Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prune results of Ruby query from SARIF #1344

Merged
merged 1 commit into from Nov 4, 2022
Merged

Conversation

edoardopirovano
Copy link
Contributor

This PR is a mitigation for the fact that the rb/weak-cryptographic-algorithm query was released in version 2.11.2 of CodeQL with a large number of false positives relating to hashing algorithms. This was tweaked in github/codeql#11119 for 2.11.3, but we'd like to filter the false positives out while we wait for that to be released.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

src/upload-lib.test.ts Show resolved Hide resolved
src/upload-lib.test.ts Show resolved Hide resolved
run.tool?.driver?.semanticVersion === "2.11.2"
) {
// Version 2.11.2 of the CodeQL CLI had many false positives in the
// rb/weak-cryptographic-algorithm query which we prune here.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a public facing issue for this? Maybe add a link to it here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do indeed. Added a link.

src/upload-lib.ts Show resolved Hide resolved
@@ -396,6 +396,8 @@ async function uploadFiles(
environment
);

sarif = pruneInvalidResults(sarif, logger);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to gate this with an undocumented environment variable? So that individual users can turn this back on if they really, really want to?

We can consider also feature flagging this, but that feels like something too heavy-weight.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. This code is hopefully very temporary but it can't hurt to have an escape hatch if a user needs to disable it for some reason.

Copy link
Contributor

@aeisenberg aeisenberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM. @aibaars, thanks for verifying this is working on code scanning.

@edoardopirovano edoardopirovano merged commit a8cabaf into main Nov 4, 2022
@edoardopirovano edoardopirovano deleted the edoardo/prune-ruby branch November 4, 2022 17:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants