4417 fix codeql issues (#5793)

* Add release to codeql and queries to match lgtm * Add lgtm config file * Custom codeQL config to ignore app.js * Custom config for lgtm * Remove query filter for lgtm * Updated the security test docs * Remove lgtm.yml and delete app.js references * Update codeql-config.yml Co-authored-by: Alize Nguyen <alizenguyen@gmail.com> Co-authored-by: Andrew Henry <akhenry@gmail.com>
2024-12-18 20:57:53 +00:00 · 2022-10-07 11:30:09 -05:00 · 2022-10-07 11:30:09 -05:00 · 026eb86f5f
commit 026eb86f5f
parent 866859a937
3 changed files with 18 additions and 16 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@ -0,0 +1 @@
+name: 'Custom CodeQL config'
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -1,11 +1,10 @@
-
-name: "CodeQL"
+name: 'CodeQL'

 on:
  push:
-    branches: [ master ]
+    branches: [master, 'release/*']
  pull_request:
-    branches: [ master ]
+    branches: [master, 'release/*']
    paths-ignore:
      - '**/*Spec.js'
      - '**/*.md'
@ -27,17 +26,19 @@ jobs:
      security-events: write

    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v3

-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: javascript
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          config-file: ./.github/codeql/codeql-config.yml
+          languages: javascript
+          queries: security-and-quality

-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
--- a/README.md
+++ b/README.md
@ -100,7 +100,7 @@ To run the performance tests:
 The test suite is configured to all tests localed in `e2e/tests/` ending in `*.e2e.spec.js`. For more about the e2e test suite, please see the [README](./e2e/README.md)

 ### Security Tests
-Each commit is analyzed for known security vulnerabilities using [CodeQL](https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-javascript/) and our overall security report is available on [LGTM](https://lgtm.com/projects/g/nasa/openmct/)
+Each commit is analyzed for known security vulnerabilities using [CodeQL](https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-javascript/) and our overall security report is available on [LGTM](https://lgtm.com/projects/g/nasa/openmct/). The list of CWE coverage items is avaiable in the [CodeQL docs](https://codeql.github.com/codeql-query-help/javascript-cwe/). The CodeQL workflow is specified in the [CodeQL analysis file](./.github/workflows/codeql-analysis.yml) and the custom [CodeQL config](./.github/codeql/codeql-config.yml).

 ### Test Reporting and Code Coverage