From be97a8d158cdb374cd4dee2748187ad82890010b Mon Sep 17 00:00:00 2001
From: Andreas Motl
Date: Thu, 14 Nov 2024 00:45:21 +0100
Subject: [PATCH] Chore: Suppress unqualified CodeQL admonitions

GitHub's CodeQL flags [1] those spots with "Unused global variable" [2]. Based on a suggestion [3], this patch attempts to use the `advanced-security/dismiss-alerts` [4] GitHub Action recipe to provide measures to suppress CodeQL flagging by using inline code annotations.

[1] https://github.com/crate/crate-python/security/code-scanning
[2] https://codeql.github.com/codeql-query-help/python/py-unused-global-variable/
[3] Issue 11427 at https://github.com/github/codeql/issues
[4] https://github.com/advanced-security/dismiss-alerts
---
 .github/workflows/codeql.yml | 19 +++++++++++++++++++
 src/crate/client/__init__.py | 1 +
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6a23088d..0e099fca 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -53,6 +53,8 @@ jobs:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yml
           queries: +security-and-quality
+          # run an 'alert-suppression' query
+          packs: "codeql/${{ matrix.language }}-queries:AlertSuppression.ql"
 
       #- name: Autobuild
       # uses: github/codeql-action/autobuild@v2
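Review bot: The new `packs:` entry carries no version, so the AlertSuppression query is resolved to whatever pack version the action picks up at run time, and the set of suppressed alerts can silently change between runs of an otherwise unchanged workflow; pinning it, `packs: "codeql/${{ matrix.language }}-queries@<pack-version>:AlertSuppression.ql"` (placeholder version), keeps the analysis reproducible. The comment above it says what the line does but not why it is there; `# emit alert-suppression results into the SARIF so the dismiss-alerts step can act on inline codeql[...] annotations` would tell the next reader why this query is needed alongside the security-and-quality suite. The `with:` block and the init step it belongs to start outside the hunk.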
@@ -62,4 +64,21 @@ jobs:
           uv pip install --system '.[test]'
 
       - name: Perform CodeQL Analysis
+        id: analyze
         uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+          # define the output folder for SARIF files
+          output: sarif-results
+
+      # Unlock inline mechanism to suppress CodeQL warnings.
+      # https://github.com/github/codeql/issues/11427#issuecomment-1721059096
+      - name: Dismiss alerts
+        # if: github.ref == 'refs/heads/main'
+        uses: advanced-security/dismiss-alerts@v1
+        with:
+          # specify a 'sarif-id' and 'sarif-file'
+          sarif-id: ${{ steps.analyze.outputs.sarif-id }}
+          sarif-file: sarif-results/${{ matrix.language }}.sarif
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/src/crate/client/__init__.py b/src/crate/client/__init__.py
index 35a53d6e..61a61a88 100644
--- a/src/crate/client/__init__.py
+++ b/src/crate/client/__init__.py
@@ -31,6 +31,7 @@
 # regex!
 __version__ = "1.0.0"
 
+# codeql[py/unused-global-variable]
 apilevel = "2.0"
 threadsafety = 1
 paramstyle = "qmark"
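Review bot: `uses: advanced-security/dismiss-alerts@v1` references a mutable tag for a step that runs with `github.token` and is allowed to dismiss code-scanning alerts; pinning it to a full commit SHA, `uses: advanced-security/dismiss-alerts@<commit-sha>  # v1` (placeholder), keeps a moved tag from changing what executes with that token. With the `if: github.ref == 'refs/heads/main'` guard left commented out, the step runs on every ref this workflow covers, so an inline `codeql[...]` annotation pushed to any branch dismisses the matching alert as soon as the workflow runs there; if that is intended, a comment stating it would help, otherwise restoring the guard confines dismissal to the default branch. The step also needs `security-events: write`, which would be granted in the workflow's `permissions:` block outside this hunk — worth confirming it is present, since the dismissal otherwise fails quietly or not at all depending on the token scope. The `steps:` list this hunk extends begins outside the hunk.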
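Review bot: The `# codeql[py/unused-global-variable]` marker on a line of its own covers only the line that follows it, `apilevel = "2.0"`; if CodeQL also flags `threadsafety` and `paramstyle` (the commit message speaks of several spots), each of those needs its own marker, for example as a trailing comment on the same line. The annotation also records no reason, so a later reader cannot tell a false positive from a deliberate waiver; a line such as `# PEP 249 (DB-API 2.0) module attributes, read by consumers, so the "unused" alert is a false positive.` above the marker would capture that — the three assignments being the DB-API attributes is inferred from their names and values, not visible in the hunk. Keeping the waiver narrow to this query id, as the hunk does, is the right choice, since the same mechanism can silence the security queries too.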