| 1 | +# Code Scanning Javascript Tutorial |
| 2 | + |
| 3 | +Welcome to the Code Scanning Java Tutorial! This tutorial will take you through how to set up Github Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains SQL injection vulnerability for demonstration purpose. |
| 4 | + |
| 5 | +## Introduction |
| 6 | + |
| 7 | +Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub. |
| 8 | + |
| 9 | +You can use code scanning with CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers. |
| 10 | + |
| 11 | +This tutorial with use CodeQL Analysis with Code Scanning in order to search for vulnerabilities within your code. |
| 12 | + |
| 13 | +## Instructions |
| 14 | + |
| 15 | +<details> |
| 16 | +<summary>Fork this repo</summary> |
| 17 | +<p> |
| 18 | + |
| 19 | +Begin by [forking this repo](https://docs.github.com/en/free-pro-team@latest/github/getting-started-with-github/fork-a-repo). |
| 20 | +</p> |
| 21 | +</details> |
| 22 | + |
| 23 | +<details> |
| 24 | +<summary>Enable Code Scanning</summary> |
| 25 | +<p> |
| 26 | + |
| 27 | +#### Security tab |
| 28 | + |
| 29 | +Click on the `Security` tab. |
| 30 | + |
| 31 | + |
| 32 | +<img src="images/00-repo-security-tab.png" width="70%"/> |
| 33 | + |
| 34 | +#### Set up code scanning |
| 35 | + |
| 36 | +Click `Set up code scanning`. |
| 37 | + |
| 38 | +<img src="images/01-repo-secruity-setup-code-scanning.png" width="70%"/> |
| 39 | + |
| 40 | +#### Setup Workflow |
| 41 | + |
| 42 | +Click the `Setup this workflow` button by CodeQL Analysis. |
| 43 | + |
| 44 | +<img src="images/02-repo-security-setup-codeql-workflow.png" width="70%"/> |
| 45 | + |
| 46 | +This will create a GitHub Actions Workflow file with CodeQL already set up. Since Java is a compiled language you will need to setup the build in later steps. See the [documentation](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system) if you would like to configure CodeQL Analysis with a 3rd party CI system instead of using GitHub Actions. |
| 47 | +</p> |
| 48 | +</details> |
| 49 | + |
| 50 | +<details> |
| 51 | + |
| 52 | +<summary>Actions Workflow file</summary> |
| 53 | +<p> |
| 54 | + |
| 55 | +#### Actions Workflow |
| 56 | + |
| 57 | +The Actions Workflow file contains a number of different sections including: |
| 58 | +1. Checking out the repository |
| 59 | +2. Initializing the CodeQL Action |
| 60 | +3. Running Autobuilder (or code your own build steps if autobuild doesn't work) |
| 61 | +4. Running the CodeQL Analysis |
| 62 | + |
| 63 | +<img src="images/03-actions-sample-workflow.png" width="80%"/> |
| 64 | + |
| 65 | +Click `Start Commit` -> `Commit this file` to commit the changes to _main_ branch. |
| 66 | +</p> |
| 67 | +</details> |
| 68 | + |
| 69 | +<details> |
| 70 | + |
| 71 | +<summary>Workflow triggers</summary> |
| 72 | +<p> |
| 73 | + |
| 74 | +#### Workflow triggers |
| 75 | + |
| 76 | +There are a [number of events](https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows) that can trigger a GitHub Actions workflow. In this example, the workflow will be triggered on |
| 77 | + |
| 78 | +<img src="images/04-actions-sample-events.png" width="50%"/> |
| 79 | + |
| 80 | +- push to _main_ branch |
| 81 | +- pull request to merge to _main_ branch |
| 82 | +- on schedule, at 6:33 every Thursday |
| 83 | + |
| 84 | +Setting up the new CodeQL workflow and committing it to _main_ branch in the step above will trigger the scan. |
| 85 | + |
| 86 | +</p> |
| 87 | +</details> |
| 88 | + |
| 89 | + |
| 90 | +<details> |
| 91 | +<summary>GitHub Actions Progress</summary> |
| 92 | + |
| 93 | +<p> |
| 94 | + |
| 95 | +#### GitHub Actions Progress |
| 96 | + |
| 97 | +Click `Actions` tab -> `CodeQL` |
| 98 | + |
| 99 | +Click the specific workflow run. You can view the progress of the Workflow run until the analysis completes. |
| 100 | + |
| 101 | +<img src="images/05-actions-completed.png" width="80%"/> |
| 102 | + |
| 103 | +</p> |
| 104 | +</details> |
| 105 | + |
| 106 | +<details> |
| 107 | +<summary>Security Issues</summary> |
| 108 | +<p> |
| 109 | + |
| 110 | +Once the Workflow has completed, click the `Security` tab -> ` Code Scanning Alerts`. An security alert "Query built from user-controlled sources" should be visible. |
| 111 | + |
| 112 | +#### Security Alert View |
| 113 | + |
| 114 | +Clicking on the security alert will provide details about the security alert including: <br/> |
| 115 | +<ul> |
| 116 | +<li>A description of the issue </li> |
| 117 | +<li>A tag to the CWE that it is connected to as well as the type of alert (Error, Warning, Note)</li> |
| 118 | +<li>The line of code that triggered the security alert</li> |
| 119 | +<li>The ability to dismiss the alert depending on certain conditions (`False positive`? `Won't fix`? `Used in tests`?)</li> |
| 120 | +</ul> |
| 121 | +<img src="images/06-security-codeql-alert.png" width="80%"/> |
| 122 | + |
| 123 | +#### Security Alert Description |
| 124 | + |
| 125 | +Click `Show more` to view a full desciption of the alert including examples and links to additional information. |
| 126 | + |
| 127 | +<img src="images/07-security-codeql-show-more.png" width="80%"/> |
| 128 | + |
| 129 | +#### Security Full Description |
| 130 | + |
| 131 | +<img width="80%" src="images/08-security-codeql-full-desc.png"> |
| 132 | + |
| 133 | +</p> |
| 134 | +</details> |
| 135 | + |
| 136 | +<details> |
| 137 | +<summary>Show Paths</summary> |
| 138 | +<p> |
| 139 | + |
| 140 | +#### Show Paths Button |
| 141 | + |
| 142 | +CodeQL Analysis is able to trace the dataflow path from source to sink and gives you the ability to view the path traversal within the alert. |
| 143 | + |
| 144 | +Click `show paths` in order to see the dataflow path that resulted in this alert. |
| 145 | + |
| 146 | +<img src="images/09-security-codeql-show-paths.png" width="80%"/> |
| 147 | + |
| 148 | +#### Show Paths View |
| 149 | + |
| 150 | +<img src="images/10-security-codeql-show-paths-details.png" width="80%"/> |
| 151 | + |
| 152 | +</p> |
| 153 | +</details> |
| 154 | + |
| 155 | +<details> |
| 156 | +<p> |
| 157 | + |
| 158 | +<summary>Fix the Security Alert</summary> |
| 159 | + |
| 160 | +In order to fix this specific alert, we will need to ensure parameters used in the SQL query is validated and sanitized. |
| 161 | + |
| 162 | +Click on the `Code` tab and [Edit](https://docs.github.com/en/free-pro-team@latest/github/managing-files-in-a-repository/editing-files-in-your-repository) the file [`IndexController.java`](./src/main/java/com/github/hackathon/advancedsecurityjava/Controllers/IndexController.java) in the `Controllers` folder, replace the content with the file [`fixme`](./fixme). |
| 163 | + |
| 164 | +<img src="images/11-fix-source-code.png" width="80%"/> |
| 165 | + |
| 166 | +Click `Create a new branch for this commit and start a pull request`, name the branch `fix-sql-injection`, and create the Pull Request. |
| 167 | + |
| 168 | +#### Pull Request Status Check |
| 169 | + |
| 170 | +In the Pull Request, you will notice that the CodeQL Analysis has started as a status check. Wait until it completes. |
| 171 | + |
| 172 | +<img src="images/12-fix-pr-in-progress.png" width="80%"/> |
| 173 | + |
| 174 | +#### Security Alert Details |
| 175 | + |
| 176 | +After the Workflow has completed click on `Details` by the `Code Scanning Results / CodeQL` status check. |
| 177 | + |
| 178 | +<img src="images/13-fix-pr-done.png" width="80%"/> |
| 179 | + |
| 180 | +#### Fixed Alert |
| 181 | + |
| 182 | +Notice that Code Scanning has detected that this Pull Request will fix the SQL injection vulnerability that was detected before. |
| 183 | + |
| 184 | +<img src="images/14-fix-detail.png" width="80%"/> |
| 185 | + |
| 186 | +Merge the Pull Request. After the Pull Request has been merged, another Workflow will kick off to scan the repository for any vulnerabilties. |
| 187 | + |
| 188 | +#### Closed Security Alerts |
| 189 | + |
| 190 | +After the final Workflow has completed, navigate back to the `Security` tab and click `Closed`. Notice that the **Query built from user-controlled sources** security alert now shows up as a closed issue. |
| 191 | + |
| 192 | +<img src="images/15-fixed-alert.png" width="80%"/> |
| 193 | + |
| 194 | +#### Traceability |
| 195 | + |
| 196 | +Click on the security alert and notice that it details when the fix was made, by whom, and the specific commit. This provides full traceability to detail when and how a security alert was fixed and exactly what was changed to remediate the issue. |
| 197 | + |
| 198 | +<img src="images/16-fix-history.png" width="80%"/> |
| 199 | + |
| 200 | +</p> |
| 201 | +</details> |
| 202 | + |
| 203 | +## Next Steps |
| 204 | + |
| 205 | +Ready to talk about advanced security features for GitHub Enterprise? [Contact Sales](https://enterprise.github.com/contact) for more information! |
| 206 | + |
| 207 | +Check out [GitHub's Security feature page](https://github.com/features/security) for more security features embedded into GitHub. |
| 208 | + |
| 209 | +Check out the Code Scanning [documentation](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) for additional configuration options and technical details. |
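Review bot: the title on line 1 says "Javascript Tutorial" while line 3 welcomes the reader to the "Code Scanning Java Tutorial" and line 46 explains the build step "Since Java is a compiled language"; the target file at line 162 is `IndexController.java`, so line 1 should read `# Code Scanning Java Tutorial`. In the "Fix the Security Alert" block (lines 155-158) the `<p>` is opened before `<summary>`, unlike every other `<details>` block in the file, so the summary ends up inside the paragraph; move `<summary>Fix the Security Alert</summary>` to directly follow `<details>` as on lines 15-17. Line 160 does not say what the `fixme` replacement actually changes, so a reader learns only that the alert disappears, not how it was remediated; one sentence describing the change in `fixme` would make the "Fixed Alert" step meaningful, and "parameters used in the SQL query is validated" should be "are validated". Spelling: "with use" on line 11 should be "will use"; the image path on line 38 is "secruity" (check it matches the file in `images/`); "desciption" on line 125; "vulnerabilties" on line 186; "An security alert" on line 110 should be "A security alert", and the backtick on line 110 has a leading space in `` ` Code Scanning Alerts` ``.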