66 changes: 66 additions & 0 deletions .github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,66 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow lets you generate SLSA provenance file for your project.
# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
# https://github.com/slsa-framework/slsa-github-generator.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.

name: SLSA generic generator
on:
workflow_dispatch:
release:
Comment on lines +15 to +16

Bug: Manually triggering the SLSA provenance workflow via workflow_dispatch will fail to upload the provenance artifact because the slsa-github-generator@v1.4.0 action cannot determine the release tag.
Severity: MEDIUM

Suggested Fix

To support manual triggers, upgrade the slsa-framework/slsa-github-generator action to v1.5.0 or later and provide the upload-tag-name input. If manual dispatch is not a required feature, remove the workflow_dispatch trigger to prevent this failure path.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/generator-generic-ossf-slsa3-publish.yml#L15-L16

Potential issue: The SLSA provenance workflow `generator-generic-ossf-slsa3-publish.yml`
is configured with both a `release` trigger and a `workflow_dispatch` trigger. When the
workflow is manually triggered via `workflow_dispatch`, there is no associated GitHub
Release. The `slsa-framework/slsa-github-generator` action, pinned to version `v1.4.0`,
will either fail with an internal error or silently skip uploading the provenance when
`upload-assets` is set to `true` without a release context. This happens because the
action cannot determine the release tag to upload the assets to, and the
`upload-tag-name` input, which could serve as a workaround, is not provided.
Consequently, manually running this workflow will not result in the SLSA provenance
being uploaded as intended.

types: [created]

jobs:
build:
runs-on: ubuntu-latest
outputs:
digests: ${{ steps.hash.outputs.digests }}

Output variable name mismatch breaks provenance generation

High Severity

The build job output references steps.hash.outputs.digests but the hash step writes to hashes (not digests), so needs.build.outputs.digests will always be empty. The provenance job then receives an empty base64-subjects, making the entire SLSA provenance workflow non-functional.


Reviewed by Cursor Bugbot for commit 0afce43.


Bug: The build job references steps.hash.outputs.digests, but the hash step produces an output named hashes, causing the digests output to be empty.
Severity: HIGH

Suggested Fix

In the build job's outputs block, change the reference from steps.hash.outputs.digests to steps.hash.outputs.hashes to match the actual output name produced by the hash step.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/generator-generic-ossf-slsa3-publish.yml#L23

Potential issue: The `build` job's `outputs` block maps the `digests` output to
`steps.hash.outputs.digests`. However, the step with `id: hash` writes its output to a
key named `hashes`. Because `steps.hash.outputs.digests` does not exist, the job-level
`digests` output resolves to an empty string. This empty string is then passed as the
`base64-subjects` input to the SLSA provenance generator, which will cause it to fail or
generate incorrect provenance for zero artifacts.


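As an added illustration of the two failure modes described in the comment above (this is example code written for this review, not the PR's workflow or anything from the project), the script below rewrites the `hash` step's subject encoding as shell functions, simulates the `key=value` file that GitHub exposes as `$GITHUB_OUTPUT` so that reading `digests` after writing `hashes` visibly resolves to an empty string, and adds a pre-flight check that a `base64-subjects` value is non-empty and decodes to well-formed `sha256sum` lines. The artifact files, their contents and the temporary output file are constructed for the example; `base64 -w0` assumes GNU coreutils, as the workflow itself does.

```shell
#!/bin/sh
# Added example (not the PR's workflow code): reproduce the hash step's
# subject encoding and show why an output-key mismatch yields an empty
# base64-subjects value. Runs offline on constructed files.
set -eu

# Same encoding the workflow's "hash" step uses:
# "<sha256>  <file>" lines from sha256sum, base64 on a single line.
encode_subjects() {
  sha256sum "$@" | base64 -w0
}

# Simulate appending "key=value" to the file GitHub exposes as $GITHUB_OUTPUT.
write_output() {
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# Simulate how a later expression resolves steps.<id>.outputs.<key>:
# the value of the last matching key, or the empty string when that key
# was never written (the digests-vs-hashes mismatch in the PR).
read_output() {
  sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Pre-flight check for a base64-subjects value: it must be non-empty,
# decode cleanly, and every line must be 64 hex chars, two spaces, then a
# file name without whitespace. Returns 0 when valid, 1 otherwise.
check_subjects() {
  encoded=$1
  if [ -z "$encoded" ]; then
    echo "base64-subjects is empty: check the step output key name" >&2
    return 1
  fi
  decoded=$(printf '%s' "$encoded" | base64 -d) || return 1
  [ -n "$decoded" ] || return 1
  if printf '%s\n' "$decoded" | grep -Eqv '^[0-9a-f]{64}  [^ ]+$'; then
    echo "base64-subjects contains a malformed subject line" >&2
    return 1
  fi
  return 0
}

# Number of subject lines carried by a base64-subjects value.
count_subjects() {
  printf '%s' "$1" | base64 -d | grep -c .
}

# Demo on constructed artifacts (mirrors the PR's placeholder build step).
demo() {
  tmp=$(mktemp -d)
  printf 'artifact1\n' > "$tmp/artifact1"
  printf 'artifact2\n' > "$tmp/artifact2"
  out="$tmp/github_output"
  : > "$out"

  enc=$(cd "$tmp" && encode_subjects artifact1 artifact2)
  write_output hashes "$enc" "$out"

  echo "reading 'hashes':  $(count_subjects "$(read_output hashes "$out")") subjects"
  if check_subjects "$(read_output digests "$out")"; then
    echo "reading 'digests': valid"
  else
    echo "reading 'digests': rejected (the key was never written)"
  fi
  rm -rf "$tmp"
}

demo
```

Running `check_subjects` on `needs.build.outputs.digests` in a guard step before the `provenance` job would turn the silent empty-subjects case into an explicit failure at the point where the key names disagree.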

steps:
- uses: actions/checkout@v4

# ========================================================
#
# Step 1: Build your artifacts.
#
# ========================================================
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "artifact1" > artifact1
echo "artifact2" > artifact2
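Review bot: `- uses: actions/checkout@v4` pins the checkout step to a mutable major-version tag, which is out of step with a job whose only purpose is to produce attestable build provenance; pin it to a full-length commit SHA and keep the version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4` (placeholder, fill in the current SHA), so the checked-out tree cannot change underneath the provenance when the tag is moved.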

Placeholder artifacts instead of actual project build

High Severity

The build step creates dummy files (echo "artifact1" > artifact1) instead of building the actual project artifacts. This is unmodified SLSA template boilerplate. The workflow triggers on releases and workflow_dispatch, so it would generate provenance for meaningless placeholder files rather than real build outputs.


Reviewed by Cursor Bugbot for commit 0afce43.

Comment on lines +34 to +37

Bug: The workflow builds placeholder files (artifact1, artifact2) instead of the project's actual release artifacts, generating useless SLSA provenance for them.
Severity: HIGH

Suggested Fix

Replace the placeholder commands that create artifact1 and artifact2 with the actual build commands required to generate the project's release artifacts, as seen in the release.yml workflow.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/generator-generic-ossf-slsa3-publish.yml#L34-L37

Potential issue: The "Build artifacts" step is configured to create two dummy
placeholder files, `artifact1` and `artifact2`, instead of building the project's actual
release artifacts (e.g., `.tgz` packages, binaries). As a result, the workflow generates
and uploads SLSA provenance attesting to these meaningless files, completely defeating
the purpose of supply-chain provenance as it does not cover the real artifacts
distributed in a release.



# ========================================================
#
# Step 2: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
#
# ========================================================
- name: Generate subject for provenance
id: hash
run: |
set -euo pipefail

# List the artifacts the provenance will refer to.
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"

provenance:
needs: [build]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
with:
base64-subjects: "${{ needs.build.outputs.digests }}"
upload-assets: true # Optional: Upload to a new release
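Review bot: in the `Generate subject for provenance` step, `files=$(ls artifact*)` parses `ls` output and then expands `$files` unquoted, so an artifact name containing whitespace is split into separate, non-existent paths and `sha256sum` fails under `set -euo pipefail` (or hashes the wrong set of files); pass the glob straight to the tool instead, `echo "hashes=$(sha256sum artifact* | base64 -w0)" >> "${GITHUB_OUTPUT}"`. The same step writes its result under the key `hashes`, while the `build` job maps `digests: ${{ steps.hash.outputs.digests }}` and the `provenance` job reads `needs.build.outputs.digests`, so the two names must agree or `base64-subjects` is passed as an empty string; a guard step that fails when that output is empty would surface the mismatch before the reusable workflow runs. Separately, `contents: write` together with `upload-assets: true` is granted for every trigger, including `workflow_dispatch`, where no release exists to receive the asset; if the manual trigger stays, consider scoping that permission to the `release` path.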
File renamed without changes