-
Notifications
You must be signed in to change notification settings - Fork 347
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation opened by @github-code-scanning bot does not resolve/collapse properly #1411
Comments
Uneducated guess: this sounds a lot like https://github.com/github/code-scanning/issues/5262 so tagging @anaarmas to have a quick look when she comes in on Monday to prove me wrong 🙇♀️ |
Hi @amotl 👋 |
Hi @anaarmas, thank you for your response, we appreciate it very much. First things first: Kudos to you and your colleagues for working on the excellent features supported by the LGTM/CodeQL integration/migration. We hear you on the rationale of designing the dismissal feature like that, but yes, a few details surprised us, and it would be sweet if you could take our feedback into your refinement process. Let me show you another example at crate/crate-python#481, where three notices are displayed. We would love to collapse them, because we all agree that they are false positives discovered by the scanning engine (github/codeql#11407), and they just distract the reviewing process, thus decreasing the user experience. It may not be your department, but improving this detail together with github/codeql#11427 would be so awesome. I think both features would be crucial for the new CodeQL integration you are working on. Thanks for listening and with kind regards, |
Hi again, we have another PR which demonstrates how distractive the current implementation of CodeQL admonitions is: crate/crate-python#498. The admonitions dominate the whole page and there is no chance to acknowledge or hide individual admonition sections. It also looks like there is a bug that we can not dismiss those open items, which are actually false positives, in a second round of review, where there have been some rebasing and commits beforehand, and where also some admonition items have been dismissed, but re-opened. With kind regards, |
Hi again, at [1], there is another spot which I would like to draw your attention to. The first few admonitions are actually items which already have been fixed, contrary to the other ones which only have been dismissed. With kind regards, |
Hi, another spot at [2] has been fixed with a subsequent push, but the admonition is still there. Following "Show more details" yields a 404 at [3]. With kind regards, [2] https://github.com/crate/crate-python/pull/488/files/b4582208817a671a0a68607077d9e57d26cbf210#diff-8d4d5446aad4c66a2236f9c83edd825550a1565f3190e3adb01ed761e457fa02 |
Hi Andreas, thanks for the detailed feedback! We have limited coverage over this holiday period, but will take a look at your examples and get back to you in the new year. |
Hi @amotl! Thanks for providing those examples 🙇♀️ they're priceless for debugging purposes! |
I started looking into this and even though I'm not finished with all the things I want to poke, I noticed that when you updated the workflow file you didn't teach the code scanning |
It lacked an appropriate setting for the `category` parameter. When introducing a matrix axis (here: sqla-version), you will have to teach code scanning about it. This has been discovered by the CodeQL team. Thanks a stack! github/codeql-action#1411 (comment)
Thank you very much for discovering this on our CI configuration 🌻, I am just fixing it with crate/crate-python#505 based on your suggestions. Apologies for not reading the documentation properly on this detail. Many of the misleading admonitions from code scanning obviously have been caused by this misconfiguration, sorry for the noise about those. |
It lacked an appropriate setting for the `category` parameter. When introducing a matrix axis (here: sqla-version), you will have to teach code scanning about it. This has been discovered by the CodeQL team. Thanks a stack! github/codeql-action#1411 (comment)
It lacked an appropriate setting for the `category` parameter. When introducing a matrix axis (here: sqla-version), you will have to teach code scanning about it. This has been discovered by the CodeQL team. Thanks a stack! github/codeql-action#1411 (comment)
It lacked an appropriate setting for the `category` parameter. When introducing a matrix axis (here: sqla-version), you will have to teach code scanning about it. This has been discovered by the CodeQL team. Thanks a stack! github/codeql-action#1411 (comment)
Hi again @amotl! |
Hi again, I think all the teething woes are gone with the @github-code-scanning bot improvements you have been bringing in at the beginning of the year. Thank you again for assisting us on a misconfiguration of one of our repositories. I also hope you are doing well in general. Other than this, I would like to get back to the original matter if this discussion, as we just encountered another occasion where we would like to dearly resolve & collapse a conversation about a false positive reported by CodeQL. With kind regards, |
Hi @amotl 👋 |
Hi @amotl! |
Hi there,
we recently reported github/codeql#11407 and github/codeql#11408, and now are trying to properly dismiss admonitions reported by @github-code-scanning bot.
On crate/crate-python#474, we are observing a situation where we tried to Resolve the conversation started by @github-code-scanning, using the usual GitHub UI feature, after dismissing the Check notice as "false positive" beforehand, see https://github.com/crate/crate-python/security/code-scanning/55.
However, even if the conversation has apparently been flagged as resolved, the UI component does not collapse properly, even after reloading the page.
It would be sweet if you could look into this issue, or advise us how to properly handle the situation.
With kind regards,
Andreas.
P.S.: Maybe related: #986, #1223
The text was updated successfully, but these errors were encountered: