CodeQL is a semantic code analysis engine developed by GitHub to automate security checks. A database is extracted from source code that can be analysed with a powerful query language. Each single query can be thought of as a “check” or “rule” representing a distinct security vulnerability that is being searched for. There is an available set of standard CodeQL queries, written by GitHub researchers and community contributors, and custom ones can be written too. See Writing queries in the CodeQL docs for more information.
CodeQL is integrated into the EDC CI build in a dedicated GitHub workflow. Currently, the workflow runs on PRs and on commits to the main branch, and it runs the default set of queries as provided by CodeQL.
To get a more detailed scan, we extended the CodeQL queries by using the built-in CodeQL query suite `security-and-quality`:
```yaml
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    queries: +security-and-quality
```
To reduce the number of false positive alerts, we excluded the test code from the scan by replacing CodeQL Autobuild with a step that compiles only the Java production sources:
```yaml
# Compiles production Java sources (without tests)
- name: Build
  run: ./gradlew compileJava
```
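The complete job that the two snippets above belong to, as an added example (this is not the EDC project's own workflow file); the checkout, setup-java and analyze steps, the Java version and the matrix layout are assumptions:

```yaml
# Added example: a full CodeQL job combining the two snippets above.
# Not the EDC project's workflow file; checkout, setup-java, the Java
# version and the matrix layout are assumptions.
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload results to the Security tab
      contents: read

    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'     # assumed; match the project's toolchain

      # Initializes the CodeQL tools for scanning; the leading '+' keeps the
      # default queries and adds the security-and-quality suite on top.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality

      # Replaces github/codeql-action/autobuild so that test sources are not
      # compiled and therefore produce no alerts.
      - name: Build
        run: ./gradlew compileJava

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

Because only `compileJava` runs, code that is only reachable from test sources is absent from the database, so alerts in test code disappear together with any production findings that depended on them.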
The results are visible in the GitHub workflow check view under the PR and in the Security tab.
After clicking on an alert, a view with a more detailed explanation, references and examples is shown.
Alerts can be suppressed or removed by users with Security permissions, which are assigned by default to the Write, Maintain and Admin roles.
Users with Read permissions (repository Members by default) can see the alerts in PRs, but they cannot suppress the alerts or see their details.
Users with the proper permissions can analyse the alerts and dismiss or delete them if they are not applicable, from both views: under the PR and in the Security tab.
Dismissing an alert dismisses it on all branches. Dismissed alerts can be reopened later. Deleting an alert does not prevent it from appearing again on the next scan. The GitHub documentation has more information about dismissing and deleting CodeQL alerts.
In the Settings tab we can also define the alert severities that cause the pull request check to fail (also available only to users with at least the Write role).
GitHub code scanning does not support alert suppression comments and annotations at the moment.
LGTM is an online analysis platform that automatically checks your code for real CVEs and vulnerabilities using CodeQL. In contrast to running CodeQL as a GitHub Action, LGTM supports alert suppression through comments and annotations in the code. It could be considered a useful addition to the project in the future, as it seems to be a more comfortable and mature alternative.
After reviewing the current capabilities of CodeQL for query customization, with the intention of providing additional insight for the repository, the following findings are presented:
- The documentation for CodeQL is lacking in detail and provides little insight into the capabilities of the query language.
- Customization of CodeQL at this time brings little benefit and would require additional review of the source code in order to fully expose robust features that enable customizations.
- CodeQL has valuable functionality in existing packs, which can and should be used when it benefits the needs of the project.
- Development efforts for CodeQL remain strong, and progress is expected to bring clarity and new features that will enable one to develop customizations in the future.