This is expected, and working as currently intended. An additional step defined on the configuration that's purely local gets collapsed together with other local steps in the path explanation, whereas the steps that are added as a result of a CSV model are a more complex sequence that involves dispatch to a synthesised (but hidden) method/constructor body. It is this indirection through a call that then causes the additional step to appear in the path explanation.
Since the CSV model exists, the additional step on the configuration becomes superfluous, so simply removing that should fix it such that only the 7-step path is shown.
> This is expected, and working as currently intended. An additional step defined on the configuration that's purely local gets collapsed together with other local steps in the path explanation, whereas the steps that are added as a result of a CSV model are a more complex sequence that involves dispatch to a synthesised (but hidden) method/constructor body. It is this indirection through a call that then causes the additional step to appear in the path explanation.

This is non-intuitive and kinda annoying, especially when local method paths are non-trivial. I'd personally prefer if full paths were always displayed.
Description of the false positive
I've encountered a few cases where LGTM and the VS Code plugin won't correctly render path steps. It's my hunch that this may be related to when `additionalTaintSteps` are duplicated, i.e. are both captured in the CSV model and in a CodeQL query directly. It seems when this happens, one path gets generated without this double represented element, and one path does get generated.

codeql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql, lines 69 to 72 in ef0ea24
codeql/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll, lines 333 to 334 in 811a2c0
URL to the alert on the project page on LGTM.com
Example: there are two paths, the first one is only 6 steps, and is missing the critical `new File` call, the second, longer path with 7 steps is correct.
https://lgtm.com/projects/g/apache/ace/snapshot/dbdba56171c187ef5f7796afe5245f7224c86169/files/org.apache.ace.client.workspace/src/org/apache/ace/client/workspace/impl/DPHelper.java?sort=name&dir=ASC&mode=heatmap#L101