Relate Adoption of suggested AutoFixes to CodeQL Findings #122838
davewichers
asked this question in
Code Security
Replies: 0 comments
Topic Area: Product Feedback
Body
I'm testing out AutoFix and notice that when you accept/merge a suggested AutoFix for a CodeQL finding, the CodeQL finding itself is left hanging out there. The Label Outdated is put next to the filename title where the CodeQL finding is. So, while there is an indication that it might have been dealt with, that's still kind of weird, and requires additional work for the user. And the CodeQL finding is still reporting the issue in the old code, when the code has actually been changed by adopting the AutoFix. I'd recommend something better be done to handle this. I can envision a few techniques, instead of simply marking it "Outdated":
Right now, with no changes, when you want to Dismiss a CodeQL issue fixed via adopting an AutoFix, you have to select one of 3 options: False Positive, Used in Tests, or Won't fix. None of these 3 options are valid when an AutoFix is adopted.
UPDATE: I now understand that Outdated means that the PR is going to be rescanned. After the rescan, the CodeQL finding associated with the finding that was FIXED should 'go away' on its own. As such, maybe nothing else needs to be done, other than maybe clarify what 'Outdated' means. Maybe it would be better if the label was: 'Will update after Rescan' or something like that. I know that's more wordy but 'Outdated' doesn't obviously imply a rescan is underway and this issue will likely be updated after the rescan is complete.
Don't know if you can create tooltips. If you can, you could add an explanation of what 'Outdated' means so you don't have to change this label into a much longer, more explanatory label name. There is a current tooltip, but it simply says: "Label: Outdated".