microsoft / react-native-windows

A framework for building native Windows apps with React.
https://microsoft.github.io/react-native-windows/

Address compliance issues reported by CodeQL #9960

Closed slobo80 closed 2 years ago

slobo80 commented 2 years ago

Running CodeQL reports several issues.

chrisglein commented 2 years ago

Next action is to go through each of these and understand what's a real indicator of a problem and what's noise. Then identify the set of changes needed to address the analysis feedback (either through fixing, informed suppression, or feedback on false positives to the analysis team).

@asklar Can you get clarity on the timeline commitment on these? Sounds like an initial review is fairly urgent. @AgneLukoseviciute Can you review the list of issues to see what needs to be acted on and what doesn't?

jonthysell commented 2 years ago

FYI, I tried to move CodeQL upstream from partners into our compliance pipeline, but the task isn't supported for GH repos: https://dev.azure.com/microsoft/ReactNative/_build/results?buildId=49473914&view=logs&j=27307724-e5a4-5138-9d40-a20492a83fb9&t=4b1e7d67-b75d-56af-b74f-61b128864bf7&l=32

So unfortunately, until this changes, we'll only be able to address CodeQL issues indirectly via partners reporting issues when they run the task.

asklar commented 2 years ago

@jonthysell could we file a bug to / push this onto the CodeQL team?

jonthysell commented 2 years ago

Opened #9994 to track CodeQL's missing GitHub support.