
Alert is removed, incorrect alert is marked as fixed, and all other alerts jump to other links #18745

Open
halpinhand opened this issue Feb 11, 2025 · 1 comment
Labels
question Further information is requested

Comments

@halpinhand

We have five alerts in one file for the same rule:
Line 410
Line 417
Line 472
Line 531
Line 580

Our developer worked on the first two alerts first, for lines 410 and 417. The code around line 410 was unneeded, so they deleted that code entirely. They then fixed the alert for line 417. Upon merging and a new codeql scan, the following happened for each line:
Line 410: marked as fixed
Line 417: this alert now corresponded to the alert that was for line 472 (which after code deletion is line 466)
Line 472: this alert now corresponded to the alert that was for line 531 (which after code deletion is line 525)
Line 531: this alert now corresponded to the alert that was for line 580 (which after code deletion is line 574)
Line 580: this alert marked as fixed

The alert for line 417 is no longer present, as it has been switched to line 472. The developer then fixed the alert for line 525 (which did not involve deleting any code). After the merge and new codeql scan, the following happened:
Line 466: this alert still corresponds to 466
Line 525: this alert now corresponds to the alert that was for line 574
Line 574: this alert marked as fixed

The alert for line 525 is no longer present, as it has been switched to line 574 (and the old alert with the same rule and same line has now been marked as fixed).

The fact that CodeQL is shifting the alerts around like this makes it so that some of the alerts are incorrectly marked as fixed when they haven't been, and other alerts disappear altogether.

I understand that this is confusing, but it also makes it just as confusing for the developers working on fixing the alerts in the first place. Feel free to ask any questions to clarify!

@halpinhand halpinhand added the question Further information is requested label Feb 11, 2025
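As an added illustration (constructed for this thread; not code from the issue reporter, from CodeQL, or from GitHub), the following Python models why alert identity cannot rest on line numbers alone. A naive matcher that pairs alerts by their order in the file reproduces the pattern described above: after a block is deleted ahead of the alerts, the surviving alerts "jump" to other locations and the last ones are wrongly reported as fixed. A content fingerprint (a hash of the flagged line plus its neighbours, whitespace-normalised) instead follows each alert to its shifted line and marks only the two alerts that were actually fixed. The rule id `py/unsafe-call`, the toy `scan()` analyser, the generated source lines and the six-line deletion are all constructed; the fingerprint is a simplified model of a location-independent alert identity, not CodeQL's actual heuristic.

```python
"""Model of alert identity across two scans (constructed example, not CodeQL's code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

RULE = "py/unsafe-call"  # hypothetical rule id, constructed for this example


@dataclass(frozen=True)
class Alert:
    rule: str
    line: int          # 1-based line in the scanned file
    fingerprint: str   # content-derived identity, independent of the line number


def build_source(n_lines: int, flagged: List[int]) -> List[str]:
    """Constructed source file: filler statements, with a flagged call on each listed line."""
    return [f"unsafe_call(arg_{i})" if i in flagged else f"stmt_{i} = compute({i})"
            for i in range(1, n_lines + 1)]


def fingerprint(lines: List[str], line: int, context: int = 1) -> str:
    """Hash of the flagged line and `context` neighbours on each side, whitespace-normalised.

    Simplified model of a location-independent alert id; not CodeQL's actual heuristic.
    Because it hashes content rather than position, it is unchanged when code above the
    alert is deleted and the whole region shifts up.
    """
    lo, hi = max(0, line - 1 - context), min(len(lines), line + context)
    text = "\n".join(" ".join(l.split()) for l in lines[lo:hi])
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def scan(lines: List[str]) -> List[Alert]:
    """Toy analyser: one alert per line that calls unsafe_call()."""
    return [Alert(RULE, i, fingerprint(lines, i))
            for i, text in enumerate(lines, start=1) if "unsafe_call(" in text]


def apply_developer_edit(lines: List[str]) -> List[str]:
    """Reproduce the edit from the report: fix line 417 in place, delete the block at 410."""
    edited = list(lines)
    edited[417 - 1] = edited[417 - 1].replace("unsafe_call", "safe_call")  # fix, no line shift
    del edited[410 - 1:415]  # delete lines 410..415 (six lines), shifting everything below up by 6
    return edited


def match_by_order(old: List[Alert], new: List[Alert]) -> Dict[int, Optional[int]]:
    """Naive matcher: pair the k-th old alert with the k-th new alert for the same rule.

    Returns {old_line: new_line}, with None meaning "reported as fixed".
    """
    result: Dict[int, Optional[int]] = {}
    for rule in {a.rule for a in old}:
        olds = sorted((a for a in old if a.rule == rule), key=lambda a: a.line)
        news = sorted((b for b in new if b.rule == rule), key=lambda b: b.line)
        for k, a in enumerate(olds):
            result[a.line] = news[k].line if k < len(news) else None
    return result


def match_by_fingerprint(old: List[Alert], new: List[Alert]) -> Dict[int, Optional[int]]:
    """Content matcher: an old alert survives iff a new alert of the same rule shares its fingerprint."""
    by_fp = {(b.rule, b.fingerprint): b.line for b in new}
    return {a.line: by_fp.get((a.rule, a.fingerprint)) for a in old}


if __name__ == "__main__":
    old_src = build_source(600, [410, 417, 472, 531, 580])
    new_src = apply_developer_edit(old_src)
    old_alerts, new_alerts = scan(old_src), scan(new_src)
    print("new scan alert lines:", [a.line for a in new_alerts])
    print("order-based matching:      ", match_by_order(old_alerts, new_alerts))
    print("fingerprint-based matching:", match_by_fingerprint(old_alerts, new_alerts))
```

Running the script shows the order-based matcher reporting 410→466, 417→525, 472→574 and marking 531 and 580 as fixed, while the fingerprint matcher marks 410 and 417 as fixed and follows 472→466, 531→525, 580→574. SARIF's `partialFingerprints` property on results exists for exactly this purpose, letting a consumer carry a content-derived identity between scans; the trade-off is that any heuristic of this kind can still be fooled when the fix changes the fingerprinted lines themselves, which is why a matcher needs a fallback and why reports such as this one are worth reproducing with the concrete source.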
@jketema (Contributor)

jketema commented Feb 12, 2025

Hi @halpinhand,

We work hard to avoid these kinds of issues using heuristics, but as you have noticed our heuristics sometimes fail. We could investigate the concrete issue you're observing in more detail, but for that you'll need to provide actual concrete examples where you see this happening. Either provide them here or, if you cannot do that (which means you're a paying customer), reach out to GitHub support.
