
Alert suppression: allow // codeql[...] suppression comments on the same line#11772

Closed
aibaars wants to merge 2 commits into github:main from aibaars:alert-suppression-same-line

Conversation

@aibaars
Contributor

@aibaars aibaars commented Dec 21, 2022

In an earlier PR I added support for //codeql[query-id] suppression comments that can be placed on the line before the alert that needs to be suppressed. These suppression comments can be used via https://github.com/advanced-security/dismiss-alerts which automatically suppresses marked alerts via CodeScanning's API.

I'm a bit in doubt about whether we should allow //codeql[query-id] comments on the same line as an alert as well. The main reason for not allowing it is that it does not play well with the way CodeScanning identifies alerts (content hash of the line containing the alert). As a result the original alert would be marked as "fixed" by CodeScanning, while a fresh duplicate would be created with a suppression marker.

On the other hand, users may expect such comments to work at the end of a line even though we'd recommend not doing that for the reason described above.

@sj @AlonaHlobina @turbo
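The fingerprinting concern described in the PR text, as an added illustration that is not code from this PR or from CodeQL: a suppression comment on the preceding line leaves the alert line's content hash unchanged, while a trailing same-line comment changes it, so code scanning would treat the original alert as fixed and the annotated line as a new alert. The query id, the sample source and the simplified hash scheme are constructed assumptions.

```python
import hashlib
import re

# Matches a `// codeql[id1, id2]` marker; whitespace after `//` is optional.
SUPPRESSION_RE = re.compile(r"//\s*codeql\[(?P<ids>[^\]]*)\]")


def line_hash(line: str) -> str:
    """Stand-in for the content hash code scanning keys an alert on.
    Assumption: the real fingerprint is more involved; here only the
    line's text matters, which is the property under discussion."""
    return hashlib.sha256(line.strip().encode("utf-8")).hexdigest()[:16]


def suppressed_lines(lines, query_id, allow_same_line=False):
    """Return the 1-based line numbers on which alerts for `query_id`
    are suppressed: the line after a marker, and (optionally) the
    marker's own line."""
    suppressed = set()
    for idx, line in enumerate(lines, start=1):
        match = SUPPRESSION_RE.search(line)
        if not match:
            continue
        ids = {s.strip() for s in match.group("ids").split(",")}
        if query_id not in ids:
            continue
        suppressed.add(idx + 1)       # comment placed on the line before
        if allow_same_line:
            suppressed.add(idx)       # comment trailing the alert line
    return suppressed


def alert_keeps_identity(original, orig_line, annotated, annotated_line):
    """True if the alert's line hash survives adding the comment."""
    return line_hash(original[orig_line - 1]) == line_hash(annotated[annotated_line - 1])


# Constructed sample: hypothetical query id "js/example-query", alert on the
# eval() line. PRECEDING puts the marker above it; SAME_LINE appends it.
ORIGINAL = ["function f(x) {", "  eval(x);", "}"]
PRECEDING = ["function f(x) {", "  // codeql[js/example-query]", "  eval(x);", "}"]
SAME_LINE = ["function f(x) {", "  eval(x); // codeql[js/example-query]", "}"]

if __name__ == "__main__":
    print("preceding-line keeps identity:", alert_keeps_identity(ORIGINAL, 2, PRECEDING, 3))
    print("same-line keeps identity:", alert_keeps_identity(ORIGINAL, 2, SAME_LINE, 2))
    print("same-line suppressed without same-line support:",
          2 in suppressed_lines(SAME_LINE, "js/example-query"))
```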

@aibaars aibaars added the awaiting-response The CodeQL team is awaiting further input or clarification from the original reporter of this issue. label Dec 21, 2022
@aibaars aibaars force-pushed the alert-suppression-same-line branch from 66745d5 to f4a2d99 December 21, 2022 12:16
@aibaars aibaars force-pushed the alert-suppression-same-line branch from f4a2d99 to 54a7702 December 21, 2022 13:34
@github-actions github-actions Bot added the Swift label Dec 21, 2022
@aibaars aibaars marked this pull request as ready for review December 22, 2022 10:50
@aibaars aibaars requested review from a team as code owners December 22, 2022 10:50
@aibaars aibaars added the no-change-note-required This PR does not need a change note label Dec 22, 2022
@calumgrant calumgrant requested a review from turbo January 9, 2023 09:28
@sj
Contributor

sj commented Jan 12, 2023

it does not play well with the way CodeScanning identifies alerts (content hash of the line containing the alert)

Great point. I think this is a (very!) valid concern and my suggestion would be to not allow same-line suppressions for the time being. If that results in significant negative feedback we can reconsider that decision in the future. The opposite would be difficult: once we ship this, it's hard to un-ship it.

It's probably worth pointing out that this change does not mean that GitHub code scanning will natively support in-code alert suppression/dismissal (right?). This change opens the door to designing API-based tool automation in the future. If my understanding is correct, then it's probably worth including that note in the description of the PR in order to avoid confusion. Thanks!

@aibaars
Contributor Author

aibaars commented Jan 12, 2023

It's probably worth pointing out that this change does not mean that GitHub code scanning will natively support in-code alert suppression/dismissal (right?). This change opens the door to designing API-based tool automation in the future. If my understanding is correct, then it's probably worth including that note in the description of the PR in order to avoid confusion. Thanks!

Yes, that's right. The updated suppression queries are meant to be used in combination with https://github.com/advanced-security/dismiss-alerts. I added an introduction to the PR description mentioning the dismiss-alerts action.

@aibaars
Contributor Author

aibaars commented Jan 16, 2023

Thanks for the comments, closing this.


Labels

awaiting-response (The CodeQL team is awaiting further input or clarification from the original reporter of this issue.), C#, C++, Go, Java, JS, no-change-note-required (This PR does not need a change note), Python, Ruby, Swift
