I'd like to cross-check the vulnerabilities covered by GitHub's CodeQL service and OWASP Top Ten Web Application Security Risks so that I know where the gaps are.
I can't find a list of vulnerabilities covered by CodeQL. Does GitHub publish the list of rules?
The source code of the CodeQL queries is available in the GitHub repository. The documentation also lists the existing queries:
CodeQL query help
CodeQL CWE coverage
However, which queries (or rather query suites) are run as part of GitHub workflows depends on the configuration of the workflow.
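One way to do the cross-check the question asks for, added here as an example (it is not code from the answer above or from GitHub): parse the `@tags` metadata block of CodeQL query files for `external/cwe/cwe-NNN` entries and set-compare the result against an OWASP Top Ten CWE mapping. The sample query headers and the partial OWASP-to-CWE table are constructed for this example, and `load_queries` is an assumed helper for running the same check over a local clone of the queries repository.

```python
import re
from pathlib import Path

# Query metadata headers in the style CodeQL .ql files use (constructed
# samples, not copied from the github/codeql repository).
SAMPLE_QUERIES = {
    "js/reflected-xss": """/**
 * @name Reflected cross-site scripting
 * @kind path-problem
 * @id js/reflected-xss
 * @tags security
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116
 */""",
    "java/sql-injection": """/**
 * @name Query built from user-controlled sources
 * @id java/sql-injection
 * @tags security
 *       external/cwe/cwe-089
 */""",
    "py/unsafe-deserialization": """/**
 * @id py/unsafe-deserialization
 * @tags security
 *       external/cwe/cwe-502
 */""",
}

# Partial OWASP Top Ten 2021 -> CWE mapping (assumed subset for the example;
# the full mapping is published by OWASP per category).
OWASP_CWES = {
    "A01 Broken Access Control": {22, 284, 285, 639},
    "A03 Injection": {79, 89, 78, 94},
    "A08 Software and Data Integrity Failures": {502},
    "A10 Server-Side Request Forgery": {918},
}

CWE_TAG = re.compile(r"external/cwe/cwe-(\d+)", re.IGNORECASE)

def cwe_ids(query_text):
    """Return the set of CWE numbers declared in a query's @tags block (cwe-079 -> 79)."""
    return {int(n) for n in CWE_TAG.findall(query_text)}

def load_queries(root):
    """Read every .ql file under root (e.g. a clone of github/codeql) into {path: text}."""
    return {str(p): p.read_text(encoding="utf-8", errors="replace")
            for p in Path(root).rglob("*.ql")}

def coverage(queries, owasp_map):
    """For each OWASP category return (CWEs covered by some query, CWEs with no query)."""
    covered = set()
    for text in queries.values():
        covered |= cwe_ids(text)
    return {cat: (cwes & covered, cwes - covered) for cat, cwes in owasp_map.items()}

if __name__ == "__main__":
    for cat, (hit, gap) in coverage(SAMPLE_QUERIES, OWASP_CWES).items():
        print(f"{cat}: covered={sorted(hit)} gaps={sorted(gap)}")
```

Gaps reported this way only mean no query declares that CWE tag; a query may still cover the weakness under a different tag, so treat the output as a starting list to review rather than a verdict.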
Related
I have started using the Cucumber framework for testing my project.
I am able to generate Cucumber HTML, JSON and XML reports.
I am looking for something like a JIRA ID link to be represented against the feature representation in the report.
Can anyone help me with this?
In the past, I have used tags to represent JIRA tickets in scenarios/features. For example, if you have a JIRA ticket with ID JIRA-123, your scenario could look like this:
@JIRA-123
Scenario: ...
You should then be able to see from the Cucumber reports which features/scenarios are marked with which tags. You can build a custom report that fetches all the JIRA tags and retrieves ticket information from JIRA at runtime using, for example, JS and the JIRA API.
A major flaw in what you are trying to do is that Jira tickets are historical whilst scenarios are current.
Jira tickets document what was being done at a particular time in the project's lifecycle, whilst scenarios document the current state of the application.
Scenarios have current knowledge of the application. Jira tickets only have the knowledge that was available when they were created.
Trying to link these two very different things has some negative consequences including:
You stop people from refactoring scenarios to reflect the current state of the application, because they need to maintain the links with the jira history.
Your links mislead: a scenario changes over time to reflect the current application, but your links imply that what is in the Jira ticket still applies.
Link management becomes very confusing: scenarios end up with multiple links, and links get removed or applied to unrelated scenarios as refactoring takes place.
Point 1 is particularly important. Scenarios can very easily become slow, unreliable and unwieldy. They can significantly increase the cost of change for an application unless they are very well managed. Anything that stops this management is detrimental.
In Hybris we have products, catalogs, etc. in both staged and online versions. If we want to show the staged one online we do a synchronization, but why do we need staged products or catalogs?
Modifications of content, products, media, etc. are made first in the staged catalog.
When the changes/modifications are tested/approved and you are satisfied, you publish them to be available online to your users by synchronizing the staged catalog to the online catalog.
Imagine if you had one single catalog: your users would be able to see unapproved and untested changes immediately, which would increase the amount of risk and errors significantly.
You allow the merchandising team to upload the proper visuals, modify product texts, etc. Then they can also test product pages on various devices without any impact on the online website (online catalog).
It also allows you to prepare a seasonal catalog. For example, you're in summer and you can start to work on the online version to be deployed in winter.
The Staged catalog is the one on which you work (change the data, etc.). This catalog is not displayed in the storefront.
Online catalog is used in the storefront and should not be manually edited.
Usually there is synchronization between the Staged and Online versions, so that when the changes are approved for showing to the customers, the synchronization is triggered and the products become available in the Online catalog (which implies storefront visibility).
Background
I've been a religious user of GitHub/ZenHub for quite a while. We recently moved our repos to GitLab for many reasons, including free pipelines, security, more flexible groups, etc.
Problem
ZenHub is a Greasemonkey app that's added to GitHub; one of its features is the scrum board, which is similar to GitLab's native issue board. One of the amazing things about the ZenHub scrum board is that it allows you to put many repos on the same board (I recall Jira had the same thing).
Question
Is there a way to do this on gitlab?
Beside a third-party like kanban.leanlabs.io, recent GitLab releases do integrate a more sophisticated issue management.
See "Announcing The GitLab Issue Board" (presented here)
But it might be limited to only the current repo.
Note that with GitLab 13.6 (November 2020), this is no longer limited to a repository:
Group-level management of project integrations
In GitLab 13.3, we added the ability to enable an integration across an entire instance. With GitLab 13.6, that feature is being expanded to allow integrations to be managed at the group level as well!
Group owners can now add an integration to a group, and that integration will be inherited by all projects under that group. This has the potential for saving massive amounts of time, as many organizations have specific integrations that they want rolled out to every project they create.
A great example of this is using our Jira integration. If you’re using Jira, it’s almost always across the whole company. Some of these companies have thousands of projects and therefore had to configure each and every one of those integrations individually.
With group-level management of project integrations, you can add the integration at each parent group, reducing the amount of configuration required by orders of magnitude!
Read more in our announcement on the GitLab blog.
See Documentation and Epic.
In GitLab, issues and merge requests within a group display a collection of issues and merge requests from all projects below them.
And they also have an Issue Board available, which aggregates the issues from the projects within the given group. This is currently not reflected in the documentation, and could be well worth a Pull Request in doc/user/group/index.md and doc/user/project/issue_board.md.
Using this together with group labels and milestones, which also span across all subprojects, you can create the desired board view.
I did use GitHub/ZenHub in the past. https://gitboard.co is the ZenHub alternative for GitLab. It shows all your issues and merge requests in one simple dashboard across multiple projects.
I'm using GitLab and I have several projects:
project1;
project2;
project3;
Is it possible to have a common Wiki for these projects?
Every wiki is linked to a project, but there is a workaround:
Go to Settings → Services → External Wiki for your 2nd and 3rd projects and set External wiki URL to the URL of your first project wiki:
Or you can host your own wiki, for example, gollum on your server for the same purpose.
Is it possible to have a common Wiki for these projects?
Yes: (October 2020, 4 years later)
GitLab 13.5 proposes:
Group wikis
For many teams, using GitLab wikis for planning and documentation is a critical part of their workflow. Wikis are so popular that they get over a million views each month on GitLab.com. Despite this popularity, teams have struggled with the limitation that wikis were only available at the project level.
Teams working on multiple projects needed to create separate wikis for each repository, leading to a fragmented experience.
In Gitlab 13.5, we are so excited to bring you group wikis!
With 680 upvotes this was the most upvoted feature in the entire GitLab backlog. While highly requested, making a large project-only feature like wikis available at the group level has been a non-trivial operation. We’ve worked tirelessly over the past year to make it happen and now we can’t wait to get it in your hands and hear your feedback.
Group-level wikis open up tons of possibilities to keep your information at a higher level and accessible to a broader set of people. A few examples of what you can put in your group wikis include team-specific information, coding style guides, and designs for your brand or your company.
We know a lot of folks have been looking forward to this feature and shared their input pre-release. We hope all of you will continue to weigh in now that group wikis are available and we’ve opened up a dedicated issue for your feedback.
See Documentation and Issue.
We are working on a web application (JavaScript + PHP). We want to start using Team Foundation Server in order to apply application lifecycle management, but we don't know where to start! Any good guides or tutorials?
If you are investigating TFS to be used as an ALM tool in your company, you probably want to take a look at the free preview of the service that is available in the cloud. That will allow you to see if this tool will get you what you need. There are lots of tools out there, but first you need to figure out what your problem is and what you are trying to solve. TFS may not be the solution you need, but it is a solution for certain teams.
You'll most likely be using TFS as an ALM tool for the following:
Source Control. Ensure you have version history on your changes. Note: you can now tap into Git as your repository if you don't want to use the TFS source control.
Continuous Integration. You can make your build configurations deploy your files out to your environments, and run unit tests if necessary.
Bug Tracking. Use the built-in work items to track all your bugs.
Requirements Tracking. Use Scrum or Kanban for your project to take advantage of the boards that are available with the service. Work items like 'Stories' or 'Product Backlog Items' will let you track the work your team is delivering.
Burndown. The built-in reports should help you report to your management on progress, though you'll have to see if the TFS ones meet your needs.
Test Cases. Your QA team can write their test cases in TFS to document how to test the requirements. If you have the correct license, you can also tap into Microsoft Test Manager for your QA team to plan and execute their tests.
I would strongly advise doing some research into what ALM means, what it is used for, and why you should be doing it before deciding on a tool. The tool won't fix the problem, it just supports you in whatever you are doing to fix your problem.