
Alerts in LGTM, No alerts in CodeQL-Action #1220

Open
Jee-Bee opened this issue Aug 29, 2022 · 5 comments
Comments

@Jee-Bee

Jee-Bee commented Aug 29, 2022

I'm not sure if this is the right repository (if not, point me to the right one).

Currently I use LGTM for code analysis, but since it will stop working I want to try moving to CodeQL.
As of now I have added it to two of my repositories, but at the same time I'm not sure if it works well.
I use the default setup for both (LGTM and the CodeQL action). In LGTM I have some alerts, while in CodeQL I don't have any.
For pointing to the right repositories:

Both repositories are written in Python.

I am currently running in circles through the documentation, but I can't find anything that leads me to where the difference comes from. I have no idea how to set up CodeQL so that the results are equal... Is there any documentation on what the different settings are between LGTM and CodeQL?

Thanks in advance,

Jee-Bee

@aibaars
Collaborator

aibaars commented Aug 29, 2022

By default the codeql-action runs only security-related queries, while LGTM runs a lot more queries by default. CodeQL comes with several pre-defined query suites. The most important ones are code-scanning.qls (the default), security-extended.qls, and security-and-quality.qls (roughly LGTM's default settings).

See also: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
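As an added illustration of the suite selection described in the comment above (this workflow is not part of the original issue and not the codeql-action project's own example), the snippet below is a minimal code-scanning workflow for a Python repository that overrides the default code-scanning suite with security-and-quality via the `queries` input of the init step. The branch names, cron schedule and action version tags are assumptions; adjust them to the repository.

```yaml
# .github/workflows/codeql.yml  (added example, not taken from the issue thread)
name: "CodeQL"

on:
  push:
    branches: [ main ]        # assumed default branch
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 3 * * 1'      # assumed weekly scan, Monday 03:30 UTC

permissions:
  contents: read
  security-events: write      # needed to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: python
          # The default suite is code-scanning (security queries only).
          # security-and-quality roughly matches what LGTM ran by default,
          # so alerts that only LGTM reported should show up again.
          # Alternatives: security-extended (more security queries, no
          # quality queries) or omitting this input to keep the default.
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

Expect the alert count to rise after this change, since the quality queries flag maintainability issues (unused imports, unreachable code, and similar) that the security-only default suite deliberately leaves out; triage those separately from the security findings rather than treating the larger number as a regression.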

@Jee-Bee
Author

Jee-Bee commented Aug 30, 2022

Thanks, that worked out.

@amotl

amotl commented Nov 24, 2022

Hi,

We would also like to report our observations when switching from LGTM to CodeQL, but when I try to create a new issue, the only offer is to privately report a security vulnerability. Do you employ any other means for submitting experience reports?

With kind regards,
Andreas.

Edit: I've discovered the right place to report CodeQL false positive(s); it is the github/codeql repository, at https://github.com/github/codeql/issues/new/choose. Thanks.

@aeisenberg
Contributor

@amotl, you can create a blank issue by using the link at the bottom, or just going here.

@amotl

amotl commented Nov 24, 2022

Thanks. In this case, I've created github/codeql#11407 and github/codeql#11408.

Other than this, everything on the transition went very smoothly with crate/crate-python#467 and crate/crash#373. Thank you very much for the efforts you are putting into this!
