GHA CI: add CodeQL scanning #18687
Conversation
query-filters: | ||
- exclude: | ||
id: js/superfluous-trailing-arguments |
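Review bot: the exclusion of js/superfluous-trailing-arguments carries no comment recording why the query is disabled; the rationale (too many false positives at the moment) lives only in this PR thread. Suggest a YAML comment beside the id line, e.g. `id: js/superfluous-trailing-arguments  # noisy: many false positives, re-evaluate later`, so a later maintainer knows the exclusion is provisional and can revisit it.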
This has too many false-positives at the moment so exclude it for now.
And there are many warnings that look like false positives. What do you suggest to do with them?
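A complete CodeQL configuration file showing how a noisy query is excluded with its rationale recorded in place, plus the workflow excerpt that loads it. This is an added example, not the PR's own files: the file path, the extra query suite, the ignored glob and the action versions are assumptions for illustration.

```yaml
# .github/codeql/codeql-config.yml  (example, not the PR's file)
name: "CodeQL config"

# Run the default queries plus the broader security-and-quality suite.
# Drop this block to stay with the defaults if the extra suite is too noisy.
queries:
  - uses: security-and-quality

# Exclude individual queries by id. Keep the reason beside each entry so the
# exclusion can be re-evaluated instead of silently living on forever.
query-filters:
  - exclude:
      id: js/superfluous-trailing-arguments   # too many false positives at the moment

# Vendored / third-party sources only produce findings nobody will fix here.
# (Path is an assumption for illustration.)
paths-ignore:
  - "third_party/**"

---
# .github/workflows/codeql.yml  (excerpt, example only)
jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload results to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: cpp, javascript
          config-file: ./.github/codeql/codeql-config.yml
      # Compiled languages need a build between init and analyze; autobuild
      # tries to detect the build system, or replace it with explicit steps.
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

Excluding a query removes every alert it produces; dismissing individual alerts in the code-scanning UI with a reason (false positive, won't fix, used in tests) is the right tool when most of a query's hits are real and only a few are wrong.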
@@ -68,8 +68,9 @@ | |||
} | |||
|
|||
// Register keyboard events to modal window | |||
var keyboard = undefined; | |||
if (!keyboard) { |
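Review bot: `var keyboard = undefined;` immediately followed by `if (!keyboard)` means the check can never be false on this path, so either the branch is dead or the assignment clobbers a value set by an earlier load of the script. If the intent is to reuse an already created Keyboard object, declare it as `var keyboard;` (a `var` redeclaration without an initializer leaves an existing value untouched) or read it explicitly from the global scope, and say so in a comment, since the analyzer warning points at exactly this ambiguity.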
Why to check it if you assigned it to undefined just above?
I can change it to var keyboard; but I wanted to be explicit.
CodeQL reports the variable wasn't declared before use.
CodeQL reports the variable wasn't declared before use.
Although I am not familiar enough with JS, it looked to me as if keyboard was intended to preserve a previously assigned value (i.e., to reuse the Keyboard object once created).
Otherwise it is meaningless to check variable just declared as undefined, isn't it?
since the variable is still declared in the scope in which it is used.
This is the confusing point which my previous comment aims to address.
It still looks to me like an attempt to give a slightly less confusing look to something that is confusing by nature. But I won't go into further discussions about it. It is enough that now (after applying var keyboard;) the "fixing the analyzer warnings" does not break the logic of the program.
This is the confusing point which my #18687 (comment) aims to address.
commit updated.
It still looks to me like an attempt to give a slightly less confusing look to something that is confusing by nature.
Yes and in the future with the analyzer in place, new code can be inspected better or even rewritten to avoid such situations.
yeah it's pretty confusing. i believe @glassez is correct in that you can redeclare var keyboard
This is a very, very bad and confusing practice. It is better to avoid legacy JS mistakes and do something like

```js
let { keyboard } = globalThis;
if (!keyboard) {
    keyboard = new Keyboard({
```

Why don't you just state your intent? I would suppress the warnings with the most false positives and keep the lesser ones. The remaining false positives can be dismissed by hand.
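The three variants argued over above, side by side, as an added example that is not the project's code: the PR's original `var keyboard = undefined;`, the `var keyboard;` fix, and the `globalThis` destructuring suggested in the last comment. Plain objects with an `id` field stand in for the Keyboard instance (an assumption), and each function models a script that has already run once in the same scope so the redeclaration behaviour is visible.

```javascript
// Pattern 1: the PR's original line. `var keyboard = undefined;` is a
// redeclaration WITH an initializer, so it overwrites whatever an earlier
// load of the script stored, and `if (!keyboard)` is then always true.
function withInitializer() {
  var keyboard = { id: 1 };      // state left behind by a previous load
  var constructions = 0;
  var keyboard = undefined;      // the PR's line: clobbers the existing value
  if (!keyboard) {
    keyboard = { id: 2 };        // stands in for `new Keyboard({...})` (assumption)
    constructions++;
  }
  return { id: keyboard.id, constructions };
}

// Pattern 2: the fix applied in the PR. A `var` redeclaration WITHOUT an
// initializer is a no-op for an existing binding, so the earlier object
// survives and the constructor is not run a second time.
function withoutInitializer() {
  var keyboard = { id: 1 };
  var constructions = 0;
  var keyboard;                  // hoisted, does not reset the value
  if (!keyboard) {
    keyboard = { id: 2 };
    constructions++;
  }
  return { id: keyboard.id, constructions };
}

// Pattern 3: the explicit form suggested in the review. Reading the value
// from `globalThis` states the intent (reuse a global if present) without
// relying on `var` hoisting. `preexisting` simulates an earlier load.
function withGlobalThis(preexisting) {
  if (preexisting) {
    globalThis.keyboard = { id: 1 };
  } else {
    delete globalThis.keyboard;
  }
  var constructions = 0;
  let { keyboard } = globalThis;           // undefined if no earlier load
  if (!keyboard) {
    keyboard = { id: 2 };
    constructions++;
    globalThis.keyboard = keyboard;        // publish for the next load
  }
  const result = { id: keyboard.id, constructions };
  delete globalThis.keyboard;              // clean up the shared scope
  return result;
}

console.log("with initializer:   ", withInitializer());     // constructs again
console.log("without initializer:", withoutInitializer());  // reuses id 1
console.log("globalThis, existing:", withGlobalThis(true));
console.log("globalThis, fresh:   ", withGlobalThis(false));
```

Only the first pattern re-runs the constructor when the script is loaded a second time, which is the behaviour the analyzer warning hinted at; the other two keep the existing object, and the third does so without the reader having to know that `var` redeclarations are merged.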
This enables code base scanning for the C++ and JavaScript languages.
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning
https://docs.github.com/en/actions/learn-github-actions/expressions#about-expressions
> When you use expressions in an if conditional, you may omit the expression syntax (${{ }}) because GitHub automatically evaluates the if conditional as an expression.
After suppressing some CodeQL checks, the final report looks clean now.
I didn't have clear intentions, I just saw a picture that I didn't like. Using analyzers that give a lot of false positives can have a negative effect. I suppose you've at least got a little familiar with CodeQL, since you're offering it. So I would expect it to be configured as much as possible before we merge it (assuming it can be configured appropriately).
Of course, and I meant you could just say that (that you wished for fewer false positives) instead of asking my opinion, which I find ambiguous. Also, IMO CodeQL is more useful for the JS language than for C++, since there wasn't any good static analyzer employed for JS. As for C++, just think of it as another checker for reference; it might be occasionally useful and it won't (shouldn't) be a hard block for merging PRs.
GHA CI: add CodeQL scanning
This enables code base scanning for the C++ and JavaScript languages.
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning
GHA CI: drop needless syntax
https://docs.github.com/en/actions/learn-github-actions/expressions#about-expressions
Fix code defects