kibana

github-mirrors/kibana

Fork 0

mirror of https://github.com/elastic/kibana.git synced 2025-04-23 17:28:26 -04:00

Commit graph

Author	SHA1	Message	Date
Elena Shostak	9dd4205639	[CodeQL] Local run script (#194272 ) ## Summary This PR introduces a script that allows developers to run CodeQL analysis locally. It uses a Docker container with prebuilt CodeQL queries to facilitate easy setup and execution. The script has the following key steps: - Creating a CodeQL database from the source code. The database is essentially a representation of the codebase that CodeQL uses to analyze for potential issues. - Running the analysis on the created database, `javascript-security-and-quality` suit is used. ### Usage ``` bash scripts/codeql/quick_check.sh -s path/to/your-source-dir ``` For example ``` bash scripts/codeql/quick_check.sh -s ./x-pack/plugins/security_solution/public/common/components/ml/conditional_links ``` The `-s` option allows you to specify the path to the source code directory that you wish to analyze. ### Why custom Docker file? Checked the ability to use MSFT image for local run https://github.com/microsoft/codeql-container. Turned out it has several problems: 1. The published one has an error with [execute permissions](https://github.com/microsoft/codeql-container/issues/53). 2. Container has outdated nodejs version, so it didn't parse our syntax (like `??`) and failed. 3. The technique used in the repository to download the CodeQL binaries and precompile the queries is outdated in the sense that GitHub now offers pre-compiled queries you can just download. Follow this [comment](https://github.com/microsoft/codeql-container/issues/53#issuecomment-1875879512). Taking this into consideration I have created a lightweight docker image without extraneous dependencies for go/.net/java. ## Context and interdependencies issues There are issues sometimes when analyze run returns no results, particularly when analyzing a single folder. It might be due to the missing context for the data flow graph CodeQL generates or context for interdependencies. This is actually a trade off of running it locally for a subset of source directories. We need to explicitly state that in the documentation and advise to expand the scope of source code directories involved for local scan. Documentation for triaging issues will be updated separately. __Closes: https://github.com/elastic/kibana/issues/195740__	2024-10-28 13:40:27 +01:00

Author

SHA1

Message

Date

Elena Shostak

9dd4205639

[CodeQL] Local run script (#194272 )

## Summary

This PR introduces a script that allows developers to run CodeQL
analysis locally. It uses a Docker container with prebuilt CodeQL
queries to facilitate easy setup and execution.
The script has the following key steps:
- Creating a CodeQL database from the source code. The database is
essentially a representation of the codebase that CodeQL uses to analyze
for potential issues.
- Running the analysis on the created database,
`javascript-security-and-quality` suit is used.

### Usage
```
bash scripts/codeql/quick_check.sh -s path/to/your-source-dir
```
For example
```
bash scripts/codeql/quick_check.sh -s ./x-pack/plugins/security_solution/public/common/components/ml/conditional_links
```

The `-s` option allows you to specify the path to the source code
directory that you wish to analyze.

### Why custom Docker file?
Checked the ability to use MSFT image for local run
https://github.com/microsoft/codeql-container. Turned out it has several
problems:
1. The published one has an error with [execute
permissions](https://github.com/microsoft/codeql-container/issues/53).
2. Container has outdated nodejs version, so it didn't parse our syntax
(like `??`) and failed.
3. The technique used in the repository to download the CodeQL binaries
and precompile the queries is outdated in the sense that GitHub now
offers pre-compiled queries you can just download. Follow this
[comment](https://github.com/microsoft/codeql-container/issues/53#issuecomment-1875879512).

Taking this into consideration I have created a lightweight docker image
without extraneous dependencies for go/.net/java.

## Context and interdependencies issues
There are issues sometimes when analyze run returns no results,
particularly when analyzing a single folder.
It might be due to the missing context for the data flow graph CodeQL
generates or context for interdependencies. This is actually a trade off
of running it locally for a subset of source directories. We need to
explicitly state that in the documentation and advise to expand the
scope of source code directories involved for local scan.

Documentation for triaging issues will be updated separately.

__Closes: https://github.com/elastic/kibana/issues/195740__

2024-10-28 13:40:27 +01:00

1 commit