✨Add LGTM to the SAST check #1232
According to https://github.com/apps/lgtm-com "LGTM is a code analysis platform for identifying vulnerabilities early and preventing them from reaching production". It's used by `systemd`, `lxc` and a lot of other large open source projects. The check is still kind of broken in the sense that it fails to detect projects where every PR is analyzed by LGTM before getting merged but it's better than nothing I guess.
/ok-to-test sha=03c92279e12aeb4b0235d5cd878008fdf89e3013
Integration tests success for 03c92279e12aeb4b0235d5cd878008fdf89e3013
I'm not sure what
Thanks!
Thanks. I've merged a PR to fix it #1233
Can you elaborate? Function
I'm not sure. I need to figure out why
Thanks. Let's not block this PR on this problem. Can you create a tracking issue for it so we don't forget? If you're interested in looking into it, help is appreciated!
Looks like in PRs like systemd/systemd#21266 the status of LGTM is "neutral" because "LGTM.com did not detect changes to any C/C++ files". It can be fixed by not skipping PRs where

```diff
+ if cr.Conclusion != "success" && cr.Conclusion != "neutral" {
continue
}
```

With that patch applied
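Review bot: Accepting "neutral" alongside "success" means a PR that LGTM skipped entirely (no C/C++ changes, as in systemd/systemd#21266) is counted the same as one it actually analyzed, so the condition deserves a code comment stating why "neutral" is accepted and a test case with a neutral check run, otherwise the next reader will "fix" it back to `!= "success"`.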
That sounds good. Please send us a PR and cc me on it, I'll LGTM it.
This PR is ready to merge code-wise. @olivekl we only need your ack for the documentation.
LGTM! Thanks, @evverx!
Thanks.
Some SASTs like LGTM don't analyze PRs where code hasn't been changed, which leads to their status being "neutral" there. It's a follow-up to #1232 (comment). I'm not sure what to do about one-offs like the one mentioned in #1232 (comment) that shouldn't affect the aggregate score, but it can probably be fixed later.
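To make the counting rule discussed in this thread concrete, here is an added Go example (not scorecard's own code) that models the check-run filter with both accepted conclusions and the per-PR aggregate it feeds; the CheckRun struct, the sastApps map and the sample PRs are assumptions constructed for the example.

```go
package main

import "fmt"

// CheckRun models the two fields of a GitHub check run the SAST check needs
// (hypothetical struct, not scorecard's own type).
type CheckRun struct {
	AppSlug    string // "lgtm-com" for https://github.com/apps/lgtm-com
	Conclusion string // "success", "neutral", "failure", ...
}

// sastApps lists check-run apps treated as SAST tools (assumed; LGTM is the
// only one named in the thread).
var sastApps = map[string]bool{"lgtm-com": true}

// analyzedBySAST reports whether one merged PR, given its check runs, was
// analyzed by a SAST app. "success" and "neutral" both count: LGTM reports
// "neutral" when it finds nothing to analyze ("did not detect changes to any
// C/C++ files"), so only other conclusions cause the run to be skipped.
func analyzedBySAST(runs []CheckRun) bool {
	for _, cr := range runs {
		if !sastApps[cr.AppSlug] {
			continue
		}
		if cr.Conclusion != "success" && cr.Conclusion != "neutral" {
			continue
		}
		return true
	}
	return false
}

// sastCoverage returns how many of the merged PRs were analyzed and the total;
// the aggregate score is derived from that ratio.
func sastCoverage(prs [][]CheckRun) (analyzed, total int) {
	for _, runs := range prs {
		if analyzedBySAST(runs) {
			analyzed++
		}
	}
	return analyzed, len(prs)
}

// samplePRs is constructed data: three merged PRs and their check runs.
var samplePRs = [][]CheckRun{
	{{"lgtm-com", "success"}},                         // analyzed, no alerts
	{{"lgtm-com", "neutral"}},                         // docs-only PR, LGTM skipped it
	{{"some-ci", "success"}, {"lgtm-com", "failure"}}, // conclusion not accepted
}

func main() {
	a, t := sastCoverage(samplePRs)
	fmt.Printf("%d of %d merged PRs analyzed by SAST\n", a, t) // 2 of 3
}
```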