What appears to be happening is that the repository previously used both javascript and python, and scans were performed on both. The python code was removed, so it was removed from scanning as well (https://github.com/department-of-veterans-affairs/covid-patient-manager/pull/1683). While code scanning is continuing for javascript, there aren’t any new scans for python. Verify-scans flags the last python analysis as using an old version of CodeQL, although there is no longer any python code to scan.
From verify-scans log:
[covid-patient-manager]: Validating CodeQL CLI version
Warning: [covid-patient-manager]: [out-of-date-cli] Outdated CodeQL CLI version found: 2.14.0
[covid-patient-manager]: [generating-email] Sending 'GitHub Repository Code Scanning Software Is Out Of Date' email to OIS and System Owner
We tried to work around the issue with the developer by excluding python in codeql.yml and by removing the ois-python configuration. Neither of these has resolved the issue. The only change is that now the CLI version reported is null.
This is in relation to: https://github.com/department-of-veterans-affairs/github-user-requests/issues/17490 opened by the developer.
The repository https://github.com/department-of-veterans-affairs/covid-patient-manager is being incorrectly flagged for using an old version of CodeQL. It is using the GitHub CI for scanning.
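To illustrate the triage logic that would avoid this false positive, here is an added example (not verify-scans' code, nor anything from the covid-patient-manager repository): it takes records shaped like the GitHub code scanning analyses API response, keeps the newest analysis per category, and only reports an outdated CLI for categories that are still part of the most recent scan, treating a category whose newest analysis belongs to an older commit as retired rather than outdated. The sample records, the minimum version threshold and the function names are constructed for the demonstration.

```python
# Constructed sample, modelled on a subset of the fields returned by
# GET /repos/{owner}/{repo}/code-scanning/analyses. The python analysis is
# older and sits on an earlier commit; only javascript was scanned recently.
SAMPLE_ANALYSES = [
    {"category": "/language:python", "commit_sha": "aaaa1111",
     "created_at": "2023-09-01T10:00:00Z", "tool": {"name": "CodeQL", "version": "2.14.0"}},
    {"category": "/language:javascript", "commit_sha": "aaaa1111",
     "created_at": "2023-09-01T10:00:00Z", "tool": {"name": "CodeQL", "version": "2.14.0"}},
    {"category": "/language:javascript", "commit_sha": "bbbb2222",
     "created_at": "2024-02-10T10:00:00Z", "tool": {"name": "CodeQL", "version": "2.16.3"}},
]


def parse_version(v):
    """Turn '2.14.0' into (2, 14, 0) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def latest_per_category(analyses):
    """Newest analysis for each category; ISO-8601 UTC strings sort lexically."""
    latest = {}
    for a in analyses:
        cat = a["category"]
        if cat not in latest or a["created_at"] > latest[cat]["created_at"]:
            latest[cat] = a
    return latest


def naive_flags(analyses, min_version):
    """Behaviour described in the issue: flag any category whose newest
    analysis ran on an old CLI, even if that language is no longer scanned."""
    return sorted(cat for cat, a in latest_per_category(analyses).items()
                  if a["tool"]["version"] is not None
                  and parse_version(a["tool"]["version"]) < parse_version(min_version))


def classify(analyses, min_version):
    """Only the most recent scan counts. Returns {'outdated', 'retired', 'unknown'}:
    outdated = old CLI on the newest commit; retired = category absent from the
    newest commit; unknown = tool version reported as null."""
    latest = latest_per_category(analyses)
    newest_sha = max(latest.values(), key=lambda a: a["created_at"])["commit_sha"]
    result = {"outdated": [], "retired": [], "unknown": []}
    for cat, a in sorted(latest.items()):
        version = a["tool"]["version"]
        if a["commit_sha"] != newest_sha:
            result["retired"].append(cat)
        elif version is None:
            result["unknown"].append(cat)
        elif parse_version(version) < parse_version(min_version):
            result["outdated"].append(cat)
    return result
```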