
Alerts in LGTM, No alerts in CodeQL-Action

Open Jee-Bee opened this issue 2 years ago • 5 comments

I'm not sure if this is the right repository (if not, point me to the right one).

Currently I use LGTM for code analysis, but since it will stop working I want to try moving to CodeQL. As of now I have added it to two of my repositories, but at the same time I'm not sure if it works well. I use the default setup for both (LGTM and the CodeQL action). In LGTM I have some alerts, while in CodeQL I don't have any. For pointing to the right repositories:

Both repositories are written in Python.

I am currently running in circles through the documentation, but I can't find anything that leads me to where the difference comes from. I have no idea how to set up CodeQL so that the results are equal... Is there any documentation on what the different settings are between LGTM and CodeQL?

Thanks in advance

Jee-Bee

Jee-Bee, Aug 29 '22 14:08

By default the codeql-action runs only security-related queries, while LGTM runs a lot more queries by default. CodeQL comes with several pre-defined query suites. The most important ones are code-scanning.qls (the default), security-extended.qls, and security-and-quality.qls (roughly LGTM's default settings).

See also: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs

aibaars, Aug 29 '22 14:08
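To make the suite selection above concrete, here is an added example workflow (not code from the issue thread or from the codeql-action project) for a Python repository. It uses the real `queries` input of the `github/codeql-action/init` step; the branch name, action versions and job layout are assumptions chosen for illustration.

```yaml
# Added example: a minimal CodeQL workflow for a Python repository that opts
# into the broader "security-and-quality" suite, the closest match to LGTM's
# default query set. Branch names and action versions are assumptions.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload results to code scanning
      contents: read

    steps:
      - uses: actions/checkout@v3

      - uses: github/codeql-action/init@v2
        with:
          languages: python
          # When 'queries' is omitted, only the security-focused default
          # code-scanning suite runs, which is why fewer alerts appear than
          # in LGTM. Valid values here include:
          #   security-extended
          #   security-and-quality
          queries: security-and-quality

      - uses: github/codeql-action/analyze@v2
```

Prefixing the value with `+` (for example `+security-and-quality`) adds the suite on top of the default queries rather than replacing them; the same selection can also be made in a separate config file passed through the `config-file` input, as described in the documentation linked above. Expect the broader suites to surface maintainability and correctness findings alongside the security ones, so triage volume goes up accordingly.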

Thanks that worked out

Jee-Bee, Aug 30 '22 09:08

Hi,

We also would like to report our observations when switching from LGTM to CodeQL, but when I try to create a new issue, the only offer is to privately report a security vulnerability. Do you employ any other means for submitting experience reports?

With kind regards, Andreas.

Edit: I've discovered the right place to report CodeQL false positive(s): it is the github/codeql repository, at https://github.com/github/codeql/issues/new/choose. Thanks.

amotl, Nov 24 '22 08:11

@amotl, you can create a blank issue by using the link at the bottom, or just going here.

aeisenberg, Nov 24 '22 18:11

Thanks. In this case, I've created https://github.com/github/codeql/issues/11407 and https://github.com/github/codeql/issues/11408.

Other than this, everything on the transition went very smoothly with https://github.com/crate/crate-python/pull/467 and https://github.com/crate/crash/pull/373. Thank you very much for the efforts you are putting into this!

amotl, Nov 24 '22 19:11