feat(codeql): add CodeQL enablement check as a dedicated extension #876
akiioto wants to merge 8 commits into
Conversation
Introduces a new CodeQL extension that checks whether GitHub Advanced Security CodeQL is enabled for each source artefact referenced by an OCM component.

Changes:
- odg/model.py: add Datatype.CODEQL_FINDING, Datasource.CODEQL, CodeqlStatus, CodeqlFinding, RescoreCodeqlFinding
- odg/extensions_cfg.py: add Services.CODEQL and CodeqlConfig (BacklogItemMixins)
- odg/extensions_cfg.yaml: add codeql default (enabled: False)
- odg/findings_cfg.yaml: add finding/codeql block with BLOCKER categorisation; external (github.com) components are auto-rescored to NONE
- codeql.py: new extension; queries GitHub code-scanning analyses API (tool_name=CodeQL), emits CodeqlFinding(NOT_ENABLED) when CodeQL is absent
Per discussion with Philipp Heil: findings should contain enough information to be meaningful in the dashboard and issue view. repo_url points directly to the GitHub repository where CodeQL needs to be enabled.
Required for categorise_finding() to match on codeql_status values in the findings_cfg.yaml selector configuration.
Adds the codeql backlog item creation block analogous to sast, so the artefact-enumerator creates codeql backlog items for source artefacts when the codeql extension is enabled.
- settings_url: direct link to repo/settings/security_analysis so engineers can enable CodeQL in one click from the dashboard/issue
- language: primary repo language from GitHub API; enables auto-rescoring for repos in languages CodeQL does not support
- fix: key now includes repo_url to avoid collisions across artefacts
- refactor: fetch_repo_info() combines /repos and /code-scanning/analyses into one function so both calls share the same auth token lookup
languages: [Go, Python, Java] in extensions_cfg limits CodeQL checks to repos whose primary language matches. Empty list (default) checks all.
Instead of a single enabled/disabled check per repo, the extension now:
- fetches active CodeQL languages from code-scanning/analyses (environment.language)
- emits a separate CodeqlFinding per language configured in codeql_config.languages that is NOT actively scanned
- key includes language: not-enabled|{repo_url}|{language}

When languages is empty (default), falls back to single finding if CodeQL is not enabled at all for the repo.
8R0WNI3 left a comment
This already looks very promising, thank you for your contribution! :-)
| case odg.model.Datatype.OSID_FINDING: | ||
| self._validate_osid() | ||
| case odg.model.Datatype.CRYPTO_FINDING: | ||
| self._validate_crypto() |
Please also add a validation function for the new finding type.
| artefact_kind: source | ||
| issues: | ||
| enable_issues: False | ||
| rescoring_ruleset: |
I think this ruleset is not used anywhere 🤔
| import ocm.iter | ||
|
|
||
| import ctx_util | ||
| import ghas |
Conceptually, an extension should not have a dependency on another extension. Please consider moving the necessary functions to the already existing github_util module instead.
| scan_callback = functools.partial( | ||
| scan, | ||
| codeql_finding_config=codeql_finding_config, | ||
| secret_factory=secret_factory, |
The secret_factory will be already provided by the process_backlog_items wrapper, so there should be no need to explicitly add it here.
| if len(path_parts) < 2: | ||
| return None | ||
| org, repo = path_parts[0], path_parts[1] | ||
| hostname = parsed.hostname or 'github.com' |
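Review bot: the length check `if len(path_parts) < 2: return None` only rejects too-short paths, so a URL with extra trailing segments (e.g. an `/org/repo/tree/main` style link) is silently accepted and `org, repo = path_parts[0], path_parts[1]` takes the first two parts. Either tighten the guard to `!= 2` or document that trailing segments are intentionally ignored, so a mis-shaped artefact URL cannot be attributed to the wrong repository.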
Why would it be necessary to fallback to github.com here?
| codeql_status: CodeqlStatus | ||
| repo_url: str | None = None | ||
| settings_url: str | None = None | ||
| language: str | None = None |
I think according to the codeql module, repo_url and language would never be None. Why did you decide to make them optional here?
Addresses review comment: Services, Datatype, Datasource.datasource(), and ExtensionsConfiguration fields are now in alphabetical order.
Summary
Introduces a codeql extension that checks whether GitHub Advanced Security CodeQL is enabled for each source artefact referenced by an OCM component, analogous to the sast extension.

Changes
- src/codeql.py: new extension; queries the GitHub code-scanning analyses API (tool_name=CodeQL), emits CodeqlFinding(NOT_ENABLED) when CodeQL is absent
- src/odg/model.py: Datatype.CODEQL_FINDING, Datasource.CODEQL, CodeqlStatus, CodeqlFinding, RescoreCodeqlFinding
- src/odg/extensions_cfg.py: Services.CODEQL and CodeqlConfig (BacklogItemMixins, same as SASTConfig)
- src/odg/extensions_cfg.yaml: codeql: enabled: False default
- src/odg/findings_cfg.yaml: finding/codeql block with BLOCKER categorisation; external (github.com) components auto-rescored to NONE
- src/odg/findings.py: CodeqlFindingSelector for categorise_finding() matching on codeql_status
- src/artefact_enumerator.py: CODEQL service so backlog items are created for source artefacts

Design decisions
- ghas.github_api_request(): same GitHub API authentication mechanism as the existing GHAS extension
- repo_url stored in finding: allows direct navigation to the repository from the dashboard/issue view
- github.com components exempt: external open-source components are not subject to SAP product standards

Prerequisites for full E2E test
- GitHub App (github.tools.sap) needs security_events: read permission added

Test plan
- codeql.py loads and starts polling backlog items
- artefact-enumerator creates codeql backlog items for source artefacts
- security_events: read permission is granted to GitHub App
- CodeqlFinding(NOT_ENABLED) is stored in DB for repos without CodeQL
- github.com components are auto-rescored to NONE