Posted to commits@tinkerpop.apache.org by GitBox <gi...@apache.org> on 2023/01/19 07:13:11 UTC

[GitHub] [tinkerpop] FlorianHockmann commented on pull request #1947: Adds CodeQL vulnerability scanning to Github Actions

FlorianHockmann commented on PR #1947:
URL: https://github.com/apache/tinkerpop/pull/1947#issuecomment-1396535991

> The diagnostics here are referring to what code it was able to analyze, not what the results of that analysis were. The extraction error there means that there was one file which CodeQL failed to extract for analysis. We could potentially learn more from running CodeQL in debug mode. According to the CodeQL [docs](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#extraction-errors-in-the-database): "A small number of extractor errors is healthy and typically indicates a good state of analysis."

Thanks for the explanation, that's good to know.

> All of the analysis results for the repo are also collected in the security tab [here](https://github.com/apache/tinkerpop/security/code-scanning). (Hopefully that link works, it is only accessible to committers).

Yep, that's working. Looks good to me.

I also agree with your assessment of the 3 warnings it found. I'll just leave the Go one open for someone with more Go experience to confirm & mark as an FP.

Overall, this is good to go from my side. VOTE +1
But this probably has to wait a bit as we're currently in code freeze.
   

