Régis,
you will probably need a bit more work than just pushing the default
button, as it will likely generate a default codeql.yml file that won't
work out-of-the-box on QGIS without tuning it. You'll need first to
install the list of QGIS dependencies to get a successful build. Cf
https://github.com/OSGeo/gdal/blob/master/.github/workflows/codeql.yml
for an example on GDAL. We disabled Python scanning, as 99% of Python is
in our test suite and I didn't want to be spammed about warnings in
non-production code. Turned on a large code base like QGIS, be ready to
see several hundreds of warnings popping up. In GDAL, one of the most
recurring category was about "Multiplication result converted to larger
type", ie doing something like int64_t var = some_int_32_var *
another_int_32_var. Another thing I noticed with CodeQL is that it seems
to limit the analysis to a max number of files, more or less randomly
chosen depending on builds. So while we have it enabled for pull
requests, in some cases, it missed new warnings specific on the PR
during the review of the PR, but it then analyzed the modified files
during a run in master. As QGIS is larger than GDAL, I would expect that
to happen for QGIS too. That said, there's probably no harm in enabling
it as the number or detail of warnings is only visible to users with
write privileges to the repository
Even
Le 13/11/2024 à 09:58, Régis Haubourg via QGIS-Developer a écrit :
Hi all,
the security requirements of IT departments keeps on growing and we
receive more and more requests on the security mail.
The topic is broad, from filling in custom forms based on various
national or company-specific policies, to very precise vulnerability
scanning, or even ask us what we do to prevent XZ-like social
engineering attacks.
To get a better score on good practices [0], a simple first step would
be to activate code scanning. Github provides CodeQL [1] for free. I
would like to activate it and see how it goes.
Would you be OK with activating this and see how it goes (too much
spamming, limitations on our codebase, more advanced configuration
required etc... ) ?
In case of no reaction, I'll push the button on friday and see what
happens :)
@lova @Tim, we probably should do similar things for our websites, we
have some bounty seekers raising disclosures on our websites. I'd
prefer that we catch those CVE earlier than have to deal with some of
those anonymous persons.
Thanks a lot !
Régis
[0] https://securityscorecards.dev/viewer/?uri=github.com/qgis/QGIS
[1] https://codeql.github.com/
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
--
http://www.spatialys.com
My software is free, but my time generally not.
Butcher of all kinds of standards, open or closed formats. At the end, this is
just about bytes.
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
