Fixed code scanning alerts still show up as open #23403

edumserrano · 2021-06-20T22:59:34Z

edumserrano
Jun 20, 2021

Hi,

I’ve been reading through the code scanning docs and after configuring it for my repo it flagged some issues which was great. Then I did some pushes to fix some of the issues and they got marked as “Fixed”. However they still show on the “is:open” filter and they count towards the total number of security issues on the “Security tab” of the repo.

On the Fixing an alert doc it says:

“If you have write permission for a repository, you can view fixed alerts by viewing the summary of alerts and clicking Closed. […] The “Closed” list shows fixed alerts and alerts that users have closed.”

This is happening to me on this public repo of mine. The filter is:open "Useless assignment to local variable" on code scanning shows what I mean, it returns 3 fixed alerts.

Am I missing something obvious? Shouldn’t the fixed alerts be in the closed state?

Answered by edumserrano

Jul 1, 2021

After talking with GitHub support this was the solution I was given that worked for me:

Hello Eduardo,

I heard back from engineering and the reason that the alerts are open is because they are open in a previous stale configuration that is no longer updated. This happened when the analysis file was renamed and left the analyses under the old name stale.

This can be detected through the API, by using the list analyses request (Code scanning - GitHub Docs). From that response you can see multiple analyses that has “deletable”: true and with different values in the category field.

To fix it you should delete all the stale configurations using the delete API (Code scanning - GitHub Docs). No…

View full answer

edumserrano · 2021-07-01T00:46:21Z

edumserrano
Jul 1, 2021
Author

After talking with GitHub support this was the solution I was given that worked for me:

Hello Eduardo,

I heard back from engineering and the reason that the alerts are open is because they are open in a previous stale configuration that is no longer updated. This happened when the analysis file was renamed and left the analyses under the old name stale.

This can be detected through the API, by using the list analyses request (Code scanning - GitHub Docs). From that response you can see multiple analyses that has “deletable”: true and with different values in the category field.

To fix it you should delete all the stale configurations using the delete API (Code scanning - GitHub Docs). Note that if a particular configuration has had several deliveries, then older analyses become deletable when the most recent one is deleted (the delete works as an undo operation) and they also need to be deleted."

This problem happened to me because I had ran an initial CodeQL scan and then renamed the workflow for CodeQL.

Hope this helps others.

0 replies

ajay-qburst · 2023-03-12T17:29:46Z

ajay-qburst
Mar 12, 2023

Had the same problem, but the alerts already generated during the initial CodeQL scan was not removed as part of deleting the stale workflow, even though the fix was pushed to the master (or respective) branches. Needed to remove the stale code scanning configurations from those outdated alerts to get that fixed. Refer: https://github.blog/changelog/2023-03-10-delete-stale-code-scanning-configurations-to-close-outdated-alerts/

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Fixed code scanning alerts still show up as open #23403

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

GitHub Community

Fixed code scanning alerts still show up as open #23403

edumserrano Jun 20, 2021

Replies: 2 comments

edumserrano Jul 1, 2021 Author

ajay-qburst Mar 12, 2023

edumserrano
Jun 20, 2021

edumserrano
Jul 1, 2021
Author

ajay-qburst
Mar 12, 2023