Hello curlonauts!

We started using codeql for static code analysis in 7183f5acc3d7ca39,
June 2020.

Since then, not a single commit has been merged into the source code repository citing codeql as source or reason. Yet, it keeps getting updated and we get constant reminders to upgrade the pinning to the latest hash.

That is during 4.5 years of intense development and significant code churn. While Coverity, scan-build and CodeSonar have helped us point out many mistakes, codeql has remained silent (or had false positives).

For this little gain, I think we spend a disproportionate amount of work on codeql maintenance.

My PR => https://github.com/curl/curl/pull/15798

Thoughts?

--

 / daniel.haxx.se || https://rock-solid.curl.dev