jorgectf commented on PR #1721:
URL: https://github.com/apache/solr/pull/1721#issuecomment-1614818391

@madrob

> 1. We need to be able to exclude certain paths. For example, I don't think we're interested in the javascript scan results for `solr/webapp/web/libs/*` as that is all third party code that we don't intend to change.

You can use `paths-ignore` in a CodeQL configuration file. See https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#specifying-directories-to-scan.

https://github.com/apache/solr/pull/1721/commits/f9c7be6a8f17144a595e0e1bf7681d5cbf398e53 should do the trick :)
   
> 2. Is there a way to mark certain methods as returning sanitized inputs? There are some very long taint analysis chains provided by CodeQL which is awesome, but some of them seem to miss that a value becomes safe at some point.

That is what we call "Sanitizers". You are welcome to contribute to https://github.com/github/codeql or open a [False Positive Issue](https://github.com/github/codeql/issues/new?assignees=&labels=false-positive&projects=&template=ql--false-positive.md&title=False+positive) so we can take a look and improve the query!
   
> 3. Is there a way to run this or similar analysis locally for developers? We have tried very hard in the past to avoid "surprises" in PRs where the developer runs into a failing check but has no way to verify that they've actually solved it other than to keep resubmitting their PR. It tends to lead to some bad experiences for contributors which we tend to care quite a bit about.

That would be technically possible, but not comfortable for the PR author IMO. The [pull request alerts](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests#viewing-an-alert-on-your-pull-request) should be easily actionable so the author knows what to do, and when they have succeeded in fixing the alert.
   
> 4. Who will the report be visible to? Project members? Everybody?

The alerts will be visible in the `Security` tab of the repository for those with at least `write` access to the repository and [security managers](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization).
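The `paths-ignore` mechanism from the first answer, as an added illustration that is not the content of the linked commit: a CodeQL configuration file excluding the third-party JavaScript directory named above, plus the `github/codeql-action/init` step that references it. The file location `.github/codeql/codeql-config.yml`, the workflow path and the language list are assumptions.

```yaml
# .github/codeql/codeql-config.yml  (assumed location; example only, not Solr's own file)
name: "Solr CodeQL config"

# Exclude vendored third-party code so alerts only cover code the project
# maintains. Patterns are relative to the repository root; for the
# JavaScript scan this filter is applied when the code is extracted, so the
# excluded files never enter the analysis database.
paths-ignore:
  - solr/webapp/web/libs

# Workflow side (assumed path .github/workflows/codeql.yml): the init step
# must point at the config file or it is silently ignored.
#
#   - uses: github/codeql-action/init@v2
#     with:
#       languages: java, javascript
#       config-file: ./.github/codeql/codeql-config.yml
```

Check the effect on the next pull request: alerts under `solr/webapp/web/libs/` should no longer appear in the PR's code scanning results while alerts in project-owned JavaScript still do.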
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
