Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[proposed enhancement] Error: File size (2838487234) is greater than possible Buffer: #820

Open
JacquesLeRoux opened this issue Nov 17, 2021 · 8 comments
Open

[proposed enhancement] Error: File size (2838487234) is greater than possible Buffer: #820

JacquesLeRoux opened this issue Nov 17, 2021 · 8 comments
Labels
question Further information is requested

Comments

@JacquesLeRoux
Copy link

Hi @aeisenberg , @adityasharad ,

As requested here it the workflow run: https://github.com/apache/ofbiz-framework/actions/runs/1470420767

TIA for you help, much appreciated.
@JacquesLeRoux JacquesLeRoux changed the title Error: File size (2838487234) is greater than possible Buffer: [proposed Improvement] Error: File size (2838487234) is greater than possible Buffer: Nov 17, 2021
@JacquesLeRoux JacquesLeRoux changed the title [proposed Improvement] Error: File size (2838487234) is greater than possible Buffer: [proposed enhancement] Error: File size (2838487234) is greater than possible Buffer: Nov 17, 2021
@aeisenberg aeisenberg added bug Something isn't working question Further information is requested and removed bug Something isn't working labels Nov 17, 2021
@adityasharad
Copy link
Contributor

Thanks. We'll take a look at the SARIF file from that run and get back to you.

@JacquesLeRoux
Copy link
Author

Hi @aeisenberg , @adityasharad ,

Did you get a chance to have a look?

@JacquesLeRoux
Copy link
Author

Hi @aeisenberg , @adityasharad ,

Any news?

@JacquesLeRoux
Copy link
Author

Hi @aeisenberg , @adityasharad ,

Is Apache OFBiz the only project crossing this issue?

@adityasharad
Copy link
Contributor

Hi @JacquesLeRoux, thank you for your patience and apologies for the time it's taken to get back to you.

I've had a look at the SARIF file from the Java analysis on your workflow.
There are two problems here:

  • This results file is too large for the CodeQL Action to process in-memory (hence the Node.js error you see).
  • Even if we managed to load it into memory and upload it, it would be rejected by the code scanning service because of the large number of data flow path locations within the analysis results.

Here is an explanation of what I looked for in the SARIF file:

  • Total number of alerts: 186
    • jq '.runs[0].results | length' java.sarif
    • The current limit supported by code scanning is 5000 per run, so this is not a problem.
    • This is not a particularly high number.
  • Number of flow paths per alert:
    • jq '.runs[0].results | map({query_id: .rule.id, numPaths: .codeFlows | length})' java.sarif
    • Some of the results have 732 or more paths each. This is a potential cause of the large results file.
  • Number of flow path locations per result:
    • jq '.runs[0].results | map({query_id: .rule.id, locations: .locations | length, numPaths: .codeFlows | length, numPathLocations: (if .codeFlows then .codeFlows | map(.threadFlows[0].locations | length) else [] end) | add //0})' java.sarif
    • This is likely the problem. Some of the results here have over 20,000 total locations within their data flow paths, which makes the JSON very large. The code scanning service will also reject results with over 5000 such locations per result.

Why are there so many paths and path locations?

  • This is an unfortunate effect of the way CodeQL groups alerts that have the same location. I suspect we have many alerts here that describe the same vulnerability, with multiple possible sources of tainted data, all ending in the same "sink". CodeQL only produces 4 paths per alert at first, but then it groups those alerts together if they have the same sink location.
  • So for example 183 alerts, each with the same sink and 4 paths, get grouped into 1 alert with 732 paths.

How can we make your runs succeed?

  • I'm discussing this with my colleagues so that we can address it properly in CodeQL. This requires some careful design to avoid breaking existing alerts, so it's unfortunately not a fix I can promise in the short term.
  • Short term workaround: disable the analysis for Java, and run it only for JavaScript while we investigate further.
  • Short term workaround: keep the analysis for Java, but disable the queries that are producing more than 5000 path locations per alert. See the summary below for the query IDs that are producing a large number of paths, and this example on how to disable specific queries.

I appreciate this is not an ideal solution, but I hope it's enough to keep your code scanning workflows from failing while we think of a more principled solution.

Summary of SARIF alerts, with path and path location counts per alert 
[
  {
    "query_id": "java/stack-trace-exposure",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/stack-trace-exposure",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/stack-trace-exposure",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/stack-trace-exposure",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/stack-trace-exposure",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/stack-trace-exposure",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/groovy-injection",
    "numPaths": 764,
    "numPathLocations": 35282
  },
  {
    "query_id": "java/groovy-injection",
    "numPaths": 768,
    "numPathLocations": 53374
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 761,
    "numPathLocations": 27411
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 28355
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 28355
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 1,
    "numPathLocations": 4
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 1,
    "numPathLocations": 4
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 31965
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 761,
    "numPathLocations": 29790
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 28165
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 28165
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 28165
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 35765
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 35765
  },
  {
    "query_id": "java/http-response-splitting",
    "numPaths": 760,
    "numPathLocations": 28165
  },
  {
    "query_id": "java/zipslip",
    "numPaths": 2,
    "numPathLocations": 5
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26853
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26853
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26797
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26853
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26853
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26797
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 1528,
    "numPathLocations": 69045
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 33754
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32902
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 33754
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32990
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27749
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27749
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 30992
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32990
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 31312
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27133
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27749
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27749
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32990
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32990
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 30992
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32990
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32990
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 31312
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32076
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32990
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32076
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 22187
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 22187
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 22187
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 21935
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 29659
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 29425
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27133
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26942
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26942
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26942
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26942
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26751
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 21935
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27749
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27749
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 33563
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32138
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 33563
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32138
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 30228
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 30228
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 27554
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 32226
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 25266
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 30698
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 766,
    "numPathLocations": 31764
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 33666
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 28707
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 33503
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 28381
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26089
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26853
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26147
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26853
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 33093
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 35003
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 36531
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 36149
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 34621
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 34621
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 36149
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 35385
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 34621
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 2,
    "numPathLocations": 38
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26853
  },
  {
    "query_id": "java/path-injection",
    "numPaths": 764,
    "numPathLocations": 26797
  },
  {
    "query_id": "java/cleartext-storage-in-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/cleartext-storage-in-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/cleartext-storage-in-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/cleartext-storage-in-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/cleartext-storage-in-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/cleartext-storage-in-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/xss",
    "numPaths": 764,
    "numPathLocations": 26794
  },
  {
    "query_id": "java/xss",
    "numPaths": 764,
    "numPathLocations": 26794
  },
  {
    "query_id": "java/xss",
    "numPaths": 764,
    "numPathLocations": 37913
  },
  {
    "query_id": "java/xss",
    "numPaths": 764,
    "numPathLocations": 37201
  },
  {
    "query_id": "java/xss",
    "numPaths": 764,
    "numPathLocations": 32902
  },
  {
    "query_id": "java/xss",
    "numPaths": 2,
    "numPathLocations": 47
  },
  {
    "query_id": "java/xss",
    "numPaths": 1,
    "numPathLocations": 9
  },
  {
    "query_id": "java/xss",
    "numPaths": 2,
    "numPathLocations": 35
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 38569
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 36922
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 43327
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 34360
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 48817
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 40948
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 49549
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 40948
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 43144
  },
  {
    "query_id": "java/ssrf",
    "numPaths": 732,
    "numPathLocations": 38752
  },
  {
    "query_id": "java/unsafe-deserialization",
    "numPaths": 763,
    "numPathLocations": 29889
  },
  {
    "query_id": "java/insecure-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/insecure-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/insecure-cookie",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/xxe",
    "numPaths": 1,
    "numPathLocations": 4
  },
  {
    "query_id": "java/xxe",
    "numPaths": 764,
    "numPathLocations": 28693
  },
  {
    "query_id": "java/xxe",
    "numPaths": 765,
    "numPathLocations": 32207
  },
  {
    "query_id": "java/xxe",
    "numPaths": 764,
    "numPathLocations": 31628
  },
  {
    "query_id": "java/sql-injection",
    "numPaths": 752,
    "numPathLocations": 51423
  },
  {
    "query_id": "java/sql-injection",
    "numPaths": 752,
    "numPathLocations": 50563
  },
  {
    "query_id": "java/sql-injection",
    "numPaths": 752,
    "numPathLocations": 45819
  },
  {
    "query_id": "java/sql-injection",
    "numPaths": 752,
    "numPathLocations": 45255
  },
  {
    "query_id": "java/sql-injection",
    "numPaths": 752,
    "numPathLocations": 46007
  },
  {
    "query_id": "java/sql-injection",
    "numPaths": 752,
    "numPathLocations": 45819
  },
  {
    "query_id": "java/sql-injection",
    "numPaths": 752,
    "numPathLocations": 45443
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 764,
    "numPathLocations": 32520
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 764,
    "numPathLocations": 32520
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 765,
    "numPathLocations": 27560
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 764,
    "numPathLocations": 27554
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 764,
    "numPathLocations": 29082
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 1,
    "numPathLocations": 4
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 764,
    "numPathLocations": 30757
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 764,
    "numPathLocations": 27554
  },
  {
    "query_id": "java/unvalidated-url-redirection",
    "numPaths": 765,
    "numPathLocations": 29951
  },
  {
    "query_id": "java/unsafe-hostname-verification",
    "numPaths": 1,
    "numPathLocations": 3
  },
  {
    "query_id": "java/unsafe-hostname-verification",
    "numPaths": 1,
    "numPathLocations": 2
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 8,
    "numPathLocations": 454
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 8,
    "numPathLocations": 454
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 1,
    "numPathLocations": 2
  },
  {
    "query_id": "java/weak-cryptographic-algorithm",
    "numPaths": 1,
    "numPathLocations": 3
  },
  {
    "query_id": "java/tainted-format-string",
    "numPaths": 935,
    "numPathLocations": 28797
  },
  {
    "query_id": "java/command-line-injection",
    "numPaths": 764,
    "numPathLocations": 35282
  },
  {
    "query_id": "java/implicit-cast-in-compound-assignment",
    "numPaths": 0,
    "numPathLocations": 0
  },
  {
    "query_id": "java/implicit-cast-in-compound-assignment",
    "numPaths": 0,
    "numPathLocations": 0
  }
]

@JacquesLeRoux
Copy link
Author

Hi @adityasharad,

Thank you for looking at it, I'm already running CodeQL only for js and it was helpful. All is now OK there.

As soon as I will get some time (Log4j did not help so far 😏) I'll follow your 3rd recommendation...

@DGuhr DGuhr mentioned this issue Feb 17, 2022
Closed
@abstractj
Copy link

@aeisenberg @adityasharad @JacquesLeRoux thank you for the information provided here. On Keycloak we have the same issue https://github.com/keycloak/keycloak/actions/runs/1865950407. Reading the discussion here helped to identify the issue at least, which is the number of flow paths per alert. It would be nice to have the steps here documented in the troubleshooting guide, or provide an alternative to suppress those alerts.

@JacquesLeRoux your project is not the only one facing those issues, at the same time, it seems that we are the only ones with a large Java codebase and running CodeQL :)

@JacquesLeRoux
Copy link
Author

Hi @abstractj,

Since then I did not work on that being deeply involved in OFBiz security. It would be great indeed to not have to handle the number of flow paths per alert upstream of CodeQL

@abstractj abstractj mentioned this issue Mar 7, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@abstractj @aeisenberg @JacquesLeRoux @adityasharad