search

github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License
7.52k stars 1.49k forks source link

Local variable address stored in non-local memory (False positive) #11528

Open uNetworkingAB opened 1 year ago

uNetworkingAB commented 1 year ago

Description of the false positive

I have 6 total false positives of the same category:

Code samples or links to source code

https://github.com/uNetworking/uWebSockets/blob/c4d45fbf3d282bf68a3b44d6dcabad9414f49e84/src/AsyncSocket.h#L123

URL to the alert on GitHub code scanning (optional)

https://github.com/uNetworking/uWebSockets/security/code-scanning/101

alexet commented 1 year ago

Indeed, this looks like a false positive. Thank you for reporting it!

Our current focus is on improving our security analysis. Because your report does not relate to a security query, we will put this on our backlog and prioritize it if we get enough reports of the same underlying issue in other projects. If you think that your report is related to our security analysis, please clarify that in a comment. Either way, we'll let you know here as soon as it's fixed!

As you might know, all of our queries are open source. If you do have an idea for a code change, we encourage you to open a pull request. GitHub Code Scanning and lgtm.com have facilities for suppressing individual alerts or disabling a query.

uNetworkingAB commented 1 year ago

Makes sense. It's a good service either way and I found out how to disable it. Alerts work like issues so you can easily close them - that's neat