Skip to content

Commit 82f2d53

Browse files
authored
Merge pull request #76 from melodee-project/sph.2026-07-11.01
Sph.2026 07 11.01
2 parents d91342e + 4870ebb commit 82f2d53

128 files changed

Lines changed: 13600 additions & 14462 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/CODEQL-WORKFLOW.md

Lines changed: 135 additions & 128 deletions
Original file line numberDiff line numberDiff line change
@@ -1,136 +1,143 @@
11
# CodeQL Workflow Configuration
22

3-
## Current State: Dual CodeQL Setup
4-
5-
This repository currently has **two CodeQL analysis configurations** running:
6-
7-
### 1. Custom CodeQL Workflow (`.github/workflows/codeql.yml`)
8-
- **Location**: `.github/workflows/codeql.yml`
9-
- **Status**: Active, but results NOT uploaded to GitHub Security
10-
- **Configuration**: Custom setup with advanced features
11-
- **Languages**: C# and JavaScript/TypeScript (matrix strategy)
12-
- **Custom Config**: `.github/codeql/codeql-config.yml` (path filtering)
13-
- **Upload Setting**: `upload: false` (to avoid conflicts with default setup)
14-
15-
### 2. GitHub Default Setup
16-
- **Location**: Enabled in repository settings (no visible file)
17-
- **Status**: Active (inferred from workflow comments)
18-
- **Configuration**: GitHub-managed default
19-
- **Languages**: Auto-detected
20-
- **Results**: Uploaded to GitHub Security tab
21-
22-
## Why This Exists
23-
24-
The comment in `codeql.yml` lines 78-80 states:
25-
```yaml
26-
# Prevent workflow failure when GitHub "default setup" code scanning is enabled.
27-
# If you want advanced results uploaded, disable default setup or set upload: true.
28-
upload: false
3+
Melodee uses one version-controlled CodeQL advanced setup. The workflow in
4+
`.github/workflows/codeql.yml` uploads results for every supported application
5+
language to GitHub code scanning.
6+
7+
## Scanning Coverage
8+
9+
The workflow runs for pushes and pull requests targeting `main`, every Sunday
10+
at 00:00 UTC, and on manual dispatch. Its matrix analyzes:
11+
12+
- GitHub Actions workflows using the interpreted `none` build mode.
13+
- C# using `autobuild`, so CodeQL observes the compiled solution.
14+
- JavaScript and TypeScript using the interpreted `none` build mode.
15+
- Python using the interpreted `none` build mode and its local threat model.
16+
17+
The shared configuration in `.github/codeql/codeql-config.yml` excludes
18+
documentation, tests, benchmarks, and vendored minified JavaScript from
19+
interpreted-language analysis. C#, JavaScript/TypeScript, and Actions use the
20+
default remote threat model. Python uses
21+
`.github/codeql/codeql-python-config.yml`, which extends the default model with
22+
local files, command-line arguments, environment variables, and other local
23+
sources used by maintenance scripts. Neither configuration excludes C#
24+
findings by rule.
25+
26+
This split is deliberate. The compiled web application has a remote request
27+
boundary, and treating all application-owned database and filesystem state as
28+
attacker-controlled creates unactionable C# flows. Python maintenance tools
29+
really do accept local files, environment variables, and command-line values
30+
from an administrator, so the local threat model accurately represents their
31+
trust boundary. Do not enable `threat-models: local` globally to make the two
32+
very different execution models look uniform.
33+
34+
The local models are intentionally narrow. They identify
35+
`LogSanitizer.Sanitize` as a barrier only for the `log-injection` flow kind and
36+
`ConfigurationLogRedactor.RedactValue` as a barrier only when values would be
37+
persisted to an external location such as a log. They are packaged under
38+
`.github/codeql/extensions/log-sanitizer` so advanced and default setup can
39+
discover them. The `.yml` suffix is intentional because the pack manifest only
40+
loads model files matching `models/**/*.yml`.
41+
Repository-wide query exclusions must not be added to hide a false positive.
42+
Prefer a source fix or a precise CodeQL model; dismiss an individual alert only
43+
when neither option accurately represents the behavior.
44+
45+
All workflow actions are pinned to verified full commit SHAs. Keep the release
46+
comments beside those SHAs when updating the pins so reviews can identify the
47+
corresponding upstream release.
48+
49+
## Required Repository Configuration
50+
51+
GitHub default setup must remain disabled while this advanced workflow is
52+
active. Enabling both configurations can disable advanced uploads, duplicate
53+
work, and leave alert status attached to a configuration that no longer runs.
54+
55+
To verify the setting:
56+
57+
1. Open the repository settings and select **Advanced Security** or
58+
**Code security and analysis**.
59+
2. Find **CodeQL analysis** under code scanning.
60+
3. Confirm default setup is disabled and the checked-in advanced workflow is
61+
enabled.
62+
63+
The REST API reports the same state through:
64+
65+
```shell
66+
gh api repos/melodee-project/melodee/code-scanning/default-setup
2967
```
3068

31-
This indicates that both setups were running, causing conflicts. The custom workflow was modified to NOT upload results to avoid workflow failures.
32-
33-
## Problem
34-
35-
Having two CodeQL setups is inefficient and confusing:
36-
- ❌ Duplicate analysis runs (wastes CI/CD minutes)
37-
- ❌ Custom workflow results not visible in Security tab
38-
- ❌ Configuration spread across multiple systems
39-
- ❌ Unclear which analysis results are authoritative
40-
41-
## Recommended Solution: Keep Custom Workflow
42-
43-
**Advantages of the custom workflow:**
44-
1. ✅ **Path filtering** - Excludes docs, vendored JS, benchmarks (via `codeql-config.yml`)
45-
2. ✅ **Explicit language control** - C# and JavaScript/TypeScript
46-
3. ✅ **Version control** - Configuration tracked in Git
47-
4. ✅ **Transparency** - Visible in repository, reviewable in PRs
48-
5. ✅ **Flexibility** - Can add custom queries, modify triggers, adjust timeout
49-
6. ✅ **Already proven** - Working configuration with comprehensive security audit
50-
51-
**Steps to migrate:**
52-
53-
### Step 1: Disable GitHub Default Setup
54-
1. Go to repository **Settings** → **Code security and analysis**
55-
2. Find **Code scanning** section
56-
3. Locate **CodeQL analysis** → **Default setup**
57-
4. Click **Disable** or switch to **Advanced**
58-
59-
> **Note**: You must have admin access to the repository to change these settings.
60-
61-
### Step 2: Enable Uploads in Custom Workflow
62-
Update `.github/workflows/codeql.yml` line 78-82 to:
63-
64-
```yaml
65-
- name: Perform CodeQL Analysis
66-
uses: github/codeql-action/analyze@v4
67-
with:
68-
category: "/language:${{ matrix.language }}"
69-
# Upload results to GitHub Security tab
70-
# Default setup has been disabled in repository settings
71-
upload: true
72-
```
73-
74-
Remove these lines (they're now unnecessary):
75-
- `upload-database: false`
76-
- `wait-for-processing: false`
77-
78-
### Step 3: Verify Configuration
79-
1. Commit and push the workflow changes
80-
2. Trigger a workflow run (push to main or create PR)
81-
3. Check **Security** tab → **Code scanning** for results
82-
4. Verify both C# and JavaScript/TypeScript results appear
83-
84-
## Alternative Solution: Use Default Setup Only
85-
86-
If you prefer GitHub's managed solution:
87-
88-
### Step 1: Delete Custom Workflow
89-
```bash
90-
git rm .github/workflows/codeql.yml
91-
git rm .github/codeql/codeql-config.yml # optional, if not needed
69+
The expected `state` is `not-configured`.
70+
71+
## Removing a Stale Configuration
72+
73+
An alert can remain open after its code is fixed when it belongs to an older
74+
configuration that no longer runs. Adding the language to this workflow does
75+
not update the stale configuration's result.
76+
77+
After the advanced workflow has completed successfully on `main`:
78+
79+
1. Open **Security and quality** > **Code scanning**.
80+
2. Open **Tool status**, or open the alert and inspect **Affected branches** >
81+
**Configurations analyzing** for `main`.
82+
3. Retain `.github/workflows/codeql.yml:analyze` for each matrix language.
83+
4. Delete the stale `dynamic/github-code-scanning/codeql:analyze` and
84+
`dynamic/github-code-scanning/codeql:upload` configurations left by the
85+
former default setup. Retain every checked-in workflow configuration.
86+
5. Re-run the CodeQL workflow if an active configuration was removed by
87+
mistake.
88+
89+
This administrative cleanup is required for findings that exist only in the
90+
former default-setup configuration; a repository commit cannot delete that
91+
server-side configuration.
92+
93+
The stale Python configurations must not be removed before the checked-in
94+
Python matrix job succeeds on `main`. Otherwise, the repository can temporarily
95+
lose active Python coverage rather than transferring it to the advanced
96+
workflow.
97+
98+
## Verification
99+
100+
The July 2026 local verification reports:
101+
102+
- the six original C# alerts have source fixes and regression coverage, while
103+
the Python setup alert has a hardened necessary sink and narrow documented
104+
suppression;
105+
- a fresh default-remote C# database moved from eight findings to zero;
106+
- fresh GitHub Actions and JavaScript/TypeScript databases report zero
107+
findings;
108+
- a fresh workflow-equivalent Python database ran all 45 default queries with
109+
the local threat model and reported zero findings and no SARIF warning/error
110+
notifications; and
111+
- the 52-query Python security-extended suite also reported zero findings.
112+
113+
The Python filesystem audit passes 57 focused tests, and all 109 script tests
114+
pass with `ResourceWarning` promoted to an error. These complete-suite results,
115+
not an earlier targeted-query result, form the local release gate.
116+
117+
After changing the workflow or CodeQL configuration:
118+
119+
1. Validate `.github/workflows/codeql.yml` with `actionlint`.
120+
2. Run the workflow manually, or push the change to a branch with a pull
121+
request targeting `main`.
122+
3. Confirm all four matrix jobs complete and upload results.
123+
4. On **Security and quality** > **Code scanning** > **Tool status**, confirm
124+
recent GitHub Actions, C#, JavaScript/TypeScript, and Python analyses are
125+
present.
126+
5. Review new alerts before merging; do not dismiss them solely to make the
127+
check pass.
128+
129+
Useful command-line checks:
130+
131+
```shell
132+
gh run list --workflow codeql.yml --limit 10
133+
gh api --paginate \
134+
'repos/melodee-project/melodee/code-scanning/alerts?state=open&tool_name=CodeQL&per_page=100'
92135
```
93136

94-
### Step 2: Ensure Default Setup is Enabled
95-
1. Repository **Settings** → **Code security and analysis**
96-
2. Ensure **CodeQL analysis** is set to **Default setup**
97-
98-
**Trade-offs:**
99-
- ✅ Simpler configuration
100-
- ✅ GitHub manages updates
101-
- ❌ Less control over paths analyzed
102-
- ❌ Cannot customize queries easily
103-
- ❌ Configuration not in version control
104-
105-
## Current Recommendation
106-
107-
**Keep the custom workflow** because:
108-
1. It already has proven security analysis (see `CODEQL-ANALYSIS.md`)
109-
2. Path filtering reduces noise from docs and vendored code
110-
3. Configuration is version-controlled and reviewable
111-
4. Team has already invested in customizing it
112-
113-
The only change needed is to **disable GitHub default setup** and **enable uploads** in the custom workflow.
114-
115-
## Migration Checklist
116-
117-
- [ ] 1. Disable GitHub default setup in repository settings
118-
- [ ] 2. Update `codeql.yml` to set `upload: true`
119-
- [ ] 3. Remove `upload-database: false` and `wait-for-processing: false`
120-
- [ ] 4. Update comments in workflow file
121-
- [ ] 5. Commit and push changes
122-
- [ ] 6. Verify workflow runs successfully
123-
- [ ] 7. Check Security tab for CodeQL results
124-
- [ ] 8. Update `CODEQL-ANALYSIS.md` if needed
125-
126137
## References
127138

128-
- [GitHub CodeQL Documentation](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)
129-
- [Configuring Code Scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning)
130-
- [CodeQL Action Documentation](https://github.com/github/codeql-action)
131-
- Project: [CODEQL-ANALYSIS.md](../CODEQL-ANALYSIS.md) - Security audit results
132-
- Project: [SECURITY-FIXES.md](../SECURITY-FIXES.md) - Security improvements
133-
134-
## Questions?
135-
136-
If you have questions about this configuration, please open an issue or contact the maintainers.
139+
- [Workflow configuration options for code scanning](https://docs.github.com/en/code-security/reference/code-scanning/workflow-configuration-options)
140+
- [CodeQL for compiled languages](https://docs.github.com/en/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/codeql-for-compiled-languages)
141+
- [Resolving code scanning alerts](https://docs.github.com/en/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/resolve-alerts)
142+
- [Secure use of GitHub Actions](https://docs.github.com/en/actions/reference/security/secure-use)
143+
- [Customizing CodeQL library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/)

.github/codeql/codeql-config.yml

Lines changed: 10 additions & 48 deletions
Original file line numberDiff line numberDiff line change
@@ -1,50 +1,12 @@
1-
# CodeQL configuration
2-
# This file configures which paths to analyze for JavaScript/TypeScript
1+
name: CodeQL configuration
32

4-
name: "CodeQL config"
5-
6-
# Model extensions define custom sanitizers and sinks for CodeQL analysis
7-
model-extensions:
8-
- ".github/codeql/extensions/log-sanitizer.model.yaml"
9-
10-
# Query filters to tune analysis results
11-
query-filters:
12-
# Exclude false positives where we have verified mitigations
13-
- exclude:
14-
id: cs/web/cookie-secure-not-set
15-
# MelodeeBlazorCookieMiddleware.cs already sets Secure=true (line 29)
16-
17-
# Exclude log-forging alerts for code using LogSanitizer
18-
# LogSanitizer.Sanitize() properly sanitizes log input by replacing newlines,
19-
# but CodeQL's log-forging query doesn't recognize custom sanitizer methods.
20-
# The sanitizer implementation (src/Melodee.Common/Utility/LogSanitizer.cs)
21-
# uses String.Replace to remove CR, LF, NEL, LS, and PS characters.
22-
# See: https://github.com/github/codeql/issues/15824
23-
- exclude:
24-
id: cs/log-forging
25-
26-
# Exclude cleartext-storage alerts for MpdPlaybackBackend password logging
27-
# The password IS properly masked via GetSafeCommandForLogging() which returns
28-
# "password ***" for any command starting with "password ". CodeQL tracks
29-
# data flow but cannot see through the conditional masking logic.
30-
# File: src/Melodee.Common/Services/Playback/Backends/MpdPlaybackBackend.cs
31-
- exclude:
32-
id: cs/cleartext-storage-of-sensitive-information
33-
34-
# For JavaScript/TypeScript, only analyze application code in src directory
35-
# Exclude documentation, vendored libraries, and other non-application code
3+
# Path filters apply to interpreted languages. The C# database is determined
4+
# by the sources included in its build.
365
paths-ignore:
37-
# Exclude entire docs directory (contains Jekyll templates and vendored JS)
38-
- 'docs/**'
39-
- 'melodee/docs/**'
40-
41-
# Exclude vendored/third-party JavaScript libraries
42-
- '**/jquery*.js'
43-
- '**/lunr*.js'
44-
- '**/*.min.js'
45-
46-
# Exclude benchmark and test directories
47-
- 'benchmarks/**'
48-
- 'tests/**'
49-
- 'melodee/benchmarks/**'
50-
- 'melodee/tests/**'
6+
- "benchmarks/**"
7+
- "docs/**"
8+
- "tests/**"
9+
- "**/tests/**"
10+
- "**/*.min.js"
11+
- "**/jquery*.js"
12+
- "**/lunr*.js"
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
name: CodeQL Python configuration
2+
3+
# Maintenance scripts accept files, command-line arguments, and environment
4+
# variables. Extend Python's default remote model so those local sources are
5+
# analyzed under the local threat model independently from the compiled web
6+
# application's remote request boundary.
7+
threat-models: local
8+
9+
paths-ignore:
10+
- "benchmarks/**"
11+
- "docs/**"
12+
- "tests/**"
13+
- "**/tests/**"
14+
- "**/*.min.js"
15+
- "**/jquery*.js"
16+
- "**/lunr*.js"

.github/codeql/extensions/log-sanitizer.model.yaml

Lines changed: 0 additions & 23 deletions
This file was deleted.
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
name: melodee-project/log-sanitizer-models
2+
version: 0.0.0
3+
library: true
4+
extensionTargets:
5+
codeql/csharp-all: "*"
6+
dataExtensions:
7+
- "models/**/*.yml"
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# LogSanitizer.Sanitize replaces every supported line-ending character before
2+
# returning its value. Model that return value only as a log-injection barrier;
3+
# do not suppress the log-forging query or mark unrelated masking helpers safe.
4+
# ConfigurationLogRedactor.RedactValue is deny-by-default and permits only
5+
# sanitized operational metadata, so its return is safe for external storage.
6+
extensions:
7+
- addsTo:
8+
pack: codeql/csharp-all
9+
extensible: barrierModel
10+
data:
11+
- ["Melodee.Common.Utility", "LogSanitizer", false, "Sanitize", "(System.String)", "", "ReturnValue", "log-injection", "manual"]
12+
- ["Melodee.Common.Configuration", "ConfigurationLogRedactor", false, "RedactValue", "(System.String,System.Object)", "", "ReturnValue", "file-content-store", "manual"]

0 commit comments

Comments
 (0)