[neomutt-devel] Help with CodeQL on GitHub
Richard Russon
rich at flatcap.org
Wed Dec 17 14:13:43 CET 2025
Does anyone have any experience of CodeQL on GitHub?
We have a CodeQL GitHub Action that does static analysis for every commit.
https://github.com/neomutt/neomutt/actions/workflows/codeql.yml
It's reported a handful of false-positives:
"Uncontrolled data used in path expression"
It happens when one function uses a Buffer from the Buffer Pool
and fills it with tainted data (e.g. from the user).
When it's finished, it returns the Buffer to the Pool.
Later, another function gets that same Buffer from the Pool,
but CodeQL still thinks it's tainted.
It's not. It's been `memset()` to zero.
GitHub Copilot created a CodeQL query to fix this,
but I'm not sure it's even working.
- https://github.com/neomutt/neomutt/pull/4739
Any help would be appreciated.
Cheers,
FlatCap / Rich