
Fix code scanning alerts in codeql action #2763

Open
6 of 8 tasks
aeisenberg opened this issue Feb 13, 2025 · 5 comments
Assignees
Labels
CodeQL Action This repo! Helps for internal planning

Comments

@aeisenberg aeisenberg added the CodeQL Action This repo! Helps for internal planning label Feb 13, 2025
@aeisenberg (Contributor, Author)

@kaeluka since you're shield next week, I am assigning this to you. These are both minor security issues. I believe these are both straightforward to fix, if they are really problems at all. If it turns out they are not easy to fix, please comment here and we will address them later. If they are FPs, please close them.

@aeisenberg aeisenberg assigned angelapwen and unassigned kaeluka Feb 24, 2025
@angelapwen (Contributor)

First alert is a false positive and I've dismissed it.

Second alert is about differing input descriptions across Actions.

  • PR to unify the token input: Unify token description for resolve-environment, start-proxy, and upload-sarif #2780. Note that I have a comment about not actually being sure if the start-proxy token description should be unified, based off the required token permissions.
  • For the language input, I think I will dismiss as wont-fix. For resolve-environment, the description is "The language to infer the build environment configuration for." and for start-proxy the description is `The programming language to setup the proxy for the correct ecosystem`. It seems unnecessarily confusing to make the description something general like "the programming language" just for the sake of resolving the alert 🤔

@angelapwen (Contributor)

A few more of these popped up over the weekend. I've added them to the list in the issue.

@angelapwen (Contributor)

#2781 for the new code injection warnings

@angelapwen (Contributor)

#2782 for the new unversioned immutable SHA alerts.
