From 6c9a75eab36ba8724c93f93c71573200b16bc35c Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Thu, 4 Sep 2025 13:56:53 +0200
Subject: [PATCH 01/10] C#: Include metrics in the database quality diagnostics.
---
 .../Telemetry/DatabaseQualityDiagnostics.ql | 37 ++++++++++++-------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql b/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
index bde07633d941..34d2b56658e1 100644
--- a/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+++ b/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
@@ -8,26 +8,37 @@ import csharp import DatabaseQuality +private int getThreshold() { result = 85 } + private newtype TDbQualityDiagnostic = - TTheDbQualityDiagnostic() { - exists(float percentageGood | - CallTargetStatsReport::percentageOfOk(_, percentageGood) - or - ExprTypeStatsReport::percentageOfOk(_, percentageGood) - | - percentageGood < 95 - ) + TTheDbQualityDiagnostic(string callMsg, float callTargetOk, string exprMsg, float exprTypeOk) { + CallTargetStatsReport::percentageOfOk(callMsg, callTargetOk) and + ExprTypeStatsReport::percentageOfOk(exprMsg, exprTypeOk) and + [callTargetOk, exprTypeOk] < getThreshold() } class DbQualityDiagnostic extends TDbQualityDiagnostic { + private string callMsg; + private float callTargetOk; + private float exprTypeOk; + private string exprMsg; + + DbQualityDiagnostic() { + this = TTheDbQualityDiagnostic(callMsg, callTargetOk, exprMsg, exprTypeOk) + } + + private string getDbHealth() { + result = + callMsg + ": " + callTargetOk.floor() + ". " + exprMsg + ": " + exprTypeOk.floor() + ". " + } + string toString() { result = "Scanning C# code completed successfully, but the scan encountered issues. " + - "This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- " - + - "see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. " - + - "Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning C# " + "This may be caused by problems identifying dependencies or use of generated source code. " + + "Some metrics of the database quality are: " + this.getDbHealth() + + "Both of these metrics should ideally be above " + getThreshold() + ". " + + "Addressing these issues is advisable to avoid false-positives or missing results. 
If they cannot be addressed, consider scanning C# " + "using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes)." } From 08298f48d00c3154463744cd4228cc6b5209dea1 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 4 Sep 2025 14:03:58 +0200 Subject: [PATCH 02/10] C#: Add change note. --- csharp/ql/src/change-notes/2025-09-04-database-diagnostics.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/src/change-notes/2025-09-04-database-diagnostics.md diff --git a/csharp/ql/src/change-notes/2025-09-04-database-diagnostics.md b/csharp/ql/src/change-notes/2025-09-04-database-diagnostics.md new file mode 100644 index 000000000000..8bf63438089d --- /dev/null +++ b/csharp/ql/src/change-notes/2025-09-04-database-diagnostics.md @@ -0,0 +1,4 @@ +--- +category: fix +--- +* The message for `csharp/diagnostic/database-quality` has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page. From 7bf05297cfcfb9b45dbc8f642e54de6337612f92 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 4 Sep 2025 14:15:03 +0200 Subject: [PATCH 03/10] C#: Update integration test expected output. --- .../standalone/DatabaseQualityDiagnostics.expected | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected b/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected index b26e22079462..a84ea88f462c 100644 --- a/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected 
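Review bot: The rewritten `TTheDbQualityDiagnostic` takes both metrics as parameters and joins them with `and`, so the diagnostic only exists when `CallTargetStatsReport::percentageOfOk` and `ExprTypeStatsReport::percentageOfOk` both produce a value, whereas the removed code used `or` and fired as soon as either metric was available and below the bar. If one report yields nothing for a given database (how `percentageOfOk` behaves with no calls or no typed expressions is not visible here), the quality warning silently disappears instead of reporting the metric that is known. Keeping the newtype nullary and collecting the metrics through one disjunctive predicate restores the old trigger and gives `getDbHealth` a single relation to aggregate over instead of four class fields; the `.floor()`-ed values in `getDbHealth` are also printed without any unit, so `": 25. "` reads as a count rather than a percentage.
```ql
private predicate metric(string msg, float value) {
  CallTargetStatsReport::percentageOfOk(msg, value)
  or
  ExprTypeStatsReport::percentageOfOk(msg, value)
}

private newtype TDbQualityDiagnostic =
  TTheDbQualityDiagnostic() { exists(float value | metric(_, value) and value < getThreshold()) }
// … unchanged: DbQualityDiagnostic class; getDbHealth would concatenate over metric(msg, value) …
```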
+++ b/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected 
@@ -1,6 +1,6 @@ diagnosticAttributes -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityCliSummaryTable | true | -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityStatusPage | true | -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. 
If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityTelemetry | true | +| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityCliSummaryTable | true | +| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityStatusPage | true | +| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. 
Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityTelemetry | true | #select -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | 1 | +| Scanning C# code completed successfully, but the scan encountered issues. 
This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | 1 | From 827ea4c769a0059da4dd1598552d031fee4127cf Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 8 Sep 2025 10:11:58 +0200 Subject: [PATCH 04/10] C#: Address review comments. --- .../Telemetry/DatabaseQualityDiagnostics.ql | 44 ++++++++++--------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql b/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql index 34d2b56658e1..207a25081a20 100644 --- a/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql +++ b/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql 
@@ -8,36 +8,38 @@ import csharp import DatabaseQuality -private int getThreshold() { result = 85 } +private predicate diagnostic(string msg, float value, float threshold) { + CallTargetStatsReport::percentageOfOk(msg, value) and + threshold = 85 + or + ExprTypeStatsReport::percentageOfOk(msg, value) and + threshold = 85 +} private newtype TDbQualityDiagnostic = - TTheDbQualityDiagnostic(string callMsg, float callTargetOk, string exprMsg, float exprTypeOk) { - CallTargetStatsReport::percentageOfOk(callMsg, callTargetOk) and - ExprTypeStatsReport::percentageOfOk(exprMsg, exprTypeOk) and - [callTargetOk, exprTypeOk] < getThreshold() - } - -class DbQualityDiagnostic extends TDbQualityDiagnostic { - private string callMsg; - private float callTargetOk; - private float exprTypeOk; - private string exprMsg; - - DbQualityDiagnostic() { - this = TTheDbQualityDiagnostic(callMsg, callTargetOk, exprMsg, exprTypeOk) + TTheDbQualityDiagnostic() { + exists(float percentageGood, float threshold | + diagnostic(_, percentageGood, threshold) and + percentageGood < threshold + ) } - private string getDbHealth() { - result = - callMsg + ": " + callTargetOk.floor() + ". " + exprMsg + ": " + exprTypeOk.floor() + ". " - } +private string getDbHealth() { + result = + strictconcat(string msg, float value, float threshold | + diagnostic(msg, value, threshold) + | + msg + ": " + value.floor() + " % (threshold " + threshold.floor() + " %)", ". " + ) +} +class DbQualityDiagnostic extends TDbQualityDiagnostic { string toString() { result = "Scanning C# code completed successfully, but the scan encountered issues. " + "This may be caused by problems identifying dependencies or use of generated source code. " + - "Some metrics of the database quality are: " + this.getDbHealth() + - "Both of these metrics should ideally be above " + getThreshold() + ". " + + "Some metrics of the database quality are: " + getDbHealth() + ". " + + "Ideally these metrics should be above their thresholds. 
" + "Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# " + "using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes)." From ed11a32f422e6b51b8c61f290338a1fec11b46dd Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 8 Sep 2025 10:22:40 +0200 Subject: [PATCH 05/10] C#: Update integration test expected output. --- .../standalone/DatabaseQualityDiagnostics.expected | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected b/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected index a84ea88f462c..e9b4f2e24283 100644 --- a/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected +++ b/csharp/ql/integration-tests/all-platforms/standalone/DatabaseQualityDiagnostics.expected 
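Review bot: The threshold literal `85` appears twice in `diagnostic`, once per disjunct, and nothing records whether the two metrics are meant to share one bar or whether the `threshold` column exists so they can diverge later; a single `private float defaultThreshold() { result = 85 }` referenced by both disjuncts, plus a QLDoc on the predicate such as `/** Holds if msg names a database-quality metric whose value (in percent) is expected to stay at or above threshold. */`, would make the intent explicit. `getDbHealth` is likewise undocumented and only has a result because `strictconcat` is evaluated after `TTheDbQualityDiagnostic` has guaranteed at least one `diagnostic` row; a short comment saying so would stop a future refactor from calling it unguarded, where an empty set would remove the whole `toString` result. The `toString` body and the class closing braces lie past the end of the hunk.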
@@ -1,6 +1,6 @@ diagnosticAttributes -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityCliSummaryTable | true | -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityStatusPage | true | -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. 
If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityTelemetry | true | +| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25 % (threshold 85 %). Percentage of expressions with known type: 58 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityCliSummaryTable | true | +| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25 % (threshold 85 %). Percentage of expressions with known type: 58 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityStatusPage | true | +| Scanning C# code completed successfully, but the scan encountered issues. 
This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25 % (threshold 85 %). Percentage of expressions with known type: 58 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityTelemetry | true | #select -| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25. Percentage of expressions with known type: 58. Both of these metrics should ideally be above 85. Addressing these issues is advisable to avoid false-positives or missing results. 
If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | 1 | +| Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25 % (threshold 85 %). Percentage of expressions with known type: 58 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | Scanning C# code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 25 % (threshold 85 %). Percentage of expressions with known type: 58 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning C# using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | 1 | From b0ef0f06eb3592a6cc5f98e4f562b6f81650525b Mon Sep 17 00:00:00 2001 
From: Michael Nebel
Date: Mon, 8 Sep 2025 11:49:40 +0200
Subject: [PATCH 06/10] Java: Include metrics in the database quality diagnostics and lower threshold.
---
 .../Telemetry/DatabaseQualityDiagnostics.ql | 35 +++++++++++++------
 1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql b/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
index 6bbe1d11ee1c..ad58b90bc95c 100644
--- a/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+++ b/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
@@ -8,26 +8,39 @@ import java import DatabaseQuality +private predicate diagnostic(string msg, float value, float threshold) { + CallTargetStatsReport::percentageOfOk(msg, value) and + threshold = 85 + or + ExprTypeStatsReport::percentageOfOk(msg, value) and + threshold = 85 +} + private newtype TDbQualityDiagnostic = TTheDbQualityDiagnostic() { - exists(float percentageGood | - CallTargetStatsReport::percentageOfOk(_, percentageGood) - or - ExprTypeStatsReport::percentageOfOk(_, percentageGood) - | - percentageGood < 95 + exists(float percentageGood, float threshold | + diagnostic(_, percentageGood, threshold) and + percentageGood < threshold ) } +private string getDbHealth() { + result = + strictconcat(string msg, float value, float threshold | + diagnostic(msg, value, threshold) + | + msg + ": " + value.floor() + " % (threshold " + threshold.floor() + " %)", ". " + ) +} + class DbQualityDiagnostic extends TDbQualityDiagnostic { string toString() { result = "Scanning Java code completed successfully, but the scan encountered issues. " + - "This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- " - + - "see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. " - + - "Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java " + "This may be caused by problems identifying dependencies or use of generated source code. " + + "Some metrics of the database quality are: " + getDbHealth() + ". " + + "Ideally these metrics should be above their thresholds. " + + "Addressing these issues is advisable to avoid false-positives or missing results. 
If they cannot be addressed, consider scanning Java " + "using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes)." } From 3f4b2b7cc83cd2416c398a93d68dfb51a5bf9e0b Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 8 Sep 2025 11:52:37 +0200 Subject: [PATCH 07/10] Java: Add change note. --- java/ql/src/change-notes/2025-09-04-database-diagnostics.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/src/change-notes/2025-09-04-database-diagnostics.md diff --git a/java/ql/src/change-notes/2025-09-04-database-diagnostics.md b/java/ql/src/change-notes/2025-09-04-database-diagnostics.md new file mode 100644 index 000000000000..ca035346f9f1 --- /dev/null +++ b/java/ql/src/change-notes/2025-09-04-database-diagnostics.md @@ -0,0 +1,4 @@ +--- +category: fix +--- +* The message for `java/diagnostic/database-quality` has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page. From 572da264d34174716ceb3b6d95237f1883daa08f Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 8 Sep 2025 11:56:11 +0200 Subject: [PATCH 08/10] Java: Update integration test expected output. --- .../DatabaseQualityDiagnostics.expected | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/java/ql/integration-tests/java/buildless-erroneous/DatabaseQualityDiagnostics.expected b/java/ql/integration-tests/java/buildless-erroneous/DatabaseQualityDiagnostics.expected index e50a800d25c3..a22cf324a384 100644 --- a/java/ql/integration-tests/java/buildless-erroneous/DatabaseQualityDiagnostics.expected +++ b/java/ql/integration-tests/java/buildless-erroneous/DatabaseQualityDiagnostics.expected 
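Review bot: `getDbHealth` leaves the order of the concatenated entries to `strictconcat`'s default, which sorts the fully formatted strings, so the metrics are listed alphabetically by message text rather than in the order `diagnostic` declares them; the call-target line currently sorts first only because "calls" precedes "expressions". Adding an explicit ordering, `msg + ": " + value.floor() + " % (threshold " + threshold.floor() + " %)", ". " order by msg`, records that the sequence is deliberate and keeps it from shifting if a report's wording is edited. Neither `diagnostic` nor `getDbHealth` carries QLDoc; one sentence on each stating that values and thresholds are percentages would match the rest of the query's style. The class closing brace is outside the hunk.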
@@ -1,6 +1,6 @@ diagnosticAttributes -| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityCliSummaryTable | true | -| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityStatusPage | true | -| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. 
If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityTelemetry | true | +| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 20 % (threshold 85 %). Percentage of expressions with known type: 14 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityCliSummaryTable | true | +| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 20 % (threshold 85 %). Percentage of expressions with known type: 14 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityStatusPage | true | +| Scanning Java code completed successfully, but the scan encountered issues. 
This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 20 % (threshold 85 %). Percentage of expressions with known type: 14 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | visibilityTelemetry | true | #select -| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. Addressing these warnings is advisable to avoid false-positive or missing results. 
If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | 1 | +| Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 20 % (threshold 85 %). Percentage of expressions with known type: 14 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | Scanning Java code completed successfully, but the scan encountered issues. This may be caused by problems identifying dependencies or use of generated source code. Some metrics of the database quality are: Percentage of calls with call target: 20 % (threshold 85 %). Percentage of expressions with known type: 14 % (threshold 85 %). Ideally these metrics should be above their thresholds. Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning Java using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes). | 1 | From d9787efc10fa214a8928fa76c1ce8318d482106a Mon Sep 17 00:00:00 2001 
From: Michael Nebel
Date: Mon, 8 Sep 2025 12:02:06 +0200
Subject: [PATCH 09/10] Rust: Include metrics in the database quality diagnostics.
---
 .../telemetry/DatabaseQualityDiagnostics.ql | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql b/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql
index 18e7445939f9..63fb1e4c6cc5 100644
--- a/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql
+++ b/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql
@@ -9,22 +9,36 @@ import rust
 import DatabaseQuality
 import codeql.util.Unit
 
+private predicate diagnostic(string msg, float value, float threshold) {
+  CallTargetStatsReport::percentageOfOk(msg, value) and threshold = 50
+  or
+  MacroCallTargetStatsReport::percentageOfOk(msg, value) and threshold = 50
+}
+
+private string getDbHealth() {
+  result =
+    strictconcat(string msg, float value, float threshold |
+      diagnostic(msg, value, threshold)
+    |
+      msg + ": " + value.floor() + " % (threshold " + threshold.floor() + " %)", ". "
+    )
+}
+
 class DbQualityDiagnostic extends Unit {
   DbQualityDiagnostic() {
-    exists(float percentageGood |
-      CallTargetStatsReport::percentageOfOk(_, percentageGood) and percentageGood < 50
-      or
-      MacroCallTargetStatsReport::percentageOfOk(_, percentageGood) and percentageGood < 50
+    exists(float percentageGood, float threshold |
+      diagnostic(_, percentageGood, threshold) and
+      percentageGood < threshold
     )
   }
 
   string toString() {
     result =
       "Scanning Rust code completed successfully, but the scan encountered issues. " +
-      "This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- "
-      +
-      "see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. "
-      + "Addressing these warnings is advisable to avoid false-positive or missing results."
+      "This may be caused by problems identifying dependencies or use of generated source code. " +
+      "Some metrics of the database quality are: " + getDbHealth() + ". " +
+      "Ideally these metrics should be above their thresholds. " +
+      "Addressing these issues is advisable to avoid false-positives or missing results."
   }
 }
 
From 29c22e6fcff332ea5ce6e651b1b2046abde21d37 Mon Sep 17 00:00:00 2001
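Review bot: The literal `threshold = 50` is written once per disjunct inside the new `diagnostic` predicate, so the two metrics can silently drift apart the next time one is tuned; a single `private float getThreshold() { result = 50 }` with both disjuncts reading `threshold = getThreshold()` keeps one source of truth. The predicate also has no QLDoc, and a comment such as `/** Holds if msg names a database quality metric whose observed value is value percent and whose acceptable lower bound is threshold percent. */` would tell the next reader that the third column is a percentage compared with `<` in the constructor below. `getDbHealth()` relies on `strictconcat`, which has no result when `diagnostic` is empty; that is only reached from `toString()` on an existing `DbQualityDiagnostic`, whose constructor already requires a `diagnostic` tuple, so it is safe as written, but a one-line comment noting that coupling would help if `toString()` is ever called elsewhere. The `from`/`select` clause that consumes this class lies outside the hunk.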
From: Michael Nebel
Date: Mon, 8 Sep 2025 12:04:41 +0200
Subject: [PATCH 10/10] Rust: Add change note.
---
 rust/ql/src/change-notes/2025-09-04-database-diagnostics.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 rust/ql/src/change-notes/2025-09-04-database-diagnostics.md
diff --git a/rust/ql/src/change-notes/2025-09-04-database-diagnostics.md b/rust/ql/src/change-notes/2025-09-04-database-diagnostics.md
new file mode 100644
index 000000000000..b578fcef1411
--- /dev/null
+++ b/rust/ql/src/change-notes/2025-09-04-database-diagnostics.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The message for `rust/diagnostic/database-quality` has been updated to include detailed database health metrics. These changes are visible on the tool status page.
