codeql-action
Fixed alerts stay in Open state
Actual behavior
I hacked out a small script to fix missing overrides alerts (this one if anyone's interested, but not relevant to this issue). After pushing the changes directly to the default branch (master, which is the only branch), the alerts are recognized as "fixed on master", but still appear as "open" (for example this alert).
Expected behavior
When alerts are fixed on the default branch, they appear as "closed".
Additional info
I read a similar issue, but in my case, the CodeQL config always had name: "CodeQL". I did change the file name from codeql-analysis.yml to codeql.yml to match how the Github Action auto-generates the file, but as far as I remember the problem with being stuck in "open" already appeared before.
I suspect that renaming the workflow is the cause of the problem. Looking at the event log at the bottom of the alert page I see:
- Appeared in branch master on 28 Sep 2021 in analysis origin .github/workflows/codeql-analysis.yml:analyze/language:java
- Fixed in branch master 12 hours ago in analysis origin .github/workflows/codeql.yml:analyze/language:java
An alert is only considered fixed, if it has disappeared from all analysis configurations (aka categories). The workflow file name is part of the configuration key, so changing it causes problems like this.
The easiest way to validate if this is indeed the problem would be to copy codeql.yml to codeql-analysis.yml and let both workflows run. You should see that the fixed alerts get closed.
Of course you'd want to get rid of the duplicated codeql-analysis.yml. Before deleting it, however, you need to make sure that all its alerts are closed. The simplest way to achieve this is probably to insert an advanced-security/filter-sarif step in the workflow that filters out all file paths from the SARIF results before uploading. This should mark all alerts with the codeql-analysis.yml category as fixed, leaving only the ones that are still reported by codeql.yml.
Looks like you were correct, your solution worked as expected on the first try, super!👍
Happy I could help!
Before deleting codeql-analysis.yml, I would add the following to the filter-sarif step:

    with:
      patterns: |
        -**/*.java

to make it drop results from all files. I'm not sure what the behaviour is if there are no patterns at all.
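The two explanations above (an alert stays open until every analysis category that ever reported it stops reporting it, and a filtered upload from the old category is what closes its alerts) can be checked with a small model. The script below is an added illustration and not code from the codeql-action project or from either participant; the category strings, the findings and the `apply_filter_patterns` helper are constructed here, and the helper only approximates the filter-sarif pattern syntax (a leading `-` excludes matching paths).

```python
"""Toy model of code-scanning alert state tracked per analysis category.

Added illustration, not code from the codeql-action project. Each SARIF upload
is keyed by its analysis category (workflow path + job + matrix values, shaped
like the ones in the event log above). An alert is open while any category that
ever reported it still lists it in that category's latest upload, and fixed only
once every such category has stopped reporting it.
"""
import fnmatch
from collections import defaultdict

# Constructed category names, shaped like the event-log entries in the issue.
OLD_CATEGORY = ".github/workflows/codeql-analysis.yml:analyze/language:java"
NEW_CATEGORY = ".github/workflows/codeql.yml:analyze/language:java"


def alert_states(uploads):
    """uploads: ordered (category, set_of_alert_keys) pairs, oldest first.

    Returns {alert_key: 'open' | 'fixed'}, judged from each category's latest upload.
    """
    latest = {}                        # category -> alerts in its most recent upload
    ever_reported = defaultdict(set)   # alert -> every category that reported it
    for category, alerts in uploads:
        latest[category] = set(alerts)
        for alert in alerts:
            ever_reported[alert].add(category)
    return {
        alert: "open" if any(alert in latest[c] for c in cats) else "fixed"
        for alert, cats in ever_reported.items()
    }


def apply_filter_patterns(results, patterns):
    """Drop (path, rule) results whose path matches any '-'-prefixed glob.

    Simplified stand-in for advanced-security/filter-sarif (assumption: only
    exclusion patterns are handled here).
    """
    excludes = [p[1:] for p in patterns if p.startswith("-")]
    return [
        (path, rule) for path, rule in results
        if not any(fnmatch.fnmatch(path, glob) for glob in excludes)
    ]


def alert_keys(results):
    """Identify an alert by file path and rule, enough for this model."""
    return {f"{path}:{rule}" for path, rule in results}


# Constructed findings: A and B are fixed by the push, C remains.
BEFORE_FIX = [("src/A.java", "missing-override"),
              ("src/B.java", "missing-override"),
              ("src/C.java", "unused-variable")]
AFTER_FIX = [("src/C.java", "unused-variable")]


def stuck_open_scenario():
    """Rename the workflow, then fix A and B: only the new category re-runs."""
    uploads = [
        (OLD_CATEGORY, alert_keys(BEFORE_FIX)),  # last run under the old file name
        (NEW_CATEGORY, alert_keys(BEFORE_FIX)),  # first run under the new name
        (NEW_CATEGORY, alert_keys(AFTER_FIX)),   # run on the fixed commit
    ]
    return alert_states(uploads)


def filtered_reupload_scenario():
    """Run the old workflow once more with every .java result filtered out."""
    filtered = apply_filter_patterns(AFTER_FIX, ["-**/*.java"])
    uploads = [
        (OLD_CATEGORY, alert_keys(BEFORE_FIX)),
        (NEW_CATEGORY, alert_keys(BEFORE_FIX)),
        (NEW_CATEGORY, alert_keys(AFTER_FIX)),
        (OLD_CATEGORY, alert_keys(filtered)),    # empty upload closes the old category's alerts
    ]
    return alert_states(uploads)


if __name__ == "__main__":
    print("after rename + fix:      ", stuck_open_scenario())
    print("after filtered re-upload:", filtered_reupload_scenario())
```

In the first scenario A and B stay open even though the new category no longer reports them, because the old category's last upload still does; in the second, the filtered (empty) upload from the old category closes A and B, and C stays open only through codeql.yml, so the old workflow file can then be deleted without stranding any alert.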