You probably already know about using GitHub code scanning to secure your code. But how about using it to make your day-to-day coding easier? We've been making internal use of CodeQL, our code analysis engine for code scanning, to keep code quality high by protecting ourselves from those annoying coding mistakes that are easy to make but hard to spot! Read on for some examples of what we've done so far and how you can make the most of CodeQL for yourself.
Plugging a memory leak
Go's defer statement defers the execution of a function until the surrounding function returns. This is useful for cleanup, for example closing resources like file handles or completing database transactions.
When changing existing code, you can end up moving a defer statement inside a loop. If you do so, you'll still have to wait until the end of the function for cleanup; it won't happen at the end of the iteration. Until then, every resource acquired by earlier iterations stays open. We've seen this mistake lead to memory leaks in production.
Wouldn't it be great if this mistake could be pointed out to you? We wanted to live in that happy world, and all it took was four lines of CodeQL.
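The leak described above, as an added example that is not part of the original post or of GitHub's query: a constructed pool counts how many resources are open at once, and the closure-per-iteration form is the usual fix.

```go
package main

import "fmt"

// pool is a constructed stand-in for a resource pool (files, DB transactions).
type pool struct {
	open int // resources currently open
	peak int // most resources open at the same time
}

type resource struct{ p *pool }

func (p *pool) acquire() *resource {
	p.open++
	if p.open > p.peak {
		p.peak = p.open
	}
	return &resource{p: p}
}

func (r *resource) Close() { r.p.open-- }

// deferInLoop is the pattern the post warns about: each deferred Close only
// runs when deferInLoop returns, so all n resources are open at once.
func deferInLoop(n int) int {
	p := &pool{}
	for i := 0; i < n; i++ {
		r := p.acquire()
		defer r.Close() // queued until the function returns, not the iteration
	}
	return p.peak // evaluated before the deferred Close calls run
}

// deferPerIteration wraps the body in a closure, so the deferred Close runs
// at the end of each iteration and at most one resource is open at a time.
func deferPerIteration(n int) int {
	p := &pool{}
	for i := 0; i < n; i++ {
		func() {
			r := p.acquire()
			defer r.Close() // runs when this closure returns
		}()
	}
	return p.peak
}

func main() {
	fmt.Println("defer in loop, peak open:", deferInLoop(100))             // 100
	fmt.Println("defer per iteration, peak open:", deferPerIteration(100)) // 1
}
```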

A nice postscript to this story is that seeing this query led another team at GitHub to add CodeQL to their repository. They'd been bitten by a defer-in-loop memory leak before and didn't want it to happen again. Once code scanning was set up for them, CodeQL discovered another problem in their codebase, which was similar to the one we'll discuss next.
The error you can't ignore
We use GORM, a Go Object Relational Mapper, in some of our codebases. Error handling in GORM is different than in idiomatic Go code, because it has a chainable API. Here's an example:
    if err := db.Where("name = ?", "jinzhu").First(&user).Error; err != nil {
        // error handling...
    }
As you can imagine, it's easy to write code like db.Where("name = ?", "jinzhu").First(&user) and not check that Error field.
At least it used to be easy to do that. We've now created a CodeQL query which detects GORM calls that don't check the associated Error field and flags these calls in pull requests. You'll also find a similar query for error checking functions which return pointers in the security-and-quality query suite for CodeQL.
Loopy performance problems
In addition to protecting against missing error checking, we also want to keep our database-querying code performant. "N+1 queries" are a common performance issue. This is where some expensive operation is performed once for every member of a set, so the code will get slower as the number of items increases. Database calls in a loop are often the culprit here; typically, you'll get better performance from a batch query outside of the loop instead.
We created a custom CodeQL query, which looks for calls to any of the GORM methods that actually result in a query being performed. We filter that list of calls down to those that happen within a loop and fail CI if any are encountered. What's nice about CodeQL is that we're not limited to database calls directly within the body of a loop—calls within functions called directly or indirectly from the loop are caught too.
Using these queries
These queries are experimental, so we've not included them in our standard suites. However, you can use them by referencing a special query suite we've created.
First, create a file .github/codeql/go-developer-happiness.qls in the repository you would like to analyze:
    - import: codeql-suites/go-developer-happiness.qls
      from: codeql-go
Next, set up a CodeQL workflow (or edit an existing one) and amend the "Initialize CodeQL" section of the template as follows:
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: go
        queries: ./.github/codeql/go-developer-happiness.qls
For more information and configuration examples, please refer to the documentation for running custom CodeQL queries in GitHub code scanning.
Making your own
Are there common "gotchas" in your codebase? Why not ease developer friction with some custom CodeQL queries of your own? You can learn more about writing CodeQL with our documentation and discussions—and also find out more about contributing queries back to the community—in the CodeQL repository at https://github.com/github/codeql. We look forward to seeing what you come up with!

