advanced-security / codeql-summarize
CodeQL Summary Generator
License: MIT License
In some cases we might want to include or exclude certain namespaces / module paths to allow end-users to automatically remove / add particular paths from libraries.
Right now we only check for some use cases and need to support more in the future.
gh cli: We might want a way to support multiple languages being passed into the tool. This might also help if we want to use the GitHub API to check what languages are present in the repo.
gh codeql-summarize -l java,javascript ...
In the event that a database is not available, it would be great to add a separate section of the configuration file to be used for the purposes of performing a git clone and then attempting to create a database locally. This would be a great use case for interpreted languages, and could possibly parse the CodeQL Action workflow file for build commands with compiled languages.
This might also help security teams prepare for turning on CodeQL for a repository if Code Scanning has not been enabled there yet. We don't necessarily need to perform the analysis, but it would be neat to perform an upload of a new database (or databases) for SARIF review prior to turning on Code Scanning for a given repo.
We might want to "store summaries" in JSON or another format that is stored in a repo.
This would solve the "over time the framework / library might change" problem.
Users might just want to get a summary file without submitting pull requests etc. For those uses it would be useful if that flag was optional.
Should Bundling export an updated version of the projects.json file if present? This means that if I scanned "org/test" ad-hoc then it should be registered in the projects file.
Databases have a primaryLanguage field in their manifest, which could be used to automatically set --language. That way we could likely remove --language altogether and make the cli interface more convenient.
We might hit an issue with namespaces and modules when generating CodeQL and creating a bundle.
I haven't seen this, but as a side note, make sure that if we do, it's noted here.