Add CodeQL workflow for GitHub code scanning

[lgtm-com]

Hi aws/s2n-tls!

This is a one-off automatically generated pull request from LGTM.com 🤖. You might have heard that we’ve integrated LGTM’s underlying CodeQL analysis engine natively into GitHub. The result is GitHub code scanning!

With LGTM fully integrated into code scanning, we are focused on improving CodeQL within the native GitHub code scanning experience. In order to take advantage of current and future improvements to our analysis capabilities, we suggest you enable code scanning on your repository. Please take a look at our blog post for more information.

This pull request enables code scanning by adding an auto-generated codeql.yml workflow file for GitHub Actions to your repository — take a look! We tested it before opening this pull request, so all should be working ✔️. In fact, you might already have seen some alerts appear on this pull request!

Where needed and if possible, we’ve adjusted the configuration to the needs of your particular repository. But of course, you should feel free to tweak it further! Check this page for detailed documentation.

Questions? Check out the FAQ below!

FAQ

Click here to expand the FAQ section

How often will the code scanning analysis run?

By default, code scanning will trigger a scan with the CodeQL engine on the following events:

• On every pull request — to flag up potential security problems for you to investigate before merging a PR.
• On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
• Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

What will this cost?

Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

What types of problems does CodeQL find?

The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the security-and-quality query suite for you.

How do I upgrade my CodeQL engine?

No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

The analysis doesn’t seem to be working

If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

How do I disable LGTM.com?

If you have LGTM’s automatic pull request analysis enabled, then you can follow these steps to disable the LGTM pull request analysis. You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com (more info here).

Which source code hosting platforms does code scanning support?

GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

How do I know this PR is legitimate?

This PR is filed by the official LGTM.com GitHub App, in line with the deprecation timeline that was announced on the official GitHub Blog. The proposed GitHub Action workflow uses the official open source GitHub CodeQL Action. If you have any other questions or concerns, please join the discussion here in the official GitHub community!

I have another question / how do I get in touch?

Please join the discussion here to ask further questions and send us suggestions!

[harrisonkaiser]

The output below shows where the bulk (a little over 2 hours out of 2 and a half) of the time is being spent:

2022-11-10T23:37:10.4552437Z [133/163 eval 4.2s] Evaluation done; writing results to codeql/cpp-queries/jsf/4.24 Control Flow Structures/AV Rule 201.bqrs.
2022-11-11T01:33:04.5614247Z [134/163 eval 116m25s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-807/TaintedCondition.bqrs.
2022-11-11T01:33:04.5627544Z [135/163 eval 116m29s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-611/XXE.bqrs.
2022-11-11T01:33:04.5641945Z [136/163 eval 116m32s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-497/ExposedSystemData.bqrs.
2022-11-11T01:33:04.5647568Z [137/163 eval 117m21s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-311/CleartextBufferWrite.bqrs.
2022-11-11T01:33:04.5660325Z [138/163 eval 118m40s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-290/AuthenticationBypass.bqrs.
2022-11-11T01:33:04.5665385Z [139/163 eval 119m3s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-190/TaintedAllocationSize.bqrs.
2022-11-11T01:33:04.5666226Z [140/163 eval 117m21s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-295/SSLResultNotChecked.bqrs.
2022-11-11T01:33:04.5667010Z [141/163 eval 119m17s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-190/ArithmeticUncontrolled.bqrs.
2022-11-11T01:33:04.5675300Z [142/163 eval 119m17s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.bqrs.
2022-11-11T01:33:04.5676246Z [143/163 eval 119m17s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-134/UncontrolledFormatString.bqrs.
2022-11-11T01:33:04.5680217Z [144/163 eval 121m44s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-120/UnboundedWrite.bqrs.
2022-11-11T01:33:04.5685386Z [145/163 eval 123m8s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-114/UncontrolledProcessOperation.bqrs.
2022-11-11T01:33:04.5694837Z [146/163 eval 123m8s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-089/SqlTainted.bqrs.
2022-11-11T01:33:04.5695551Z [147/163 eval 123m8s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-079/CgiXss.bqrs.
2022-11-11T01:33:04.5701766Z [148/163 eval 123m10s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-078/ExecTainted.bqrs.
2022-11-11T01:33:04.5712162Z [149/163 eval 123m23s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-022/TaintedPath.bqrs.
2022-11-11T01:33:04.5715935Z [150/163 eval 116m52s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-326/InsufficientKeySize.bqrs.
2022-11-11T01:33:04.5721408Z [151/163 eval 123m47s] Evaluation done; writing results to codeql/cpp-queries/Likely Bugs/OO/UnsafeUseOfThis.bqrs.
2022-11-11T01:33:04.5726813Z [152/163 eval 124m31s] Evaluation done; writing results to codeql/cpp-queries/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.bqrs.
2022-11-11T01:33:04.5735540Z [153/163 eval 123m48s] Evaluation done; writing results to codeql/cpp-queries/Likely Bugs/Memory Management/UsingExpiredStackAddress.bqrs.
2022-11-11T01:33:04.5737839Z [154/163 eval 136m12s] Evaluation done; writing results to codeql/cpp-queries/Critical/MissingCheckScanf.bqrs.
2022-11-11T01:33:04.5742320Z [155/163 eval 116m22s] Evaluation done; writing results to codeql/cpp-queries/jsf/4.10 Classes/AV Rule 79.bqrs.
2022-11-11T01:33:04.5753832Z [156/163 eval 116m29s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.bqrs.
2022-11-11T01:33:04.5754816Z [157/163 eval 116m55s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-319/UseOfHttp.bqrs.
2022-11-11T01:33:04.5760300Z [158/163 eval 117m17s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-311/CleartextFileWrite.bqrs.
2022-11-11T01:33:04.5764214Z [159/163 eval 124m3s] Evaluation done; writing results to codeql/cpp-queries/Likely Bugs/Memory Management/SuspiciousCallToStrncat.bqrs.
2022-11-11T01:33:04.5769561Z [160/163 eval 124m3s] Evaluation done; writing results to codeql/cpp-queries/Likely Bugs/Memory Management/StrncpyFlippedArgs.bqrs.
2022-11-11T01:33:04.5773073Z [161/163 eval 124m31s] Evaluation done; writing results to codeql/cpp-queries/Likely Bugs/Memory Management/PointerOverflow.bqrs.
2022-11-11T01:33:04.5774023Z [162/163 eval 127m42s] Evaluation done; writing results to codeql/cpp-queries/Likely Bugs/Arithmetic/SignedOverflowCheck.bqrs.
2022-11-11T01:33:35.7868684Z [163/163 eval 117m3s] Evaluation done; writing results to codeql/cpp-queries/Security/CWE/CWE-497/PotentiallyExposedSystemData.bqrs.

Here is a list of the id's of the above long running evaluations to be considered for potential exclusion:

cpp/bad-strncpy-size
cpp/certificate-not-checked
cpp/cgi-xss
cpp/cleartext-storage-buffer
cpp/cleartext-storage-file
cpp/command-line-injection
cpp/external-entity-expansion
cpp/incorrect-allocation-error-handling
cpp/insufficient-key-size
cpp/missing-check-scanf
cpp/non-https-url
cpp/path-injection
cpp/pointer-overflow-check
cpp/potential-system-data-exposure
cpp/resource-not-released-in-destructor
cpp/return-stack-allocated-memory
cpp/signed-overflow-check
cpp/sql-injection
cpp/system-data-exposure
cpp/tainted-format-string
cpp/tainted-format-string-through-global
cpp/tainted-permissions-check
cpp/unbounded-write
cpp/uncontrolled-allocation-size
cpp/uncontrolled-arithmetic
cpp/uncontrolled-process-operation
cpp/unsafe-strncat
cpp/unsafe-use-of-this
cpp/user-controlled-bypass
cpp/using-expired-stack-address

Here is the mapping of ql files to ids:

./codeql/cpp/ql/src/Critical/MissingCheckScanf.ql:cpp/missing-check-scanf
./codeql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql:cpp/signed-overflow-check
./codeql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql:cpp/pointer-overflow-check
./codeql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql:cpp/return-stack-allocated-memory
./codeql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql:cpp/bad-strncpy-size
./codeql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql:cpp/unsafe-strncat
./codeql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql:cpp/using-expired-stack-address
./codeql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql:cpp/unsafe-use-of-this
./codeql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql:cpp/path-injection
./codeql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql:cpp/command-line-injection
./codeql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql:cpp/cgi-xss
./codeql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql:cpp/sql-injection
./codeql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql:cpp/uncontrolled-process-operation
./codeql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql:cpp/unbounded-write
./codeql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql:cpp/tainted-format-string
./codeql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql:cpp/tainted-format-string-through-global
./codeql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql:cpp/uncontrolled-arithmetic
./codeql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql:cpp/uncontrolled-allocation-size
./codeql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql:cpp/user-controlled-bypass
./codeql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql:cpp/certificate-not-checked
./codeql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql:cpp/cleartext-storage-buffer
./codeql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql:cpp/cleartext-storage-file
./codeql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql:cpp/non-https-url
./codeql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql:cpp/insufficient-key-size
./codeql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql:cpp/system-data-exposure
./codeql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql:cpp/potential-system-data-exposure
./codeql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql:cpp/incorrect-allocation-error-handling
./codeql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql:cpp/external-entity-expansion
./codeql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql:cpp/tainted-permissions-check
./codeql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql:cpp/resource-not-released-in-destructor

They are all of kind path-problem or problem.

./codeql/cpp/ql/src/Critical/MissingCheckScanf.ql:problem
./codeql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql:problem
./codeql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql:problem
./codeql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql:path-problem
./codeql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql:problem
./codeql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql:problem
./codeql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql:path-problem
./codeql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql:problem
./codeql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql:problem
./codeql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql:path-problem
./codeql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql:path-problem
./codeql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql:problem

[harrisonkaiser]

This list of analyses that seemed to have taken the longest amount of time. We should review the wisdom of disabling them.

• Does this suggested commit reduce the time taken by 2hrs (to 30 minutes)
• Can exclude only a subset of this list and achieve the same performance results?
• Evaluate this list for things we should not exclude.
• Look for other ways of reducing the run time.
• Consider a running more expensive checks on a schedule (as suggested by @goatgoose in a comment that appears to have been deleted)

[franklee26]

Python-only codeql completed in ~4 min.

[github-advanced-security]

CodeQL found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.

[dougch]

We many want separate workflows for python and C if their configs are vastly different, but that can be a refactor later when we figure out the open questions

[dougch]

Since this PR is (now?) focused on Python, it might make sense to move these comments to another issue where we can track what's needed for the C checks.