advanced-security / codeql-summarize Goto Github PK

Right now we only check for some use cases and need to support more in the future

Use cases:

• CLI Path
• Actions
• Using gh cli

https://github.com/advanced-security/codeql-summary-generator/blob/main/codeqlsummaries/generator.py#L42

Should Bundling export an updated version of the projects.json file if present? This means that if I scanned "org/test" ad-hoc then it should be registered in the projects file

Users might just want to get a summary file without submitting pull requests etc. For those uses it would be useful if that flag was optional.

Databases have a primaryLanguage field in their manifest, which could be used to automatically set --language. That way we could likely remove --language altogether and make the cli interface more convenient.

In the event that a database is not available, it would be great to add a separate section of the configuration file to be used for the purposes of performing a git clone and then attempting to create a database locally. This would be a great use case for interpreted languages, and could possibly parse the CodeQL Action workflow file for build commands with compiled languages.

This might also help security teams prepare for turning on CodeQL with a repository if Code Scanning has not been enabled there yet. We don't necessarily need to perform the analysis, but would be neat to perform an upload of a new database (or databases) for SARIF review prior to turning on Code Scanning for a given repo.

https://github.com/github/codeql/blob/main/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll#L379

We might want to way to support multiple languages being passed into the tool. This might also help if we want to use the GitHub API to check what languages are present in the repo.

gh codeql-summarize -l java,javascript ...

We might want to "store summaries" in JSON or other format that is stored in a repo.

This would solve the "over time the framework / library might change".

In some cases we might want to include or exclude certain namespaces / module paths to allow for end-users to automatically remove / add particular paths from libraries

We might hit an issue with namespaces and modules when generating CodeQL and creating a bundle.

• https://github.com/advanced-security/gh-codeql-summarize/blob/main/codeqlsummarize/exporters/customizations.py#L12-L19
• https://github.com/advanced-security/codeql-bundle-action

I haven't seen this but a side note to make sure that if we do, its noted here