Closed slobo80 closed 2 years ago
Next action is to go through each of these and understand what's a real indicator of a problem and what's noise. Then identify the set of changes needed to address the analysis feedback (either through fixing, informed suppression, or feedback on false positives to the analysis team).
@asklar Can you get clarity on the timeline commitment on these? Sounds like an initial review is fairly urgent. @AgneLukoseviciute Can you review the list of issues to see what needs to be acted on and what doesn't?
FYI, I tried to move CodeQL upstream from partners into our compliance pipeline, but the task isn't supported for GH repos: https://dev.azure.com/microsoft/ReactNative/_build/results?buildId=49473914&view=logs&j=27307724-e5a4-5138-9d40-a20492a83fb9&t=4b1e7d67-b75d-56af-b74f-61b128864bf7&l=32
So unfortunately, until this changes, we'll only be able to address CodeQL issues indirectly via partners reporting issues when they run the task.
@jonthysell could we file a bug to / push this onto the CodeQL team?
Opened #9994 to track CodeQL's missing GitHub support.
Running CodeQL reports several issues.