The CodeQL analysis is broken due to the large content of the SARIF file (#10606)

The issue was originally caused by high number of flows paths per alert
generated by the LDAP federation module. That was identified taking the
SARIF file generated and running:

```
jq '.runs[0].results | map({query_id: .rule.id, numPaths: .codeFlows |
length})' java.sarif

```

Together we reduced the number of flows paths, adding optimizations to
skip some paths and avoid false alerts.

Co-authored-by: Bruno Oliveira da Silva <bruno@abstractj.com>

Closes #10203

Co-authored-by: Joshua Mulliken <joshua@mulliken.net>
This commit is contained in:
Bruno Oliveira da Silva 2022-03-11 09:55:17 -03:00 committed by GitHub
parent 30d2dcb7b3
commit f06ba05405
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 107 additions and 34 deletions

40
.github/scripts/codeql/codeql-analyze.sh vendored Executable file
View file

@ -0,0 +1,40 @@
#!/bin/sh
CODEQL_BINARY="./codeql/codeql"
# Check if the binary exists
if [ ! -f "$CODEQL_BINARY" ];
then
printf "CodeQL binary not found!"
exit 1
fi
upload_results () {
echo "Uploading $1"
$CODEQL_BINARY github upload-results --sarif="$1" --repository="$GITHUB_REPOSITORY" --ref="$GITHUB_REF"
}
# Create the database based on the specifics per language
if [ "$1" = "java" ];
then
printf "Analyzing CodeQL Java database"
$CODEQL_BINARY database analyze "$1-database" codeql/java-queries --format=sarifv2.1.0 --output="$1".sarif --download --max-paths=1 --sarif-add-query-help
< java.sarif jq 'del(.runs[].results[].codeFlows)' > processed-java.sarif
upload_results processed-java.sarif
elif [ "$1" = "javascript" ];
then
printf "Analyzing themes database"
$CODEQL_BINARY database analyze themes-database codeql/javascript-queries --format=sarifv2.1.0 --output=themes.sarif --download --max-paths=1 --sarif-add-query-help
< themes.sarif jq 'del(.runs[].results[].codeFlows)' > processed-themes.sarif
upload_results processed-themes.sarif
printf "Analyzing js-adapter database"
$CODEQL_BINARY database analyze js-adapter-database codeql/javascript-queries --format=sarifv2.1.0 --output=js-adapter.sarif --download --max-paths=1 --sarif-add-query-help
< js-adapter.sarif jq 'del(.runs[].results[].codeFlows)' > processed-js-adapter.sarif
upload_results processed-js-adapter.sarif
fi

View file

@ -0,0 +1,25 @@
#!/bin/sh
CODEQL_BINARY="./codeql/codeql"
# Check if the binary exists
if [ ! -f "$CODEQL_BINARY" ];
then
printf "CodeQL binary not found!"
exit 1
fi
# Create the database based on the specifics per language
if [ "$1" = "java" ];
then
printf "Creating CodeQL Java database"
$CODEQL_BINARY database create "$1-database" --no-run-unnecessary-builds --language="$1" --command='mvn clean install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests'
elif [ "$1" = "javascript" ];
then
printf "Creating themes database"
$CODEQL_BINARY database create themes-database --no-run-unnecessary-builds --language=javascript --source-root=themes/ --command='mvn install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests'
printf "Creating js-adapter database"
$CODEQL_BINARY database create js-adapter-database --no-run-unnecessary-builds --language=javascript --source-root=adapters/oidc/js/ --command='mvn install -Dmaven.test.skip -DskipQuarkus -DskipTestsuite -DskipExamples -DskipTests'
fi

6
.github/scripts/codeql/codeql-install.sh vendored Executable file
View file

@ -0,0 +1,6 @@
#!/bin/sh
LATEST_RELEASE_URL=$(curl -s https://api.github.com/repos/github/codeql-cli-binaries/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep -i linux)
wget -q --show-progress "$LATEST_RELEASE_URL"
unzip codeql-linux64.zip

View file

@ -7,18 +7,20 @@ name: "CodeQL"
on: on:
# Disable for push and pull_request until https://github.com/keycloak/keycloak/issues/10203 is resolved # Disable for push and pull_request until https://github.com/keycloak/keycloak/issues/10203 is resolved
# push: push:
# branches: [main] branches: [main]
# pull_request: pull_request:
# The branches below must be a subset of the branches above # The branches below must be a subset of the branches above
# branches: [main] branches: [main]
# paths-ignore:
# - 'testsuite/**'
# - 'examples/**'
# - 'quarkus/tests/**'
schedule: schedule:
- cron: '0 9 * * 2' - cron: '0 9 * * 2'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
permissions:
security-events: write
jobs: jobs:
analyze: analyze:
name: Analyze name: Analyze
@ -37,34 +39,34 @@ jobs:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Install CodeQL
run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-install.sh
- uses: actions/setup-java@v2
if: ${{ matrix.language == 'java' }}
with:
distribution: 'temurin'
java-version: '11'
- name: Update maven settings - name: Update maven settings
run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/ run: mkdir -p ~/.m2 ; cp .github/settings.xml ~/.m2/
# Initializes the CodeQL tools for scanning. # Create the codeql database for Java
- name: Initialize CodeQL - name: Create CodeQL Java database
uses: github/codeql-action/init@v1 if: ${{ matrix.language == 'java' }}
with: run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-database-create.sh java
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Run the analysis for Java
# If this step fails, then you should remove it and run the build manually (see below) - name: Run CodeQL analysis for Java
- name: Autobuild if: ${{ matrix.language == 'java' }}
uses: github/codeql-action/autobuild@v1 run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-analyze.sh java
# Command-line programs to run using the OS shell. # Create the codeql database for JavaScript
# 📚 https://git.io/JvXDl - name: Create CodeQL JavaScript database
if: ${{ matrix.language == 'javascript' }}
run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-database-create.sh javascript
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # Run the analysis for JavaScript
# and modify them (or add more) to build your code if your project - name: Run CodeQL analysis for JavaScript
# uses a compiled language if: ${{ matrix.language == 'javascript' }}
run: ${GITHUB_WORKSPACE}/.github/scripts/codeql/codeql-analyze.sh javascript
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1