From 9740c815d2aef97a388e7253585eab711af4212e Mon Sep 17 00:00:00 2001
From: Shiran Pasternak
Date: Wed, 14 Jan 2026 14:50:07 -0500
Subject: [PATCH] Addresses CodeQL issues
- Suppresses false positives
- Removes Electron `webSecurity` disablement
---
 CodeQL.yml | 3 +++
 desktop/scripts/publish/publish.ts | 8 +++-----
 .../azure-batch/certificate/certificate.service.ts | 2 +-
 desktop/src/app/utils/storage-utils.ts | 2 +-
 desktop/src/client/main-window/main-window.ts | 1 -
 5 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 CodeQL.yml
diff --git a/CodeQL.yml b/CodeQL.yml
new file mode 100644
index 0000000000..5ade51c411
--- /dev/null
+++ b/CodeQL.yml
@@ -0,0 +1,3 @@
+path_classifiers:
+ generated:
+ - "web/lib-umd/*.js"
diff --git a/desktop/scripts/publish/publish.ts b/desktop/scripts/publish/publish.ts
index 7dc9877ddd..670645cba1 100644
--- a/desktop/scripts/publish/publish.ts
+++ b/desktop/scripts/publish/publish.ts
@@ -7,8 +7,6 @@ import {
 createIssue, createPullRequest, getMilestone, githubToken, listMilestoneIssues, listPullRequests,
 } from "./github-api";
-const MAIN_BRANCH = "main";
-
 const root = path.resolve(path.join(__dirname, "../../.."));
 const allMessages: string[] = [];
 const repoName = "Azure/BatchExplorer";
@@ -34,7 +32,7 @@ function success(message: string) {
 async function run(command: string): Promise<{ stdout: string, stderr: string }> {
 return new Promise<{ stdout: string, stderr: string }>((resolve, reject) => {
- exec(command, { maxBuffer: 100_000_000 }, (error, stdout, stderr) => {
+ exec(command, { maxBuffer: 100_000_000 }, (error, stdout, stderr) => { // CodeQL [SM01509] This is a dev tool, not used in production or by customers.
 if (error) {
 reject(error);
 return;
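Review bot: Classifying `web/lib-umd/*.js` as `generated` removes every file under that path from CodeQL alerts, not just the findings that motivated this commit, so it is only safe if that directory is pure build output whose sources are still scanned elsewhere. If any hand-maintained shim lives there, a narrower glob or a per-alert suppression would be preferable. A comment above the entry recording that fact, e.g. `# built UMD bundle regenerated from <source directory>; never hand-edited`, would make the exclusion reviewable later.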
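Review bot: The suppression on `exec(command, …)` justifies the shell use by deployment context ("dev tool") but says nothing about where `command` comes from, which is what a shell-injection finding is about; `run` accepts an arbitrary string and hands it to a shell. That is harmless for fixed literals, but any caller that interpolates data fetched through the imported GitHub API helpers (milestone or PR fields) into `command` would be real injection hidden behind this comment, and the hunk does not show the callers. I would make the justification state the invariant, e.g. `// CodeQL [SM01509] Dev-only release script; command strings are built from fixed literals in this file, never from API or user data` (only if that holds), or switch to `execFile` with an argument array so the question goes away. The `run` callback body continues past the end of the hunk.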
@@ -57,9 +55,9 @@ function checkGithubToken() {
 * This goes back to the main branch and pulls the latest
 */
 async function gotoMainBranch() {
- await run(`git checkout ${MAIN_BRANCH}`);
+ await run(`git checkout main`);
 await run("git pull");
- success(`Checkout to ${MAIN_BRANCH} branch and pulled latest`);
+ success(`Checkout to main branch and pulled latest`);
 }
 async function loadMilestone(milestoneId: number) {
diff --git a/desktop/src/app/services/azure-batch/certificate/certificate.service.ts b/desktop/src/app/services/azure-batch/certificate/certificate.service.ts
index 927919775c..79a6f927f0 100644
--- a/desktop/src/app/services/azure-batch/certificate/certificate.service.ts
+++ b/desktop/src/app/services/azure-batch/certificate/certificate.service.ts
@@ -210,7 +210,7 @@ export class CertificateService {
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore start is not in the @types/node-forge
 md.start();
- md.update(certDer);
+ md.update(certDer); // CodeQL [SM01510] Used only to generate identification thumbprint, not for security purposes
 const digest = md.digest();
 return digest.toHex();
 }
diff --git a/desktop/src/app/utils/storage-utils.ts b/desktop/src/app/utils/storage-utils.ts
index 56f4a7f74a..15c28a38e2 100644
--- a/desktop/src/app/utils/storage-utils.ts
+++ b/desktop/src/app/utils/storage-utils.ts
@@ -107,7 +107,7 @@ export class StorageUtils {
 private static async _getJobIdHash(jobId: string): Promise {
 const jobIdBytes = new TextEncoder().encode(jobId);
- const hash = await crypto.subtle.digest("SHA-1", jobIdBytes);
+ const hash = await crypto.subtle.digest("SHA-1", jobIdBytes); // CodeQL [SM04514] SHA-1 is only used for generating unique identifiers, not for security purposes
 return this._hex(hash);
 }
diff --git a/desktop/src/client/main-window/main-window.ts b/desktop/src/client/main-window/main-window.ts
index 28296e926c..9c4ab7eb61 100644
--- a/desktop/src/client/main-window/main-window.ts
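Review bot: Inlining `main` trades one named constant for two copies of the literal in `gotoMainBranch`, and the `success(...)` call keeps a template literal that no longer interpolates anything; I cannot see the finding that motivated the removal, but a `const` string literal in the same file is as static as an inline literal for analysis purposes. I would keep a single source of truth (`const MAIN_BRANCH = "main";` as before) or at least drop the backticks and fix the wording: `success("Checked out main branch and pulled latest");`. The same duplicated literal appears in the `git checkout` call two lines above.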
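Review bot: The suppression comment sits on `md.update(certDer)`, but the algorithm choice is made where `md` is constructed, presumably just above this hunk, so a reader of that line sees no justification; I would place (or repeat) the note there. The justification should also say why SHA-1 is required rather than merely tolerated, e.g. `// CodeQL [SM01510] Thumbprint must be SHA-1 to match the certificate's thumbprintAlgorithm; used only as an identifier, never for integrity or authentication` — assuming that is the real constraint, which the hunk does not show. If this thumbprint is ever compared against a value supplied by an untrusted party to authorize an action, the "not for security purposes" claim stops being true.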
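Review bot: The justification on the `crypto.subtle.digest("SHA-1", …)` line says the hash is only an identifier, but the input is a caller-chosen `jobId` and the method name suggests the digest becomes part of a storage name, where collision resistance is exactly what keeps two jobs from sharing a container; for attacker-chosen input that is a weaker claim than "not for security purposes". The more defensible reason, if it applies, is compatibility: existing storage names already embed this hash and changing the algorithm would orphan existing data, and the comment should say so, e.g. `// CodeQL [SM04514] SHA-1 kept for compatibility with existing container names derived from it; not used for integrity or authentication`. The enclosing class continues outside the hunk, so whether the result is used as a name or only for display cannot be confirmed here.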
+++ b/desktop/src/client/main-window/main-window.ts
@@ -76,7 +76,6 @@ export class MainWindow extends GenericWindow {
 show: false, // Don't show the window until it is ready
 titleBarStyle: process.platform === "darwin" ? "hidden" : "default",
 webPreferences: {
- webSecurity: false,
 allowRunningInsecureContent: false,
 nodeIntegration: true,
 contextIsolation: false,
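Review bot: Removing `webSecurity: false` is the right call, but the remaining `nodeIntegration: true` together with `contextIsolation: false` still gives any script injected into the renderer direct access to Node, so the window's preload/IPC design is the natural follow-up; a `// TODO: enable contextIsolation and expose Node access through a preload bridge` on that line would record it. Disabling `webSecurity` is usually done to let the renderer make cross-origin requests that the same-origin policy would otherwise block, so this change needs a check that the app's service calls still succeed (or are routed through the main process) before it ships. The `webPreferences` object and the enclosing constructor continue past the end of the hunk.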