This repository contains Jenkins-specific CodeQL queries.
You can use the Jenkins CodeQL queries as part of the regular CodeQL code scanning workflow. This is the more flexible approach in terms of your ability to configure the build, and additionally only requires one workflow to be set up to use the generic code scanning rules provided by GitHub in addition to the Jenkins-specific rules. Please note the findings will be reported part of the "CodeQL" code scanning tool on the GitHub UI.
Additionally, code-level suppressions documented as part of finding descriptions do not work by default.
See advanced-security/dismiss-alerts
for a GitHub-provided way to support code-level suppression.
The instructions below do not add suppression support, see advanced-security/dismiss-alerts
for the necessary configuration changes.
These instructions assume use of the standard CodeQL workflow template as of 42326d0
Update your use of github/codeql-action/init@v3
to specify a with.config
(related GitHub documentation).
with:
config: |
packs:
- jenkins-infra/jenkins-codeql
-
Install the CodeQL CLI.
-
Run
codeql pack install test/
to install the dependencies.
Generate or download a CodeQL database for the code base you want to run the queries against.
Then, run:
codeql database codeql database analyze --format=sarifv2.1.0 --output=result.sarif <path to database> src/
This will generate the result.sarif
file containing the query results.
codeql pack install test/ codeql test run test/
The file run-tests.sh
in this repository is a self-contained script that installs CodeQL, pack dependencies, and then runs the tests.
Since it downloads and extracts CodeQL CLI binaries, its use is not recommended for local development.
To update to a newer CodeQL release:
-
Determine which release to update to. See the list of CodeQL releases and the corresponding releases of
java-all
. -
Edit all
qlpack.yml
files in this repository and increase the version ofcodeql/java-all
to the corresponding version ingithub/codeql
(java/ql/src/qlpack.yml
at the tagged top-level version in tags). -
Run
codeql pack upgrade <dir>
on each of the directories containing aqlpack.yml
file. -
Edit
run-tests.sh
to download the correct CodeQL release and run it to confirm everything works as expected.
Note
|
https://github.com/jenkins-infra/jenkins-security-scan needs a corresponding change. |
To release this as QL packs here:
-
Update the versions from
x.y.z-dev
tox.y.z
inqlpack.yml
files andgit commit
this (example). -
Define the environment variable
GITHUB_TOKEN
or prepare to pass the argument--github-auth-stdin
to the next command. Either way, you need a token withwrite:packages
permission. -
Run
codeql pack publish --groups=-test
to upload everything but the tests as packs. -
Update the versions from
x.y.z
tox.y.(z+1)-dev
inqlpack.yml
files andgit commit
this (example).