/jenkins-codeql

Custom CodeQL code scanning rules for Jenkins

Primary LanguageJavaMIT LicenseMIT

Jenkins CodeQL

This repository contains Jenkins-specific CodeQL queries.

Usage

Use in a regular CodeQL workflow

You can use the Jenkins CodeQL queries as part of the regular CodeQL code scanning workflow. This is the more flexible approach in terms of your ability to configure the build, and additionally only requires one workflow to be set up to use the generic code scanning rules provided by GitHub in addition to the Jenkins-specific rules. Please note the findings will be reported part of the "CodeQL" code scanning tool on the GitHub UI.

Additionally, code-level suppressions documented as part of finding descriptions do not work by default. See advanced-security/dismiss-alerts for a GitHub-provided way to support code-level suppression. The instructions below do not add suppression support, see advanced-security/dismiss-alerts for the necessary configuration changes.

Setting up

These instructions assume use of the standard CodeQL workflow template as of 42326d0

Update your use of github/codeql-action/init@v3 to specify a with.config (related GitHub documentation).

Add Jenkins-specific queries in addition to CodeQL
with:
  config: |
    packs:
    - jenkins-infra/jenkins-codeql
Only run Jenkins-specific queries (like Jenkins Security Scan)
with:
  config: |
    disable-default-queries: true
    packs:
    - jenkins-infra/jenkins-codeql

Jenkins Security Scan GitHub Workflow

Basic local/standalone use

  1. Install the CodeQL CLI.

  2. Run codeql pack install test/ to install the dependencies.

Run Jenkins queries against a CodeQL database

Generate or download a CodeQL database for the code base you want to run the queries against.

Then, run:

codeql database codeql database analyze --format=sarifv2.1.0 --output=result.sarif <path to database> src/

This will generate the result.sarif file containing the query results.

Development

Run tests

codeql pack install test/
codeql test run test/

The file run-tests.sh in this repository is a self-contained script that installs CodeQL, pack dependencies, and then runs the tests. Since it downloads and extracts CodeQL CLI binaries, its use is not recommended for local development.

Update CodeQL

To update to a newer CodeQL release:

  1. Determine which release to update to. See the list of CodeQL releases and the corresponding releases of java-all.

  2. Edit all qlpack.yml files in this repository and increase the version of codeql/java-all to the corresponding version in github/codeql (java/ql/src/qlpack.yml at the tagged top-level version in tags).

  3. Run codeql pack upgrade <dir> on each of the directories containing a qlpack.yml file.

  4. Edit run-tests.sh to download the correct CodeQL release and run it to confirm everything works as expected.

Note
https://github.com/jenkins-infra/jenkins-security-scan needs a corresponding change.

Release as CodeQL Pack

To release this as QL packs here:

  1. Update the versions from x.y.z-dev to x.y.z in qlpack.yml files and git commit this (example).

  2. Define the environment variable GITHUB_TOKEN or prepare to pass the argument --github-auth-stdin to the next command. Either way, you need a token with write:packages permission.

  3. Run codeql pack publish --groups=-test to upload everything but the tests as packs.

  4. Update the versions from x.y.z to x.y.(z+1)-dev in qlpack.yml files and git commit this (example).