So do you want to not use CodeQL in the Git? I think the bugs that CodeQL can find rely too much on expert knowledge, so this may be the reason why it is not effective.
> -----Original Message-----
> From: "Dan Fandrich via curl-library" <curl-library@lists.haxx.se>
> Sent: 2024-12-22 03:33:43 (Sunday)
> To: curl-library@lists.haxx.se
> Cc: "Dan Fandrich" <d...@coneharvesters.com>
> Subject: Re: Time to drop codeql from the CI setup?
>
> On Sat, Dec 21, 2024 at 03:04:39PM +0100, Daniel Stenberg via curl-library wrote:
> > We started using codeql for static code analysis in 7183f5acc3d7ca39,
> > June 2020.
> >
> > Since then, not a single commit has been merged into the source code repository citing codeql as
> > source or reason. Yet, it keeps getting updated and we get constant reminders to upgrade the
> > pinning it to the latest hash.
>
> There have been 158 issues raised by CodeQL in that time. Every single one of
> them was closed as "false positive" or "won't fix". So, I think you're onto
> something.
>
> Dan
> --
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
> Etiquette: https://curl.se/mail/etiquette.html