False positive for stapler permission check #43
Comments
That wouldn't be a problem. The problem is that it doesn't look at the code of dependencies, and since the actual permission check is in
CodeQL cannot identify the actual permission check, so… suggestions welcome. I'd rather not go with method name matching or similar hacks.
I think you could change https://github.com/jenkins-infra/jenkins-security-scan/blob/187851c1b2401848d69015680c62b48160f7bce1/.github/workflows/jenkins-security-scan.yaml#L43-L45 to specify the rules you want to use based on https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#specifying-which-queries-to-run-in-a-codeql-pack. I don't think you can exclude individual queries though, so this comes with quite a maintenance burden. Applying suppressions seems easier. |
I see, then I will stay with my permission tests that utilize ArchUnit. This framework works on the byte code including all dependencies. |
The check 'Stapler: Missing permission check` creates false positives if the permission check is hidden in a facade.
Example (https://github.com/jenkinsci/prism-api-plugin/security/code-scanning/7):
It would be helpful if the check could be improved.
Is there a way to disable some of the rules in the configuration file in the meantime? I get a lot of these false positives in all my plugins...
The text was updated successfully, but these errors were encountered: