---
name: CodeQL false positive
about: Report CodeQL alerts that you think should not have been detected (not applicable, not exploitable, etc.)
title: False positive
labels: false-positive
assignees: ''

---

**Description of the false positive**

<!-- Please explain briefly why you think it shouldn't be included. -->

**Code samples or links to source code**

<!--
For open source code: file links with line numbers on GitHub, for example:
https://github.com/github/codeql/blob/dc440aaee6695deb0d9676b87e06ea984e1b4ae5/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js#L10

For closed source code: (redacted) code samples that illustrate the problem, for example:

```
function execSh(command, options) {
  return cp.spawn(getShell(), ["-c", command], options) // <- command line injection
};
```
-->

**URL to the alert on GitHub code scanning (optional)**

<!--
1. Open the project on GitHub.com.
2. Switch to the `Security` tab.
3. Browse to the alert that you would like to report.
4. Copy and paste the page URL here.
-->