Add runcodeql.sh for "tox -e codeql" - Security check in python codes #105

Merged
merged 3 commits into from
Jan 26, 2023
7 changes: 6 additions & 1 deletion src/tox_lsr/config_files/tox-default.ini
Expand Up @@ -4,7 +4,7 @@ envlist =
black, pylint, flake8, yamllint
py{26,27,36,37,38,39,310,311}, shellcheck
collection, ansible-lint, custom
ansible-test, woke
ansible-test, woke, codeql
skipsdist = true
skip_missing_interpreters = true
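Review bot: adding `codeql` to `envlist` makes it part of the default `tox` run rather than the opt-in `tox -e codeql` target the PR title describes; since `runcodeql.sh` fetches a CodeQL bundle with `wget` and clones `github/codeql-action` on first run, consider keeping it out of `envlist` so that network and disk cost is only paid when the env is requested explicitly.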

Expand Down Expand Up @@ -272,6 +272,11 @@ changedir = {toxinidir}
commands =
bash {lsr_scriptdir}/runwoke.sh

[testenv:codeql]
changedir = {toxinidir}
commands =
bash {lsr_scriptdir}/runcodeql.sh

[qemu_common]
changedir = {toxinidir}
basepython = python3
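Review bot: `[testenv:codeql]` declares no `passenv`, but `runcodeql.sh` reads `CODEQLACTIONDIR` (and `HOME`) from the environment to locate an existing `codeql-action` checkout; unless the base `[testenv]` already passes these through, a value exported by the caller never reaches the script and it silently falls back to cloning. Consider adding `passenv = CODEQLACTIONDIR` to this section.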
115 changes: 115 additions & 0 deletions src/tox_lsr/test_scripts/runcodeql.sh
@@ -0,0 +1,115 @@
#!/bin/bash
# SPDX-License-Identifier: MIT

# Do not exit on an error to continue ansible-doc and ansible-test.
set -euo pipefail

#uncomment if you use $ME - otherwise set in utils.sh
#ME=$(basename "$0")
SCRIPTDIR=$(readlink -f "$(dirname "$0")")

. "${SCRIPTDIR}/utils.sh"

# Run codeql against python codes in a role
CODEQLACTIONDIR=${CODEQLACTIONDIR:-"${HOME}/github.com/github/codeql-action"}
ROLE=${ROLE:-"$( basename $TOPDIR )"}
WORKDIR=$( mktemp -d /var/tmp/CODEQL_DB_${ROLE}_XXX )
because this is running in tox, you already have a "working" directory .tox/codeql and a "temp" directory .tox/codeql/.tmp
https://github.com/linux-system-roles/tox-lsr#environment-variables-available-for-test-scripts
The codeql command should be installed in $LSR_TOX_ENV_DIR/bin which is in the PATH when running in tox.

You could probably make it idempotent:

if [ ! -f "$LSR_TOX_ENV_TMP_DIR/codeql-bundle-linux64.tar.gz" ]; then
  curl -o "$LSR_TOX_ENV_TMP_DIR/codeql-bundle-linux64.tar.gz"  "$CODEQLURL"
fi
if [ ! -f "$LSR_TOX_ENV_DIR/bin/codeql" ]; then
  tar xfz "$LSR_TOX_ENV_TMP_DIR/codeql-bundle-linux64.tar.gz" -C "$LSR_TOX_ENV_TMP_DIR"
  cp "$LSR_TOX_ENV_TMP_DIR/codeql" "$LSR_TOX_ENV_DIR/bin/codeql"
fi


# Go to the TOPDIR
cd "$TOPDIR"

# Install CodeQL
# https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system
CODEQLTARBALL=codeql-bundle-linux64.tar.gz
CODEQLURL=https://github.com/github/codeql-action/releases/latest/download/$CODEQLTARBALL
CODEQLPATH=$( which codeql 2> /dev/null )
if [ $? -ne 0 ]; then
wget "$CODEQLURL"
tar -xzf ./"$CODEQLTARBALL"
# Set $( pwd )/codeql to PATH
PATH=$( pwd )/codeql:$PATH
else
# Set parentdir of $CODEQLPATH to PATH
PATH=$( dirname "$CODEQLPATH" ):$PATH
fi

# Checkout codeql-action
GITHUBDIR="${HOME}/github.com/github"
CODEQLACTIONDIR=${CODEQLACTIONDIR:-"${GITHUBDIR}/codeql-action"}
if [ ! -d $CODEQLACTIONDIR ]; then
if [ ! -d $GITHUBDIR ]; then
mkdir -p $GITHUBDIR
fi
(cd $GITHUBDIR; gh repo clone github/codeql-action)
Suggested change
(cd $GITHUBDIR; gh repo clone github/codeql-action)
git clone https://github.com/github/codeql-action "$LSR_TOX_ENV_DIR/codeql-action"

fi

# Create a database dir:
DBDIR=$WORKDIR/database
mkdir $DBDIR
RESULTS=$WORKDIR/results
mkdir $RESULTS

# Load language configuration
codeql resolve queries python-code-scanning.qls --format=bylanguage

codeql resolve queries python-security-and-quality.qls --format=bylanguage

codeql resolve languages --format=betterjson --extractor-options-verbosity=4

# Setup Python dependencies
# $CODEQLACTIONDIR/python-setup/install_tools.sh
# Remove "--user" from "pip install" to workaround this error.
# ERROR: Can not perform a '--user' install. User site-packages are
# not visible in this virtualenv.
sed -e "s/pip install --user/pip install/" \
$CODEQLACTIONDIR/python-setup/install_tools.sh > $WORKDIR/install_tools.sh
bash -x $WORKDIR/install_tools.sh

codeql database init --db-cluster $DBDIR --source-root=$TOPDIR \
--language=python

# Setup environment variables
export CODEQL_WORKFLOW_STARTED_AT=$( date -Iseconds )
export CODEQL_RAM=5919
export CODEQL_THREADS=2

# Extracting python
codeql database trace-command $DBDIR/python -- \
$( dirname "$CODEQLPATH" )/python/tools/autobuild.sh

# Finalizing python
codeql database finalize --finalize-dataset --threads=$CODEQL_THREADS \
--ram=$CODEQL_RAM $DBDIR/python

# Running queries for python
codeql database run-queries --ram=$CODEQL_RAM --threads=$CODEQL_THREADS \
$DBDIR/python --min-disk-free=1024 \
-v python-security-and-quality.qls

# Interpreting results for python
codeql database interpret-results --threads=$CODEQL_THREADS \
--format=sarif-latest -v --output=$RESULTS/python.sarif \
--no-sarif-add-snippets --print-diagnostics-summary \
--print-metrics-summary --sarif-group-rules-by-pack \
--sarif-add-query-help --sarif-category /language:python \
--sarif-add-baseline-file-info $DBDIR/python \
python-security-and-quality.qls

codeql database print-baseline $DBDIR/python

echo "CodeQL result file on $ROLE: $RESULTS/python.sarif"

JQPATH=$( which jq 2> /dev/null )
if [ $? -ne 0 ]; then
echo "WARNING: please install jq package"
move this check to near the top so the script fails early if jq not found

You can remove this check since you added it to the top

else
rcnt=$( jq '.runs[0].results | length' $RESULTS/python.sarif )
if [ $rcnt -gt 0 ]; then
echo "CODEQL RESULT"
jq '.runs[0].results' $RESULTS/python.sarif
lsr_error "${ME}: Found $rcnt security issues."
else
echo "PASS: Found no security issues."
fi
fi
exit 0
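Review bot: `set -euo pipefail` contradicts the comment directly above it ("Do not exit on an error") and defeats both tool checks: under `set -e`, `CODEQLPATH=$( which codeql 2> /dev/null )` and `JQPATH=$( which jq 2> /dev/null )` abort the script as soon as the tool is missing, so the `if [ $? -ne 0 ]` branches that download CodeQL or warn about jq are never reached. Test the substitution directly, e.g. `if ! CODEQLPATH=$(command -v codeql); then`, or drop `-e` and check each step explicitly. Even with that fixed, the download branch leaves `CODEQLPATH` empty, so `$( dirname "$CODEQLPATH" )/python/tools/autobuild.sh` resolves to `./python/tools/autobuild.sh` rather than the extracted bundle; set `CODEQLPATH` to the extracted `codeql` binary in that branch. Also quote `$TOPDIR` in `basename $TOPDIR` and `$CODEQLACTIONDIR`/`$GITHUBDIR` in the `-d` tests and `mkdir`, since unquoted paths break on whitespace.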
4 changes: 4 additions & 0 deletions tests/fixtures/test_tox_merge_ini/result.ini
Expand Up @@ -226,6 +226,10 @@ commands = bash {lsr_scriptdir}/runansible-test.sh
changedir = {toxinidir}
commands = bash {lsr_scriptdir}/runwoke.sh

[testenv:codql]
Suggested change
[testenv:codql]
[testenv:codeql]

shame shame Thanks, @richm!

changedir = {toxinidir}
commands = bash {lsr_scriptdir}/runcodql.sh

[qemu_common]
changedir = {toxinidir}
basepython = python3
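Review bot: the fixture section is misspelled in two places relative to `tox-default.ini`: `[testenv:codql]` should be `[testenv:codeql]` (already suggested above) and `commands = bash {lsr_scriptdir}/runcodql.sh` should be `runcodeql.sh`; with either typo left in, the `test_tox_merge_ini` expected result no longer matches the merged config and the test fails.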