Java: remove SpringBootActuators query #123


Open · wants to merge 1 commit into base: main

Conversation

jcogs33
Collaborator

@jcogs33 jcogs33 commented Apr 21, 2025

Description

This PR removes the githubsecuritylab/java/spring-boot-exposed-actuators query. This query was added to the default code scanning query suite by github/codeql#18793 and released in CodeQL 2.21.0.

I will make follow-up PRs to update package dependencies for 2.21.0 (draft PR) and to publish a new release.

Consideration

  • Does this need a change note? I see a Change notes section in CONTRIBUTING.md, but since the linked guide does not exist, I'm not sure if a change note is needed.
  • I have not contributed to this repo before, so let me know if there's anything else I need to do.

(cc @michaelnebel)

@jcogs33 jcogs33 marked this pull request as ready for review April 22, 2025 22:36
@Copilot Copilot AI review requested due to automatic review settings April 22, 2025 22:36
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR removes the Spring Boot Actuators query by deleting two files that define both test and configuration code for actuator endpoints, aligning the codebase with the updated CodeQL query suite.

  • Removed test file for Spring Boot actuator security from java/test/security/CWE-016.
  • Removed Spring Boot actuator configuration classes from java/src/security/CWE-016.

Reviewed Changes

Copilot reviewed 2 out of 7 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| java/test/security/CWE-016/SpringBootActuators.java | Removed test code for actuator endpoint security |
| java/src/security/CWE-016/SpringBootActuators.java | Removed actuator security configuration classes |
Files not reviewed (5)
  • java/src/security/CWE-016/SpringBootActuators.qhelp: Language not supported
  • java/src/security/CWE-016/SpringBootActuators.ql: Language not supported
  • java/src/security/CWE-016/SpringBootActuators.qll: Language not supported
  • java/test/security/CWE-016/SpringBootActuators.expected: Language not supported
  • java/test/security/CWE-016/SpringBootActuators.qlref: Language not supported

Collaborator

@michaelnebel michaelnebel left a comment


LGTM!

@michaelnebel
Collaborator

> I will make follow-up PRs to update package dependencies for 2.21.0 (draft PR) and to publish a new release.

Excellent!

> Does this need a change note? I see a Change notes section in CONTRIBUTING.md, but since the linked guide does not exist, I'm not sure if a change note is needed.

Good question. It appears that this guide was merged around the time when we added the experimental queries in the first place (at that time we didn't make any change notes). My best guess is that we don't need to add a change note (as this part of the documentation is dangling/unfinished). In any case, maybe ask in #codeql-community-packs on Slack (the section in the Contributing file should either be deleted or extended with the missing parts).

@jcogs33
Collaborator Author

jcogs33 commented Apr 28, 2025

> In any case, maybe ask in #codeql-community-packs on Slack

Will do, thanks!

@jcogs33 jcogs33 mentioned this pull request Apr 29, 2025
@jcogs33
Collaborator Author

jcogs33 commented Apr 30, 2025

@michaelnebel A change note is not required. The section in the Contributing file will be deleted in #127.

Can you merge this PR for me? Or give me access to merge in this repo? I don't have an option to merge, I just see:

> Merging is blocked
> You're not authorized to push to this branch. Visit https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches for more information.
> Code scanning is waiting for results from CodeQL for the commits 7de4b4b or 798d8ed.

@michaelnebel
Collaborator

> @michaelnebel A change note is not required. The section in the Contributing file will be deleted in #127.
>
> Can you merge this PR for me? Or give me access to merge in this repo? I don't have an option to merge, I just see:
>
> > Merging is blocked
> > You're not authorized to push to this branch. Visit https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches for more information.
> > Code scanning is waiting for results from CodeQL for the commits 7de4b4b or 798d8ed.

I have added you as maintainer. Maybe it should be done properly as part of entitlements (maybe ask for permission in the slack channel - this is probably up to SecLab).

@jcogs33
Collaborator Author

jcogs33 commented Apr 30, 2025

> I have added you as maintainer.

Thanks! I have access to push to the repo now, but I still see:

> Merging is blocked
> Code scanning is waiting for results from CodeQL for the commits 7de4b4b or 798d8ed.

Do you know what needs to be done to resolve that message?

@michaelnebel
Collaborator

> > I have added you as maintainer.
>
> Thanks! I have access to push to the repo now, but I still see:
>
> > Merging is blocked
> > Code scanning is waiting for results from CodeQL for the commits 7de4b4b or 798d8ed.
>
> Do you know what needs to be done to resolve that message?

Haven't seen that before; maybe the CodeQL workflow wasn't triggered when the PR was made since you didn't have the right permissions at that time. Maybe rebase and push again.

@jcogs33 jcogs33 force-pushed the jcogs33/java/remove-spring-boot-actuators-query branch from 798d8ed to bfff18f Compare May 2, 2025 13:15
@jcogs33
Collaborator Author

jcogs33 commented May 2, 2025

> Haven't seen that before; maybe the CodeQL workflow wasn't triggered when the PR was made since you didn't have the right permissions at that time. Maybe rebase and push again.

I've rebased but am still seeing the same message. 🤔 I'll ask about this in the Slack channel.

@michaelnebel
Collaborator

> > Haven't seen that before; maybe the CodeQL workflow wasn't triggered when the PR was made since you didn't have the right permissions at that time. Maybe rebase and push again.
>
> I've rebased but am still seeing the same message. 🤔 I'll ask about this in the Slack channel.

It's odd - the CodeQL workflow is not triggered at all.
Maybe consider opening a new PR since we changed the permissions. Alternatively we can ignore this - the CodeQL analysis will not tell us anything, as this PR is deleting a QL query.

2 participants