Inconsistency between the sarif file and information from vscode codeql panel #18933

Open
lllssskkk opened this issue Mar 5, 2025 · 3 comments
Labels: awaiting-response (The CodeQL team is awaiting further input or clarification from the original reporter of this issue.), question (Further information is requested), Stale

Comments

@lllssskkk

I'm running a query. The vscode codeql addon gives the following analysis result.

Image

From the image, I suppose there should be 8 paths in total. However, when I look at the sarif file, it only presents four. What about the other four? The first and second thread flows belong to the upper one, third and fourth belong to the lower one.

```
...
"codeFlows" : [
  {
    "first thread flow" : [{}]
  },
  {
    "second thread flow" : [{}]
  },
  {
    "third thread flow" : [{}]
  },
  {
    "fourth thread flow" : [{}]
  }
],
...
```
@lllssskkk lllssskkk added the question Further information is requested label Mar 5, 2025
@mbg
Member

mbg commented Mar 7, 2025

Hi @lllssskkk 👋🏻

I believe the codeFlows property is specific to a SARIF "result" object. In VSCode, you show two results, so I'd expect there to be two "result" objects in the SARIF file, each with four elements in their respective codeFlows property. Could you check whether that's the case? If not, are you able to share the SARIF file?

@mbg mbg self-assigned this Mar 7, 2025
@mbg mbg added the awaiting-response The CodeQL team is awaiting further input or clarification from the original reporter of this issue. label Mar 7, 2025
@lllssskkk
Author

Hi, I apologize for the late response. I didn't notice that I got a reply. Yes, I can share the sarif file with you.

I double checked. Indeed you are right, but partially.

Image

If I right click on the history and select "View Alerts (SARIF)", I shall see two elements in the results field, and each holds 4 threadFlows in codeFlows.

But running the same query, against the same database, from the command line, the result sarif file only contains one element in the results, and it holds 4 threadFlows in codeFlows. The first and second thread flows belong to the upper one, third and fourth belong to the lower one.

Also, the result messages are different. I attach both in the comment.

fromCodeQLPanel.json
directlyFromSarif.json
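
The check requested in the reply above, and the panel-versus-command-line comparison described in this comment, can be scripted. The following is an added example, not code from the issue or from the CodeQL project: it lists each SARIF result with its codeFlows and threadFlows counts and diffs two files. The sample documents, the rule id `example/rule` and the paths are constructed and are not the attached files; the names `summarize`, `compare` and `make_result` are hypothetical.

```python
import json
import sys
from collections import Counter

def primary_location(result):
    """Return 'uri:line' for the result's first location."""
    phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri")
    line = phys.get("region", {}).get("startLine")
    return f"{uri}:{line}"

def summarize(sarif):
    """One row per result: (ruleId, primary location, #codeFlows, #threadFlows)."""
    rows = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            flows = result.get("codeFlows", [])
            threads = sum(len(cf.get("threadFlows", [])) for cf in flows)
            rows.append((result.get("ruleId"), primary_location(result),
                         len(flows), threads))
    return rows

def compare(a, b):
    """Rows found only in a and only in b (multiset difference)."""
    ca, cb = Counter(summarize(a)), Counter(summarize(b))
    return sorted((ca - cb).elements()), sorted((cb - ca).elements())

def make_result(rule, uri, line, n_flows):
    """Build a constructed SARIF result with n_flows single-thread codeFlows."""
    loc = {"physicalLocation": {"artifactLocation": {"uri": uri},
                                "region": {"startLine": line}}}
    return {"ruleId": rule, "message": {"text": "constructed"},
            "locations": [loc],
            "codeFlows": [{"threadFlows": [{"locations": []}]}] * n_flows}

# Constructed samples mirroring the shapes reported in the issue.
PANEL = {"version": "2.1.0", "runs": [{"results": [
    make_result("example/rule", "src/a.c", 10, 4),
    make_result("example/rule", "src/a.c", 20, 4)]}]}
CLI = {"version": "2.1.0", "runs": [{"results": [
    make_result("example/rule", "src/a.c", 10, 4)]}]}

if __name__ == "__main__":
    docs = (PANEL, CLI)
    if len(sys.argv) == 3:  # or pass two SARIF file paths
        docs = tuple(json.load(open(p, encoding="utf-8")) for p in sys.argv[1:])
    for doc in docs:
        print(summarize(doc))
    print("only in first / only in second:", compare(*docs))
```

Run with the two attached file names as arguments to compare real exports instead of the constructed samples.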

Contributor

This issue is stale because it has been open 14 days with no activity. Comment or remove the Stale label in order to avoid having this issue closed in 7 days.

@github-actions github-actions bot added the Stale label Mar 28, 2025
2 participants