envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
24.82k stars, 4.77k forks

Apply CodeQL/LGTM/Semmle static analysis to Envoy code base #9485

Open htuch opened 4 years ago

htuch commented 4 years ago

GitHub now has CodeQL for OSS projects (https://securitylab.github.com/tools/codeql). This is Semmle (lgtm.com), a fairly powerful static analysis tool. We should look at setting this up for Envoy, analyzing reports and adding custom queries.

htuch commented 4 years ago

Apparently we automagically have some of this running for our Python: https://lgtm.com/projects/g/envoyproxy/envoy?mode=list. There's apparently some Bazel joy required to get this to work with the C++.

moderation commented 4 years ago

Looking at the alerts Semmle is generating for Python, it looks like it is defaulting to Python 2. glob.glob doesn't support recursive in Python 2 (doco), but it is supported in Python 3 (doco).

I think it is being misidentified as Python 2 as there are commits that pre-date Jan 1 2017 - https://lgtm.com/help/lgtm/analysis-faqs#why-are-there-false-positives-in-my-python-project

Any concern with trying an LGTM project config file, lgtm.yaml (docs), with the following?

```yaml
extraction:
  python:
    python_setup:
      version: 3
```

htuch commented 4 years ago

@moderation sounds good. I think the results from Python won't be very interesting at all, as these are just developer tools, but if we can set up a dedicated LGTM YAML and start to move it towards something we can be doing C++ analysis with, it'd be useful for sure.

htuch commented 4 years ago

@asraa can you summarize the current status of the CodeQL work? Do you have a list of items for what could be done next here?

asraa commented 4 years ago

Sure! @stedsome just in case too.

Right now CodeQL runs (1) daily on source/common/http/... tree and (2) on the H/1 and H/2 codecs if a push changes source/common/http/.... It's found one minor potential integer overflow in the H/2 codec.

Future work:
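The split asraa describes (a daily run over the source/common/http tree plus a run triggered only when a push touches that tree) maps onto a GitHub Actions CodeQL workflow with a schedule trigger and a path-filtered push trigger. The workflow below is an added illustration, not Envoy's own workflow; the Bazel target pattern, the --spawn_strategy=local flag, the cron time and the query suite are assumptions.

```yaml
# Added illustration: a CodeQL C++ workflow shaped like the schedule/path-filter
# split described in the thread. Not Envoy's own workflow; the Bazel target and
# the build flags are assumptions.
name: codeql-http

on:
  schedule:
    - cron: '0 3 * * *'          # (1) daily run, regardless of what changed
  push:
    paths:
      - 'source/common/http/**'  # (2) only when a push changes the HTTP tree

permissions:
  contents: read
  security-events: write         # required to upload the SARIF results

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: cpp
          # Built-in suite; custom .ql files or packs (the "custom queries" the
          # thread mentions) can be listed here as additional entries.
          queries: security-and-quality

      # The C++ extractor works by tracing compiler invocations, so the code
      # must actually be compiled inside this job. Bazel's sandbox hides those
      # invocations from the tracer unless spawns run locally, which is the
      # "Bazel joy" from earlier in the thread. Target pattern is assumed.
      - name: Build HTTP tree
        run: |
          bazel build \
            --spawn_strategy=local \
            //source/common/http/...

      - uses: github/codeql-action/analyze@v3
        with:
          category: cpp-http
```

Findings such as the integer-overflow alert mentioned above then surface in the repository's code-scanning tab, where each can be triaged or dismissed with a reason.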

asraa commented 4 years ago

At this point, future work would need: