Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feasibility and DR: use of CodeQL for VS Code #5180

Closed
5 tasks done
Tracked by #5005
roslynwythe opened this issue Aug 10, 2023 · 10 comments
Closed
5 tasks done
Tracked by #5005

Feasibility and DR: use of CodeQL for VS Code #5180

roslynwythe opened this issue Aug 10, 2023 · 10 comments
Assignees
@kiran98118
Labels
Complexity: Medium Feature: Code Alerts ready for dev lead Issues that tech leads or merge team members need to follow up on role: back end/devOps Tasks for back-end developers size: 1pt Can be done in 4-6 hours
Milestone
08. Team workflow

Comments

@roslynwythe
Copy link
Member

roslynwythe commented Aug 10, 2023
edited by kiran98118
Loading

Overview

We should consider whether to adopt the policy that developers should install the "CodeQL for VS Code" extension. Currently the default branch of the repository is scanned weekly and the changed files in each Pull Request are scanned, however there are advantages to recieving alerts prior to initiating the Pull Request process.

Action Items

  • Become familiar with the repository level CodeQL scanning implemented in codeql-implementation #4886
  • Consider whether HfLA developers should install the CodeQL for VS Code extension.
  • We are currently in the process of moving the old wiki to the new website-wiki repo, so we will not be making any changes or additions to the old wiki at this time. Thus, we will be adding wiki content through a different process now. Read How to Contribute to the Wiki
  • Following the instruction in How to Contribute to the Wiki, write a draft DR with your recommendation in a comment in this issue.
  • Move this issue to Questions/In Review and add the ready for dev lead label.

Resources/Instructions
@roslynwythe roslynwythe added role: back end/devOps Tasks for back-end developers Complexity: Medium Feature Missing This label means that the issue needs to be linked to a precise feature label. size: 1pt Can be done in 4-6 hours Feature: Code Alerts labels Aug 10, 2023
@github-actions github-actions bot removed the Feature Missing This label means that the issue needs to be linked to a precise feature label. label Aug 10, 2023
@wanyuguan wanyuguan added this to the 08. Team workflow milestone Aug 12, 2023
@roslynwythe roslynwythe mentioned this issue Aug 14, 2023
Closed
2 tasks
@kiran98118 kiran98118 self-assigned this Feb 4, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 4, 2024

Hi @kiran98118, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

@kiran98118
Copy link
Contributor

i. Availability: I am available on Sunday, Tuesday, Wednesday, Friday and Saturday (10 am to 5pm)
ii. ETA: 11-02-2024

@ExperimentsInHonesty
Copy link
Member

@kiran98118 It looks like you forgot to move this to the in progress column on the board. I will move it for you.

@kiran98118
Copy link
Contributor

kiran98118 commented Feb 14, 2024 via email

@kiran98118 kiran98118 added the ready for dev lead Issues that tech leads or merge team members need to follow up on label Feb 18, 2024
@LRenDO
Copy link
Member

LRenDO commented Feb 21, 2024

Hi @kiran98118!

It looks like you have moved this because you are finished with the issue and it is ready for review. However, I don't see a draft DR in a comment on this issue or a link to a DR on the How to Contribute to the Wiki page. If I've missed it, please let me know. Otherwise, please add the DR according to the instructions on the How to Contribute to the Wiki page. Feel free to ping me if you have any questions. I am moving this back to the In Progress (actively working) column for now. Please move it back to Questions / In Review once you've completed the DR and add the ready for dev lead label.

Thanks for taking the time to contribute!

@LRenDO LRenDO removed the ready for dev lead Issues that tech leads or merge team members need to follow up on label Feb 21, 2024
@github-actions github-actions bot added the To Update ! No update has been provided label Feb 23, 2024
@github-actions GitHub Actions
Copy link

@kiran98118

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Monday, February 19, 2024 at 11:06 PM PST.

@kiran98118
Copy link
Contributor

kiran98118 commented Feb 26, 2024
edited by roslynwythe
Loading

Draft DR: Recommendation to adopt CodeQL for VS Code extension

  • HfLA developers should install the "CodeQL for VS Code" extension to enable real-time code analysis and security vulnerability detection within their local development environment.

  • The extension will provide immediate feedback and alerts on potential issues, allowing developers to address them before submitting a Pull Request.

  • This proactive approach complements the existing repository-level and Pull Request-level CodeQL scanning, further enhancing the overall code quality and security posture of the project.

  • Early detection and resolution of code issues and vulnerabilities, reducing the risk of introducing defects or security vulnerabilities into the codebase.

  • Improved developer productivity by addressing potential issues locally, minimizing the need for rework after the Pull Request review process.

  • Establish coding guidelines and standards that incorporate the CodeQL analysis findings and recommendations.

  • Gather feedback from HfLA developers on their experience with the "CodeQL for VS Code" extension and address any concerns or issues that arise.

@kiran98118 kiran98118 added ready for dev lead Issues that tech leads or merge team members need to follow up on and removed To Update ! No update has been provided labels Feb 26, 2024
@roslynwythe
Copy link
Member Author

  • Thank you @kiran98118 for your analysis. A problem with CodeQL has become apparent in Resolve CodeQL extraction errors #5234 and I would like to ask you about it. The problem is that on GitHub, CodeQL fails to scan any file that contains non-JS code, includeing liquid statements that appear in many of our JS files. Do you happen to know if the same will occur in the "CodeQL for VS Code" extension, and if there is a workaround?

@kiran98118
Copy link
Contributor

kiran98118 commented Mar 13, 2024
edited
Loading

@roslynwythe

CodeQL only supports C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, Swift languages. If the code you're attempting to scan is not written in one of the supported languages, the CodeQL scan will fail automatically. This behavior is also observed when using the CodeQL extension within Visual Studio (VS). The tool does not have the capability to analyze or process code written in languages that are not explicitly supported by the CodeQL platform.

@roslynwythe
Copy link
Member Author

Thank you @kiran98118 for your analysis and recommendation.

@roslynwythe roslynwythe mentioned this issue Mar 21, 2024
Closed
5 tasks
@roslynwythe roslynwythe mentioned this issue Apr 7, 2024
Open
20 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kiran98118 kiran98118

Labels
Complexity: Medium Feature: Code Alerts ready for dev lead Issues that tech leads or merge team members need to follow up on role: back end/devOps Tasks for back-end developers size: 1pt Can be done in 4-6 hours
Projects
P: HfLA Website: Project Board
Archived in project
Milestone
08. Team workflow
Development

No branches or pull requests
5 participants
@roslynwythe @wanyuguan @ExperimentsInHonesty @kiran98118 @LRenDO