
Suppress warnings from Github #9298

Closed
leoluz opened this issue Mar 18, 2022 · 7 comments
Labels
false-positive, Go, question (Further information is requested)

Comments

@leoluz

leoluz commented Mar 18, 2022

Hi!
I am trying to suppress a warning from what I understand is a false positive zip-slip validation. We are using the GitHub Code Scanning job for running CodeQL. Even when I add the // lgtm[go/zipslip] tag in the code I still get the warning.

Example case:
https://github.com/argoproj/argo-cd/pull/8789/checks?check_run_id=5574205353

Are // lgtm tags supported by GitHub Code Scanning jobs? If not, how could I suppress warnings in this case?

Thank you!

@leoluz
Author

leoluz commented Mar 18, 2022

By the way, the false positive warning is pointing at this line, complaining about an unsanitized target variable. However, the sanitization code is applied by the Inbound function called a few lines above. It seems the zipslip validation isn't able to follow that function. Sorry, but this is just a guess, as I don't know how the CodeQL query works. If I copy the code from Inbound inside the caller function, the warning goes away.

@aibaars
Contributor

aibaars commented Mar 18, 2022

Alert suppression using //lgtm or otherwise is not supported by GitHub Code Scanning.

@smowton Could you have a look at this? At a glance the sanitization code looks fine. Should the query be updated to recognize the sanitization code?

@smowton
Contributor

smowton commented Mar 18, 2022

It'll be difficult to accurately classify https://github.com/argoproj/argo-cd/blob/77f9515547096ea939dd8b0b3aeae77708f11795/util/io/files/util.go#L80 as a barrier guard. Manually dismissing the warning is probably right in this case. @aibaars can you advise how to do that?
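As an added illustration, not code from argo-cd or from this thread, here is the kind of path-containment check the two comments above are discussing (the helper name SafeJoin, the error value and the sample paths are all assumptions). The guard lives in its own helper, which is the structure the thread says the zip-slip query struggles to recognize as a barrier guard; the same check written inline in the caller is what made the alert disappear.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrZipSlip is returned when an archive entry would escape the extraction root.
var ErrZipSlip = errors.New("archive entry escapes destination directory")

// SafeJoin is a hypothetical helper (not argo-cd's Inbound) that resolves an
// archive entry name under destDir and rejects any result outside destDir.
// Because the containment check is done here rather than at the call site,
// a taint-tracking query has to follow the call to see the sanitization.
func SafeJoin(destDir, entryName string) (string, error) {
	cleanDest := filepath.Clean(destDir)
	// Join also Cleans, so "../" segments are resolved against destDir.
	target := filepath.Join(cleanDest, entryName)
	// Rel yields a relative path from destDir to target; if it begins with
	// ".." the resolved target lies outside the destination tree.
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrZipSlip
	}
	return target, nil
}

func main() {
	// Constructed sample entry names, as they might appear in a zip listing.
	for _, name := range []string{"a/b.txt", "../etc/passwd", "ok/../../x"} {
		p, err := SafeJoin("/tmp/extract", name)
		fmt.Printf("%-16q -> %q err=%v\n", name, p, err)
	}
}
```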

@aibaars
Contributor

aibaars commented Mar 18, 2022

> Manually dismissing the warning is probably right in this case. @aibaars can you advise how to do that?

Manually dismissing can be done in the UI.

@leoluz
Author

leoluz commented Mar 21, 2022

Thanks all for confirming this.
We dismissed it from the UI, but I was wondering if there is a declarative way of doing it, like using the // lgtm[] tag, but that didn't work for me.

adityasharad transferred this issue from github/codeql-go May 24, 2022
adityasharad added the Go, question and false-positive labels and removed the false-positive label May 24, 2022
@smowton
Contributor

smowton commented May 25, 2022

Closing as answered: no there isn't an inline comment mechanism for suppression in current code scanning, but manual dismissal via the UI can be done.

smowton closed this as not planned May 25, 2022
MalteHerrmann added a commit to evmos/evmos-ledger-go that referenced this issue Dec 7, 2022
See github/codeql#9298 for more details. CodeQL does not support disabling linter warnings by comments.
@aibaars
Contributor

aibaars commented Sep 15, 2023

You may want to use https://github.com/advanced-security/dismiss-alerts to automate the task of dismissing alerts that have suppression markers in the code.
