-
Notifications
You must be signed in to change notification settings - Fork 334
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prune results of Ruby query from SARIF #1344
Conversation
955dd50
to
9157344
Compare
src/upload-lib.ts
Outdated
run.tool?.driver?.semanticVersion === "2.11.2" | ||
) { | ||
// Version 2.11.2 of the CodeQL CLI had many false positives in the | ||
// rb/weak-cryptographic-algorithm query which we prune here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a public facing issue for this? Maybe add a link to it here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We do indeed. Added a link.
src/upload-lib.ts
Outdated
@@ -396,6 +396,8 @@ async function uploadFiles( | |||
environment | |||
); | |||
|
|||
sarif = pruneInvalidResults(sarif, logger); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to gate this with an undocumented environment variable? So that individual users can turn this back on if they really, really want to?
We can consider also feature flagging this, but that feels like something too heavy-weight.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. This code is hopefully very temporary but it can't hurt to have an escape hatch if a user needs to disable it for some reason.
9157344
to
862a512
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code LGTM. @aibaars, thanks for verifying this is working on code scanning.
This PR is a mitigation for the fact that the
rb/weak-cryptographic-algorithm
query was released in version 2.11.2 of CodeQL with a large number of false positives relating to hashing algorithms. This was tweaked in github/codeql#11119 for 2.11.3, but we'd like to filter the false positives out while we wait for that to be released.Merge / deployment checklist