 

##########
File path: .github/workflows/codeql.go.yml
##########
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one

Review comment:
       https://github.com/apache/trafficcontrol/actions/runs/514388427
   
   > 1 issue was detected with this workflow: Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.
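A per-language workflow of the shape the thread settles on, added here as an illustration and not a file from this PR: push and pull_request triggers on master, each limited with a `paths` filter so the Python scan is only queued when Python sources (or the workflow file itself) change, the job token narrowed to what code scanning needs, and the `setup-python-dependencies: false` input that the quoted error message suggests. The `paths` globs, the action versions and the `permissions` block are assumptions, not taken from the repository.

```yaml
# Added illustration of a per-language CodeQL workflow; not the file from this PR.
name: "CodeQL (Python)"

on:
  push:
    branches: [ master ]
    # The push baseline on master is what pull-request results are compared
    # against, so this trigger must stay; the filter only skips commits that
    # change no Python source. Globs below are assumed, not the repo's own.
    paths:
      - '**.py'
      - '.github/workflows/codeql.python.yml'
  pull_request:
    branches: [ master ]
    paths:
      - '**.py'
      - '.github/workflows/codeql.python.yml'

# Least privilege for GITHUB_TOKEN: read the checkout, write scan results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze Python
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: python
          # The default dependency installer failed in this repository's runs
          # (see the quoted error above); the action itself suggests this switch.
          # Trade-off: calls into uninstalled third-party packages resolve less precisely.
          setup-python-dependencies: false

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

The same file with `languages` and the `paths` globs swapped gives the Go and JavaScript variants; each still carries its own `push` trigger so code scanning has a base-branch analysis to compare against.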










[GitHub] [trafficcontrol] ocket8888 commented on a change in pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on a change in pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#discussion_r563243377



##########
File path: .github/workflows/codeql.analysis.yml
##########
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '32 11 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL also supports Java, but our build system is too esoteric for them.
+        language: [ 'go', 'javascript', 'python' ]

Review comment:
       So I think the reason it isn't is because when you run the cron task you want it to hit everything, since nothing in particular has changed, possibly. I could split it into 4 separate workflows to keep that behavior and also only run what's needed on PRs.









[GitHub] [trafficcontrol] ocket8888 commented on pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#issuecomment-765105201


   There's always a chance. I just don't really know how. I took a glance at the build output and didn't see anything that pointed me to the obvious problem, but I'd bet just about anything that it's because of Tomcat not being present.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficcontrol] ocket8888 commented on pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#issuecomment-765105201


   There's always a chance. I just don't really know how. I took a glance at the build output and didn't see anything that pointed me to the obvious problem, but I'd bet just about anything that it's because of Tomcat not being present.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficcontrol] zrhoffman commented on a change in pull request #5459: Code QL workflow

Posted by GitBox <gi...@apache.org>.
zrhoffman commented on a change in pull request #5459:
URL: https://github.com/apache/trafficcontrol/pull/5459#discussion_r563248477



##########
File path: .github/workflows/codeql.analysis.yml
##########
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '32 11 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL also supports Java, but our build system is too esoteric for them.
+        language: [ 'go', 'javascript', 'python' ]

Review comment:
       Yeah, with that explanation, 4 workflows makes the most sense since we still want the weekly job to hit all languages.






