
Alert is removed, incorrect alert is marked as fixed, and all other alerts jump to other links #18745

Open
@halpinhand

Description


We have five alerts in one file for the same rule:
Line 410
Line 417
Line 472
Line 531
Line 580

Our developer worked on the first two alerts first, for lines 410 and 417. The code around line 410 was unneeded, so they deleted that code entirely. They then fixed the alert for line 417. Upon merging and a new CodeQL scan, the following happened for each line:
Line 410: marked as fixed
Line 417: this alert now corresponded to the alert that was for line 472 (which after code deletion is line 466)
Line 472: this alert now corresponded to the alert that was for line 531 (which after code deletion is line 525)
Line 531: this alert now corresponded to the alert that was for line 580 (which after code deletion is line 574)
Line 580: this alert marked as fixed

The alert for line 417 is no longer present, as it has been switched to line 472. The developer then fixed the alert for line 525 (which did not involve deleting any code). After the merge and new CodeQL scan, the following happened:
Line 466: this alert still corresponds to 466
Line 525: this alert now corresponds to the alert that was for line 574
Line 574: this alert marked as fixed

The alert for line 525 is no longer present, as it has been switched to line 574 (and the old alert with the same rule and same line has now been marked as fixed).

The fact that CodeQL is shifting the alerts around like this makes it so that some of the alerts are incorrectly marked as fixed when they haven't been, and other alerts disappear altogether.

I understand that this is confusing, but it also makes it just as confusing for the developers working on fixing the alerts in the first place. Feel free to ask any questions to clarify!
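The behaviour reported above is a question of alert identity: after a deletion, how does a scanner decide that an alert in the new scan is "the same" alert as one in the previous scan? The following is an added example, not CodeQL's or GitHub's code, and the issue does not establish what actually went wrong in this case. It models two reconciliation strategies on a constructed 600-line file with the five alert lines from the report and the edit described (six lines deleted at 405-410, the line originally at 417 rewritten): identity by (rule, line number), which loses every alert below a deletion, and identity by a content fingerprint of the alert line and its neighbours, in the spirit of SARIF `partialFingerprints`. The rule id, the file contents and the hashing scheme are this example's own assumptions. The second strategy tracks alerts correctly when the code around each alert differs, and the example also shows what happens when it does not: with identical copy-pasted code around every alert the fingerprints collide, and an in-order tie-break chains each surviving alert onto its neighbour while the last ones are marked fixed, the same shape of mis-assignment the report describes.

```python
import hashlib
from collections import defaultdict

# Constructed rule id for the toy scanner; not a real CodeQL query id.
RULE = "example/risky-call"


def build_file(flagged_lines, total=600, unique_context=True):
    """Constructed 600-line source file with the flagged snippet at the given 1-based lines.
    unique_context=False makes every non-flagged line identical, so the code around each
    alert looks the same (a file full of copy-pasted blocks)."""
    lines = [f"safe_{i}()" if unique_context else "safe()" for i in range(1, total + 1)]
    for n in flagged_lines:
        lines[n - 1] = "risky()"
    return lines


def scan(lines):
    """Toy scanner: one (rule, 1-based line) alert per line containing the risky call."""
    return [(RULE, i) for i, text in enumerate(lines, start=1) if "risky(" in text]


def apply_edit(lines):
    """The change from the issue: delete six lines (405-410, removing the alert at 410)
    and rewrite the flagged line originally at 417 (now 411) to safe code.
    Everything below shifts up by six lines: 472 -> 466, 531 -> 525, 580 -> 574."""
    edited = lines[:404] + lines[410:]
    edited[410] = "fixed()"
    return edited


def fingerprint(lines, lineno, context=2):
    """Hash of the alert's line and two neighbours on each side. The line number itself is
    not an input, so a shift above the alert leaves the fingerprint unchanged. This is the
    example's own stand-in for SARIF partialFingerprints, not CodeQL's real algorithm."""
    window = lines[max(0, lineno - 1 - context): lineno + context]
    return hashlib.sha256("\n".join(window).encode()).hexdigest()[:16]


def match_by_line(old, new):
    """Identity = (rule, line number). Any deletion above an alert destroys its identity."""
    old_set, new_set = set(old), set(new)
    return {
        "tracked": [(ln, ln) for (rule, ln) in old if (rule, ln) in new_set],
        "fixed": [ln for (rule, ln) in old if (rule, ln) not in new_set],
        "new": [ln for (rule, ln) in new if (rule, ln) not in old_set],
    }


def match_by_fingerprint(old_lines, old, new_lines, new):
    """Identity = (rule, content fingerprint). When several alerts share a fingerprint
    (identical code in identical surroundings) they are paired in file order; that tie-break
    is what makes alerts chain onto their neighbours once one of them disappears."""
    buckets = defaultdict(list)
    for rule, ln in new:
        buckets[(rule, fingerprint(new_lines, ln))].append(ln)
    tracked, fixed = [], []
    for rule, ln in old:
        candidates = buckets.get((rule, fingerprint(old_lines, ln)))
        if candidates:
            tracked.append((ln, candidates.pop(0)))
        else:
            fixed.append(ln)
    fresh = sorted(ln for bucket in buckets.values() for ln in bucket)
    return {"tracked": tracked, "fixed": fixed, "new": fresh}


def run_scenario(unique_context):
    """Scan, apply the issue's edit, rescan, then reconcile with both strategies."""
    old_lines = build_file([410, 417, 472, 531, 580], unique_context=unique_context)
    new_lines = apply_edit(old_lines)
    old, new = scan(old_lines), scan(new_lines)
    return {
        "new_scan_lines": [ln for _, ln in new],
        "by_line": match_by_line(old, new),
        "by_fingerprint": match_by_fingerprint(old_lines, old, new_lines, new),
    }


if __name__ == "__main__":
    for unique in (True, False):
        print("distinct code around each alert:" if unique else "identical code around each alert:")
        for key, value in run_scenario(unique).items():
            print(f"  {key}: {value}")
```

Running it shows the three outcomes side by side: line-based matching marks all five old alerts fixed and opens three "new" ones; fingerprint matching with distinct surroundings keeps 472, 531 and 580 open at their new lines and marks only 410 and 417 fixed; fingerprint matching with identical surroundings pairs 410, 417 and 472 with 466, 525 and 574 and marks 531 and 580 fixed. GitHub code scanning does track alerts by a content fingerprint (the `partialFingerprints` / `primaryLocationLineHash` field in the uploaded SARIF), so when alerts for one rule in one file are repeatedly chained like this, checking whether the flagged snippets and their surrounding lines are textually identical is a reasonable first diagnostic.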

Metadata

Assignees: none
Labels: question (Further information is requested)
Milestone: none