CodeQL should respect Java's @SuppressWarnings("all") annotation #7294

Open
lenaschoenburg opened this issue Dec 2, 2021 · 7 comments
Labels
enhancement New feature or request Java

Comments

@lenaschoenburg

Description of the issue
Similar to #2076, it'd be nice to respect @SuppressWarnings(all) by suppressing all lgtm warnings. This is often used by generated code, for example code generated by SBE:

https://github.com/real-logic/simple-binary-encoding/blob/44ca92f152cbfaaaf0b72bc9ee08e2f2c345b303/sbe-tool/src/main/java/uk/co/real_logic/sbe/generation/java/JavaGenerator.java#L1664

@lenaschoenburg lenaschoenburg added the question Further information is requested label Dec 2, 2021
@aibaars
Contributor

aibaars commented Dec 2, 2021

It should be easy to extend AlertSuppressionAnnotations.ql that was introduced in #2152 to treat @SuppressWarnings(all) as equivalent to @SuppressWarnings(lgtm). This would make LGTM suppress the alerts and the CodeQL CLI would mark the alerts as suppressedInSource in its SARIF output.

@aeisenberg aeisenberg added Java enhancement New feature or request and removed question Further information is requested labels Dec 2, 2021
@smowton
Contributor

smowton commented Dec 3, 2021

@oleschoenburg are you using code scanning, LGTM or the CLI to run your analysis?

@lenaschoenburg
Author

@smowton We are using the CodeQL GitHub Workflow

@aibaars
Contributor

aibaars commented Dec 3, 2021

GitHub CodeScanning does not support alert suppression comments and annotations at the moment. Please file a feature request in https://github.com/github/codeql/discussion.

As a workaround you might want to use https://github.com/zbazztian/filter-sarif. This is an Action that can be used to filter results by file path. You can use it to remove results from the "SARIF" file containing the alerts before it is uploaded to the CodeScanning API. As a quick way to get a list of file paths you could run git grep -l '@SuppressWarnings(all)' .
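
The file-path workaround above, as an added Python example that is neither part of this thread nor of filter-sarif: it finds Java files whose source carries @SuppressWarnings("all") (assuming the annotation is written with the quoted string value, as javac requires) and drops CodeQL results located in those files from the SARIF log before it is uploaded. The Java sources and the SARIF log are constructed inline; the match is per file, so an annotation on one class suppresses every result in that file, just as the git grep list would.

```python
import json
import re

# Java's @SuppressWarnings("all"), including the array form {"unchecked", "all"}
# and the explicit value= form. Matches at file level, like the git grep workaround.
SUPPRESS_ALL_RE = re.compile(r'@SuppressWarnings\s*\(\s*(?:value\s*=\s*)?\{?[^)]*"all"[^)]*\)')

# Constructed sample sources: the generated file carries the annotation, the other does not.
JAVA_SOURCES = {
    "src/gen/MessageEncoder.java": '@SuppressWarnings({"unchecked", "all"})\npublic class MessageEncoder {}\n',
    "src/app/Service.java": '@SuppressWarnings("unchecked")\npublic class Service {}\n',
}

def location(uri):
    """Build a minimal SARIF physicalLocation for a constructed result."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri}}}

# Constructed minimal SARIF 2.1.0 log with one CodeQL result per file.
SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": [
    {"ruleId": "java/unused-variable", "locations": [location("src/gen/MessageEncoder.java")]},
    {"ruleId": "java/unused-variable", "locations": [location("src/app/Service.java")]},
]}]}

def files_suppressing_all(sources):
    """Paths whose Java source carries @SuppressWarnings("all")."""
    return {path for path, text in sources.items() if SUPPRESS_ALL_RE.search(text)}

def result_uris(result):
    """Artifact URIs of a SARIF result's primary locations."""
    return {loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
            for loc in result.get("locations", [])} - {None}

def drop_suppressed_results(sarif, suppressed_paths):
    """Return a deep copy of the SARIF log minus results located in suppressed files,
    plus the number of results removed. The input log is left untouched."""
    out = json.loads(json.dumps(sarif))
    removed = 0
    for run in out.get("runs", []):
        kept = [r for r in run.get("results", []) if not result_uris(r) & set(suppressed_paths)]
        removed += len(run.get("results", [])) - len(kept)
        run["results"] = kept
    return out, removed

if __name__ == "__main__":
    filtered, n = drop_suppressed_results(SARIF, files_suppressing_all(JAVA_SOURCES))
    print(f"dropped {n} result(s), {len(filtered['runs'][0]['results'])} left to upload")
```

In a workflow this would sit between the `github/codeql-action/analyze` step and the upload step, reading the real source tree and SARIF file instead of the constructed inputs.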

@lenaschoenburg
Author

Okay, thanks for the clarification! Still would be a useful improvement I think 🙂

@Marcono1234
Contributor

Just for reference: The "all" value is not standardized, it is not mentioned in the language specification. And apparently javac indeed does not support it (yet), see JDK-7141469. However, Eclipse and IntelliJ both seem to support it.
So it probably makes sense to have CodeQL support it nonetheless?

@leerho

leerho commented Dec 9, 2022

It has been a year now. Where is this issue of being able to suppress codeQL errors and warnings that are determined to be false positives?
