kibana/scripts/codeql
Kibana Machine 9a7dafcf38
[8.x] [CodeQL] Local run script (#194272) (#197989)
# Backport

This will backport the following commits from `main` to `8.x`:
- [[CodeQL] Local run script
(#194272)](https://github.com/elastic/kibana/pull/194272)

<!--- Backport version: 9.4.3 -->

### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Source pull request [#194272](https://github.com/elastic/kibana/pull/194272) by Elena Shostak, merged to `main` on 2024-10-28 (commit 9dd4205639ed16f9086a7c5d70e077b6db21d73b), labels: Team:Security, enhancement, release_note:skip, v9.0.0, backport:prev-minor. Its description:

> ## Summary
>
> This PR introduces a script that allows developers to run CodeQL analysis locally. It uses a Docker container with prebuilt CodeQL queries to facilitate easy setup and execution.
> The script has the following key steps:
> - Creating a CodeQL database from the source code. The database is essentially a representation of the codebase that CodeQL uses to analyze for potential issues.
> - Running the analysis on the created database; the `javascript-security-and-quality` suite is used.
>
> ### Usage
> ```
> bash scripts/codeql/quick_check.sh -s path/to/your-source-dir
> ```
> For example
> ```
> bash scripts/codeql/quick_check.sh -s ./x-pack/plugins/security_solution/public/common/components/ml/conditional_links
> ```
>
> The `-s` option allows you to specify the path to the source code directory that you wish to analyze.
>
> ### Why custom Docker file?
> Checked the ability to use MSFT image for local run https://github.com/microsoft/codeql-container. Turned out it has several problems:
> 1. The published one has an error with [execute permissions](https://github.com/microsoft/codeql-container/issues/53).
> 2. Container has outdated nodejs version, so it didn't parse our syntax (like `??`) and failed.
> 3. The technique used in the repository to download the CodeQL binaries and precompile the queries is outdated in the sense that GitHub now offers pre-compiled queries you can just download. Follow this [comment](https://github.com/microsoft/codeql-container/issues/53#issuecomment-1875879512).
>
> Taking this into consideration I have created a lightweight docker image without extraneous dependencies for go/.net/java.
>
> ## Context and interdependencies issues
> There are issues sometimes when the analysis run returns no results, particularly when analyzing a single folder.
> It might be due to the missing context for the data flow graph CodeQL generates or context for interdependencies. This is actually a trade-off of running it locally for a subset of source directories. We need to explicitly state that in the documentation and advise expanding the scope of source code directories involved for the local scan.
>
> Documentation for triaging issues will be updated separately.
>
> __Closes: https://github.com/elastic/kibana/issues/195740__

Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
2024-10-28 09:23:36 -05:00
..
codeql.dockerfile [8.x] [CodeQL] Local run script (#194272) (#197989) 2024-10-28 09:23:36 -05:00
quick_check.sh [8.x] [CodeQL] Local run script (#194272) (#197989) 2024-10-28 09:23:36 -05:00
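The PR description names the two steps the script performs (create a CodeQL database, then analyze it with the `javascript-security-and-quality` suite) and warns that a scan of a single folder can come back empty. The following is an added example written for this page, not Kibana's own `quick_check.sh` or its Dockerfile: a POSIX shell wrapper that runs those two CodeQL CLI steps and flags an empty result set. It assumes a `codeql` binary on `PATH` (or `CODEQL_BIN`); the pack-qualified suite reference in `CODEQL_SUITE` and the `quick_check`/`build_commands`/`count_sarif_results` names are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example (not Kibana's quick_check.sh): wraps the two CodeQL CLI steps
# the PR description names and flags an empty SARIF result set.
# Assumptions: `codeql` CLI on PATH (override with CODEQL_BIN); the suite
# reference below follows the CodeQL pack naming and is not from the page.
set -eu

CODEQL_BIN="${CODEQL_BIN:-codeql}"
CODEQL_SUITE="${CODEQL_SUITE:-codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls}"

# Print the two commands for a source dir, one per line. Kept as a pure
# function so the invocation can be inspected (or tested) without CodeQL.
build_commands() {
  src="$1"; db="$2"; out="$3"
  printf '%s\n' \
    "$CODEQL_BIN database create '$db' --language=javascript --source-root='$src' --overwrite" \
    "$CODEQL_BIN database analyze '$db' '$CODEQL_SUITE' --format=sarif-latest --output='$out'"
}

# Crude finding count: every SARIF result object carries a "ruleId" key.
# Enough to detect the "no results" case the PR description warns about.
count_sarif_results() {
  grep -o '"ruleId"' "$1" | wc -l | tr -d ' '
}

quick_check() {
  src=""; db="${TMPDIR:-/tmp}/codeql-db"; out="codeql-results.sarif"
  while getopts "s:" opt; do
    case "$opt" in
      s) src="$OPTARG" ;;
      *) echo "usage: quick_check -s <source-dir>" >&2; return 2 ;;
    esac
  done
  [ -d "$src" ] || { echo "source dir not found: $src" >&2; return 2; }

  # Step 1: database create; step 2: database analyze.
  build_commands "$src" "$db" "$out" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done

  n="$(count_sarif_results "$out")"
  if [ "$n" -eq 0 ]; then
    echo "No findings. A single folder may lack data-flow context; widen -s to include its dependencies." >&2
  else
    echo "$n finding(s) written to $out"
  fi
}

# Usage: sh local_codeql.sh -s path/to/source-dir
if [ "${1:-}" != "" ]; then quick_check "$@"; fi
```

The empty-result check is deliberately conservative: CodeQL can legitimately find nothing, so the wrapper only reports the possibility of missing context and leaves the decision to widen the scan to the developer.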