ci: add CodeQL query to enforce OpenSSL return code handling (#1867)#2415
Vishnu2707 wants to merge 4 commits into open-quantum-safe:main from
Conversation
Adds a custom CodeQL query (.github/codeql/openssl-return-check.ql) that detects calls to OpenSSL EVP_* functions whose return value is not guarded by the OQS_OPENSSL_GUARD macro. Integrates the query into a new CodeQL workflow (.github/workflows/codeql.yml) that runs on every PR and push to main. The query was originally written by Trail of Bits during their audit of liboqs and reported in issue open-quantum-safe#1867. Closes open-quantum-safe#1867 Signed-off-by: Vishnu Ajith <27vishnu07@gmail.com>
Addresses Scorecard Token-Permissions finding: security-events write permission scoped to codeql job only, not workflow level. Signed-off-by: Vishnu Ajith <27vishnu07@gmail.com>
Replace inline queries: path with a codeql-config.yml config file. The CodeQL init action requires local queries to be referenced via a config file rather than a direct relative path in the queries field. Signed-off-by: Vishnu Ajith <27vishnu07@gmail.com>
The CodeQL cpp extractor pre-finalize script crashes with exit code 134 when the trapCaches/cpp/tarballs directory does not exist on the runner. Disabling TRAP caching avoids the crash. Signed-off-by: Vishnu Ajith <27vishnu07@gmail.com>
The query runs successfully; CodeQL scanned 200 C files with no errors. The remaining failure is "CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled", which indicates the repo has CodeQL default setup active in settings. This conflicts with the custom workflow SARIF upload. @dstebila @baentsch, would it be possible to disable default setup in the repository's Code Security settings to allow the custom workflow to run, or should the workflow be restructured to work alongside default setup?
Hi @Vishnu2707 Thanks very much for the PR and helping us reduce our backlog!
The latter: We want to keep the current checks. Copilot suggested this change (plus removal of the new codeql-config.yml from the PR): Could you please try this and see whether it gets the PR across the finish line?
Closes #1867
What this PR does
Adds a custom CodeQL query that detects calls to OpenSSL EVP_* functions whose return value is not guarded by the OQS_OPENSSL_GUARD macro. Integrates the query into a new CodeQL workflow that runs on every PR and push to main.
Files added
.github/codeql/openssl-return-check.ql — custom CodeQL query
.github/workflows/codeql.yml — CodeQL workflow
Files modified
.github/workflows/pr.yml — adds codeql job to PR checks
Background
Trail of Bits identified unchecked EVP_* return values during their audit of liboqs (issue #1862, fixed in #1869). This query makes that class of bug permanently detectable in CI, preventing new instances from being introduced.
The query was originally written by Trail of Bits and provided in issue #1867.
Checklist
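As an added illustration of the kind of check this PR describes, here is a CodeQL C/C++ query that reports every call to an int-returning EVP_* function that does not appear inside an OQS_OPENSSL_GUARD macro invocation. This is example code written for this page; it is not the Trail of Bits query from issue #1867 and not the file added by the PR. The query id, the `EvpIntFunction` class name, the `guardedByMacro` predicate name and the alert message are assumptions; the liboqs macro name and the EVP_* prefix come from the PR text.

```ql
/**
 * @name Unguarded OpenSSL EVP_* call (example, not the PR's query)
 * @description Flags calls to int-returning OpenSSL EVP_* functions that are not
 *              wrapped in the OQS_OPENSSL_GUARD macro, so a failed call cannot be
 *              silently ignored.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/unguarded-evp-call
 */

import cpp

/**
 * An OpenSSL EVP_* function that signals failure through its int return value.
 * Pointer-returning helpers such as EVP_MD_CTX_new() are deliberately excluded:
 * they report failure as NULL, not through the 1/0 convention the guard macro
 * checks, so they need a different kind of check.
 */
class EvpIntFunction extends Function {
  EvpIntFunction() {
    this.getName().prefix(4) = "EVP_" and
    this.getType().getUnspecifiedType() instanceof IntType
  }
}

/**
 * Holds if `fc` sits inside the expansion of an OQS_OPENSSL_GUARD(...) invocation,
 * i.e. the call was passed as the macro argument and its result is checked there.
 * (Macro name as given in the PR; the predicate name is this example's own.)
 */
predicate guardedByMacro(FunctionCall fc) {
  exists(MacroInvocation mi |
    mi.getMacroName() = "OQS_OPENSSL_GUARD" and
    mi.getAnExpandedElement() = fc
  )
}

from FunctionCall fc
where
  fc.getTarget() instanceof EvpIntFunction and
  not guardedByMacro(fc)
select fc,
  "Call to " + fc.getTarget().getName() + " is not wrapped in OQS_OPENSSL_GUARD."
```

Two design points worth noting. First, the query intentionally flags a hand-written check such as `if (EVP_DigestInit_ex(ctx, md, NULL) != 1)` as well as a call whose result is simply dropped: the point of the convention is that every EVP_* result goes through one guard, so the reviewer sees one pattern. A project that only wants to catch discarded results would add `fc instanceof ExprInVoidContext` to the `where` clause instead. Second, matching on the macro invocation rather than on the expanded `if (1 != ...)` text means the query keeps working if the macro body changes, which is why it keys on `MacroInvocation` and not on the comparison.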