How to audit CodeQL findings

Question

How do I audit CodeQL findings in GitHub according to the OIS Software Assurance guidelines?

Answer

CodeQL findings are audited within GitHub, under the Security tab. To add an audit comment, select the finding or findings you wish to comment on and select the “Dismiss” button. You will be prompted to select a reason for dismissing the finding (GitHub offers “False positive”, “Used in tests” and “Won't fix”). Select the reason that actually applies and provide a comment explaining why the finding is being dismissed. Note that “Won't fix” on a confirmed true positive is a risk acceptance, not a mitigation, so the comment must say what compensating control or accepted risk justifies it.

  • Comments must be detailed enough that another programmer who is not familiar with the code can verify that the necessary mitigations are in place: name the validation, control or configuration that makes the finding unreachable and say where in the code it lives.

  • If additional comments are required on a finding, whether in response to a review or for other reasons, the finding must be reopened and then dismissed again; the new comment is added at the time of the second dismissal.

GitHub does not currently provide a mechanism to attach comments to an open code scanning alert; the dismissal comment is the only record of the audit decision.

Multiple open findings may be selected at the same time and dismissed with the same comment; likewise, multiple closed findings may be selected at the same time and reopened as a group.

How to view and audit findings

The following steps show how to view and audit an individual finding:

  • Navigate to your application’s GitHub repository and select the “Security” tab:

    Image of tab that says Security

  • On the left-hand side of the “Security overview” page will be a section showing the number of open vulnerability alerts. Select the “Code scanning” menu item to view the alerts:

    Image of vulnerability alert menu with code scanning highlighted

  • You will now see a list of findings in the application. By default, these are filtered to show open findings on the default branch; the filter may be adjusted to show other states and branches as well.

    Image of a list of vulnerability alerts filtered for open issues on main branch

  • To view a particular finding, click on it in the list of alerts. The alert page shows where the finding is located, what the concern is, and potential mitigations. The developer must determine whether it is a true positive that must be fixed or a non-issue that may be dismissed. To dismiss a finding, select “Dismiss alert” in the upper right-hand corner of the screen:

    Image of 'Dismiss alert' button

  • The “Dismiss alert” button asks you to choose a reason the alert is being dismissed. Select the appropriate reason. It also provides a comment box, which must be filled in with an explanation of why the finding is being dismissed, as described above.

    Image of 'Dismiss alert' options, including a selection of reasons to dismiss and a comment field

  • Finally, select the “Dismiss alert” button on this screen to commit the change.

How to bulk dismiss findings

If you want to apply the same comment to more than one finding, you may perform a bulk dismissal. This is done from the page of open findings described above. When you select one or more findings on this page, a “Dismiss” button appears:

Image of listing of vulnerabilities with one selected and a 'Dismiss' button.

Select the “Dismiss” button and follow the instructions above for selecting a reason and adding a comment for the dismissal. Only group findings that genuinely share the same justification; a comment that fits one finding but not the others defeats the purpose of the audit.

How to bulk open findings

If you need to reopen multiple findings in order to apply new comments, you may perform a bulk reopening. This is done from the same findings page as the bulk dismissal, but you must first change the filter to show closed findings. When you select one or more findings from the list of closed findings, a “Reopen” button appears that reopens the selected findings when clicked:

Image of listing of closed vulnerabilities with two selected and a 'Reopen' button.
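The same audit actions (dismiss with a reason and comment, bulk dismiss, bulk reopen) can be driven through GitHub's REST API, which is useful when a reviewer wants to check that every dismissed alert actually carries a usable comment. The following is an added example, not part of the OIS guidelines or GitHub's own tooling. It uses the documented code-scanning alert endpoints (`GET .../code-scanning/alerts` and `PATCH .../code-scanning/alerts/{alert_number}`), assumes a token with the `security_events` scope in the `GITHUB_TOKEN` environment variable, and treats `MIN_COMMENT_LEN` and the `my-org`/`my-app` names as placeholders of this example rather than anything the guidelines prescribe.

```python
"""Dismiss, reopen and audit CodeQL alerts through the GitHub REST API.

Added example: not part of the OIS guidance or GitHub's own tooling.
Assumes a token with the `security_events` scope in GITHUB_TOKEN and uses
the documented code-scanning alert endpoints:
  GET   /repos/{owner}/{repo}/code-scanning/alerts
  PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}
"""
import json
import os
import urllib.request

API = "https://api.github.com"

# Reasons GitHub accepts for a dismissal; the API rejects anything else.
DISMISS_REASONS = ("false positive", "won't fix", "used in tests")

# Minimum comment length before we are willing to dismiss. An audit comment
# must let another programmer verify the mitigation, so a few words is not
# enough. The number is an assumption of this example, not an OIS rule.
MIN_COMMENT_LEN = 40


def _call(method, path, token, body=None):
    """Perform one authenticated API call and return the decoded JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{API}{path}", data=data, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def dismissal_body(reason, comment):
    """Build the PATCH body for a dismissal, enforcing the audit rules."""
    if reason not in DISMISS_REASONS:
        raise ValueError(f"reason must be one of {DISMISS_REASONS}, got {reason!r}")
    if len(comment.strip()) < MIN_COMMENT_LEN:
        raise ValueError("dismissal comment too short to be a useful audit note")
    return {"state": "dismissed", "dismissed_reason": reason,
            "dismissed_comment": comment.strip()}


def dismiss_alerts(owner, repo, numbers, reason, comment, token, call=_call):
    """Bulk-dismiss alerts with one shared reason and comment."""
    body = dismissal_body(reason, comment)
    path = f"/repos/{owner}/{repo}/code-scanning/alerts/"
    return [call("PATCH", path + str(n), token, body) for n in numbers]


def reopen_alerts(owner, repo, numbers, token, call=_call):
    """Bulk-reopen alerts so a new comment can be attached by dismissing again."""
    path = f"/repos/{owner}/{repo}/code-scanning/alerts/"
    return [call("PATCH", path + str(n), token, {"state": "open"}) for n in numbers]


def list_alerts(owner, repo, token, state="open", ref="refs/heads/main", call=_call):
    """Fetch all alerts for one branch and state, paginating 100 at a time."""
    alerts, page = [], 1
    while True:
        batch = call("GET", f"/repos/{owner}/{repo}/code-scanning/alerts"
                     f"?state={state}&ref={ref}&per_page=100&page={page}", token)
        alerts.extend(batch)
        if len(batch) < 100:
            return alerts
        page += 1


def unjustified_dismissals(alerts):
    """Return (number, reason, comment) for dismissed alerts lacking a usable comment.

    This is the reviewer-side check: every dismissal must carry a comment that
    explains the mitigation, so an empty or one-word comment is flagged.
    """
    bad = []
    for alert in alerts:
        if alert.get("state") != "dismissed":
            continue
        comment = (alert.get("dismissed_comment") or "").strip()
        if len(comment) < MIN_COMMENT_LEN:
            bad.append((alert["number"], alert.get("dismissed_reason"), comment))
    return bad


if __name__ == "__main__":
    # Live usage: needs network access, a real repository and a real token.
    tok = os.environ["GITHUB_TOKEN"]
    closed = list_alerts("my-org", "my-app", tok, state="dismissed")
    for number, reason, comment in unjustified_dismissals(closed):
        print(f"alert #{number} dismissed as {reason!r} without a usable comment: {comment!r}")
```

The `call` parameter exists so the HTTP layer can be swapped for a recording stub when exercising the logic offline; in live use the default `_call` is used. Flagged alerts are the ones to reopen (with `reopen_alerts`) and dismiss again with a proper comment, which is exactly the reopen-then-dismiss cycle described above.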