CI: try adding codeql #22446
Conversation
Lots of alerts in FreeType and Qhull; might need to exclude them somehow. Though I haven't quite determined if any of them are actually 'high severity' for us.
I've checked some of the overflow warnings and it appears as if the risk of an actual overflow is quite limited. An option would be just to cast them to the higher precision type before multiplying. This will probably give a bit of a performance hit, but not clear how much. (It seems like the lifetime of the full reports is limited; I cannot get directly to the source anymore.) (Btw, did you change anything in the project settings? I tried this out for SymPy and it didn't run the check. Admittedly, we have a problem with one of our push tests, so maybe it would run if that passed, but still. When I created a PR from my own branch, it didn't run either, and after instead adding it to the general test run-file, nothing reran after force-pushing changes...)
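As an added example (not code from this PR, nor from matplotlib's vendored FreeType or Qhull), the pattern discussed above in C: a multiplication performed at `int` width whose result is widened only afterwards, beside the version that casts to the wider type before multiplying, plus the range check a caller needs before handing the product to an `int`-sized API. The function names and the sample bitmap dimensions are constructed for this illustration.

```c
#include <limits.h>
#include <stdio.h>

/* "Before": the multiply happens at int width and the result is stored in a
 * wider type too late. Signed overflow is undefined behaviour in C, so to keep
 * this demo deterministic the wraparound is emulated with unsigned arithmetic,
 * which is what a typical two's-complement build produces in practice. */
long long mul_narrow(int a, int b)
{
    unsigned int wrapped = (unsigned int)a * (unsigned int)b;
    return (long long)(int)wrapped;   /* truncated value, widened afterwards */
}

/* "After": cast one operand to the wider type first, so the multiplication
 * itself is carried out at 64-bit precision and nothing is lost. */
long long mul_widened(int a, int b)
{
    return (long long)a * b;
}

/* Returns 1 if the widened product still fits in an int, 0 otherwise. This is
 * the check needed when the value must be passed on as an int (e.g. a buffer
 * size), regardless of which multiply form produced it. */
int product_fits_int(int a, int b)
{
    long long p = mul_widened(a, b);
    return p >= INT_MIN && p <= INT_MAX;
}

int main(void)
{
    int w = 65536, h = 65536;   /* constructed bitmap dimensions */
    printf("narrow  : %lld\n", mul_narrow(w, h));       /* 0 */
    printf("widened : %lld\n", mul_widened(w, h));      /* 4294967296 */
    printf("fits int: %d\n", product_fits_int(w, h));   /* 0 */
    return 0;
}
```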
Anyone is more than welcome to take over this PR!
Regarding excluding cpp files: it seems, well, at least not trivial (to me): https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#specifying-directories-to-scan
I'm going to close this and work from a branch on my fork. I screwed up naming a file and do not feel comfortable force-pushing to upstream!
PR Summary
Enable static code analysis.