Closed Bug 1629597 Opened 4 years ago Closed 4 years ago

Get codacy integration on community-portal

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Nukeador, Assigned: gweber)

Attachments

(1 file)

Hi,

In order to get the code security recommendations we'd need codacy integration installed on the mozilla/community-portal repo.

https://github.com/marketplace/codacy

https://github.com/mozilla/community-portal/

Additionally, please add me as repo owner, since I'm currently the person leading the project and I was unable to find who was originally set up as repo owner.

Thanks!

Gregor: you're a repo admin for this repo, so I'll let you handle this one. A couple of things to note:

  • this will be the first request for the codacy GitHub application, so a security evaluation will need to be done
  • in my quick check, it asks for write permission to YOUR personal keys <-- that is very concerning, so I expect the review to take a bit, and it may be denied

:Nukeador -- you might want to look for an alternative tool as a backup.

Assignee: nobody → gweber
Flags: needinfo?(gweber)

Gregor got me admin access to the project, but apparently you need to be a mozilla admin to add the integration.

Hal, is this something you can check?

If Codacy is not positively evaluated, what other tools are we already using for PHP code that we can check?

Thanks for the support!

Flags: needinfo?(gweber) → needinfo?(hwine)

> apparently you need to be a mozilla admin to add the integration

Correct, only a GitHub organization owner of the github.com/mozilla GitHub organization can whitelist a new integration, as the way integrations work is that once whitelisted, all users can then delegate rights for codacy to act as them. This is intentional in order to ensure the security of the users in the GitHub org, the repos and the code in those repos.

(In reply to Rubén Martín [:Nukeador] from comment #2)

> Gregor got me admin access to the project, but apparently you need to be a mozilla admin to add the integration.

If you're interested in having Codacy reviewed, you need to do 2 things:

  1. request installation of the app via GitHub (this gets it marked properly there), and
  2. indicate here that you'd like it reviewed -- I can't tell which way you're leaning

> If Codacy is not positively evaluated, what other tools are we already using for PHP code that we can check?

We don't track that sort of information (we're volunteers). You'd need to check with other teams that use PHP.

Flags: needinfo?(hwine) → needinfo?(nukeador)

(In reply to Hal Wine [:hwine] (use NI, please) from comment #4)

> If you're interested in having Codacy reviewed, you need to do 2 things:
>
>   1. request installation of the app via GitHub (this gets it marked properly there), and
>   2. indicate here that you'd like it reviewed -- I can't tell which way you're leaning

Is there a place I can read about how to do this? GitHub is not offering me the option to request this integration on any of my mozilla repos, just my personal ones.

Cheers.

Flags: needinfo?(nukeador) → needinfo?(hwine)

(In reply to Rubén Martín [:Nukeador] from comment #5)

>>   1. request installation of the app via GitHub (this gets it marked properly there), and
>
> Is there a place I can read about how to do this? GitHub is not offering me the option

Grr -- Codacy didn't play the signup game the full way -- we'll use this bug.

Flags: needinfo?(hwine)

Initial research:

  • Permissions requested for the "GitHub Cloud using GitHub Apps" are what would apply to our case.
  • That list includes SSH key access in two forms:
    • "Repository Permissions -- Administration: Create SSH keys. - Read & Write" <-- The "write" permission here is to the set of public keys with access to the repo (aka "deployment keys").
      • Verification Needed: The inserted key should not have write permissions to the repository. (This is common for CI systems.) The documentation does not clarify, and the read-only setting needs to be confirmed.
    • "User Permissions -- Git SSH keys: Git SSH keys - Read & Write" <-- again the "write" is for the access to the User's set of public keys.
      • MAJOR CONCERN -- no documentation I could find mentioned functionality that would require a user's SSH key. That would provide the app access to ALL repositories the user has access to, regardless of organization. I.e. they could impersonate the user for any git action.

Setting any sort of SSH key in the user's account is a show stopper in my opinion. At the very least, we'd need a pointer to public documentation about the need and use of app controlled user ssh keys to continue. (I can't think of a legitimate reason, but am willing to be educated.)

Next steps:

  • :gene -- did I miss something here? The ask appears so outrageous to me that I feel I missed something -- can you double check, please?
  • :Nukeador - can you work with Codacy support to obtain an answer to the "major concern" item, please?

Flags: needinfo?(nukeador)
Flags: needinfo?(gene)

Thanks for this review, checking with their support now.

This is the response I got:

When a project is added to Codacy we will try to create an SSH key on it so we can enable the integration. This being said, if this process fails for some reason, the fallback is to create the key on the user's account so the integration can be set.

Also, if the projects are using Sub-modules, the key has to be created on the user's account in order for the sub-modules to be reachable by us. Those are the two use-cases where we will add a key to a user's account.

This being said, I totally understand where you are coming from, but I want to assure you that Codacy will never access any of the keys that were not created by us and we will only create those keys if a project is explicitly added to Codacy.

Please let me know if you have any other questions on this.

Flags: needinfo?(nukeador) → needinfo?(hwine)
Flags: needinfo?(gene)
Summary: Get codacy integration on coomunity-portal → Get codacy integration on community-portal

Another reason to stay away from sub-modules, but I have been educated! :)

I really wish GitHub let you selectively not accept certain permission requests. This is still a tough call.

:Nukeador - can you follow up with support please on the two following questions:

  1. Is the description of usage (as you received) anywhere on their public website? We like to see there be potential consequences to vendors if they mis-state things. (Which, if you used their paid service, would be accomplished by the contract.)
  2. Would the following process work (I'm assuming you have no sub-modules):
    • repo admin grants Codacy permissions to their user account
    • repo admin configures Codacy linkage to that repo
    • repo admin revokes permissions to their user account
    • repo admin manually verifies:
      1. ssh key added as a deployment key on the repo does not have write permissions
      2. no ssh key changes have been made to their user account

I.e. can the grant of user permissions only be long enough to initially configure or modify the configuration, and have the integration still function effectively.

Depending on the answers, we may have a way forward.

Flags: needinfo?(hwine) → needinfo?(nukeador)

Response:

We have this page going through our usage of data, please take a look and let me know if there is any info that you would like to get.

Regarding your example, without the permission, the keys would not be accessible by Codacy which would stop several features from working. Please do keep in mind that by default Codacy will always try to create the key on the project itself, only creating on the user's account if this process fails for some reason.

Please let me know if you have any other questions.

Flags: needinfo?(nukeador) → needinfo?(hwine)

(In reply to Rubén Martín [:Nukeador] from comment #11)

> Response:
>
> We have this page going through our usage of data, please take a look and let me know if there is any info that you would like to get.

That response isn't what I was hoping for - let's set that issue aside for the moment though, and see if we can get unblocked.

> Regarding your example, without the permission, the keys would not be accessible by Codacy which would stop several features from working.

I don't believe this is true -- they would only lose access to further modify the key. As long as they have the private key, they can read (but that should only be needed for private repos, which this is not).

> Please do keep in mind that by default Codacy will always try to create the key on the project itself, only creating on the user's account if this process fails for some reason.
>
> Please let me know if you have any other questions.

Let me try an install and see what the experience is like...

Flags: needinfo?(hwine)

Install notes:

  • temporarily made hwine admin for community-portal
  • could not request install on mozilla
  • temporarily made hwine owner of mozilla
  • did GitHub side of install, set only for community-portal
  • codacy installed an org webhook (will monitor for a bit, as seems to have broader-than-I-would-expect scope)
  • dropped owner status
  • no ssh/gpg key changes on hwine account
  • no ssh key added to community-portal, but web hook installed (good, as read only access)
  • authenticated to codacy site with hwine & added community-portal
  • seems to work (performed initial analysis)
  • revoked both codacy-as-github-app & codacy-oauth access for hwine
  • see attached sec event log for hwine

:Nukeador -- does this seem to work for you okay now?

Flags: needinfo?(nukeador)
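The manual verification Hal asks for above (the deploy key added to the repo must not be writable, and the admin's own account must show no SSH key changes) and the "no ssh key changes on hwine account / no ssh key added to community-portal" checks from the install notes, as an added example that is not part of this bug: a small Python checker over the JSON that GitHub's REST API returns from the repo deploy-keys endpoint (GET /repos/{owner}/{repo}/keys) and the user keys endpoint (GET /user/keys). The endpoint paths and field names (`id`, `key`, `read_only`) are GitHub's; the ids and key material are constructed, and the "after" snapshot is constructed to show what Codacy's documented fallback (a key created on the user's account) would look like.

```python
import json

# Constructed sample of GET /repos/{owner}/{repo}/keys (deploy keys) taken
# after the integration was linked. Field names follow GitHub's REST API;
# ids and key material are made up for this example.
DEPLOY_KEYS_JSON = """[
  {"id": 101, "title": "Codacy", "read_only": true,
   "key": "ssh-ed25519 AAAAC3...constructed-1"},
  {"id": 102, "title": "deploy-bot", "read_only": false,
   "key": "ssh-rsa AAAAB3...constructed-2"}
]"""

# Constructed snapshots of GET /user/keys for the repo admin's own account:
# one taken before granting the app, one after revoking it.
USER_KEYS_BEFORE_JSON = """[
  {"id": 7, "title": "laptop", "key": "ssh-ed25519 AAAAC3...constructed-3"}
]"""
USER_KEYS_AFTER_JSON = """[
  {"id": 7, "title": "laptop", "key": "ssh-ed25519 AAAAC3...constructed-3"},
  {"id": 9, "title": "Codacy", "key": "ssh-rsa AAAAB3...constructed-4"}
]"""


def writable_deploy_keys(deploy_keys_json):
    """Ids of deploy keys that can push to the repo (read_only is false)."""
    keys = json.loads(deploy_keys_json)
    return sorted(k["id"] for k in keys if not k.get("read_only", False))


def user_key_changes(before_json, after_json):
    """(added, removed) key ids between two /user/keys snapshots."""
    before = {k["id"] for k in json.loads(before_json)}
    after = {k["id"] for k in json.loads(after_json)}
    return sorted(after - before), sorted(before - after)


def post_install_check(deploy_keys_json, before_json, after_json):
    """Run both checks; an empty list means the install left things clean."""
    findings = [f"deploy key {i} has write access to the repo"
                for i in writable_deploy_keys(deploy_keys_json)]
    added, removed = user_key_changes(before_json, after_json)
    findings += [f"ssh key {i} was added to the user account" for i in added]
    findings += [f"ssh key {i} was removed from the user account" for i in removed]
    return findings


if __name__ == "__main__":
    for f in post_install_check(DEPLOY_KEYS_JSON, USER_KEYS_BEFORE_JSON, USER_KEYS_AFTER_JSON):
        print("FINDING:", f)
```

Against real data, take the "before" snapshot of /user/keys before granting the app and the "after" snapshot once the grant is revoked, so that a key the app silently created on the account shows up as an added id.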

Thanks for this.

Where can I configure the codacy integration? Did you get instructions on how to configure it? I can't see any options.

We need the phpcs with WordPress Coding Standards and PHPCompatibility filters to be used by codacy.

Flags: needinfo?(nukeador) → needinfo?(hwine)

(In reply to Rubén Martín [:Nukeador] from comment #14)

> Where can I configure the codacy integration? Did you get instructions on how to configure it? I can't see any options.

I have no idea, but my guess would be you log into the codacy website with your GitHub credentials, and you would be able to see it. Since you're a repo admin, I'd expect you to be able to make config changes.

If not, we'd need clarity from codacy on exactly who needs what permissions to do which actions. Some of these 3rd party apps assume you're okay with:
a) org owners doing a lot of admin work, and
b) org owners being okay giving OAuth access to an app

Neither are true for us.

Flags: needinfo?(hwine) → needinfo?(nukeador)

Ok, I found this, thanks for the support.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(nukeador)
Resolution: --- → FIXED