akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
24509dc84f2a0b9ec439c8aa7ddd2e77d3b6b803
Charon/docs/plans/current_spec.md

8.8 KiB
Raw Blame History

CodeQL Go Coverage RCA (2026-02-18)

1) Observed Evidence (exact commands/workflow paths/config knobs that control scope)

  • Local CI-aligned command in VS Code task Security: CodeQL Go Scan (CI-Aligned) [~60s]:
    • codeql database create codeql-db-go --language=go --source-root=backend --codescanning-config=.github/codeql/codeql-config.yml --overwrite --threads=0
    • codeql database analyze codeql-db-go --additional-packs=codeql-custom-queries-go --format=sarif-latest --output=codeql-results-go.sarif --sarif-add-baseline-file-info --threads=0
  • Local pre-commit CodeQL Go scan command (scripts/pre-commit-hooks/codeql-go-scan.sh):
    • codeql database analyze codeql-db-go codeql/go-queries:codeql-suites/go-security-and-quality.qls --format=sarif-latest --output=codeql-results-go.sarif --sarif-add-baseline-file-info --threads=0
  • Reproduced analyzer output from local run:
    • CodeQL scanned 175 out of 436 Go files in this invocation.
    • Path filters have no effect for Go... 'paths' and 'paths-ignore' ... have no effect for this language.
  • Workflow controlling CI scan: .github/workflows/codeql.yml
    • on.pull_request.branches: [main, nightly]
    • on.push.branches: [main, nightly, development]
    • Uses github/codeql-action/init + autobuild + analyze.
    • init currently does not set queries, so suite selection is implicit.
    • Uses config file ./.github/codeql/codeql-config.yml.
  • Config file: .github/codeql/codeql-config.yml
    • Only paths-ignore entries for coverage/build artifacts; no Go-specific exclusions.
  • Ground-truth file counts:
    • find backend -type f -name '*.go' | wc -l => 436
    • find backend -type f -name '*.go' ! -name '*_test.go' | wc -l => 177
    • go list -json ./... | jq -s 'map((.GoFiles|length)+(.CgoFiles|length))|add' => 175
  • Target file verification:
    • Local scan output includes extraction of backend/internal/api/handlers/system_permissions_handler.go.
    • SARIF contains go/path-injection findings in that file.

2) Why 175/436 happens (expected vs misconfiguration)

  • Expected behavior (primary):
    • 436 is a raw repository count including *_test.go and non-build files.
    • Go CodeQL analyzes build-resolved files (roughly Go compiler view), not all raw .go files.
    • Build-resolved count is 175, which exactly matches go list compiled files.
  • Denominator inflation details:
    • 259 files are *_test.go and are not part of normal build-resolved extraction.
    • Two non-test files are also excluded from compiled set:
      • backend/internal/api/handlers/security_handler_test_fixed.go (//go:build ignore)
      • backend/.venv/.../empty_template_main.go (not in module package graph)
  • Conclusion: 175/436 is mostly expected Go extractor semantics, not a direct scope misconfiguration by itself.

3) How this could miss findings

  • Build tags / ignored files:
    • Files behind build constraints (for example //go:build ignore) are excluded from compiled extraction; findings there are missed.
  • Path filters:
    • For Go, paths / paths-ignore do not reduce extraction scope (confirmed by CodeQL diagnostic).
    • Therefore .github/codeql/codeql-config.yml is not the cause of reduced Go coverage.
  • Generated or non-module files:
    • Files outside the module/package graph (for example under .venv) can appear in raw counts but are not analyzed.
  • Uncompiled packages/files:
    • Any code not reachable in package resolution/build context will not be analyzed.
  • Trigger gaps (CI event coverage):
    • pull_request only targets main and nightly; PRs to development are not scanned by CodeQL workflow.
    • push only scans main/nightly/development; feature-branch pushes are not scanned.
  • Baseline behavior:
    • --sarif-add-baseline-file-info adds baseline metadata; it does not itself suppress extraction.
    • Alert visibility can still appear delayed based on when a qualifying workflow run uploads SARIF.
  • Local/CI suite drift (explicit evidence):
    • CI workflow (.github/workflows/codeql.yml) and VS Code CI-aligned task (.vscode/tasks.json) use implicit/default suite selection.
    • Pre-commit Go scan (scripts/pre-commit-hooks/codeql-go-scan.sh) pins explicit go-security-and-quality.qls.

4) Why finding appeared now (most plausible ranked causes with confidence)

  1. Trigger-path visibility gap (Plausible hypothesis, 0.60)
    • The code likely existed before, but this remains a hypothesis unless workflow history shows explicit missing qualifying runs for the affected branch/PR path.
  2. Local/CI command drift labeled as “CI-aligned” (Medium-High, 0.70)
    • Different entrypoints use different suite semantics (explicit in pre-commit vs implicit in workflow/task), increasing chance of inconsistent detection timing.
  3. Query/toolpack evolution over time (Medium, 0.55)
    • Updated CodeQL packs/engines can surface dataflow paths not previously reported.
  4. Extractor file-count misunderstanding (Low, 0.25)
    • 175/436 itself did not hide system_permissions_handler.go; that file is in the extracted set.

5) Prevention controls (local + CI): exact changes to scan commands/workflows/policies

  • CI workflow controls (.github/workflows/codeql.yml):
    • Expand PR coverage to include development:
      • on.pull_request.branches: [main, nightly, development]
    • Expand push coverage to active delivery branches (or remove push branch filter if acceptable).
    • Pin query suite explicitly in init (avoid implicit defaults):
      • add queries: security-and-quality
  • Local command controls (make truly CI-aligned):
    • Require one canonical local invocation path (single source of truth):
      • Prefer VS Code task calling scripts/pre-commit-hooks/codeql-go-scan.sh.
    • If task remains standalone, it must pin explicit suite:
      • codeql database analyze codeql-db-go codeql/go-queries:codeql-suites/go-security-and-quality.qls --additional-packs=codeql-custom-queries-go ...
  • Policy controls:
    • Require CodeQL checks as branch-protection gates on main, nightly, and development.
    • Add a parity check that fails when suite selection diverges across workflow, VS Code local task, and pre-commit script.
    • Keep reporting both metrics in documentation/logs:
      • raw .go count
      • compiled/extracted .go count (go list-derived)
    • Add metric guardrail: fail the run when extracted compiled Go count diverges from the go list compiled baseline beyond approved tolerance.

6) Verification checklist

  • Run and record raw vs compiled counts:
    • find backend -type f -name '*.go' | wc -l
    • cd backend && go list -json ./... | jq -s 'map((.GoFiles|length)+(.CgoFiles|length))|add'
  • Run local CodeQL Go scan and confirm diagnostic line:
    • CodeQL scanned X out of Y Go files...
  • Compare extraction metric to compiler baseline and fail on unexpected divergence:
    • baseline: cd backend && go list -json ./... | jq -s 'map((.GoFiles|length)+(.CgoFiles|length))|add'
    • extracted: parse CodeQL scanned X out of Y Go files... and assert X == baseline (or documented tolerance)
  • Confirm target file is extracted:
    • local output includes Done extracting .../system_permissions_handler.go
  • Confirm SARIF includes expected finding for file:
    • jq filter on system_permissions_handler.go
  • Validate CI workflow trigger coverage includes intended PR targets/branches.
  • Validate workflow and local command both use explicit security-and-quality suite.

7) PR Slicing Strategy

  • Decision: Multiple PRs (3), to reduce rollout risk and simplify review.

  • Trigger reasons: Cross-domain change (workflow + local tooling + policy), security-sensitive, and high review impact if combined.

  • PR-1: CI Trigger/Suite Hardening

    • Scope: .github/workflows/codeql.yml
    • Changes: broaden pull_request branch targets, keep/expand push coverage, set explicit queries: security-and-quality.
    • Dependencies: none.
    • Validation gate: actionlint + successful CodeQL run on PR to development.
    • Rollback: revert workflow file only.

  • PR-2: Local Command Convergence

    • Scope: .vscode/tasks.json and/or canonical script wrapper.
    • Changes: enforce explicit go-security-and-quality.qls in local Go task, keep custom pack additive only.
    • Dependencies: PR-1 preferred, not hard-required.
    • Validation gate: local task output shows explicit suite and reproducible SARIF.
    • Rollback: revert tasks/scripts without affecting CI.

  • PR-3: Governance/Policy Guardrails

    • Scope: branch protection requirements + parity check job/documentation.
    • Changes: require CodeQL checks on main/nightly/development; add drift guard.
    • Dependencies: PR-1 and PR-2.
    • Validation gate: blocked merge when CodeQL missing/failing or parity check fails.
Reference in New Issue View Git Blame Copy Permalink