alphagov / govuk-browser-extension

Chrome and Firefox extension for developers working on GOV.UK.

Add missing SCA / SAST scans to CI #196

Closed ChrisBAshton closed 3 months ago

ChrisBAshton commented 4 months ago

This will resolve the alert at https://gds.slack.com/archives/C02L13S214K/p1714381348726429.

NB, this took a bit of effort! We were seeing an error with the default code analysis:

Extracting javascript
Extracting ruby
Finalizing javascript
Finalizing ruby
  /opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby
  CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build .
  Error: Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.17.1/x64/codeql/codeql database finalize --finalize-dataset --threads=4 --ram=14567 /home/runner/work/_temp/codeql_databases/ruby". Exit code was 32 and last log line was: CodeQL detected code written in JavaScript/TypeScript, but not any written in Ruby. Confirm that there is some source code for Ruby in the project. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build . See the logs for more details.

We explored configuring the reusable workflow to take a languages input, but there doesn't seem to be a way of defaulting to 'undefined' if the parameter isn't passed, meaning we'd have to set a default of, say, 'ruby'. This would break the workflow for repos that may already be working with both Ruby and JS, where they'd be forced to pass the languages parameter now.

We also explored setting up CodeQL directly within the GitHub UI and explicitly opting out of Ruby to have JS only, but the reusable workflow still does a language detection and runs both JS and Ruby scans (the "JS only" scan appears as a separate job called "CodeQL / Analyze (javascript-typescript) (dynamic)"):

[Screenshot, 2024-05-29 at 09:50:26]

Eventually, on closer inspection, we found that the only ruby in this project was a disused Rakefile, so we removed it in https://github.com/alphagov/govuk-browser-extension/pull/198. Now the CodeQL scan passes.
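A quick local check for the situation described in the comment above, before enabling CodeQL on a repo: list which files would pull each language into auto-detection, so a stray file like a disused Rakefile stands out. This is an added example, not code from this PR or from the govuk-browser-extension repository. The filename patterns are a subset of what GitHub's linguist attributes to Ruby and JavaScript/TypeScript (an assumption, not the full list), and the sample repository layout is constructed for the example.

```shell
#!/usr/bin/env sh
# find_lang_files DIR LANG: print files under DIR (relative paths, sorted) whose
# names match the patterns for LANG ("ruby" or "javascript"). Skips .git and
# node_modules so vendored dependencies do not count as project source.
# The pattern lists are a common subset of linguist's mapping (assumption).
find_lang_files() {
  dir=$1
  lang=$2
  (
    cd "$dir" || exit 1
    case $lang in
      ruby)
        find . -type f ! -path './.git/*' ! -path './node_modules/*' \
          \( -name '*.rb' -o -name '*.rake' -o -name '*.gemspec' \
             -o -name 'Rakefile' -o -name 'Gemfile' -o -name 'Guardfile' \
             -o -name 'Vagrantfile' -o -name '.irbrc' \) ;;
      javascript)
        find . -type f ! -path './.git/*' ! -path './node_modules/*' \
          \( -name '*.js' -o -name '*.mjs' -o -name '*.cjs' -o -name '*.jsx' \
             -o -name '*.ts' -o -name '*.tsx' \) ;;
      *)
        echo "unknown language: $lang" >&2
        exit 2 ;;
    esac
  ) | sed 's|^\./||' | sort
}

# count_lang_files DIR LANG: number of matching files, as a bare integer.
count_lang_files() {
  find_lang_files "$1" "$2" | wc -l | tr -d ' '
}

# language_report DIR: one "LANG COUNT" line per language. A language backed by
# only one or two files is the candidate to remove (or exclude) before CodeQL
# tries to build a database for it.
language_report() {
  for lang in javascript ruby; do
    printf '%s %s\n' "$lang" "$(count_lang_files "$1" "$lang")"
  done
}

# make_sample_repo: build a constructed stand-in for a browser-extension checkout
# (two JS files, a manifest, a vendored dependency and a leftover Rakefile) in a
# temp dir and print its path. Constructed sample input, not a real repository.
make_sample_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/src" "$d/node_modules/left-pad"
  echo 'console.log("popup");' > "$d/src/popup.js"
  echo 'console.log("background");' > "$d/src/background.js"
  echo '{"manifest_version": 3}' > "$d/manifest.json"
  echo 'task :default do; end' > "$d/Rakefile"
  echo 'module.exports = 1;' > "$d/node_modules/left-pad/index.js"
  printf '%s\n' "$d"
}

# Usage: sh codeql_languages.sh [DIR]. With no DIR the constructed sample repo is
# used and removed afterwards.
main() {
  dir=${1:-}
  cleanup=
  if [ -z "$dir" ]; then
    dir=$(make_sample_repo)
    cleanup=$dir
  fi
  language_report "$dir"
  echo "--- ruby files in $dir ---"
  find_lang_files "$dir" ruby
  if [ -n "$cleanup" ]; then
    rm -rf "$cleanup"
  fi
}

main "$@"
```

Run it against a real checkout with `sh codeql_languages.sh path/to/repo`; on the sample layout it reports two JavaScript files and exactly one Ruby file, the Rakefile, which is the kind of result that would have pointed at the fix in this PR straight away.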

github-advanced-security[bot] commented 4 months ago

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.