Thanks a lot for your insights Even!
Ok then, this is way beyond my skills and available time, let's forget
this naive approach. And let's plant a seed. Any grant proposal toward
enabling code scanning would probably be more than welcome.
I know some of you are trying to gather funding to approach the security
globally. If plans are already made, please express yourselves here. As
a person in charge of responding to security inquiries, I need some
visibility here.
Best regards
Régis
On 13/11/2024 at 12:03, Even Rouault wrote:
Régis,
you will probably need a bit more work than just pushing the default
button, as it will likely generate a default codeql.yml file that
won't work out-of-the-box on QGIS without tuning it. You'll need first
to install the list of QGIS dependencies to get a successful build.
Cf.
https://github.com/OSGeo/gdal/blob/master/.github/workflows/codeql.yml
for an example on GDAL. We disabled Python scanning, as 99% of Python
is in our test suite and I didn't want to be spammed about warnings in
non-production code. Turned on a large code base like QGIS, be ready
to see several hundreds of warnings popping up. In GDAL, one of the
most recurring categories was about "Multiplication result converted to
larger type", i.e. doing something like int64_t var = some_int_32_var *
another_int_32_var. Another thing I noticed with CodeQL is that it
seems to limit the analysis to a max number of files, more or less
randomly chosen depending on builds. So while we have it enabled for
pull requests, in some cases, it missed new warnings specific to the
PR during the review of the PR, but it then analyzed the modified
files during a run in master. As QGIS is larger than GDAL, I would
expect that to happen for QGIS too. That said, there's probably no
harm in enabling it as the number or detail of warnings is only
visible to users with write privileges to the repository.
Even
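The "Multiplication result converted to larger type" pattern Even mentions, as an added C example (not code from GDAL or QGIS; the raster width/height names are assumed): the first function multiplies two 32-bit operands and only then widens the product, which is what CodeQL flags, the second widens an operand first so the multiplication happens in 64-bit, and a small portable check tells whether a given pair of dimensions would overflow the narrow version.

```c
#include <stdint.h>
#include <stdio.h>

/* Pattern CodeQL flags: both operands are int32_t, so the product is
 * computed in 32-bit arithmetic and only the result is widened. Signed
 * overflow is undefined behaviour in C, so this is only safe when the
 * product actually fits in int32_t (see product_fits_int32 below). */
int64_t pixel_count_narrow(int32_t width, int32_t height)
{
    int64_t count = width * height;  /* 32-bit multiply, then widen */
    return count;
}

/* Fixed form: widen one operand before multiplying, so the whole
 * expression is evaluated in 64-bit and large rasters do not wrap. */
int64_t pixel_count_wide(int32_t width, int32_t height)
{
    int64_t count = (int64_t)width * height;  /* 64-bit multiply */
    return count;
}

/* Portable check (no compiler builtins): does a * b fit in int32_t?
 * Computes the exact product in 64-bit and compares against the range. */
int product_fits_int32(int32_t a, int32_t b)
{
    int64_t wide = (int64_t)a * b;
    return wide >= INT32_MIN && wide <= INT32_MAX;
}

int main(void)
{
    /* Constructed raster dimensions: 100000 x 100000 pixels. */
    int32_t w = 100000, h = 100000;
    if (!product_fits_int32(w, h))
        printf("narrow multiply would overflow for %d x %d\n", w, h);
    printf("wide result: %lld\n", (long long)pixel_count_wide(w, h));
    return 0;
}
```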
On 13/11/2024 at 09:58, Régis Haubourg via QGIS-Developer wrote:
Hi all,
the security requirements of IT departments keep on growing and we
receive more and more requests on the security mail.
The topic is broad, from filling in custom forms based on various
national or company-specific policies, to very precise vulnerability
scanning, or even asking us what we do to prevent XZ-like social
engineering attacks.
To get a better score on good practices [0], a simple first step
would be to activate code scanning. Github provides CodeQL [1] for
free. I would like to activate it and see how it goes.
Would you be OK with activating this and see how it goes (too much
spamming, limitations on our codebase, more advanced configuration
required, etc.)?
In case of no reaction, I'll push the button on Friday and see what
happens :)
@lova @Tim, we probably should do similar things for our websites, we
have some bounty seekers raising disclosures on our websites. I'd
prefer that we catch those CVEs earlier than have to deal with some of
those anonymous persons.
Thanks a lot !
Régis
[0] https://securityscorecards.dev/viewer/?uri=github.com/qgis/QGIS
[1] https://codeql.github.com/
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer