Skip to content

A query suite for common bug patterns in Cosmos SDK-based applications

License

Notifications You must be signed in to change notification settings

crypto-com/cosmos-sdk-codeql

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cosmos-sdk-codeql

A query suite for common bug patterns in Cosmos SDK-based applications.

Passive Maintenance

This repository is in a passive maintenance mode: it is not actively developed, but we will accept pull requests and issues. It may, however, take some time to respond.

Usage

In CodeQL CLI, you can download it using the following command:

$ codeql pack download crypto-com/[email protected]

See more details in the CodeQL CLI documentation.

In order to add the extra queries to the CI pipeline, you can use the queries or packs option in the CodeQL initialization:

#...
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: 'go'
        queries: crypto-com/[email protected], <...other queries...>
#...

See more details in the GitHub Code Scanning documentation.

False Negatives

The queries have heuristics based on the usage in the Cosmos SDK codebase to reduce false positives. They may, however, lead to false negatives: for example, if you used "client" package's code parts (that may be ignored by queries) in consensus-critical sections, related bugs from ignored packages may not be uncovered by queries. If you are worried about false negatives in particular queries, you can open an issue to discuss the query change. Alternatively, you can tweak the query and either execute it manually from time to time, or add the tweaked query to your CI scanning action.

False Positives

The queries over-approximate and may lead to false positives. If you encounter a false positive, you can do the following:

  1. you can dismiss the false positive alerts in the Security tab on GitHub;
  2. if see a repeating pattern of false positives, you can open an issue to discuss the query improvement;
  3. alternatively, if you cannot dismiss alerts in the Security tab on GitHub, some of the queries will ignore findings that have an explicit comment (starting with "SAFE:") that explains why it is safe to ignore that bit of code. The comments can be placed either on the preceding line or on the enclosing function:
// SAFE: ...explanation why findings in this function are false positives...
func myFun(...) {
   ...
}

func myFun2(...) {
  ...
  // SAFE: ...explanation why this particular finding is a false positive...
  myVar := ...
  ...
}

About

A query suite for common bug patterns in Cosmos SDK-based applications

Resources

License

Stars

Watchers

Forks

Packages

 
 
 

Languages