
Commit e131740

We also use CodeQL, we may as well note it (#2413)
Signed-off-by: David A. Wheeler <[email protected]>
1 parent 0a06d76 commit e131740

File tree

1 file changed

+6
-4
lines changed


docs/assurance-case.md

Lines changed: 6 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -1900,9 +1900,9 @@ We take a number of steps to counter misconfiguration.
19001900
We have strived to enable secure defaults from the start.
19011901
We use a number of [external online checkers](#online-checkers)
19021902
to detect common HTTPS misconfiguration problems (see below).
1903-
We use Brakeman, which can detect
1903+
We use Brakeman and CodeQL, which can detect
19041904
some misconfigurations in Rails applications.
1905-
We invoke a static analysis tool (Brakeman) as part of
1905+
We invoke static analysis tools (Brakeman and CodeQL) as part of
19061906
our continuous integration pipeline.
19071907

19081908
However, our primary mechanism for countering misconfigurations is by
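Review bot: the rewritten line "We use Brakeman and CodeQL, which can detect some misconfigurations in Rails applications." now credits CodeQL with Rails-specific misconfiguration detection, while the second hunk of this same commit describes CodeQL as a general-purpose analyzer covering Ruby and JavaScript. Since this is an assurance case, the claim should only be as strong as the evidence: consider keeping the Rails-misconfiguration claim attached to Brakeman and wording CodeQL's contribution separately, e.g. "We use Brakeman, which can detect some misconfigurations in Rails applications, and CodeQL, which performs general-purpose security analysis." The following change to "We invoke static analysis tools (Brakeman and CodeQL) as part of our continuous integration pipeline." is fine as written.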
@@ -2646,15 +2646,17 @@ and how it helps make the software more secure:
26462646
Our style checking tools detect misleading indentation;
26472647
<a href="http://www.dwheeler.com/essays/apple-goto-fail.html#indentation">this
26482648
counters the mistake in the Apple goto fail vulnerability</a>.
2649-
* Source code weakness analyzer (for finding vulnerabilities in custom code).
2649+
* Source code weakness analyzers (for finding vulnerabilities in custom code).
26502650
A source code weakness analyzer, also known as a security vulnerability
26512651
scanner, examines the source code to identify vulnerabilities.
26522652
This is one of many kinds of "static analysis" tools, that is, a tool
26532653
that doesn't run the code (and thus is not limited to examining only the
26542654
cases of specific inputs).
26552655
We use Brakeman, a source code weakness analyzer that focuses
26562656
on finding security issues in Ruby on Rails applications.
2657-
Note that this is separate from the automatic detection of
2657+
We also use CodeQL, another source code weakness analyzer that's
2658+
general-purpose and reviews both the Ruby and JavaScript code.
2659+
Note that this is all separate from the automatic detection of
26582660
third-party components with publicly-known vulnerabilities;
26592661
see the [supply chain](#supply-chain) section for how we counter those.
26602662
* FLOSS. Reviewability is important for security.
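Review bot: the added sentence "We also use CodeQL, another source code weakness analyzer that's general-purpose and reviews both the Ruby and JavaScript code." would be stronger for the assurance argument if it said what CodeQL is configured to check, since "reviews" does not tell a reader which classes of weakness are covered; consider stating the query suite in use (or linking the CI workflow that invokes it, as the first hunk says it runs in continuous integration) and using "analyzes" rather than "reviews". Minor style: the surrounding text avoids contractions, so "that's" should be "that is". The change from "this is separate" to "this is all separate" correctly covers both tools.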

0 commit comments
