
CodeQL not catching known CWEs, not failing build for caught CWE

Got them to run as expected per PR #104

However, this PR should definitely cause a failure for:

It did catch CWE-377, but it did not fail the build:

It also didn't show much info. I did not realize it caught this until I accidentally clicked on the changes:

It does show as a check, but only if you happen to expand it. The default view:

If I expand it:

This is very, very easy to miss and not at all a good UX. I would think that the action itself would fail the build, or that a failure would be easier to spot in the check. At a glance the PR looks mergeable.

That said, it still never caught CWE-78.

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
myoung34 commented, Jul 13, 2020

I’ll reopen if this pops back up but it seems to be working as expected now

0 reactions
myoung34 commented, Jul 10, 2020

I’m not convinced it’s a good example though. The “evil” user that can trigger the exec clearly has access to invoke the program from the command line, so from my understanding the “evil” user could just execute the code with python -c “<command>”. (I might be mistaken, though.)

The example in question is purely to beta test CodeQL catches. I’m investigating using this at our company, so I was hoping to see how the workflows worked in terms of UI/UX and noticed that CWE-78 didn’t trigger (after my original issues with CWE-377 started working at some point).

Likely I wrote my example too fast and used exec() vs what I really meant: subprocess.call(executable).
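The distinction the comment above lands on is the one CodeQL's taint queries draw: exec() on an attacker-controlled string is code injection (CWE-94/95, covered by a different query), whereas CWE-78 is specifically untrusted input reaching an OS command sink such as subprocess.call, either as the program name or inside a shell=True string. The following is an added example, not code from the issue, the test PR, or CodeQL itself; the hostname allow-list and the ping/echo commands are constructed for illustration. It returns the unsafe shell string instead of executing it, counts how many commands a shell would actually see in it, and contrasts that with an argv list that keeps the input as one literal argument.

```python
"""Added example: the CWE-78 sink shape CodeQL's Python command-injection query
flags, beside the hardened argv-list form. Nothing attacker-shaped is executed;
the shell string is only tokenized, and `echo` stands in for the real program."""
import re
import shlex
import subprocess

# Constructed allow-list for this example: plain hostnames, no shell metacharacters.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_unsafe(host: str) -> str:
    """The pattern CodeQL reports: untrusted `host` interpolated into a single
    string destined for subprocess.call(cmd, shell=True). Returned, not run,
    so the result can be inspected offline."""
    return f"ping -c 1 {host}"


def count_shell_commands(cmd: str) -> int:
    """Tokenize `cmd` the way /bin/sh would (punctuation_chars makes ; | & etc.
    their own tokens) and count how many separate commands it really contains."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def build_command_safe(host: str) -> list[str]:
    """Hardened form: validate against the allow-list, then build an argv list
    for shell=False, so the argument can never turn into a second command."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def echo_argv(value: str) -> str:
    """Demonstrate that with an argv list and shell=False, metacharacters in
    `value` reach the program as literal text. `echo` stands in for `ping`."""
    result = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and one carrying a command separator.
    for host in ("example.com", "example.com; id"):
        cmd = build_command_unsafe(host)
        print(f"unsafe string {cmd!r} -> {count_shell_commands(cmd)} command(s)")
        try:
            print("safe argv   ", build_command_safe(host))
        except ValueError as exc:
            print("safe argv    rejected:", exc)
        print("argv literal ", repr(echo_argv(host)))
```

Running it shows the shell string for the second input tokenizes into two commands while the allow-list rejects it outright; even without the allow-list, the argv form hands "example.com; id" to the program as a single argument. The reason CodeQL keys on the sink rather than on who can reach the program is the same reason this matters in practice: the CI example only needs a flow from an input source to subprocess.call to be a true positive, regardless of what the calling user could already do.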
