Issues search results · repo:github/codeql language:CodeQL is:public linked:pr
307 results

The rule currently misses standard library functions and patterns that perform archive extraction, such as
shutil.unpack_archive and system tar commands invoked via subprocess.
https://github.com/positive666/yolo_research/blob/f5795f27a56ca4dbe4c182e12f61309a52e23967/utils/downloads.py#L173 ...
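The report above is about which extraction calls the query recognises as sinks; what the extraction site itself should do is independent of that. Added here as an example (not code from the issue, the linked repository, or CodeQL) is the containment check a tar extraction needs before writing to disk: every member's resolved file path, and for links the resolved link target, must stay under the destination directory. The archive is constructed in memory for the example and the destination directory name is made up.

```python
import io
import os
import tarfile


def build_tar(files, symlinks=None):
    """Build an in-memory tar from {name: bytes} plus optional {name: linkname} symlinks.

    Fixture constructed for this example; a real archive would arrive from the network.
    Names are written as given, so '../x' members survive into the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, linkname in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)
    return buf.getvalue()


def _inside(dest_real, path):
    """True if the already-resolved path is dest_real itself or lies below it."""
    return os.path.commonpath([dest_real, path]) == dest_real


def escaping_members(archive_bytes, dest):
    """Return names of members whose file or link target would land outside dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            # os.path.join discards dest_real when m.name is absolute, so an
            # absolute member name resolves outside dest and is flagged as well.
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if not _inside(dest_real, target):
                bad.append(m.name)
                continue
            if m.issym():
                # a symlink target is relative to the link's own directory
                link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
                if not _inside(dest_real, link):
                    bad.append(m.name)
            elif m.islnk():
                # a hard link target is relative to the archive root
                link = os.path.realpath(os.path.join(dest_real, m.linkname))
                if not _inside(dest_real, link):
                    bad.append(m.name)
    return bad


def safe_extract(archive_bytes, dest):
    """Reject the whole archive if any member escapes, otherwise extract it."""
    bad = escaping_members(archive_bytes, dest)
    if bad:
        raise ValueError("archive members escape %s: %s" % (dest, bad))
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        tar.extractall(dest)


if __name__ == "__main__":
    # constructed sample: one benign file, one traversal member, one symlink out of the tree
    demo = build_tar({"ok/a.txt": b"hi", "../evil.txt": b"x"}, {"lnk": "../../etc"})
    print(escaping_members(demo, "/tmp/unpack-demo"))
```

Checking the whole archive before extracting anything avoids a half-written tree when a late member is the bad one. On Python 3.12 and later, `tar.extractall(dest, filter="data")` performs equivalent checks in the standard library; `shutil.unpack_archive` and a `subprocess` call to the system `tar` get no such check unless the caller adds one, which is exactly why those sinks matter to the query.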
Description of the false positive
The rule does not cover using basename to mitigate the path injection. This is a common mitigation, ...
false-positive
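As an added example (not code from the issue or from CodeQL), the basename mitigation the report refers to, beside a variant that also verifies containment. The base directory and inputs are made up. The second form exists because `os.path.basename` leaves an input consisting only of `..` (or an empty trailing component) untouched, so a caller that joins the result without a further check still needs to reject those.

```python
import os


def basename_only(base_dir, user_path):
    """The mitigation as the issue describes it: keep only the last path component."""
    return os.path.join(base_dir, os.path.basename(user_path))


def safe_join(base_dir, user_path):
    """basename plus a containment check; rejects '', '.', '..' and anything resolving elsewhere."""
    base_real = os.path.realpath(base_dir)
    name = os.path.basename(user_path)
    if name in ("", ".", ".."):
        raise ValueError("refusing empty or relative-only file name: %r" % user_path)
    target = os.path.realpath(os.path.join(base_real, name))
    # realpath follows symlinks, so a planted link inside base_dir is caught here too
    if os.path.dirname(target) != base_real:
        raise ValueError("%r resolves outside %s" % (user_path, base_real))
    return target


def accepts(base_dir, user_path):
    """Convenience wrapper: does safe_join accept this input?"""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/opt/app/uploads"  # made-up base directory
    for probe in ("report.pdf", "../../etc/passwd", "..", "reports/"):
        print(repr(probe), basename_only(base, probe), accepts(base, probe))
```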
Description of the false positive
Note from code scanning:
Missed opportunity to use Select: This foreach loop immediately maps its iteration variable to another variable
- consider mapping the sequence ...
false-positive
Description
The actions/unpinned-tag query flags step-level uses: references that are not pinned to a commit SHA, but silently
ignores job-level uses: references (reusable workflow calls). Both patterns ...
question
Description of the false positive
The java/sensitive-log query (CWE-532) flags data that has been hashed or encrypted before logging. The sibling query
java/cleartext-storage-in-log (CWE-312) already ...
false-positive
Description of the false positive
PathNormalizeSanitizer recognizes Path.normalize() and File.getCanonicalPath()/getCanonicalFile(), but not
Path.toRealPath().
toRealPath() is strictly stronger than ...
false-positive
Description of the false positive
The source regex (?i).*(token|secret).* in getCommonSensitiveInfoRegex() matches any variable containing token or
secret. The FP exclusion list (getCommonSensitiveInfoFPRegex) ...
false-positive
Description of the issue
Rust is missing an AlertSuppression.ql query, which means // codeql[...] and // lgtm[...] inline suppression comments
have no effect on Rust code scanning alerts. Every other ...
We are getting the actions/missing-workflow-permissions alert raised on reusable workflow files that only contain the
workflow_call trigger.
false-positive
Description of the false positive
The java/tainted-arithmetic query (CWE-190/CWE-191) reports false positives when a tainted value is used in an
arithmetic expression that is itself a bounds check. A ...
false-positive