Skip to content

Remove dead code from scorecard SARIF upload logic#822

Merged
justaugustus merged 1 commit intomainfrom
copilot/fix-sarif-upload-logic
Apr 21, 2026
Merged

Remove dead code from scorecard SARIF upload logic#822
justaugustus merged 1 commit intomainfrom
copilot/fix-sarif-upload-logic

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 21, 2026

deadcode ./cmd/allstar flagged four unreachable functions in pkg/policies/scorecard/sarif.go. Git history investigation shows these are not accidentally orphaned — they were intentionally superseded in 920cfa2 when uploadSARIF was refactored to do commit-SHA change detection before the expensive scorecard run, which required inlining the logic from generateSARIF and calling uploadToCodeScanningWithRef directly to avoid a double branch-info fetch.

The production SARIF upload path is intact: Check()uploadSARIF()resultToSARIF() + uploadToCodeScanningWithRef().

Removed

  • generateSARIF — ran scRun() + resultToSARIF(); superseded when uploadSARIF inlined this to gate on commit SHA first
  • uploadToCodeScanning — wrapper that fetched branch info then called uploadToCodeScanningWithRef; superseded when uploadSARIF started fetching branch info itself for change detection
  • ClearResults — exported test utility, never called from any code path
  • Corresponding tests (TestGenerateSARIF, TestGenerateSARIFRunError, TestUploadToCodeScanning, TestUploadToCodeScanningAPIError)
  • Unused clients import from sarif.go

Kept

  • clearSARIFHashes — actively used in test cleanup; expected deadcode from binary perspective

@jeffmendoza
Remove dead code from scorecard SARIF upload logic
3731aaa 
Remove unreachable functions found by deadcode analysis:
- generateSARIF: superseded by refactored flow that passes *sc.Result
  to uploadSARIF which calls resultToSARIF directly
- uploadToCodeScanning: wrapper bypassed by uploadSARIF which calls
  uploadToCodeScanningWithRef directly
- ClearResults: exported but never called from any code path

Also remove corresponding tests for the removed functions and clean up
the unused clients import from sarif.go.

The SARIF upload path remains fully connected:
Check() -> uploadSARIF() -> resultToSARIF() + uploadToCodeScanningWithRef()

Agent-Logs-Url: https://github.com/ossf/allstar/sessions/25e7e4f0-812e-4454-95db-5081af24b84d

Co-authored-by: jeffmendoza <771387+jeffmendoza@users.noreply.github.com>
@jeffmendoza jeffmendoza marked this pull request as ready for review April 21, 2026 15:54
@jeffmendoza jeffmendoza requested a review from a team as a code owner April 21, 2026 15:54
@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Apr 21, 2026
@justaugustus justaugustus mentioned this pull request Apr 21, 2026
Closed
justaugustus
justaugustus approved these changes Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the catches, @jeffmendoza!
Filed this as a follow-up: #823

@justaugustus justaugustus merged commit 27d3a9a into main Apr 21, 2026
9 checks passed
@justaugustus justaugustus deleted the copilot/fix-sarif-upload-logic branch April 21, 2026 19:31
Copilot AI mentioned this pull request Apr 21, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@justaugustus justaugustus justaugustus approved these changes

Assignees

@jeffmendoza jeffmendoza

Copilot code review Copilot

Labels

size:M This PR changes 30-99 lines, ignoring generated files.

Projects

OpenSSF Scorecard
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@justaugustus @jeffmendoza