Add CodeQL Action #85
Conversation
BTW @jonschlinkert how about disabling Coveralls comments? You can configure this on the Coveralls project page.
Nice thanks for this PR! This might confirm my hunch for what was causing issues in Jest. I wasn't sure where specifically, but my guess was either backslashes (not from escaping per se, but users defining windows-style paths as globs, which is invalid), or negative lookbehinds. However, shouldn't we only be testing the library itself? Meaning, is there an option to avoid flagging unit test fixtures as problematic? IMHO, for a couple of reasons it doesn't make sense to flag those fixtures:
Thoughts?

I don't really have an opinion on that, but I'd support whatever you want to do.
You can ignore any issues that you want later through the security repo tab. It should be possible to limit what CodeQL scans but this is simpler.
I'd definitely disable comments because they are just noise since there is a status check already :)

Another side note, while we're on this topic of ReDoS... Have you seen any other JavaScript-based libraries or solutions besides safe-regex for checking for regex vulnerabilities? I don't think safe-regex is doing star-height calculations correctly. I'm not sure about its dependency (vuln-regex-detector), but at a quick glance it also seems to be doing naive calculations that will result in false positives and negatives.
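To make the star-height point concrete, here is an added example (not code from this PR, from safe-regex or from vuln-regex-detector): a small star-height calculator over a constructed regex subset, run on constructed patterns that show one false positive and two false negatives of the "height > 1" heuristic.

```javascript
// Added example, not code from this PR or from safe-regex / vuln-regex-detector.
// Star height = deepest nesting of unbounded repetition; checkers in the safe-regex
// family flag height > 1. Constructed subset: groups, (?:...), classes, escapes, * + ? {m,n}.
function starHeight(pattern) {
  let i = 0;
  function parseAtom() {
    const c = pattern[i++];
    if (c === '(') {                                       // group: height of its body
      if (pattern.startsWith('?:', i)) i += 2;             // non-capturing group
      const h = parseAlternation();
      if (pattern[i++] !== ')') throw new Error('unbalanced group: ' + pattern);
      return h;
    }
    if (c === '[') {                                       // a class is a single atom
      while (i < pattern.length && pattern[i] !== ']') i += pattern[i] === '\\' ? 2 : 1;
      if (i++ >= pattern.length) throw new Error('unterminated class: ' + pattern);
      return 0;
    }
    if (c === '\\') i++;                                   // escaped character
    return 0;                                              // literal, '.', '^', '$'
  }
  function parseQuantifiedAtom() {
    let h = parseAtom();                                   // then an optional quantifier (+ lazy '?')
    const m = /^(\*|\+|\?|\{(\d+)(,(\d*))?\})\??/.exec(pattern.slice(i));
    if (!m) return h;
    i += m[0].length;
    if (m[1] === '*' || m[1] === '+' || (m[3] !== undefined && m[4] === '')) h += 1; // unbounded loop adds a level
    return h;
  }
  function parseSequence() {
    let h = 0;
    while (i < pattern.length && pattern[i] !== '|' && pattern[i] !== ')') h = Math.max(h, parseQuantifiedAtom());
    return h;
  }
  function parseAlternation() {                            // max over alternatives
    let h = parseSequence();
    while (pattern[i] === '|') { i++; h = Math.max(h, parseSequence()); }
    return h;
  }
  const h = parseAlternation();
  if (i !== pattern.length) throw new Error('unmatched ")": ' + pattern);
  return h;
}
// safe-regex-style verdict: star height above 1 is reported as dangerous.
function looksDangerous(pattern) { return starHeight(pattern) > 1; }
// Constructed samples; the backtracking behaviour is hand-analysed, not computed:
//   (a+)+$   height 2, flagged -> exponential             (true positive)
//   (ab*)*$  height 2, flagged -> linear, no ambiguity    (false positive)
//   a*a*b    height 1, passed  -> quadratic on "aaaa..."  (false negative)
//   (a|aa)+$ height 1, passed  -> exponential             (false negative)
for (const p of ['(a+)+$', '(ab*)*$', 'a*a*b', '(a|aa)+$']) console.log(p, starHeight(p), looksDangerous(p) ? 'flagged' : 'passed');
```

The last two rows are the polynomial and alternation-overlap cases a pure star-height check cannot see, which is why tools built on it need a second, ambiguity-based analysis.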
@jonschlinkert not sure how to mitigate the issues, but I'd start by using CodeQL and/or LGTM.
Sorry for taking such a long time on this. I had some unexpected changes this past year, but I'm getting back up to speed.
This should flag a potential Polynomial ReDoS issue I've been seeing on lgtm.com.