
SAST analyzer does not find CodeQL run via 'uses' directive #3600

Closed
intelfisz opened this issue Oct 24, 2023 · 3 comments
Labels
kind/bug Something isn't working

Comments

@intelfisz

Describe the bug
In the opi-intel-bridge repo I have run CodeQL scans for a long time - see https://github.com/opiproject/opi-intel-bridge/blob/main/.github/workflows/codeql.yml. The action reuses the action defined in the actions repo - see https://github.com/opiproject/actions/blob/main/.github/workflows/codeql.yml.
However, OSSF score shows 0/10 points since it can't detect that CodeQL is actually run.

Reproduction steps
Steps to reproduce the behavior:

  1. Create codeql action on any repo
  2. Create another codeql action on a different repo which uses the one defined in 1. by 'uses' directive
  3. See that repo in 2. gets no points for the SAST category

Expected behavior
I expect that the evaluation has more intelligence to detect factual CodeQL scan runs since it is a common practice to reduce code duplication in an organization and reuse actions between different repos.

Additional context
It seems that a change has happened recently or SAST was introduced, as this score penalty was not observed before and we have been running CodeQL scans for a long time already.

@intelfisz intelfisz added the kind/bug Something isn't working label Oct 24, 2023
@raghavkaul
Contributor

Which version of scorecard are you using? With the latest scorecard, https://github.com/opiproject/opi-intel-bridge scores 10/10 on SAST. You're right that CodeQL is not detected (we don't parse GitHub composite actions or transitive action steps) but we should detect the existence of CodeQL as a check run on PRs.

Starting [SAST]
Finished [SAST]

RESULTS
-------
Aggregate score: 10.0 / 10

Check scores:
|---------|------|--------------------------------|--------------------------------|-----------------------------------------------------------------|
|  SCORE  | NAME |             REASON             |            DETAILS             |                    DOCUMENTATION/REMEDIATION                    |
|---------|------|--------------------------------|--------------------------------|-----------------------------------------------------------------|
| 10 / 10 | SAST | SAST tool is run on all        | Info: all commits (30) are     | https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast |
|         |      | commits                        | checked with a SAST tool Warn: |                                                                 |
|         |      |                                | CodeQL tool not detected       |                                                                 |
|---------|------|--------------------------------|--------------------------------|-----------------------------------------------------------------|
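
The detection gap described in the reproduction steps and in the comment above (a direct scan of workflow steps does not follow a `uses:` reference into a reusable workflow or composite action), as an added example that is not Scorecard's own code: a Go sketch that scans `uses:` targets for `github/codeql-action` and optionally resolves referenced workflows through a constructed map that stands in for fetching the other repository. The workflow contents and the `example-org/actions` name are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-ins for the two workflows in the issue (not the real files).
const callerWorkflow = `jobs:
  analyze:
    uses: example-org/actions/.github/workflows/codeql.yml@main
`
const reusableWorkflow = `on: [workflow_call]
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2
`

// usesRe captures the target of every "uses:" line (step, job or composite).
var usesRe = regexp.MustCompile(`(?m)^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)`)

// RunsCodeQL reports whether a workflow invokes github/codeql-action, directly
// or through a reusable workflow / composite action whose content is supplied
// in resolve, keyed by the "uses:" target without its @ref (standing in for
// fetching the other repository). A nil resolve is a direct-only scan;
// depth bounds cyclic "uses" chains so resolution always terminates.
func RunsCodeQL(workflow string, resolve map[string]string, depth int) bool {
	if depth < 0 {
		return false
	}
	for _, m := range usesRe.FindAllStringSubmatch(workflow, -1) {
		if strings.HasPrefix(m[1], "github/codeql-action/") {
			return true
		}
		key := strings.SplitN(m[1], "@", 2)[0]
		if body, ok := resolve[key]; ok && RunsCodeQL(body, resolve, depth-1) {
			return true
		}
	}
	return false
}

func main() {
	resolve := map[string]string{"example-org/actions/.github/workflows/codeql.yml": reusableWorkflow}
	fmt.Println("direct-only:", RunsCodeQL(callerWorkflow, nil, 0), "transitive:", RunsCodeQL(callerWorkflow, resolve, 3))
}
```

The direct-only scan returns false for the caller repo, which is the 0/10 seen in the issue; the transitive scan returns true once the referenced workflow content is available.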

@spencerschrock
Member

Please see #3591, GitHub changed a string we were using for CodeQL detection. Make sure you're using Scorecard v4.13.1 or Scorecard Action v2.3.1

@intelfisz
Author

Thanks for the clarifications - indeed, this seems to be related to the recent change and works fine with the latest version. I am closing the issue.
