Open DefinetlyNotAI opened 1 month ago
Thanks for the report! False positives like these aren't something we're able to prioritise at the moment, but the team have assessed it and we will keep it in mind for future work.
I don't know if my idea has been reached or not, but for clarification, if the function plays with 2 separate variable types with a single variable, it would take the worst case scenario (which is usually impossible) and then flag it.
Description of the false positive
Sometimes when a variable either stores a tuple containing a password, or an error message in a string with an if statement to check what to do, CodeQL then ignores the variable type and its checks and goes in an impossible route... where somehow the password that can only be stored as a tuple, is then written to a log as a string... thus a false positive
In the following example, the path shows how temp is returned, but the if statements show that it only occurs when it's a string, and when temp is a string it contains an error message, not a password, as the password is saved in temp as a tuple only if there were no errors, my code is spaghetti so I do apologize
Code samples or links to source code
As shown above
URL to the alert on GitHub code scanning (optional)
https://github.com/DefinetlyNotAI/Test-generator/security/code-scanning/42
Many more, but you get the idea
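An added example, not code from the issue or from the Test-generator project, reconstructing the pattern the report describes (one variable holding either a password-carrying tuple or an error string, with only the string branch logged) next to a refactor that keeps the secret out of the logged variable altogether, so a flow-insensitive analysis has no path to flag. All function names and values are hypothetical.

```python
"""Constructed reconstruction of the reported pattern plus a refactor.
Names and values are assumptions, not the reporter's code."""
import logging
from typing import Tuple, Union

log = logging.getLogger("demo")
logging.basicConfig(level=logging.INFO)

# --- pattern as described in the report (hypothetical names) ---
def fetch_credentials(ok: bool) -> Union[Tuple[str, str], str]:
    # Constructed sample values; not real credentials.
    if ok:
        return ("alice", "s3cr3t-password")  # tuple only on success
    return "lookup failed: user not found"   # plain string only on error

def handle_flagged(ok: bool) -> str:
    temp = fetch_credentials(ok)
    if isinstance(temp, str):
        # Only the error string reaches the log at runtime, but a
        # type- and branch-insensitive view of `temp` still sees the
        # password as a possible value, hence the reported alert.
        log.error(temp)
        return "error"
    user, _password = temp
    return user

# --- refactor: the secret never shares a variable with logged text ---
class CredentialLookupError(Exception):
    pass

def fetch_credentials_safe(ok: bool) -> Tuple[str, str]:
    # Errors leave via an exception; the return type is the tuple only.
    if not ok:
        raise CredentialLookupError("lookup failed: user not found")
    return ("alice", "s3cr3t-password")

def handle_separated(ok: bool) -> str:
    try:
        user, _password = fetch_credentials_safe(ok)
    except CredentialLookupError as exc:
        log.error("%s", exc)  # exception message only; no secret in scope
        return "error"
    return user
```

Both handlers behave the same at runtime; the difference is that the second never puts a secret and a loggable message into the same variable.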