GitHub CodeQL (formerly Semmle LGTM)

[chennes]

I don't know if this will be useful to anyone besides me, but when I tried to use Visual Studio to work with the static analysis results in the .sarif files, I ran into some headaches. So I've written a small SARIF file processor that I am using to clean the files so they work well with Visual Studio (and presumably other SARIF readers, but I haven't tested anything else). It's on GitHub, of course: https://github.com/chennes/CleanSARIF

I've put up some precompiled binaries for Windows and Linux (I don't really know how to package for Linux, though, so you might be better off just compiling it yourself!). Comments, bug reports, etc. are all welcome. It needs some polishing, but I've been using it and it more or less does what I needed it to .

[saso]

I don't know if this will be useful to anyone besides me, but when I tried to use Visual Studio to work with the static analysis results in the .sarif files, I ran into some headaches. So I've written a small SARIF file processor that I am using to clean the files so they work well with Visual Studio (and presumably other SARIF readers, but I haven't tested anything else). It's on GitHub, of course: https://github.com/chennes/CleanSARIF

Looks Great! The different scanners do have some options to exports the logs in a few different ways, but obviously it is hard to make this usefully for everyone and specially in a such diverse project development as we have with FreeCAD, this should indeed be a great tool for everyone to adjust the logs to their own needs. Thanks!

[chennes]

I've made some minor tweaks and posted CleanSARIF Release Candidate 2 (it sounds so fancy and formal!). Mostly I added icons . I've attached two generic filter files to this post. I've been using these on the most recent batch of FreeCAD results to get rid of some of the results that aren't needed. I've found that it's also helpful sometimes to add filters that exclude everything but a particular workbench, so I can focus on just that one (since PRs should be broken down by WB, ideally).

To use these in the app, remove the extra ".txt" extension added to make the forums happy.

[Kunda1]

neat!

[saso]

New report from build 0.20.25220 has been created...

[saso]

New report from build 0.20.28030 has been created...

[saso]

New report from build 0.21.30257 has been created...

Also a note about the shut down of LGTM.com
https://github.blog/2022-08-15-the-next ... -scanning/

[saso]

New report from build 0.21.32049 has been created for cpp and python. Since we had this on the LGTM site before, I guess it is ok to also publish this now public...

https://mega.nz/file/vQJzDAoC#9veX3vSMI ... sUdVSLIwr4

[saso]

New report from build 0.21.33678 has been created...

https://mega.nz/file/KNRRzBwY#Jkd1DmRrQ ... mj69EiRTNM


Few recent blogposts about some of the technologies behind CodeQL, for those that have some interest in this...
https://github.blog/2023-03-31-codeql-z ... -research/ CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research
https://github.blog/2023-06-15-codeql-z ... th-codeql/ CodeQL zero to hero part 2: getting started with CodeQL
https://github.blog/2023-10-19-icymi-im ... or-lombok/ ICYMI: improved C++ vulnerability coverage and CodeQL support for Lombok