mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:21:35 +00:00
shankar0123
482e952dde
Two CodeQL runs (commits1122f5a+c4157fd) since the initial Option A landing both completed with conclusion=success but failed to dismiss alert #23 (go/request-forgery on scep_probe.go:232). Root cause: the local pack never loaded. The bug was in codeql-config.yml — `packs: { go: ['./'] }` looked plausible (the path is relative to the config file's directory) but the `packs:` field requires pack NAMES, not paths. Discovery of unpublished local packs goes through the codeql-action `init` step's `additional-packs:` input, not through `packs:`. Verified pattern by reading github/vscode-codeql's working .github/codeql/ setup. The supported chain: workflow init step passes additional-packs: <parent-dir> ↓ CodeQL CLI registers each pack under the parent ↓ codeql-config.yml names the pack in `packs: go: [name]` ↓ CodeQL CLI resolves the name → pack on disk ↓ pack's qlpack.yml declares extensionTargets: codeql/go-all ↓ data extension YAML auto-loads, applies the barrier rows Restructure to match this chain: Before After -------- ----- .github/codeql/qlpack.yml .github/codeql/codeql-config.yml .github/codeql/models/ .github/codeql/certctl-models/ request-forgery-sanitizers.model.yml qlpack.yml .github/codeql/codeql-config.yml models/ request-forgery-sanitizers.model.yml The new `.github/codeql/certctl-models/` is the pack directory, named to match `name: shankar0123/certctl-models` in qlpack.yml. Its parent `.github/codeql/` is what additional-packs points at. The action discovers the pack by walking the parent dir, sees the qlpack.yml, registers the name, and `packs:` lookup succeeds. Three concrete changes: - Pack moves from .github/codeql/{qlpack.yml, models/} into the sibling subdirectory .github/codeql/certctl-models/. - codeql-config.yml's packs: directive now uses the pack NAME (`shankar0123/certctl-models`) instead of the broken `./` path. - codeql.yml's Initialize CodeQL step gains `additional-packs: .github/codeql` so the CLI's resolver knows where to find unpublished packs. Belt-and-suspenders correctness fix: the model row's `subtypes` column now uses `False` (Python-style capitalized) instead of `false` to match every shipped CodeQL Go .model.yml convention. SnakeYAML accepts lowercase too — this is a hedge against any strict-format tooling in the path. Why this matters: alert #23 is rated Critical with CWE-918 + CWE-180. The runtime defense is correct (validate-then-pin via ValidateSafeURL + SafeHTTPDialContext), but the analyzer doesn't know it. With the pack actually loading this time, the next CodeQL run will see the barrier and dismiss the alert at source. Same fix implicitly applies to the webhook notifier's outbound client.Do (the second site that uses ValidateSafeURL). Operator: push and watch the next CodeQL run dismiss alert #23. If it doesn't, the next iteration will be on the YAML row's column shape — most likely a one-line tweak, not another redesign.