Skip to content

Java: remove SpringBootActuators query #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Java: remove SpringBootActuators query #123

wants to merge 1 commit into from

Conversation

jcogs33
Copy link

@jcogs33 jcogs33 commented Apr 21, 2025
edited
Loading

Description

This PR removes the githubsecuritylab/java/spring-boot-exposed-actuators query. This query was added to the default code scanning query suite by github/codeql#18793 and released in CodeQL 2.21.0.

I will make follow-up PRs to update package dependencies for 2.21.0 (draft PR) and to publish a new release.

Consideration

  • Does this need a change note? I see a Change notes section in CONTRIBUTING.md, but since the linked guide does not exist, I'm not sure if a change note is needed.
  • I have not contributed to this repo before, so let me know if there's anything else I need to do.

(cc @michaelnebel)

@jcogs33 jcogs33 mentioned this pull request Apr 22, 2025
Draft
@jcogs33 jcogs33 marked this pull request as ready for review April 22, 2025 22:36
@Copilot Copilot AI review requested due to automatic review settings April 22, 2025 22:36
Copilot
Copilot AI reviewed Apr 22, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR removes the Spring Boot Actuators query by deleting two files that define both test and configuration code for actuator endpoints, aligning the codebase with the updated CodeQL query suite.

  • Removed test file for Spring Boot actuator security from java/test/security/CWE-016.
  • Removed Spring Boot actuator configuration classes from java/src/security/CWE-016.

Reviewed Changes

Copilot reviewed 2 out of 7 changed files in this pull request and generated no comments.

File Description
java/test/security/CWE-016/SpringBootActuators.java Removed test code for actuator endpoint security
java/src/security/CWE-016/SpringBootActuators.java Removed actuator security configuration classes
Files not reviewed (5)
  • java/src/security/CWE-016/SpringBootActuators.qhelp: Language not supported
  • java/src/security/CWE-016/SpringBootActuators.ql: Language not supported
  • java/src/security/CWE-016/SpringBootActuators.qll: Language not supported
  • java/test/security/CWE-016/SpringBootActuators.expected: Language not supported
  • java/test/security/CWE-016/SpringBootActuators.qlref: Language not supported

michaelnebel
michaelnebel approved these changes Apr 23, 2025
View reviewed changes
Copy link
Collaborator

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@michaelnebel
Copy link
Collaborator

I will make follow-up PRs to update package dependencies for 2.21.0 (draft PR) and to publish a new release.
Excellent!

Does this need a change note? I see a Change notes section in CONTRIBUTING.md, but since the linked guide does not exist, I'm not sure if a change note is needed.

Good question. It appears that this guide was merged around the time, where we added the experimental queries in the first place (at that time we didn't make any change notes). My best guess is that we don't need to add a change note (as this part of the documentation is dangling/unfinished). In any case, maybe ask in #codeql-community-packs on slack (the section in Contributing file should either be deleted or extended with the missing parts).

@jcogs33
Copy link
Author

jcogs33 commented Apr 28, 2025

In any case, maybe ask in #codeql-community-packs on slack

Will do, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@michaelnebel michaelnebel michaelnebel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jcogs33 @michaelnebel