gradle: False positives from generated code from the version catalog feature

[recke96]

Using the version catalog feature of gradle (https://docs.gradle.org/current/userguide/platforms.html) with the default libs.versions.toml file produces false positives such as:

.gradle/8.4/dependencies-accessors/1989acdfa2790571c9dc5975340ca543de5bf0a0/sources/org/gradle/accessors/dm/LibrariesForLibsInPluginsBlock.java:609
This method overrides ProviderConvertible.asProvider; it is advisable to add an Override annotation.

This is generated code and should not produce a warning (even if it's just at the note level)

Example source: https://github.com/recke96/HemaTournament/blob/main/gradle/libs.versions.toml
Corresponding alerts: https://github.com/recke96/HemaTournament/security/code-scanning

[jketema]

Hi @recke96,

Thanks for your report. By default we do not exclude any generated code, but we'll discuss the particular case internally.

For now I can offer two workarounds:

• If the path to the generate file is actually stable across builds, then it should suffice to just dismiss the alerts, and they should stay closed after that.
• Alternatively, you can filter the Sarif file produced by the CodeQL analysis before you upload it. This can be done using, for example, the filter-sarif action: https://github.com/advanced-security/filter-sarif

[recke96]

I understand. I think it's an interesting case because the generated code is not shipped but "just" part of the build logic.

Should I close this issue?

[jketema]

Should I close this issue?

Let's just leave this open for now, as this is a genuine issue.