fix: suppress CodeQL false positives in formatters.py #57
Conversation
Pin all GitHub Actions dependencies to specific commit SHAs instead of version tags to prevent supply chain attacks. This follows OpenSSF Scorecard best practices for dependency pinning. Pinned actions: - actions/checkout@v5 - actions/create-github-app-token@v2 - actions/setup-python@v6 - actions/upload-artifact@v4 - amannn/action-semantic-pull-request@v6 - astral-sh/setup-uv@v7 - codecov/codecov-action@v5 - github/codeql-action/*@V3 - github/codeql-action/*@v4 - ossf/scorecard-action@v2.4.3 - pypa/gh-action-pypi-publish@release/v1 All SHAs include comments showing the original version tag for maintainability. Expected impact: Pinned-Dependencies score 0 → 10 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Suppress two categories of CodeQL alerts that are false positives: 1. Clear-text logging (alert #31): The flagged print() statement outputs public peak data to stdout for CLI users, not logging. No sensitive data is handled by this tool. 2. Overly permissive regex (alerts #32-35): The emoji removal regex uses overlapping Unicode ranges intentionally for comprehensive coverage. Used only for display formatting, not security validation. Both suppressions include detailed comments explaining why the alerts are false positives in this context. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
|
Warning Rate limit exceeded@dreamiurg has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 11 minutes and 38 seconds before requesting another review. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (1)
✨ Finishing touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #57 +/- ##
=======================================
Coverage 91.21% 91.21%
=======================================
Files 8 8
Lines 1081 1081
=======================================
Hits 986 986
Misses 95 95 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Problem
CodeQL flagged 5 security alerts in
formatters.pythat are false positives:Analysis
Alert #31: Clear-text logging
Location: Line 97 -
print(json.dumps(data, ...))This is not logging - it's intentional CLI output. The tool only handles public peak data from PeakBagger.com. No credentials or sensitive information ever pass through this code.
Alerts #32-35: Regex ranges
Location: Lines 354-359 - emoji removal regex
The emoji pattern uses overlapping Unicode ranges, which CodeQL flags as potentially exploitable. However, this regex is only used for display formatting (removing emojis from scraped text), not for security validation or input sanitization.
Solution
Add suppression comments (
lgtm[...]) with detailed explanations for why these are false positives:Impact
This will resolve 5 open security alerts on the code scanning dashboard without changing any functional behavior.
🤖 Generated with Claude Code