Conversation
initial commit of changes starting to add quality tagging standards
Would it be worth adding that there is a limit of 10 tags (including the automatically added CWE tags)? Otherwise, there's a warning message when the SARIF is parsed/alerts for that query are displayed in the UI. (At least when calling the API; not sure about SARIF uploads from the GitHub action.)
minor tag changes to align with existing tags
I don't see any problem with adding that, I can update.
adityasharad left a comment
Looks good in general, minor suggestions and we can keep improving over time.
Maintainers are expected to add a `@security-severity` tag to security-relevant queries that will be run on Code Scanning. There is a documented internal process for generating these `@security-severity` values.

TODO: should we have a severity value for quality queries?
There is already a non-security problem.severity field, which can be error/warning/recommendation/none.
A while ago we intended `severity` to be the new spelling of `problem.severity` (and `@kind alert` to replace `@kind problem`). This document is even older than that, and we never got around to switching existing queries to the new spelling. But should we change this to those, or do we want to go back on those changes?
Hey @alexet - ah... I did not know that history. I'm open to whatever the team thinks is best. @yo-h and @adityasharad, do you have opinions on what to do here?
I also did not know that history, so I have been adding queries with @problem.severity and @kind {path-}problem for the past 2+ years. 😅 It looks like those changes were made in 2021 (https://github.com/github/semmle-code/pull/39133, https://github.com/github/semmle-code/pull/39132), but when I joined in 2022, I was directed to this metadata style guide and metadata-for-codeql-queries which both still only listed problem.severity and {path-}problem as options.
should we change this to those or do we want to go back on those changes
Searching in the codeql repo shows only a handful of queries using @severity (mostly model-generator related queries) and no queries using @kind path-alert or @kind alert. Since it's been four years since these changes were made, and they haven't been used much, maybe it makes sense to go back on them? Or at least not prioritize them now?
Yeah the CLI recognises those variants, but we never changed the guidance and existing practices :) I am fine keeping the aliases around so we can change over later to the newer names, but no need to rewrite any existing code.
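The conventions this thread lands on (a `@security-severity` tag on security-relevant queries, `problem.severity` restricted to error/warning/recommendation/none, `@severity` and `@kind alert`/`path-alert` kept as CLI-recognised aliases, and the 10-tag limit raised in the first comment) can be checked mechanically before a query is merged. The script below is an added example written for this page, not code from the CodeQL repository or from anyone in the thread. The `parse_metadata`/`lint_metadata` helpers, the two sample query headers, and the assumption that the 10-tag limit is applied to every entry listed under `@tags` (the thread says CWE tags count but does not say how they are added) are all mine.

```python
"""Lint the QLDoc metadata block of a CodeQL query against the tagging
conventions discussed above. Added example; not part of the CodeQL repo.

Checks:
  - @kind is problem/path-problem (alert/path-alert accepted as aliases)
  - @problem.severity (or its newer alias @severity) is one of the
    non-security severities: error, warning, recommendation, none
  - a query tagged `security` carries a @security-severity value
  - the @tags list does not exceed 10 entries (assumption: every entry in
    the header counts towards the limit, CWE tags included)
"""
import re

# Canonical @kind values plus the aliases the CLI recognises (per the thread).
KIND_CANONICAL = {
    "problem": "problem",
    "path-problem": "path-problem",
    "alert": "problem",
    "path-alert": "path-problem",
}
SEVERITY_VALUES = {"error", "warning", "recommendation", "none"}
MAX_TAGS = 10  # assumption: limit applies to the whole @tags list

# " * @key value" inside the QLDoc comment
META_RE = re.compile(r"^\s*\*\s*@([A-Za-z][\w.-]*)\s*(.*?)\s*$")


def parse_metadata(ql_source: str) -> dict:
    """Return @key -> value from the first /** ... */ block of a .ql file.

    Lines without an @key are continuation lines (e.g. a multi-line @tags
    list) and are appended to the previous key's value.
    """
    match = re.search(r"/\*\*(.*?)\*/", ql_source, re.S)
    if not match:
        return {}
    meta, last_key = {}, None
    for raw in match.group(1).splitlines():
        m = META_RE.match(raw)
        if m:
            last_key, meta[last_key] = m.group(1), m.group(2)
        elif last_key is not None:
            cont = raw.strip().lstrip("*").strip()
            if cont:
                meta[last_key] = (meta[last_key] + " " + cont).strip()
    return meta


def lint_metadata(meta: dict) -> list:
    """Return a list of problem strings; an empty list means the header is clean."""
    problems = []

    kind = meta.get("kind")
    if kind is None:
        problems.append("missing @kind")
    elif kind not in KIND_CANONICAL:
        problems.append(f"unknown @kind {kind!r}")

    # @severity is the newer spelling of @problem.severity; accept either.
    severity = meta.get("problem.severity", meta.get("severity"))
    if severity is None:
        problems.append("missing @problem.severity")
    elif severity not in SEVERITY_VALUES:
        problems.append(f"invalid @problem.severity {severity!r}")

    tags = meta.get("tags", "").split()
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")

    if "security" in tags and "security-severity" not in meta:
        problems.append("security query without @security-severity")
    return problems


def lint_source(ql_source: str) -> list:
    """Convenience wrapper: parse then lint a whole .ql file's text."""
    return lint_metadata(parse_metadata(ql_source))


# Constructed sample headers (not real queries from the CodeQL repo).
GOOD_QUERY = """\
/**
 * @name Reflected cross-site scripting
 * @description Writing user input straight to an HTTP response allows XSS.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.1
 * @precision high
 * @id example/reflected-xss
 * @tags security
 *       external/cwe/cwe-079
 */
select 1
"""

BAD_QUERY = """\
/**
 * @name Header with too many tags and a bad severity
 * @kind alert
 * @severity critical
 * @id example/bad-header
 * @tags security correctness maintainability readability performance
 *       external/cwe/cwe-020 external/cwe/cwe-079 external/cwe/cwe-089
 *       external/cwe/cwe-094 external/cwe/cwe-116 external/cwe/cwe-117
 */
select 1
"""

if __name__ == "__main__":
    for name, src in (("good", GOOD_QUERY), ("bad", BAD_QUERY)):
        print(name, lint_source(src) or "ok")
```

Running the module lints the two constructed headers: the first passes, the second is reported for its `critical` severity, its 11 tags, and the missing `@security-severity` despite the `security` tag, while its `@kind alert` and `@severity` spellings are accepted as aliases rather than flagged.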